Is there a fairly straight forward method of deriving a mainnet addr using a given testnet addr, and vice versa without access to the verification key?

That’d simply be a matter of bech32 decode/encode with right prefixes:

echo addr_test1q8hsff3uwtphx7dtya7unjwjwug52e5jvqp09je6pwqx8k4jvuxrw2x5rr7e258a33yzkrhhlrrc5ezvd2z7qtdq0gasfepjx8 | bech32 addr

# addr1q8hsff3uwtphx7dtya7unjwjwug52e5jvqp09je6pwqx8k4jvuxrw2x5rr7e258a33yzkrhhlrrc5ezvd2z7qtdq0gasme44c9

Also note that everything except the prefixes (addr1 and addr_test1) and the checksum in the last six characters is the same, because you want to have the same payment and stake key with the same hashes encoded into the BECH32 address.

thank you both @HeptaSean and @rdlrt very helpful!