fn finish_sidecar_verification<T: SignedSidecar + DeserializeOwned>(
canonical: &str,
now: DateTime<Utc>,
freshness_window: Duration,
reject_before: Option<DateTime<Utc>>,
) -> Result<Verified<T>, VerifyError>Expand description
Schema gate + reject_before + bidirectional freshness check (past +
future, both with CLOCK_SKEW_SLACK_SECS slack). reject_before runs
first so alerts can distinguish compromise from staleness.