//nefariousplan

Canonicalize Before Verify

A signature verifier transforms an artifact through a parser, normalizer, or re-encoder before handing the result to the cryptographic check. The signature ends up attesting to the verifier's transformed form, not to the raw bytes downstream consumers act on. When the verifier's parser and a downstream consumer's parser disagree about what the raw bytes mean, the verifier's 'verified' label covers bytes nobody else sees.
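The pattern above in miniature, as an added example that is not code from this page: a verifier that canonicalizes JSON before checking, beside a hardened one that checks the exact bytes. The key, the messages, the HMAC standing in for a signature scheme, and the first-duplicate-wins consumer are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed key; HMAC stands in for a signature


def sign(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def canonical(raw: bytes) -> bytes:
    # Verifier's normalizer: json.loads keeps the LAST duplicate key, then re-encodes.
    return json.dumps(json.loads(raw), sort_keys=True, separators=(",", ":")).encode()


def verify_canonicalized(raw: bytes, sig: bytes) -> bool:
    # The pattern described above: the check covers canonical(raw), not raw.
    return hmac.compare_digest(sign(canonical(raw)), sig)


def first_wins(pairs):
    # Duplicate-key policy of the hypothetical downstream parser: FIRST value wins.
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def consume(raw: bytes) -> dict:
    # Downstream consumer re-parses the raw bytes with its own parser.
    return json.loads(raw, object_pairs_hook=first_wins)


def verify_raw(raw: bytes, sig: bytes):
    # Hardened: check the exact bytes, then return the single parse consumers must use.
    if not hmac.compare_digest(sign(raw), sig):
        return None
    return json.loads(raw)


# Constructed sample inputs.
SIGNED = b'{"role":"viewer","user":"alice"}'
SIG = sign(canonical(SIGNED))  # the signer signed the canonical form
AMBIGUOUS = b'{"role":"admin","user":"alice","role":"viewer"}'

if __name__ == "__main__":
    print("canonicalizing verifier accepts:", verify_canonicalized(AMBIGUOUS, SIG))
    print("consumer acts on role:", consume(AMBIGUOUS)["role"])
    print("raw-bytes verifier returns:", verify_raw(AMBIGUOUS, sign(SIGNED)))
```

The hardened verifier closes the gap in two ways: the check covers the bytes as received, and the caller gets the verifier's own parse back instead of re-parsing the raw input.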