[security] SDK hardening: distinct unverified status, payload binding

capiscio_sdk/validators/signature.py

@@ -98,15 +98,27 @@ def validate_signature(
                 import jwt
 
                 # Verify signature
-                jwt.decode(
+                decoded = jwt.decode(
                     signature,
                     public_key,
                     algorithms=['RS256', 'ES256', 'PS256'],
                     options={"verify_signature": True}
                 )
 
-                # Signature is valid
-                logger.debug("Signature verified successfully")
+                # Bind: compare decoded payload against caller-supplied payload
+                if decoded != payload:
+                    issues.append(
+                        ValidationIssue(
+                            severity=ValidationSeverity.ERROR,
+                            code="PAYLOAD_MISMATCH",
+                            message="Decoded signature payload does not match the supplied payload",
+                            path="signatures",
+                        )
+                    )
+                    score = 0
+                else:
+                    # Signature is valid and payload matches
+                    logger.debug("Signature verified successfully")
 
             except jwt.InvalidSignatureError:
                 issues.append(
@@ -156,12 +168,12 @@ def validate_signature(
             issues.append(
                 ValidationIssue(
                     severity=ValidationSeverity.WARNING,
-                    code="NO_PUBLIC_KEY",
-                    message="Signature format valid but no public key provided for verification",
+                    code="UNVERIFIED_FORMAT_OK",
+                    message="Signature format valid but cryptographic verification not performed (no public key provided)",
                     path="signatures",
                 )
             )
-            score = 70  # Format is OK but not verified
+            score = 50  # Format-only: below success threshold
 
         # Ensure score doesn't go negative
         score = max(0, score)