Test-only trust policy that accepts any signer with a parseable cert in the
JWS x5c header. Refuses to start under Mix.env() == :prod.
Used as the default in test environments. Production deployments must use
SignCore.Policy.PinnedRegistry (allowlist by SPKI hash) or
SignCore.Policy.CASignedAllowlist (CA + per-subject allowlist).
This policy intentionally violates the hard invariant in specs.md §7.1
("sender-supplied certs are untrusted input until allowlist match") and
exists only to make round-trip tests possible without setting up a registry.
The Mix-env guard ensures it cannot be misused in production by accident.