
Function verify_signed 

pub fn verify_signed(env: &SignedRoomMessage) -> Result<(RoomMessage, String)>

Verify a SignedRoomMessage envelope:

  1. The asserted fingerprint must equal the fingerprint derived from ed25519_pubkey_b64 — closes the “claim someone else’s fingerprint but sign with your own key” attack.
  2. The Ed25519 signature must verify_strict over the decoded payload_b64 (strict rejects low-order / mixed-order pubkeys).
  3. The payload must deserialize as a RoomMessage.
  4. huddle 0.7.11: signed_at_ms must be non-zero and within SIGNED_ENVELOPE_WINDOW_MS of the receiver’s wall clock — closes indefinite replay of captured signed messages.

Returns the inner message and the (verified) sender fingerprint on success. The caller should still check that the fingerprint is one it expects for this context (e.g. an owner for BanMember).
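The step 4 freshness check and the caller-side fingerprint check described above, using only the standard library. This is an added example, not huddle's own code: the window value, the u64 millisecond clock, the symmetric treatment of the window, the Reject type, the Chat variant and the RoomMessage fields are all assumptions made for illustration.

```rust
// Added example: stand-ins for illustration, not huddle's own code.
use std::collections::HashSet;
use std::time::{SystemTime, UNIX_EPOCH};

/// Assumed value; the real SIGNED_ENVELOPE_WINDOW_MS is not shown on this page.
pub const SIGNED_ENVELOPE_WINDOW_MS: u64 = 5 * 60 * 1000;

#[derive(Debug, PartialEq)]
pub enum Reject { MissingTimestamp, OutsideWindow { skew_ms: u64 }, NotOwner }

/// Step 4. Assumption: the window is symmetric, so an envelope dated too far
/// in the future is rejected as well as a stale one.
pub fn check_freshness(signed_at_ms: u64, now_ms: u64) -> Result<(), Reject> {
    if signed_at_ms == 0 {
        return Err(Reject::MissingTimestamp);
    }
    // abs_diff cannot underflow when signed_at_ms is ahead of the receiver clock.
    let skew_ms = signed_at_ms.abs_diff(now_ms);
    if skew_ms > SIGNED_ENVELOPE_WINDOW_MS {
        return Err(Reject::OutsideWindow { skew_ms });
    }
    Ok(())
}

/// Simplified stand-in for RoomMessage; the variant fields are hypothetical.
#[allow(dead_code)]
#[derive(Debug)]
pub enum RoomMessage { BanMember { target: String }, Chat { text: String } }

/// Caller-side check on the fingerprint returned by verify_signed.
/// No wildcard arm: a new variant will not compile until it gets a policy.
pub fn authorize(msg: &RoomMessage, sender_fp: &str, owners: &HashSet<String>) -> Result<(), Reject> {
    match msg {
        RoomMessage::BanMember { .. } if owners.contains(sender_fp) => Ok(()),
        RoomMessage::BanMember { .. } => Err(Reject::NotOwner),
        RoomMessage::Chat { .. } => Ok(()),
    }
}

fn main() {
    let now_ms = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_millis() as u64;
    let owners: HashSet<String> = HashSet::from(["fp-owner".to_string()]); // constructed
    let ban = RoomMessage::BanMember { target: "fp-target".into() };
    println!("{:?}", check_freshness(now_ms - 1_000, now_ms));
    println!("{:?}", authorize(&ban, "fp-member", &owners));
}
```

A validly signed, fresh BanMember from a non-owner passes every step inside verify_signed and is stopped only by the caller's own check.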