Function evaluate_constraints 

pub fn evaluate_constraints<'a>(
    cert: &DelegationCert,
    ctx: &VerifierContext<'_>,
    now_sec: i64,
    ext_evaluators: Option<&BTreeMap<String, Box<dyn ConstraintEvaluator + 'a>>>,
) -> Result<(), String>

Run every Constraint on cert against the caller-supplied VerifierContext. Return Ok(()) iff all pass; an error string otherwise. Fail-closed: unknown Type or missing required context field causes rejection. (SPEC §17.7) Unknown built-in types fall through to ext_evaluators before failing closed.