Verified client certificate captured at TLS handshake time, with
every predicate-readable field pre-extracted so the per-Check
dispatch is allocation-light. Built once by the engine’s
post-handshake population (run_tls); the seven
tls.peer_cert.* predicates read pre-computed strings off this
struct rather than re-parsing the DER on every test.