
fix(framework): Fail trusted entity verification when SuperLink doesn't have app validation support #6811

Merged
danieljanes merged 6 commits into main from supernode-fail-closed-trusted-entities
Mar 23, 2026

@mohammadnaseri
Member

When trusted_entities is configured on a SuperNode, app verification now fails if the connected SuperLink does not return validation metadata. Previously, the SuperNode only logged a warning and continued; with this change it rejects the FAB instead, so trusted-entity verification behaves consistently across SuperLinks that do and do not support app validation.

Copilot AI review requested due to automatic review settings March 22, 2026 18:29
@github-actions github-actions bot added the Maintainer Used to determine what PRs (mainly) come from Flower maintainers. label Mar 22, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR makes trusted-entity verification on the SuperNode fail closed when the connected SuperLink does not provide app validation metadata, ensuring consistent enforcement of trusted_entities across SuperLink variants.

Changes:

  • Update SuperNode FAB handling to reject FABs (and generate an error reply) when trusted_entities is configured but validation metadata is missing.
  • Add unit tests covering rejection when verification metadata is missing and when FAB signature verification fails.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| framework/py/flwr/supernode/start_client_internal.py | Changes _pull_and_store_message to treat missing app validation metadata as a hard failure when trusted_entities is set. |
| framework/py/flwr/supernode/start_client_internal_test.py | Adds tests to assert fail-closed behavior for missing metadata and invalid FAB verification. |


@msheller
Member

LGTM, but I have a few items for cleaning up in the future:

  • a single failure code path is preferred to prevent future bugs
  • "magic strings" are risky in security checks. Ideally, these are clean enums/constants (again, helps with future bugs and with review because it builds the mental model)

@danieljanes danieljanes enabled auto-merge (squash) March 23, 2026 21:34
@danieljanes danieljanes merged commit bd9c898 into main Mar 23, 2026
70 checks passed
@danieljanes danieljanes deleted the supernode-fail-closed-trusted-entities branch March 23, 2026 21:42
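
Added example, not part of this PR or of Flower's code base: the fail-closed decision from the PR description, written with enum reason codes and one rejection path as the review comment suggests. All names (`Verdict`, `verify_fab`, `_check`, the metadata keys) are hypothetical, and HMAC stands in for the actual signature scheme, which this page does not show.

```python
import hashlib
import hmac
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):  # hypothetical reason codes, used instead of bare strings
    ACCEPTED = "accepted"
    NOT_REQUIRED = "not_required"
    MISSING_METADATA = "missing_metadata"
    UNTRUSTED_SIGNER = "untrusted_signer"
    BAD_SIGNATURE = "bad_signature"


def _tag(key: bytes, fab: bytes) -> str:
    # HMAC-SHA256 over the FAB hash; a stand-in for the real signature scheme.
    return hmac.new(key, hashlib.sha256(fab).digest(), hashlib.sha256).hexdigest()


def _check(fab: bytes, meta: Optional[dict], trusted: dict) -> Verdict:
    if not trusted:
        return Verdict.NOT_REQUIRED  # nothing configured, nothing to enforce
    if not meta or "signer" not in meta or "sig" not in meta:
        return Verdict.MISSING_METADATA  # the peer sent no validation metadata
    key = trusted.get(meta["signer"])
    if key is None:
        return Verdict.UNTRUSTED_SIGNER
    if not hmac.compare_digest(_tag(key, fab).encode(), str(meta["sig"]).encode()):
        return Verdict.BAD_SIGNATURE
    return Verdict.ACCEPTED


def verify_fab(fab: bytes, meta: Optional[dict], trusted: dict,
               fail_closed: bool = True) -> Tuple[bool, Verdict]:
    """Single decision point: every rejection leaves through the last line."""
    verdict = _check(fab, meta, trusted)
    if verdict in (Verdict.ACCEPTED, Verdict.NOT_REQUIRED):
        return True, verdict
    if verdict is Verdict.MISSING_METADATA and not fail_closed:
        return True, verdict  # warn-and-continue, the behaviour before the change
    return False, verdict


# Constructed sample data, not taken from the PR.
TRUSTED = {"entity-a": b"constructed-demo-key"}
FAB = b"constructed fab bytes"
GOOD_META = {"signer": "entity-a", "sig": _tag(TRUSTED["entity-a"], FAB)}
```

With `fail_closed=False` a peer that omits the metadata gets the same outcome as one that supplies a valid signature, which is the inconsistency the PR removes.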