Assert empty payload before discarding it on CertValidationNeeded

VerifyRemoteCertificateAndGenerateNextToken released the incoming token's
payload unconditionally. SecureTransport pauses the handshake at the peer-
auth-completed break before producing the next flight, so the pending-
writes buffer drained into the token is expected to be empty. Add a debug
assert so any future regression that produced bytes at this point is
surfaced loudly instead of silently dropping handshake bytes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: liveans

src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs

@@ -944,6 +944,11 @@ private ProtocolToken GenerateToken(ReadOnlySpan<byte> inputBuffer, out int cons
 #if TARGET_APPLE
         private ProtocolToken VerifyRemoteCertificateAndGenerateNextToken(ProtocolToken token)
         {
+            // SecureTransport pauses the handshake (errSSL{Server,Client}AuthCompleted) before
+            // any bytes are produced for the next handshake flight, so the pending-writes buffer
+            // drained into token should be empty here. Assert to catch any future regression
+            // that would silently drop handshake bytes.
+            Debug.Assert(token.Size == 0, "Expected empty payload at CertValidationNeeded pause; dropping non-empty payload would lose handshake bytes.");
             token.ReleasePayload();
 
             ProtocolToken alertToken = default;