fix(tss): verify recipients before signing

[mrdanish26]

TICKET: WAL-375

Description

Ensures verifyTransaction always receives recipient details before any signing material is sent to BitGo, preventing a compromised API from silently substituting signableHex with attacker-controlled bytes.

A resolveEffectiveTxParams() guard is added to both ECDSA and MPCv2 signRequestBase() paths. It resolves recipients from three sources in priority order:

1. txParams.recipients — normal case.
2. txRequest.intent.recipients — fallback for smart-contract interactions (e.g. Tempo supplyController) where native ETH amount = 0 so buildParams is empty but intent carries the recipients.
3. No-recipient tx types (tokenApproval, acceleration, fillNonce, bridgeFunds, consolidate, transferToken) — guard skipped; verifyTransaction handles validation internally.

Shared logic is extracted to tss/ecdsa/base.ts (NO_RECIPIENT_TX_TYPES + resolveEffectiveTxParams) to avoid duplication between the two signing paths.

A previous PR (#8462) hard-threw on any empty recipients, breaking cases 2 and 3. It was reverted in #8538. This PR supersedes it.

Type of change

• Bug fix (non-breaking change which fixes an issue)

Testing

Added 4 new unit tests to each signing path (8 total):

• signTxRequest should succeed when recipients are only in intent — validates intent fallback
• signTxRequest should succeed for no-recipient tx types (tokenApproval) — exemption
• signTxRequest should succeed for no-recipient tx types (acceleration) — exemption
• signTxRequest should prefer txParams.recipients over intent.recipients when both present — priority

[linear]

WAL-375 [Security] MPCv2 signTxRequest() Defaults txParams to Empty Recipients — Transaction Verification Bypass

[sachushaji]

@claude