fix: validate bitcoin addresses received from pool messages in the web gui

The web GUI accepted any string as an output address from pool messages. Pool messages come from untrusted peers over nostr, so a malicious participant could inject garbage that later fails PSBT creation, or content meant for injection. The Electrum plugin already validates participant addresses with is_address(); the web GUI had no equivalent check.

Addresses from output messages are now validated with embit (decode to a scriptPubKey, covering base58 and bech32 for mainnet, testnet, signet and regtest) before being added to the round, in both the check-outputs poll and the register-input recovery path. Invalid addresses are logged and dropped.

Closes #29

Merge request reports

Loading