fix(signals): verify TX sender matches provider before publishing

[antfleet-ops]

Fix: verify TX sender matches provider before publishing a signal

Severity: MEDIUM

What's wrong

signals/scripts/publish-signal.sh accepts any TX hash as trade proof without verifying that the transaction was actually sent by the signal provider's wallet. A subscriber could pass any confirmed on-chain TX (even one from a completely unrelated address) and publish it as their own trade — fabricating a track record.

The SKILL.md guarantees "All track records verified against blockchain data. No fake performance claims." — but the code never enforces the one check that makes that guarantee meaningful: that the TX from field matches the provider address.

Fix

Before posting the signal, fetch the on-chain receipt and check:

1. TX exists on Base
2. TX succeeded (status == 0x1)
3. TX from == provider wallet address (the missing check)

If any check fails, the script exits non-zero and the signal is not published.

+# Verify TX on-chain: must exist, must have succeeded, and must have been sent
+# by this provider — prevents publishing someone else's TX as your own trade proof.
+if [ "$TX_FROM" != "$PROVIDER" ]; then
+  echo "Error: TX sender $TX_FROM does not match provider $PROVIDER" >&2
+  exit 1
+fi

---

Found by AntFleet automated security review. Bench PR: AntFleet/bankrskills-bench#5