fix: reject short WBGL signatures without panic

[tolga-tom-nook]

Summary

• reject WBGL submit signatures whose decoded byte length is not exactly 65 before reading the recovery byte
• prevent malformed short hex signatures from panicking in validateMsgSignature
• add a focused regression test for the short-signature case

Root cause / acceptance proof

validateMsgSignature decodes the hex signature and then immediately reads sigBytes[64]. A syntactically valid but too-short hex signature such as 0x00 decodes successfully to one byte, then panics with an index-out-of-range runtime error.

This turns malformed user input into a normal validation error instead of crashing the handler path.

Validation

• RED before fix: go test ./workers/handlers -run TestValidateMsgSignatureRejectsShortSignature -count=1 panicked with index out of range [64] with length 1
• GREEN after fix: go test ./workers/handlers -run TestValidateMsgSignatureRejectsShortSignature -count=1
• Full suite: go test ./...

Bounty note

Submitting as a focused bridge robustness/security improvement for the Bitgesell bounty/improvement program, especially BitgesellOfficial/bitgesell#81. If approved for payout, USDT/EVM-compatible address: 0x4a76c7E64C08cF29B59eFC640b4ada97A270d428.

Assisted by Hermes Agent.

[tolga-tom-nook]

Pushed a small hardening follow-up to this PR (903183e):

• expands malformed signature coverage beyond the original short-signature regression
• adds positive coverage for both 0/1 and 27/28 recovery-ID encodings so the guard does not accidentally reject valid WBGL signatures

Re-verified locally:

go test ./workers/handlers
go test ./...
git diff --check pr-5..HEAD