Fix VaultLockedException crash in resolveSigner() before biometric unlock

[Copilot]

resolveSigner() accessed signer.publicKey for an account-match check before biometric unlock. For VaultSigner, this throws VaultLockedException when the key isn't cached yet — crashing the operation even though the subsequent ensureBiometricAuth() call would have unlocked and cached it.

Changes

• resolveSigner() — wraps publicKey access in catch(VaultLockedException), skipping the eager account check when the vault is locked and deferring it to post-unlock
• New verifyAccountMatch(signer, account) — performs the deferred account-match check after unlock; re-throws VaultLockedException directly if the vault is still locked (rather than letting a confusing IllegalArgumentException surface with no key available)
• All 5 callers (transferToken, createAccount, closeAccount, swapInstruction, swap) — call verifyAccountMatch() immediately after ensureBiometricAuth()
• resolveSignersForBatch() — same VaultLockedException catch applied; full per-option validation falls through to resolveSignerForAccount() inside the forEach loop once the vault is open

// Before: crashes with VaultLockedException when vault is locked
if (account.isNotBlank() && signer.publicKey.toBase58() != account) { ... }

// After: defers check when vault is locked, validates eagerly when key is cached
try {
    val signerKey = signer.publicKey.toBase58()
    if (signerKey != account) throw IllegalArgumentException(...)
} catch (e: VaultLockedException) {
    // deferred — verifyAccountMatch() called after ensureBiometricAuth()
}

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• dl.google.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)