Validate destination address at swap confirm and CLI entry

[fansilas]

Summary

An empty or malformed to_address currently flows through the swap-confirm path into vote_initiate untouched. The CLI side prints a soft warning and then proceeds anyway. Both entry points should reject a bad destination before it leaves the validator or the user's terminal.

Changes

Validator (handle_swap_confirm in allways/validator/axon_handlers.py):

• Empty to_address is rejected before the axon lock is acquired, matching the existing pattern for from_address and from_tx_proof.
• After resolve_swap_direction returns, the destination-chain provider is looked up and is_valid_address(synapse.to_address) is checked. Missing provider or failed format check rejects the synapse before the source-chain tx fetch runs.

CLI (alw swap now in allways/cli/swap_commands/swap.py):

• The yellow warning on an invalid receive address becomes a red error and returns.
• The hasattr(provider, 'is_valid_address') guard is removed because the method is abstract on ChainProvider and every provider already implements it.

Why this layer

A queued PendingConfirm carrying a garbage to_address otherwise sits in the validator state store until either the reservation expires or the auto-initiate replay hits it, blocking the miner from being reserved for a legitimate swap in the meantime. Catching at handle_swap_confirm avoids that trap and also keeps the contract from seeing values it would have to reject anyway.

Tests

tests/test_axon_handlers.py is new. It covers every rejection branch of handle_swap_confirm, including the two added checks, plus the queue-on-unconfirmed path, reservation expired, reservation data missing, no commitment, same-chain commitment, unsupported direction, unsupported source chain, unsupported destination chain, source tx not found, contract rejection, non-rejection contract error, and unexpected exception. This handler had no unit coverage before.

Local run:

$ pytest tests/
287 passed