fix: reject PSBT inputs with non-standard sighash types before signing

[odudex]

What is this PR for?

Although Embit already refuses to sign inputs with non-ALL sighash by default, this adds a redundant pre-sign validation that refuses to sign if any input requests SIGHASH_NONE, SIGHASH_SINGLE, or ANYONECANPAY, which could allow an attacker to redirect funds after signing. Addresses security audit C2 of #843

Changes made to:

• Code
• Tests
• Docs
• CHANGELOG

Did you build the code and tested on device?

• Yes, build and tested on Amigo + Sparrow

What is the purpose of this pull request?

• Bug fix
• New feature
• Docs update
• Other

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.31%. Comparing base (76feb7b) to head (08036f0).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop     #844   +/-   ##
========================================
  Coverage    97.31%   97.31%           
========================================
  Files           83       83           
  Lines        10573    10581    +8     
========================================
+ Hits         10289    10297    +8     
  Misses         284      284           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[joaozinhom]

ACK 08036f0