Splice command returns success before peers exchange `tx_signatures`

[remyers]

Eclair will report success as soon as the splice initiator has sent their commit_sig, even if the peers have not exchanged tx_signatures yet.

For example, if the peers disconnect after the splice initiator sends their commit_sig, but before the other peer receives it's tx_complete, the splice initiator will return to the user that the splice was successful.

    // alice                    bob
    //   |         ...           |
    //   |    <interactive-tx>   |
    //   |<----- tx_complete ----|
    //   |------ tx_complete --X |
    //   |------ commit_sig ---X |  return RES_SPLICE
    //   |      <disconnect>     |
    //   |      <reconnect>      |
    //   | <channel_reestablish> |
    //   |<------ tx_abort ------|
    //   |------- tx_abort ----->|

Eclair should wait until tx_signatures have been exchanged before the command returns success, and otherwise return failure.

This should only occur for rare edge cases, but it could result in confusion for operators.

This could lead to problems with liquidity purchases if the purchaser uses fee credits but the splice is automatically aborted after a disconnect.

[t-bast]

That's a good point! IIRC this is because it wasn't trivial to wait until tx_signatures to respond to the command, while correctly handling disconnections (in which case we must respond to the command with a failure). But it's definitely worth investigating, it would be nice to fix!

[remyers]

I'll investigate and also look at lightning-kmp where it might be more likely to cause problems.