Fix resharing for old keys

.github/workflows/ci.yml

@@ -100,11 +100,11 @@ jobs:
           echo "Files in current directory:"
           ls -la
           govulncheck -format=sarif ./... > govulncheck-results.sarif
-          
+
           govulncheck -json ./... > vuln.json
           count=$(jq '[.[] | select(.finding != null and .finding.trace != null)] | length' vuln.json || echo 0)
           echo "Found $count vulnerabilities"
-          
+
           if [ "$count" -gt 0 ]; then
             echo "⚠️ Vulnerabilities found by govulncheck (see Security tab for details)"
           else
@@ -259,9 +259,10 @@ jobs:
         run: |
           curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
 
-      - name: Scan SBOM with Grype
+      # Keep SBOM generation & artifact upload as-is (no SARIF upload from SBOM)
+      - name: Grype SARIF (directory scan)
         run: |
-          grype sbom.spdx.json -o sarif --file grype-results.sarif
+          grype dir:. -o sarif --file grype-results.sarif
         continue-on-error: true
 
       - name: Upload Grype results to GitHub Security tab

pkg/eventconsumer/event_consumer.go

@@ -603,7 +603,6 @@ func (ec *eventConsumer) consumeReshareEvent() error {
 			return ec.node.CreateReshareSession(
 				sessionType,
 				walletID,
-				ec.mpcThreshold,
 				msg.NewThreshold,
 				msg.NodeIDs,
 				isNewPeer,
@@ -638,11 +637,19 @@ func (ec *eventConsumer) consumeReshareEvent() error {
 		ctx := context.Background()
 		var wg sync.WaitGroup
 		if oldSession != nil {
-			oldSession.Init()
+			err := oldSession.Init()
+			if err != nil {
+				ec.handleReshareSessionError(walletID, keyType, msg.NewThreshold, err, "Failed to init old reshare session", natMsg)
+				return
+			}
 			oldSession.ListenToIncomingMessageAsync()
 		}
 		if newSession != nil {
-			newSession.Init()
+			err := newSession.Init()
+			if err != nil {
+				ec.handleReshareSessionError(walletID, keyType, msg.NewThreshold, err, "Failed to init new reshare session", natMsg)
+				return
+			}
 			newSession.ListenToIncomingMessageAsync()
 		}
 

pkg/mpc/ecdsa_resharing_session.go

@@ -18,7 +18,7 @@ import (
 
 type ReshareSession interface {
 	Session
-	Init()
+	Init() error
 	Reshare(done func())
 	GetPubKeyResult() []byte
 }
@@ -99,7 +99,7 @@ func NewECDSAReshareSession(
 	}
 }
 
-func (s *ecdsaReshareSession) Init() {
+func (s *ecdsaReshareSession) Init() error {
 	logger.Infof("Initializing resharing session with partyID: %s, newPartyIDs %s", s.selfPartyID, s.partyIDs)
 	var share keygen.LocalPartySaveData
 
@@ -110,15 +110,15 @@ func (s *ecdsaReshareSession) Init() {
 	} else {
 		err := s.loadOldShareDataGeneric(s.walletID, s.GetVersion(), &share)
 		if err != nil {
-			s.ErrCh <- err
-			return
+			return fmt.Errorf("failed to load old share data ecdsa: %w", err)
 		}
 	}
 
 	s.party = resharing.NewLocalParty(s.reshareParams, share, s.outCh, s.endCh)
 
 	logger.Infof("[INITIALIZED] Initialized resharing session successfully partyID: %s, peerIDs %s, walletID %s, oldThreshold = %d, newThreshold = %d",
 		s.selfPartyID, s.partyIDs, s.walletID, s.threshold, s.reshareParams.NewThreshold())
+	return nil
 }
 
 func (s *ecdsaReshareSession) Reshare(done func()) {

pkg/mpc/eddsa_resharing_session.go

@@ -91,7 +91,7 @@ func NewEDDSAReshareSession(
 	}
 }
 
-func (s *eddsaReshareSession) Init() {
+func (s *eddsaReshareSession) Init() error {
 	logger.Infof("Initializing resharing session with partyID: %s, peerIDs %s", s.selfPartyID, s.partyIDs)
 	var share keygen.LocalPartySaveData
 	if s.isNewParty {
@@ -100,13 +100,14 @@ func (s *eddsaReshareSession) Init() {
 	} else {
 		err := s.loadOldShareDataGeneric(s.walletID, s.GetVersion(), &share)
 		if err != nil {
-			s.ErrCh <- err
-			return
+			return fmt.Errorf("failed to load old share data eddsa: %w", err)
 		}
 	}
 	s.party = resharing.NewLocalParty(s.reshareParams, share, s.outCh, s.endCh)
 	logger.Infof("[INITIALIZED] Initialized resharing session successfully partyID: %s, peerIDs %s, walletID %s, oldThreshold = %d, newThreshold = %d",
 		s.selfPartyID, s.partyIDs, s.walletID, s.threshold, s.reshareParams.NewThreshold())
+
+	return nil
 }
 
 func (s *eddsaReshareSession) Reshare(done func()) {

pkg/mpc/node.go

@@ -272,7 +272,6 @@ func (p *Node) ensureNodeIsParticipant(keyInfo *keyinfo.KeyInfo) error {
 func (p *Node) CreateReshareSession(
 	sessionType SessionType,
 	walletID string,
-	oldThreshold int,
 	newThreshold int,
 	newPeerIDs []string,
 	isNewPeer bool,
@@ -334,6 +333,7 @@ func (p *Node) CreateReshareSession(
 		"ready count", len(readyOldParticipantIDs),
 		"min ready", oldKeyInfo.Threshold+1,
 		"version", oldKeyInfo.Version,
+		"isNewPeer", isNewPeer,
 	)
 
 	if len(readyOldParticipantIDs) < oldKeyInfo.Threshold+1 {
@@ -380,7 +380,7 @@ func (p *Node) CreateReshareSession(
 			selfPartyID,
 			oldAllPartyIDs,
 			newAllPartyIDs,
-			oldThreshold,
+			oldKeyInfo.Threshold,
 			newThreshold,
 			preParams,
 			p.kvstore,
@@ -401,7 +401,7 @@ func (p *Node) CreateReshareSession(
 			selfPartyID,
 			oldAllPartyIDs,
 			newAllPartyIDs,
-			oldThreshold,
+			oldKeyInfo.Threshold,
 			newThreshold,
 			p.kvstore,
 			p.keyinfoStore,

pkg/mpc/session.go

@@ -242,12 +242,18 @@ func (s *session) loadOldShareDataGeneric(walletID string, version int, dest int
 	if version > 0 {
 		key = s.composeKey(walletIDWithVersion(walletID, version))
 		keyData, err = s.kvstore.Get(key)
+		if err != nil {
+			return err
+		}
 	}
 
 	// If version == 0 or previous key not found, fall back to unversioned key
-	if err != nil || version == 0 {
+	if version == 0 {
 		key = s.composeKey(walletID)
 		keyData, err = s.kvstore.Get(key)
+		if err != nil {
+			return err
+		}
 	}
 
 	if err != nil {