fix(tbtc/signer): free finalized non-signing siblings on aggregate (re-review)

mswilkison · claude · mswilkison · commit 49fdcbcc9ec1 · 2026-06-20T18:19:30.000-04:00
Codex re-review (P2, valid): when a multi-seat attempt aggregates with a threshold
subset that EXCLUDES a local member which opened/Round1'd the same attempt + root,
that member never calls Round2 (it is not a signer), so the Round2 completion gate
never runs for it - its interactive_signing entry (nonces, key, message) and its
live-member capacity slot stayed resident until the 1h TTL or an explicit abort.

interactive_aggregate's success path now frees the LOCAL siblings finalized by the
completion: after persisting the marker, remove + zeroize every interactive_signing
entry on (attempt_id, taproot root) - the signers' entries were already removed at
their Round2, and a sibling on a DIFFERENT root is a distinct signing task and is
left untouched. The Round2 completion gate stays as the defense for a sibling that
RE-OPENS the finalized attempt and tries to sign.

Test interactive_round2_refused_after_aggregate_for_unsigned_sibling now asserts the
non-signing sibling is freed at aggregation, then re-opens it and confirms the gate
still refuses its Round2. All 296 lib tests pass; cargo fmt clean.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/pkg/tbtc/signer/src/engine/interactive.rs b/pkg/tbtc/signer/src/engine/interactive.rs
@@ -915,6 +915,31 @@ pub fn interactive_aggregate(
             .remove(&aggregated_marker);
         return Err(persist_error);
     }
+
+    // The attempt is now final for (attempt_id, message, root). A LOCAL sibling seat
+    // that opened/Round1'd this same attempt + root but is NOT in the signing subset
+    // never calls Round2, so free those entries now - zeroizing their nonces and
+    // returning their live-member slots - rather than leaving them resident until the
+    // TTL sweep. The signers' own entries were already removed at their Round2; a
+    // sibling on a DIFFERENT root is a distinct signing task and is left untouched.
+    let session = guard
+        .sessions
+        .get_mut(&request.session_id)
+        .expect("session existed under the held engine lock");
+    let finalized_members: Vec<u16> = session
+        .interactive_signing
+        .iter()
+        .filter(|(_, entry)| {
+            entry.attempt_context.attempt_id == attempt_id
+                && entry.taproot_merkle_root == taproot_merkle_root
+        })
+        .map(|(member, _)| *member)
+        .collect();
+    for member in &finalized_members {
+        if let Some(mut removed) = session.interactive_signing.remove(member) {
+            zeroize_interactive_round1(&mut removed);
+        }
+    }
     drop(guard);
 
     record_hardening_telemetry(|telemetry| {
diff --git a/pkg/tbtc/signer/src/engine/tests.rs b/pkg/tbtc/signer/src/engine/tests.rs
@@ -11755,7 +11755,8 @@ fn interactive_round2_refused_after_aggregate_for_unsigned_sibling() {
         member_identifier: 2,
     })
     .expect("member 2 round 1");
-    let c3 = interactive_round1(InteractiveRound1Request {
+    // Seat 3 opens + Round1s the same attempt but is NOT in the {1,2} signing subset.
+    interactive_round1(InteractiveRound1Request {
         session_id: session_id.to_string(),
         attempt_id: opened.attempt_id.clone(),
         member_identifier: 3,
@@ -11829,9 +11830,28 @@ fn interactive_round2_refused_after_aggregate_for_unsigned_sibling() {
         );
     }
 
-    // Seat 3 (open, round1'd, never signed) tries to release a share for the now
-    // completed attempt, in a subset it WOULD be valid for ({1,3}). Without the
-    // completion gate this releases a fresh share; with it the attempt is final.
+    // Aggregation proactively frees the LOCAL non-signing sibling (seat 3): it never
+    // calls Round2, so its entry must not linger to the TTL sweep.
+    {
+        let guard = state().expect("state").lock().expect("lock");
+        let session = guard.sessions.get(session_id).expect("session exists");
+        assert!(
+            !session.interactive_signing.contains_key(&3),
+            "the non-signing sibling is freed when the attempt aggregates"
+        );
+    }
+
+    // If seat 3 RE-OPENS the finalized attempt and tries to release a share (in a
+    // {1,3} subset it would otherwise be valid for), the completion gate refuses it:
+    // the bound marker makes the attempt/message/root final.
+    open_interactive_for_test(session_id, key_group, &message, &included, 1, 3, 2)
+        .expect("seat 3 re-opens the finalized attempt");
+    let c3_reopened = interactive_round1(InteractiveRound1Request {
+        session_id: session_id.to_string(),
+        attempt_id: opened.attempt_id.clone(),
+        member_identifier: 3,
+    })
+    .expect("seat 3 round 1 after re-open");
     let package_13 = interactive_package_for_test(
         &message,
         vec![
@@ -11841,7 +11861,7 @@ fn interactive_round2_refused_after_aggregate_for_unsigned_sibling() {
             },
             NativeFrostCommitment {
                 identifier: key_packages[&3].identifier.clone(),
-                data_hex: c3.commitments_hex.clone(),
+                data_hex: c3_reopened.commitments_hex.clone(),
             },
         ],
     );
