fix(frost): enforce no-coarse-fallback at the single coarse-invocation point

Codex review (PR #4101 P2): the interactive-only check sat in
attemptRoastRetryOrchestrationFromRequest, AFTER the drive - so the earlier
static-fallback returns (readiness gate off, no coordinator registered, unsupported
signer material) returned (nil, nil, nil) before the check ran, and the adapter then
proceeded to the coarse primitive. KEEP_CORE_FROST_INTERACTIVE_SIGNING_ONLY was
bypassed on exactly the misconfigured/cutover paths it was meant to protect.

Move the enforcement to native_ffi_executor_adapter, the SINGLE point where the coarse
primitive is invoked: when the orchestration yields no interactive signature for ANY
reason (audit gate off, no engine, or any static fallback) and interactive-only mode
is on, the adapter fails CLOSED before nefea.primitive.Sign instead of falling
through. Revert the partial executor-entry check.

Test moves to the adapter level: TestNativeExecutionFFIExecutorAdapter_Execute_
InteractiveOnlyRefusesCoarse runs in the DEFAULT build, where the orchestration helper
is a no-op (nil,nil,nil) - the ultimate static fallback - and asserts the adapter
returns a refusal AND the coarse primitive's signCalls == 0 (never invoked). Plus the
flag-parsing test. Builds across all tag combos; existing adapter + executor-entry
tests unchanged; gofmt clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: mswilkison

pkg/frost/signing/native_ffi_executor_adapter.go

@@ -144,6 +144,20 @@ func (nefea *nativeExecutionFFIExecutorAdapter) Execute(
 		}, nil
 	}
 
+	if InteractiveSigningOnlyEnabled() {
+		// Interactive-only mode (coarse-path retirement): the orchestration produced
+		// no interactive signature - the audit gate is off, no engine is registered,
+		// OR any static fallback fired (readiness off, no coordinator, unsupported
+		// material). This is the SINGLE point where the coarse primitive is invoked,
+		// so refusing here fails CLOSED on every fall-through path rather than
+		// silently signing over the retired coarse path.
+		return nil, fmt.Errorf(
+			"interactive-only signing mode (%s) is set but interactive signing did not run "+
+				"(%s off, no engine, or static fallback); refusing the coarse fallback",
+			InteractiveSigningOnlyEnvVar, InteractiveSigningOptInEnvVar,
+		)
+	}
+
 	signature, err := nefea.primitive.Sign(ctx, logger, ffiRequest)
 	if err != nil {
 		return nil, err

pkg/frost/signing/native_ffi_executor_adapter_test.go

@@ -257,6 +257,75 @@ func TestNativeExecutionFFIExecutorAdapter_Execute_RejectsNilSignature(
 	}
 }
 
+func TestNativeExecutionFFIExecutorAdapter_Execute_InteractiveOnlyRefusesCoarse(
+	t *testing.T,
+) {
+	// Coarse-path retirement: with interactive-only mode ON, the adapter must NOT fall
+	// through to the coarse primitive on ANY no-interactive-signature path. In the
+	// default build attemptRoastRetryOrchestrationFromRequest is a no-op (nil,nil,nil)
+	// - the ultimate static fallback - so this exercises exactly the gap Codex flagged:
+	// a fall-through that an executor-level check (which runs only after orchestration
+	// activates) would have bypassed. The adapter is the single coarse-invocation
+	// point, so the refusal here covers every path.
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+
+	primitive := &mockNativeExecutionFFISigningPrimitive{
+		signature: &frost.Signature{
+			R: [frost.SignatureComponentSize]byte{0x01},
+			S: [frost.SignatureComponentSize]byte{0x02},
+		},
+	}
+
+	executor, err := NewNativeExecutionFFIExecutorAdapter(primitive)
+	if err != nil {
+		t.Fatalf("unexpected adapter setup error: [%v]", err)
+	}
+
+	_, err = executor.Execute(context.Background(), nil, &Request{
+		Message:            big.NewInt(123),
+		SessionID:          "session-interactive-only",
+		MemberIndex:        2,
+		GroupSize:          5,
+		DishonestThreshold: 1,
+		SignerMaterial: &NativeSignerMaterial{
+			Format:  NativeSignerMaterialFormatFrostUniFFIV1,
+			Payload: []byte{0xaa},
+		},
+		Attempt: &Attempt{
+			Number:                 3,
+			CoordinatorMemberIndex: 1,
+			IncludedMembersIndexes: []group.MemberIndex{1, 2, 3},
+		},
+	})
+	if err == nil {
+		t.Fatal("interactive-only mode must fail closed instead of using the coarse primitive")
+	}
+	if !strings.Contains(err.Error(), InteractiveSigningOnlyEnvVar) {
+		t.Fatalf("unexpected error (want a refusal naming %s): %v", InteractiveSigningOnlyEnvVar, err)
+	}
+	if primitive.signCalls != 0 {
+		t.Fatalf(
+			"coarse primitive must NOT be called in interactive-only mode, got %d call(s)",
+			primitive.signCalls,
+		)
+	}
+}
+
+func TestInteractiveSigningOnlyEnabled_ParsesFlag(t *testing.T) {
+	t.Setenv(InteractiveSigningOnlyEnvVar, "")
+	if InteractiveSigningOnlyEnabled() {
+		t.Fatal("unset must be off")
+	}
+	t.Setenv(InteractiveSigningOnlyEnvVar, "  TrUe ")
+	if !InteractiveSigningOnlyEnabled() {
+		t.Fatal("case-insensitive, trimmed true must be on")
+	}
+	t.Setenv(InteractiveSigningOnlyEnvVar, "false")
+	if InteractiveSigningOnlyEnabled() {
+		t.Fatal("false must be off")
+	}
+}
+
 func TestNativeExecutionFFIExecutorAdapter_RegisterUnmarshallers_Delegates(
 	t *testing.T,
 ) {

pkg/frost/signing/roast_retry_executor_entry_frost_native.go

@@ -131,16 +131,5 @@ func attemptRoastRetryOrchestrationFromRequest(
 	if err != nil {
 		return nil, cleanup, err
 	}
-	if signature == nil && InteractiveSigningOnlyEnabled() {
-		// Interactive-only mode (coarse-path retirement): interactive signing did
-		// not produce a signature (its audit gate is off, or no engine is
-		// registered), and the coarse fallback is disabled - fail CLOSED rather than
-		// silently signing via the retired coarse path.
-		return nil, cleanup, fmt.Errorf(
-			"interactive-only signing mode (%s) is set but interactive signing did not run "+
-				"(%s off or no engine registered); refusing the coarse fallback",
-			InteractiveSigningOnlyEnvVar, InteractiveSigningOptInEnvVar,
-		)
-	}
 	return signature, cleanup, nil
 }

pkg/frost/signing/roast_retry_executor_entry_frost_roast_retry_test.go

@@ -7,7 +7,6 @@ import (
 	"encoding/json"
 	"errors"
 	"math/big"
-	"strings"
 	"testing"
 
 	"github.com/ipfs/go-log/v2"
@@ -37,55 +36,6 @@ func newEntryRetryTestRequest(t *testing.T) *NativeExecutionFFISigningRequest {
 	}
 }
 
-func TestEntry_InteractiveOnly_RefusesCoarseFallback(t *testing.T) {
-	// Coarse-path retirement: with interactive-only mode ON but interactive signing
-	// not running (its audit gate off), the executor must REFUSE the coarse fallback
-	// and fail closed, rather than returning a nil signature for the caller to sign
-	// over the retired coarse path.
-	t.Setenv(RoastRetryReadinessOptInEnvVar, "true")
-	t.Setenv(InteractiveSigningOptInEnvVar, "") // audit gate OFF -> the drive returns nil
-	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
-	ResetRoastRetryRegistrationForTest()
-	ResetSessionHandleRegistryForTest()
-	t.Cleanup(ResetRoastRetryRegistrationForTest)
-	t.Cleanup(ResetSessionHandleRegistryForTest)
-
-	RegisterRoastRetryCoordinator(RoastRetryDeps{
-		Coordinator: roast.NewInMemoryCoordinator(),
-		Signer:      roast.NoOpSigner(),
-		Verifier:    roast.NoOpSignatureVerifier(),
-		SelfMember:  1,
-	})
-
-	signature, _, err := attemptRoastRetryOrchestrationFromRequest(
-		context.Background(), newEntryRetryTestRequest(t), log.Logger("entry-interactive-only"),
-	)
-	if signature != nil {
-		t.Fatal("interactive-only refusal must not return a signature")
-	}
-	if err == nil {
-		t.Fatal("interactive-only mode must refuse the coarse fallback when interactive signing did not run")
-	}
-	if !strings.Contains(err.Error(), InteractiveSigningOnlyEnvVar) {
-		t.Fatalf("unexpected error (want a refusal naming %s): %v", InteractiveSigningOnlyEnvVar, err)
-	}
-}
-
-func TestEntry_InteractiveSigningOnlyEnabled_ParsesFlag(t *testing.T) {
-	t.Setenv(InteractiveSigningOnlyEnvVar, "")
-	if InteractiveSigningOnlyEnabled() {
-		t.Fatal("unset must be off")
-	}
-	t.Setenv(InteractiveSigningOnlyEnvVar, "  TrUe ")
-	if !InteractiveSigningOnlyEnabled() {
-		t.Fatal("case-insensitive, trimmed true must be on")
-	}
-	t.Setenv(InteractiveSigningOnlyEnvVar, "false")
-	if InteractiveSigningOnlyEnabled() {
-		t.Fatal("false must be off")
-	}
-}
-
 func TestEntry_StaticFallback_ReadinessOptInUnset(t *testing.T) {
 	// Explicitly unset the env var.
 	t.Setenv(RoastRetryReadinessOptInEnvVar, "")