fix(frost): submit reject/conflict-only ROAST evidence snapshots (PR2b-2 review fold)

submitSnapshotIfActive skipped any snapshot whose Overflows map was empty, but a
validation-blamable Reject (e.g. an attempt-context-hash mismatch) or a
first-write-wins Conflict populates Evidence.Rejects / Evidence.Conflicts WITHOUT
producing an Overflow. NextAttempt's exclusion path consumes snapshot.Rejects
(next_attempt.go), so dropping reject/conflict-only snapshots silently starved the
blame pipeline of exactly the validation evidence it needs -- newly reachable now
that PR2b-2 enables the multi-seat submit path. Widen the emptiness test to all
three evidence categories, and add a reject-only submission regression test.

Folds Codex review P2 on PR #4087.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: mswilkison

pkg/frost/signing/roast_retry_submit.go

@@ -58,13 +58,20 @@ func submitSnapshotIfActive(
 		return
 	}
 	evidence := recorder.Snapshot()
-	if len(evidence.Overflows) == 0 {
-		// Nothing observed worth submitting; emitting an empty
+	if len(evidence.Overflows) == 0 &&
+		len(evidence.Rejects) == 0 &&
+		len(evidence.Conflicts) == 0 {
+		// Truly nothing observed worth submitting; emitting an empty
 		// snapshot is still meaningful in the ROAST protocol
-		// (proof-of-attendance) but adds noise to the bundle.
-		// Phase 4.3 chooses to skip empty submissions; Phase 5
-		// orchestration may revisit this if attestations need to
-		// be unconditional.
+		// (proof-of-attendance) but adds noise to the bundle, so we
+		// skip it. The emptiness test MUST consider all three evidence
+		// categories, not just overflows: a validation-blamable Reject
+		// (e.g. an attempt-context-hash mismatch) or a first-write-wins
+		// Conflict populates Rejects/Conflicts WITHOUT any Overflow, and
+		// NextAttempt's exclusion path consumes snapshot.Rejects
+		// (next_attempt.go). Dropping a reject/conflict-only snapshot
+		// here would silently starve the blame pipeline of exactly the
+		// validation evidence it needs.
 		return
 	}
 	snap := buildSignedSnapshot(deps, ctx, evidence)

pkg/frost/signing/roast_retry_submit_frost_roast_retry_test.go

@@ -307,6 +307,53 @@ func TestSubmitSnapshotIfActive_MultiSeatSubmitsPerSeat(t *testing.T) {
 	}
 }
 
+// TestSubmitSnapshotIfActive_SubmitsRejectOnlySnapshot guards the fold of Codex's
+// PR2b-2 P2: a snapshot carrying ONLY reject evidence -- no overflow, no conflict
+// -- must still be signed and submitted. A validation-blamable Reject (e.g. an
+// attempt-context-hash mismatch) populates Evidence.Rejects without any Overflow,
+// and NextAttempt's exclusion path consumes snapshot.Rejects; the old overflow-only
+// emptiness check silently dropped such snapshots, starving the blame pipeline.
+func TestSubmitSnapshotIfActive_SubmitsRejectOnlySnapshot(t *testing.T) {
+	ResetRoastRetryRegistrationForTest()
+	ResetSessionHandleRegistryForTest()
+	t.Cleanup(ResetRoastRetryRegistrationForTest)
+	t.Cleanup(ResetSessionHandleRegistryForTest)
+
+	const selfMember group.MemberIndex = 1
+	cap := newCaptureCoordinator(roast.NewInMemoryCoordinatorWithSigning(
+		selfMember, &deterministicSigner{id: selfMember}, deterministicVerifier{},
+	))
+	RegisterRoastRetryCoordinator(RoastRetryDeps{
+		Coordinator: cap,
+		Signer:      &deterministicSigner{id: selfMember},
+		Verifier:    deterministicVerifier{},
+		SelfMember:  uint32(selfMember),
+	})
+
+	ctx := newTestContextForSubmit(t, "session-reject-only")
+	handle, err := cap.BeginAttempt(ctx)
+	if err != nil {
+		t.Fatalf("begin: %v", err)
+	}
+	SetCurrentAttemptHandleForSession("session-reject-only", selfMember, handle, ctx)
+
+	// Only a reject -- no overflow, no conflict.
+	recorder := attempt.NewBoundedRecorder()
+	recorder.RecordReject(2, "attempt_context_hash_mismatch")
+	submitSnapshotIfActive("session-reject-only", selfMember, recorder)
+
+	if len(cap.recordedFor) != 1 {
+		t.Fatalf("reject-only snapshot must be submitted; got %d RecordEvidence calls", len(cap.recordedFor))
+	}
+	snap := cap.recordedSnp[0]
+	if len(snap.Rejects) == 0 {
+		t.Fatal("submitted snapshot must carry the reject evidence")
+	}
+	if len(snap.OperatorSignature) == 0 {
+		t.Fatal("reject-only snapshot must be signed")
+	}
+}
+
 func TestSetCurrentAttemptHandleForSession_LaterBindingOverwrites(t *testing.T) {
 	ResetSessionHandleRegistryForTest()
 	t.Cleanup(ResetSessionHandleRegistryForTest)