hardening(frost/roast): verifiable blame — accuser quorum for exclusion; overflow can only park (#4029)

Stacked on #3866 (base: `feat/frost-schnorr-migration-scaffold`).
Implements item 2 of the review feedback on the FROST/ROAST stack
(verifiable blame, not counted blame).

## Problem

`NextAttempt` permanently excluded members on unverifiable observer
counters — reject/conflict threshold 1, overflow 4 — **summed across
observers and across reasons**, so a single byzantine observer
fabricating counters could permanently exclude any honest member, and by
repetition grind the included set below threshold
(`ErrAttemptInfeasible`). That inverts ROAST's robustness guarantee: the
design's whole point is liveness with t honest of n, and the blame layer
handed a liveness-and-membership veto to any single member. Bundle
evidence (`OverflowEntry`/`RejectEntry`/`ConflictEntry`) is
observer-signed *claims* — nothing in a counter lets a third party
re-check that the accused misbehaved.

## What changed

**Accuser-quorum gate (`ExclusionAccuserQuorum`).** An accusation only
produces action when made by at least `f+1 = groupSize − threshold + 1`
distinct credible observers (f = the byzantine tolerance). At f+1, at
least one accuser is honest under the protocol's own t-of-n assumption,
so the group may act as if the fault were verified. Real faults reach
quorum naturally — contributions are broadcast, every honest member
observes the same bytes — while f colluding members can never reach f+1
by fabrication. Production shape (n=100, t=51): quorum 50 vs. 49
worst-case byzantine.

**Counting hygiene.** Observers count once per accused per category
regardless of claimed `Count` magnitude; reject reasons no longer
multiply accusers; categories tally independently (reject + conflict
claims no longer sum); only previous-`IncludedSet` members are credible
accusers; accusations against non-original-set members are ignored.

**Overflow can never be permanent.** Transport pressure is observable
only at the transport layer and can never be made self-incriminating. An
*established* (quorum-corroborated) overflow accusation now parks the
member for one attempt — same transient mechanics as silence parking —
instead of excluding forever.

**Sub-quorum claims are ignored entirely**, not parked: acting on a
single unverifiable claim would let one byzantine observer impose an
attempt of liveness cost on any honest member at will.

Established reject/conflict accusations still exclude permanently, and
the policy remains a pure deterministic function of `(prev, bundle,
threshold)`.

## Why quorum rather than self-incriminating proofs now

The review's endgame is proof-carrying blame: the accused's own two
operator-signed conflicting payloads (conflicts), or their signed
contribution plus a re-checkable deterministic validation failure
(rejects). That requires wire-format and verification-routine changes
(the current bundle carries only counters). The quorum gate delivers the
safety property — fabricated blame can never become permanent, and the
grinding-to-infeasibility vector is closed — with no wire change, and is
the correct *floor* even after proofs land (proof-verified entries can
then bypass the quorum per category). RFC-21 Layer B now documents the
policy, the rationale, and that roadmap; the residual cost
(sub-quorum-observed faults burn retry attempts instead of excluding) is
explicitly folded into the serial-attempt latency budget.

## Tests

New regression coverage: quorum boundary at f vs f+1 for both permanent
categories; fabricated-blame grinding across six attempts (single
byzantine accuser, max counters, honest members never move);
count-magnitude fabrication; cross-category non-summing; reason
non-multiplication; non-credible accusers; non-original accused;
established-overflow park-and-reinstate cycle; production-shape quorum
pin `(100, 51) = 50`. Existing overflow/categories/soak tests updated to
the new semantics. `go test ./pkg/frost/... ./pkg/tbtc/...` passes; `go
vet` clean.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: mswilkison

docs/rfc/rfc-21-roast-coordinator-retry-and-transition-evidence.adoc

@@ -307,44 +307,83 @@ seed bytes must produce the same legacy `int64` on every honest
 signer. The bridge is named, isolated, and exhaustively tested so
 later edits cannot accidentally desynchronise it.
 
-The exclusion policy is:
-
-. Senders with `OverflowCount >= overflowExclusionThreshold` during the
-  attempt window are moved to `ExcludedSet` (transport blamable).
-. Senders with at least one confirmed reject event for non-transport
-  reasons are moved to `ExcludedSet` (validation blamable).
+The exclusion policy (verifiable-blame revision) starts from one
+observation: every evidence entry in the bundle is an observer-signed
+*claim*, not a self-incriminating proof. Nothing in an overflow,
+reject, or conflict counter lets a third party re-check that the
+accused actually misbehaved. A policy that permanently excludes on
+unverifiable counters inverts ROAST's robustness guarantee -- a single
+byzantine observer could fabricate evidence against honest members
+and grind the `IncludedSet` toward `ErrAttemptInfeasible`. Permanent
+exclusion therefore requires the accusation to be *established*:
+corroborated by a quorum of distinct accusers large enough that, under
+the protocol's own t-of-n honesty assumption, at least one accuser is
+honest.
+
+. Accusation tallying: each bundle snapshot is one observer's claim
+  set. Only observers in the previous attempt's `IncludedSet` are
+  credible; each observer counts at most once per accused member per
+  category regardless of the claimed count magnitude; accusations
+  against members outside the original signer set are ignored. An
+  accusation is established when at least
+  `ExclusionAccuserQuorum(originalGroupSize, threshold)
+  = originalGroupSize - threshold + 1` (that is, `f+1`) distinct
+  observers make it. A real fault is observed by every honest member
+  processing the broadcast, so established faults reach the quorum
+  naturally; fabricated ones cannot, because at most `f` members are
+  byzantine.
+. Established reject or conflict accusations (validation /
+  equivocation blamable) move the accused to `ExcludedSet`
+  permanently. The categories are tallied independently and never
+  summed with each other.
+. Established overflow accusations (transport blamable) move the
+  accused to the *parked* set for one attempt -- never to
+  `ExcludedSet`. Transport pressure is observable only at the
+  transport layer and can never be made self-incriminating, so
+  overflow may cost an attempt of liveness but not permanence.
 . Senders with deadline-expiry only -- silent peers -- are moved to a
   *parked* set that the next attempt skips but the attempt after that
-  retries (to tolerate transient outages). Silence parking is
-  *strictly transient*: a single attempt's worth of skip, no escalation.
-  A peer falsely labelled silent because their contribution arrived
-  late (or because a malicious coordinator censored it) is not
-  permanently penalised -- they are reinstated by the very next
-  attempt. Permanent exclusion only follows from overflow or non-
-  transport reject events, neither of which can fire on a slow-but-
-  honest peer.
+  retries (to tolerate transient outages). Parking is *strictly
+  transient*: a single attempt's worth of skip, no escalation. A peer
+  falsely labelled silent because their contribution arrived late (or
+  because a malicious coordinator censored it) is not permanently
+  penalised -- they are reinstated by the very next attempt.
+  Silence is detected as *bundle absence* (the member submitted no
+  evidence snapshot for the transition). A member that submits its
+  snapshot while withholding its signing contribution is therefore
+  not parked by this policy: signing-silence is invisible to the
+  transition layer, costs the attempt, and is bounded only by the
+  retry budget (Annex B) until t-of-included finalize lands.
 . If `IncludedSet` minus exclusions drops below the threshold `t`, the
   coordinator returns `ErrAttemptInfeasible` and the session is
   declared failed for this signer set.
 
-The thresholds are *fixed constants* in the initial design, picked to
-be evidently small relative to the per-attempt deadline and the
-`expectedMessagesCount*4+1` channel capacity:
-
-[source,go]
-----
-const (
-    overflowExclusionThreshold = 4 // overflow events per attempt window
-    rejectExclusionThreshold   = 1 // any confirmed non-transport reject
-    silenceParkingThreshold    = 1 // any deadline expiry parks for 1 attempt
-)
-----
-
-Making them constants up-front means honest signers do not need to
-negotiate them. If production telemetry indicates a constant is wrong
-for the attempt's wall-clock bound, the change is a routine code
-update that ships through Phase 7's manifest gate -- not a runtime
-parameter that drift can desynchronise.
+The quorum is a *derived constant* of the key-group shape -- for the
+production 51-of-100 group it is 50 -- so honest signers do not need
+to negotiate it and drift cannot desynchronise it. Sub-quorum claims
+are deliberately ignored rather than parked: acting on a single
+unverifiable claim would let one byzantine observer cost any honest
+member an attempt of liveness at will.
+
+*Verifiability roadmap.* Permanent exclusion on a *single* piece of
+evidence becomes sound once the wire format carries
+self-incriminating proof: for conflicts, the accused's own two
+operator-signed payloads with identical (attempt, sender) and
+different bytes; for rejects, the accused's operator-signed
+contribution plus a deterministic validation failure any member can
+re-run. When those land, the per-category quorum gate can be relaxed
+to proof-verified entries. The cost of the interim quorum policy is
+bounded: a fault observed by fewer than `f+1` honest members (for
+example a targeted, per-recipient equivocation) is not permanently
+excluded and instead burns retry attempts, which the serial-attempt
+latency analysis already budgets for. Near the assumption boundary
+the gate is intentionally demanding -- at worst-case `f` only `t`
+honest observers exist, so establishment needs all but `2t-n-1` of
+them (50 of 51 at the production shape) to have observed the fault
+and landed snapshots in the bundle. In that regime the quorum acts
+as a fabrication firewall rather than a working exclusion mechanism;
+restoring per-category exclusion under heavy attack is exactly what
+proof-carrying blame is for.
 
 === Layer C: Retry orchestration (M7)
 

pkg/frost/roast/multi_coordinator_soak_test.go

@@ -265,13 +265,15 @@ func TestSoak_CleanAttemptPreservesIncludedSet(t *testing.T) {
 	}
 }
 
-func TestSoak_OverflowEvidenceExcludesPermanently(t *testing.T) {
+func TestSoak_EstablishedOverflowParksTransiently(t *testing.T) {
 	members := []group.MemberIndex{1, 2, 3, 4, 5}
 	nodes := newSoakHarness(t, members)
 	prev := soakStartingContext(t, members)
 
-	// Four observers report 1 overflow each against member 3.
-	// Total 4 = OverflowExclusionThreshold.
+	// Four distinct observers report overflow against member 3:
+	// 4 >= ExclusionAccuserQuorum(5, 3) = 3, so the accusation is
+	// established -- but transport blame is unverifiable in
+	// principle, so it parks transiently instead of excluding.
 	overflow := map[group.MemberIndex][]group.MemberIndex{
 		1: {3},
 		2: {3},
@@ -280,8 +282,14 @@ func TestSoak_OverflowEvidenceExcludesPermanently(t *testing.T) {
 	}
 	next, _ := soakAttempt(t, nodes, prev, nil, overflow, 3)
 
-	if !containsMember(next.ExcludedSet, 3) {
-		t.Fatalf("member 3 must be excluded; got %v", next.ExcludedSet)
+	if !containsMember(next.TransientlyParked, 3) {
+		t.Fatalf("member 3 must be parked; got %v", next.TransientlyParked)
+	}
+	if containsMember(next.ExcludedSet, 3) {
+		t.Fatalf(
+			"overflow must never permanently exclude; got %v",
+			next.ExcludedSet,
+		)
 	}
 	if containsMember(next.IncludedSet, 3) {
 		t.Fatal("member 3 must not be in next IncludedSet")