fix(frost): close outer native fallbacks + classify the refusal terminal

Fold of two Codex #4101 P2 findings:

- P2-1 (suppress outer fallbacks): the interactive-only guard lived only inside the
  FFI adapter, so when the native FFI path was unavailable (ErrNativeCryptographyUnavailable
  before the adapter's guard) the OUTER buildTaggedNativeExecutionBridge/Adapter still
  delegated to the legacy backend, because nativeExecutionFallbackAllowed() stayed true.
  Gate that single function on the flag: interactive-only now returns false there,
  closing every outer legacy/coarse fallback (the bridge + adapter consult it before
  delegating). New backend test asserts the suppression.

- P2-2 (terminal classification): the adapter's refusal returned a plain error, so the
  tBTC signingRetryLoop (which only aborts on ErrTerminalSigningFailure) treated this
  deterministic configuration failure as retryable and spun to timeout. Wrap the
  refusal with %w ErrTerminalSigningFailure; the adapter test now asserts errors.Is.

Also folds my own review's scope notes into the gate doc: interactive-only is
format-agnostic (refuses coarse for every signer format the native executor handles),
closes both the inner FFI primitive and the outer fallbacks, and fails all native
signing closed in a build without the interactive engine - so enable it only on a
frost_native node with the audit gate on.

Builds across all tag combos; full default + frost_native/frost_roast_retry suites
pass; gofmt clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: mswilkison

pkg/frost/signing/backend.go

@@ -164,6 +164,16 @@ func setNativeExecutionMode(mode nativeExecutionModeValue) {
 }
 
 func nativeExecutionFallbackAllowed() bool {
+	// Interactive-only mode (coarse-path retirement) suppresses EVERY legacy/coarse
+	// fallback, not only the inner FFI coarse primitive: if the native FFI path does
+	// not yield an interactive signature - including when it is unavailable before the
+	// adapter's own guard runs - the outer bridge/adapter must not delegate to the
+	// legacy backend either. This is the single gate those outer fallbacks consult, so
+	// failing it here closes them all.
+	if InteractiveSigningOnlyEnabled() {
+		return false
+	}
+
 	executionBackendMutex.RLock()
 	defer executionBackendMutex.RUnlock()
 

pkg/frost/signing/backend_test.go

@@ -176,6 +176,26 @@ func TestSetExecutionBackendByName(t *testing.T) {
 	}
 }
 
+func TestNativeExecutionFallbackAllowed_SuppressedByInteractiveOnly(t *testing.T) {
+	// Coarse-path retirement (Codex #4101 P2): interactive-only mode must close the
+	// OUTER native fallbacks too - the bridge/adapter consult this single gate before
+	// delegating to the legacy backend, so the flag has to flip it closed regardless
+	// of the execution mode, or a node with an unavailable FFI path would still sign
+	// over the legacy/coarse delegate.
+	previousMode := currentNativeExecutionMode()
+	t.Cleanup(func() { setNativeExecutionMode(previousMode) })
+
+	setNativeExecutionMode(nativeExecutionModeFallbackAllowed)
+	if !nativeExecutionFallbackAllowed() {
+		t.Fatal("baseline: the fallback-allowed mode must permit the outer fallback")
+	}
+
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+	if nativeExecutionFallbackAllowed() {
+		t.Fatal("interactive-only mode must suppress the outer native fallback")
+	}
+}
+
 func TestSetExecutionBackendByName_NativeFailureRestoresPreviousMode(
 	t *testing.T,
 ) {

pkg/frost/signing/native_ffi_executor_adapter.go

@@ -148,13 +148,14 @@ func (nefea *nativeExecutionFFIExecutorAdapter) Execute(
 		// Interactive-only mode (coarse-path retirement): the orchestration produced
 		// no interactive signature - the audit gate is off, no engine is registered,
 		// OR any static fallback fired (readiness off, no coordinator, unsupported
-		// material). This is the SINGLE point where the coarse primitive is invoked,
-		// so refusing here fails CLOSED on every fall-through path rather than
-		// silently signing over the retired coarse path.
+		// material). Refuse the inner coarse primitive here; the OUTER bridge/adapter
+		// legacy fallback is closed separately via nativeExecutionFallbackAllowed().
+		// Mark the refusal TERMINAL so the tBTC signingRetryLoop aborts immediately
+		// instead of retrying a deterministic configuration failure until timeout.
 		return nil, fmt.Errorf(
-			"interactive-only signing mode (%s) is set but interactive signing did not run "+
-				"(%s off, no engine, or static fallback); refusing the coarse fallback",
-			InteractiveSigningOnlyEnvVar, InteractiveSigningOptInEnvVar,
+			"%w: interactive-only signing mode (%s) is set but interactive signing did "+
+				"not run (%s off, no engine, or static fallback); refusing the coarse fallback",
+			ErrTerminalSigningFailure, InteractiveSigningOnlyEnvVar, InteractiveSigningOptInEnvVar,
 		)
 	}
 

pkg/frost/signing/native_ffi_executor_adapter_test.go

@@ -300,6 +300,9 @@ func TestNativeExecutionFFIExecutorAdapter_Execute_InteractiveOnlyRefusesCoarse(
 	if err == nil {
 		t.Fatal("interactive-only mode must fail closed instead of using the coarse primitive")
 	}
+	if !errors.Is(err, ErrTerminalSigningFailure) {
+		t.Fatalf("interactive-only refusal must be TERMINAL so the retry loop aborts: %v", err)
+	}
 	if !strings.Contains(err.Error(), InteractiveSigningOnlyEnvVar) {
 		t.Fatalf("unexpected error (want a refusal naming %s): %v", InteractiveSigningOnlyEnvVar, err)
 	}

pkg/frost/signing/roast_interactive_signing_gate.go

@@ -43,6 +43,14 @@ func InteractiveSigningOptInEnabled() bool {
 // frost-secp256k1-tr engine external audit clears and the tECDSA->FROST cutover is
 // made: flipping it on IS that cutover for this node (the coarse path is no longer
 // available as a fallback). Read per call, not cached, matching the audit gate.
+//
+// SCOPE: it presumes the node signs EXCLUSIVELY via the interactive tBTC-FROST path.
+// The refusal is format-agnostic (it fails closed for every signer format the native
+// executor handles, not only the tBTC-signer one); it closes BOTH the inner FFI coarse
+// primitive and the outer legacy fallbacks (the latter via nativeExecutionFallbackAllowed);
+// and in a build WITHOUT the interactive engine (no frost_native) it fails all native
+// signing closed. Enable it only on a node running the frost_native interactive engine
+// with the audit gate on.
 const InteractiveSigningOnlyEnvVar = "KEEP_CORE_FROST_INTERACTIVE_SIGNING_ONLY"
 
 // InteractiveSigningOnlyEnabled reports whether interactive-only (no coarse