feat(frost): member-key the ROAST session-handle binding (7.3 PR2b-2 step 1) (#4087)

## What

RFC-21 Phase 7.3 PR2b-2 **step 1**: member-key the ROAST session-handle
binding.

Re-keys `sessionAttemptBindings` in `pkg/frost/signing` from `sessionID`
alone to `(sessionID, member)`, threading the local member
(`request.MemberIndex`) through the receive-loop validators and the
evidence-submission path.

## Why

A multi-seat operator runs one receive loop per local seat. With the
binding keyed by `sessionID` alone, sibling seats collided:
- the later seat's `Set` **overwrote** the earlier seat's binding, so
evidence submission used the wrong handle (mis-attribution);
- one seat's cleanup `Clear(sessionID)` deleted the **shared** binding,
silently disabling the surviving seat's inbound attempt-context-hash
enforcement (a security regression).

PR2b-1.5 papered over this with multi-seat fail-closed guards; this PR
makes the path actually member-safe and retires those guards.

## Changes
- **Registry** (both build flavors): `sessionMemberKey{sessionID,
member}` key;
`Set`/`Clear`/`currentAttemptHandleForCollect`/`CurrentAttemptHandleForSession`
take `group.MemberIndex`.
- **Read path**: `verifyMessageAttemptContextHash` /
`setMessageAttemptContextHashIfBound` take `member`; the 3 receive-loop
callers pass `request.MemberIndex` (the local receiver, **never** the
inbound sender).
- **Write path**: `BeginOrchestrationForSession` /
`EndOrchestrationForSession` / cleanup bind & clear per `(sessionID,
member)`.
- **Submit**: `submitSnapshotIfActive` becomes member-aware
(`RegisteredRoastRetryCoordinatorForMember`).
- **Guards retired**: `count>1` terminal in `Begin`; `count>1` no-op in
submit. A fully-registered multi-seat operator now proceeds per-seat
with isolated bindings.
- **Guard kept**: partial-registration fail-closed.

## Design note — partial-registration fail-closed is kept deliberately

Member-keying isolates *registered* seats; it does nothing for a seat
with **no** coordinator. The ROAST-vs-legacy selector is
process-uniform, so an unregistered sibling running legacy while
siblings drive bound ROAST would fracture the attempt. So `!ok &&
count>0 → ErrTerminalSigningFailure` (fail closed); only `count==0` (no
seat registered anywhere) → the static legacy sentinel. Design locked
via Codex + Gemini consult (both ratified).

## Why it's safe
`AttemptContext` has no per-seat fields, so `ctx.Hash()` is identical
across sibling seats — member-keying does **not** change validation
semantics; it only isolates handles and prevents cross-seat cleanup.

## Tests / verification
- New: `_MultiSeatProceedsPerSeat` (isolation via
survival-after-sibling-cleanup; sibling handles are equal so
cleanup-survival is the proof), `_IsolatesByMember` (registry, distinct
handles), `_MultiSeatSubmitsPerSeat`, `_BindingIsMemberScoped`. Flipped
the old full-multi-seat fail-closed test; kept the partial one.
- All 5 tag combos build+vet+test green; `-race` green on the combined
combo; gofmt clean; `pkg/tbtc` signing-loop tests green (tagged +
default).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: mswilkison

pkg/frost/signing/attempt_context_binding_validation_default_build_test.go

@@ -14,7 +14,7 @@ func TestVerifyMessageAttemptContextHash_DefaultBuildPassesEverything(t *testing
 	// build, matching the rollback promise made in the rollout
 	// guide (docs/development/frost-roast-retry-rollout.adoc).
 	msg := stubDefaultBuildMessage{}
-	if err := verifyMessageAttemptContextHash(msg, "any-session"); err != nil {
+	if err := verifyMessageAttemptContextHash(msg, "any-session", 1); err != nil {
 		t.Fatalf(
 			"default build must always pass; got %v",
 			err,

pkg/frost/signing/attempt_context_binding_validation_frost_native.go

@@ -5,6 +5,8 @@ package signing
 import (
 	"errors"
 	"fmt"
+
+	"github.com/keep-network/keep-core/pkg/protocol/group"
 )
 
 // attemptContextHashCarrier is implemented by every protocol
@@ -49,12 +51,18 @@ var ErrAttemptContextHashMismatch = errors.New(
 // optional to required at the receive boundary, but only when the
 // session has a ROAST-attempt binding registered.
 //
-// When no session-handle binding exists for sessionID (the typical
-// state for non-ROAST sessions and for default builds), this
+// When no session-handle binding exists for (sessionID, member) (the
+// typical state for non-ROAST sessions and for default builds), this
 // function returns nil and lets the message through. The receive
 // loop's other gates (shouldAcceptNativeFROSTMessage, etc.) still
 // apply.
 //
+// member is the LOCAL receiver seat's member index (request.MemberIndex),
+// NOT the inbound message's sender: the binding being enforced is the
+// one THIS seat's orchestration set for the attempt it is running. A
+// multi-seat operator keys its bindings per seat (RFC-21 Phase 7.3
+// PR2b-2), so looking up by sender would read the wrong (or no) binding.
+//
 // When a binding exists -- i.e. the orchestration layer has begun
 // an attempt for this session and is expecting the receive loops
 // to participate -- the message must carry an AttemptContextHash
@@ -64,8 +72,9 @@ var ErrAttemptContextHashMismatch = errors.New(
 func verifyMessageAttemptContextHash(
 	msg attemptContextHashCarrier,
 	sessionID string,
+	member group.MemberIndex,
 ) error {
-	_, ctx, ok := currentAttemptHandleForCollect(sessionID)
+	_, ctx, ok := currentAttemptHandleForCollect(sessionID, member)
 	if !ok {
 		// No binding: legacy / non-ROAST mode. Skip enforcement
 		// so default builds and non-ROAST sessions stay
@@ -91,12 +100,16 @@ func verifyMessageAttemptContextHash(
 // setMessageAttemptContextHashIfBound attaches the current ROAST
 // attempt binding to an outbound message. Default/non-ROAST sessions
 // have no binding, so the field stays absent for backward
-// compatibility.
+// compatibility. member is the local sender seat's member index
+// (request.MemberIndex); the binding is looked up per (sessionID,
+// member) so a multi-seat operator tags each seat's outbound message
+// with that seat's own bound context (RFC-21 Phase 7.3 PR2b-2).
 func setMessageAttemptContextHashIfBound(
 	msg outboundAttemptContextHashCarrier,
 	sessionID string,
+	member group.MemberIndex,
 ) {
-	_, ctx, ok := currentAttemptHandleForCollect(sessionID)
+	_, ctx, ok := currentAttemptHandleForCollect(sessionID, member)
 	if !ok {
 		return
 	}

pkg/frost/signing/attempt_context_binding_validation_frost_native_test.go

@@ -62,7 +62,7 @@ func TestVerifyMessageAttemptContextHash_NoBindingPasses(t *testing.T) {
 		{present: true, hash: [AttemptContextHashFieldLength]byte{0x01}},
 	}
 	for _, msg := range cases {
-		if err := verifyMessageAttemptContextHash(msg, "session-x"); err != nil {
+		if err := verifyMessageAttemptContextHash(msg, "session-x", 1); err != nil {
 			t.Fatalf(
 				"no-binding path must pass; got %v for msg %+v",
 				err, msg,
@@ -76,11 +76,11 @@ func TestVerifyMessageAttemptContextHash_BindingPresent_MatchingHashPasses(t *te
 	t.Cleanup(ResetSessionHandleRegistryForTest)
 
 	ctx := newOrchestrationTestContextForValidation(t)
-	SetCurrentAttemptHandleForSession("session-match", roast.AttemptHandle{}, ctx)
+	SetCurrentAttemptHandleForSession("session-match", 1, roast.AttemptHandle{}, ctx)
 
 	expected := ctx.Hash()
 	msg := stubMessage{hash: expected, present: true}
-	if err := verifyMessageAttemptContextHash(msg, "session-match"); err != nil {
+	if err := verifyMessageAttemptContextHash(msg, "session-match", 1); err != nil {
 		t.Fatalf("matching hash must pass; got %v", err)
 	}
 }
@@ -90,10 +90,10 @@ func TestVerifyMessageAttemptContextHash_BindingPresent_MissingHashFails(t *test
 	t.Cleanup(ResetSessionHandleRegistryForTest)
 
 	ctx := newOrchestrationTestContextForValidation(t)
-	SetCurrentAttemptHandleForSession("session-missing", roast.AttemptHandle{}, ctx)
+	SetCurrentAttemptHandleForSession("session-missing", 1, roast.AttemptHandle{}, ctx)
 
 	msg := stubMessage{present: false}
-	err := verifyMessageAttemptContextHash(msg, "session-missing")
+	err := verifyMessageAttemptContextHash(msg, "session-missing", 1)
 	if !errors.Is(err, ErrAttemptContextHashMissing) {
 		t.Fatalf(
 			"expected ErrAttemptContextHashMissing; got %v",
@@ -107,14 +107,14 @@ func TestVerifyMessageAttemptContextHash_BindingPresent_MismatchedHashFails(t *t
 	t.Cleanup(ResetSessionHandleRegistryForTest)
 
 	ctx := newOrchestrationTestContextForValidation(t)
-	SetCurrentAttemptHandleForSession("session-mismatch", roast.AttemptHandle{}, ctx)
+	SetCurrentAttemptHandleForSession("session-mismatch", 1, roast.AttemptHandle{}, ctx)
 
 	wrong := [AttemptContextHashFieldLength]byte{}
 	for i := range wrong {
 		wrong[i] = 0xff
 	}
 	msg := stubMessage{hash: wrong, present: true}
-	err := verifyMessageAttemptContextHash(msg, "session-mismatch")
+	err := verifyMessageAttemptContextHash(msg, "session-mismatch", 1)
 	if !errors.Is(err, ErrAttemptContextHashMismatch) {
 		t.Fatalf(
 			"expected ErrAttemptContextHashMismatch; got %v",
@@ -123,6 +123,37 @@ func TestVerifyMessageAttemptContextHash_BindingPresent_MismatchedHashFails(t *t
 	}
 }
 
+// TestVerifyMessageAttemptContextHash_BindingIsMemberScoped asserts the binding
+// lookup is keyed by the LOCAL receiver seat's member (request.MemberIndex), not
+// shared across seats: a binding set for member 1 enforces the hash for member 1
+// but is invisible to member 2's receive loop (which has its own binding or, here,
+// none -> passes through). This is the PR2b-2 member-keying applied to the receive
+// validation path; under the old sessionID-only key, member 2 would have enforced
+// member 1's binding.
+func TestVerifyMessageAttemptContextHash_BindingIsMemberScoped(t *testing.T) {
+	ResetSessionHandleRegistryForTest()
+	t.Cleanup(ResetSessionHandleRegistryForTest)
+
+	ctx := newOrchestrationTestContextForValidation(t)
+	SetCurrentAttemptHandleForSession("session-scoped", 1, roast.AttemptHandle{}, ctx)
+
+	// A message that does NOT match the bound context.
+	wrong := [AttemptContextHashFieldLength]byte{}
+	for i := range wrong {
+		wrong[i] = 0xff
+	}
+	msg := stubMessage{hash: wrong, present: true}
+
+	// Member 1 has the binding -> enforcement runs -> mismatch.
+	if err := verifyMessageAttemptContextHash(msg, "session-scoped", 1); !errors.Is(err, ErrAttemptContextHashMismatch) {
+		t.Fatalf("member 1 must enforce its binding; got %v", err)
+	}
+	// Member 2 has no binding for this session -> passes through (no enforcement).
+	if err := verifyMessageAttemptContextHash(msg, "session-scoped", 2); err != nil {
+		t.Fatalf("member 2 (no binding) must pass through; got %v", err)
+	}
+}
+
 func TestVerifyMessageAttemptContextHash_RealMessageTypeIntegration(t *testing.T) {
 	// Exercise the helper against a real protocol message type
 	// (the tbtc-signer round contribution) rather than just the stub,
@@ -132,7 +163,7 @@ func TestVerifyMessageAttemptContextHash_RealMessageTypeIntegration(t *testing.T
 	t.Cleanup(ResetSessionHandleRegistryForTest)
 
 	ctx := newOrchestrationTestContextForValidation(t)
-	SetCurrentAttemptHandleForSession("session-real-msg", roast.AttemptHandle{}, ctx)
+	SetCurrentAttemptHandleForSession("session-real-msg", 1, roast.AttemptHandle{}, ctx)
 
 	expected := ctx.Hash()
 	msg := &buildTaggedTBTCSignerRoundContributionMessage{
@@ -143,7 +174,7 @@ func TestVerifyMessageAttemptContextHash_RealMessageTypeIntegration(t *testing.T
 	}
 	msg.SetAttemptContextHash(expected)
 
-	if err := verifyMessageAttemptContextHash(msg, "session-real-msg"); err != nil {
+	if err := verifyMessageAttemptContextHash(msg, "session-real-msg", 1); err != nil {
 		t.Fatalf("real-message integration must pass; got %v", err)
 	}
 
@@ -157,9 +188,9 @@ func TestVerifyMessageAttemptContextHash_RealMessageTypeIntegration(t *testing.T
 		[]group.MemberIndex{1, 2, 3, 4, 5},
 		nil,
 	)
-	SetCurrentAttemptHandleForSession("session-real-msg", roast.AttemptHandle{}, differentCtx)
+	SetCurrentAttemptHandleForSession("session-real-msg", 1, roast.AttemptHandle{}, differentCtx)
 
-	err := verifyMessageAttemptContextHash(msg, "session-real-msg")
+	err := verifyMessageAttemptContextHash(msg, "session-real-msg", 1)
 	if !errors.Is(err, ErrAttemptContextHashMismatch) {
 		t.Fatalf("rebinding must cause mismatch; got %v", err)
 	}
@@ -170,10 +201,10 @@ func TestSetMessageAttemptContextHashIfBound_AttachesBoundHash(t *testing.T) {
 	t.Cleanup(ResetSessionHandleRegistryForTest)
 
 	ctx := newOrchestrationTestContextForValidation(t)
-	SetCurrentAttemptHandleForSession("session-outbound", roast.AttemptHandle{}, ctx)
+	SetCurrentAttemptHandleForSession("session-outbound", 1, roast.AttemptHandle{}, ctx)
 
 	msg := &stubMessage{}
-	setMessageAttemptContextHashIfBound(msg, "session-outbound")
+	setMessageAttemptContextHashIfBound(msg, "session-outbound", 1)
 
 	got, present := msg.GetAttemptContextHash()
 	if !present {
@@ -189,7 +220,7 @@ func TestSetMessageAttemptContextHashIfBound_NoBindingLeavesAbsent(t *testing.T)
 	t.Cleanup(ResetSessionHandleRegistryForTest)
 
 	msg := &stubMessage{}
-	setMessageAttemptContextHashIfBound(msg, "session-no-binding")
+	setMessageAttemptContextHashIfBound(msg, "session-no-binding", 1)
 
 	if _, present := msg.GetAttemptContextHash(); present {
 		t.Fatal("expected no attempt context hash without a session binding")
@@ -201,7 +232,7 @@ func TestSetMessageAttemptContextHashIfBound_AllOutboundMessageTypes(t *testing.
 	t.Cleanup(ResetSessionHandleRegistryForTest)
 
 	ctx := newOrchestrationTestContextForValidation(t)
-	SetCurrentAttemptHandleForSession("session-all-types", roast.AttemptHandle{}, ctx)
+	SetCurrentAttemptHandleForSession("session-all-types", 1, roast.AttemptHandle{}, ctx)
 	expected := ctx.Hash()
 
 	messages := []attemptContextHashCarrier{
@@ -214,7 +245,7 @@ func TestSetMessageAttemptContextHashIfBound_AllOutboundMessageTypes(t *testing.
 			t.Fatalf("%T does not implement outbound carrier", msg)
 		}
 
-		setMessageAttemptContextHashIfBound(outbound, "session-all-types")
+		setMessageAttemptContextHashIfBound(outbound, "session-all-types", 1)
 
 		got, present := msg.GetAttemptContextHash()
 		if !present {

pkg/frost/signing/attempt_context_bound_exchange_frost_native_test.go

@@ -38,7 +38,14 @@ func bindAttemptContextHashForExchangeTest(
 		t.Fatalf("failed creating attempt context: [%v]", err)
 	}
 
-	SetCurrentAttemptHandleForSession(sessionID, roast.AttemptHandle{}, ctx)
+	// Bind the (identical, group-level) attempt context for EVERY participating
+	// local member seat. The bootstrap round runs one receive loop per member, and
+	// each loop looks the binding up by its own (sessionID, member) after PR2b-2
+	// member-keyed the registry; binding only one member would leave the others'
+	// loops unbound and silently skip the hash enforcement this test exercises.
+	for _, member := range members {
+		SetCurrentAttemptHandleForSession(sessionID, member, roast.AttemptHandle{}, ctx)
+	}
 }
 
 func TestBuildTaggedTBTCSignerBootstrapCoarseRound_BoundAttemptContextHashExchange(

pkg/frost/signing/native_ffi_primitive_transitional_frost_native.go

@@ -1086,7 +1086,7 @@ func buildTaggedTBTCSignerRoundContributions(
 		ContributionIdentifier: ownContribution.Identifier,
 		ContributionData:       append([]byte{}, ownContribution.Data...),
 	}
-	setMessageAttemptContextHashIfBound(roundContributionMessage, request.SessionID)
+	setMessageAttemptContextHashIfBound(roundContributionMessage, request.SessionID, request.MemberIndex)
 
 	if err := request.Channel.Send(
 		ctx,
@@ -1102,7 +1102,7 @@ func buildTaggedTBTCSignerRoundContributions(
 	// when nothing is registered preserves Phase 2 receive
 	// semantics.
 	contributionsRecorder := roastRetryRecorderForCollect()
-	defer submitSnapshotIfActive(request.SessionID, contributionsRecorder)
+	defer submitSnapshotIfActive(request.SessionID, request.MemberIndex, contributionsRecorder)
 	peerMessages, err := collectBuildTaggedTBTCSignerRoundContributionMessages(
 		ctx,
 		request,
@@ -1237,7 +1237,7 @@ func collectBuildTaggedTBTCSignerRoundContributionMessages(
 			return
 		}
 
-		if err := verifyMessageAttemptContextHash(payload, request.SessionID); err != nil {
+		if err := verifyMessageAttemptContextHash(payload, request.SessionID, request.MemberIndex); err != nil {
 			evidence.RecordReject(payload.SenderID(), "attempt_context_hash_mismatch")
 			return
 		}

pkg/frost/signing/roast_retry_attempt_handle_default_build.go

@@ -5,22 +5,24 @@ package signing
 import (
 	"github.com/keep-network/keep-core/pkg/frost/roast"
 	"github.com/keep-network/keep-core/pkg/frost/roast/attempt"
+	"github.com/keep-network/keep-core/pkg/protocol/group"
 )
 
 // SetCurrentAttemptHandleForSession is a no-op in the default build:
-// the receive loops will never find a handle for any session, so the
-// snapshot submission path is dormant. The build-tagged
+// the receive loops will never find a handle for any (session, member),
+// so the snapshot submission path is dormant. The build-tagged
 // implementation does the real registration.
 func SetCurrentAttemptHandleForSession(
 	_ string,
+	_ group.MemberIndex,
 	_ roast.AttemptHandle,
 	_ attempt.AttemptContext,
 ) {
 }
 
 // ClearCurrentAttemptHandleForSession is a no-op in the default
 // build.
-func ClearCurrentAttemptHandleForSession(_ string) {}
+func ClearCurrentAttemptHandleForSession(_ string, _ group.MemberIndex) {}
 
 // ResetSessionHandleRegistryForTest is a no-op in the default
 // build.
@@ -35,6 +37,7 @@ func StartSessionHandleSweeper() {}
 // the RecordEvidence call.
 func currentAttemptHandleForCollect(
 	_ string,
+	_ group.MemberIndex,
 ) (roast.AttemptHandle, attempt.AttemptContext, bool) {
 	return roast.AttemptHandle{}, attempt.AttemptContext{}, false
 }
@@ -45,6 +48,7 @@ func currentAttemptHandleForCollect(
 // always returns ok=false.
 func CurrentAttemptHandleForSession(
 	sessionID string,
+	member group.MemberIndex,
 ) (roast.AttemptHandle, attempt.AttemptContext, bool) {
-	return currentAttemptHandleForCollect(sessionID)
+	return currentAttemptHandleForCollect(sessionID, member)
 }