feat(frost/signing): RFC-21 Phase 7.1 -- AggregateBundle + bundle registry (#3985)

mswilkison · web-flow · commit 9f4590eae04e · 2026-05-22T22:40:22.000-05:00
## Summary First Phase-7 PR. Wires \`AggregateBundle\` production into the orchestration cleanup path so the elected coordinator's node automatically produces a \`TransitionMessage\` at the end of each attempt. The bundle is stashed in a per-session registry that Phase 7.2's ROAST-driven \`signingParticipantSelector\` reads to compute the next attempt's \`IncludedSet\`. Stacked on #3984 (Phase 6.4). ## What lands | File | Build tag | Role | |---|---|---| | \`roast_retry_bundle_registry_default_build.go\` | \`!frost_roast_retry\` | Permanent no-op stubs. Default-build selector always falls back to legacy. | | \`roast_retry_bundle_registry_frost_roast_retry.go\` | \`frost_roast_retry\` | Real mutex-protected map. TTL matches \`SessionHandleBindingTTL\` (2h). Later Record-calls overwrite (latest transition wins). | | \`roast_retry_orchestration.go\` (extended) | untagged | New \`maybeProduceTransitionBundle\` helper called from cleanup. | ## How cleanup produces a bundle After \`BeginOrchestrationForSession\` returns, the deferred cleanup fires at session end. It: 1. Verifies the local node is the elected coordinator (skip if not). 2. Checks the attempt is still \`Collecting\` (skip if already transitioned -- e.g. signature succeeded, no bundle needed). 3. Calls \`Coordinator.AggregateBundle\`. 4. Stashes the result via \`RecordTransitionBundleForSession\` (no-op stub in default build). **Failures along the path are silent.** Cleanup must never panic and must never propagate errors into the signing flow's defer chain. A missing bundle just means the next attempt's selector falls back to legacy. ## Test coverage | File | Build | Cases | |---|---|---| | \`roast_retry_bundle_registry_test.go\` | \`!frost_roast_retry\` | 1 (default stub is observable no-op) | | \`roast_retry_bundle_registry_frost_roast_retry_test.go\` | \`frost_roast_retry\` | 5 (round-trip, latest-wins, clear, nil-discard, TTL eviction, TTL matches session-handle TTL) | | \`roast_retry_orchestration_bundle_test.go\` | \`frost_roast_retry\` | 3 (elected coordinator records, non-elected does not, double-cleanup is safe) | ## Verification | Command | Result | |---|---| | \`go build ./...\` | clean | | \`go test ./pkg/frost/...\` | pass (5 packages) | | \`go test -tags 'frost_roast_retry' ./pkg/frost/signing/...\` | pass | | \`staticcheck -checks '-SA1019' ./pkg/frost/...\` | silent | | \`gofmt -l ./pkg/frost/signing/\` | silent | ## Phase 7 plan | PR | Scope | State | |---|---|---| | **7.1 (this)** | **AggregateBundle + bundle registry** | **open** | | 7.2 | ROAST-driven signingParticipantSelector (consumes registry) | next | | 7.3+ | Readiness manifest entry + integration testnet evidence + manifest flip | post-7.2 | ## Test plan - [ ] CI green. - [ ] Reviewer confirms the silent-error discipline in cleanup is appropriate (alternative: log at WARN level). - [ ] Reviewer confirms the TTL = session-handle TTL alignment is intentional (alternative: longer-lived bundles).
diff --git a/pkg/frost/signing/roast_retry_bundle_registry_default_build.go b/pkg/frost/signing/roast_retry_bundle_registry_default_build.go
@@ -0,0 +1,26 @@
+//go:build !frost_roast_retry
+
+package signing
+
+import "github.com/keep-network/keep-core/pkg/frost/roast"
+
+// RecordTransitionBundleForSession is a no-op in the default build:
+// the per-session bundle registry is not active without the
+// frost_roast_retry tag. The signing-loop ROAST selector (when
+// installed via Phase 7's build) reads this registry to consume
+// the most recent TransitionMessage for a message.
+func RecordTransitionBundleForSession(_ string, _ *roast.TransitionMessage) {}
+
+// TransitionBundleForSession returns (nil, false) in the default
+// build, signalling to callers that no ROAST bundle is available
+// and the legacy retry shuffle should be used.
+func TransitionBundleForSession(_ string) (*roast.TransitionMessage, bool) {
+	return nil, false
+}
+
+// ClearTransitionBundleForSession is a no-op in the default build.
+func ClearTransitionBundleForSession(_ string) {}
+
+// ResetTransitionBundleRegistryForTest is a no-op in the default
+// build.
+func ResetTransitionBundleRegistryForTest() {}
diff --git a/pkg/frost/signing/roast_retry_bundle_registry_frost_roast_retry.go b/pkg/frost/signing/roast_retry_bundle_registry_frost_roast_retry.go
@@ -0,0 +1,105 @@
+//go:build frost_roast_retry
+
+package signing
+
+import (
+	"sync"
+	"time"
+
+	"github.com/keep-network/keep-core/pkg/frost/roast"
+)
+
+// TransitionBundleRegistryTTL is how long a session's most recent
+// TransitionMessage is retained before the background sweeper
+// evicts it. Matches the session-handle TTL: a bundle's usefulness
+// to retry-driven participant selection expires when the session
+// it describes is itself archived.
+const TransitionBundleRegistryTTL = SessionHandleBindingTTL
+
+// sessionBundleEntry pairs a TransitionMessage with the wall-clock
+// time at which it was recorded so the sweeper can evict stale
+// entries.
+type sessionBundleEntry struct {
+	bundle    *roast.TransitionMessage
+	createdAt time.Time
+}
+
+var (
+	sessionBundleRegistryMu sync.RWMutex
+	sessionBundleRegistry   = map[string]sessionBundleEntry{}
+)
+
+// RecordTransitionBundleForSession stores the most recent
+// TransitionMessage produced by the elected coordinator for the
+// named session. The bundle is later consumed by the ROAST-driven
+// signingParticipantSelector to compute the next attempt's
+// IncludedSet via EvaluateRoastRetryForSigning.
+//
+// A later call for the same session overwrites the earlier bundle
+// -- the registry tracks only the most recent transition.
+func RecordTransitionBundleForSession(
+	sessionID string,
+	bundle *roast.TransitionMessage,
+) {
+	if bundle == nil {
+		return
+	}
+	sessionBundleRegistryMu.Lock()
+	defer sessionBundleRegistryMu.Unlock()
+	sessionBundleRegistry[sessionID] = sessionBundleEntry{
+		bundle:    bundle,
+		createdAt: time.Now(),
+	}
+}
+
+// TransitionBundleForSession returns the most recent transition
+// message for the named session, plus a presence flag. Callers
+// (the ROAST selector) treat (nil, false) as "no bundle; fall back
+// to legacy".
+func TransitionBundleForSession(
+	sessionID string,
+) (*roast.TransitionMessage, bool) {
+	sessionBundleRegistryMu.RLock()
+	defer sessionBundleRegistryMu.RUnlock()
+	entry, ok := sessionBundleRegistry[sessionID]
+	if !ok {
+		return nil, false
+	}
+	return entry.bundle, true
+}
+
+// ClearTransitionBundleForSession removes any bundle for the named
+// session. Called when a session terminates.
+func ClearTransitionBundleForSession(sessionID string) {
+	sessionBundleRegistryMu.Lock()
+	defer sessionBundleRegistryMu.Unlock()
+	delete(sessionBundleRegistry, sessionID)
+}
+
+// ResetTransitionBundleRegistryForTest clears every bundle. Test-
+// only seam.
+func ResetTransitionBundleRegistryForTest() {
+	sessionBundleRegistryMu.Lock()
+	defer sessionBundleRegistryMu.Unlock()
+	sessionBundleRegistry = map[string]sessionBundleEntry{}
+}
+
+// evictStaleTransitionBundles sweeps the registry and removes
+// entries older than maxAge. Exposed at the package level so
+// tests can invoke it directly with small maxAge values. The
+// production sweeper invokes it from sessionHandleSweepLoop
+// (Phase 5.2) so the bundle and handle registries share a single
+// background goroutine.
+func evictStaleTransitionBundles(maxAge time.Duration) int {
+	cutoff := time.Now().Add(-maxAge)
+	sessionBundleRegistryMu.Lock()
+	defer sessionBundleRegistryMu.Unlock()
+	evicted := 0
+	for sessionID, entry := range sessionBundleRegistry {
+		if entry.createdAt.Before(cutoff) {
+			delete(sessionBundleRegistry, sessionID)
+			evicted++
+		}
+	}
+	return evicted
+}
diff --git a/pkg/frost/signing/roast_retry_bundle_registry_frost_roast_retry_test.go b/pkg/frost/signing/roast_retry_bundle_registry_frost_roast_retry_test.go
@@ -0,0 +1,109 @@
+//go:build frost_roast_retry
+
+package signing
+
+import (
+	"testing"
+	"time"
+
+	"github.com/keep-network/keep-core/pkg/frost/roast"
+)
+
+func TestTransitionBundleRegistry_RoundTrip(t *testing.T) {
+	ResetTransitionBundleRegistryForTest()
+	t.Cleanup(ResetTransitionBundleRegistryForTest)
+
+	bundle := &roast.TransitionMessage{
+		CoordinatorIDValue: 7,
+	}
+	RecordTransitionBundleForSession("session-A", bundle)
+
+	got, ok := TransitionBundleForSession("session-A")
+	if !ok {
+		t.Fatal("expected bundle to be present after Record")
+	}
+	if got.CoordinatorIDValue != 7 {
+		t.Fatalf(
+			"bundle round-trip mismatch: got coordinator %d, want 7",
+			got.CoordinatorIDValue,
+		)
+	}
+}
+
+func TestTransitionBundleRegistry_LaterRecordOverwrites(t *testing.T) {
+	ResetTransitionBundleRegistryForTest()
+	t.Cleanup(ResetTransitionBundleRegistryForTest)
+
+	RecordTransitionBundleForSession("session-B", &roast.TransitionMessage{CoordinatorIDValue: 1})
+	RecordTransitionBundleForSession("session-B", &roast.TransitionMessage{CoordinatorIDValue: 2})
+	got, ok := TransitionBundleForSession("session-B")
+	if !ok {
+		t.Fatal("expected bundle to be present")
+	}
+	if got.CoordinatorIDValue != 2 {
+		t.Fatalf(
+			"later Record must overwrite earlier: got %d, want 2",
+			got.CoordinatorIDValue,
+		)
+	}
+}
+
+func TestTransitionBundleRegistry_ClearRemovesBundle(t *testing.T) {
+	ResetTransitionBundleRegistryForTest()
+	t.Cleanup(ResetTransitionBundleRegistryForTest)
+
+	RecordTransitionBundleForSession("session-clear", &roast.TransitionMessage{})
+	if _, ok := TransitionBundleForSession("session-clear"); !ok {
+		t.Fatal("setup: bundle must exist")
+	}
+	ClearTransitionBundleForSession("session-clear")
+	if _, ok := TransitionBundleForSession("session-clear"); ok {
+		t.Fatal("bundle must be removed after Clear")
+	}
+}
+
+func TestTransitionBundleRegistry_NilBundleIsIgnored(t *testing.T) {
+	ResetTransitionBundleRegistryForTest()
+	t.Cleanup(ResetTransitionBundleRegistryForTest)
+
+	RecordTransitionBundleForSession("session-nil", nil)
+	if _, ok := TransitionBundleForSession("session-nil"); ok {
+		t.Fatal("nil bundle must be discarded")
+	}
+}
+
+func TestEvictStaleTransitionBundles_RemovesOldEntries(t *testing.T) {
+	ResetTransitionBundleRegistryForTest()
+	t.Cleanup(ResetTransitionBundleRegistryForTest)
+
+	RecordTransitionBundleForSession("session-old", &roast.TransitionMessage{CoordinatorIDValue: 1})
+	// Backdate.
+	sessionBundleRegistryMu.Lock()
+	entry := sessionBundleRegistry["session-old"]
+	entry.createdAt = time.Now().Add(-10 * time.Minute)
+	sessionBundleRegistry["session-old"] = entry
+	sessionBundleRegistryMu.Unlock()
+
+	RecordTransitionBundleForSession("session-new", &roast.TransitionMessage{CoordinatorIDValue: 2})
+
+	evicted := evictStaleTransitionBundles(5 * time.Minute)
+	if evicted != 1 {
+		t.Fatalf("expected 1 eviction, got %d", evicted)
+	}
+	if _, ok := TransitionBundleForSession("session-old"); ok {
+		t.Fatal("old bundle must be evicted")
+	}
+	if _, ok := TransitionBundleForSession("session-new"); !ok {
+		t.Fatal("new bundle must survive")
+	}
+}
+
+func TestTransitionBundleRegistryTTL_MatchesSessionHandleTTL(t *testing.T) {
+	if TransitionBundleRegistryTTL != SessionHandleBindingTTL {
+		t.Fatalf(
+			"bundle TTL %s != session-handle TTL %s; bundles must not outlive sessions",
+			TransitionBundleRegistryTTL,
+			SessionHandleBindingTTL,
+		)
+	}
+}
diff --git a/pkg/frost/signing/roast_retry_bundle_registry_test.go b/pkg/frost/signing/roast_retry_bundle_registry_test.go
@@ -0,0 +1,34 @@
+//go:build !frost_roast_retry
+
+package signing
+
+import (
+	"testing"
+
+	"github.com/keep-network/keep-core/pkg/frost/roast"
+)
+
+func TestTransitionBundleRegistry_DefaultBuildIsNoOp(t *testing.T) {
+	// In the default build the registry is a permanent stub:
+	// RecordTransitionBundleForSession discards; TransitionBundleForSession
+	// always returns (nil, false). The ROAST selector must therefore
+	// always fall back to legacy retry in the default build.
+	RecordTransitionBundleForSession(
+		"session-default-build-test",
+		&roast.TransitionMessage{},
+	)
+	got, ok := TransitionBundleForSession("session-default-build-test")
+	if ok {
+		t.Fatalf(
+			"default build registry must report not-present; got bundle %v",
+			got,
+		)
+	}
+	if got != nil {
+		t.Fatalf("default build must return nil bundle; got %v", got)
+	}
+
+	// Clear and reset must not panic.
+	ClearTransitionBundleForSession("session-default-build-test")
+	ResetTransitionBundleRegistryForTest()
+}
diff --git a/pkg/frost/signing/roast_retry_orchestration.go b/pkg/frost/signing/roast_retry_orchestration.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/keep-network/keep-core/pkg/frost/roast"
 	"github.com/keep-network/keep-core/pkg/frost/roast/attempt"
+	"github.com/keep-network/keep-core/pkg/protocol/group"
 )
 
 // ErrNoRoastRetryCoordinatorRegistered is returned by
@@ -71,11 +72,75 @@ func BeginOrchestrationForSession(
 	}
 	SetCurrentAttemptHandleForSession(sessionID, handle, ctx)
 	cleanup := func() {
+		// RFC-21 Phase 7.1: if this node is the elected
+		// coordinator and the attempt is still in the Collecting
+		// state at cleanup time (i.e. it did not succeed via
+		// signature aggregation), produce the TransitionMessage
+		// and stash it in the per-session bundle registry. Phase
+		// 7.2's ROAST signingParticipantSelector consumes the
+		// stashed bundle to compute the next attempt's
+		// IncludedSet via EvaluateRoastRetryForSigning.
+		//
+		// Failures are best-effort and silent: a panic in the
+		// deferred cleanup is materially worse than a missing
+		// transition bundle (the next attempt's selector falls
+		// back to the legacy retry shuffle), so we swallow errors
+		// rather than propagate them.
+		maybeProduceTransitionBundle(sessionID, handle, deps)
 		ClearCurrentAttemptHandleForSession(sessionID)
 	}
 	return handle, cleanup, nil
 }
 
+// maybeProduceTransitionBundle attempts to call AggregateBundle on
+// the registered Coordinator when (a) the local node is the
+// elected coordinator for the attempt and (b) the attempt has not
+// already transitioned. The result is stashed via
+// RecordTransitionBundleForSession (a no-op in default build); on
+// any error path the function returns silently because cleanup
+// must not break the signing-flow contract.
+//
+// In the default build this still compiles because
+// RecordTransitionBundleForSession is a no-op stub; calls to
+// roast.Coordinator methods compile because pkg/frost/roast is
+// not build-tagged.
+func maybeProduceTransitionBundle(
+	sessionID string,
+	handle roast.AttemptHandle,
+	deps RoastRetryDeps,
+) {
+	if deps.Coordinator == nil {
+		return
+	}
+	if deps.SelfMember == 0 {
+		// Without a known self-member, we cannot determine
+		// whether to aggregate. Skip.
+		return
+	}
+	elected, err := deps.Coordinator.SelectedCoordinator(handle)
+	if err != nil {
+		return
+	}
+	if elected != group.MemberIndex(deps.SelfMember) {
+		return
+	}
+	state, err := deps.Coordinator.State(handle)
+	if err != nil {
+		return
+	}
+	if state != roast.AttemptStateCollecting {
+		// Already transitioned or succeeded -- nothing to do.
+		return
+	}
+	bundle, err := deps.Coordinator.AggregateBundle(handle)
+	if err != nil {
+		// Best-effort; the next attempt's selector will fall
+		// back to the legacy retry shuffle.
+		return
+	}
+	RecordTransitionBundleForSession(sessionID, bundle)
+}
+
 // EndOrchestrationForSession is a convenience for callers that
 // did not capture the cleanup function from
 // BeginOrchestrationForSession (e.g. callers that pass session
diff --git a/pkg/frost/signing/roast_retry_orchestration_bundle_test.go b/pkg/frost/signing/roast_retry_orchestration_bundle_test.go
