feat(frost/signing): RFC-21 Phase 1B -- optional AttemptContextHash on protocol messages (#3964)

## Summary

RFC-21 Phase 1B: extends the three FROST/tbtc-signer protocol message
types with an optional 32-byte `AttemptContextHash` field that binds
each message to the deterministic `AttemptContext` introduced in
Phase 1A (#3963).

**No protocol behaviour change yet.** Receivers do not match the hash
against a locally-computed context in this phase; that lands later
behind a build tag. Phase 1B is purely the wire-format extension.

Stacked on #3963.

## Affected messages

- `nativeFROSTRoundOneCommitmentMessage`
- `nativeFROSTRoundTwoSignatureShareMessage`
- `buildTaggedTBTCSignerRoundContributionMessage`

## Migration contract

| Property | Behaviour |
|---|---|
| Field tag | `json:\"attemptContextHash,omitempty\"` -- absent on the
wire when the sender has not bound the message. |
| Old peer compatibility | Pre-Phase-1B JSON unmarshals cleanly; field
reports as absent via `GetAttemptContextHash`. |
| New peer compatibility | New JSON with a 32-byte hash field
unmarshals; `GetAttemptContextHash` returns `(hash, true)`. |
| Validation | Unmarshal rejects wrong-length hash fields; len must be
exactly 32 or absent. |
| Equal-or-reject | The existing first-write-wins helper
(`buildTaggedTBTCSignerRoundContributionMessagesEqual` from #3959) now
compares `AttemptContextHash` bytewise, so a peer mutating the binding
mid-stream is reported as a conflict. |

## Why split from Phase 1A

Phase 1A (#3963) added the `AttemptContext` type with no consumers.
Phase 1B (this PR) adds the wire-format extension. Splitting keeps the
type definition reviewable independently of the wire change, since
the wire change touches existing message structs in production code
paths.

## Test coverage

17 new tests under `pkg/frost/signing/attempt_context_binding_test.go`:

- `TestValidateAttemptContextHashField_AcceptsAbsentOrCorrectLength` (3
sub-tests)
- `TestValidateAttemptContextHashField_RejectsWrongLength` (3 sub-tests)
- `TestAttemptContextHashField_ArrayRoundTrip`
- `TestAttemptContextHashField_ArrayToArrayAbsent`
- `TestAttemptContextHashField_FromArrayDoesNotAliasCaller`
- `TestRoundOneCommitmentMessage_OptionalFieldRoundTrip` (2 sub-tests)
- `TestRoundOneCommitmentMessage_BackwardCompatWithOldJSON`
- `TestRoundOneCommitmentMessage_RejectsWrongLengthHashField`
- `TestRoundTwoSignatureShareMessage_OptionalFieldRoundTrip`
- `TestRoundTwoSignatureShareMessage_BackwardCompatWithOldJSON`
- `TestRoundTwoSignatureShareMessage_RejectsWrongLengthHashField`
-
`TestBuildTaggedTBTCSignerRoundContributionMessage_OptionalFieldRoundTrip`
-
`TestBuildTaggedTBTCSignerRoundContributionMessage_BackwardCompatWithOldJSON`
-
`TestBuildTaggedTBTCSignerRoundContributionMessage_RejectsWrongLengthHashField`
-
`TestBuildTaggedTBTCSignerRoundContributionMessagesEqual_HashFieldDifferentiates`
- `TestRoundOneCommitmentMessage_JSONEncoderOmitsAbsentField`

All pass under:
- `go test -tags 'frost_native frost_tbtc_signer' ./pkg/frost/...`
- `pkg/tbtc` regression subset:
`go test -tags 'frost_native frost_tbtc_signer' -run
'TestConfigureFrostSigningBackend|TestNewNode_ConfiguresFrostSigningBackend|TestSigningExecutor_Sign|TestRegisterSignerMaterialResolverForBuild'
./pkg/tbtc/`

## Test plan

- [ ] CI green.
- [ ] Reviewer confirms the `omitempty`/optional contract is what we
  want as the *Phase 1* default (i.e., we are intentionally not
  rejecting messages that lack the field).
- [ ] Reviewer confirms it's OK for the equal-or-reject helper to
  now treat \"contribution with hash\" and \"contribution without
  hash\" as unequal during the migration window (sketched in
  Migration contract table above).

Author: mswilkison

pkg/frost/signing/attempt_context_binding.go

@@ -0,0 +1,70 @@
+package signing
+
+import (
+	"fmt"
+
+	"github.com/keep-network/keep-core/pkg/frost/roast/attempt"
+)
+
+// AttemptContextHashFieldLength is the on-wire byte length of the
+// optional AttemptContextHash field carried by the FROST/tbtc-signer
+// protocol messages. The field is the canonical SHA-256 hash of the
+// AttemptContext (see pkg/frost/roast/attempt), so 32 bytes.
+const AttemptContextHashFieldLength = attempt.MessageDigestLength
+
+// validateAttemptContextHashField checks the length invariant for the
+// optional AttemptContextHash field on protocol messages. An absent
+// field (nil or zero-length slice) is valid; a present field must
+// match AttemptContextHashFieldLength exactly.
+//
+// This is the only validation Phase 1B performs on the field. Higher-
+// level acceptance (the receiver-side check that the hash matches the
+// locally-computed AttemptContext) lands in a later RFC-21 phase
+// behind a build tag, since enabling it requires honest peers to have
+// rolled out the new field first.
+func validateAttemptContextHashField(field []byte) error {
+	if len(field) == 0 {
+		return nil
+	}
+	if len(field) != AttemptContextHashFieldLength {
+		return fmt.Errorf(
+			"attempt context hash field has wrong length [%d], expected [%d] or absent",
+			len(field),
+			AttemptContextHashFieldLength,
+		)
+	}
+	return nil
+}
+
+// attemptContextHashFieldFromArray converts a fixed-size 32-byte hash
+// into the slice form used on the wire. Returns a fresh slice so the
+// caller's array cannot be mutated through the returned reference.
+func attemptContextHashFieldFromArray(
+	hash [AttemptContextHashFieldLength]byte,
+) []byte {
+	out := make([]byte, AttemptContextHashFieldLength)
+	copy(out, hash[:])
+	return out
+}
+
+// attemptContextHashFieldToArray converts a wire-form slice back to
+// a fixed-size 32-byte hash plus a presence flag. Returns
+// (zeroArray, false) when the field is absent. Caller has already
+// validated length via validateAttemptContextHashField; this function
+// trusts that invariant and panics on violation.
+func attemptContextHashFieldToArray(
+	field []byte,
+) ([AttemptContextHashFieldLength]byte, bool) {
+	var out [AttemptContextHashFieldLength]byte
+	if len(field) == 0 {
+		return out, false
+	}
+	if len(field) != AttemptContextHashFieldLength {
+		panic(fmt.Sprintf(
+			"attemptContextHashFieldToArray called with wrong-length field [%d]",
+			len(field),
+		))
+	}
+	copy(out[:], field)
+	return out, true
+}