feat(frost): no-coarse-fallback mode for coarse-path retirement (default off)

The reversible, un-gated half of coarse-path retirement (RFC-21 Phase 7.3). Adds a
default-OFF KEEP_CORE_FROST_INTERACTIVE_SIGNING_ONLY gate; when set, the executor
REFUSES to fall through to the coarse signing primitive: if interactive signing did
not run (its audit gate off, or no engine), the attempt fails CLOSED rather than
silently signing over the retired coarse path. The hard-fail on a committed
interactive failure is unchanged; this only converts the (nil signature, nil error)
"interactive not enabled -> coarse" fall-through into a refusal.

Default off, so production is unchanged: coarse stays the path until an operator
flips this on. Flipping it on IS the tECDSA->FROST cutover for that node (the coarse
fallback is gone), so it stays off until the frost-secp256k1-tr external audit clears
and the recovery-leaf decision lands - the actual code deletion of the transitional
coarse primitive is the irreversible follow-up, deliberately deferred.

Tests: TestEntry_InteractiveOnly_RefusesCoarseFallback (orchestration active +
interactive audit gate off + this flag on -> the executor returns a refusal naming
the env var, no signature) and TestEntry_InteractiveSigningOnlyEnabled_ParsesFlag.
Existing static-fallback executor tests unchanged (the flag defaults off). Builds
clean across the tag combos; cgo vet + gofmt clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: mswilkison

pkg/frost/signing/roast_interactive_signing_gate.go

@@ -31,3 +31,23 @@ func InteractiveSigningOptInEnabled() bool {
 	value := strings.TrimSpace(os.Getenv(InteractiveSigningOptInEnvVar))
 	return strings.EqualFold(value, "true")
 }
+
+// InteractiveSigningOnlyEnvVar is the no-coarse-fallback half of coarse-path
+// retirement (RFC-21 Phase 7.3). When set to "true", the executor REFUSES to fall
+// through to the coarse signing primitive: interactive signing is mandatory, and a
+// session where it does not run fails CLOSED rather than silently signing via the
+// retired coarse path. It is meant to be set ONLY together with the audit gate above
+// (and a registered engine) - setting it on its own makes signing fail closed.
+//
+// It stays OFF by default and is intended to remain off in production until the
+// frost-secp256k1-tr engine external audit clears and the tECDSA->FROST cutover is
+// made: flipping it on IS that cutover for this node (the coarse path is no longer
+// available as a fallback). Read per call, not cached, matching the audit gate.
+const InteractiveSigningOnlyEnvVar = "KEEP_CORE_FROST_INTERACTIVE_SIGNING_ONLY"
+
+// InteractiveSigningOnlyEnabled reports whether interactive-only (no coarse
+// fallback) mode is currently set to "true" (case-insensitive, whitespace-trimmed).
+func InteractiveSigningOnlyEnabled() bool {
+	value := strings.TrimSpace(os.Getenv(InteractiveSigningOnlyEnvVar))
+	return strings.EqualFold(value, "true")
+}

pkg/frost/signing/roast_retry_executor_entry_frost_native.go

@@ -131,5 +131,16 @@ func attemptRoastRetryOrchestrationFromRequest(
 	if err != nil {
 		return nil, cleanup, err
 	}
+	if signature == nil && InteractiveSigningOnlyEnabled() {
+		// Interactive-only mode (coarse-path retirement): interactive signing did
+		// not produce a signature (its audit gate is off, or no engine is
+		// registered), and the coarse fallback is disabled - fail CLOSED rather than
+		// silently signing via the retired coarse path.
+		return nil, cleanup, fmt.Errorf(
+			"interactive-only signing mode (%s) is set but interactive signing did not run "+
+				"(%s off or no engine registered); refusing the coarse fallback",
+			InteractiveSigningOnlyEnvVar, InteractiveSigningOptInEnvVar,
+		)
+	}
 	return signature, cleanup, nil
 }

pkg/frost/signing/roast_retry_executor_entry_frost_roast_retry_test.go

@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"errors"
 	"math/big"
+	"strings"
 	"testing"
 
 	"github.com/ipfs/go-log/v2"
@@ -36,6 +37,55 @@ func newEntryRetryTestRequest(t *testing.T) *NativeExecutionFFISigningRequest {
 	}
 }
 
+func TestEntry_InteractiveOnly_RefusesCoarseFallback(t *testing.T) {
+	// Coarse-path retirement: with interactive-only mode ON but interactive signing
+	// not running (its audit gate off), the executor must REFUSE the coarse fallback
+	// and fail closed, rather than returning a nil signature for the caller to sign
+	// over the retired coarse path.
+	t.Setenv(RoastRetryReadinessOptInEnvVar, "true")
+	t.Setenv(InteractiveSigningOptInEnvVar, "") // audit gate OFF -> the drive returns nil
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+	ResetRoastRetryRegistrationForTest()
+	ResetSessionHandleRegistryForTest()
+	t.Cleanup(ResetRoastRetryRegistrationForTest)
+	t.Cleanup(ResetSessionHandleRegistryForTest)
+
+	RegisterRoastRetryCoordinator(RoastRetryDeps{
+		Coordinator: roast.NewInMemoryCoordinator(),
+		Signer:      roast.NoOpSigner(),
+		Verifier:    roast.NoOpSignatureVerifier(),
+		SelfMember:  1,
+	})
+
+	signature, _, err := attemptRoastRetryOrchestrationFromRequest(
+		context.Background(), newEntryRetryTestRequest(t), log.Logger("entry-interactive-only"),
+	)
+	if signature != nil {
+		t.Fatal("interactive-only refusal must not return a signature")
+	}
+	if err == nil {
+		t.Fatal("interactive-only mode must refuse the coarse fallback when interactive signing did not run")
+	}
+	if !strings.Contains(err.Error(), InteractiveSigningOnlyEnvVar) {
+		t.Fatalf("unexpected error (want a refusal naming %s): %v", InteractiveSigningOnlyEnvVar, err)
+	}
+}
+
+func TestEntry_InteractiveSigningOnlyEnabled_ParsesFlag(t *testing.T) {
+	t.Setenv(InteractiveSigningOnlyEnvVar, "")
+	if InteractiveSigningOnlyEnabled() {
+		t.Fatal("unset must be off")
+	}
+	t.Setenv(InteractiveSigningOnlyEnvVar, "  TrUe ")
+	if !InteractiveSigningOnlyEnabled() {
+		t.Fatal("case-insensitive, trimmed true must be on")
+	}
+	t.Setenv(InteractiveSigningOnlyEnvVar, "false")
+	if InteractiveSigningOnlyEnabled() {
+		t.Fatal("false must be off")
+	}
+}
+
 func TestEntry_StaticFallback_ReadinessOptInUnset(t *testing.T) {
 	// Explicitly unset the env var.
 	t.Setenv(RoastRetryReadinessOptInEnvVar, "")