feat(frost): no-coarse-fallback mode for coarse-path retirement (default off) (#4101)

## What

The **reversible, un-gated** first half of coarse-path retirement
(RFC-21 Phase 7.3). Adds a default-**off**
`KEEP_CORE_FROST_INTERACTIVE_SIGNING_ONLY` gate; when set, the executor
**refuses** to fall through to the coarse signing primitive — if
interactive signing did not run (its audit gate off, or no engine
registered), the attempt fails **closed** rather than silently signing
over the retired coarse path.

Only the `(nil signature, nil error)` "interactive not enabled → coarse"
fall-through becomes a refusal; the hard-fail on a *committed*
interactive failure is unchanged.

## Safety / sequencing

- **Default off → production unchanged.** Coarse stays the path until an
operator flips this on.
- Flipping it on **is** the tECDSA→FROST cutover for that node (no
coarse fallback), so it stays off until the `frost-secp256k1-tr`
external audit clears and the recovery-leaf decision lands.
- The **irreversible** part — deleting the transitional coarse FFI
primitive + the deterministic-nonce path — is the deliberate follow-up,
not in this PR.

## Tests

- `TestEntry_InteractiveOnly_RefusesCoarseFallback` — orchestration
active + interactive audit gate off + this flag on → the executor
returns a refusal naming the env var, no signature.
- `TestEntry_InteractiveSigningOnlyEnabled_ParsesFlag` — flag parsing.
- Existing static-fallback executor tests unchanged (flag defaults off).
Builds clean across tag combos; vet + gofmt clean.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: mswilkison

pkg/frost/signing/backend.go

@@ -164,6 +164,16 @@ func setNativeExecutionMode(mode nativeExecutionModeValue) {
 }
 
 func nativeExecutionFallbackAllowed() bool {
+	// Interactive-only mode (coarse-path retirement) suppresses EVERY legacy/coarse
+	// fallback, not only the inner FFI coarse primitive: if the native FFI path does
+	// not yield an interactive signature - including when it is unavailable before the
+	// adapter's own guard runs - the outer bridge/adapter must not delegate to the
+	// legacy backend either. This is the single gate those outer fallbacks consult, so
+	// failing it here closes them all.
+	if InteractiveSigningOnlyEnabled() {
+		return false
+	}
+
 	executionBackendMutex.RLock()
 	defer executionBackendMutex.RUnlock()
 

pkg/frost/signing/backend_test.go

@@ -176,6 +176,82 @@ func TestSetExecutionBackendByName(t *testing.T) {
 	}
 }
 
+func TestNativeExecutionFallbackAllowed_SuppressedByInteractiveOnly(t *testing.T) {
+	// Coarse-path retirement (Codex #4101 P2): interactive-only mode must close the
+	// OUTER native fallbacks too - the bridge/adapter consult this single gate before
+	// delegating to the legacy backend, so the flag has to flip it closed regardless
+	// of the execution mode, or a node with an unavailable FFI path would still sign
+	// over the legacy/coarse delegate.
+	previousMode := currentNativeExecutionMode()
+	t.Cleanup(func() { setNativeExecutionMode(previousMode) })
+
+	setNativeExecutionMode(nativeExecutionModeFallbackAllowed)
+	if !nativeExecutionFallbackAllowed() {
+		t.Fatal("baseline: the fallback-allowed mode must permit the outer fallback")
+	}
+
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+	if nativeExecutionFallbackAllowed() {
+		t.Fatal("interactive-only mode must suppress the outer native fallback")
+	}
+}
+
+func TestLegacyExecutionBackend_InteractiveOnlyRefusesTerminal(t *testing.T) {
+	// Coarse-path retirement (Codex #4101 P2): the DEFAULT backend is the legacy
+	// coarse/tECDSA signer, which the native bridge/adapter guards never touch. The
+	// flag must fail closed here too, terminally, so it cannot fail open under the
+	// documented default config.
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+
+	_, err := newLegacyExecutionBackend().Execute(
+		context.Background(), log.Logger("test"), &Request{Message: big.NewInt(1)},
+	)
+	if !errors.Is(err, ErrTerminalSigningFailure) {
+		t.Fatalf("interactive-only must terminally refuse the legacy backend: %v", err)
+	}
+}
+
+type unavailableNativeAdapter struct{}
+
+func (unavailableNativeAdapter) Execute(
+	context.Context, log.StandardLogger, *Request,
+) (*Result, error) {
+	return nil, ErrNativeCryptographyUnavailable
+}
+
+func (unavailableNativeAdapter) RegisterUnmarshallers(net.BroadcastChannel) {}
+
+func TestNativeExecutionBackend_InteractiveOnlyPromotesUnavailableToTerminal(t *testing.T) {
+	// Coarse-path retirement (Codex #4101 P2): when the native interactive path is
+	// unavailable and every fallback is suppressed, the outer refusal surfaces as a
+	// bare ErrNativeCryptographyUnavailable - promote it to terminal so the retry loop
+	// aborts instead of spinning.
+	backend, err := newNativeExecutionBackend(unavailableNativeAdapter{})
+	if err != nil {
+		t.Fatalf("unexpected backend setup error: %v", err)
+	}
+
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+	_, err = backend.Execute(
+		context.Background(), log.Logger("test"), &Request{Message: big.NewInt(1)},
+	)
+	if !errors.Is(err, ErrTerminalSigningFailure) {
+		t.Fatalf("interactive-only must promote the native unavailable error to terminal: %v", err)
+	}
+
+	// With the flag OFF the unavailable error passes through unpromoted (no regression).
+	t.Setenv(InteractiveSigningOnlyEnvVar, "")
+	_, offErr := backend.Execute(
+		context.Background(), log.Logger("test"), &Request{Message: big.NewInt(1)},
+	)
+	if errors.Is(offErr, ErrTerminalSigningFailure) {
+		t.Fatalf("must not promote to terminal when the flag is off: %v", offErr)
+	}
+	if !errors.Is(offErr, ErrNativeCryptographyUnavailable) {
+		t.Fatalf("flag off must pass the native unavailable error through: %v", offErr)
+	}
+}
+
 func TestSetExecutionBackendByName_NativeFailureRestoresPreviousMode(
 	t *testing.T,
 ) {

pkg/frost/signing/legacy_backend.go

@@ -31,6 +31,18 @@ func (leb *legacyExecutionBackend) Execute(
 		return nil, fmt.Errorf("request is nil")
 	}
 
+	if InteractiveSigningOnlyEnabled() {
+		// Interactive-only mode (coarse-path retirement): the legacy backend is the
+		// tECDSA/coarse signer the flag retires. Refuse at the action itself so the
+		// safety switch holds even under the DEFAULT backend selection, where the
+		// native bridge/adapter guards never run. Terminal so the retry loop aborts.
+		return nil, fmt.Errorf(
+			"%w: interactive-only signing mode (%s) is set but the legacy (coarse "+
+				"tECDSA) backend is selected; the coarse path is retired",
+			ErrTerminalSigningFailure, InteractiveSigningOnlyEnvVar,
+		)
+	}
+
 	if request.Attempt != nil {
 		logger.Infof(
 			"[member:%v] executing FROST signing attempt [%v] "+

pkg/frost/signing/native_backend.go

@@ -2,6 +2,7 @@ package signing
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/ipfs/go-log/v2"
@@ -50,7 +51,23 @@ func (neb *nativeExecutionBackend) Execute(
 		return nil, fmt.Errorf("request is nil")
 	}
 
-	return neb.adapter.Execute(ctx, logger, request)
+	result, err := neb.adapter.Execute(ctx, logger, request)
+	if err != nil &&
+		InteractiveSigningOnlyEnabled() &&
+		errors.Is(err, ErrNativeCryptographyUnavailable) &&
+		!errors.Is(err, ErrTerminalSigningFailure) {
+		// Interactive-only mode (coarse-path retirement): the native interactive path
+		// could not produce a signature and every coarse/legacy fallback is suppressed,
+		// so an outer refusal surfaces as a bare ErrNativeCryptographyUnavailable.
+		// Promote it to TERMINAL so the tBTC signingRetryLoop aborts immediately rather
+		// than retrying a deterministic configuration failure until timeout.
+		return nil, fmt.Errorf(
+			"%w: interactive-only signing mode (%s) and the native interactive path is "+
+				"unavailable; refusing the coarse fallback: %v",
+			ErrTerminalSigningFailure, InteractiveSigningOnlyEnvVar, err,
+		)
+	}
+	return result, err
 }
 
 func (neb *nativeExecutionBackend) RegisterUnmarshallers(

pkg/frost/signing/native_ffi_executor_adapter.go

@@ -144,6 +144,21 @@ func (nefea *nativeExecutionFFIExecutorAdapter) Execute(
 		}, nil
 	}
 
+	if InteractiveSigningOnlyEnabled() {
+		// Interactive-only mode (coarse-path retirement): the orchestration produced
+		// no interactive signature - the audit gate is off, no engine is registered,
+		// OR any static fallback fired (readiness off, no coordinator, unsupported
+		// material). Refuse the inner coarse primitive here; the OUTER bridge/adapter
+		// legacy fallback is closed separately via nativeExecutionFallbackAllowed().
+		// Mark the refusal TERMINAL so the tBTC signingRetryLoop aborts immediately
+		// instead of retrying a deterministic configuration failure until timeout.
+		return nil, fmt.Errorf(
+			"%w: interactive-only signing mode (%s) is set but interactive signing did "+
+				"not run (%s off, no engine, or static fallback); refusing the coarse fallback",
+			ErrTerminalSigningFailure, InteractiveSigningOnlyEnvVar, InteractiveSigningOptInEnvVar,
+		)
+	}
+
 	signature, err := nefea.primitive.Sign(ctx, logger, ffiRequest)
 	if err != nil {
 		return nil, err

pkg/frost/signing/native_ffi_executor_adapter_test.go

@@ -257,6 +257,78 @@ func TestNativeExecutionFFIExecutorAdapter_Execute_RejectsNilSignature(
 	}
 }
 
+func TestNativeExecutionFFIExecutorAdapter_Execute_InteractiveOnlyRefusesCoarse(
+	t *testing.T,
+) {
+	// Coarse-path retirement: with interactive-only mode ON, the adapter must NOT fall
+	// through to the coarse primitive on ANY no-interactive-signature path. In the
+	// default build attemptRoastRetryOrchestrationFromRequest is a no-op (nil,nil,nil)
+	// - the ultimate static fallback - so this exercises exactly the gap Codex flagged:
+	// a fall-through that an executor-level check (which runs only after orchestration
+	// activates) would have bypassed. The adapter is the single coarse-invocation
+	// point, so the refusal here covers every path.
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+
+	primitive := &mockNativeExecutionFFISigningPrimitive{
+		signature: &frost.Signature{
+			R: [frost.SignatureComponentSize]byte{0x01},
+			S: [frost.SignatureComponentSize]byte{0x02},
+		},
+	}
+
+	executor, err := NewNativeExecutionFFIExecutorAdapter(primitive)
+	if err != nil {
+		t.Fatalf("unexpected adapter setup error: [%v]", err)
+	}
+
+	_, err = executor.Execute(context.Background(), nil, &Request{
+		Message:            big.NewInt(123),
+		SessionID:          "session-interactive-only",
+		MemberIndex:        2,
+		GroupSize:          5,
+		DishonestThreshold: 1,
+		SignerMaterial: &NativeSignerMaterial{
+			Format:  NativeSignerMaterialFormatFrostUniFFIV1,
+			Payload: []byte{0xaa},
+		},
+		Attempt: &Attempt{
+			Number:                 3,
+			CoordinatorMemberIndex: 1,
+			IncludedMembersIndexes: []group.MemberIndex{1, 2, 3},
+		},
+	})
+	if err == nil {
+		t.Fatal("interactive-only mode must fail closed instead of using the coarse primitive")
+	}
+	if !errors.Is(err, ErrTerminalSigningFailure) {
+		t.Fatalf("interactive-only refusal must be TERMINAL so the retry loop aborts: %v", err)
+	}
+	if !strings.Contains(err.Error(), InteractiveSigningOnlyEnvVar) {
+		t.Fatalf("unexpected error (want a refusal naming %s): %v", InteractiveSigningOnlyEnvVar, err)
+	}
+	if primitive.signCalls != 0 {
+		t.Fatalf(
+			"coarse primitive must NOT be called in interactive-only mode, got %d call(s)",
+			primitive.signCalls,
+		)
+	}
+}
+
+func TestInteractiveSigningOnlyEnabled_ParsesFlag(t *testing.T) {
+	t.Setenv(InteractiveSigningOnlyEnvVar, "")
+	if InteractiveSigningOnlyEnabled() {
+		t.Fatal("unset must be off")
+	}
+	t.Setenv(InteractiveSigningOnlyEnvVar, "  TrUe ")
+	if !InteractiveSigningOnlyEnabled() {
+		t.Fatal("case-insensitive, trimmed true must be on")
+	}
+	t.Setenv(InteractiveSigningOnlyEnvVar, "false")
+	if InteractiveSigningOnlyEnabled() {
+		t.Fatal("false must be off")
+	}
+}
+
 func TestNativeExecutionFFIExecutorAdapter_RegisterUnmarshallers_Delegates(
 	t *testing.T,
 ) {

pkg/frost/signing/roast_interactive_signing_gate.go

@@ -31,3 +31,31 @@ func InteractiveSigningOptInEnabled() bool {
 	value := strings.TrimSpace(os.Getenv(InteractiveSigningOptInEnvVar))
 	return strings.EqualFold(value, "true")
 }
+
+// InteractiveSigningOnlyEnvVar is the no-coarse-fallback half of coarse-path
+// retirement (RFC-21 Phase 7.3). When set to "true", the executor REFUSES to fall
+// through to the coarse signing primitive: interactive signing is mandatory, and a
+// session where it does not run fails CLOSED rather than silently signing via the
+// retired coarse path. It is meant to be set ONLY together with the audit gate above
+// (and a registered engine) - setting it on its own makes signing fail closed.
+//
+// It stays OFF by default and is intended to remain off in production until the
+// frost-secp256k1-tr engine external audit clears and the tECDSA->FROST cutover is
+// made: flipping it on IS that cutover for this node (the coarse path is no longer
+// available as a fallback). Read per call, not cached, matching the audit gate.
+//
+// SCOPE: it presumes the node signs EXCLUSIVELY via the interactive tBTC-FROST path.
+// The refusal is format-agnostic (it fails closed for every signer format the native
+// executor handles, not only the tBTC-signer one); it closes BOTH the inner FFI coarse
+// primitive and the outer legacy fallbacks (the latter via nativeExecutionFallbackAllowed);
+// and in a build WITHOUT the interactive engine (no frost_native) it fails all native
+// signing closed. Enable it only on a node running the frost_native interactive engine
+// with the audit gate on.
+const InteractiveSigningOnlyEnvVar = "KEEP_CORE_FROST_INTERACTIVE_SIGNING_ONLY"
+
+// InteractiveSigningOnlyEnabled reports whether interactive-only (no coarse
+// fallback) mode is currently set to "true" (case-insensitive, whitespace-trimmed).
+func InteractiveSigningOnlyEnabled() bool {
+	value := strings.TrimSpace(os.Getenv(InteractiveSigningOnlyEnvVar))
+	return strings.EqualFold(value, "true")
+}