fix(frost): fail closed at the legacy + native backends under the no-coarse flag

Fold of a third round of Codex #4101 P2 findings - the flag's fail-closed behavior
still had two holes, both now enforced at the backend Execute (the action) so they
cannot be bypassed by a caller:

- The DEFAULT backend fails OPEN. KEEP_CORE_FROST_INTERACTIVE_SIGNING_ONLY was checked
  only in nativeExecutionFallbackAllowed + the native FFI adapter. A node left at the
  documented default (""/legacy) signs straight through legacyExecutionBackend.Execute
  (the tECDSA/coarse signer), never touching those guards - so the safety switch failed
  open under the default config. legacyExecutionBackend.Execute now refuses with a
  terminal error when the flag is on.

- Outer native refusals were retryable. When the native path is unavailable before the
  FFI adapter's terminal refusal can run (no FFI executor, or the bridge returns
  ErrNativeCryptographyUnavailable with the fallback suppressed), the bridge/adapter
  return a bare ErrNativeCryptographyUnavailable; the tBTC signingRetryLoop only aborts
  on ErrTerminalSigningFailure, so it retried this deterministic failure to timeout.
  nativeExecutionBackend.Execute now promotes that unavailable error to terminal when
  the flag is on (and leaves it untouched when off).

Tests: legacy terminal refusal; native unavailable->terminal promotion plus a flag-off
pass-through (no regression). Builds across all tag combos; full default +
frost_native/frost_roast_retry suites pass; gofmt clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: mswilkison

pkg/frost/signing/backend_test.go

@@ -196,6 +196,62 @@ func TestNativeExecutionFallbackAllowed_SuppressedByInteractiveOnly(t *testing.T
 	}
 }
 
+func TestLegacyExecutionBackend_InteractiveOnlyRefusesTerminal(t *testing.T) {
+	// Coarse-path retirement (Codex #4101 P2): the DEFAULT backend is the legacy
+	// coarse/tECDSA signer, which the native bridge/adapter guards never touch. The
+	// flag must fail closed here too, terminally, so it cannot fail open under the
+	// documented default config.
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+
+	_, err := newLegacyExecutionBackend().Execute(
+		context.Background(), log.Logger("test"), &Request{Message: big.NewInt(1)},
+	)
+	if !errors.Is(err, ErrTerminalSigningFailure) {
+		t.Fatalf("interactive-only must terminally refuse the legacy backend: %v", err)
+	}
+}
+
+type unavailableNativeAdapter struct{}
+
+func (unavailableNativeAdapter) Execute(
+	context.Context, log.StandardLogger, *Request,
+) (*Result, error) {
+	return nil, ErrNativeCryptographyUnavailable
+}
+
+func (unavailableNativeAdapter) RegisterUnmarshallers(net.BroadcastChannel) {}
+
+func TestNativeExecutionBackend_InteractiveOnlyPromotesUnavailableToTerminal(t *testing.T) {
+	// Coarse-path retirement (Codex #4101 P2): when the native interactive path is
+	// unavailable and every fallback is suppressed, the outer refusal surfaces as a
+	// bare ErrNativeCryptographyUnavailable - promote it to terminal so the retry loop
+	// aborts instead of spinning.
+	backend, err := newNativeExecutionBackend(unavailableNativeAdapter{})
+	if err != nil {
+		t.Fatalf("unexpected backend setup error: %v", err)
+	}
+
+	t.Setenv(InteractiveSigningOnlyEnvVar, "true")
+	_, err = backend.Execute(
+		context.Background(), log.Logger("test"), &Request{Message: big.NewInt(1)},
+	)
+	if !errors.Is(err, ErrTerminalSigningFailure) {
+		t.Fatalf("interactive-only must promote the native unavailable error to terminal: %v", err)
+	}
+
+	// With the flag OFF the unavailable error passes through unpromoted (no regression).
+	t.Setenv(InteractiveSigningOnlyEnvVar, "")
+	_, offErr := backend.Execute(
+		context.Background(), log.Logger("test"), &Request{Message: big.NewInt(1)},
+	)
+	if errors.Is(offErr, ErrTerminalSigningFailure) {
+		t.Fatalf("must not promote to terminal when the flag is off: %v", offErr)
+	}
+	if !errors.Is(offErr, ErrNativeCryptographyUnavailable) {
+		t.Fatalf("flag off must pass the native unavailable error through: %v", offErr)
+	}
+}
+
 func TestSetExecutionBackendByName_NativeFailureRestoresPreviousMode(
 	t *testing.T,
 ) {

pkg/frost/signing/legacy_backend.go

@@ -31,6 +31,18 @@ func (leb *legacyExecutionBackend) Execute(
 		return nil, fmt.Errorf("request is nil")
 	}
 
+	if InteractiveSigningOnlyEnabled() {
+		// Interactive-only mode (coarse-path retirement): the legacy backend is the
+		// tECDSA/coarse signer the flag retires. Refuse at the action itself so the
+		// safety switch holds even under the DEFAULT backend selection, where the
+		// native bridge/adapter guards never run. Terminal so the retry loop aborts.
+		return nil, fmt.Errorf(
+			"%w: interactive-only signing mode (%s) is set but the legacy (coarse "+
+				"tECDSA) backend is selected; the coarse path is retired",
+			ErrTerminalSigningFailure, InteractiveSigningOnlyEnvVar,
+		)
+	}
+
 	if request.Attempt != nil {
 		logger.Infof(
 			"[member:%v] executing FROST signing attempt [%v] "+

pkg/frost/signing/native_backend.go

@@ -2,6 +2,7 @@ package signing
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/ipfs/go-log/v2"
@@ -50,7 +51,23 @@ func (neb *nativeExecutionBackend) Execute(
 		return nil, fmt.Errorf("request is nil")
 	}
 
-	return neb.adapter.Execute(ctx, logger, request)
+	result, err := neb.adapter.Execute(ctx, logger, request)
+	if err != nil &&
+		InteractiveSigningOnlyEnabled() &&
+		errors.Is(err, ErrNativeCryptographyUnavailable) &&
+		!errors.Is(err, ErrTerminalSigningFailure) {
+		// Interactive-only mode (coarse-path retirement): the native interactive path
+		// could not produce a signature and every coarse/legacy fallback is suppressed,
+		// so an outer refusal surfaces as a bare ErrNativeCryptographyUnavailable.
+		// Promote it to TERMINAL so the tBTC signingRetryLoop aborts immediately rather
+		// than retrying a deterministic configuration failure until timeout.
+		return nil, fmt.Errorf(
+			"%w: interactive-only signing mode (%s) and the native interactive path is "+
+				"unavailable; refusing the coarse fallback: %v",
+			ErrTerminalSigningFailure, InteractiveSigningOnlyEnvVar, err,
+		)
+	}
+	return result, err
 }
 
 func (neb *nativeExecutionBackend) RegisterUnmarshallers(