feat(frost): register the cgo engine as the interactive signing provider (gated)

pkg/frost/signing/native_ffi_primitive_registration_frost_native_test.go

@@ -41,8 +41,16 @@ func TestRegisterNativeExecutionFFISigningPrimitiveForBuild_UsesDefaultProvider(
 ) {
 	UnregisterNativeExecutionFFISigningPrimitiveProviderForBuild()
 	UnregisterNativeExecutionFFIExecutor()
+	// Under the cgo build the default provider's registration installs the
+	// interactive signing provider as a side effect, so reset it here too -
+	// symmetric with the FFI executor/provider - both before (clean slate) and in
+	// cleanup. Otherwise a later test asserting no interactive provider is set
+	// (TestRegisterInteractiveSigningEngineProvider) fails under -shuffle or a
+	// focused -run. Resetting is a no-op on builds that register no provider.
+	ResetInteractiveSigningEngineProviderForTest()
 	t.Cleanup(UnregisterNativeExecutionFFISigningPrimitiveProviderForBuild)
 	t.Cleanup(UnregisterNativeExecutionFFIExecutor)
+	t.Cleanup(ResetInteractiveSigningEngineProviderForTest)
 
 	RegisterNativeExecutionFFISigningPrimitiveForBuild()
 

pkg/frost/signing/native_frost_engine_tbtc_signer_registration_frost_native.go

@@ -589,16 +589,24 @@ func registerBuildTaggedNativeFROSTSigningEngine() error {
 	// New FROST wallets in this build must use the coarse
 	// `frost-tbtc-signer-v1` material path exclusively.
 	//
-	// RFC-21 Phase 7.3: this same engine satisfies interactiveSigningEngine, but
-	// it is intentionally NOT registered as the interactive provider
-	// (RegisterInteractiveSigningEngineProvider) here yet. Wiring the gated
-	// interactive ROAST path into production is deferred until the blame/evidence
-	// bridge + stable ROAST session-key plumbing land AND the frost-secp256k1-tr
-	// engine external audit clears. Until then the executor's interactive path is
-	// unreachable in production BY CONSTRUCTION (no provider), on top of the
-	// default-off KEEP_CORE_FROST_INTERACTIVE_SIGNING_ENABLED gate -- two
-	// independent barriers, so an operator cannot enable a half-wired interactive
-	// flow ahead of the blame bridge. Production signs via the coarse path below.
+	// RFC-21 Phase 7.3: this same engine satisfies interactiveSigningEngine, and
+	// it IS registered as the interactive provider here. The prerequisites the
+	// registration waited on have landed -- the f+1 blame/evidence bridge and the
+	// stable ROAST session-key plumbing -- so the executor may drive the real cgo
+	// engine through the interactive ROAST path. Registration on its own changes
+	// nothing for an operator: the executor still requires the default-off
+	// KEEP_CORE_FROST_INTERACTIVE_SIGNING_ENABLED opt-in (read per call, see
+	// roast_interactive_signing_gate.go), so the interactive path stays dormant
+	// until explicitly enabled on a cgo build, and the coarse path remains the
+	// fallback. The frost-secp256k1-tr engine external audit gates the
+	// threshold-ECDSA -> FROST CUTOVER in production (turning that opt-in on for
+	// real wallets), NOT this registration. The provider is a factory: each call
+	// returns a fresh stateless bridge handle (interactive sessions live
+	// engine-side, keyed by session id).
+	RegisterInteractiveSigningEngineProvider(func() interactiveSigningEngine {
+		return &buildTaggedTBTCSignerEngine{}
+	})
+
 	return RegisterNativeTBTCSignerEngine(engine)
 }
 

pkg/frost/signing/native_frost_engine_tbtc_signer_registration_frost_native_test.go

@@ -16,6 +16,7 @@ import (
 func TestRegisterBuildTaggedTBTCSignerEngine(t *testing.T) {
 	UnregisterNativeTBTCSignerEngine()
 	t.Cleanup(UnregisterNativeTBTCSignerEngine)
+	t.Cleanup(ResetInteractiveSigningEngineProviderForTest)
 
 	err := registerBuildTaggedNativeFROSTSigningEngine()
 	if err != nil {
@@ -27,6 +28,22 @@ func TestRegisterBuildTaggedTBTCSignerEngine(t *testing.T) {
 		t.Fatal("expected native tbtc-signer engine registration")
 	}
 
+	// RFC-21 Phase 7.3: the same registration installs the cgo engine as the
+	// interactive signing provider, so the executor can obtain a real engine for
+	// the gated interactive ROAST path. The provider is a factory returning a
+	// fresh cgo bridge handle; the path itself stays dormant behind the default-off
+	// KEEP_CORE_FROST_INTERACTIVE_SIGNING_ENABLED opt-in.
+	interactive := registeredInteractiveSigningEngine()
+	if interactive == nil {
+		t.Fatal("expected the interactive signing provider to be registered")
+	}
+	if _, ok := interactive.(*buildTaggedTBTCSignerEngine); !ok {
+		t.Fatalf(
+			"interactive provider returned %T, want *buildTaggedTBTCSignerEngine",
+			interactive,
+		)
+	}
+
 	_, err = engine.StartSignRound(
 		"session-1",
 		1,

pkg/frost/signing/roast_interactive_signing_frost_native_test.go

@@ -44,10 +44,18 @@ func persistedTBTCSignerMaterial(
 }
 
 func TestRegisterInteractiveSigningEngineProvider(t *testing.T) {
+	// Establish a clean precondition rather than assume one: other tests in this
+	// package install an interactive provider as a global side effect (e.g. the
+	// default FFI-provider registration under the cgo build calls
+	// registerBuildTaggedNativeFROSTSigningEngine), so a bare "no provider yet"
+	// assertion is order dependent and fails under -shuffle / a focused -run.
+	// Resetting up front makes this test order-independent regardless of which
+	// tests ran before it.
+	ResetInteractiveSigningEngineProviderForTest()
 	defer ResetInteractiveSigningEngineProviderForTest()
 
 	if got := registeredInteractiveSigningEngine(); got != nil {
-		t.Fatalf("expected nil engine before registration, got %T", got)
+		t.Fatalf("expected nil engine after reset, got %T", got)
 	}
 
 	want := newFakeInteractiveSigningEngine()