fix(tbtc/signer): reject empty attestation statuses#4156
Merged
mswilkison merged 1 commit intoJul 13, 2026
Merged
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
3e800c8 to
92ecab4
Compare
92ecab4 to
07b4190
Compare
mswilkison
added a commit
that referenced
this pull request
Jul 13, 2026
## Stack Rust signer review-fix stack 1 of 2. - Base: `extraction/frost-signer-mirror-2026-05-26` ([#4005](#4005)) - Follow-up: [#4156](#4156) — admission-attestation validation ## What changed - Retain the `RefreshShares` symbol but fail closed with terminal code `cryptographic_refresh_not_supported` until a multi-round, zero-constant FROST refresh protocol exists. - Bump the FFI contract from ABI 3.3 to 4.0 so ABI-3 consumers reject the incompatible success-to-error response change during startup negotiation. - Remove the SHA-256 pseudo-refresh path, its process-local pending-operation machinery, and tests that encoded invalid refresh-success semantics. - Prove rejected refresh requests leave DKG key packages, the public package, lifecycle state, and persisted bytes unchanged. - Anchor the first refresh deadline and overdue metric to durable DKG creation time. - Treat metadata from the retired synthetic refresh stub as non-authoritative: it cannot postpone cadence, increment valid refresh counts, or claim key continuity. - Mark persisted synthetic refresh-only sessions without a DKG anchor immediately overdue in both status and telemetry, including when the system clock saturates at the Unix epoch. ## Review findings addressed - P1: implement cryptographic refresh instead of hashing shares — the unsafe one-shot operation now rejects and returns no replacement material. - P2: anchor the first refresh deadline to DKG creation — status and telemetry share the same durable deadline helper. - P2: bump the ABI for the incompatible refresh response — the endpoint now reports ABI 4.0 with its minor version reset to zero. - P1: mark unanchored legacy refresh sessions overdue — untrusted refresh artifacts now resolve to an explicit, unconditionally overdue sentinel instead of a sliding deadline. The C symbol, request shape, response envelope, and reserved response type remain present; the major version makes the changed status and JSON semantics explicit. ## Verification - `cargo fmt --manifest-path pkg/tbtc/signer/Cargo.toml -- --check` - `cargo check --locked --manifest-path pkg/tbtc/signer/Cargo.toml --all-targets` - `cargo clippy --locked --manifest-path pkg/tbtc/signer/Cargo.toml --all-targets -- -D warnings` - `cargo test --locked --manifest-path pkg/tbtc/signer/Cargo.toml` - `cargo test --locked --manifest-path pkg/tbtc/signer/Cargo.toml formal_verification_` - `pkg/tbtc/signer/scripts/run_phase5_chaos_suite.sh` - `git diff --check` The TLA+ runner was not available locally because this machine has no Java runtime; CI remains the authoritative model-check gate.
Base automatically changed from
fix/signer-refresh-safety-2026-07-13
to
extraction/frost-signer-mirror-2026-05-26
July 13, 2026 21:41
1679a60
into
extraction/frost-signer-mirror-2026-05-26
20 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stack
Rust signer review-fix stack 2 of 2.
extraction/frost-signer-mirror-2026-05-26(#4005)What changed
required_attestation_statuswithrequired_attestation_status_missing.attestation_statuswithattestation_status_missing.Review finding addressed
Verification
cargo fmt --manifest-path pkg/tbtc/signer/Cargo.toml -- --checkcargo check --locked --manifest-path pkg/tbtc/signer/Cargo.toml --all-targetscargo clippy --locked --manifest-path pkg/tbtc/signer/Cargo.toml --all-targets -- -D warningscargo test --locked --manifest-path pkg/tbtc/signer/Cargo.tomlcargo test --locked --manifest-path pkg/tbtc/signer/Cargo.toml --bin admission_checker attestationgit diff --check