From cbc5e37a6740cbc26d523d7e2857dcf46bedd772 Mon Sep 17 00:00:00 2001
From: maclane
Date: Fri, 26 Jun 2026 11:19:44 -0400
Subject: [PATCH] fix(tbtc/signer): validate incoming attempt context before clearing active round
start_sign_round cleared the active sign round on an authorized advance *before* validating the incoming attempt context against the deterministic RFC-21 coordinator selection. A malformed advance whose transition evidence was internally consistent but whose coordinator_identifier failed deterministic validation destroyed the in-memory round, then returned an error without persisting. Because the original attempt id stayed in consumed_attempt_ids, that attempt could never be re-signed in-memory, bricking the signing session until the durable (un-cleared) state was reloaded on restart. Run validate_attempt_context on the incoming context before clear_active_sign_round_for_attempt_transition, so a rejected advance leaves the active round intact. Add a regression test that forges the coordinator on an otherwise-valid advance and asserts the original attempt remains signable. This path is gated off in production by enforce_transitional_signing_disabled_in_production, so the impact is limited to the dev/staging transitional-nonce path.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
pkg/tbtc/signer/src/engine/signing.rs | 18 +++++
pkg/tbtc/signer/src/engine/tests.rs | 106 ++++++++++++++++++++++++++
2 files changed, 124 insertions(+)
diff --git a/pkg/tbtc/signer/src/engine/signing.rs b/pkg/tbtc/signer/src/engine/signing.rs
index 631fac28c1..96d0c87fd1 100644
--- a/pkg/tbtc/signer/src/engine/signing.rs
+++ b/pkg/tbtc/signer/src/engine/signing.rs
@@ -166,6 +166,24 @@ pub fn start_sign_round(mut request: StartSignRoundRequest) -> Result