
fix(tbtc/signer): fail closed on unknown profile and degenerate signing window#4112

Merged
mswilkison merged 1 commit into
extraction/frost-signer-mirror-2026-05-26from
fix/signer-config-fail-closed
Jun 26, 2026

Conversation

@mswilkison

Contributor

Summary

Follow-up to #4005 (FROST/ROAST signer). Two fail-open / DoS fixes in the signing-policy config surface.

1. signer_profile_is_production() panicked on an unknown profile value

On the env-fallback path TBTC_SIGNER_PROFILE is unvalidated, so any value other than production/development/empty hit panic!. The panic is caught at the FFI boundary and redacted to a generic internal error, so a single typo (e.g. staging) aborted every profile-gated operation — a process-wide denial of service until the env var was corrected.

Now an unrecognized profile is treated as production (fail-closed: the strictest gate set) with a one-time warning, instead of panicking. Production is the safe/strict direction for every caller (provenance gate, bootstrap-dealer-DKG disable, transitional-signing disable, ROAST strict mode, env state-key-provider rejection). The install path (init_config) still validates the profile, so this only affects the env-fallback path.

2. load_signing_policy_firewall_config() accepted a zero-width UTC window

utc_hour_in_window treats start == end as "always in window", so an equal-bounds window silently disabled the time-of-day control (fail-open) rather than restricting it. The loader now rejects equal bounds — and out-of-range (>= 24) hours — at load time.

Tests

  • unknown_profile_value_fails_closed_to_production
  • signing_policy_firewall_rejects_equal_utc_window_bounds

Found during review of #4005.

🤖 Generated with Claude Code

…ng window

Two fail-open / DoS fixes in the signing-policy config surface:

- signer_profile_is_production() panicked on any TBTC_SIGNER_PROFILE value
  other than production/development/empty. On the env-fallback path that value
  is unvalidated, so a single typo (e.g. "staging") aborted every
  profile-gated FFI operation as a generic internal error -- a process-wide
  denial of service. Treat an unrecognized profile as production (fail closed)
  and warn once instead of panicking.

- load_signing_policy_firewall_config() accepted an equal-bounds UTC window
  (start == end). utc_hour_in_window treats start == end as "always in
  window", so the time-of-day control was silently disabled (fail open).
  Reject equal bounds, and out-of-range (>= 24) hours, at load time.

Add regression tests for both.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
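The two checks described in the summary and commit message above, as an added Rust example written from the PR text rather than taken from the project; `SignerProfile`, `profile_from_env_value`, `utc_hour_in_window`, `load_utc_window` and `ConfigError` are assumed names, and treating an unset or empty profile value as production is likewise an assumption.

```rust
// Added example, not the project's code. Names are assumptions; the behaviour
// (unknown profile -> production + warn; equal or >= 24 bounds rejected) is from the PR.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SignerProfile {
    Production,
    Development,
}

/// Env-fallback parsing of TBTC_SIGNER_PROFILE. Unset/empty is assumed to mean
/// production here; anything unrecognized resolves to Production (the strictest
/// gate set) instead of panicking. The bool tells the caller to warn once.
pub fn profile_from_env_value(raw: Option<&str>) -> (SignerProfile, bool) {
    match raw.map(str::trim) {
        None | Some("") | Some("production") => (SignerProfile::Production, false),
        Some("development") => (SignerProfile::Development, false),
        Some(_) => (SignerProfile::Production, true), // fail closed, warn once
    }
}

/// The window check as the PR describes it: start == end is "always in window",
/// and start > end wraps across midnight.
pub fn utc_hour_in_window(hour: u8, start: u8, end: u8) -> bool {
    if start == end {
        return true; // degenerate window: time-of-day control silently disabled
    }
    if start < end {
        start <= hour && hour < end
    } else {
        hour >= start || hour < end
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ConfigError {
    HourOutOfRange(u8),
    EqualWindowBounds,
}

/// Loader-side validation so the degenerate case above is unreachable from
/// config: reject hours >= 24 first, then equal bounds.
pub fn load_utc_window(start: u8, end: u8) -> Result<(u8, u8), ConfigError> {
    if let Some(bad) = [start, end].iter().copied().find(|&h| h >= 24) {
        return Err(ConfigError::HourOutOfRange(bad));
    }
    if start == end {
        return Err(ConfigError::EqualWindowBounds);
    }
    Ok((start, end))
}
```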
@coderabbitai

coderabbitai Bot commented Jun 26, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@mswilkison mswilkison merged commit 95ecec4 into extraction/frost-signer-mirror-2026-05-26 Jun 26, 2026
20 checks passed
@mswilkison mswilkison deleted the fix/signer-config-fail-closed branch June 26, 2026 16:12