
Add time-windowed sign discovery support #38

Open

jairajdev wants to merge 1 commit into bnb-chain:master from jairajdev:time-windowed-sign-discovery


Conversation

@jairajdev

Summary

This PR updates native tss sign bootstrap so a signing session can form with any consistent signer set k where t+1 <= k <= n.

The main change is to treat sign-mode bootstrap as a time-windowed discovery phase instead of finishing as soon as the minimum signer count is seen.

That prevents different nodes from forming different signer sets for the same sign session when more than t+1 parties participate.

Documentation Included In This PR

This branch also includes two supporting documents under doc/ for reviewers:

  • doc/sign-time-windowed-discovery-pr-details.md — a detailed design and implementation note covering the problem, behavior change, supporting transport changes, and validation approach
  • doc/sign-time-windowed-discovery-test-result.log — the full recorded 7-party scenario matrix output used for validation (PASS=34, FAIL=0, total=34)

Those files are intended to make review easier without requiring the entire test story to live only in the PR description.

Background

The original behavior could commit a signing session too early. In practice, one node could observe a 2-party signer set and another node could still be trying to join the same sign session. That made session membership timing-dependent and could stall signing when more than t+1 parties started concurrently.

This PR changes the session-formation logic so signers that arrive within the same bounded discovery window converge on one committed signer set before signing rounds begin.

Behavior Change

For native tss sign, bootstrap now stays open until one of these conditions is true:

  • all expected peers have been discovered, or
  • the configured discovery window expires and at least threshold remote peers have been discovered

That means the resulting signer set can be any consistent subset size k where t+1 <= k <= n.

With --sign_discovery_timeout 0, signing waits for all parties. With a positive timeout such as 5s, signing admits the parties that arrive within that window and commits that set.

Implementation Details

The feature depends on a few related changes working together:

  • add --sign_discovery_timeout to the native tss sign command
  • add SignDiscoveryTimeout to config decoding
  • track a sign-bootstrap discovery deadline in the bootstrapper
  • propagate that deadline through bootstrap messages so late starters inherit the same session window instead of opening a new one
  • add an explicit bootstrap commit guard so late joiners cannot change committee membership after session formation
  • separate bootstrap and sign-phase protocol handling in the transport so post-bootstrap traffic cannot reopen discovery
  • retry stream negotiation failures and clear dial backoff before reconnect attempts to reduce false misses during the discovery window
  • ignore messages from unknown late parties in the client as a defensive guard

Why this is safe

This PR changes session formation in tss. It does not change the underlying signing math in tss-lib.

tss-lib already supports signing with any subset size k as long as k >= t+1 and all participants use the same signer set. This PR makes native tss converge on one consistent signer set before rounds start.

Files Changed

  • common/config.go
  • common/messages.go
  • common/bootstrapper.go
  • cmd/root.go
  • client/client.go
  • p2p/p2p_transporter.go
  • scripts/test-sign-rounds.sh
  • doc/sign-time-windowed-discovery-pr-details.md
  • doc/sign-time-windowed-discovery-test-result.log

Native Usage

Require all parties to join before signing:

./tss sign ... --sign_discovery_timeout 0

Allow a flexible signer set to form within a 5-second window:

./tss sign ... --sign_discovery_timeout 5s

Validation

The change was validated locally with a fresh 7-party keygen setup (n = 7, t = 3) and native tss sign runs.

Representative results:

  • all 7 parties starting together with --sign_discovery_timeout 5s completed successfully (7/7 signed)
  • a delayed-start scenario with delays 0 0 0 0 8 12 16 produced a clean 4/7 signing session, with late starters not disrupting the committed session
  • signers that arrived after the committed window did not change the committee or break the in-flight session

Full harness result from the 7-party scenario matrix:

PASS=34
FAIL=0
total=34

The full scenario-by-scenario output is included in doc/sign-time-windowed-discovery-test-result.log.

Related

  • fixes the sign-bootstrap behavior discussed in issue #34
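A small model of the discovery rule this PR describes, written as an added example rather than taken from the bnb-chain/tss code base: a node keeps discovery open until every expected peer is found or its window expires with at least t remote peers, adopts the earliest window deadline carried by a peer's bootstrap message (an assumed shape for that message), and refuses late joiners once the signer set is committed. The field and function names are hypothetical; the test below replays the 0 0 0 0 8 delayed-start shape from the Validation section with n = 7, t = 3 and a 5s window and expects a 4-party committee.

```go
package main

import "sort"
import "time"

// SignBootstrapper models one node's time-windowed sign discovery phase (hypothetical type).
type SignBootstrapper struct {
	Self       string
	N, T       int
	Deadline   time.Time // zero value means "wait for all parties" (timeout 0)
	Discovered map[string]bool
	Committed  bool
	Committee  []string // sorted signer set, frozen once Committed is true
}

// NewSignBootstrapper opens the discovery window at now; a timeout of 0 disables the window.
func NewSignBootstrapper(self string, n, t int, timeout time.Duration, now time.Time) *SignBootstrapper {
	b := &SignBootstrapper{Self: self, N: n, T: t, Discovered: map[string]bool{}}
	if timeout > 0 {
		b.Deadline = now.Add(timeout)
	}
	return b
}

// OnBootstrap handles a bootstrap message from peer `from` that carries the sender's window
// deadline (zero if none), received at now; it returns false when the commit guard rejects a late joiner.
func (b *SignBootstrapper) OnBootstrap(from string, peerDeadline, now time.Time) bool {
	if b.Committed {
		return false // membership is frozen after session formation
	}
	// Assumption: adopt the earliest deadline seen so all nodes close the same window.
	if !peerDeadline.IsZero() && (b.Deadline.IsZero() || peerDeadline.Before(b.Deadline)) {
		b.Deadline = peerDeadline
	}
	b.Discovered[from] = true
	b.Tick(now)
	return true
}

// Tick re-evaluates the commit conditions at now: all expected peers found, or the window
// has expired with at least T remote peers discovered. It reports whether the set is committed.
func (b *SignBootstrapper) Tick(now time.Time) bool {
	expired := !b.Deadline.IsZero() && !now.Before(b.Deadline)
	if remote := len(b.Discovered); !b.Committed && (remote == b.N-1 || (expired && remote >= b.T)) {
		b.Committee = []string{b.Self}
		for p := range b.Discovered {
			b.Committee = append(b.Committee, p)
		}
		sort.Strings(b.Committee)
		b.Committed = true
	}
	return b.Committed
}
```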
