feat(crypto): expose governance signing context and make shamir_threshold pub const

server/crates/arbiter-server/src/actors/vault_coordinator/mod.rs

@@ -9,7 +9,7 @@ use tracing::error;
 
 use crate::{
     actors::vault::{Bootstrap, TryUnseal, Vault},
-    crypto::{KeyCell, derive_key, encryption::v1::Nonce, shamir},
+    crypto::{KeyCell, derive_key, encryption::v1::Nonce, shamir, shamir::shamir_threshold},
     db::{self, models, schema},
 };
 
@@ -76,15 +76,6 @@ impl VaultCoordinator {
 
 const SHARE_AAD: &[u8] = b"arbiter/shamir-share/v1";
 
-const fn shamir_threshold(n: usize) -> usize {
-    match n {
-        0 => panic!("No operators"),
-        1 => 1,
-        2 => 2,
-        n => n / 2 + 1,
-    }
-}
-
 async fn finalize_bootstrap(
     db: db::DatabasePool,
     vault: ActorRef<Vault>,

server/crates/arbiter-server/src/crypto/shamir.rs

@@ -20,6 +20,18 @@ pub fn split_key(
         .map_err(|e| ShamirError::Split(format!("{e:?}")))
 }
 
+/// Returns the minimum number of shares required to reconstruct the secret
+/// for a committee of `n` operators.
+#[must_use]
+pub const fn shamir_threshold(n: usize) -> usize {
+    match n {
+        0 => panic!("No operators"),
+        1 => 1,
+        2 => 2,
+        n => n / 2 + 1,
+    }
+}
+
 /// Reconstruct the secret from `threshold` or more shares.
 pub fn combine_shares(shares: &[Vec<u8>]) -> Result<[u8; 32], ShamirError> {
     let bytes = Gf256::combine_array(shares)