feat(server): two-operator vault requires at least one recovery share

2026-06-13 22:13:07 +02:00
parent 3b090cd3ce
commit f8c621b20e
5 changed files with 44 additions and 2 deletions
--- a/server/crates/arbiter-server/src/actors/vault_coordinator/mod.rs
+++ b/server/crates/arbiter-server/src/actors/vault_coordinator/mod.rs
@@ -39,6 +39,8 @@ pub enum Error {
    Encryption,
    #[error("Vault error")]
    VaultError,
+    #[error("Two-operator vaults require at least one recovery share")]
+    TwoOperatorsRequireRecovery,
    #[error("Broken database")]
    BrokenDatabase,
 }
@@ -200,11 +202,15 @@ impl VaultCoordinator {
        &mut self,
        operator_id: i32,
        declared_count: usize,
+        recovery_count: usize,
    ) -> Result<(), Error> {
        let _ = operator_id; // fixme!: any authenticated operator may announce the committee size. the first call wins
        if !matches!(self.state, CoordinatorState::Idle) {
            return Err(Error::AlreadyBootstrapping);
        }
+        if declared_count == 2 && recovery_count == 0 {
+            return Err(Error::TwoOperatorsRequireRecovery);
+        }
        self.state = CoordinatorState::Bootstrapping {
            declared_count,
            passphrases: HashMap::new(),
@@ -223,6 +229,7 @@ impl VaultCoordinator {
        let CoordinatorState::Bootstrapping {
            declared_count,
            passphrases,
+            ..
        } = &mut self.state
        else {
            return Err(Error::NotBootstrapping);
--- a/server/crates/arbiter-server/src/grpc/operator/vault_gate/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/vault_gate/inbound.rs
@@ -132,6 +132,7 @@ impl TryConvert for BootstrapRequestPayload {
            Self::DeclareCommittee(dc) => Ok(
                vault_gate::Inbound::HandleDeclareCommittee(HandleDeclareCommittee {
                    count: dc.count as usize,
+                    recovery_count: dc.recovery_count as usize,
                }),
            ),
            Self::ContributePassphrase(cp) => Ok(
--- a/server/crates/arbiter-server/src/peers/operator/vault_gate/mod.rs
+++ b/server/crates/arbiter-server/src/peers/operator/vault_gate/mod.rs
@@ -234,12 +234,17 @@ impl VaultGate {
    }

    #[message]
-    pub async fn handle_declare_committee(&mut self, count: usize) -> Result<(), Error> {
+    pub async fn handle_declare_committee(
+        &mut self,
+        count: usize,
+        recovery_count: usize,
+    ) -> Result<(), Error> {
        self.actors
            .vault_coordinator
            .ask(StartBootstrap {
                operator_id: self.auth_creds.id,
                declared_count: count,
+                recovery_count,
            })
            .await
            .map_err(|_| Error::internal("VaultCoordinator unavailable"))