
fix(sdk-lib-mpc): derive final_session_id deterministically in DKG retrofit#8496

Merged
mohammadalfaiyazbitgo merged 1 commit into master from wal-392-fix-dkg-retrofit-session-id
Apr 14, 2026

Conversation

@mohammadalfaiyazbitgo
Contributor

Summary

Fixes WAL-392 — DKG retrofit keyshares were using an all-zero final_session_id (Array(32).fill(0)), meaning every retrofit wallet shared the same session identifier. This weakens DKLS protocol transcript binding and could allow cross-session confusion when multiple retrofit wallets sign simultaneously on the same server.

Change: Replace the hardcoded zeros with a deterministic derivation:

final_session_id = sha256(public_key || root_chain_code)

This produces a unique, wallet-specific 32-byte value derived from the key material — identical across all parties for the same wallet (since they share the same public key and chain code), but distinct across different wallets.

Files Changed

  • modules/sdk-lib-mpc/src/tss/ecdsa-dkls/dkg.ts — add crypto import, replace Array(32).fill(0) with SHA256 derivation in _createDKLsRetrofitKeyShare()
  • modules/sdk-lib-mpc/test/unit/tss/ecdsa/dklsDkg.ts — 5 new tests verifying the fix

Test Plan

  • should create retrofit key shares with non-zero final_session_id
  • should create retrofit key shares with 32-byte final_session_id
  • should produce deterministic final_session_id for same retrofit inputs
  • should derive final_session_id as sha256(public_key || chaincode)
  • should produce the same final_session_id for all parties in a retrofit
  • All 92 existing @bitgo/sdk-lib-mpc unit tests pass

Risk

Low. Single-line change in one function. The output contract (32-byte number[]) is preserved. final_session_id is not persisted in completed keyshares — it is only consumed by KeygenSession.initKeyRotation() during the retrofit ceremony. Confirmed not used in the wallet-platform backend.

🤖 Generated with Claude Code
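An added illustration of the derivation this PR describes, written for this page and not taken from the sdk-lib-mpc source: `deriveFinalSessionId` is a hypothetical helper that mirrors `sha256(public_key || root_chain_code)` as a 32-byte `number[]`, and the wallet key material is constructed sample bytes. The raw-byte encoding of both inputs (public key first, then chain code) is an assumption; the project's own serialization may differ.

```typescript
import { createHash } from 'node:crypto';

// Hypothetical helper (not the sdk-lib-mpc code): the derivation the PR describes,
// final_session_id = sha256(public_key || root_chain_code), returned as a 32-byte number[].
// Assumption: both inputs are raw bytes and are hashed in that order.
export function deriveFinalSessionId(publicKey: Uint8Array, rootChainCode: Uint8Array): number[] {
  if (publicKey.length === 0 || rootChainCode.length === 0) {
    throw new Error('public key and root chain code must be non-empty');
  }
  const digest = createHash('sha256').update(publicKey).update(rootChainCode).digest();
  return Array.from(digest);
}

// Pre-fix value: every retrofit wallet shared this one constant.
export const LEGACY_ALL_ZERO_SESSION_ID: number[] = Array(32).fill(0);

export function isAllZero(sessionId: number[]): boolean {
  return sessionId.every((b) => b === 0);
}

export function sameBytes(a: number[], b: number[]): boolean {
  return a.length === b.length && a.every((byte, i) => byte === b[i]);
}

// The property the PR's last test checks: every party in one retrofit derives the same id,
// because all of them hold the same public key and root chain code.
export function allPartiesAgree(sessionIds: number[][]): boolean {
  return sessionIds.length > 0 && sessionIds.every((id) => sameBytes(id, sessionIds[0]));
}

// Constructed sample key material (not real keys): a 33-byte public key and a 32-byte chain code.
function constructedBytes(len: number, seed: number): Uint8Array {
  return Uint8Array.from({ length: len }, (_, i) => (seed * 31 + i * 7) & 0xff);
}
export const WALLET_A = { publicKey: constructedBytes(33, 1), rootChainCode: constructedBytes(32, 2) };
export const WALLET_B = { publicKey: constructedBytes(33, 3), rootChainCode: constructedBytes(32, 4) };

export function demo(): { partiesAgree: boolean; walletsDiffer: boolean; legacyWasZero: boolean } {
  // Three parties of wallet A: identical inputs, so one shared, non-zero session id.
  const partyIds = [0, 1, 2].map(() => deriveFinalSessionId(WALLET_A.publicKey, WALLET_A.rootChainCode));
  // Wallet B has different key material, so its session id must differ from wallet A's.
  const walletBId = deriveFinalSessionId(WALLET_B.publicKey, WALLET_B.rootChainCode);
  return {
    partiesAgree: allPartiesAgree(partyIds) && !isAllZero(partyIds[0]),
    walletsDiffer: !sameBytes(partyIds[0], walletBId),
    legacyWasZero: isAllZero(LEGACY_ALL_ZERO_SESSION_ID),
  };
}
```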

…trofit

Replace the all-zero final_session_id in _createDKLsRetrofitKeyShare with a
deterministic sha256(public_key || root_chain_code) derivation. All-zero session
IDs weaken protocol transcript binding, allowing potential cross-session confusion
when multiple retrofit wallets sign simultaneously.

Fixes WAL-392

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@linear

linear bot commented Apr 13, 2026

@mohammadalfaiyazbitgo mohammadalfaiyazbitgo merged commit 190b1d0 into master Apr 14, 2026
21 checks passed