*: fix lock share binding validation

[HananINouman]

This PR hardens cluster lock validation to close a reported vulnerability where malformed validator entries could pass per-validator checks.

What changed

• Enforce distributed validator key uniqueness across all validators in the lock.
• Enforce public share uniqueness within each validator.
• Validate full share-binding to the distributed key polynomial:
  • Reconstruct the DV key from the first threshold shares.
  • For every extra share beyond threshold, reconstruct again with a subset that includes that share and confirm it yields the same DV key.
• Refactor reconstruction logic to use a dedicated tbls.RecoverPubkey path (Herumi-backed) and improve error context.
• Remove the now-redundant identity-share guard because full share-binding verification supersedes it.
• Add tests around extra-share polynomial consistency and pubkey recovery behavior.

Why

Previously, duplicated/malformed lock entries could satisfy local checks while still being structurally unsafe.
These checks ensure each validator’s shares are globally consistent with its distributed key and prevent duplicate-key lock entries from being accepted.

Compatibility / behavior

• No API changes.
• Validation is stricter by design; previously accepted malformed locks are now rejected.
• Logic remains aligned with the equivalent fix in obol-sdk (fix/lock-share-binding-validation).

category: bug
ticket: none

[codecov]

Codecov Report

❌ Patch coverage is 62.06897% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.15%. Comparing base (7e09491) to head (7b625d8).
⚠️ Report is 52 commits behind head on main.

Files with missing lines	Patch %	Lines
cluster/lock.go	67.79%	13 Missing and 6 partials ⚠️
tbls/herumi.go	46.15%	11 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4514      +/-   ##
==========================================
+ Coverage   56.48%   57.15%   +0.66%     
==========================================
  Files         244      245       +1     
  Lines       32550    33020     +470     
==========================================
+ Hits        18386    18871     +485     
+ Misses      11819    11775      -44     
- Partials     2345     2374      +29     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This PR strengthens cluster.Lock.VerifySignatures by validating that each distributed validator’s PubShares are well-formed and actually bind to (reconstruct) the declared distributed validator public key, preventing malformed or inconsistent lock files from being accepted.

Changes:

• Add validation for duplicate distributed validator pubkeys, share count mismatches, duplicate shares, and share-to-DV-key reconstruction.
• Validate that “extra” shares (beyond threshold) are consistent with the distributed key polynomial.
• Add unit tests covering the new rejection cases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
cluster/lock.go	Adds share-binding validation during lock signature verification, including reconstruction checks and duplicate detection.
cluster/lock_test.go	Adds tests to ensure malformed share bindings are rejected with expected errors.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.