More fixes
+4
-4
@@ -183,7 +183,7 @@ Each contributing member Pᵢ (index `i` from the original DKG, shard `xᵢ`):
|
||||
|
||||
5. Computes Schnorr PoK of `λᵢ · xᵢ` (same construction as Protocol 1 Round 1, using `"frost/resharing/round1"` as domain tag)
|
||||
|
||||
6. Sends to all new members (m gift wraps, identical payload):
|
||||
6. Sends to **all other participants — every new member and every fellow contributor** (one gift wrap each, identical payload). New members consume Round 1 to verify and finalize; contributors must receive every contributor's Round 1 before sending Round 2, so a contributor who is rotated *out* of the new set (and therefore receives nothing addressed to "new members") still observes the complete contributing set and delivers its shard. It also lets contributors detect Round-1 equivocation among themselves.
|
||||
|
||||
```json
|
||||
{
|
||||
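Review bot: In the new step 6, the closing sentence claims the wider fan-out "lets contributors detect Round-1 equivocation among themselves", but the step names no check that does this. Each recipient gets its own gift wrap, so a contributor that sends different payloads to different recipients goes unnoticed unless the recipients compare what they received. Either state the comparison step (for example, contributors echoing a hash of each Round-1 payload they received before sending Round 2) or drop the claim. Two smaller points: the old line ended with a colon that introduced the JSON payload below it and the new text no longer does, and the rule that contributors wait for every contributor's Round 1 before sending Round 2 is a Round 2 precondition that would be easier to find if it were also stated in Round 2.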
@@ -245,9 +245,9 @@ Each new member Qⱼ, after receiving shares from all members of `S`:
|
||||
|
||||
4. BIP-340 normalization: `Y` is unchanged, so the same even-y convention applies. If `xᵢ` was negated during the original DKG finalization, `hᵢ(0) = λᵢ · xᵢ` already incorporates that negation. Qⱼ verifies against the same `Y` and does not re-negate.
|
||||
|
||||
5. Replaces stored quorum state with `(x'ⱼ, Y, Y'ⱼ, new_members, new_threshold, Round-1 commitments from this session)`.
|
||||
5. Replaces stored quorum state with `(x'ⱼ, Y, Y'ⱼ, new_members, new_threshold, this session's commitments)`. The stored commitment is the **group commitment** `G = Σᵢ∈S Dᵢ` (the coefficient-wise sum of the contributors' Round-1 commitments), not the per-contributor breakdown. The contributing set `S` rarely has the same size as the new member set, so a per-contributor list cannot be re-serialised as one `dkg_commit` tag per member without leaving empty tags (members added) or dropping commitments (members removed). Because every verifier only ever **sums over the commitment values** (`Σⱼ Σₖ i^k·Cⱼₖ` and `Σⱼ Cⱼ₀`), the single collapsed vector `G` reconstructs every member's verification share and the raw group key identically. On the next rotation it is carried in one non-empty `dkg_commit` tag (the remaining members' tags are empty and ignored).
|
||||
|
||||
6. Sends resharing confirmation (kind 7057) to all other n'−1 new members.
|
||||
6. Sends resharing confirmation (kind 7057) to **all other participants — every other new member and every contributor, including contributors rotated out of the new set**. A rotated-out contributor holds no new shard and never finalizes locally, so receiving the new members' confirmations is its only signal that the rotation succeeded (and how it records the rotation for chat gating).
|
||||
|
||||
### Resharing Confirmation (kind 7057)
|
||||
|
||||
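Review bot: The new step 5 says the group commitment is carried "in one non-empty `dkg_commit` tag" on the next rotation but does not say which member's tag that is, so two implementations can serialise the same state differently. Pin the position (or define a dedicated tag) and say what a reader does if it finds more than one non-empty tag after a resharing. The symbol `G` for `Σᵢ∈S Dᵢ` is also the usual name for the curve generator in BIP-340, which step 4 refers to, so another letter would avoid confusion. In the new step 6, a rotated-out contributor is told the confirmations are its only success signal, but not how many matching confirmations it needs before it records the rotation.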
@@ -383,7 +383,7 @@ Quorum state must be stored durably per-quorum:
|
||||
| `verification_share` | `Yⱼ` — public verification share for this member |
|
||||
| `members` | Current member pubkeys and indices |
|
||||
| `threshold` | Current signing threshold `t` |
|
||||
| `dkg_commitments` | All participants' Round-1 commitments from the most recent DKG or resharing session |
|
||||
| `dkg_commitments` | The commitments that define the current sharing: after a DKG, all participants' Round-1 commitments (one per member); after a resharing, the single **group commitment** `Σᵢ∈S Dᵢ` (see Key Redistribution Finalization step 5) |
|
||||
| `rotation_records` | Ordered list of completed rotation sessions, each stored as the quorum's kind 7057 confirmation set (all `t'` matching confirmations) |
|
||||
|
||||
`dkg_commitments` are retained permanently because they are required to verify shard authenticity during resharing (step 4 of the Key Redistribution Round 1).
|
||||
|
||||
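Review bot: The new `dkg_commitments` row allows two shapes (one commitment per member after a DKG, a single group commitment after a resharing) without saying how code that reads stored state tells them apart. State the discriminator, for instance a field recording which kind of session produced the value. The unchanged sentence below the table still justifies retention by shard verification during resharing; a short clause there saying the summed form is sufficient for that check would keep it consistent with the new row.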