host: Phase 2 — middleware (auth+ACL+error) + guarded POST /feed, 43/43

Composable handler->handler layers over Dream's primitives, with auth and
permission POLICY injected so the layer is policy-free and testable:

- middleware.sx: host/wrap-errors (JSON 500 via dream-catch-with),
  host/require-auth (bearer->principal via dream-bearer-token, JSON 401,
  injected token resolver), host/require-permission (lib/acl acl/permit? gate,
  JSON 403, injected resource extractor), host/pipeline (first = outermost)
- feed.sx: POST /feed via host/feed-write-routes — auth ∘ ACL(post,feed) ∘
  wrap-errors over host/feed-create (parse JSON body -> feed/post -> 201;
  non-object -> 400). Created activity reads back via GET /feed.
- middleware suite (9) + feed write tests (6 new); conformance preloads now
  include the Datalog engine + ACL subsystem + Dream auth/error.

ACL works with string atoms (no symbol coercion). Mute/prefs layer and sxtp.sx
deferred to the next tick.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/host/conformance.sh

@@ -22,28 +22,50 @@ fi
 VERBOSE="${1:-}"
 
 # Kernel + subsystem dependencies, then the host modules. Order matters:
-# stdlib/r7rs first, then the feed subsystem (the first migrated domain), then
-# Dream (types/json/router) the host builds on, then the host layer itself.
+# stdlib/r7rs first; the Datalog engine + ACL subsystem (authorisation); the feed
+# subsystem (the first migrated domain); Dream (types/json/auth/error/router) the
+# host builds on; then the host layer itself.
 MODULES=(
   "spec/stdlib.sx"
   "lib/r7rs.sx"
   "lib/apl/runtime.sx"
+  "lib/datalog/tokenizer.sx"
+  "lib/datalog/parser.sx"
+  "lib/datalog/unify.sx"
+  "lib/datalog/db.sx"
+  "lib/datalog/builtins.sx"
+  "lib/datalog/aggregates.sx"
+  "lib/datalog/strata.sx"
+  "lib/datalog/eval.sx"
+  "lib/datalog/api.sx"
+  "lib/datalog/magic.sx"
+  "lib/acl/schema.sx"
+  "lib/acl/facts.sx"
+  "lib/acl/engine.sx"
+  "lib/acl/explain.sx"
+  "lib/acl/audit.sx"
+  "lib/acl/federation.sx"
+  "lib/acl/api.sx"
   "lib/feed/normalize.sx"
   "lib/feed/stream.sx"
   "lib/feed/api.sx"
   "lib/dream/types.sx"
   "lib/dream/json.sx"
+  "lib/dream/auth.sx"
+  "lib/dream/error.sx"
   "lib/dream/router.sx"
   "lib/host/handler.sx"
+  "lib/host/middleware.sx"
   "lib/host/router.sx"
   "lib/host/feed.sx"
 )
 
 # Suites: NAME RUNNER-FN PATH
 SUITES=(
-  "handler  host-hd-tests-run!  lib/host/tests/handler.sx"
-  "router   host-rt-tests-run!  lib/host/tests/router.sx"
-  "feed     host-fd-tests-run!  lib/host/tests/feed.sx"
+  "handler     host-hd-tests-run!  lib/host/tests/handler.sx"
+  "middleware  host-mw-tests-run!  lib/host/tests/middleware.sx"
+  "router      host-rt-tests-run!  lib/host/tests/router.sx"
+  "feed        host-fd-tests-run!  lib/host/tests/feed.sx"
 )
 
 TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT