fed-sx-m1: Step 4b-cod — 8 bootstrap codecs/sig-suites/audience files + manifest complete + 14 new parse tests (50 total)

2026-05-27 23:21:20 +00:00
parent 5d7b167a93
commit ae5df5cfa1
11 changed files with 144 additions and 5 deletions
--- a/next/genesis/audience/direct.sx
+++ b/next/genesis/audience/direct.sx
@@ -0,0 +1,14 @@
+;; next/genesis/audience/direct.sx
+;;
+;; Direct audience: an actor is a member iff they are
+;; explicitly named in the activity's :to or :cc lists. No
+;; group expansion — true direct addressing only.
+
+(DefineAudience
+  :name "Direct"
+  :doc "Direct-addressing predicate. Tests literal membership\n        in the activity's :to or :cc."
+  :member-of (fn
+    (actor audience)
+    (or
+      (member? actor (-> audience :to))
+      (member? actor (-> audience :cc)))))
--- a/next/genesis/audience/followers.sx
+++ b/next/genesis/audience/followers.sx
@@ -0,0 +1,14 @@
+;; next/genesis/audience/followers.sx
+;;
+;; Followers audience: an actor is a member iff they appear in
+;; the audience-owner's :followers set in the audience-graph
+;; projection. Federation (m2) wires this to peer delivery.
+
+(DefineAudience
+  :name "Followers"
+  :doc "Followers-of-owner predicate. Looks up the\n        audience-graph projection's :followers list for the\n        audience owner and tests membership."
+  :member-of (fn
+    (actor audience)
+    (member?
+      actor
+      (-> (get-projection :audience-graph) (-> audience :owner) :followers))))
--- a/next/genesis/audience/public.sx
+++ b/next/genesis/audience/public.sx
@@ -0,0 +1,9 @@
+;; next/genesis/audience/public.sx
+;;
+;; Public audience: every actor is a member. Maps to the AP
+;; magic id `https://www.w3.org/ns/activitystreams#Public`.
+
+(DefineAudience
+  :name "Public"
+  :doc "Public audience predicate. Always returns true — every\n        actor on the network is considered a member."
+  :member-of (fn (actor audience) true))
--- a/next/genesis/codecs/dag-cbor.sx
+++ b/next/genesis/codecs/dag-cbor.sx
@@ -0,0 +1,13 @@
+;; next/genesis/codecs/dag-cbor.sx
+;;
+;; Canonical CBOR encoding per IPLD dag-cbor. Used to compute
+;; envelope canonical bytes for signature coverage and to serialise
+;; the genesis bundle itself. In Erlang-on-SX mode the kernel
+;; dispatches to the host cid:to_string substrate (Step 1b) when
+;; this codec is requested.
+
+(DefineCodec
+  :name "dag-cbor"
+  :doc "Deterministic CBOR with dag-cbor restrictions: sorted\n        map keys, no floats unless required, no indefinite-length\n        items. The canonical wire format for fed-sx artifacts."
+  :encode (fn (term) (host-codec :dag-cbor :encode term))
+  :decode (fn (bytes) (host-codec :dag-cbor :decode bytes)))
--- a/next/genesis/codecs/dag-json.sx
+++ b/next/genesis/codecs/dag-json.sx
@@ -0,0 +1,12 @@
+;; next/genesis/codecs/dag-json.sx
+;;
+;; JSON encoding with dag-json restrictions per IPLD: sorted map
+;; keys, no NaN / Infinity, no comments, CIDs as `{"/": "..."}`.
+;; Used as the human-readable wire format for ActivityPub interop
+;; (JSON-LD over dag-json).
+
+(DefineCodec
+  :name "dag-json"
+  :doc "Deterministic JSON with dag-json restrictions. Sorted\n        keys, CIDs as the {\"/\": \"...\"} object. Used by the\n        HTTP server (Step 8) for application/json responses."
+  :encode (fn (term) (host-codec :dag-json :encode term))
+  :decode (fn (bytes) (host-codec :dag-json :decode bytes)))
--- a/next/genesis/codecs/raw.sx
+++ b/next/genesis/codecs/raw.sx
@@ -0,0 +1,12 @@
+;; next/genesis/codecs/raw.sx
+;;
+;; Identity codec — input bytes pass through unchanged in both
+;; directions. Used for already-encoded payloads and for binary
+;; artifacts (images, archives) whose CID is computed over the
+;; raw bytes directly.
+
+(DefineCodec
+  :name "raw"
+  :doc "Identity codec. The CID's multicodec byte is 0x55.\n        :encode and :decode return their input unchanged."
+  :encode (fn (bytes) bytes)
+  :decode (fn (bytes) bytes))
--- a/next/genesis/manifest.sx
+++ b/next/genesis/manifest.sx
@@ -41,6 +41,6 @@
  :validators ("validators/envelope-shape.sx"
    "validators/signature.sx"
    "validators/type-schema.sx")
-  :codecs ()
-  :sig-suites ()
-  :audience ())
+  :codecs ("codecs/dag-cbor.sx" "codecs/raw.sx" "codecs/dag-json.sx")
+  :sig-suites ("sig-suites/rsa-sha256-2018.sx" "sig-suites/ed25519-2020.sx")
+  :audience ("audience/public.sx" "audience/followers.sx" "audience/direct.sx"))
--- a/next/genesis/sig-suites/ed25519-2020.sx
+++ b/next/genesis/sig-suites/ed25519-2020.sx
@@ -0,0 +1,11 @@
+;; next/genesis/sig-suites/ed25519-2020.sx
+;;
+;; W3C Verifiable Credential signature suite — Ed25519 over
+;; canonical bytes, key material in multibase. Default suite
+;; for fed-sx actors per design §9.
+
+(DefineSigSuite
+  :name "ed25519-2020"
+  :doc "Ed25519 verification. Key carries publicKeyMultibase.\n        :verify takes canonical-bytes + signature + key and\n        returns bool. Real verification deferred to m2 once\n        crypto:verify_ed25519/3 BIF lands; v1 stand-in returns\n        false to defer all Ed25519-signed activities."
+  :verify (fn (canonical-bytes signature key) false)
+  :key-format (fn (key-doc) (string? (-> key-doc :publicKeyMultibase))))
--- a/next/genesis/sig-suites/rsa-sha256-2018.sx
+++ b/next/genesis/sig-suites/rsa-sha256-2018.sx
@@ -0,0 +1,11 @@
+;; next/genesis/sig-suites/rsa-sha256-2018.sx
+;;
+;; W3C Verifiable Credential signature suite — RSA-SHA256 over
+;; canonical bytes, key material in PEM. Compatible with
+;; Mastodon's HTTP-Signatures / Linked-Data-Signatures-2017.
+
+(DefineSigSuite
+  :name "rsa-sha256-2018"
+  :doc "RSA-SHA256 verification. Key carries publicKeyPem.\n        :verify takes canonical-bytes + signature + key and\n        returns bool. Real verification deferred to m2 once\n        crypto:verify_rsa/3 BIF lands; v1 stand-in returns\n        false to defer all RSA-signed activities."
+  :verify (fn (canonical-bytes signature key) false)
+  :key-format (fn (key-doc) (string? (-> key-doc :publicKeyPem))))
--- a/next/tests/genesis_parse.sh
+++ b/next/tests/genesis_parse.sh
@@ -3,7 +3,7 @@
 #
 # Confirms the seed genesis SX files parse cleanly and have the
 # expected top-level head form. The bundler (Step 4c+) consumes
-# these forms directly as data. 36 cases.
+# these forms directly as data. 50 cases.

 set -uo pipefail
 cd "$(git rev-parse --show-toplevel)"
@@ -94,6 +94,34 @@ cat > "$TMPFILE" <<'EPOCHS'
 (eval "(get (apply dict (rest (parse (file-read \"next/genesis/validators/type-schema.sx\")))) :name)")
 (epoch 64)
 (eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :validators))")
+(epoch 70)
+(eval "(first (parse (file-read \"next/genesis/codecs/dag-cbor.sx\")))")
+(epoch 71)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/dag-cbor.sx\")))) :name)")
+(epoch 72)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/raw.sx\")))) :name)")
+(epoch 73)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/dag-json.sx\")))) :name)")
+(epoch 74)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :codecs))")
+(epoch 80)
+(eval "(first (parse (file-read \"next/genesis/sig-suites/rsa-sha256-2018.sx\")))")
+(epoch 81)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/sig-suites/rsa-sha256-2018.sx\")))) :name)")
+(epoch 82)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/sig-suites/ed25519-2020.sx\")))) :name)")
+(epoch 83)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :sig-suites))")
+(epoch 90)
+(eval "(first (parse (file-read \"next/genesis/audience/public.sx\")))")
+(epoch 91)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/public.sx\")))) :name)")
+(epoch 92)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/followers.sx\")))) :name)")
+(epoch 93)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/direct.sx\")))) :name)")
+(epoch 94)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :audience))")
 EPOCHS

 OUTPUT=$(timeout 30 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
@@ -153,6 +181,20 @@ check 61 "envelope-shape.sx name"       "envelope-shape"
 check 62 "signature.sx name"            "signature"
 check 63 "type-schema.sx name"          "type-schema"
 check 64 "manifest has 3 validators"    "3"
+check 70 "dag-cbor.sx head form"        "DefineCodec"
+check 71 "dag-cbor.sx name"             "dag-cbor"
+check 72 "raw.sx name"                  "raw"
+check 73 "dag-json.sx name"             "dag-json"
+check 74 "manifest has 3 codecs"        "3"
+check 80 "rsa-sha256-2018.sx head form" "DefineSigSuite"
+check 81 "rsa-sha256-2018.sx name"      "rsa-sha256-2018"
+check 82 "ed25519-2020.sx name"         "ed25519-2020"
+check 83 "manifest has 2 sig-suites"    "2"
+check 90 "public.sx head form"          "DefineAudience"
+check 91 "public.sx name"               "Public"
+check 92 "followers.sx name"            "Followers"
+check 93 "direct.sx name"               "Direct"
+check 94 "manifest has 3 audience"      "3"

 TOTAL=$((PASS+FAIL))
 if [ $FAIL -eq 0 ]; then