From b7f7915c2aaac15acb86bc50a40c691d1cc86a09 Mon Sep 17 00:00:00 2001
From: giles
Date: Thu, 28 May 2026 03:36:25 +0000
Subject: [PATCH] =?UTF-8?q?fed-sx-m1:=20Step=206b-sig=20=E2=80=94=20pipeli?=
 =?UTF-8?q?ne:stage=5Fsignature/1,/2=20(factory=20+=20direct)=20+=2011=20t?=
 =?UTF-8?q?ests?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 next/kernel/pipeline.erl | 17 ++++-
 next/tests/pipeline_signature.sh | 122 +++++++++++++++++++++++++++++++
 plans/fed-sx-milestone-1.md | 3 +-
 3 files changed, 140 insertions(+), 2 deletions(-)
 create mode 100755 next/tests/pipeline_signature.sh

diff --git a/next/kernel/pipeline.erl b/next/kernel/pipeline.erl
index becd9588..78aee792 100644
--- a/next/kernel/pipeline.erl
+++ b/next/kernel/pipeline.erl
@@ -2,7 +2,8 @@
 -export([run_stages/2, validate_inbound/1, validate_outbound/1,
 inbound_stages/0, outbound_stages/0,
- stage_envelope/1]).
+ stage_envelope/1,
+ stage_signature/1, stage_signature/2]).
 %% Validation pipeline per design §14.
 %%
@@ -47,3 +48,17 @@ outbound_stages() ->
 %% that, so delegation is direct.
 stage_envelope(Activity) ->
 envelope:validate_shape(Activity).
+
+%% stage_signature/2 — direct (Activity, ActorState) check. Wraps
+%% envelope:verify_signature/2 from Step 2c. Useful for tests and
+%% for callers that already have ActorState in scope.
+stage_signature(Activity, ActorState) ->
+ envelope:verify_signature(Activity, ActorState).
+
+%% stage_signature/1 — factory: takes the ActorState and returns a
+%% 1-arity stage fun the pipeline driver can fold. This is how
+%% signature checking gets composed into a stage list at runtime
+%% (the static `inbound_stages/0` list omits it precisely because
+%% ActorState isn't available at static-list build time).
+stage_signature(ActorState) ->
+ fun (Activity) -> envelope:verify_signature(Activity, ActorState) end.
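Review bot: The fun returned by `stage_signature/1` closes over the `ActorState` passed at construction, so a stage list that is built once and reused keeps verifying against that snapshot of `public_keys`; a key revoked or rotated after the list was built is still accepted until the caller rebuilds it. The comment above the factory explains why it is absent from `inbound_stages/0` but not this lifetime caveat, and callers composing `Stages = [..., pipeline:stage_signature(AS)]` will naturally cache the list unless told otherwise — I would add `%% The returned fun pins this ActorState: build it per request (or after any key change); do not cache it across requests.` Neither new export carries a `-spec`; from the tests the shapes are `-spec stage_signature(term(), term()) -> ok | {error, term()}.` and `-spec stage_signature(term()) -> fun((term()) -> ok | {error, term()}).`, to be tightened once `envelope` exports its types. Whether `envelope:verify_signature/2` itself checks a key's `created` against the activity's `published` is not visible in this hunk.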
diff --git a/next/tests/pipeline_signature.sh b/next/tests/pipeline_signature.sh
new file mode 100755
index 00000000..db470e8b
--- /dev/null
+++ b/next/tests/pipeline_signature.sh
@@ -0,0 +1,122 @@ +#!/usr/bin/env bash +# next/tests/pipeline_signature.sh — Step 6b-sig acceptance test. +# +# Exercises pipeline:stage_signature/2 (direct) and stage_signature/1 +# (factory). The factory returns a 1-arity stage fun bound to the +# given actor-state so it can be folded into a stage list by the +# pipeline driver alongside stage_envelope. 10 cases. + +set -uo pipefail +cd "$(git rev-parse --show-toplevel)" + +SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}" +if [ ! -x "$SX_SERVER" ]; then + SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe" +fi +if [ ! -x "$SX_SERVER" ]; then + echo "ERROR: sx_server.exe not found." >&2 + exit 1 +fi + +VERBOSE="${1:-}" +PASS=0; FAIL=0; ERRORS="" +TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT + +# Shared Erlang prelude builds a valid signed envelope + actor +# state — same shape as next/tests/envelope_sig.sh from Step 2c. +PRELUDE='KM = <<1,2,3,4>>, U = [{actor,alice},{id,1},{published,100},{type,create}], CB = envelope:canonical_bytes(U), Sig = crypto:hash(sha256, <>), Env = [{actor,alice},{id,1},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], AS = [{public_keys, [[{id,k1},{created,50},{value,KM}]]}],' + +cat > "$TMPFILE" < no_signature +(epoch 12) +(eval "(get (erlang-eval-ast \"${PRELUDE} pipeline:stage_signature(U, AS) =:= {error,no_signature}\") :name)") + +;; stage_signature/1 returns a function +(epoch 13) +(eval "(get (erlang-eval-ast \"is_function(pipeline:stage_signature([{public_keys, []}]))\") :name)") + +;; stage_signature/1 factory: built stage returns ok on valid input +(epoch 14) +(eval "(get (erlang-eval-ast \"${PRELUDE} Stage = pipeline:stage_signature(AS), Stage(Env) =:= ok\") :name)") + +;; stage_signature/1 factory: built stage returns error on tampered input +(epoch 15) +(eval "(get (erlang-eval-ast \"${PRELUDE} Stage = pipeline:stage_signature(AS), Tampered = 
[{actor,alice},{id,999},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], Stage(Tampered) =:= {error,bad_signature}\") :name)")
+
+;; Composable: envelope + signature stages folded together via run_stages
+(epoch 16)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Stages = [fun (A) -> pipeline:stage_envelope(A) end, pipeline:stage_signature(AS)], pipeline:run_stages(Env, Stages) =:= ok\") :name)")
+
+;; Composable + halt: envelope stage fails first, signature never runs
+(epoch 17)
+(eval "(get (erlang-eval-ast \"${PRELUDE} BadShape = [{type,create}], Stages = [fun (A) -> pipeline:stage_envelope(A) end, pipeline:stage_signature(AS)], case pipeline:run_stages(BadShape, Stages) of {error, {missing_field, _}} -> ok; _ -> bad end\") :name)")
+
+;; Composable + halt: envelope OK, signature fails -> sig error surfaces
+(epoch 18)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Tampered = [{actor,alice},{id,999},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], Stages = [fun (A) -> pipeline:stage_envelope(A) end, pipeline:stage_signature(AS)], pipeline:run_stages(Tampered, Stages) =:= {error,bad_signature}\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 180 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+ local epoch="$1" desc="$2" expected="$3"
+ local actual
+ actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+ $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+ $0 ~ "^\\(ok " e " " { print; exit }
+ $0 ~ "^\\(error " e " " { print; exit }
+ ')
+ [ -z "$actual" ] && actual=""
+ if echo "$actual" | grep -qF -- "$expected"; then
+ PASS=$((PASS+1))
+ [ "$VERBOSE" = "-v" ] && echo " ok $desc"
+ else
+ FAIL=$((FAIL+1))
+ ERRORS+=" FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+ fi
+}
+
+check 2 "envelope module loaded" "envelope"
+check 3 "pipeline module loaded" "pipeline"
+check 10 "stage_signature/2 valid -> ok" "true"
+check 11 "stage_signature/2 tampered" "true"
+check 12 
"stage_signature/2 no sig" "true"
+check 13 "stage_signature/1 returns fun" "true"
+check 14 "factory stage valid -> ok" "true"
+check 15 "factory stage tampered" "true"
+check 16 "envelope+sig composed ok" "true"
+check 17 "halt on envelope before sig" "ok"
+check 18 "sig error after envelope ok" "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+ echo "ok $PASS/$TOTAL next/tests/pipeline_signature.sh passed"
+else
+ echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+ echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]
diff --git a/plans/fed-sx-milestone-1.md b/plans/fed-sx-milestone-1.md
index fd062357..fd4e25bf 100644
--- a/plans/fed-sx-milestone-1.md
+++ b/plans/fed-sx-milestone-1.md
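Review bot: The factory stage is never exercised with an `ActorState` that lacks the referenced key — epochs 12–18 cover only a missing signature and a tampered body — so a `verify_signature/2` that fell through to `ok` when `k1` is absent from `public_keys` would still pass this suite. I would add, before `EPOCHS`, `(epoch 19)` / `(eval "(get (erlang-eval-ast \"${PRELUDE} Stage = pipeline:stage_signature([{public_keys, []}]), case Stage(Env) of {error, _} -> ok; _ -> bad end\") :name)")` / `check 19 "factory stage rejects unknown key" "ok"`. The header comment still says `10 cases` while eleven `check` calls run (2, 3, 10–18); `11 cases.` matches the commit title. `[ -z "$actual" ] && actual=""` assigns what is already there and can be dropped. The fixture labels a `crypto:hash(sha256, …)` value as `ed25519` (its input was lost in extraction here); if that is what `envelope:verify_signature/2` recomputes from the published key material, the key is effectively a shared secret, which deserves a `# Step 2c placeholder, not a real signature` note on `PRELUDE`.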
@@ -388,7 +388,7 @@ projection fold maintains it.)
 **Sub-deliverables:**
 - [x] **6a** — `pipeline:run_stages/2` driver — pure fold over a stage list of `(Activity) -> ok | {error, R}` funs, halts on first failure. `validate_inbound/1` + `validate_outbound/1` + `inbound_stages/0` + `outbound_stages/0` (empty lists for now). `next/tests/pipeline_driver.sh` (10 cases).
 - [x] **6b-env** — `pipeline:stage_envelope/1` delegating to `envelope:validate_shape/1`; wired into both `inbound_stages` and `outbound_stages`. `next/tests/pipeline_envelope.sh` (12 cases); pipeline_driver.sh updated to test the driver in isolation.
-- [ ] **6b-sig** — `pipeline:stage_signature/2` taking actor-state context, delegating to `envelope:verify_signature/2`. Needs a runtime-context shape since the driver only passes the activity.
+- [x] **6b-sig** — `pipeline:stage_signature/2` (direct call) + `stage_signature/1` (factory returning a context-bound stage fun). Not wired into default stage lists since ActorState isn't available at static-list build time; callers compose by `Stages = [..., pipeline:stage_signature(AS)]`. `next/tests/pipeline_signature.sh` (11 cases) covers direct + factory + composition + halt behaviour with stage_envelope.
 - [ ] **6c** — `stage_replay/1` (checks the log for existing activity id), `stage_activity_schema/1` (registry lookup + schema body eval is deferred — placeholder)
 - [ ] **6d** — `outbox:publish/2`: envelope construction, sign, validate_outbound, log:append, returns `{ok, #{cid, ap_id}}`
 - [ ] **6e** — HTTP handler for POST /activity glue (depends on Step 8 http server)
@@ -969,6 +969,7 @@ A few things still under-specified; resolve as work begins. Newest first. One line per sub-deliverable commit. Erlang conformance gate (`bash lib/erlang/conformance.sh`) must remain 729/729 on every entry. +- **2026-05-28** — Step 6b-sig: `pipeline:stage_signature/2` direct call + `stage_signature/1` factory returning a context-bound stage fun closed over ActorState. Not wired into the default `inbound_stages`/`outbound_stages` lists because actor state isn't a static-build-time value; callers prepend the factory result to a stage list (`Stages = [stage_envelope, pipeline:stage_signature(AS)]`). `next/tests/pipeline_signature.sh` 11/11 covers direct + factory + composition with stage_envelope (including halt ordering: bad envelope halts before sig; good envelope + bad sig surfaces sig error). Erlang conformance 729/729. - **2026-05-28** — Step 6b-env: `pipeline:stage_envelope/1` wraps `envelope:validate_shape/1`; wired into both `inbound_stages` and `outbound_stages` lists. `validate_inbound`/`validate_outbound` now exercises the full envelope shape contract end-to-end (missing fields, signature sub-shape, non-list input). `next/tests/pipeline_envelope.sh` 12/12; `pipeline_driver.sh` refactored to test the driver against explicit stage lists rather than depending on the now-non-empty defaults. Split 6b in the plan into 6b-env (done) + 6b-sig (needs runtime context for actor-state). Erlang conformance 729/729. - **2026-05-28** — Step 6a: `next/kernel/pipeline.erl` — validation pipeline driver per design §14. `run_stages/2` is a pure fold over `(Activity) -> ok | {error, R}` funs, halting on first failure. Halt verified by inserting a post-error stage that would set a contradictory tag if it ran. `validate_inbound/1` + `validate_outbound/1` wrappers; concrete stage lists are empty (6b wires `stage_envelope`/`stage_signature`). Port quirk: `Pattern = Var` match-alias syntax unsupported — split into separate `Result = X, case Result of ...`. 
`next/tests/pipeline_driver.sh` 10/10. Step 6 broken into 6a–6e on the plan. Erlang conformance 729/729. - **2026-05-28** — Step 5b: `registry.erl` extended with gen_server callbacks + named-process API. `start_link/0` spawns the worker, registers it under the literal `registry` atom, returns the Pid (port returns raw Pid not `{ok, Pid}` — diverges from OTP). 3-arity `register`, 2-arity `lookup`, 1-arity `list` delegate to the pure /4 and /3 functions inside handle_call. Port note documented: `?MODULE` macro unsupported; tests must inline start_link with operations since spawned processes don't persist across separate `erlang-eval-ast` calls. `next/tests/registry_server.sh` 12/12. Erlang conformance 729/729.