fed-sx-m2: Step 5a — per-actor :actor_inbox log bucket + 14 tests

Adds the receiving-side log bucket every actor needs. add_actor/4
now opens a fresh in-memory log via log:open(ActorId, inbox_base_stub())
and stores it on the bucket as {actor_inbox, LogState} alongside
the outbox {log, _}. Two distinct base stubs ensure the in-memory
log module returns separate states even when the same ActorId is
the actor.

Pure-functional exports:
  actor_inbox_state/2(ActorId, State) -> {ok, LogState} | {error, _}
  actor_inbox_tip/2(ActorId, State) -> integer | nil
  append_to_actor_inbox/3(ActorId, Activity, State)
      -> {ok, NewTip, NewState} | {error, no_actor, State}

gen_server exports (mirror the outbox shape):
  inbox_tip_for/1(ActorId) -> integer | nil
  inbox_state_for/1(ActorId) -> {ok, LogState} | {error, _}
  append_inbox/2(ActorId, Activity) -> {ok, NewTip} | {error, _}

handle_call dispatch added for all three.

Inbox and outbox tips are completely independent — appending to one
doesn't touch the other. This is the storage primitive 5b will
build the inbound validation pipeline on top of.

log:append/2 signature noted in code + progress log: it takes
(LogState, Activity) and returns {ok, NewState, Seq} — not
{ok, NewState} as I originally guessed.

next/tests/inbox_bucket.sh 14/14:
  - fresh inbox tip = 0 (pure)
  - actor_inbox_state {ok, _} (pure)
  - append_to_actor_inbox/3 -> {ok, 1, _}
  - tip advances after append
  - unknown actor -> {error, no_actor, _}
  - outbox + inbox tips fully independent
  - two actors maintain independent inbox state
  - gen_server inbox_tip_for/1 starts at 0
  - gen_server append_inbox/2 -> {ok, 1}
  - gen_server inbox != outbox tip
  - gen_server unknown -> {error, no_actor}
  - gen_server inbox_state_for {ok, _}
  - two appends -> tip = 2

Conformance 761/761. 125/125 across 7 Step-5-adjacent suites
(inbox_bucket, nx_kernel_multi, nx_kernel_server, bootstrap_start,
http_publish, http_multi_actor, actor_lifecycle, smoke_app_pure).

plans/fed-sx-milestone-2.md

@@ -334,24 +334,33 @@ actor *received*), and broadcasts to projections.
 
 **Deliverables:**
 
-- New per-actor log: `actor_inbox`. Same shape as outbox; activities
-  marked `:received_from => PeerActorId`.
-- Inbound pipeline: `stage_envelope` → `stage_signature` (against
-  peer's actor-state, not local) → `stage_replay`.
-- Peer signature verification needs `:public_keys` from the peer's
-  actor-state. v2 fetches the peer's actor doc lazily on first
-  contact, caches it in a `peer-actors` projection. Stale-key
-  invalidation deferred to v3.
-- HTTP handler: `POST /actors/<id>/inbox` returns 202 on accept,
-  401 on bad sig, 422 on replay or validation failure.
-
-**Tests:**
-
-- POST /inbox with valid signed activity → 202, activity in inbox log.
-- POST /inbox with tampered envelope → 401.
-- POST /inbox with unknown actor target → 404.
-- POST /inbox with replay → 422.
-- Activity broadcast to receiving actor's projections.
+- [x] **5a** — Per-actor `:actor_inbox` log bucket in nx_kernel.
+  `add_actor/4` now opens a fresh inbox log (distinct base stub) for
+  each new actor; the bucket carries `[..., {actor_inbox, LogState}, ...]`
+  alongside the existing `:log` outbox field. Pure-functional
+  exports: `actor_inbox_state/2`, `actor_inbox_tip/2`,
+  `append_to_actor_inbox/3`. gen_server exports: `inbox_tip_for/1`,
+  `inbox_state_for/1`, `append_inbox/2`. Inbox and outbox tips are
+  fully independent (appending to one doesn't touch the other).
+  `next/tests/inbox_bucket.sh` 14/14. Signature verification +
+  pipeline gating live in 5b.
+- [ ] **5b** — Inbound validation pipeline:
+  `pipeline:validate_inbound/2(Activity, PeerActorState)` runs
+  `stage_envelope` → `stage_signature(PeerAS)` → `stage_replay(InboxLog)`.
+  Sig verification uses the peer's actor-state `:public_keys`, NOT
+  the local kernel's. Peer-AS resolution is the caller's
+  responsibility for 5b (5c wires the cache lookup).
+- [ ] **5c** — Peer-actors cache projection (`peer_actors.erl`):
+  on first inbound from a new peer, fetches the peer's actor doc
+  and caches the public-keys. v2: synchronous fetch via the
+  http-client native primitive. Per design §13.6, stale-key
+  invalidation is v3.
+- [ ] **5d** — http_server inbox handler wires the chain:
+  `POST /actors/<id>/inbox` body is the signed activity wire bytes;
+  parse → resolve peer-AS → `validate_inbound` → `append_inbox` →
+  202 on accept, 401 on bad sig, 422 on replay/shape failure,
+  404 on unknown target actor. Activity broadcast to receiving
+  actor's projections (via `projection:async_fold`).
 
 **Acceptance:** `bash next/tests/inbox.sh` passes 16+ cases.
 
@@ -761,6 +770,21 @@ proceed.
 
 Newest first.
 
+- **2026-06-06** — Step 5a: per-actor :actor_inbox log bucket.
+  `nx_kernel.erl` `add_actor/4` now opens a fresh log via
+  `log:open/2` with a distinct `inbox_base_stub()` for each new
+  bucket and stores it as `{actor_inbox, LogState}` alongside the
+  existing outbox `:log`. Pure exports `actor_inbox_state/2`,
+  `actor_inbox_tip/2`, `append_to_actor_inbox/3` + gen_server
+  exports `inbox_tip_for/1`, `inbox_state_for/1`, `append_inbox/2`.
+  `log:append/2` is `(LogState, Activity) -> {ok, NewState, Seq}` —
+  noted for future iterations. Inbox / outbox tips are fully
+  independent. `next/tests/inbox_bucket.sh` 14/14. Conformance
+  761/761. 125/125 across 7 Step-5-adjacent suites
+  (inbox_bucket, nx_kernel_multi, nx_kernel_server,
+  bootstrap_start, http_publish, http_multi_actor, actor_lifecycle,
+  smoke_app_pure).
+
 - **2026-06-06** — Step 4d: per-actor outbox listing + pagination.
   New `nx_kernel:log_state_for/1` gen_server export returns
   `{ok, LogState}` for an actor. `actor_outbox_response_for/3`