fed-sx-m2: Step 5b — pipeline:validate_inbound/3 + 14 tests

New federation inbound pipeline that runs envelope-shape -> peer
signature -> replay against the receiving actor's inbox log.

pipeline.erl additions:
  validate_inbound/3(Activity, PeerActorState, InboxLog)
      runs inbound_stages(PeerAS, InboxLog) and halts on first
      failure (existing run_stages/2 driver). Returns ok |
      {error, Reason}.
  inbound_stages/2(PeerAS, InboxLog)
      [stage_envelope, stage_signature(PeerAS), stage_replay(InboxLog)]

M1's validate_inbound/1 and the static inbound_stages/0 (envelope-
only) are preserved — outbox-side callers don't have to re-key on
a peer-AS they don't have.

Signature verification routes through the peer's actor-state
:public_keys (NOT the local kernel's actor-state). Peer-AS
resolution is the caller's responsibility for 5b; Step 5c wires
the peer-actors cache lookup.

14 cases in next/tests/inbox_pipeline.sh:
  - happy path: valid signed activity + correct peer AS + empty
    inbox -> ok
  - bad envelope shape -> {error, _} (stage_envelope rejects)
  - unsigned activity -> stage_envelope rejects on
    {missing_field, signature} before sig runs
  - wrong peer AS (peer's claimed key bytes differ from real) ->
    {error, bad_signature}
  - replay: inbox already contains the same activity -> {error, replay}
  - inbox with a different activity doesn't trigger replay
  - inbound_stages/2 returns exactly 3 stages
  - inbound_stages/0 still returns 1 stage
  - validate_inbound/1 still works
  - shape failure short-circuits before sig
  - sig failure short-circuits before replay
  - two distinct activities both verify against empty inbox
  - inbox-of-one doesn't replay the other

Conformance 761/761. 130/130 across 10 Step-5-adjacent suites
(pipeline_envelope, pipeline_signature, pipeline_replay,
pipeline_driver, inbox_pipeline, inbox_bucket, nx_kernel_multi,
bootstrap_start, http_publish, outbox_publish, smoke_app_pure).

next/kernel/pipeline.erl

@@ -1,7 +1,8 @@
 -module(pipeline).
 -export([run_stages/2,
-         validate_inbound/1, validate_outbound/1,
-         inbound_stages/0, outbound_stages/0,
+         validate_inbound/1, validate_inbound/3,
+         validate_outbound/1,
+         inbound_stages/0, inbound_stages/2, outbound_stages/0,
          stage_envelope/1,
          stage_signature/1, stage_signature/2,
          stage_replay/1, stage_replay/2,
@@ -34,12 +35,43 @@ run_stages(Activity, [Stage | Rest]) ->
 validate_inbound(Activity) ->
     run_stages(Activity, inbound_stages()).
 
+%% validate_inbound/3 — Step 5b federation inbound pipeline.
+%%
+%% Activity:      the signed envelope as received from the peer.
+%% PeerActorState: the peer's actor-state proplist carrying
+%%                 :public_keys for signature verification. Caller
+%%                 resolves this — for v2 it's either pre-populated
+%%                 from a peer-actors cache (Step 5c) or known from
+%%                 a two-instance test fixture.
+%% InboxLog:      the receiving actor's :actor_inbox log state.
+%%                Used by stage_replay to reject duplicate :id.
+%%
+%% Stages (per design §13.2 + §14):
+%%   stage_envelope                 — shape check
+%%   stage_signature(PeerAS)        — peer sig verify
+%%   stage_replay(InboxLog)         — replay defence against
+%%                                    receiving actor's inbox
+%%
+%% Returns ok | {error, Reason}. The driver halts on first failure.
+%% Audience / schema / capabilities / trust stages defer to v3.
+
+validate_inbound(Activity, PeerActorState, InboxLog) ->
+    run_stages(Activity, inbound_stages(PeerActorState, InboxLog)).
+
 validate_outbound(Activity) ->
     run_stages(Activity, outbound_stages()).
 
 inbound_stages() ->
     [fun (A) -> stage_envelope(A) end].
 
+%% inbound_stages/2 — the full ordered stage list for federation
+%% inbound (envelope -> peer sig -> replay against inbox).
+
+inbound_stages(PeerActorState, InboxLog) ->
+    [fun (A) -> stage_envelope(A) end,
+     stage_signature(PeerActorState),
+     stage_replay(InboxLog)].
+
 outbound_stages() ->
     [fun (A) -> stage_envelope(A) end].