fed-prims: Phase F — RSA-SHA256 PKCS#1 v1.5 verify, pure OCaml, RSA-2048 vector

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

plans/fed-sx-host-primitives.md

@@ -115,7 +115,7 @@ check** → tests → commit → tick box → Progress-log line → push.
 - **Acceptance:** all RFC 8032 vectors pass; WASM links. Satisfies fed-sx Step 2
   (Ed25519 sig-suite).
 
-### Phase F — RSA-SHA256 verify (PKCS#1 v1.5), pure OCaml
+### Phase F — RSA-SHA256 verify (PKCS#1 v1.5), pure OCaml ✅ DONE
 - Minimal pure-OCaml bignum (only need modexp + DER parse). Parse SPKI DER →
   (n, e). RSASSA-PKCS1-v1_5 verify with SHA-256 (Phase A).
 - Primitive `rsa-sha256-verify (der-spki msg sig) -> bool`.
@@ -205,6 +205,14 @@ printf '(epoch 1)\n(crypto-sha256 "abc")\n' | \
 
 _Newest first._
 
+- 2026-05-18 — Phase F: pure-OCaml `lib/sx_rsa.ml` (self-contained
+  bignum modexp, minimal DER SPKI reader, RFC 8017 §8.2.2 PKCS#1
+  v1.5 verify with SHA-256 DigestInfo prefix). Primitive
+  `rsa-sha256-verify` total. 5 tests on a fixed RSA-2048 vector
+  (one-off python-cryptography keygen, hardcoded): valid, tampered
+  msg/sig, garbage SPKI, non-string. WASM boot green with new lib
+  module; Erlang 530/530; run_tests +5. Satisfies fed-sx Step 2
+  (rsa-sha256-2018 sig-suite).
 - 2026-05-18 — Phase E: pure-OCaml `lib/sx_ed25519.ml` (minimal
   base-2^26 bignum, edwards25519 extended-coord points, RFC 8032
   §5.1.7 cofactorless verify reusing Phase-A sha512). Primitive