identity: "disconnect app" — revoke_app(Subject, Client) (+4 tests)

identity_tokens:revoke_app(Subject, Client) revokes every grant a subject
holds for one client at once (audited one revoke per grant), exposed at the
facade as identity:revoke_app. The action counterpart to the grants view —
completing the account-security view+action pairs (sessions/logout_all,
grants/revoke_app, history). Other subjects' same-client grants are
untouched. account 11/11, 233/233.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/apl/conformance.conf

@@ -0,0 +1,63 @@
+# APL conformance config — sourced by lib/guest/conformance.sh.
+
+LANG_NAME=apl
+MODE=counters
+COUNTERS_PASS=apl-test-pass
+COUNTERS_FAIL=apl-test-fail
+TIMEOUT_PER_SUITE=300
+
+PRELOADS=(
+  spec/stdlib.sx
+  lib/r7rs.sx
+  lib/apl/runtime.sx
+  lib/apl/tokenizer.sx
+  lib/apl/parser.sx
+  lib/apl/transpile.sx
+  lib/apl/test-harness.sx
+)
+
+SUITES=(
+  "structural:lib/apl/tests/structural.sx"
+  "operators:lib/apl/tests/operators.sx"
+  "dfn:lib/apl/tests/dfn.sx"
+  "tradfn:lib/apl/tests/tradfn.sx"
+  "valence:lib/apl/tests/valence.sx"
+  "programs:lib/apl/tests/programs.sx"
+  "system:lib/apl/tests/system.sx"
+  "idioms:lib/apl/tests/idioms.sx"
+  "eval-ops:lib/apl/tests/eval-ops.sx"
+  "pipeline:lib/apl/tests/pipeline.sx"
+)
+
+emit_scoreboard_json() {
+  local n=${#GC_NAMES[@]} i sep
+  printf '{\n'
+  printf '  "suites": {\n'
+  for ((i=0; i<n; i++)); do
+    sep=","; [ $i -eq $((n-1)) ] && sep=""
+    printf '    "%s": {"pass": %d, "fail": %d}%s\n' \
+      "${GC_NAMES[$i]}" "${GC_PASS[$i]}" "${GC_FAIL[$i]}" "$sep"
+  done
+  printf '  },\n'
+  printf '  "total_pass": %d,\n' "$GC_TOTAL_PASS"
+  printf '  "total_fail": %d,\n' "$GC_TOTAL_FAIL"
+  printf '  "total": %d\n' "$GC_TOTAL"
+  printf '}\n'
+}
+
+emit_scoreboard_md() {
+  local n=${#GC_NAMES[@]} i
+  printf '# APL Conformance Scoreboard\n\n'
+  printf '_Generated by `lib/apl/conformance.sh`_\n\n'
+  printf '| Suite | Pass | Fail | Total |\n'
+  printf '|-------|-----:|-----:|------:|\n'
+  for ((i=0; i<n; i++)); do
+    printf '| %s | %d | %d | %d |\n' \
+      "${GC_NAMES[$i]}" "${GC_PASS[$i]}" "${GC_FAIL[$i]}" "${GC_TOTAL_S[$i]}"
+  done
+  printf '| **Total** | **%d** | **%d** | **%d** |\n' "$GC_TOTAL_PASS" "$GC_TOTAL_FAIL" "$GC_TOTAL"
+  printf '\n'
+  printf '## Notes\n\n'
+  printf '%s\n' '- Suites use the standard `apl-test name got expected` framework loaded against `lib/apl/runtime.sx` + `lib/apl/transpile.sx`.'
+  printf '%s\n' '- `lib/apl/tests/parse.sx` and `lib/apl/tests/scalar.sx` use their own self-contained frameworks and are excluded from this scoreboard.'
+}

lib/apl/conformance.sh

@@ -1,116 +1,5 @@
 #!/usr/bin/env bash
-# lib/apl/conformance.sh — run APL test suites, emit scoreboard.json + scoreboard.md.
-
-set -uo pipefail
-cd "$(git rev-parse --show-toplevel)"
-
-SX_SERVER="${SX_SERVER:-/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe}"
-if [ ! -x "$SX_SERVER" ]; then
-  SX_SERVER="hosts/ocaml/_build/default/bin/sx_server.exe"
-fi
-if [ ! -x "$SX_SERVER" ]; then
-  echo "ERROR: sx_server.exe not found." >&2
-  exit 1
-fi
-
-SUITES=(structural operators dfn tradfn valence programs system idioms eval-ops pipeline)
-
-OUT_JSON="lib/apl/scoreboard.json"
-OUT_MD="lib/apl/scoreboard.md"
-
-run_suite() {
-  local suite=$1
-  local file="lib/apl/tests/${suite}.sx"
-  local TMP
-  TMP=$(mktemp)
-  cat > "$TMP" << EPOCHS
-(epoch 1)
-(load "spec/stdlib.sx")
-(load "lib/r7rs.sx")
-(load "lib/apl/runtime.sx")
-(load "lib/apl/tokenizer.sx")
-(load "lib/apl/parser.sx")
-(load "lib/apl/transpile.sx")
-(epoch 2)
-(eval "(define apl-test-pass 0)")
-(eval "(define apl-test-fail 0)")
-(eval "(define apl-test (fn (name got expected) (if (= got expected) (set! apl-test-pass (+ apl-test-pass 1)) (set! apl-test-fail (+ apl-test-fail 1)))))")
-(epoch 3)
-(load "${file}")
-(epoch 4)
-(eval "(list apl-test-pass apl-test-fail)")
-EPOCHS
-
-  local OUTPUT
-  OUTPUT=$(timeout 300 "$SX_SERVER" < "$TMP" 2>/dev/null)
-  rm -f "$TMP"
-
-  local LINE
-  LINE=$(echo "$OUTPUT" | awk '/^\(ok-len 4 / {getline; print; exit}')
-  if [ -z "$LINE" ]; then
-    LINE=$(echo "$OUTPUT" | grep -E '^\(ok 4 \([0-9]+ [0-9]+\)\)' | tail -1 \
-            | sed -E 's/^\(ok 4 //; s/\)$//')
-  fi
-
-  local P F
-  P=$(echo "$LINE" | sed -E 's/^\(([0-9]+) ([0-9]+)\).*/\1/')
-  F=$(echo "$LINE" | sed -E 's/^\(([0-9]+) ([0-9]+)\).*/\2/')
-  P=${P:-0}
-  F=${F:-0}
-  echo "${P} ${F}"
-}
-
-declare -A SUITE_PASS
-declare -A SUITE_FAIL
-TOTAL_PASS=0
-TOTAL_FAIL=0
-
-echo "Running APL conformance suite..." >&2
-for s in "${SUITES[@]}"; do
-  read -r p f < <(run_suite "$s")
-  SUITE_PASS[$s]=$p
-  SUITE_FAIL[$s]=$f
-  TOTAL_PASS=$((TOTAL_PASS + p))
-  TOTAL_FAIL=$((TOTAL_FAIL + f))
-  printf "  %-12s %d/%d\n" "$s" "$p" "$((p+f))" >&2
-done
-
-# scoreboard.json
-{
-  printf '{\n'
-  printf '  "suites": {\n'
-  first=1
-  for s in "${SUITES[@]}"; do
-    if [ $first -eq 0 ]; then printf ',\n'; fi
-    printf '    "%s": {"pass": %d, "fail": %d}' "$s" "${SUITE_PASS[$s]}" "${SUITE_FAIL[$s]}"
-    first=0
-  done
-  printf '\n  },\n'
-  printf '  "total_pass": %d,\n' "$TOTAL_PASS"
-  printf '  "total_fail": %d,\n' "$TOTAL_FAIL"
-  printf '  "total": %d\n' "$((TOTAL_PASS + TOTAL_FAIL))"
-  printf '}\n'
-} > "$OUT_JSON"
-
-# scoreboard.md
-{
-  printf '# APL Conformance Scoreboard\n\n'
-  printf '_Generated by `lib/apl/conformance.sh`_\n\n'
-  printf '| Suite | Pass | Fail | Total |\n'
-  printf '|-------|-----:|-----:|------:|\n'
-  for s in "${SUITES[@]}"; do
-    p=${SUITE_PASS[$s]}
-    f=${SUITE_FAIL[$s]}
-    printf '| %s | %d | %d | %d |\n' "$s" "$p" "$f" "$((p+f))"
-  done
-  printf '| **Total** | **%d** | **%d** | **%d** |\n' "$TOTAL_PASS" "$TOTAL_FAIL" "$((TOTAL_PASS + TOTAL_FAIL))"
-  printf '\n'
-  printf '## Notes\n\n'
-  printf '%s\n' '- Suites use the standard `apl-test name got expected` framework loaded against `lib/apl/runtime.sx` + `lib/apl/transpile.sx`.'
-  printf '%s\n' '- `lib/apl/tests/parse.sx` and `lib/apl/tests/scalar.sx` use their own self-contained frameworks and are excluded from this scoreboard.'
-} > "$OUT_MD"
-
-echo "Wrote $OUT_JSON and $OUT_MD" >&2
-echo "Total: $TOTAL_PASS pass, $TOTAL_FAIL fail" >&2
-
-[ "$TOTAL_FAIL" -eq 0 ]
+# lib/apl/conformance.sh — APL conformance via the shared guest driver.
+# Config lives in lib/apl/conformance.conf (MODE=counters). Override the binary
+# with SX_SERVER=path/to/sx_server.exe bash lib/apl/conformance.sh
+exec bash "$(dirname "$0")/../guest/conformance.sh" "$(dirname "$0")/conformance.conf" "$@"

lib/apl/scoreboard.json

@@ -9,9 +9,9 @@
     "system": {"pass": 13, "fail": 0},
     "idioms": {"pass": 64, "fail": 0},
     "eval-ops": {"pass": 14, "fail": 0},
-    "pipeline": {"pass": 40, "fail": 0}
+    "pipeline": {"pass": 152, "fail": 0}
   },
-  "total_pass": 450,
+  "total_pass": 562,
   "total_fail": 0,
-  "total": 450
+  "total": 562
 }

lib/apl/scoreboard.md

@@ -13,8 +13,8 @@ _Generated by `lib/apl/conformance.sh`_
 | system | 13 | 0 | 13 |
 | idioms | 64 | 0 | 64 |
 | eval-ops | 14 | 0 | 14 |
-| pipeline | 40 | 0 | 40 |
-| **Total** | **450** | **0** | **450** |
+| pipeline | 152 | 0 | 152 |
+| **Total** | **562** | **0** | **562** |
 
 ## Notes
 

lib/apl/test-harness.sx

@@ -0,0 +1,15 @@
+; lib/apl/test-harness.sx — counters + assertion fn for the shared conformance
+; driver (lib/guest/conformance.sh, MODE=counters). Loaded as a PRELOAD so each
+; suite starts from a fresh 0/0; suites call (apl-test name got expected).
+
+(define apl-test-pass 0)
+(define apl-test-fail 0)
+
+(define
+  apl-test
+  (fn
+    (name got expected)
+    (if
+      (= got expected)
+      (set! apl-test-pass (+ apl-test-pass 1))
+      (set! apl-test-fail (+ apl-test-fail 1)))))

lib/feed/acl.sx

@@ -0,0 +1,38 @@
+; feed/acl — per-viewer visibility filtering. The same candidate stream yields
+; different timelines for different viewers, so ACL is applied per request and
+; pre-ACL timelines are never cached.
+;
+; permit? is injected: (permit? viewer activity) -> bool. Wire a real acl-sx
+; predicate here; feed/permit-acl? is a self-contained default that reads an
+; optional :visible-to allowlist on the activity.
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx, lib/feed/fanout.sx
+; (feed/-elem?), lib/feed/rank.sx (feed/top).
+
+; default permit: actor always sees own activity; absent/nil :visible-to is
+; public; otherwise viewer must be in the allowlist.
+(define
+  feed/permit-acl?
+  (fn
+    (viewer a)
+    (or
+      (equal? viewer (get a :actor))
+      (let
+        ((allowed (get a :visible-to nil)))
+        (if (= allowed nil) true (feed/-elem? viewer allowed))))))
+
+(define feed/permit-public? (fn (viewer a) true))
+
+; filter a stream to what viewer may read
+(define
+  feed/visible
+  (fn
+    (stream viewer permit?)
+    (feed/filter stream (fn (a) (permit? viewer a)))))
+
+; the capstone: candidate stream -> ACL for viewer -> rank -> top-N
+(define
+  feed/timeline
+  (fn
+    (stream viewer permit? score-fn n)
+    (feed/top (feed/visible stream viewer permit?) score-fn n)))

lib/feed/aggregate.sx

@@ -0,0 +1,62 @@
+; feed/aggregate — group-by / counting via key-reduce. Keys must be strings
+; (dict keys), so composite keys (actor, day) are joined into one string.
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx.
+
+; group activities into a dict: key-string -> (list of activities), order-preserving
+(define
+  feed/group-by
+  (fn
+    (stream key-fn)
+    (reduce
+      (fn
+        (g a)
+        (let
+          ((k (key-fn a)))
+          (assoc g k (append (get g k (list)) (list a)))))
+      {}
+      (feed/items stream))))
+
+; key-string -> count
+(define
+  feed/group-count
+  (fn
+    (stream key-fn)
+    (reduce
+      (fn
+        (g a)
+        (let
+          ((k (key-fn a)))
+          (assoc g k (+ (get g k 0) 1))))
+      {}
+      (feed/items stream))))
+
+; --- composite keys ---------------------------------------------------------
+
+(define feed/day (fn (at window) (floor (/ at window))))
+
+; (actor, day-bucket) -> "actor#day"
+(define
+  feed/actor-day-key
+  (fn
+    (window)
+    (fn
+      (a)
+      (string-append
+        (get a :actor)
+        "#"
+        (number->string (feed/day (get a :at) window))))))
+
+(define
+  feed/by-actor-day
+  (fn (stream window) (feed/group-count stream (feed/actor-day-key window))))
+
+; per-actor activity counts
+(define
+  feed/actor-counts
+  (fn (stream) (feed/group-count stream feed/actor)))
+
+; per-object activity counts (engagement)
+(define
+  feed/object-counts
+  (fn (stream) (feed/group-count stream feed/object)))

lib/feed/api.sx

@@ -0,0 +1,24 @@
+; feed/api — ergonomic API over the stream layer for non-APL callers.
+; A single mutable activity log; post appends, all returns it as a stream.
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx (loaded by harness).
+
+(define feed/-log (list))
+
+; post — normalize then append. Returns the stored activity.
+(define
+  feed/post
+  (fn
+    (raw)
+    (let
+      ((a (feed/normalize raw)))
+      (begin (set! feed/-log (append feed/-log (list a))) a))))
+
+; all — the whole log as a stream (insertion order)
+(define feed/all (fn () (feed/stream feed/-log)))
+
+; reset! — clear the log (test hygiene)
+(define feed/reset! (fn () (begin (set! feed/-log (list)) nil)))
+
+; size — number of posted activities
+(define feed/size (fn () (len feed/-log)))

lib/feed/conformance.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+# lib/feed/conformance.sh — run feed test suites, emit scoreboard.json + scoreboard.md.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+SUITES=(basic fanout rank integration content notify home dedupe trending mute page thread)
+
+OUT_JSON="lib/feed/scoreboard.json"
+OUT_MD="lib/feed/scoreboard.md"
+
+run_suite() {
+  local suite=$1
+  local file="lib/feed/tests/${suite}.sx"
+  local TMP
+  TMP=$(mktemp)
+  cat > "$TMP" << EPOCHS
+(epoch 1)
+(load "spec/stdlib.sx")
+(load "lib/r7rs.sx")
+(load "lib/apl/runtime.sx")
+(load "lib/feed/normalize.sx")
+(load "lib/feed/stream.sx")
+(load "lib/feed/api.sx")
+(load "lib/feed/fanout.sx")
+(load "lib/feed/dedupe.sx")
+(load "lib/feed/aggregate.sx")
+(load "lib/feed/rank.sx")
+(load "lib/feed/acl.sx")
+(load "lib/feed/fed.sx")
+(load "lib/feed/content.sx")
+(load "lib/feed/notify.sx")
+(load "lib/feed/home.sx")
+(load "lib/feed/trending.sx")
+(load "lib/feed/mute.sx")
+(load "lib/feed/page.sx")
+(load "lib/feed/thread.sx")
+(epoch 2)
+(eval "(define feed-test-pass 0)")
+(eval "(define feed-test-fail 0)")
+(eval "(define feed-test (fn (name got expected) (if (= got expected) (set! feed-test-pass (+ feed-test-pass 1)) (set! feed-test-fail (+ feed-test-fail 1)))))")
+(epoch 3)
+(load "${file}")
+(epoch 4)
+(eval "(list feed-test-pass feed-test-fail)")
+EPOCHS
+
+  local OUTPUT
+  OUTPUT=$(timeout 300 "$SX_SERVER" < "$TMP" 2>/dev/null)
+  rm -f "$TMP"
+
+  local LINE
+  LINE=$(echo "$OUTPUT" | awk '/^\(ok-len 4 / {getline; print; exit}')
+  if [ -z "$LINE" ]; then
+    LINE=$(echo "$OUTPUT" | grep -E '^\(ok 4 \([0-9]+ [0-9]+\)\)' | tail -1 \
+            | sed -E 's/^\(ok 4 //; s/\)$//')
+  fi
+
+  local P F
+  P=$(echo "$LINE" | sed -E 's/^\(([0-9]+) ([0-9]+)\).*/\1/')
+  F=$(echo "$LINE" | sed -E 's/^\(([0-9]+) ([0-9]+)\).*/\2/')
+  P=${P:-0}
+  F=${F:-0}
+  echo "${P} ${F}"
+}
+
+declare -A SUITE_PASS
+declare -A SUITE_FAIL
+TOTAL_PASS=0
+TOTAL_FAIL=0
+
+echo "Running feed conformance suite..." >&2
+for s in "${SUITES[@]}"; do
+  read -r p f < <(run_suite "$s")
+  SUITE_PASS[$s]=$p
+  SUITE_FAIL[$s]=$f
+  TOTAL_PASS=$((TOTAL_PASS + p))
+  TOTAL_FAIL=$((TOTAL_FAIL + f))
+  printf "  %-12s %d/%d\n" "$s" "$p" "$((p+f))" >&2
+done
+
+# scoreboard.json
+{
+  printf '{\n'
+  printf '  "suites": {\n'
+  first=1
+  for s in "${SUITES[@]}"; do
+    if [ $first -eq 0 ]; then printf ',\n'; fi
+    printf '    "%s": {"pass": %d, "fail": %d}' "$s" "${SUITE_PASS[$s]}" "${SUITE_FAIL[$s]}"
+    first=0
+  done
+  printf '\n  },\n'
+  printf '  "total_pass": %d,\n' "$TOTAL_PASS"
+  printf '  "total_fail": %d,\n' "$TOTAL_FAIL"
+  printf '  "total": %d\n' "$((TOTAL_PASS + TOTAL_FAIL))"
+  printf '}\n'
+} > "$OUT_JSON"
+
+# scoreboard.md
+{
+  printf '# feed Conformance Scoreboard\n\n'
+  printf '_Generated by `lib/feed/conformance.sh`_\n\n'
+  printf '| Suite | Pass | Fail | Total |\n'
+  printf '|-------|-----:|-----:|------:|\n'
+  for s in "${SUITES[@]}"; do
+    p=${SUITE_PASS[$s]}
+    f=${SUITE_FAIL[$s]}
+    printf '| %s | %d | %d | %d |\n' "$s" "$p" "$f" "$((p+f))"
+  done
+  printf '| **Total** | **%d** | **%d** | **%d** |\n' "$TOTAL_PASS" "$TOTAL_FAIL" "$((TOTAL_PASS + TOTAL_FAIL))"
+} > "$OUT_MD"
+
+echo "Wrote $OUT_JSON and $OUT_MD" >&2
+echo "Total: $TOTAL_PASS pass, $TOTAL_FAIL fail" >&2
+
+[ "$TOTAL_FAIL" -eq 0 ]

lib/feed/content.sx

@@ -0,0 +1,68 @@
+; feed/content — TF-IDF relevance over activity :tags. Rare tags carry more
+; signal, so an activity matching an uncommon tag ranks above one matching a
+; common tag. Composes with rank.sx: feed/tfidf-score is just another scorer.
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx, lib/feed/fanout.sx
+; (feed/-distinct), lib/feed/rank.sx (feed/rank).
+
+; document frequency: tag -> number of activities whose :tags contain it
+; (a tag repeated within one activity counts once toward df)
+(define
+  feed/tag-df
+  (fn
+    (stream)
+    (reduce
+      (fn
+        (df a)
+        (reduce
+          (fn (d t) (assoc d t (+ (get d t 0) 1)))
+          df
+          (feed/-distinct (get a :tags))))
+      {}
+      (feed/items stream))))
+
+; inverse document frequency: tag -> log(N / df)
+(define
+  feed/tag-idf
+  (fn
+    (stream)
+    (let
+      ((n (feed/count stream)) (df (feed/tag-df stream)))
+      (reduce
+        (fn (idf t) (assoc idf t (log (/ n (get df t)))))
+        {}
+        (keys df)))))
+
+; term frequency within one activity: tag -> occurrence count
+(define
+  feed/-tf
+  (fn
+    (a)
+    (reduce
+      (fn (tf t) (assoc tf t (+ (get tf t 0) 1)))
+      {}
+      (get a :tags))))
+
+; relevance of an activity to a query (list of tags) given precomputed idf:
+; sum over query tags of tf(tag in activity) * idf(tag in corpus)
+(define
+  feed/tfidf-score
+  (fn
+    (idf query)
+    (fn
+      (a)
+      (let
+        ((tf (feed/-tf a)))
+        (reduce
+          (fn
+            (acc t)
+            (+ acc (* (get tf t 0) (get idf t 0))))
+          0
+          query)))))
+
+; rank a stream by relevance to query tags (idf computed over the stream itself)
+(define
+  feed/by-relevance
+  (fn
+    (stream query)
+    (feed/rank stream (feed/tfidf-score (feed/tag-idf stream) query))))

lib/feed/dedupe.sx

@@ -0,0 +1,76 @@
+; feed/dedupe — collapse duplicate items, keeping first occurrence per key.
+; Each verb may want its own key (see briefing): "alice posted X" keys on
+; (actor verb object) — distinct per actor; "alice liked X / bob liked X"
+; collapse on (verb object) so the cross-actor likes fold into one.
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx, lib/feed/fanout.sx
+; (feed/-elem? lives in fanout.sx).
+
+; generic: dedupe a stream by key-fn, first occurrence wins (stable)
+(define
+  feed/-dedup-by
+  (fn
+    (items key-fn)
+    (get
+      (reduce
+        (fn
+          (st x)
+          (let
+            ((k (key-fn x)))
+            (if (feed/-elem? k (get st :seen)) st {:seen (append (get st :seen) (list k)) :out (append (get st :out) (list x))})))
+        {:seen (list) :out (list)}
+        items)
+      :out)))
+
+(define
+  feed/dedupe
+  (fn
+    (stream key-fn)
+    (feed/stream (feed/-dedup-by (feed/items stream) key-fn))))
+
+; --- keys -------------------------------------------------------------------
+
+(define
+  feed/activity-key
+  (fn (a) (list (get a :actor) (get a :verb) (get a :object))))
+
+; collapse cross-actor duplicates of the same verb+object (e.g. likes)
+(define feed/collapse-key (fn (a) (list (get a :verb) (get a :object))))
+
+; per-receiver inbox key — one inbox event per (receiver, actor, verb, object)
+(define
+  feed/event-key
+  (fn
+    (ev)
+    (let
+      ((a (get ev :activity)))
+      (list (get ev :to) (get a :actor) (get a :verb) (get a :object)))))
+
+; verbs whose duplicates collapse across actors (reactions, not authorship).
+; rebindable: callers can (set! feed/collapse-verbs ...) to tune the policy.
+(define
+  feed/collapse-verbs
+  (list "like" "favourite" "follow" "boost" "repost"))
+
+; per-verb key: collapse-verbs fold on (verb object); the rest key on
+; (actor verb object).
+(define
+  feed/smart-key
+  (fn
+    (a)
+    (if
+      (feed/-elem? (get a :verb) feed/collapse-verbs)
+      (feed/collapse-key a)
+      (feed/activity-key a))))
+
+; --- ready-made dedupers ----------------------------------------------------
+
+(define feed/dedupe-activities (fn (s) (feed/dedupe s feed/activity-key)))
+
+(define feed/dedupe-collapse (fn (s) (feed/dedupe s feed/collapse-key)))
+
+; verb-aware: reactions collapse cross-actor, posts stay distinct per actor
+(define feed/dedupe-smart (fn (s) (feed/dedupe s feed/smart-key)))
+
+; dedupe an inbox: at most one event per receiver per (actor verb object)
+(define feed/dedupe-inbox (fn (inbox) (feed/dedupe inbox feed/event-key)))

lib/feed/fanout.sx

@@ -0,0 +1,114 @@
+; feed/fanout — THE SHOWCASE. Fan activities out to followers via the APL outer
+; product (∘.×). activities ∘.× audience → an (activity × follower) matrix of
+; inbox events; flatten to a vector; guard-keep only real follow edges.
+;
+; Requires: lib/apl/runtime.sx, lib/feed/normalize.sx, lib/feed/stream.sx.
+;
+; NOTE: apl-outer's combiner result is run through (if (scalar? r) (disclose r) r).
+; A bare dict counts as a scalar (shape ()) and disclose nils it — so the combiner
+; must (enclose ...) its event dict; apl-outer then discloses it back intact.
+
+; --- graph: {followee -> (list of followers)} -------------------------------
+
+(define feed/followers (fn (graph user) (get graph user (list))))
+
+; build a graph from (follower followee) edges: "follower follows followee"
+(define
+  feed/follow-graph
+  (fn
+    (edges)
+    (reduce
+      (fn
+        (g e)
+        (let
+          ((follower (first e)) (followee (nth e 1)))
+          (assoc
+            g
+            followee
+            (append (feed/followers g followee) (list follower)))))
+      {}
+      edges)))
+
+; --- helpers ----------------------------------------------------------------
+
+; unwrap an apl-scalar (has :ravel) back to its value; pass activities through
+(define
+  feed/-val
+  (fn
+    (x)
+    (if (and (= (type-of x) "dict") (has-key? x :ravel)) (disclose x) x)))
+
+(define feed/-elem? (fn (x lst) (some (fn (y) (equal? x y)) lst)))
+
+(define
+  feed/-distinct
+  (fn
+    (lst)
+    (if
+      (= (len lst) 0)
+      (list)
+      (get (apl-unique (make-array (list (len lst)) lst)) :ravel))))
+
+; rank-2 matrix -> rank-1 stream of its ravel
+(define feed/-flatten (fn (arr) (feed/stream (get arr :ravel))))
+
+; distinct receivers across the whole graph, sorted for determinism
+; (dict key order is unspecified, so sort to pin audience/recipient ordering)
+(define
+  feed/audience
+  (fn
+    (graph)
+    (sort
+      (feed/-distinct
+        (reduce
+          (fn (acc k) (append acc (feed/followers graph k)))
+          (list)
+          (keys graph))))))
+
+; --- the outer product ------------------------------------------------------
+
+; one (activity, follower) inbox event, enclosed so apl-outer keeps the dict
+(define feed/-mk-event (fn (a f) (enclose {:activity (feed/-val a) :to (feed/-val f)})))
+
+; keep events where :to actually follows the activity's actor
+(define
+  feed/-edge?
+  (fn
+    (graph)
+    (fn
+      (ev)
+      (feed/-elem?
+        (get ev :to)
+        (feed/followers graph (get (get ev :activity) :actor))))))
+
+; fanout — activities ∘.× audience, flatten, guard-keep real edges
+(define
+  feed/fanout
+  (fn
+    (stream graph)
+    (let
+      ((matrix (apl-outer feed/-mk-event stream (feed/stream (feed/audience graph)))))
+      (feed/filter (feed/-flatten matrix) (feed/-edge? graph)))))
+
+; --- inbox queries ----------------------------------------------------------
+
+(define
+  feed/inbox-for
+  (fn
+    (inbox user)
+    (feed/filter inbox (fn (ev) (equal? (get ev :to) user)))))
+
+(define
+  feed/recipients
+  (fn
+    (inbox)
+    (feed/-distinct (map (fn (ev) (get ev :to)) (feed/items inbox)))))
+
+; the activities (unwrapped) destined for a user
+(define
+  feed/inbox-activities
+  (fn
+    (inbox user)
+    (map
+      (fn (ev) (get ev :activity))
+      (feed/items (feed/inbox-for inbox user)))))

lib/feed/fed.sx

@@ -0,0 +1,60 @@
+; feed/fed — federation. Outbound: a local post fans out, then splits into local
+; vs remote inboxes; remote events are handed to an injected send-fn. Inbound:
+; peer activities merge into the local stream, deduped. Backfill: pull peer
+; history via an injected fetch-fn and merge.
+;
+; remote? / send-fn / fetch-fn are injected so real fed-sx transport wires in here
+; without feed depending on it.
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx, lib/feed/fanout.sx,
+; lib/feed/dedupe.sx.
+
+; --- merge / ingest ---------------------------------------------------------
+
+(define
+  feed/merge
+  (fn (s1 s2) (feed/stream (append (feed/items s1) (feed/items s2)))))
+
+; merge a peer stream into local, dropping (actor verb object) duplicates
+(define
+  feed/ingest
+  (fn (local peer) (feed/dedupe-activities (feed/merge local peer))))
+
+; --- inbound ----------------------------------------------------------------
+
+; peer pushes raw activities to the local inbox; normalize + ingest
+(define
+  feed/inbound
+  (fn
+    (local raw-activities)
+    (feed/ingest local (feed/stream (map feed/normalize raw-activities)))))
+
+; backfill on subscribe: pull peer history via fetch-fn, normalize, ingest
+(define
+  feed/backfill
+  (fn (local fetch-fn peer-id) (feed/inbound local (fetch-fn peer-id))))
+
+; --- outbound ---------------------------------------------------------------
+
+; split an inbox into local vs remote deliveries by viewer-id predicate
+(define feed/partition-inbox (fn (inbox remote?) {:local (feed/filter inbox (fn (ev) (not (remote? (get ev :to))))) :remote (feed/filter inbox (fn (ev) (remote? (get ev :to))))}))
+
+; fan a stream out over the graph, then partition by locality
+(define
+  feed/federate
+  (fn
+    (stream graph remote?)
+    (feed/partition-inbox (feed/fanout stream graph) remote?)))
+
+; deliver: hand each remote event to send-fn, return the local inbox to enqueue
+(define
+  feed/deliver
+  (fn
+    (stream graph remote? send-fn)
+    (let
+      ((parts (feed/federate stream graph remote?)))
+      (begin
+        (for-each
+          (fn (ev) (send-fn (get ev :to) (get ev :activity)))
+          (feed/items (get parts :remote)))
+        (get parts :local)))))

lib/feed/home.sx

@@ -0,0 +1,23 @@
+; feed/home — the capstone. A user's home timeline is the whole pipeline as one
+; line: fan all activities out over the follow graph, take the events landing in
+; the viewer's inbox, dedupe cross-posts, apply the viewer's ACL, rank, take N.
+;
+; Requires: fanout.sx, dedupe.sx, acl.sx (feed/timeline), rank.sx, stream.sx.
+
+; the activities in a user's inbox, as a stream
+(define
+  feed/inbox-stream
+  (fn (inbox user) (feed/stream (feed/inbox-activities inbox user))))
+
+; fanout ∘ inbox ∘ dedupe ∘ ACL ∘ rank ∘ take
+(define
+  feed/home
+  (fn
+    (stream graph viewer permit? score-fn n)
+    (feed/timeline
+      (feed/dedupe-activities
+        (feed/inbox-stream (feed/fanout stream graph) viewer))
+      viewer
+      permit?
+      score-fn
+      n)))

lib/feed/mute.sx

@@ -0,0 +1,44 @@
+; feed/mute — viewer-controlled filtering. ACL (acl.sx) is author-controlled
+; visibility; mute is the reader's own preference: hide muted actors or tags.
+; Like ACL it is per-viewer and applied per request, never cached.
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx, lib/feed/fanout.sx
+; (feed/-elem?).
+
+; drop activities authored by a muted actor
+(define
+  feed/mute-actors
+  (fn
+    (stream actors)
+    (feed/filter
+      stream
+      (fn (a) (not (feed/-elem? (get a :actor) actors))))))
+
+; drop activities carrying any muted tag
+(define
+  feed/mute-tags
+  (fn
+    (stream tags)
+    (feed/filter
+      stream
+      (fn (a) (not (some (fn (t) (feed/-elem? t tags)) (get a :tags)))))))
+
+; drop activities about a muted object (thread mute)
+(define
+  feed/mute-objects
+  (fn
+    (stream objects)
+    (feed/filter
+      stream
+      (fn (a) (not (feed/-elem? (get a :object) objects))))))
+
+; apply a viewer preference bag: {:mute-actors (...) :mute-tags (...) :mute-objects (...)}
+(define
+  feed/apply-prefs
+  (fn
+    (stream prefs)
+    (feed/mute-objects
+      (feed/mute-tags
+        (feed/mute-actors stream (get prefs :mute-actors (list)))
+        (get prefs :mute-tags (list)))
+      (get prefs :mute-objects (list)))))

lib/feed/normalize.sx

@@ -0,0 +1,31 @@
+; feed/normalize — coerce arbitrary input into the canonical activity record.
+; An activity is a small dict {:actor :verb :object :at :tags}; a stream is an
+; APL vector of such dicts (see stream.sx). Extra keys on the raw input survive
+; (e.g. :visible-to for ACL, peer metadata for federation) — :tags is the
+; flexible bag but the record is not closed.
+
+(define feed/activity-keys (list :actor :verb :object :at :tags))
+
+(define
+  feed/normalize
+  (fn
+    (raw)
+    (let
+      ((d (if (= (type-of raw) "dict") raw {})))
+      (merge d {:actor (get d :actor "") :object (get d :object nil) :at (get d :at 0) :tags (let ((t (get d :tags (list)))) (if (list? t) t (list t))) :verb (get d :verb "post")}))))
+
+(define
+  feed/activity
+  (fn (actor verb object at tags) (feed/normalize {:actor actor :object object :at at :tags tags :verb verb})))
+
+(define feed/actor (fn (a) (get a :actor)))
+(define feed/verb (fn (a) (get a :verb)))
+(define feed/object (fn (a) (get a :object)))
+(define feed/at (fn (a) (get a :at)))
+(define feed/tags (fn (a) (get a :tags)))
+
+(define
+  feed/activity?
+  (fn
+    (a)
+    (and (= (type-of a) "dict") (has-key? a :actor) (has-key? a :verb))))

lib/feed/notify.sx

@@ -0,0 +1,45 @@
+; feed/notify — a notification feed is a thin layer over a recipient's inbox:
+; the events directed at a user, optionally verb-filtered, and a digest that
+; collapses "alice, bob and 1 other liked X" by (verb, object).
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx, lib/feed/fanout.sx
+; (feed/inbox-for, feed/-elem?).
+
+; all inbox events for a user (their raw notifications)
+(define feed/notifications (fn (inbox user) (feed/inbox-for inbox user)))
+
+; restrict to notification-worthy verbs (e.g. (list "like" "reply" "follow"))
+(define
+  feed/notify-verbs
+  (fn
+    (inbox user verbs)
+    (feed/filter
+      (feed/inbox-for inbox user)
+      (fn (ev) (feed/-elem? (get (get ev :activity) :verb) verbs)))))
+
+; group key "verb|object" — deterministic, sortable
+(define
+  feed/-notify-key
+  (fn
+    (ev)
+    (let
+      ((a (get ev :activity)))
+      (string-append (get a :verb) "|" (get a :object)))))
+
+; digest: one entry per (verb, object) with the distinct actors and a count,
+; ordered by key for determinism.
+(define
+  feed/notify-digest
+  (fn
+    (inbox user)
+    (let
+      ((events (feed/items (feed/inbox-for inbox user))))
+      (let
+        ((groups (reduce (fn (g ev) (let ((a (get ev :activity)) (k (feed/-notify-key ev))) (let ((cur (get g k {:object (get a :object) :actors (list) :verb (get a :verb)}))) (assoc g k (assoc cur :actors (append (get cur :actors) (list (get a :actor)))))))) {} events)))
+        (map
+          (fn
+            (k)
+            (let
+              ((grp (get groups k)))
+              (assoc grp :count (len (get grp :actors)))))
+          (sort (keys groups)))))))

lib/feed/page.sx

@@ -0,0 +1,50 @@
+; feed/page — pagination. Offset/limit for indexed access, and cursor-based
+; (by :at) for recency feeds, which is stable under inserts: a cursor is the
+; :at of the last item seen, and the next page is the newest items older than it.
+;
+; Requires: lib/feed/stream.sx (feed/recent, feed/take, feed/filter).
+
+; --- offset / limit ---------------------------------------------------------
+
+(define
+  feed/page
+  (fn
+    (stream offset limit)
+    (feed/stream (take (drop (feed/items stream) offset) limit))))
+
+(define
+  feed/page-count
+  (fn (stream limit) (ceil (/ (feed/count stream) limit))))
+
+; --- cursor (recency feeds) -------------------------------------------------
+
+; activities strictly older than cursor (scroll down / load older)
+(define
+  feed/before
+  (fn
+    (stream cursor)
+    (feed/filter stream (fn (a) (< (get a :at) cursor)))))
+
+; activities strictly newer than cursor (load newer / "N new posts")
+(define
+  feed/after
+  (fn
+    (stream cursor)
+    (feed/filter stream (fn (a) (> (get a :at) cursor)))))
+
+; one page: the `limit` newest activities older than cursor, newest first
+(define
+  feed/page-before
+  (fn
+    (stream cursor limit)
+    (feed/take (feed/recent (feed/before stream cursor)) limit)))
+
+; cursor to fetch the next (older) page: :at of the last item of a page,
+; or nil when the page is empty (end of feed)
+(define
+  feed/next-cursor
+  (fn
+    (page)
+    (let
+      ((items (feed/items page)))
+      (if (= (len items) 0) nil (get (last items) :at)))))

lib/feed/rank.sx

@@ -0,0 +1,92 @@
+; feed/rank — scoring + ranking. Scorers are (activity -> number). Ranking is a
+; stable two-pass grade-down: first by :at descending (the tiebreak), then by
+; score descending — so ties resolve by recency, then by input order. Fully
+; deterministic on ties.
+;
+; Requires: lib/apl/runtime.sx, lib/feed/normalize.sx, lib/feed/stream.sx.
+
+; --- scorers ----------------------------------------------------------------
+
+; recency: half-life decay. score = 0.5 ^ (age / half-life). at==now -> 1.0.
+(define
+  feed/recency
+  (fn
+    (now half-life)
+    (fn (a) (expt 0.5 (/ (- now (get a :at)) half-life)))))
+
+; velocity: how many of this actor's activities fall in (at-window, at] —
+; a burst of recent activity scores higher.
+(define
+  feed/velocity
+  (fn
+    (stream window)
+    (fn
+      (a)
+      (len
+        (filter
+          (fn
+            (b)
+            (and
+              (equal? (get b :actor) (get a :actor))
+              (<= (get b :at) (get a :at))
+              (> (get b :at) (- (get a :at) window))))
+          (feed/items stream))))))
+
+; engagement: how many activities in the stream touch this activity's :object
+(define
+  feed/engagement
+  (fn
+    (stream)
+    (fn
+      (a)
+      (len
+        (filter
+          (fn (b) (equal? (get b :object) (get a :object)))
+          (feed/items stream))))))
+
+; composite: weighted sum. parts = (list (list weight scorer) ...)
+(define
+  feed/composite
+  (fn
+    (parts)
+    (fn
+      (a)
+      (reduce
+        (fn (acc p) (+ acc (* (first p) ((nth p 1) a))))
+        0
+        parts))))
+
+; --- ranking ----------------------------------------------------------------
+
+; stable reorder of items by key-fn, descending (grade-down is stable)
+(define
+  feed/-desc-by
+  (fn
+    (items key-fn)
+    (let
+      ((keys (make-array (list (len items)) (map key-fn items))))
+      (let
+        ((order (get (apl-grade-down keys) :ravel)))
+        (map (fn (i) (nth items (- i 1))) order)))))
+
+; rank by score descending; ties -> :at descending -> input order
+(define
+  feed/rank
+  (fn
+    (stream score-fn)
+    (let
+      ((by-at (feed/-desc-by (feed/items stream) feed/at)))
+      (feed/stream (feed/-desc-by by-at score-fn)))))
+
+; attach a :score to each activity (for inspection / debugging)
+(define
+  feed/with-scores
+  (fn
+    (stream score-fn)
+    (feed/stream
+      (map (fn (a) (assoc a :score (score-fn a))) (feed/items stream)))))
+
+; top-N ranked timeline
+(define
+  feed/top
+  (fn (stream score-fn n) (feed/take (feed/rank stream score-fn) n)))

lib/feed/scoreboard.json

@@ -0,0 +1,19 @@
+{
+  "suites": {
+    "basic": {"pass": 30, "fail": 0},
+    "fanout": {"pass": 29, "fail": 0},
+    "rank": {"pass": 24, "fail": 0},
+    "integration": {"pass": 22, "fail": 0},
+    "content": {"pass": 15, "fail": 0},
+    "notify": {"pass": 8, "fail": 0},
+    "home": {"pass": 6, "fail": 0},
+    "dedupe": {"pass": 9, "fail": 0},
+    "trending": {"pass": 11, "fail": 0},
+    "mute": {"pass": 9, "fail": 0},
+    "page": {"pass": 14, "fail": 0},
+    "thread": {"pass": 12, "fail": 0}
+  },
+  "total_pass": 189,
+  "total_fail": 0,
+  "total": 189
+}

lib/feed/scoreboard.md

@@ -0,0 +1,19 @@
+# feed Conformance Scoreboard
+
+_Generated by `lib/feed/conformance.sh`_
+
+| Suite | Pass | Fail | Total |
+|-------|-----:|-----:|------:|
+| basic | 30 | 0 | 30 |
+| fanout | 29 | 0 | 29 |
+| rank | 24 | 0 | 24 |
+| integration | 22 | 0 | 22 |
+| content | 15 | 0 | 15 |
+| notify | 8 | 0 | 8 |
+| home | 6 | 0 | 6 |
+| dedupe | 9 | 0 | 9 |
+| trending | 11 | 0 | 11 |
+| mute | 9 | 0 | 9 |
+| page | 14 | 0 | 14 |
+| thread | 12 | 0 | 12 |
+| **Total** | **189** | **0** | **189** |

lib/feed/stream.sx

@@ -0,0 +1,75 @@
+; feed/stream — a stream is an APL vector (rank-1 array) whose ravel holds
+; activity dicts. Operations lift APL primitives onto this shape: filter via
+; compress (/), sort via grade (⍋), take via ↑, reverse via ⌽.
+;
+; Requires: lib/apl/runtime.sx, lib/feed/normalize.sx (loaded by harness).
+
+(define feed/stream (fn (acts) (make-array (list (len acts)) acts)))
+
+(define feed/items (fn (s) (get s :ravel)))
+
+(define feed/count (fn (s) (len (get s :ravel))))
+
+(define feed/empty (feed/stream (list)))
+
+(define feed/empty? (fn (s) (= (feed/count s) 0)))
+
+; filter — bool mask ∘ compress. pred : activity -> truthy
+(define
+  feed/filter
+  (fn
+    (s pred)
+    (let
+      ((items (get s :ravel)))
+      (let
+        ((mask (make-array (list (len items)) (map (fn (a) (if (pred a) 1 0)) items))))
+        (apl-compress mask s)))))
+
+; sort-by — ascending, stable on ties (grade-up is stable). key-fn : activity -> number
+(define
+  feed/sort-by
+  (fn
+    (s key-fn)
+    (let
+      ((items (get s :ravel)))
+      (let
+        ((keys (make-array (list (len items)) (map key-fn items))))
+        (let
+          ((order (get (apl-grade-up keys) :ravel)))
+          (feed/stream (map (fn (i) (nth items (- i 1))) order)))))))
+
+(define feed/sort-by-at (fn (s) (feed/sort-by s feed/at)))
+
+; newest-first: ascending sort then reverse (⌽)
+(define feed/recent (fn (s) (apl-reverse (feed/sort-by-at s))))
+
+; take N (↑), clamped to stream length so it never over-takes/pads
+(define
+  feed/take
+  (fn
+    (s n)
+    (let
+      ((c (feed/count s)))
+      (if (>= n c) s (apl-take (apl-scalar n) s)))))
+
+(define feed/reverse (fn (s) (apl-reverse s)))
+
+; common predicates
+(define
+  feed/by-actor
+  (fn (s actor) (feed/filter s (fn (a) (equal? (get a :actor) actor)))))
+
+(define
+  feed/by-verb
+  (fn (s verb) (feed/filter s (fn (a) (equal? (get a :verb) verb)))))
+
+(define
+  feed/by-object
+  (fn
+    (s object)
+    (feed/filter s (fn (a) (equal? (get a :object) object)))))
+
+; activities at or after timestamp t
+(define
+  feed/since
+  (fn (s t) (feed/filter s (fn (a) (>= (get a :at) t)))))

lib/feed/tests/basic.sx

@@ -0,0 +1,118 @@
+; Phase 1 — normalize, stream ops, api. Uses the feed-test harness
+; (feed-test name got expected) provided by conformance.sh.
+
+; ---------- normalize ----------
+
+(feed-test
+  "normalize default actor"
+  (feed/actor (feed/normalize {}))
+  "")
+(feed-test
+  "normalize default verb"
+  (feed/verb (feed/normalize {}))
+  "post")
+(feed-test
+  "normalize default at"
+  (feed/at (feed/normalize {}))
+  0)
+(feed-test
+  "normalize default object"
+  (feed/object (feed/normalize {}))
+  nil)
+(feed-test
+  "normalize default tags"
+  (feed/tags (feed/normalize {}))
+  (list))
+(feed-test
+  "normalize keeps actor"
+  (feed/actor (feed/normalize {:actor "alice"}))
+  "alice")
+(feed-test
+  "normalize keeps verb"
+  (feed/verb (feed/normalize {:verb "like"}))
+  "like")
+(feed-test
+  "normalize scalar tag -> list"
+  (feed/tags (feed/normalize {:tags "x"}))
+  (list "x"))
+(feed-test
+  "normalize list tags kept"
+  (feed/tags (feed/normalize {:tags (list "a" "b")}))
+  (list "a" "b"))
+(feed-test
+  "activity constructor at"
+  (feed/at (feed/activity "a" "post" "o" 5 (list)))
+  5)
+(feed-test
+  "activity? on activity"
+  (feed/activity? (feed/normalize {:actor "a"}))
+  true)
+(feed-test "activity? on number" (feed/activity? 5) false)
+(feed-test "activity? on bare dict" (feed/activity? {:foo 1}) false)
+
+; ---------- stream ----------
+
+(define
+  S
+  (feed/stream
+    (list
+      (feed/activity "alice" "post" "p1" 30 (list))
+      (feed/activity "bob" "like" "p1" 10 (list))
+      (feed/activity "alice" "post" "p2" 20 (list)))))
+
+(feed-test "stream count" (feed/count S) 3)
+(feed-test "stream items len" (len (feed/items S)) 3)
+(feed-test
+  "sort-by-at actors asc"
+  (map feed/actor (feed/items (feed/sort-by-at S)))
+  (list "bob" "alice" "alice"))
+(feed-test
+  "recent newest first"
+  (map feed/at (feed/items (feed/recent S)))
+  (list 30 20 10))
+(feed-test
+  "take 2 of recent"
+  (feed/count (feed/take (feed/recent S) 2))
+  2)
+(feed-test
+  "take clamps past end"
+  (feed/count (feed/take S 10))
+  3)
+(feed-test
+  "by-actor alice count"
+  (feed/count (feed/by-actor S "alice"))
+  2)
+(feed-test
+  "by-verb like actor"
+  (map feed/actor (feed/items (feed/by-verb S "like")))
+  (list "bob"))
+(feed-test
+  "by-object p1 count"
+  (feed/count (feed/by-object S "p1"))
+  2)
+(feed-test
+  "since 20 count"
+  (feed/count (feed/since S 20))
+  2)
+(feed-test
+  "reverse ats"
+  (map feed/at (feed/items (feed/reverse S)))
+  (list 20 10 30))
+(feed-test "empty? on empty" (feed/empty? feed/empty) true)
+(feed-test
+  "empty? on filtered-out"
+  (feed/empty? (feed/by-actor S "zzz"))
+  true)
+
+; ---------- api ----------
+
+(feed/reset!)
+(feed/post {:actor "x" :at 1 :verb "post"})
+(feed/post {:actor "y" :at 2 :verb "like"})
+(feed-test "api size after posts" (feed/size) 2)
+(feed-test "api all count" (feed/count (feed/all)) 2)
+(feed-test
+  "post returns normalized verb"
+  (feed/verb (feed/post {:actor "z"}))
+  "post")
+(feed-test "api size after third post" (feed/size) 3)

lib/feed/tests/content.sx

@@ -0,0 +1,85 @@
+; Follow-up — TF-IDF content ranking over :tags. (feed-test name got expected)
+
+(define
+  corpus
+  (feed/stream
+    (list
+      (feed/normalize {:actor "u" :object "o1" :at 10 :tags (list "cats" "funny")})
+      (feed/normalize {:actor "u" :object "o2" :at 20 :tags (list "cats" "news")})
+      (feed/normalize {:actor "u" :object "o3" :at 30 :tags (list "politics" "news")})
+      (feed/normalize {:actor "u" :object "o4" :at 40 :tags (list "cats")}))))
+
+; ---------- document frequency ----------
+
+(feed-test "df cats" (get (feed/tag-df corpus) "cats") 3)
+(feed-test "df news" (get (feed/tag-df corpus) "news") 2)
+(feed-test "df funny" (get (feed/tag-df corpus) "funny") 1)
+(feed-test "df politics" (get (feed/tag-df corpus) "politics") 1)
+(feed-test "df full" (feed/tag-df corpus) {:news 2 :funny 1 :politics 1 :cats 3})
+
+; ---------- inverse document frequency ----------
+
+(feed-test
+  "idf news = log(4/2)"
+  (get (feed/tag-idf corpus) "news")
+  (log 2))
+(feed-test
+  "idf funny = log(4/1)"
+  (get (feed/tag-idf corpus) "funny")
+  (log 4))
+(feed-test
+  "rarer tag has higher idf"
+  (>
+    (get (feed/tag-idf corpus) "funny")
+    (get (feed/tag-idf corpus) "cats"))
+  true)
+
+; ---------- tf-idf scoring ----------
+
+(define idf (feed/tag-idf corpus))
+
+(feed-test
+  "score query funny on o1"
+  ((feed/tfidf-score idf (list "funny")) (feed/normalize {:actor "u" :object "x" :tags (list "cats" "funny")}))
+  (log 4))
+(feed-test
+  "score query funny on non-match"
+  ((feed/tfidf-score idf (list "funny")) (feed/normalize {:actor "u" :object "x" :tags (list "cats")}))
+  0)
+(feed-test
+  "unknown query tag scores 0"
+  ((feed/tfidf-score idf (list "zzz")) (feed/normalize {:actor "u" :object "x" :tags (list "cats")}))
+  0)
+
+; ---------- ranking by relevance ----------
+
+; query news: o2,o3 match (score log2), o1,o4 don't (0); ties break by :at desc
+(feed-test
+  "by-relevance news order"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/by-relevance corpus (list "news"))))
+  (list "o3" "o2" "o4" "o1"))
+
+; query funny: only o1 matches -> ranks first
+(feed-test
+  "by-relevance funny first"
+  (get
+    (nth (feed/items (feed/by-relevance corpus (list "funny"))) 0)
+    :object)
+  "o1")
+
+; query (cats news): o2 carries both tags -> highest combined tf-idf
+(feed-test
+  "by-relevance cats+news top"
+  (get
+    (nth
+      (feed/items (feed/by-relevance corpus (list "cats" "news")))
+      0)
+    :object)
+  "o2")
+
+(feed-test
+  "by-relevance preserves count"
+  (feed/count (feed/by-relevance corpus (list "cats")))
+  4)

lib/feed/tests/dedupe.sx

@@ -0,0 +1,56 @@
+; Follow-up — verb-aware (smart) dedupe. (feed-test name got expected)
+
+; reactions (like/follow) collapse cross-actor; posts stay distinct per actor
+(define
+  M
+  (feed/stream
+    (list
+      (feed/activity "alice" "like" "X" 1 (list))
+      (feed/activity "bob" "like" "X" 2 (list))
+      (feed/activity "alice" "post" "P" 3 (list))
+      (feed/activity "bob" "post" "P" 4 (list))
+      (feed/activity "alice" "follow" "C" 5 (list))
+      (feed/activity "bob" "follow" "C" 6 (list))))) ; collapses
+
+(feed-test
+  "smart dedupe total"
+  (feed/count (feed/dedupe-smart M))
+  4)
+(feed-test
+  "smart keeps both posts"
+  (feed/count (feed/by-verb (feed/dedupe-smart M) "post"))
+  2)
+(feed-test
+  "smart collapses likes to one"
+  (feed/count (feed/by-verb (feed/dedupe-smart M) "like"))
+  1)
+(feed-test
+  "smart collapses follows to one"
+  (feed/count (feed/by-verb (feed/dedupe-smart M) "follow"))
+  1)
+(feed-test
+  "collapsed like keeps first actor"
+  (map feed/actor (feed/items (feed/by-verb (feed/dedupe-smart M) "like")))
+  (list "alice"))
+
+; contrast: plain activity dedupe keeps cross-actor likes distinct
+(feed-test
+  "activity dedupe keeps both likes"
+  (feed/count (feed/by-verb (feed/dedupe-activities M) "like"))
+  2)
+
+; contrast: blanket collapse folds the two posts (same verb+object) too
+(feed-test
+  "collapse dedupe folds posts"
+  (feed/count (feed/by-verb (feed/dedupe-collapse M) "post"))
+  1)
+
+; smart-key dispatch
+(feed-test
+  "smart-key reaction -> (verb object)"
+  (feed/smart-key (feed/activity "alice" "like" "X" 0 (list)))
+  (list "like" "X"))
+(feed-test
+  "smart-key post -> (actor verb object)"
+  (feed/smart-key (feed/activity "alice" "post" "P" 0 (list)))
+  (list "alice" "post" "P"))

lib/feed/tests/fanout.sx

@@ -0,0 +1,187 @@
+; Phase 2 — fanout via outer product + dedupe. (feed-test name got expected)
+
+; ---------- graph ----------
+
+; edges: (follower followee). bob,carol follow alice; carol,dave follow bob.
+(define
+  G
+  (feed/follow-graph
+    (list
+      (list "bob" "alice")
+      (list "carol" "alice")
+      (list "carol" "bob")
+      (list "dave" "bob"))))
+
+(feed-test "followers alice" (feed/followers G "alice") (list "bob" "carol"))
+(feed-test "followers bob" (feed/followers G "bob") (list "carol" "dave"))
+(feed-test "followers unknown" (feed/followers G "zzz") (list))
+(feed-test "audience distinct" (feed/audience G) (list "bob" "carol" "dave"))
+
+; ---------- fanout ----------
+
+(define
+  S
+  (feed/stream
+    (list
+      (feed/activity "alice" "post" "p1" 10 (list))
+      (feed/activity "alice" "post" "p2" 20 (list))
+      (feed/activity "bob" "like" "p1" 30 (list)))))
+
+(define IB (feed/fanout S G))
+
+(feed-test "fanout total edges" (feed/count IB) 6)
+(feed-test
+  "inbox bob count"
+  (feed/count (feed/inbox-for IB "bob"))
+  2)
+(feed-test
+  "inbox carol count"
+  (feed/count (feed/inbox-for IB "carol"))
+  3)
+(feed-test
+  "inbox dave count"
+  (feed/count (feed/inbox-for IB "dave"))
+  1)
+(feed-test
+  "inbox alice (follows none)"
+  (feed/count (feed/inbox-for IB "alice"))
+  0)
+(feed-test
+  "recipients order"
+  (feed/recipients IB)
+  (list "bob" "carol" "dave"))
+(feed-test
+  "bob inbox objects"
+  (map (fn (a) (get a :object)) (feed/inbox-activities IB "bob"))
+  (list "p1" "p2"))
+(feed-test
+  "dave inbox objects"
+  (map (fn (a) (get a :object)) (feed/inbox-activities IB "dave"))
+  (list "p1"))
+(feed-test
+  "dave inbox verb"
+  (map (fn (a) (get a :verb)) (feed/inbox-activities IB "dave"))
+  (list "like"))
+
+; empty graph → no audience → no edges
+(feed-test
+  "empty graph fanout"
+  (feed/count (feed/fanout S {}))
+  0)
+
+; actor nobody follows produces no edges
+(define
+  Sghost
+  (feed/stream (list (feed/activity "ghost" "post" "g1" 5 (list)))))
+(feed-test
+  "unfollowed actor fanout"
+  (feed/count (feed/fanout Sghost G))
+  0)
+
+; ---------- high fanout (popular actor) ----------
+
+(define
+  Gstar
+  (feed/follow-graph
+    (list
+      (list "u1" "star")
+      (list "u2" "star")
+      (list "u3" "star")
+      (list "u4" "star")
+      (list "u5" "star"))))
+(define
+  Sstar
+  (feed/stream (list (feed/activity "star" "post" "s1" 1 (list)))))
+(feed-test
+  "star fanout count"
+  (feed/count (feed/fanout Sstar Gstar))
+  5)
+(feed-test "star audience size" (len (feed/audience Gstar)) 5)
+
+; ---------- mutual follow ----------
+
+(define Gmut (feed/follow-graph (list (list "a" "b") (list "b" "a"))))
+(define
+  Smut
+  (feed/stream
+    (list
+      (feed/activity "a" "post" "pa" 1 (list))
+      (feed/activity "b" "post" "pb" 2 (list)))))
+(define IBmut (feed/fanout Smut Gmut))
+(feed-test "mutual total" (feed/count IBmut) 2)
+(feed-test
+  "mutual a gets pb"
+  (map (fn (x) (get x :object)) (feed/inbox-activities IBmut "a"))
+  (list "pb"))
+(feed-test
+  "mutual b gets pa"
+  (map (fn (x) (get x :object)) (feed/inbox-activities IBmut "b"))
+  (list "pa"))
+
+; ---------- dedupe ----------
+
+(define
+  Sdup2
+  (feed/stream
+    (list
+      (feed/activity "alice" "post" "p1" 1 (list))
+      (feed/activity "alice" "post" "p1" 9 (list))
+      (feed/activity "alice" "post" "p2" 2 (list)))))
+(feed-test
+  "dedupe-activities collapses dup"
+  (feed/count (feed/dedupe-activities Sdup2))
+  2)
+(feed-test
+  "dedupe-activities keeps distinct"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/dedupe-activities Sdup2)))
+  (list "p1" "p2"))
+
+(define
+  Slikes
+  (feed/stream
+    (list
+      (feed/activity "alice" "like" "X" 1 (list))
+      (feed/activity "bob" "like" "X" 2 (list))
+      (feed/activity "carol" "like" "Y" 3 (list)))))
+(feed-test
+  "collapse cross-actor likes"
+  (feed/count (feed/dedupe-collapse Slikes))
+  2)
+(feed-test
+  "collapse keeps distinct objects"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/dedupe-collapse Slikes)))
+  (list "X" "Y"))
+
+(feed-test
+  "activity-key shape"
+  (feed/activity-key (feed/activity "a" "post" "o" 0 (list)))
+  (list "a" "post" "o"))
+(feed-test
+  "collapse-key shape"
+  (feed/collapse-key (feed/activity "a" "like" "o" 0 (list)))
+  (list "like" "o"))
+
+; cross-post: alice posts p1 twice → bob's inbox has it twice → dedupe-inbox → once
+(define
+  Scross
+  (feed/stream
+    (list
+      (feed/activity "alice" "post" "p1" 1 (list))
+      (feed/activity "alice" "post" "p1" 5 (list)))))
+(define IBcross (feed/fanout Scross G))
+(feed-test
+  "cross-post raw bob count"
+  (feed/count (feed/inbox-for IBcross "bob"))
+  2)
+(feed-test
+  "cross-post deduped bob count"
+  (feed/count (feed/inbox-for (feed/dedupe-inbox IBcross) "bob"))
+  1)
+(feed-test
+  "dedupe-inbox keeps distinct receivers"
+  (feed/count (feed/dedupe-inbox IBcross))
+  2)

lib/feed/tests/home.sx

@@ -0,0 +1,73 @@
+; Follow-up — feed/home capstone pipeline. (feed-test name got expected)
+
+; alice follows star and bob (edges: follower followee)
+(define
+  G
+  (feed/follow-graph (list (list "alice" "star") (list "alice" "bob"))))
+
+; star posts s1 then s2; bob posts b1; star re-posts s1 (cross-post dup);
+; zoe posts z1 (alice does NOT follow zoe)
+(define
+  S
+  (feed/stream
+    (list
+      (feed/activity "star" "post" "s1" 10 (list))
+      (feed/activity "star" "post" "s2" 20 (list))
+      (feed/activity "bob" "post" "b1" 15 (list))
+      (feed/activity "star" "post" "s1" 5 (list))
+      (feed/activity "zoe" "post" "z1" 30 (list)))))
+
+(define rec (feed/recency 100 10))
+
+(feed-test
+  "home count (deduped, followed only)"
+  (feed/count (feed/home S G "alice" feed/permit-public? rec 10))
+  3)
+
+(feed-test
+  "home order by recency"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/home S G "alice" feed/permit-public? rec 10)))
+  (list "s2" "b1" "s1"))
+
+(feed-test
+  "home excludes unfollowed zoe"
+  (feed/-elem?
+    "z1"
+    (map
+      (fn (a) (get a :object))
+      (feed/items (feed/home S G "alice" feed/permit-public? rec 10))))
+  false)
+
+(feed-test
+  "home top-2"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/home S G "alice" feed/permit-public? rec 2)))
+  (list "s2" "b1"))
+
+(feed-test
+  "home dedupes cross-post (one s1)"
+  (len
+    (filter
+      (fn (o) (equal? o "s1"))
+      (map
+        (fn (a) (get a :object))
+        (feed/items
+          (feed/home S G "alice" feed/permit-public? rec 10)))))
+  1)
+
+; ACL applied per-viewer in the home pipeline
+(define
+  Sacl
+  (feed/stream
+    (list (feed/normalize {:actor "star" :object "pub" :at 20}) (feed/normalize {:actor "star" :object "sec" :visible-to (list "carol") :at 25}))))
+(define Gacl (feed/follow-graph (list (list "alice" "star"))))
+
+(feed-test
+  "home hides activity alice not permitted"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/home Sacl Gacl "alice" feed/permit-acl? rec 10)))
+  (list "pub"))

lib/feed/tests/integration.sx

@@ -0,0 +1,155 @@
+; Phase 4 — visibility (ACL) + federation, and the end-to-end timeline.
+; (feed-test name got expected)
+
+; ---------- ACL visibility ----------
+; pub: public. sec: bob, allows carol. dm: frank, allows dave.
+
+(define
+  C
+  (feed/stream
+    (list
+      (feed/normalize {:actor "alice" :object "pub" :at 10})
+      (feed/normalize {:actor "bob" :object "sec" :visible-to (list "carol") :at 20})
+      (feed/normalize {:actor "frank" :object "dm" :visible-to (list "dave") :at 30}))))
+
+(feed-test
+  "public visible to anyone"
+  (feed/count (feed/visible C "zoe" feed/permit-acl?))
+  1)
+(feed-test
+  "carol sees allowlisted + public"
+  (feed/count (feed/visible C "carol" feed/permit-acl?))
+  2)
+(feed-test
+  "dave sees dm + public"
+  (feed/count (feed/visible C "dave" feed/permit-acl?))
+  2)
+(feed-test
+  "author always sees own private"
+  (feed/count (feed/visible C "frank" feed/permit-acl?))
+  2)
+(feed-test
+  "permit-public? lets all through"
+  (feed/count (feed/visible C "zoe" feed/permit-public?))
+  3)
+(feed-test
+  "visible objects for dave"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/visible C "dave" feed/permit-acl?)))
+  (list "pub" "dm"))
+
+; per-viewer: same stream, different timelines
+(feed-test
+  "zoe timeline differs from carol"
+  (not
+    (=
+      (feed/count (feed/visible C "zoe" feed/permit-acl?))
+      (feed/count (feed/visible C "carol" feed/permit-acl?))))
+  true)
+
+; ---------- federation: merge / ingest ----------
+
+(define
+  L
+  (feed/stream
+    (list
+      (feed/activity "alice" "post" "p1" 10 (list))
+      (feed/activity "alice" "post" "p2" 20 (list)))))
+(define
+  P
+  (feed/stream
+    (list
+      (feed/activity "alice" "post" "p2" 20 (list))
+      (feed/activity "peer" "post" "p9" 25 (list)))))
+
+(feed-test "merge concatenates" (feed/count (feed/merge L P)) 4)
+(feed-test
+  "ingest dedupes overlap"
+  (feed/count (feed/ingest L P))
+  3)
+
+(feed-test
+  "inbound normalizes + ingests"
+  (feed/count (feed/inbound L (list {:actor "peer" :object "p9" :at 25} {:actor "alice" :object "p1" :at 10})))
+  3)
+
+; backfill via injected fetch-fn
+(define peer-history (fn (peer-id) (list {:actor peer-id :object "h1" :at 1} {:actor peer-id :object "h2" :at 2})))
+(feed-test
+  "backfill merges peer history"
+  (feed/count (feed/backfill L peer-history "remote"))
+  4)
+(feed-test
+  "backfill objects present"
+  (map
+    (fn (a) (get a :object))
+    (feed/items
+      (feed/by-actor (feed/backfill L peer-history "remote") "remote")))
+  (list "h1" "h2"))
+
+; ---------- federation: outbound partition ----------
+
+; bob (local), alice@remote + carol@remote (remote) follow star
+(define
+  Gf
+  (feed/follow-graph
+    (list
+      (list "bob" "star")
+      (list "alice@remote" "star")
+      (list "carol@remote" "star"))))
+(define
+  Sf
+  (feed/stream (list (feed/activity "star" "post" "s1" 1 (list)))))
+(define
+  remote?
+  (fn (id) (feed/-elem? id (list "alice@remote" "carol@remote"))))
+(define parts (feed/federate Sf Gf remote?))
+
+(feed-test "local deliveries" (feed/count (get parts :local)) 1)
+(feed-test "remote deliveries" (feed/count (get parts :remote)) 2)
+(feed-test
+  "local recipient is bob"
+  (feed/recipients (get parts :local))
+  (list "bob"))
+
+; deliver: send-fn receives each remote event, local inbox returned
+(define sent (list))
+(define send-fn (fn (to act) (set! sent (append sent (list to)))))
+(define local-inbox (feed/deliver Sf Gf remote? send-fn))
+(feed-test "deliver returns local inbox" (feed/count local-inbox) 1)
+(feed-test "deliver sent to both remotes" (len sent) 2)
+(feed-test "deliver remote targets" sent (list "alice@remote" "carol@remote"))
+
+; ---------- end-to-end: federated, ACL-filtered, ranked timeline ----------
+
+(define
+  base
+  (feed/stream
+    (list
+      (feed/normalize {:actor "alice" :object "a1" :at 100})
+      (feed/normalize {:actor "bob" :object "b1" :visible-to (list "carol") :at 90})
+      (feed/normalize {:actor "eve" :object "e1" :visible-to (list "dave") :at 80}))))
+(define federated (feed/inbound base (list {:actor "peer" :object "x1" :at 110})))
+(define rec (feed/recency 120 10))
+(define
+  carol-tl
+  (feed/timeline federated "carol" feed/permit-acl? rec 3))
+
+; eve's :visible-to excludes carol -> filtered out; peer/alice public, bob allows carol
+(feed-test "carol federated timeline count" (feed/count carol-tl) 3)
+(feed-test
+  "carol timeline order (recency)"
+  (map (fn (a) (get a :object)) (feed/items carol-tl))
+  (list "x1" "a1" "b1"))
+(feed-test
+  "eve dm excluded from carol"
+  (feed/-elem? "e1" (map (fn (a) (get a :object)) (feed/items carol-tl)))
+  false)
+(feed-test
+  "dave sees eve dm not bob"
+  (map
+    (fn (a) (get a :object))
+    (feed/items
+      (feed/timeline federated "dave" feed/permit-acl? rec 5)))
+  (list "x1" "a1" "e1"))

lib/feed/tests/mute.sx

@@ -0,0 +1,68 @@
+; Follow-up — viewer mute/block filtering. (feed-test name got expected)
+
+(define
+  S
+  (feed/stream
+    (list
+      (feed/normalize {:actor "alice" :object "P1" :at 1 :tags (list "news")})
+      (feed/normalize {:actor "bob" :object "P2" :at 2 :tags (list "spam")})
+      (feed/normalize {:actor "alice" :object "P3" :at 3 :tags (list "cats")})
+      (feed/normalize {:actor "carol" :object "P4" :at 4 :tags (list "news" "spam")}))))
+
+; ---------- mute actors ----------
+
+(feed-test
+  "mute bob drops his post"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/mute-actors S (list "bob"))))
+  (list "P1" "P3" "P4"))
+(feed-test
+  "mute alice drops two"
+  (feed/count (feed/mute-actors S (list "alice")))
+  2)
+(feed-test
+  "mute nobody keeps all"
+  (feed/count (feed/mute-actors S (list)))
+  4)
+
+; ---------- mute tags ----------
+
+(feed-test
+  "mute spam tag drops two"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/mute-tags S (list "spam"))))
+  (list "P1" "P3"))
+(feed-test
+  "mute news+cats leaves spam-only"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/mute-tags S (list "news" "cats"))))
+  (list "P2"))
+
+; ---------- mute objects ----------
+
+(feed-test
+  "mute object P3 (thread mute)"
+  (feed/count (feed/mute-objects S (list "P3")))
+  3)
+
+; ---------- combined prefs ----------
+
+(feed-test
+  "apply-prefs actors + tags"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/apply-prefs S {:mute-actors (list "bob") :mute-tags (list "cats")})))
+  (list "P1" "P4"))
+(feed-test
+  "apply-prefs empty keeps all"
+  (feed/count (feed/apply-prefs S {}))
+  4)
+(feed-test
+  "apply-prefs all three filters"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/apply-prefs S {:mute-objects (list "P3") :mute-actors (list "carol") :mute-tags (list "spam")})))
+  (list "P1"))

lib/feed/tests/notify.sx

@@ -0,0 +1,69 @@
+; Follow-up — notification feed over an inbox. (feed-test name got expected)
+
+; an inbox is a stream of {:to receiver :activity act} events
+(define mk-ev (fn (to act) {:activity act :to to}))
+
+(define
+  IB
+  (feed/stream
+    (list
+      (mk-ev "alice" (feed/activity "bob" "like" "P" 10 (list)))
+      (mk-ev "alice" (feed/activity "carol" "like" "P" 20 (list)))
+      (mk-ev "alice" (feed/activity "dave" "reply" "Q" 30 (list)))
+      (mk-ev "bob" (feed/activity "eve" "like" "R" 40 (list))))))
+
+; ---------- raw notifications ----------
+
+(feed-test
+  "alice notification count"
+  (feed/count (feed/notifications IB "alice"))
+  3)
+(feed-test
+  "bob notification count"
+  (feed/count (feed/notifications IB "bob"))
+  1)
+(feed-test
+  "zoe no notifications"
+  (feed/count (feed/notifications IB "zoe"))
+  0)
+
+; ---------- verb filtering ----------
+
+(feed-test
+  "alice likes only"
+  (feed/count (feed/notify-verbs IB "alice" (list "like")))
+  2)
+(feed-test
+  "alice replies only"
+  (feed/count (feed/notify-verbs IB "alice" (list "reply")))
+  1)
+(feed-test
+  "alice like+reply"
+  (feed/count (feed/notify-verbs IB "alice" (list "like" "reply")))
+  3)
+(feed-test
+  "alice follow (none)"
+  (feed/count (feed/notify-verbs IB "alice" (list "follow")))
+  0)
+
+; ---------- digest ----------
+
+(define dig (feed/notify-digest IB "alice"))
+
+(feed-test "digest group count" (len dig) 2)
+(feed-test
+  "digest sorted by key (like|P before reply|Q)"
+  (map (fn (g) (get g :object)) dig)
+  (list "P" "Q"))
+(feed-test
+  "like group actors"
+  (get (nth dig 0) :actors)
+  (list "bob" "carol"))
+(feed-test "like group count" (get (nth dig 0) :count) 2)
+(feed-test "like group verb" (get (nth dig 0) :verb) "like")
+(feed-test "reply group count" (get (nth dig 1) :count) 1)
+(feed-test
+  "reply group actors"
+  (get (nth dig 1) :actors)
+  (list "dave"))
+(feed-test "empty digest for zoe" (feed/notify-digest IB "zoe") (list))

lib/feed/tests/page.sx

@@ -0,0 +1,86 @@
+; Follow-up — pagination (offset + cursor). (feed-test name got expected)
+
+; ---------- offset / limit ----------
+
+(define
+  O
+  (feed/stream
+    (list
+      (feed/activity "u" "post" "o1" 1 (list))
+      (feed/activity "u" "post" "o2" 2 (list))
+      (feed/activity "u" "post" "o3" 3 (list))
+      (feed/activity "u" "post" "o4" 4 (list))
+      (feed/activity "u" "post" "o5" 5 (list)))))
+
+(feed-test
+  "page 1"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/page O 0 2)))
+  (list "o1" "o2"))
+(feed-test
+  "page 2"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/page O 2 2)))
+  (list "o3" "o4"))
+(feed-test
+  "page 3 (partial)"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/page O 4 2)))
+  (list "o5"))
+(feed-test
+  "page past end empty"
+  (feed/count (feed/page O 10 2))
+  0)
+(feed-test "page-count 5/2 = 3" (feed/page-count O 2) 3)
+(feed-test "page-count 5/5 = 1" (feed/page-count O 5) 1)
+
+; ---------- cursor (recency) ----------
+
+(define
+  R
+  (feed/stream
+    (list
+      (feed/activity "u" "post" "a" 50 (list))
+      (feed/activity "u" "post" "b" 40 (list))
+      (feed/activity "u" "post" "c" 30 (list))
+      (feed/activity "u" "post" "d" 20 (list))
+      (feed/activity "u" "post" "e" 10 (list)))))
+
+(define p1 (feed/page-before R 100 2))
+(feed-test
+  "cursor page 1 newest first"
+  (map (fn (a) (get a :object)) (feed/items p1))
+  (list "a" "b"))
+(feed-test "next cursor after page 1" (feed/next-cursor p1) 40)
+
+(define p2 (feed/page-before R (feed/next-cursor p1) 2))
+(feed-test
+  "cursor page 2"
+  (map (fn (a) (get a :object)) (feed/items p2))
+  (list "c" "d"))
+(feed-test "next cursor after page 2" (feed/next-cursor p2) 20)
+
+(define p3 (feed/page-before R (feed/next-cursor p2) 2))
+(feed-test
+  "cursor page 3 (partial)"
+  (map (fn (a) (get a :object)) (feed/items p3))
+  (list "e"))
+
+(feed-test
+  "empty page nil cursor"
+  (feed/next-cursor (feed/page-before R 5 2))
+  nil)
+
+(feed-test
+  "after cursor loads newer"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/recent (feed/after R 30))))
+  (list "a" "b"))
+(feed-test
+  "before cursor count"
+  (feed/count (feed/before R 30))
+  2)

lib/feed/tests/rank.sx

@@ -0,0 +1,160 @@
+; Phase 3 — aggregation + ranking. (feed-test name got expected)
+
+; ---------- aggregation ----------
+
+(define
+  A
+  (feed/stream
+    (list
+      (feed/activity "alice" "post" "p1" 5 (list))
+      (feed/activity "alice" "post" "p2" 15 (list))
+      (feed/activity "bob" "post" "p3" 25 (list))
+      (feed/activity "alice" "like" "p1" 35 (list)))))
+
+(feed-test "actor-counts" (feed/actor-counts A) {:alice 3 :bob 1})
+(feed-test "object-counts" (feed/object-counts A) {:p2 1 :p3 1 :p1 2})
+(feed-test
+  "group-by actor alice len"
+  (len (get (feed/group-by A feed/actor) "alice"))
+  3)
+(feed-test
+  "group-count empty"
+  (feed/group-count feed/empty feed/actor)
+  {})
+
+; day bucketing
+(define
+  D
+  (feed/stream
+    (list
+      (feed/activity "alice" "post" "p1" 5 (list))
+      (feed/activity "alice" "post" "p2" 8 (list))
+      (feed/activity "alice" "post" "p3" 12 (list)))))
+
+(feed-test "feed/day floor" (feed/day 12 10) 1)
+(feed-test "feed/day same bucket" (feed/day 8 10) 0)
+(feed-test "by-actor-day" (feed/by-actor-day D 10) {:alice#0 2 :alice#1 1})
+
+; ---------- recency ----------
+
+(define rec (feed/recency 100 10))
+(feed-test
+  "recency at=now -> 1"
+  (rec (feed/activity "x" "post" "o" 100 (list)))
+  1)
+(feed-test
+  "recency age=hl -> .5"
+  (rec (feed/activity "x" "post" "o" 90 (list)))
+  0.5)
+(feed-test
+  "recency age=2hl -> .25"
+  (rec (feed/activity "x" "post" "o" 80 (list)))
+  0.25)
+
+; ---------- velocity ----------
+
+(define vel (feed/velocity D 10))
+(feed-test
+  "velocity burst (at=12)"
+  (vel (feed/activity "alice" "post" "z" 12 (list)))
+  3)
+(feed-test
+  "velocity mid (at=8)"
+  (vel (feed/activity "alice" "post" "z" 8 (list)))
+  2)
+(feed-test
+  "velocity first (at=5)"
+  (vel (feed/activity "alice" "post" "z" 5 (list)))
+  1)
+(feed-test
+  "velocity other actor"
+  (vel (feed/activity "bob" "post" "z" 12 (list)))
+  0)
+
+; ---------- engagement ----------
+
+(define eng (feed/engagement A))
+(feed-test
+  "engagement p1"
+  (eng (feed/activity "x" "post" "p1" 0 (list)))
+  2)
+(feed-test
+  "engagement p2"
+  (eng (feed/activity "x" "post" "p2" 0 (list)))
+  1)
+
+; ---------- composite ----------
+
+(define
+  cmp1
+  (feed/composite (list (list 2 (fn (a) (get a :at))))))
+(feed-test
+  "composite single part"
+  (cmp1 (feed/activity "x" "post" "o" 5 (list)))
+  10)
+(define
+  cmp2
+  (feed/composite
+    (list
+      (list 2 (fn (a) (get a :at)))
+      (list 3 (fn (a) 1)))))
+(feed-test
+  "composite two parts"
+  (cmp2 (feed/activity "x" "post" "o" 5 (list)))
+  13)
+
+; ---------- ranking ----------
+
+(define
+  R
+  (feed/stream
+    (list
+      (feed/activity "u" "post" "oC" 80 (list))
+      (feed/activity "u" "post" "oA" 100 (list))
+      (feed/activity "u" "post" "oB" 90 (list)))))
+
+(feed-test
+  "rank by recency objects"
+  (map (fn (a) (get a :object)) (feed/items (feed/rank R rec)))
+  (list "oA" "oB" "oC"))
+(feed-test
+  "top-2 by recency"
+  (map (fn (a) (get a :object)) (feed/items (feed/top R rec 2)))
+  (list "oA" "oB"))
+(feed-test "top-2 count" (feed/count (feed/top R rec 2)) 2)
+
+; constant score -> tiebreak by :at descending
+(define
+  T
+  (feed/stream
+    (list
+      (feed/activity "u" "post" "f" 10 (list))
+      (feed/activity "u" "post" "g" 30 (list))
+      (feed/activity "u" "post" "h" 20 (list)))))
+(feed-test
+  "tiebreak at-desc"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/rank T (fn (a) 0))))
+  (list "g" "h" "f"))
+
+; equal score AND equal :at -> stable input order
+(define
+  E
+  (feed/stream
+    (list
+      (feed/activity "u" "post" "first" 50 (list))
+      (feed/activity "u" "post" "second" 50 (list)))))
+(feed-test
+  "stable equal-key input order"
+  (map
+    (fn (a) (get a :object))
+    (feed/items (feed/rank E (fn (a) 0))))
+  (list "first" "second"))
+
+(feed-test
+  "with-scores attaches score"
+  (get (nth (feed/items (feed/with-scores R rec)) 1) :score)
+  1)
+
+(feed-test "rank preserves count" (feed/count (feed/rank A rec)) 4)

lib/feed/tests/thread.sx

@@ -0,0 +1,49 @@
+; Follow-up — conversation threading via :reply-to closure. (feed-test name got expected)
+
+(define
+  S
+  (feed/stream
+    (list
+      (feed/normalize {:actor "a" :object "root" :at 1})
+      (feed/normalize {:actor "b" :object "r1" :at 2 :verb "reply" :reply-to "root"})
+      (feed/normalize {:actor "c" :object "r2" :at 3 :verb "reply" :reply-to "root"})
+      (feed/normalize {:actor "d" :object "r3" :at 4 :verb "reply" :reply-to "r1"})
+      (feed/normalize {:actor "e" :object "x" :at 5}))))
+
+; ---------- direct replies ----------
+
+(feed-test "direct replies to root" (feed/reply-count S "root") 2)
+(feed-test "direct replies to r1" (feed/reply-count S "r1") 1)
+(feed-test "no replies to r3" (feed/reply-count S "r3") 0)
+(feed-test
+  "replies objects to root"
+  (map (fn (a) (get a :object)) (feed/items (feed/replies S "root")))
+  (list "r1" "r2"))
+
+; ---------- thread closure ----------
+
+(feed-test
+  "thread objects root (transitive)"
+  (feed/thread-objects S "root")
+  (list "root" "r1" "r2" "r3"))
+(feed-test
+  "thread root chronological"
+  (map (fn (a) (get a :object)) (feed/items (feed/thread S "root")))
+  (list "root" "r1" "r2" "r3"))
+(feed-test "thread size root" (feed/thread-size S "root") 4)
+(feed-test
+  "thread excludes unrelated x"
+  (feed/-elem?
+    "x"
+    (map (fn (a) (get a :object)) (feed/items (feed/thread S "root"))))
+  false)
+
+; ---------- sub-thread ----------
+
+(feed-test
+  "thread from r1 (sub-tree)"
+  (map (fn (a) (get a :object)) (feed/items (feed/thread S "r1")))
+  (list "r1" "r3"))
+(feed-test "thread size r1" (feed/thread-size S "r1") 2)
+(feed-test "leaf thread is itself" (feed/thread-size S "r3") 1)
+(feed-test "unrelated thread is itself" (feed/thread-size S "x") 1)

lib/feed/tests/trending.sx

@@ -0,0 +1,82 @@
+; Follow-up — trending objects/actors by recent activity. (feed-test name got expected)
+
+; window (50,100]: X@60,X@70 (a), Y@80 (b), Z@90 (c); W@40 is too old
+(define
+  S
+  (feed/stream
+    (list
+      (feed/activity "a" "post" "X" 60 (list))
+      (feed/activity "a" "post" "X" 70 (list))
+      (feed/activity "b" "post" "Y" 80 (list))
+      (feed/activity "c" "post" "Z" 90 (list))
+      (feed/activity "d" "post" "W" 40 (list)))))
+
+; ---------- trending objects ----------
+
+(feed-test
+  "trending count (3 in window)"
+  (len (feed/trending S 100 50 10))
+  3)
+(feed-test
+  "trending top object"
+  (get
+    (nth (feed/trending S 100 50 10) 0)
+    :object)
+  "X")
+(feed-test
+  "trending top count"
+  (get
+    (nth (feed/trending S 100 50 10) 0)
+    :count)
+  2)
+(feed-test
+  "trending order (count desc, key asc tiebreak)"
+  (map
+    (fn (e) (get e :object))
+    (feed/trending S 100 50 10))
+  (list "X" "Y" "Z"))
+(feed-test
+  "trending top-2"
+  (map
+    (fn (e) (get e :object))
+    (feed/trending S 100 50 2))
+  (list "X" "Y"))
+(feed-test
+  "old object W excluded"
+  (feed/-elem?
+    "W"
+    (map
+      (fn (e) (get e :object))
+      (feed/trending S 100 50 10)))
+  false)
+(feed-test
+  "narrow window keeps only newest"
+  (map
+    (fn (e) (get e :object))
+    (feed/trending S 100 15 10))
+  (list "Z"))
+(feed-test
+  "empty window -> nothing"
+  (feed/trending S 100 5 10)
+  (list))
+
+; ---------- trending actors ----------
+
+(feed-test
+  "trending actor top"
+  (get
+    (nth (feed/trending-actors S 100 50 10) 0)
+    :actor)
+  "a")
+(feed-test
+  "trending actor count"
+  (get
+    (nth (feed/trending-actors S 100 50 10) 0)
+    :count)
+  2)
+(feed-test
+  "trending actors order"
+  (map
+    (fn (e) (get e :actor))
+    (feed/trending-actors S 100 50 10))
+  (list "a" "b" "c"))

lib/feed/thread.sx

@@ -0,0 +1,59 @@
+; feed/thread — conversation threading. A reply carries :reply-to <parent-object>
+; (normalize preserves it). A thread is the transitive closure over :reply-to from
+; a root object: root + replies + replies-to-replies, gathered chronologically.
+;
+; Requires: lib/feed/normalize.sx, lib/feed/stream.sx, lib/feed/fanout.sx
+; (feed/-elem?, feed/-distinct).
+
+; direct replies to an object
+(define
+  feed/replies
+  (fn
+    (stream object)
+    (feed/filter stream (fn (a) (equal? (get a :reply-to) object)))))
+
+(define
+  feed/reply-count
+  (fn (stream object) (feed/count (feed/replies stream object))))
+
+; iterate f from x until the result stops growing (set-closure fixpoint)
+(define
+  feed/-fixpoint
+  (fn
+    (f x)
+    (let
+      ((nx (f x)))
+      (if (= (len nx) (len x)) x (feed/-fixpoint f nx)))))
+
+; the set of object-ids in the thread rooted at `root`
+(define
+  feed/thread-objects
+  (fn
+    (stream root)
+    (let
+      ((all (feed/items stream)))
+      (feed/-fixpoint
+        (fn
+          (acc)
+          (feed/-distinct
+            (append
+              acc
+              (map
+                (fn (a) (get a :object))
+                (filter (fn (a) (feed/-elem? (get a :reply-to) acc)) all)))))
+        (list root)))))
+
+; the full thread as a chronological stream (root + all descendants)
+(define
+  feed/thread
+  (fn
+    (stream root)
+    (let
+      ((objs (feed/thread-objects stream root)))
+      (feed/sort-by-at
+        (feed/filter stream (fn (a) (feed/-elem? (get a :object) objs)))))))
+
+; how many activities are in the thread (root counts as 1)
+(define
+  feed/thread-size
+  (fn (stream root) (feed/count (feed/thread stream root))))

lib/feed/trending.sx

@@ -0,0 +1,42 @@
+; feed/trending — what's hot right now: objects (or actors) ranked by activity
+; count within a recency window. Deterministic: count descending, ties broken by
+; key ascending (entries are pre-sorted by key, then stable grade-down by count).
+;
+; Requires: lib/feed/stream.sx, lib/feed/aggregate.sx (object/actor-counts),
+; lib/feed/rank.sx (feed/-desc-by).
+
+; activities within (now-window, now]
+(define
+  feed/-recent
+  (fn
+    (stream now window)
+    (feed/filter
+      stream
+      (fn (a) (and (<= (get a :at) now) (> (get a :at) (- now window)))))))
+
+; counts dict -> top-N entries {label key, :count n}, count desc, key asc
+(define
+  feed/-top-counts
+  (fn
+    (counts label n)
+    (let
+      ((entries (map (fn (k) (assoc {:count (get counts k)} label k)) (sort (keys counts)))))
+      (take (feed/-desc-by entries (fn (e) (get e :count))) n))))
+
+; top-N trending objects in the window
+(define
+  feed/trending
+  (fn
+    (stream now window n)
+    (feed/-top-counts
+      (feed/object-counts (feed/-recent stream now window))
+      :object n)))
+
+; top-N most active actors in the window
+(define
+  feed/trending-actors
+  (fn
+    (stream now window n)
+    (feed/-top-counts
+      (feed/actor-counts (feed/-recent stream now window))
+      :actor n)))

lib/flow/README.md

@@ -0,0 +1,141 @@
+# flow — durable DAG workflows on Scheme
+
+`flow` is a workflow engine for rose-ash: content pipelines (write → review →
+publish → federate), scheduled jobs, and multi-step user flows (signup, confirm,
+onboard) that **survive process restarts**. It is a thin Scheme prelude over the
+Scheme-on-SX guest (`lib/scheme/`); a flow runs *inside* the interpreter.
+
+Run the suite: `bash lib/flow/conformance.sh` → **151/151 across 10 suites**.
+
+## Model
+
+A **flow** is just a Scheme procedure of one argument — the upstream value:
+
+```
+node : input -> output
+```
+
+Combinators build composite nodes out of child nodes. A node that ignores its
+argument is effectively a thunk. There is no separate "graph" object: composition
+*is* function composition, so flows are values you can name, pass, and nest.
+
+```scheme
+(defflow publish
+  (sequence
+    (lambda (draft) (string-append draft "!"))
+    (branch (lambda (post) (>= (string-length post) 3))
+            (remote-node 'fed 'publish)
+            (flow-const 'rejected))))
+
+(flow/start publish "hello")   ; => federated, or a (flow-suspended id tag) state
+```
+
+## Building blocks (`spec.sx`)
+
+| Combinator | Meaning |
+|---|---|
+| `(flow-node f)` / `(flow-id x)` / `(flow-const v)` | leaf nodes |
+| `(sequence n ...)` | thread input left-to-right |
+| `(parallel n ...)` | fan input to every child, join results into a list (sequential eval) |
+| `(map-flow node)` | run `node` over each item of a list input, join results |
+| `(flow-while pred body max)` / `(flow-until ...)` | bounded iteration (cap `max` steps) |
+| `(defflow name body)` | bind + register a named flow (so it survives restart) |
+
+## Control flow + errors (`spec.sx`)
+
+| Combinator | Meaning |
+|---|---|
+| `(branch pred then else)` | `pred` on input selects `then`/`else` (`cond` is a Scheme special form) |
+| `(retry n node)` | re-run on a *raised exception*, up to `n` attempts |
+| `(timeout budget node)` | cooperative **step budget**: nodes call `(tick)`; the `(budget+1)`-th tick raises `flow-timeout` |
+| `(try-catch node handler)` | catch a raised exception → `(handler error)` |
+| `(fail reason)` / `(failed? x)` / `(fail-reason x)` | explicit failure *values* (flow downstream as data) |
+| `(recover node handler)` | the fail-VALUE counterpart of try-catch |
+| `(attempt n ...)` | railway sequence: stop at the first node returning a `(fail ...)` |
+| `(tap effect)` | run a side effect, return input unchanged |
+
+**Two error channels, on purpose.** Raised exceptions are for *bugs/transients*
+(caught by `retry`/`try-catch`). `(fail reason)` values are for *expected business
+outcomes* (validation rejected, declined) and compose via `attempt`/`recover`.
+
+## Suspend / resume — the durable core (`spec.sx`, `store.sx`)
+
+The guest Scheme's `call/cc` is **escape-only** — re-invoking a captured
+continuation after it returns *hangs* the runtime. So flow does **not** serialize
+continuations. Instead it uses **deterministic replay**:
+
+- `(suspend tag)` — if `tag` is already in the replay log, return its logged value;
+  otherwise escape to the driver as `(flow-suspended tag)`.
+- `resume` appends `(tag value)` to the log and **re-runs the flow from the start**.
+  Already-resolved suspends replay their values; the first unresolved one escapes
+  again (or the flow completes).
+
+The entire persisted state is the replay log — plain data. No live continuation is
+ever stored, so flows survive process restarts and even moves between instances.
+
+> **Author contract:** suspend `tag`s must be unique and deterministic across
+> replays, and **all** non-determinism / side effects must go through suspend
+> points (so their results are logged) — otherwise they re-run on every replay.
+
+### Lifecycle (`store.sx`)
+
+```scheme
+(flow/start flow input)   ; raw result if it completes, else (flow-suspended id tag)
+(flow/resume id value)    ; inject value at the waiting tag, continue
+(flow/cancel id)          ; terminate; a later resume is rejected
+```
+
+### Introspection & hygiene
+
+```scheme
+(flow/status id)   ; done | suspended | cancelled | unknown
+(flow/result id)   ; result if done, else (flow-error reason)
+(flow/list)        ; ((id status) ...)
+(flow/pending)     ; ((id waiting-tag) ...) — what each suspended flow awaits
+(flow/gc)          ; drop terminal records, keep live ones; returns count removed
+(flow/forget id)   ; drop one terminal record (refuses live flows)
+```
+
+### Crash recovery
+
+```scheme
+(flow-store-export)      ; the store as plain data (live procs nulled)
+(flow-store-import! d)   ; restore the store from exported data
+(flow-resumable-ids)     ; ids of suspended flows to wake on restart
+```
+
+On restart the flow definitions are reloaded (`defflow` re-registers names) and the
+exported store reimported; `resume` re-resolves each flow's procedure **by name**.
+
+## Distribution via fed-sx (`remote.sx`)
+
+```scheme
+(flow-peer-register! addr table)      ; mock a peer's exposed functions (fed-sx boundary)
+(remote-node addr fn)                 ; run a node on a peer
+(remote-failover addrs fn local)      ; try peers in order, fall through to a local node
+(flow-replicate-to addr)              ; copy this store to a peer's replica slot
+(flow-restore-from addr)              ; import a peer's replica (handoff)
+```
+
+**Handoff** is crash recovery across instances: replicate → local instance dies →
+peer restores the (plain-data) store and resumes. The replay log carries over, so
+all resolved suspends survive the move.
+
+## Files
+
+| File | Contents |
+|---|---|
+| `spec.sx` | combinators (flow-combinators-src / flow-control-src / flow-suspend-src) |
+| `store.sx` | durable store, lifecycle, crash recovery, introspection, hygiene |
+| `remote.sx` | fed-sx transport (mock peer registry), failover, replication |
+| `api.sx` | `flow-make-env` / `flow-run` SX helpers (one cached env, per-test reset) |
+| `tests/*.sx` | 10 suites, 151 cases |
+| `conformance.sh` | loads substrate + flow layer, runs every suite |
+
+## Notes on the substrate
+
+The guest Scheme (`lib/scheme/`, imported read-only) lacks dotted-rest params
+`(a . rest)` and named `let`; combinators use `(lambda args ...)` variadics + top-
+level recursion. `cons` is list-only (no dotted pairs), so log/assoc entries are
+2-element lists. Strings box as `{:scm-string "..."}`. Timeout is a step budget
+because there is no wall clock; `parallel` is sequential for the same reason.

lib/flow/api.sx

@@ -0,0 +1,65 @@
+;; lib/flow/api.sx — flow runtime entry points.
+;;
+;; Builds a Scheme env preloaded with the flow combinators (lib/flow/spec.sx),
+;; the durable store + lifecycle (lib/flow/store.sx), the fed-sx remote layer
+;; (lib/flow/remote.sx), and the host integration ABI (lib/flow/host.sx), and
+;; provides SX helpers to run flow programs.
+;;
+;; Scheme-level API (available inside flow programs):
+;;   (flow/start flow input) — run a flow; raw result if it completes, else
+;;                             (flow-suspended id tag). Defined in store.sx.
+;;   (flow/resume id value)  — resume a suspended flow (store.sx)
+;;   (flow/cancel id)        — cancel a flow (store.sx)
+;;   (suspend tag)           — suspension point (spec.sx)
+;;   (request kind payload)  — host request envelope over suspend (host.sx)
+;;   (remote-node addr fn)   — node executed on a federation peer (remote.sx)
+;;
+;; SX-level helpers (for hosts and tests):
+;;   (flow-make-env)        — fresh standard env + combinators + store + remote + host
+;;   (flow-run src)         — eval a Scheme program string in a reset shared env
+;;   (flow-run-in env src)  — eval a Scheme program string in a given env
+;;
+;; flow-run reuses ONE env (building the full standard env is expensive) and
+;; resets the mutable flow globals before each program, so tests stay isolated
+;; without paying for a fresh standard env each time. flow-registry persists (it
+;; models reloaded flow definitions surviving a restart).
+
+(define
+  flow-make-env
+  (fn
+    ()
+    (let
+      ((env (scheme-standard-env)))
+      (flow-load-combinators! env)
+      (flow-load-store! env)
+      (flow-load-remote! env)
+      (flow-load-host! env)
+      env)))
+
+(define
+  flow-run-in
+  (fn (env src) (scheme-eval-program (scheme-parse-all src) env)))
+
+(define
+  flow-reset-src
+  "(set! flow-store (list)) (set! flow-next-id 0) (set! flow-replay-log (list)) (set! flow-suspend-k #f) (set! flow-timeout-budget -1) (set! flow-peers (list)) (set! flow-replicas (list))")
+
+(define flow-env-cache false)
+
+(define
+  flow-shared-env
+  (fn
+    ()
+    (begin
+      (if flow-env-cache nil (set! flow-env-cache (flow-make-env)))
+      flow-env-cache)))
+
+(define
+  flow-run
+  (fn
+    (src)
+    (let
+      ((env (flow-shared-env)))
+      (begin
+        (scheme-eval-program (scheme-parse-all flow-reset-src) env)
+        (scheme-eval-program (scheme-parse-all src) env)))))

lib/flow/conformance.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+# flow-on-sx conformance runner — runs all flow test suites in one sx_server process.
+#
+# Usage:
+#   bash lib/flow/conformance.sh        # run all suites
+#   bash lib/flow/conformance.sh -v     # verbose (list each suite)
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+
+# Suites: NAME RUNNER-FN PATH
+SUITES=(
+  "basic       flow-basic-tests-run!     lib/flow/tests/basic.sx"
+  "control     flow-ctl-tests-run!       lib/flow/tests/control.sx"
+  "suspend     flow-sus-tests-run!       lib/flow/tests/suspend.sx"
+  "recovery    flow-rec-tests-run!       lib/flow/tests/recovery.sx"
+  "distributed flow-dist-tests-run!      lib/flow/tests/distributed.sx"
+  "api         flow-api-tests-run!       lib/flow/tests/api.sx"
+  "combinators flow-cmb-tests-run!       lib/flow/tests/combinators.sx"
+  "railway     flow-rail-tests-run!      lib/flow/tests/railway.sx"
+  "integration flow-int-tests-run!       lib/flow/tests/integration.sx"
+  "hygiene     flow-hyg-tests-run!       lib/flow/tests/hygiene.sx"
+  "host        flow-hst-tests-run!       lib/flow/tests/host.sx"
+)
+
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+EPOCH=1
+
+emit_load () { echo "(epoch $EPOCH)"; echo "(load \"$1\")"; EPOCH=$((EPOCH+1)); }
+emit_eval () { echo "(epoch $EPOCH)"; echo "(eval \"$1\")"; EPOCH=$((EPOCH+1)); }
+
+{
+  emit_load "lib/guest/lex.sx"
+  emit_load "lib/guest/reflective/env.sx"
+  emit_load "lib/guest/reflective/quoting.sx"
+  emit_load "lib/scheme/parser.sx"
+  emit_load "lib/scheme/eval.sx"
+  emit_load "lib/scheme/runtime.sx"
+  emit_load "lib/flow/spec.sx"
+  emit_load "lib/flow/store.sx"
+  emit_load "lib/flow/remote.sx"
+  emit_load "lib/flow/host.sx"
+  emit_load "lib/flow/api.sx"
+  for SUITE in "${SUITES[@]}"; do
+    read -r _NAME _RUNNER FILE <<< "$SUITE"
+    emit_load "$FILE"
+    emit_eval "($_RUNNER)"
+  done
+} > "$TMPFILE"
+
+OUTPUT=$(timeout 540 "$SX_SERVER" < "$TMPFILE" 2>&1 || true)
+
+TOTAL_PASS=0
+TOTAL_FAIL=0
+FAILED_SUITES=()
+
+LAST_DICT_LINES=$(echo "$OUTPUT" | grep -E '^\{:' || true)
+
+I=0
+while read -r LINE; do
+  [ -z "$LINE" ] && continue
+  P=$(echo "$LINE" | grep -oE ':passed [0-9]+' | awk '{print $2}')
+  F=$(echo "$LINE" | grep -oE ':failed [0-9]+' | awk '{print $2}')
+  [ -z "$P" ] && P=0
+  [ -z "$F" ] && F=0
+  SUITE_INFO="${SUITES[$I]}"
+  SUITE_NAME=$(echo "$SUITE_INFO" | awk '{print $1}')
+  TOTAL_PASS=$((TOTAL_PASS + P))
+  TOTAL_FAIL=$((TOTAL_FAIL + F))
+  if [ "$F" -gt 0 ]; then
+    FAILED_SUITES+=("$SUITE_NAME: $P/$((P+F))")
+    printf 'X %-12s %d/%d\n' "$SUITE_NAME" "$P" "$((P+F))"
+    echo "$LINE" | grep -oE ':name "[^"]*"' | sed 's/:name /    fail: /'
+  elif [ "$VERBOSE" = "-v" ]; then
+    printf 'ok %-12s %d passed\n' "$SUITE_NAME" "$P"
+  fi
+  I=$((I+1))
+done <<< "$LAST_DICT_LINES"
+
+TOTAL=$((TOTAL_PASS + TOTAL_FAIL))
+if [ "$TOTAL" -eq 0 ]; then
+  echo "ERROR: no suite results parsed. Raw output:" >&2
+  echo "$OUTPUT" >&2
+  exit 1
+fi
+if [ $TOTAL_FAIL -eq 0 ]; then
+  echo "ok $TOTAL_PASS/$TOTAL flow-on-sx tests passed (${#SUITES[@]} suites)"
+else
+  echo "FAIL $TOTAL_PASS/$TOTAL passed, $TOTAL_FAIL failed:"
+  for S in "${FAILED_SUITES[@]}"; do echo "  $S"; done
+  exit 1
+fi

lib/flow/host.sx

@@ -0,0 +1,42 @@
+;; lib/flow/host.sx — the host integration ABI (Phase 8).
+;;
+;; `suspend` is flow's seam to the outside world, but a bare (suspend tag) is just a
+;; signal — every author would invent their own tag shape. This layer defines a
+;; stable request/response contract so a host (e.g. an art-dag driver, or a human
+;; review UI) can hook in WITHOUT reverse-engineering ad-hoc tags.
+;;
+;; A flow asks the host to do something and waits for the answer:
+;;   (request kind payload)  — suspend with a typed envelope (flow-request kind
+;;     payload); evaluates to the host's resume value.
+;;   (await-human prompt)    — request kind=human (a decision point)
+;;   (await-render recipe)   — request kind=render (e.g. an art-dag job)
+;;   (await-effect kind p)   — request of an arbitrary kind
+;;
+;; The host drives flows by polling its work queue and resuming:
+;;   (flow-host-requests)    — ((id kind payload) ...) for every SUSPENDED flow whose
+;;     waiting tag is a host request. The host dispatches by kind (render -> submit a
+;;     Celery job; human -> show UI), then calls (flow/resume id answer).
+;;   (request? tag) / (request-kind tag) / (request-payload tag) — parse one tag.
+;;
+;; Reference driver — the host only supplies `dispatch`, a (kind payload) -> answer:
+;;   (flow-drive-host dispatch)        — one tick: service every CURRENTLY pending
+;;     request (snapshot), resuming each with (dispatch kind payload); returns the
+;;     count serviced. Resumes may create new requests — serviced on the next tick.
+;;   (flow-run-host dispatch maxticks) — tick until quiescent (no pending requests)
+;;     or maxticks reached; returns total requests serviced. Bounded for determinism.
+;;
+;; Contract: the host owns IO and persistence. flow stays deterministic — a flow
+;; never performs IO itself, it only `request`s; the host performs the effect and
+;; feeds the result back via resume (which the replay log records, so the effect is
+;; not re-run on recovery). Persist with flow-store-export after each transition and
+;; flow-store-import! on boot.
+
+(define
+  flow-host-src
+  "(define (request kind payload) (suspend (list (quote flow-request) kind payload)))\n   (define (request? tag) (and (pair? tag) (eq? (car tag) (quote flow-request))))\n   (define (request-kind tag) (car (cdr tag)))\n   (define (request-payload tag) (car (cdr (cdr tag))))\n   (define (await-human prompt) (request (quote human) prompt))\n   (define (await-render recipe) (request (quote render) recipe))\n   (define (await-effect kind payload) (request kind payload))\n   (define (flow-host-req-step pend)\n     (if (null? pend)\n         (list)\n         (let ((id (car (car pend))) (tag (car (cdr (car pend)))))\n           (if (request? tag)\n               (cons (list id (request-kind tag) (request-payload tag))\n                     (flow-host-req-step (cdr pend)))\n               (flow-host-req-step (cdr pend))))))\n   (define (flow-host-requests) (flow-host-req-step (flow/pending)))\n   (define (flow-drive-host-step reqs dispatch)\n     (if (null? reqs)\n         0\n         (begin\n           (flow/resume (car (car reqs)) (dispatch (car (cdr (car reqs))) (car (cdr (cdr (car reqs))))))\n           (+ 1 (flow-drive-host-step (cdr reqs) dispatch)))))\n   (define (flow-drive-host dispatch) (flow-drive-host-step (flow-host-requests) dispatch))\n   (define (flow-run-host dispatch maxticks)\n     (if (<= maxticks 0)\n         0\n         (let ((n (flow-drive-host dispatch)))\n           (if (= n 0) 0 (+ n (flow-run-host dispatch (- maxticks 1)))))))")
+
+(define
+  flow-load-host!
+  (fn
+    (env)
+    (begin (scheme-eval-program (scheme-parse-all flow-host-src) env) env)))

lib/flow/remote.sx

@@ -0,0 +1,34 @@
+;; lib/flow/remote.sx — distributed nodes via fed-sx (Phase 4).
+;;
+;; A node can execute on a federation peer. The transport is the fed-sx boundary;
+;; it is MOCKED in tests by a peer registry mapping addr -> function table. In
+;; production flow-transport would issue a fed-sx call; here it dispatches locally.
+;;
+;;   (flow-peer-register! addr table) — register a mock peer. table is a list of
+;;     (fn-name proc) entries — the functions that peer exposes.
+;;   (flow-transport addr fn input)   — invoke fn on the peer with input. Raises
+;;     (flow-remote-unreachable) if the addr is unknown, (flow-remote-no-fn) if the
+;;     peer does not expose fn.
+;;   (remote-node addr fn)            — a node that runs fn on the peer at addr.
+;;   (remote-failover addrs fn local) — try fn on each peer in addrs in order; on a
+;;     raised error move to the next peer; if every peer fails, run the `local`
+;;     node as a fallback.
+;;
+;; Persistence across instances + handoff. Each instance runs the same flow
+;; definitions, so the only thing that needs to cross the wire is the (plain-data)
+;; store — exactly flow-store-export from store.sx. Replication pushes that export
+;; to a peer's replica slot; handoff = restore the replica on the peer and resume.
+;;
+;;   (flow-replicate-to addr) — copy this instance's store to peer addr's replica
+;;   (flow-restore-from addr) — import the replica from peer addr (#t / #f)
+;;   (flow-replica-get addr)  — the raw replicated store at addr (or #f)
+
+(define
+  flow-remote-src
+  "(define flow-peers (list))\n   (define (flow-assoc key alist)\n     (if (null? alist)\n         #f\n         (if (eq? (car (car alist)) key) (car (cdr (car alist))) (flow-assoc key (cdr alist)))))\n   (define (flow-peer-register! addr table) (set! flow-peers (cons (list addr table) flow-peers)))\n   (define (flow-transport addr fn input)\n     (let ((table (flow-assoc addr flow-peers)))\n       (if table\n           (let ((proc (flow-assoc fn table)))\n             (if proc (proc input) (raise (quote flow-remote-no-fn))))\n           (raise (quote flow-remote-unreachable)))))\n   (define (remote-node addr fn) (lambda (input) (flow-transport addr fn input)))\n   (define (flow-failover-step addrs fn input local)\n     (if (null? addrs)\n         (local input)\n         (guard (e (#t (flow-failover-step (cdr addrs) fn input local)))\n           (flow-transport (car addrs) fn input))))\n   (define (remote-failover addrs fn local)\n     (lambda (input) (flow-failover-step addrs fn input local)))\n\n   (define flow-replicas (list))\n   (define (flow-replicas-remove addr reps)\n     (if (null? reps)\n         (list)\n         (if (eq? (car (car reps)) addr)\n             (flow-replicas-remove addr (cdr reps))\n             (cons (car reps) (flow-replicas-remove addr (cdr reps))))))\n   (define (flow-replicate-to addr)\n     (set! flow-replicas (cons (list addr (flow-store-export)) (flow-replicas-remove addr flow-replicas))))\n   (define (flow-replica-get addr) (flow-assoc addr flow-replicas))\n   (define (flow-restore-from addr)\n     (let ((data (flow-replica-get addr)))\n       (if data (begin (flow-store-import! data) #t) #f)))")
+
+(define
+  flow-load-remote!
+  (fn
+    (env)
+    (begin (scheme-eval-program (scheme-parse-all flow-remote-src) env) env)))

lib/flow/scoreboard.json

@@ -0,0 +1,19 @@
+{
+  "total": 166,
+  "passed": 166,
+  "failed": 0,
+  "suites": {
+    "basic": { "passed": 18, "total": 18 },
+    "control": { "passed": 31, "total": 31 },
+    "suspend": { "passed": 17, "total": 17 },
+    "recovery": { "passed": 8, "total": 8 },
+    "distributed": { "passed": 19, "total": 19 },
+    "api": { "passed": 12, "total": 12 },
+    "combinators": { "passed": 17, "total": 17 },
+    "railway": { "passed": 10, "total": 10 },
+    "integration": { "passed": 10, "total": 10 },
+    "hygiene": { "passed": 9, "total": 9 },
+    "host": { "passed": 15, "total": 15 }
+  },
+  "phases": { "phase1": "done", "phase2": "done", "phase3": "done", "phase4": "done", "phase5": "done", "phase6": "done", "phase7": "done", "phase8": "done" }
+}

lib/flow/scoreboard.md

@@ -0,0 +1,53 @@
+# flow-on-sx Scoreboard
+
+**All tests pass: 166 / 166 across 11 suites. Phases 1-8 complete.**
+
+`bash lib/flow/conformance.sh`
+
+## Per-suite breakdown
+
+| Suite | Passing | Covers |
+|-------|--------:|--------|
+| basic |     18  | Phase 1: single nodes, linear sequence, data-flow threading, defflow, parallel fan/join, nested composition, publish-shaped flow |
+| control |  31  | Phase 2: `branch` (6); error model `fail`/`failed?`/`fail-reason` (6); `try-catch` (6); `retry n` (6); `timeout` cooperative step budget (7) |
+| suspend |  17  | Phase 3: suspend/resume/cancel via deterministic replay; multi-step, replay determinism, lifecycle guards, suspend-in-branch |
+| recovery |  8  | Phase 3: crash recovery — store export/import, resumable scan, restart-at-every-step, replay-log survival |
+| distributed | 19 | Phase 4: `remote-node` (7); `remote-failover` (6); replication + handoff across instances (6) |
+| api |  12  | Phase 5: introspection — `flow/status`, `flow/result`, `flow/list`, `flow/pending` |
+| combinators | 17 | Phase 5: `tap`, `recover` (fail-value), `map-flow` fan-over-list, `flow-while`/`flow-until` bounded iteration |
+| railway | 10 | Phase 6: `attempt` — fail-value short-circuiting sequence + recover rejoin |
+| integration | 10 | Phase 7: end-to-end order + onboarding flows composing every phase (suspend, branch, federation, crash recovery, handoff, introspection) |
+| hygiene | 9 | Phase 5: `flow/gc` (prune terminal flows), `flow/forget` (drop one terminal record) |
+| host | 15 | Phase 8: host ABI — `request`/`await-human`/`await-render`, `flow-host-requests` queue, `flow-run-host` reference driver; art-dag-shaped render→review→publish loop |
+
+## Architecture
+
+Flow combinators are a **Scheme prelude** (`lib/flow/spec.sx`) loaded onto
+`scheme-standard-env`. A flow is a Scheme procedure `input -> output`. The whole
+flow executes inside the Scheme interpreter, so Phase 3's `suspend` (call/cc) will
+capture the flow continuation directly.
+
+- `lib/flow/spec.sx` — combinators: `flow-node`, `flow-id`, `flow-const`,
+  `sequence`, `parallel`, `defflow`; `flow-load-combinators!`.
+- `lib/flow/api.sx` — `flow/start` (Scheme); `flow-make-env`, `flow-run`,
+  `flow-run-in` (SX helpers).
+- `lib/flow/tests/basic.sx` — 18 cases.
+- `lib/flow/conformance.sh` — loads substrate + flow layer, runs suites.
+
+## Semantics notes
+
+- **node** = 1-arg Scheme procedure; the upstream value is the argument. A node
+  ignoring its argument is effectively a thunk.
+- **sequence** threads left-to-right; empty sequence = identity.
+- **parallel** fans the same input to every branch and joins results into a list.
+  Evaluation is **sequential** for now; true concurrency arrives in Phase 3.
+
+## Phases
+
+- [x] Phase 1 — Declarative DAG + sequential execution (combinators + 18 tests, `flow/start`)
+- [x] Phase 2 — Control flow + error handling (branch, error model, try-catch, retry, timeout)
+- [x] Phase 3 — Suspend/resume (suspend/resume/cancel + crash recovery via deterministic replay)
+- [x] Phase 4 — Distributed nodes via fed-sx (remote-node, failover, replication + handoff)
+- [x] Phase 5 — Operational API + combinators (introspection, tap, recover, map-flow)
+- [ ] Phase 3 — Suspend / resume (the showcase)
+- [ ] Phase 4 — Distributed nodes via fed-sx

lib/flow/spec.sx

@@ -0,0 +1,61 @@
+;; lib/flow/spec.sx — flow combinators as a Scheme prelude.
+;;
+;; A flow is a Scheme procedure of one argument: the upstream value.
+;;   node : input -> output
+;; A leaf node ignoring its argument is effectively a thunk. Combinators
+;; build composite nodes out of child nodes. The whole flow runs INSIDE the
+;; Scheme interpreter.
+;;
+;; Phase 1 combinators (flow-combinators-src):
+;;   flow-node / flow-id / flow-const / sequence / parallel / defflow
+;;   defflow both binds the flow and registers it by name (flow-register!, in
+;;   store.sx) so it can be re-resolved after a process restart.
+;;   map-flow (Phase 5): run a node over each item of a list input, join results.
+;;   flow-while / flow-until (Phase 5): bounded iteration — re-run body, threading
+;;   the value, while/until pred holds, up to `max` steps (deterministic bound; no
+;;   unbounded loops in pure SX).
+;;
+;; Phase 2 combinators (flow-control-src):
+;;   branch / fail / failed? / fail-reason / try-catch / retry / timeout / tick
+;;   tap (Phase 5): side-effecting pass-through (returns input unchanged).
+;;   recover (Phase 5): the fail-VALUE counterpart of try-catch.
+;;   attempt (Phase 6): railway sequence — thread nodes left-to-right but stop at
+;;     the first node that returns a (fail ...) value, returning that failure.
+;;
+;; Phase 3 suspend core (flow-suspend-src):
+;;   The guest Scheme's call/cc is ESCAPE-ONLY (re-invoking a captured k after it
+;;   returns hangs the runtime), so suspend/resume CANNOT re-enter a continuation.
+;;   Instead, durability uses DETERMINISTIC REPLAY: a flow re-runs from the start
+;;   on each resume; suspend points that have already been resolved replay their
+;;   logged value, and the first unresolved suspend escapes back to the driver.
+;;   The entire persisted state is the replay log (plain (tag value) data), which
+;;   survives process restart — no live continuation is ever serialized.
+;;
+;;   (suspend tag)  — if tag is in the replay log, return its value; else escape
+;;     to the driver as (flow-suspended tag). tags must be unique & deterministic
+;;     across replays. ALL effects/non-determinism must go through suspend so their
+;;     results are logged (otherwise they re-run on every replay).
+;;   (flow-drive flow input log) — run flow with the given replay log; returns
+;;     (flow-done result) or (flow-suspended tag).
+
+(define
+  flow-combinators-src
+  "(define (flow-node f) f)\n   (define (flow-id input) input)\n   (define (flow-const v) (lambda (input) v))\n   (define (flow-seq-step ns v)\n     (if (null? ns) v (flow-seq-step (cdr ns) ((car ns) v))))\n   (define sequence (lambda ns (lambda (input) (flow-seq-step ns input))))\n   (define parallel (lambda ns (lambda (input) (map (lambda (n) (n input)) ns))))\n   (define (map-flow node) (lambda (items) (map node items)))\n   (define (flow-while-step pred body input n)\n     (if (<= n 0)\n         input\n         (if (pred input) (flow-while-step pred body (body input) (- n 1)) input)))\n   (define (flow-while pred body max) (lambda (input) (flow-while-step pred body input max)))\n   (define (flow-until-step pred body input n)\n     (if (<= n 0)\n         input\n         (if (pred input) input (flow-until-step pred body (body input) (- n 1)))))\n   (define (flow-until pred body max) (lambda (input) (flow-until-step pred body input max)))\n   (define-syntax defflow\n     (syntax-rules ()\n       ((defflow nm body)\n        (begin (define nm body) (flow-register! (quote nm) nm)))))")
+
+(define
+  flow-control-src
+  "(define (branch pred then else)\n     (lambda (input) (if (pred input) (then input) (else input))))\n   (define (fail reason) (list (quote flow-fail) reason))\n   (define (failed? x) (and (pair? x) (eq? (car x) (quote flow-fail))))\n   (define (fail-reason x) (car (cdr x)))\n   (define (recover node handler)\n     (lambda (input)\n       (let ((r (node input)))\n         (if (failed? r) (handler (fail-reason r)) r))))\n   (define (tap effect)\n     (lambda (input) (begin (effect input) input)))\n   (define (flow-attempt-step ns v)\n     (if (failed? v)\n         v\n         (if (null? ns) v (flow-attempt-step (cdr ns) ((car ns) v)))))\n   (define attempt (lambda ns (lambda (input) (flow-attempt-step ns input))))\n   (define (try-catch node handler)\n     (lambda (input) (guard (e (#t (handler e))) (node input))))\n   (define (flow-retry-step n node input)\n     (guard (e (#t (if (<= n 1) (raise e) (flow-retry-step (- n 1) node input))))\n       (node input)))\n   (define (retry n node) (lambda (input) (flow-retry-step n node input)))\n   (define flow-timeout-budget -1)\n   (define (tick)\n     (if (< flow-timeout-budget 0)\n         0\n         (begin\n           (set! flow-timeout-budget (- flow-timeout-budget 1))\n           (if (< flow-timeout-budget 0)\n               (raise (quote flow-timeout))\n               flow-timeout-budget))))\n   (define (timeout budget node)\n     (lambda (input)\n       (let ((saved flow-timeout-budget))\n         (set! flow-timeout-budget budget)\n         (guard (e (#t (begin (set! flow-timeout-budget saved) (raise e))))\n           (let ((result (node input)))\n             (set! flow-timeout-budget saved)\n             result)))))")
+
+(define
+  flow-suspend-src
+  "(define flow-replay-log (list))\n   (define flow-suspend-k #f)\n   (define (flow-log-lookup tag log)\n     (if (null? log)\n         (list #f #f)\n         (if (eq? (car (car log)) tag)\n             (list #t (car (cdr (car log))))\n             (flow-log-lookup tag (cdr log)))))\n   (define (suspend tag)\n     (let ((hit (flow-log-lookup tag flow-replay-log)))\n       (if (car hit)\n           (car (cdr hit))\n           (flow-suspend-k (list (quote flow-suspended) tag)))))\n   (define (flow-drive flow input log)\n     (set! flow-replay-log log)\n     (call/cc\n       (lambda (k)\n         (set! flow-suspend-k k)\n         (list (quote flow-done) (flow input)))))")
+
+(define
+  flow-load-combinators!
+  (fn
+    (env)
+    (begin
+      (scheme-eval-program (scheme-parse-all flow-combinators-src) env)
+      (scheme-eval-program (scheme-parse-all flow-control-src) env)
+      (scheme-eval-program (scheme-parse-all flow-suspend-src) env)
+      env)))

lib/flow/tests/api.sx

@@ -0,0 +1,79 @@
+;; lib/flow/tests/api.sx — Phase 5: operational introspection API.
+
+(define flow-api-pass 0)
+(define flow-api-fail 0)
+(define flow-api-fails (list))
+
+(define
+  flow-api-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-api-pass (+ flow-api-pass 1))
+      (begin
+        (set! flow-api-fail (+ flow-api-fail 1))
+        (append! flow-api-fails {:name name :expected expected :actual actual})))))
+
+(define flow-a (fn (src) (flow-run src)))
+
+;; ── flow/status ─────────────────────────────────────────────────
+(flow-api-test "status: unknown id" (flow-a "(flow/status 999)") "unknown")
+(flow-api-test
+  "status: suspended flow"
+  (flow-a
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (flow/status id)")
+  "suspended")
+(flow-api-test
+  "status: completed flow"
+  (flow-a
+    "(defflow w (sequence (lambda (x) (suspend (quote q))) (lambda (v) v))) (define id (car (cdr (flow/start w 0)))) (flow/resume id 5) (flow/status id)")
+  "done")
+(flow-api-test
+  "status: cancelled flow"
+  (flow-a
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (flow/cancel id) (flow/status id)")
+  "cancelled")
+
+;; ── flow/result ─────────────────────────────────────────────────
+(flow-api-test
+  "result: returns the value of a completed flow"
+  (flow-a
+    "(defflow w (sequence (lambda (x) (suspend (quote q))) (lambda (v) (list (quote got) v)))) (define id (car (cdr (flow/start w 0)))) (flow/resume id 9) (flow/result id)")
+  (list "got" 9))
+(flow-api-test
+  "result: a still-suspended flow has no result"
+  (flow-a
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (flow/result id)")
+  (list "flow-error" "not-done"))
+(flow-api-test
+  "result: unknown id errors"
+  (flow-a "(flow/result 999)")
+  (list "flow-error" "no-such-flow"))
+
+;; ── flow/list ───────────────────────────────────────────────────
+(flow-api-test "list: empty store" (flow-a "(flow/list)") (list))
+(flow-api-test
+  "list: reports id + status for each flow (newest first)"
+  (flow-a
+    "(defflow w (lambda (x) (suspend (quote q)))) (flow/start w 0) (flow/start (lambda (x) (* x 2)) 5) (flow/list)")
+  (list (list 2 "done") (list 1 "suspended")))
+
+;; ── flow/pending ────────────────────────────────────────────────
+(flow-api-test
+  "pending: lists suspended flows with their waiting tag"
+  (flow-a
+    "(defflow w (lambda (x) (suspend (quote review)))) (flow/start w 0) (flow/pending)")
+  (list (list 1 "review")))
+(flow-api-test
+  "pending: excludes completed and cancelled flows"
+  (flow-a
+    "(defflow w (lambda (x) (suspend (quote q)))) (defflow v (sequence (lambda (x) (suspend (quote r))) (lambda (y) y))) (define i1 (car (cdr (flow/start w 0)))) (define i2 (car (cdr (flow/start v 0)))) (define i3 (car (cdr (flow/start w 0)))) (flow/resume i2 1) (flow/cancel i3) (flow/pending)")
+  (list (list 1 "q")))
+(flow-api-test
+  "pending: operator can drain all pending flows"
+  (flow-a
+    "(defflow w (sequence (lambda (x) (suspend (quote q))) (lambda (v) (* v 10)))) (flow/start w 0) (flow/start w 0) (define ps (flow/pending)) (flow/resume (car (car ps)) 1) (flow/resume (car (car (cdr ps))) 2) (flow/list)")
+  (list (list 1 "done") (list 2 "done")))
+
+(define flow-api-tests-run! (fn () {:total (+ flow-api-pass flow-api-fail) :passed flow-api-pass :failed flow-api-fail :fails flow-api-fails}))

lib/flow/tests/basic.sx

@@ -0,0 +1,121 @@
+;; lib/flow/tests/basic.sx — Phase 1: declarative DAG + sequential execution.
+
+(define flow-basic-pass 0)
+(define flow-basic-fail 0)
+(define flow-basic-fails (list))
+
+(define
+  flow-basic-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-basic-pass (+ flow-basic-pass 1))
+      (begin
+        (set! flow-basic-fail (+ flow-basic-fail 1))
+        (append! flow-basic-fails {:name name :expected expected :actual actual})))))
+
+;; Run a Scheme flow-program string and return its final value.
+(define flow-b (fn (src) (flow-run src)))
+
+;; Scheme strings are boxed as {:scm-string "..."}; unwrap to a host string.
+(define flow-bs (fn (src) (get (flow-run src) :scm-string)))
+
+;; ── single node ─────────────────────────────────────────────────
+(flow-basic-test
+  "node: identity passes input through"
+  (flow-b "(flow/start flow-id 7)")
+  7)
+(flow-basic-test
+  "node: const ignores input"
+  (flow-b "(flow/start (flow-const 99) 1)")
+  99)
+(flow-basic-test
+  "node: bare lambda is a node"
+  (flow-b "(flow/start (lambda (x) (* x x)) 6)")
+  36)
+
+;; ── linear sequence ─────────────────────────────────────────────
+(flow-basic-test
+  "sequence: empty is identity"
+  (flow-b "(flow/start (sequence) 42)")
+  42)
+(flow-basic-test
+  "sequence: single child"
+  (flow-b "(flow/start (sequence (lambda (x) (+ x 1))) 41)")
+  42)
+(flow-basic-test
+  "sequence: two children thread"
+  (flow-b
+    "(flow/start (sequence (lambda (x) (+ x 1)) (lambda (x) (* x 10))) 4)")
+  50)
+(flow-basic-test
+  "sequence: three children thread"
+  (flow-b
+    "(flow/start (sequence (lambda (x) (+ x 1)) (lambda (x) (* x 2)) (lambda (x) (- x 3))) 5)")
+  9)
+
+;; ── data flow between nodes ─────────────────────────────────────
+(flow-basic-test
+  "data flow: string accumulation"
+  (flow-bs
+    "(flow/start (sequence (lambda (s) (string-append s \"-a\")) (lambda (s) (string-append s \"-b\"))) \"x\")")
+  "x-a-b")
+(flow-basic-test
+  "data flow: list build"
+  (flow-b
+    "(flow/start (sequence (lambda (x) (cons x (list))) (lambda (xs) (cons 0 xs))) 7)")
+  (list 0 7))
+
+;; ── defflow ─────────────────────────────────────────────────────
+(flow-basic-test
+  "defflow: names a flow"
+  (flow-b
+    "(defflow inc2 (sequence (lambda (x) (+ x 1)) (lambda (x) (+ x 1)))) (flow/start inc2 40)")
+  42)
+(flow-basic-test
+  "defflow: reusable"
+  (flow-b
+    "(defflow dbl (lambda (x) (* x 2))) (+ (flow/start dbl 3) (flow/start dbl 10))")
+  26)
+
+;; ── parallel (sequential semantics, join into list) ─────────────
+(flow-basic-test
+  "parallel: fans input to all branches"
+  (flow-b
+    "(flow/start (parallel (lambda (x) (+ x 1)) (lambda (x) (* x 2)) (lambda (x) (- x 3))) 10)")
+  (list 11 20 7))
+(flow-basic-test
+  "parallel: empty joins to empty list"
+  (flow-b "(flow/start (parallel) 5)")
+  (list))
+(flow-basic-test
+  "parallel: single branch"
+  (flow-b "(flow/start (parallel (lambda (x) (* x x))) 9)")
+  (list 81))
+
+;; ── nested composition ──────────────────────────────────────────
+(flow-basic-test
+  "nested: sequence of sequences"
+  (flow-b
+    "(flow/start (sequence (sequence (lambda (x) (+ x 1)) (lambda (x) (+ x 1))) (sequence (lambda (x) (* x 3)))) 0)")
+  6)
+(flow-basic-test
+  "nested: parallel inside sequence, join then reduce"
+  (flow-b
+    "(flow/start (sequence (parallel (lambda (x) (+ x 1)) (lambda (x) (* x 2))) (lambda (xs) (apply + xs))) 10)")
+  31)
+(flow-basic-test
+  "nested: sequence inside parallel branch"
+  (flow-b
+    "(flow/start (parallel (sequence (lambda (x) (+ x 1)) (lambda (x) (* x 2))) (lambda (x) x)) 5)")
+  (list 12 5))
+
+;; ── publish-shaped flow (the architecture sketch) ───────────────
+(flow-basic-test
+  "publish: write -> (review | spell) -> join lengths"
+  (flow-b
+    "(defflow publish (sequence (lambda (draft) (string-append draft \"!\")) (parallel (lambda (c) (string-length c)) (lambda (c) (string-length (string-append c \"?\")))))) (flow/start publish \"hi\")")
+  (list 3 4))
+
+(define flow-basic-tests-run! (fn () {:total (+ flow-basic-pass flow-basic-fail) :passed flow-basic-pass :failed flow-basic-fail :fails flow-basic-fails}))

lib/flow/tests/combinators.sx

@@ -0,0 +1,108 @@
+;; lib/flow/tests/combinators.sx — Phase 5: combinator library (tap, recover, map-flow, iteration).
+
+(define flow-cmb-pass 0)
+(define flow-cmb-fail 0)
+(define flow-cmb-fails (list))
+
+(define
+  flow-cmb-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-cmb-pass (+ flow-cmb-pass 1))
+      (begin
+        (set! flow-cmb-fail (+ flow-cmb-fail 1))
+        (append! flow-cmb-fails {:name name :expected expected :actual actual})))))
+
+(define flow-m (fn (src) (flow-run src)))
+
+;; ── tap (side-effecting pass-through) ───────────────────────────
+(flow-cmb-test
+  "tap: returns input unchanged"
+  (flow-m "(flow/start (tap (lambda (x) (* x 999))) 7)")
+  7)
+(flow-cmb-test
+  "tap: runs the side effect"
+  (flow-m
+    "(define seen 0) (flow/start (tap (lambda (x) (set! seen x))) 42) seen")
+  42)
+(flow-cmb-test
+  "tap: value flows on while the effect observes it"
+  (flow-m
+    "(define log 0) (flow/start (sequence (lambda (x) (+ x 1)) (tap (lambda (x) (set! log x))) (lambda (x) (* x 2))) 10) (list log (flow/result 1))")
+  (list 11 22))
+
+;; ── recover (fail-value counterpart of try-catch) ───────────────
+(flow-cmb-test
+  "recover: passes a non-fail value through"
+  (flow-m "(flow/start (recover (lambda (x) (* x 2)) (lambda (r) -1)) 5)")
+  10)
+(flow-cmb-test
+  "recover: handles a fail value via the reason"
+  (flow-m
+    "(flow/start (recover (lambda (x) (fail (quote too-small))) (lambda (r) (list (quote recovered) r))) 1)")
+  (list "recovered" "too-small"))
+(flow-cmb-test
+  "recover: handler can supply a default value"
+  (flow-m
+    "(flow/start (sequence (recover (lambda (x) (if (> x 0) x (fail (quote neg))) ) (flow-const 0)) (lambda (x) (* x 10))) -3)")
+  0)
+(flow-cmb-test
+  "recover: does not catch raised exceptions (those are try-catch's job)"
+  (flow-m
+    "(flow/start (try-catch (recover (lambda (x) (raise (quote boom))) (flow-const 0)) (lambda (e) e)) 1)")
+  "boom")
+
+;; ── map-flow (run a node over a list, join) ─────────────────────
+(flow-cmb-test
+  "map-flow: applies the node to each item"
+  (flow-m "(flow/start (map-flow (lambda (x) (* x x))) (list 1 2 3 4))")
+  (list 1 4 9 16))
+(flow-cmb-test
+  "map-flow: empty list joins to empty"
+  (flow-m "(flow/start (map-flow (lambda (x) (+ x 1))) (list))")
+  (list))
+(flow-cmb-test
+  "map-flow: each item runs an independent sub-flow"
+  (flow-m
+    "(flow/start (map-flow (sequence (lambda (x) (+ x 1)) (lambda (x) (* x 2)))) (list 0 4 9))")
+  (list 2 10 20))
+(flow-cmb-test
+  "map-flow: composes — fan over a list then reduce the join"
+  (flow-m
+    "(flow/start (sequence (map-flow (lambda (x) (* x 10))) (lambda (xs) (apply + xs))) (list 1 2 3))")
+  60)
+
+;; ── flow-while / flow-until (bounded iteration) ─────────────────
+(flow-cmb-test
+  "flow-while: iterates while the predicate holds"
+  (flow-m
+    "(flow/start (flow-while (lambda (x) (< x 10)) (lambda (x) (+ x 1)) 100) 0)")
+  10)
+(flow-cmb-test
+  "flow-while: a false predicate leaves input unchanged"
+  (flow-m
+    "(flow/start (flow-while (lambda (x) (< x 0)) (lambda (x) (+ x 1)) 100) 5)")
+  5)
+(flow-cmb-test
+  "flow-while: respects the max-iteration bound"
+  (flow-m "(flow/start (flow-while (lambda (x) #t) (lambda (x) (+ x 1)) 3) 0)")
+  3)
+(flow-cmb-test
+  "flow-while: doubles until past a threshold"
+  (flow-m
+    "(flow/start (flow-while (lambda (x) (< x 50)) (lambda (x) (* x 2)) 100) 3)")
+  96)
+(flow-cmb-test
+  "flow-until: iterates until the predicate becomes true"
+  (flow-m
+    "(flow/start (flow-until (lambda (x) (>= x 10)) (lambda (x) (+ x 3)) 100) 0)")
+  12)
+(flow-cmb-test
+  "flow-until: composes inside a sequence"
+  (flow-m
+    "(flow/start (sequence (flow-until (lambda (x) (> x 100)) (lambda (x) (* x 3)) 100) (lambda (x) (- x 100))) 5)")
+  35)
+
+(define flow-cmb-tests-run! (fn () {:total (+ flow-cmb-pass flow-cmb-fail) :passed flow-cmb-pass :failed flow-cmb-fail :fails flow-cmb-fails}))

lib/flow/tests/control.sx

@@ -0,0 +1,179 @@
+;; lib/flow/tests/control.sx — Phase 2: control flow + error handling.
+
+(define flow-ctl-pass 0)
+(define flow-ctl-fail 0)
+(define flow-ctl-fails (list))
+
+(define
+  flow-ctl-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-ctl-pass (+ flow-ctl-pass 1))
+      (begin
+        (set! flow-ctl-fail (+ flow-ctl-fail 1))
+        (append! flow-ctl-fails {:name name :expected expected :actual actual})))))
+
+(define flow-c (fn (src) (flow-run src)))
+(define flow-cs (fn (src) (get (flow-run src) :scm-string)))
+
+;; ── branch ──────────────────────────────────────────────────────
+(flow-ctl-test
+  "branch: true selects then"
+  (flow-c
+    "(flow/start (branch (lambda (x) (> x 0)) (lambda (x) (* x 100)) (lambda (x) (- 0 x))) 5)")
+  500)
+(flow-ctl-test
+  "branch: false selects else"
+  (flow-c
+    "(flow/start (branch (lambda (x) (> x 0)) (lambda (x) (* x 100)) (lambda (x) (- 0 x))) -3)")
+  3)
+(flow-ctl-test
+  "branch: predicate sees the threaded input"
+  (flow-c
+    "(flow/start (sequence (lambda (x) (+ x 1)) (branch (lambda (x) (> x 3)) (flow-const 100) (flow-const 0))) 3)")
+  100)
+(flow-ctl-test
+  "branch: branches are full nodes (sequence inside)"
+  (flow-c
+    "(flow/start (branch (lambda (x) (< x 10)) (sequence (lambda (x) (+ x 1)) (lambda (x) (* x 2))) (flow-const 0)) 4)")
+  10)
+(flow-ctl-test
+  "branch: nested branch (3-way sign)"
+  (flow-c
+    "(defflow sign (branch (lambda (x) (> x 0)) (flow-const 1) (branch (lambda (x) (< x 0)) (flow-const -1) (flow-const 0)))) (list (flow/start sign 7) (flow/start sign -7) (flow/start sign 0))")
+  (list 1 -1 0))
+(flow-ctl-test
+  "branch: publish-shaped approval gate"
+  (flow-cs
+    "(defflow publish (branch (lambda (post) (>= (string-length post) 3)) (lambda (post) (string-append post \" [published]\")) (lambda (post) (string-append post \" [rejected]\")))) (flow/start publish \"ok\")")
+  "ok [rejected]")
+
+;; ── error model — explicit (fail reason) values ─────────────────
+(flow-ctl-test
+  "fail: failed? is true for a failure value"
+  (flow-c "(failed? (fail 404))")
+  true)
+(flow-ctl-test
+  "fail: fail-reason extracts the reason"
+  (flow-c "(fail-reason (fail 404))")
+  404)
+(flow-ctl-test
+  "fail: failed? is false for a plain value"
+  (flow-c "(failed? 7)")
+  false)
+(flow-ctl-test
+  "fail: failed? is false for an ordinary list"
+  (flow-c "(failed? (list 1 2 3))")
+  false)
+(flow-ctl-test
+  "fail: a node may emit a failure as data"
+  (flow-c
+    "(defflow validate (lambda (s) (if (>= (string-length s) 3) s (fail (quote too-short))))) (failed? (flow/start validate \"hi\"))")
+  true)
+(flow-ctl-test
+  "fail: failure flows downstream, branch recovers"
+  (flow-c
+    "(defflow guarded (sequence (lambda (s) (if (>= (string-length s) 3) (string-length s) (fail (quote too-short)))) (branch failed? (lambda (f) (list (quote recovered) (fail-reason f))) (lambda (n) (list (quote ok) n))))) (flow/start guarded \"hi\")")
+  (list "recovered" "too-short"))
+
+;; ── try-catch — reify raised exceptions ─────────────────────────
+(flow-ctl-test
+  "try-catch: no exception returns node result"
+  (flow-c "(flow/start (try-catch (lambda (x) (* x 2)) (lambda (e) -1)) 5)")
+  10)
+(flow-ctl-test
+  "try-catch: handler runs on raise"
+  (flow-c
+    "(flow/start (try-catch (lambda (x) (raise (quote boom))) (flow-const 99)) 1)")
+  99)
+(flow-ctl-test
+  "try-catch: handler receives the reified error"
+  (flow-c "(flow/start (try-catch (lambda (x) (raise 42)) (lambda (e) e)) 0)")
+  42)
+(flow-ctl-test
+  "try-catch: catches exception from deep inside a sequence"
+  (flow-c
+    "(flow/start (try-catch (sequence (lambda (x) (+ x 1)) (lambda (x) (raise (quote deep)))) (flow-const -99)) 5)")
+  -99)
+(flow-ctl-test
+  "try-catch: handler may convert to a failure value"
+  (flow-c
+    "(failed? (flow/start (try-catch (lambda (x) (raise (quote bad))) (lambda (e) (fail e))) 0))")
+  true)
+(flow-ctl-test
+  "try-catch: composes — recover then continue"
+  (flow-c
+    "(flow/start (sequence (try-catch (lambda (x) (raise (quote x))) (flow-const 10)) (lambda (n) (* n 5))) 0)")
+  50)
+
+;; ── retry — re-run on raised exceptions ─────────────────────────
+(flow-ctl-test
+  "retry: succeeds after transient failures"
+  (flow-c
+    "(define ctr 0) (defflow flaky (lambda (x) (set! ctr (+ ctr 1)) (if (< ctr 3) (raise (quote nope)) (* x 10)))) (list (flow/start (retry 5 flaky) 7) ctr)")
+  (list 70 3))
+(flow-ctl-test
+  "retry: exhausted re-raises (caught by try-catch)"
+  (flow-c
+    "(flow/start (try-catch (retry 2 (lambda (x) (raise (quote always)))) (flow-const (quote gaveup))) 0)")
+  "gaveup")
+(flow-ctl-test
+  "retry: n=1 means a single attempt"
+  (flow-c
+    "(define ctr 0) (flow/start (try-catch (retry 1 (lambda (x) (set! ctr (+ ctr 1)) (raise (quote bad)))) (lambda (e) ctr)) 0)")
+  1)
+(flow-ctl-test
+  "retry: success on first attempt does not re-run"
+  (flow-c
+    "(define ctr 0) (flow/start (sequence (retry 5 (lambda (x) (set! ctr (+ ctr 1)) (* x 2))) (lambda (n) ctr)) 21)")
+  1)
+(flow-ctl-test
+  "retry: does not retry explicit failure values"
+  (flow-c
+    "(define ctr 0) (failed? (flow/start (retry 5 (lambda (x) (set! ctr (+ ctr 1)) (fail (quote bad)))) 0))")
+  true)
+(flow-ctl-test
+  "retry: failure-value path runs node exactly once"
+  (flow-c
+    "(define ctr 0) (flow/start (sequence (retry 5 (lambda (x) (set! ctr (+ ctr 1)) (fail (quote bad)))) (lambda (f) ctr)) 0)")
+  1)
+
+;; ── timeout — cooperative step budget ───────────────────────────
+(flow-ctl-test
+  "timeout: work within budget completes"
+  (flow-c
+    "(define (cd n) (if (<= n 0) 99 (begin (tick) (cd (- n 1))))) (flow/start (try-catch (timeout 10 (lambda (x) (cd x))) (flow-const (quote timed-out))) 5)")
+  99)
+(flow-ctl-test
+  "timeout: work exceeding budget raises flow-timeout"
+  (flow-c
+    "(define (cd n) (if (<= n 0) 99 (begin (tick) (cd (- n 1))))) (flow/start (try-catch (timeout 10 (lambda (x) (cd x))) (flow-const (quote timed-out))) 20)")
+  "timed-out")
+(flow-ctl-test
+  "timeout: exact budget boundary completes"
+  (flow-c
+    "(define (cd n) (if (<= n 0) 99 (begin (tick) (cd (- n 1))))) (flow/start (try-catch (timeout 5 (lambda (x) (cd x))) (flow-const (quote timed-out))) 5)")
+  99)
+(flow-ctl-test
+  "timeout: one tick over the budget raises"
+  (flow-c
+    "(define (cd n) (if (<= n 0) 99 (begin (tick) (cd (- n 1))))) (flow/start (try-catch (timeout 5 (lambda (x) (cd x))) (flow-const (quote timed-out))) 6)")
+  "timed-out")
+(flow-ctl-test
+  "timeout: the raised error is identifiable"
+  (flow-c
+    "(define (cd n) (if (<= n 0) 99 (begin (tick) (cd (- n 1))))) (flow/start (try-catch (timeout 2 (lambda (x) (cd x))) (lambda (e) e)) 9)")
+  "flow-timeout")
+(flow-ctl-test
+  "timeout: a node that never ticks is unbounded"
+  (flow-c "(flow/start (timeout 0 (lambda (x) (* x 2))) 5)")
+  10)
+(flow-ctl-test
+  "timeout: budget is restored across sequential timeouts"
+  (flow-c
+    "(define (cd n) (if (<= n 0) 1 (begin (tick) (cd (- n 1))))) (flow/start (sequence (timeout 4 (lambda (x) (cd x))) (timeout 4 (lambda (x) (cd 3))) (lambda (x) (begin (tick) (+ x 100)))) 3)")
+  101)
+
+(define flow-ctl-tests-run! (fn () {:total (+ flow-ctl-pass flow-ctl-fail) :passed flow-ctl-pass :failed flow-ctl-fail :fails flow-ctl-fails}))

lib/flow/tests/distributed.sx

@@ -0,0 +1,120 @@
+;; lib/flow/tests/distributed.sx — Phase 4: distributed nodes via fed-sx (mocked).
+
+(define flow-dist-pass 0)
+(define flow-dist-fail 0)
+(define flow-dist-fails (list))
+
+(define
+  flow-dist-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-dist-pass (+ flow-dist-pass 1))
+      (begin
+        (set! flow-dist-fail (+ flow-dist-fail 1))
+        (append! flow-dist-fails {:name name :expected expected :actual actual})))))
+
+(define flow-d (fn (src) (flow-run src)))
+
+;; ── remote-node ─────────────────────────────────────────────────
+(flow-dist-test
+  "remote: a node executes on a peer"
+  (flow-d
+    "(flow-peer-register! (quote edge) (list (list (quote double) (lambda (x) (* x 2))))) (flow/start (remote-node (quote edge) (quote double)) 21)")
+  42)
+(flow-dist-test
+  "remote: remote nodes compose in a sequence"
+  (flow-d
+    "(flow-peer-register! (quote edge) (list (list (quote inc) (lambda (x) (+ x 1))) (list (quote double) (lambda (x) (* x 2))))) (flow/start (sequence (remote-node (quote edge) (quote inc)) (remote-node (quote edge) (quote double))) 4)")
+  10)
+(flow-dist-test
+  "remote: a remote node mixes with local nodes"
+  (flow-d
+    "(flow-peer-register! (quote edge) (list (list (quote double) (lambda (x) (* x 2))))) (flow/start (sequence (lambda (x) (+ x 5)) (remote-node (quote edge) (quote double)) (lambda (x) (- x 1))) 10)")
+  29)
+(flow-dist-test
+  "remote: unreachable peer raises flow-remote-unreachable"
+  (flow-d
+    "(flow/start (try-catch (remote-node (quote ghost) (quote double)) (lambda (e) e)) 1)")
+  "flow-remote-unreachable")
+(flow-dist-test
+  "remote: unknown function on a peer raises flow-remote-no-fn"
+  (flow-d
+    "(flow-peer-register! (quote edge) (list (list (quote double) (lambda (x) (* x 2))))) (flow/start (try-catch (remote-node (quote edge) (quote missing)) (lambda (e) e)) 1)")
+  "flow-remote-no-fn")
+(flow-dist-test
+  "remote: a remote node can suspend the flow (peer returns control)"
+  (flow-d
+    "(flow-peer-register! (quote edge) (list (list (quote review) (lambda (x) x)))) (flow/start (sequence (remote-node (quote edge) (quote review)) (lambda (x) (suspend (quote human))) (lambda (v) (list (quote published) v))) 7)")
+  (list "flow-suspended" 1 "human"))
+(flow-dist-test
+  "remote: a transient remote failure is recoverable with retry"
+  (flow-d
+    "(define hits 0) (flow-peer-register! (quote edge) (list (list (quote flaky) (lambda (x) (begin (set! hits (+ hits 1)) (if (< hits 2) (raise (quote down)) (* x 3))))))) (list (flow/start (retry 3 (remote-node (quote edge) (quote flaky))) 7) hits)")
+  (list 21 2))
+
+;; ── failover (retry on a different peer, fall through to local) ──
+(flow-dist-test
+  "failover: first reachable peer serves the request"
+  (flow-d
+    "(flow-peer-register! (quote p2) (list (list (quote f) (lambda (x) (+ x 100))))) (flow/start (remote-failover (list (quote p2) (quote down)) (quote f) (flow-const (quote local))) 5)")
+  105)
+(flow-dist-test
+  "failover: skips an unreachable peer to the next one"
+  (flow-d
+    "(flow-peer-register! (quote p2) (list (list (quote f) (lambda (x) (+ x 100))))) (flow/start (remote-failover (list (quote down) (quote p2)) (quote f) (flow-const (quote local))) 5)")
+  105)
+(flow-dist-test
+  "failover: skips a peer whose function raises"
+  (flow-d
+    "(flow-peer-register! (quote bad) (list (list (quote f) (lambda (x) (raise (quote boom)))))) (flow-peer-register! (quote good) (list (list (quote f) (lambda (x) (* x 10))))) (flow/start (remote-failover (list (quote bad) (quote good)) (quote f) (flow-const 0)) 4)")
+  40)
+(flow-dist-test
+  "failover: all peers fail, the local fallback runs"
+  (flow-d
+    "(flow/start (remote-failover (list (quote down1) (quote down2)) (quote f) (lambda (x) (* x -1))) 9)")
+  -9)
+(flow-dist-test
+  "failover: threads the input through to the chosen peer"
+  (flow-d
+    "(flow-peer-register! (quote p) (list (list (quote f) (lambda (x) (list (quote got) x))))) (flow/start (sequence (lambda (x) (+ x 1)) (remote-failover (list (quote p)) (quote f) (flow-const 0))) 41)")
+  (list "got" 42))
+(flow-dist-test
+  "failover: composes inside a larger sequence"
+  (flow-d
+    "(flow-peer-register! (quote p) (list (list (quote f) (lambda (x) (* x 2))))) (flow/start (sequence (remote-failover (list (quote down) (quote p)) (quote f) (flow-const 1)) (lambda (x) (+ x 3))) 5)")
+  13)
+
+;; ── replication + handoff ───────────────────────────────────────
+(flow-dist-test
+  "replicate: a peer holds the exported store"
+  (flow-d
+    "(defflow w (lambda (x) (suspend (quote q)))) (flow/start w 10) (flow-replicate-to (quote peerB)) (if (flow-replica-get (quote peerB)) (quote replicated) (quote missing))")
+  "replicated")
+(flow-dist-test
+  "handoff: a peer resumes a flow after the local instance dies"
+  (flow-d
+    "(defflow w (sequence (lambda (x) (suspend (quote q))) (lambda (v) (list (quote done) v)))) (define id (car (cdr (flow/start w 10)))) (flow-replicate-to (quote peerB)) (set! flow-store (list)) (flow-restore-from (quote peerB)) (flow/resume id 55)")
+  (list "done" 55))
+(flow-dist-test
+  "handoff: restored peer reports the flow as resumable"
+  (flow-d
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 10)))) (flow-replicate-to (quote peerB)) (set! flow-store (list)) (flow-restore-from (quote peerB)) (flow-resumable-ids)")
+  (list 1))
+(flow-dist-test
+  "handoff: without restore the dead instance has lost the flow"
+  (flow-d
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 10)))) (flow-replicate-to (quote peerB)) (set! flow-store (list)) (flow/resume id 1)")
+  (list "flow-error" "no-such-flow"))
+(flow-dist-test
+  "restore: from an unknown peer yields false"
+  (flow-d "(flow-restore-from (quote nowhere))")
+  false)
+(flow-dist-test
+  "handoff: replication preserves the replay log across the move"
+  (flow-d
+    "(defflow two (sequence (lambda (x) (suspend (quote a))) (lambda (x) (suspend (quote b))) (lambda (x) (list x)))) (define id (car (cdr (flow/start two 0)))) (flow/resume id 11) (flow-replicate-to (quote peerB)) (set! flow-store (list)) (flow-restore-from (quote peerB)) (flow/resume id 22)")
+  (list 22))
+
+(define flow-dist-tests-run! (fn () {:total (+ flow-dist-pass flow-dist-fail) :passed flow-dist-pass :failed flow-dist-fail :fails flow-dist-fails}))

lib/flow/tests/host.sx

@@ -0,0 +1,106 @@
+;; lib/flow/tests/host.sx — Phase 8: host integration ABI (request/await/host-queue/driver).
+
+(define flow-hst-pass 0)
+(define flow-hst-fail 0)
+(define flow-hst-fails (list))
+
+(define
+  flow-hst-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-hst-pass (+ flow-hst-pass 1))
+      (begin
+        (set! flow-hst-fail (+ flow-hst-fail 1))
+        (append! flow-hst-fails {:name name :expected expected :actual actual})))))
+
+(define flow-hst (fn (src) (flow-run src)))
+
+;; ── request envelope ────────────────────────────────────────────
+(flow-hst-test
+  "request: suspends with a typed envelope"
+  (flow-hst
+    "(car (cdr (cdr (flow/start (lambda (x) (request (quote render) x)) 5))))")
+  (list "flow-request" "render" 5))
+(flow-hst-test
+  "request?: recognizes an envelope"
+  (flow-hst "(request? (list (quote flow-request) (quote human) 1))")
+  true)
+(flow-hst-test
+  "request?: a plain tag is not a request"
+  (flow-hst "(request? (list (quote review) 1))")
+  false)
+(flow-hst-test
+  "request-kind / request-payload: parse the envelope"
+  (flow-hst
+    "(define t (list (quote flow-request) (quote render) (list (quote recipe) 7))) (list (request-kind t) (request-payload t))")
+  (list "render" (list "recipe" 7)))
+
+;; ── named decision points ───────────────────────────────────────
+(flow-hst-test
+  "await-human: is a request of kind human"
+  (flow-hst
+    "(car (cdr (cdr (flow/start (lambda (x) (await-human x)) (quote approve?)))))")
+  (list "flow-request" "human" "approve?"))
+(flow-hst-test
+  "await-render: is a request of kind render"
+  (flow-hst
+    "(car (cdr (cdr (flow/start (lambda (x) (await-render x)) (quote recipe)))))")
+  (list "flow-request" "render" "recipe"))
+(flow-hst-test
+  "request: the host's resume value flows back into the flow"
+  (flow-hst
+    "(defflow f (sequence (lambda (x) (await-render x)) (lambda (art) (list (quote got) art)))) (define id (car (cdr (flow/start f 1)))) (flow/resume id (quote the-artifact))")
+  (list "got" "the-artifact"))
+
+;; ── host work queue ─────────────────────────────────────────────
+(flow-hst-test
+  "flow-host-requests: lists (id kind payload) for pending requests"
+  (flow-hst
+    "(flow/start (lambda (x) (await-render x)) 99) (flow-host-requests)")
+  (list (list 1 "render" 99)))
+(flow-hst-test
+  "flow-host-requests: excludes bare (non-request) suspends"
+  (flow-hst
+    "(defflow a (lambda (x) (await-render x))) (defflow b (lambda (x) (suspend (quote plain)))) (flow/start a 1) (flow/start b 2) (flow-host-requests)")
+  (list (list 1 "render" 1)))
+
+;; ── the art-dag-shaped host driver loop (manual resumes) ────────
+(flow-hst-test
+  "host driver: render then human-review then publish"
+  (flow-hst
+    "(defflow pipeline (sequence (lambda (recipe) (await-render recipe)) (lambda (art) (await-human (list (quote review) art))) (branch (lambda (d) (eq? d (quote approve))) (flow-const (quote published)) (flow-const (fail (quote rejected)))))) (define id (car (cdr (flow/start pipeline 99)))) (define r1 (flow-host-requests)) (flow/resume id (list (quote art) 99)) (define r2 (flow-host-requests)) (flow/resume id (quote approve)) (list r1 r2 (flow/status id) (flow/result id))")
+  (list
+    (list (list 1 "render" 99))
+    (list (list 1 "human" (list "review" (list "art" 99))))
+    "done"
+    "published"))
+(flow-hst-test
+  "host driver: rejection at the human gate yields a failure"
+  (flow-hst
+    "(defflow pipeline (sequence (lambda (recipe) (await-render recipe)) (lambda (art) (await-human (list (quote review) art))) (branch (lambda (d) (eq? d (quote approve))) (flow-const (quote published)) (flow-const (fail (quote rejected)))))) (define id (car (cdr (flow/start pipeline 1)))) (flow/resume id (quote artifact)) (failed? (flow/resume id (quote reject)))")
+  true)
+
+;; ── reference driver: host supplies only a dispatch fn ──────────
+(flow-hst-test
+  "flow-drive-host: one tick services every pending request"
+  (flow-hst
+    "(flow/start (lambda (x) (await-render x)) 5) (define n (flow-drive-host (lambda (k p) (list (quote done) p)))) (list n (flow/status 1) (flow/result 1))")
+  (list 1 "done" (list "done" 5)))
+(flow-hst-test
+  "flow-run-host: drives a render -> human pipeline to completion"
+  (flow-hst
+    "(defflow pipeline (sequence (lambda (recipe) (await-render recipe)) (lambda (art) (await-human (list (quote review) art))) (branch (lambda (d) (eq? d (quote approve))) (flow-const (quote published)) (flow-const (fail (quote rejected)))))) (define id (car (cdr (flow/start pipeline 99)))) (define serviced (flow-run-host (lambda (kind payload) (if (eq? kind (quote render)) (list (quote art) payload) (quote approve))) 10)) (list serviced (flow/status id) (flow/result id))")
+  (list 2 "done" "published"))
+(flow-hst-test
+  "flow-run-host: returns 0 when nothing is pending"
+  (flow-hst "(flow-run-host (lambda (k p) p) 5)")
+  0)
+(flow-hst-test
+  "flow-run-host: respects the maxticks bound"
+  (flow-hst
+    "(defflow pipe2 (sequence (lambda (r) (await-render r)) (lambda (a) (await-human a)) (lambda (d) d))) (define id (car (cdr (flow/start pipe2 1)))) (define serviced (flow-run-host (lambda (k p) p) 1)) (list serviced (flow/status id))")
+  (list 1 "suspended"))
+
+(define flow-hst-tests-run! (fn () {:total (+ flow-hst-pass flow-hst-fail) :passed flow-hst-pass :failed flow-hst-fail :fails flow-hst-fails}))

lib/flow/tests/hygiene.sx

@@ -0,0 +1,67 @@
+;; lib/flow/tests/hygiene.sx — Phase 5: store hygiene (flow/gc, flow/forget).
+
+(define flow-hyg-pass 0)
+(define flow-hyg-fail 0)
+(define flow-hyg-fails (list))
+
+(define
+  flow-hyg-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-hyg-pass (+ flow-hyg-pass 1))
+      (begin
+        (set! flow-hyg-fail (+ flow-hyg-fail 1))
+        (append! flow-hyg-fails {:name name :expected expected :actual actual})))))
+
+(define flow-h (fn (src) (flow-run src)))
+
+;; ── flow/gc ─────────────────────────────────────────────────────
+(flow-hyg-test
+  "gc: empty store removes nothing"
+  (flow-h "(flow/gc)")
+  0)
+(flow-hyg-test
+  "gc: removes a done flow, keeps a suspended one"
+  (flow-h
+    "(defflow w (lambda (x) (suspend (quote q)))) (flow/start w 0) (flow/start (lambda (x) x) 5) (define removed (flow/gc)) (list removed (flow/list))")
+  (list 1 (list (list 1 "suspended"))))
+(flow-hyg-test
+  "gc: removes a cancelled flow"
+  (flow-h
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (flow/cancel id) (flow/gc)")
+  1)
+(flow-hyg-test
+  "gc: a kept suspended flow is still resumable"
+  (flow-h
+    "(defflow w (sequence (lambda (x) (suspend (quote q))) (lambda (v) (* v 2)))) (define id (car (cdr (flow/start w 0)))) (flow/start (lambda (x) x) 1) (flow/gc) (flow/resume id 21)")
+  42)
+(flow-hyg-test
+  "gc: counts every terminal flow it drops"
+  (flow-h
+    "(flow/start (lambda (x) x) 1) (flow/start (lambda (x) x) 2) (defflow w (lambda (x) (suspend (quote q)))) (flow/start w 0) (flow/gc)")
+  2)
+
+;; ── flow/forget ─────────────────────────────────────────────────
+(flow-hyg-test
+  "forget: drops a completed flow"
+  (flow-h
+    "(defflow w (sequence (lambda (x) (suspend (quote q))) (lambda (v) v))) (define id (car (cdr (flow/start w 0)))) (flow/resume id 7) (list (flow/forget id) (flow/status id))")
+  (list true "unknown"))
+(flow-hyg-test
+  "forget: refuses to drop a live (suspended) flow"
+  (flow-h
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (list (flow/forget id) (flow/status id))")
+  (list false "suspended"))
+(flow-hyg-test
+  "forget: drops a cancelled flow"
+  (flow-h
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (flow/cancel id) (list (flow/forget id) (flow/status id))")
+  (list true "unknown"))
+(flow-hyg-test
+  "forget: unknown id yields false"
+  (flow-h "(flow/forget 999)")
+  false)
+
+(define flow-hyg-tests-run! (fn () {:total (+ flow-hyg-pass flow-hyg-fail) :passed flow-hyg-pass :failed flow-hyg-fail :fails flow-hyg-fails}))

lib/flow/tests/integration.sx

@@ -0,0 +1,115 @@
+;; lib/flow/tests/integration.sx — Phase 7: end-to-end flows composing every phase.
+
+(define flow-int-pass 0)
+(define flow-int-fail 0)
+(define flow-int-fails (list))
+
+(define
+  flow-int-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-int-pass (+ flow-int-pass 1))
+      (begin
+        (set! flow-int-fail (+ flow-int-fail 1))
+        (append! flow-int-fails {:name name :expected expected :actual actual})))))
+
+(define flow-i (fn (src) (flow-run src)))
+
+;; The order-processing flow, defined once per program via this prelude string:
+;;   validate amount (attempt: fail if <= 0)
+;;   -> suspend for payment confirmation (resume value = confirmed amount)
+;;   -> branch: confirmed>0 ? record on the ledger peer : declined failure
+(define
+  order-prelude
+  "(flow-peer-register! (quote ledger) (list (list (quote record) (lambda (amt) (list (quote recorded) amt)))))\n   (defflow order\n     (attempt\n       (lambda (amt) (if (> amt 0) amt (fail (quote invalid-amount))))\n       (lambda (amt) (suspend (quote await-payment)))\n       (branch (lambda (amt) (> amt 0))\n               (remote-node (quote ledger) (quote record))\n               (flow-const (fail (quote declined))))))")
+
+;; ── happy path through every phase ──────────────────────────────
+(flow-int-test
+  "order: validate -> suspend -> resume -> branch -> federate"
+  (flow-i
+    (str
+      order-prelude
+      "(define id (car (cdr (flow/start order 100)))) (flow/resume id 250)"))
+  (list "recorded" 250))
+(flow-int-test
+  "order: starting suspends awaiting payment"
+  (flow-i
+    (str
+      order-prelude
+      "(define s (flow/start order 100)) (list (car s) (car (cdr (cdr s))))"))
+  (list "flow-suspended" "await-payment"))
+(flow-int-test
+  "order: invalid amount fails up front and never suspends"
+  (flow-i
+    (str
+      order-prelude
+      "(define r (flow/start order -5)) (list (failed? r) (fail-reason r))"))
+  (list true "invalid-amount"))
+(flow-int-test
+  "order: a declined payment yields a failure value"
+  (flow-i
+    (str
+      order-prelude
+      "(define id (car (cdr (flow/start order 100)))) (failed? (flow/resume id 0))"))
+  true)
+
+;; ── crash recovery mid-flow ─────────────────────────────────────
+(flow-int-test
+  "order: survives a simulated crash between suspend and resume"
+  (flow-i
+    (str
+      order-prelude
+      "(define id (car (cdr (flow/start order 100)))) (define saved (flow-store-export)) (set! flow-store (list)) (flow-store-import! saved) (flow/resume id 250)"))
+  (list "recorded" 250))
+
+;; ── handoff to a peer mid-flow ──────────────────────────────────
+(flow-int-test
+  "order: hands off to a peer that resumes and completes"
+  (flow-i
+    (str
+      order-prelude
+      "(define id (car (cdr (flow/start order 100)))) (flow-replicate-to (quote nodeB)) (set! flow-store (list)) (flow-restore-from (quote nodeB)) (flow/resume id 250)"))
+  (list "recorded" 250))
+
+;; ── introspection during the flow's life ────────────────────────
+(flow-int-test
+  "order: pending shows what the flow awaits, then result after resume"
+  (flow-i
+    (str
+      order-prelude
+      "(define id (car (cdr (flow/start order 100)))) (define p (flow/pending)) (flow/resume id 250) (list p (flow/status id) (flow/result id))"))
+  (list
+    (list (list 1 "await-payment"))
+    "done"
+    (list "recorded" 250)))
+
+;; ── onboarding: two human steps + cancellation ──────────────────
+(define
+  onboard-prelude
+  "(defflow onboard\n     (sequence\n       (lambda (user) (+ user 1))\n       (lambda (x) (suspend (quote confirm-email)))\n       (lambda (x) (suspend (quote complete-profile)))\n       (lambda (x) (list (quote onboarded) x))))")
+
+(flow-int-test
+  "onboard: two suspends resume in order to completion"
+  (flow-i
+    (str
+      onboard-prelude
+      "(define id (car (cdr (flow/start onboard 0)))) (flow/resume id 7) (flow/resume id 9)"))
+  (list "onboarded" 9))
+(flow-int-test
+  "onboard: the second pending tag appears after the first resume"
+  (flow-i
+    (str
+      onboard-prelude
+      "(define id (car (cdr (flow/start onboard 0)))) (flow/resume id 7) (car (cdr (car (flow/pending))))"))
+  "complete-profile")
+(flow-int-test
+  "onboard: cancelling abandons the flow"
+  (flow-i
+    (str
+      onboard-prelude
+      "(define id (car (cdr (flow/start onboard 0)))) (flow/cancel id) (list (flow/status id) (car (flow/resume id 7)))"))
+  (list "cancelled" "flow-error"))
+
+(define flow-int-tests-run! (fn () {:total (+ flow-int-pass flow-int-fail) :passed flow-int-pass :failed flow-int-fail :fails flow-int-fails}))

lib/flow/tests/railway.sx

@@ -0,0 +1,73 @@
+;; lib/flow/tests/railway.sx — Phase 6: railway-oriented composition (attempt).
+
+(define flow-rail-pass 0)
+(define flow-rail-fail 0)
+(define flow-rail-fails (list))
+
+(define
+  flow-rail-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-rail-pass (+ flow-rail-pass 1))
+      (begin
+        (set! flow-rail-fail (+ flow-rail-fail 1))
+        (append! flow-rail-fails {:name name :expected expected :actual actual})))))
+
+(define flow-r (fn (src) (flow-run src)))
+
+;; ── attempt — short-circuit on the first (fail ...) ─────────────
+(flow-rail-test
+  "attempt: threads like sequence when nothing fails"
+  (flow-r
+    "(flow/start (attempt (lambda (x) (+ x 1)) (lambda (x) (* x 10))) 4)")
+  50)
+(flow-rail-test
+  "attempt: empty is identity"
+  (flow-r "(flow/start (attempt) 7)")
+  7)
+(flow-rail-test
+  "attempt: returns the first failure"
+  (flow-r
+    "(failed? (flow/start (attempt (lambda (x) (fail (quote bad))) (lambda (x) (* x 10))) 4))")
+  true)
+(flow-rail-test
+  "attempt: the failure carries its reason"
+  (flow-r
+    "(fail-reason (flow/start (attempt (lambda (x) x) (lambda (x) (fail (quote rejected)))) 4))")
+  "rejected")
+(flow-rail-test
+  "attempt: nodes after a failure do not run"
+  (flow-r
+    "(define ran 0) (flow/start (attempt (lambda (x) (fail (quote stop))) (lambda (x) (begin (set! ran (+ ran 1)) x))) 0) ran")
+  0)
+(flow-rail-test
+  "attempt: a failed input short-circuits immediately"
+  (flow-r
+    "(define ran 0) (fail-reason (flow/start (attempt (lambda (x) (begin (set! ran (+ ran 1)) x))) (fail (quote pre))))")
+  "pre")
+(flow-rail-test
+  "attempt: middle failure halts the chain"
+  (flow-r
+    "(define ran 0) (flow/start (attempt (lambda (x) (+ x 1)) (lambda (x) (fail (quote mid))) (lambda (x) (begin (set! ran (+ ran 1)) x))) 5) ran")
+  0)
+
+;; ── attempt + recover (rejoin the happy track) ──────────────────
+(flow-rail-test
+  "attempt + recover: recover turns a failure into a value"
+  (flow-r
+    "(flow/start (recover (attempt (lambda (x) (if (> x 0) x (fail (quote non-positive)))) (lambda (x) (* x 2))) (flow-const 0)) -5)")
+  0)
+(flow-rail-test
+  "attempt + recover: happy path passes recover through"
+  (flow-r
+    "(flow/start (recover (attempt (lambda (x) (if (> x 0) x (fail (quote non-positive)))) (lambda (x) (* x 2))) (flow-const 0)) 5)")
+  10)
+(flow-rail-test
+  "attempt: validation pipeline reports the failing stage"
+  (flow-r
+    "(defflow validate (attempt (lambda (s) (if (>= (string-length s) 3) s (fail (quote too-short)))) (lambda (s) (if (<= (string-length s) 8) s (fail (quote too-long)))) (lambda (s) (list (quote ok) (string-length s))))) (list (fail-reason (flow/start validate \"hi\")) (flow/start validate \"hello\"))")
+  (list "too-short" (list "ok" 5)))
+
+(define flow-rail-tests-run! (fn () {:total (+ flow-rail-pass flow-rail-fail) :passed flow-rail-pass :failed flow-rail-fail :fails flow-rail-fails}))

lib/flow/tests/recovery.sx

@@ -0,0 +1,71 @@
+;; lib/flow/tests/recovery.sx — Phase 3: crash recovery (store export/import + restart).
+;;
+;; "restart" is simulated within one program: (set! flow-store (list)) wipes the
+;; in-memory store (process death), while flow-registry persists as it would after
+;; reloading flow definitions. Recovery = import the exported (plain-data) store and
+;; resume; the flow proc is re-resolved by name.
+
+(define flow-rec-pass 0)
+(define flow-rec-fail 0)
+(define flow-rec-fails (list))
+
+(define
+  flow-rec-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-rec-pass (+ flow-rec-pass 1))
+      (begin
+        (set! flow-rec-fail (+ flow-rec-fail 1))
+        (append! flow-rec-fails {:name name :expected expected :actual actual})))))
+
+(define flow-r (fn (src) (flow-run src)))
+
+;; ── export / wipe / import ──────────────────────────────────────
+(flow-rec-test
+  "export nulls the live procedure"
+  (flow-r
+    "(defflow w (lambda (x) (suspend (quote await)))) (flow/start w 10) (car (cdr (car (cdr (car (flow-store-export))))))")
+  false)
+(flow-rec-test
+  "a wiped store loses the flow (process death)"
+  (flow-r
+    "(defflow w (lambda (x) (suspend (quote await)))) (define id (car (cdr (flow/start w 10)))) (set! flow-store (list)) (flow/resume id 1)")
+  (list "flow-error" "no-such-flow"))
+(flow-rec-test
+  "import restores a wiped store and resume completes"
+  (flow-r
+    "(defflow w (sequence (lambda (x) (suspend (quote await))) (lambda (c) (list (quote done) c)))) (define id (car (cdr (flow/start w 10)))) (define saved (flow-store-export)) (set! flow-store (list)) (flow-store-import! saved) (flow/resume id 777)")
+  (list "done" 777))
+
+;; ── resumable scan ──────────────────────────────────────────────
+(flow-rec-test
+  "resumable-ids lists the suspended flow after import"
+  (flow-r
+    "(defflow w (lambda (x) (suspend (quote await)))) (define id (car (cdr (flow/start w 10)))) (define saved (flow-store-export)) (set! flow-store (list)) (flow-store-import! saved) (flow-resumable-ids)")
+  (list 1))
+(flow-rec-test
+  "resumable-ids excludes completed flows"
+  (flow-r
+    "(defflow w (sequence (lambda (x) (suspend (quote await))) (lambda (c) c))) (define id (car (cdr (flow/start w 10)))) (flow/resume id 5) (flow-resumable-ids)")
+  (list))
+(flow-rec-test
+  "resumable-ids excludes cancelled flows after import"
+  (flow-r
+    "(defflow w (lambda (x) (suspend (quote await)))) (define id (car (cdr (flow/start w 10)))) (flow/cancel id) (define saved (flow-store-export)) (set! flow-store (list)) (flow-store-import! saved) (flow-resumable-ids)")
+  (list))
+
+;; ── restart at every step ───────────────────────────────────────
+(flow-rec-test
+  "two suspends survive a restart between each step"
+  (flow-r
+    "(defflow two (sequence (lambda (x) (suspend (quote a))) (lambda (x) (suspend (quote b))) (lambda (x) (list (quote end) x)))) (define id (car (cdr (flow/start two 0)))) (define s1 (flow-store-export)) (set! flow-store (list)) (flow-store-import! s1) (flow/resume id 100) (define s2 (flow-store-export)) (set! flow-store (list)) (flow-store-import! s2) (flow/resume id 200)")
+  (list "end" 200))
+(flow-rec-test
+  "import preserves the replay log (earlier value survives restart)"
+  (flow-r
+    "(defflow two (sequence (lambda (x) (suspend (quote a))) (lambda (x) (suspend (quote b))) (lambda (x) (list x)))) (define id (car (cdr (flow/start two 0)))) (flow/resume id 11) (define saved (flow-store-export)) (set! flow-store (list)) (flow-store-import! saved) (flow/resume id 22)")
+  (list 22))
+
+(define flow-rec-tests-run! (fn () {:total (+ flow-rec-pass flow-rec-fail) :passed flow-rec-pass :failed flow-rec-fail :fails flow-rec-fails}))

lib/flow/tests/suspend.sx

@@ -0,0 +1,114 @@
+;; lib/flow/tests/suspend.sx — Phase 3: suspend / resume / cancel (deterministic replay).
+
+(define flow-sus-pass 0)
+(define flow-sus-fail 0)
+(define flow-sus-fails (list))
+
+(define
+  flow-sus-test
+  (fn
+    (name actual expected)
+    (if
+      (= actual expected)
+      (set! flow-sus-pass (+ flow-sus-pass 1))
+      (begin
+        (set! flow-sus-fail (+ flow-sus-fail 1))
+        (append! flow-sus-fails {:name name :expected expected :actual actual})))))
+
+(define flow-s (fn (src) (flow-run src)))
+
+;; ── flow/start ──────────────────────────────────────────────────
+(flow-sus-test
+  "start: non-suspending flow returns the raw result"
+  (flow-s "(flow/start (lambda (x) (* x 2)) 5)")
+  10)
+(flow-sus-test
+  "start: a suspending flow returns a flow-suspended state"
+  (flow-s
+    "(defflow w (sequence (lambda (x) (+ x 1)) (lambda (g) (suspend (quote await))) (lambda (c) c))) (car (flow/start w 10))")
+  "flow-suspended")
+(flow-sus-test
+  "start: suspended state carries a numeric id"
+  (flow-s
+    "(defflow w (lambda (x) (suspend (quote await)))) (car (cdr (flow/start w 10)))")
+  1)
+(flow-sus-test
+  "start: suspended state carries the suspend tag"
+  (flow-s
+    "(defflow w (lambda (x) (suspend (quote await)))) (car (cdr (cdr (flow/start w 10))))")
+  "await")
+
+;; ── flow/resume ─────────────────────────────────────────────────
+(flow-sus-test
+  "resume: injects the value and completes"
+  (flow-s
+    "(defflow w (sequence (lambda (x) (+ x 1)) (lambda (g) (suspend (quote await))) (lambda (c) (list (quote done) c)))) (define s (flow/start w 10)) (flow/resume (car (cdr s)) 777)")
+  (list "done" 777))
+(flow-sus-test
+  "resume: injected value threads into the next node"
+  (flow-s
+    "(defflow w (sequence (lambda (x) (suspend (quote v))) (lambda (n) (* n 3)))) (define s (flow/start w 0)) (flow/resume (car (cdr s)) 14)")
+  42)
+(flow-sus-test
+  "resume: replays earlier suspends (recompute is deterministic)"
+  (flow-s
+    "(define runs 0) (defflow w (sequence (lambda (x) (begin (set! runs (+ runs 1)) (+ x 1))) (lambda (g) (suspend (quote await))) (lambda (c) c))) (define s (flow/start w 10)) (flow/resume (car (cdr s)) 99) runs")
+  2)
+
+;; ── multi-step suspension ───────────────────────────────────────
+(flow-sus-test
+  "multi: first resume suspends at the next tag"
+  (flow-s
+    "(defflow two (sequence (lambda (x) (suspend (quote a))) (lambda (x) (suspend (quote b))) (lambda (x) (list (quote end) x)))) (define s (flow/start two 0)) (define s2 (flow/resume (car (cdr s)) 100)) (car (cdr (cdr s2)))")
+  "b")
+(flow-sus-test
+  "multi: second resume completes with the latest value"
+  (flow-s
+    "(defflow two (sequence (lambda (x) (suspend (quote a))) (lambda (x) (suspend (quote b))) (lambda (x) (list (quote end) x)))) (define id (car (cdr (flow/start two 0)))) (flow/resume id 100) (flow/resume id 200)")
+  (list "end" 200))
+
+;; ── error / lifecycle guards ────────────────────────────────────
+(flow-sus-test
+  "resume: completed flow cannot be resumed again"
+  (flow-s
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (flow/resume id 1) (flow/resume id 2)")
+  (list "flow-error" "not-suspended"))
+(flow-sus-test
+  "resume: unknown id errors"
+  (flow-s "(flow/resume 999 1)")
+  (list "flow-error" "no-such-flow"))
+
+;; ── flow/cancel ─────────────────────────────────────────────────
+(flow-sus-test
+  "cancel: returns a flow-cancelled state"
+  (flow-s
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (flow/cancel id)")
+  (list "flow-cancelled" 1))
+(flow-sus-test
+  "cancel: a cancelled flow cannot be resumed (stale resume rejected)"
+  (flow-s
+    "(defflow w (lambda (x) (suspend (quote q)))) (define id (car (cdr (flow/start w 0)))) (flow/cancel id) (flow/resume id 5)")
+  (list "flow-error" "not-suspended"))
+(flow-sus-test
+  "cancel: unknown id errors"
+  (flow-s "(flow/cancel 999)")
+  (list "flow-error" "no-such-flow"))
+
+;; ── composition ─────────────────────────────────────────────────
+(flow-sus-test
+  "suspend inside a branch arm"
+  (flow-s
+    "(defflow gate (branch (lambda (x) (> x 0)) (lambda (x) (suspend (quote approve))) (flow-const (quote rejected)))) (define s (flow/start gate 5)) (flow/resume (car (cdr s)) (quote approved))")
+  "approved")
+(flow-sus-test
+  "two independent runs get independent ids"
+  (flow-s
+    "(defflow w (lambda (x) (suspend (quote q)))) (list (car (cdr (flow/start w 0))) (car (cdr (flow/start w 0))))")
+  (list 1 2))
+(flow-sus-test
+  "suspend reason may be a structured value"
+  (flow-s
+    "(defflow w (lambda (x) (suspend (list (quote needs) (quote approval))))) (car (cdr (cdr (flow/start w 0))))")
+  (list "needs" "approval"))
+
+(define flow-sus-tests-run! (fn () {:total (+ flow-sus-pass flow-sus-fail) :passed flow-sus-pass :failed flow-sus-fail :fails flow-sus-fails}))

lib/identity/audit.sx

@@ -0,0 +1,27 @@
+;; identity/audit.sx — the grant audit ledger.
+;;
+;; Every transition that changes a grant — issue, refresh, revoke (and,
+;; wired from oauth, consent) — appends an immutable event to this
+;; append-only process. The ledger is queryable by subject, which is what
+;; `(identity/audit subject)` answers. This is the in-memory realisation
+;; of the event stream; a persist-backed stream is a later substrate
+;; concern (Erlang↔persist bridge), kept out of scope here per the loop's
+;; \"in-memory log until persist lands\" allowance — the queryable
+;; semantics are identical.
+;;
+;; Events are {Seq, Subject, Action}; Seq is a monotonic sequence number.
+;; Reads return chronological (oldest-first) order:
+;;
+;;   record(A, Subject, Action)  -> ok       (one-way; FIFO-ordered)
+;;   audit(A, Subject)           -> [{Seq, Subject, Action}, ...]
+;;   actions(A, Subject)         -> [Action, ...]
+;;   count(A, Subject)           -> N
+;;   all(A)                      -> [{Seq, Subject, Action}, ...]
+
+(define
+  identity-audit-source
+  "-module(identity_audit).\n\n   start() ->\n     spawn(fun () -> loop([], 0) end).\n\n   record(A, Subject, Action) ->\n     A ! {event, Subject, Action},\n     ok.\n\n   audit(A, Subject) ->\n     A ! {audit, Subject, self()},\n     receive {audit_reply, R} -> R end.\n\n   actions(A, Subject) ->\n     A ! {actions, Subject, self()},\n     receive {audit_reply, R} -> R end.\n\n   count(A, Subject) ->\n     A ! {count, Subject, self()},\n     receive {audit_reply, R} -> R end.\n\n   all(A) ->\n     A ! {all, self()},\n     receive {audit_reply, R} -> R end.\n\n   loop(Events, Seq) ->\n     receive\n       {event, Subject, Action} ->\n         loop([{Seq, Subject, Action} | Events], Seq + 1);\n       {audit, Subject, From} ->\n         From ! {audit_reply, collect(Subject, Events, [])},\n         loop(Events, Seq);\n       {actions, Subject, From} ->\n         From ! {audit_reply, action_list(Subject, Events, [])},\n         loop(Events, Seq);\n       {count, Subject, From} ->\n         From ! {audit_reply, count_subj(Subject, Events, 0)},\n         loop(Events, Seq);\n       {all, From} ->\n         From ! {audit_reply, reverse(Events, [])},\n         loop(Events, Seq);\n       {stop, From} ->\n         From ! {audit_reply, ok}\n     end.\n\n   collect(_, [], Acc) -> Acc;\n   collect(Subject, [{Seq, S, A} | Rest], Acc) ->\n     case S =:= Subject of\n       true -> collect(Subject, Rest, [{Seq, S, A} | Acc]);\n       false -> collect(Subject, Rest, Acc)\n     end.\n\n   action_list(_, [], Acc) -> Acc;\n   action_list(Subject, [{_, S, A} | Rest], Acc) ->\n     case S =:= Subject of\n       true -> action_list(Subject, Rest, [A | Acc]);\n       false -> action_list(Subject, Rest, Acc)\n     end.\n\n   count_subj(_, [], N) -> N;\n   count_subj(Subject, [{_, S, _} | Rest], N) ->\n     case S =:= Subject of\n       true -> count_subj(Subject, Rest, N + 1);\n       false -> count_subj(Subject, Rest, N)\n     end.\n\n   reverse([], Acc) -> Acc;\n   reverse([H | T], Acc) -> reverse(T, [H | Acc]).")
+
+(define
+  identity-load-audit!
+  (fn () (erlang-load-module identity-audit-source)))

lib/identity/cache.sx

@@ -0,0 +1,29 @@
+;; identity/cache.sx — a delegated grant-verification cache, mirroring the
+;; Redis-cache pattern apps use in front of grant verification.
+;;
+;; The cache is a process wrapping a token registry. introspect() is
+;; memoised; issue/issue_grant/refresh/revoke pass through. The danger
+;; with any cache is staleness: a revoked token must NOT keep reading
+;; valid out of the cache, not even for a millisecond (the loop's hard
+;; rule). We get that for free with GENERATION invalidation:
+;;
+;;   - each cache entry records the generation it was written at;
+;;   - a hit requires entry.generation == current generation;
+;;   - any state-changing op that can invalidate an existing token
+;;     (revoke — which cascades to a grant; refresh — whose reuse cascades)
+;;     bumps the generation.
+;;
+;; So a single revoke instantly invalidates every cached positive: the
+;; next introspect is a miss and re-validates against the live registry,
+;; which returns {inactive}. Revocation stays real; the cache only ever
+;; accelerates the steady state, never overrides a revocation.
+;;
+;; stats() -> {Hits, Misses} so callers can see the cache is live.
+
+(define
+  identity-cache-source
+  "-module(identity_grant_cache).\n\n   start() ->\n     spawn(fun () ->\n       Reg = identity_tokens:start(),\n       loop(Reg, 1, [], 0, 0)\n     end).\n\n   issue(C, Subject, Client, Scope) ->\n     C ! {issue, Subject, Client, Scope, self()},\n     receive {cache_reply, R} -> R end.\n\n   issue_grant(C, Subject, Client, Scope) ->\n     C ! {issue_grant, Subject, Client, Scope, self()},\n     receive {cache_reply, R} -> R end.\n\n   refresh(C, RefreshTok) ->\n     C ! {refresh, RefreshTok, self()},\n     receive {cache_reply, R} -> R end.\n\n   introspect(C, Token) ->\n     C ! {introspect, Token, self()},\n     receive {cache_reply, R} -> R end.\n\n   revoke(C, Token) ->\n     C ! {revoke, Token, self()},\n     receive {cache_reply, R} -> R end.\n\n   stats(C) ->\n     C ! {stats, self()},\n     receive {cache_reply, R} -> R end.\n\n   loop(Reg, Gen, Entries, Hits, Misses) ->\n     receive\n       {introspect, Tok, From} ->\n         case lookup_fresh(Tok, Gen, Entries) of\n           {hit, Result} ->\n             From ! {cache_reply, Result},\n             loop(Reg, Gen, Entries, Hits + 1, Misses);\n           miss ->\n             Result = identity_tokens:introspect(Reg, Tok),\n             From ! {cache_reply, Result},\n             loop(Reg, Gen, put_entry(Tok, Result, Gen, Entries), Hits, Misses + 1)\n         end;\n       {issue, Subject, Client, Scope, From} ->\n         From ! {cache_reply, identity_tokens:issue(Reg, Subject, Client, Scope)},\n         loop(Reg, Gen, Entries, Hits, Misses);\n       {issue_grant, Subject, Client, Scope, From} ->\n         From ! {cache_reply, identity_tokens:issue_grant(Reg, Subject, Client, Scope)},\n         loop(Reg, Gen, Entries, Hits, Misses);\n       {refresh, RTok, From} ->\n         From ! {cache_reply, identity_tokens:refresh(Reg, RTok)},\n         loop(Reg, Gen + 1, Entries, Hits, Misses);\n       {revoke, Tok, From} ->\n         identity_tokens:revoke(Reg, Tok),\n         From ! {cache_reply, ok},\n         loop(Reg, Gen + 1, Entries, Hits, Misses);\n       {stats, From} ->\n         From ! {cache_reply, {Hits, Misses}},\n         loop(Reg, Gen, Entries, Hits, Misses)\n     end.\n\n   lookup_fresh(_, _, []) -> miss;\n   lookup_fresh(Tok, Gen, [{T, {Result, G}} | Rest]) ->\n     case T =:= Tok of\n       true ->\n         case G =:= Gen of\n           true -> {hit, Result};\n           false -> miss\n         end;\n       false -> lookup_fresh(Tok, Gen, Rest)\n     end.\n\n   put_entry(Tok, Result, Gen, Entries) ->\n     [{Tok, {Result, Gen}} | remove(Tok, Entries)].\n\n   remove(_, []) -> [];\n   remove(Tok, [{T, V} | Rest]) ->\n     case T =:= Tok of\n       true -> remove(Tok, Rest);\n       false -> [{T, V} | remove(Tok, Rest)]\n     end.")
+
+(define
+  identity-load-cache!
+  (fn () (erlang-load-module identity-cache-source)))

lib/identity/clients.sx

@@ -0,0 +1,28 @@
+;; identity/clients.sx — the OAuth client registry (RFC 6749 §2).
+;;
+;; A client is registered with a type, a secret, and its allow-listed
+;; redirect_uris:
+;;
+;;   public        — cannot keep a secret (SPAs, native apps, §2.1);
+;;                   identified but not authenticated.
+;;   confidential  — can authenticate; MUST present its secret at the token
+;;                   endpoint (§3.2.1, §4.1.3). A wrong secret is
+;;                   invalid_client — never a soft pass.
+;;
+;; Redirect URIs must be pre-registered (§3.1.2.2 + OAuth Security BCP):
+;; valid_redirect/3 is the exact-match check the authorize/exchange steps
+;; consult so an attacker cannot redirect the code to an unregistered URI.
+;;
+;;   register(C, ClientId, Type, Secret, RedirectUris) -> ok | {error, exists}
+;;   lookup(C, ClientId)            -> {ok, Type, RedirectUris} | {error, unknown_client}
+;;   authenticate(C, ClientId, Sec) -> {ok, public} | {ok, confidential}
+;;                                   | {error, invalid_client} | {error, unknown_client}
+;;   valid_redirect(C, ClientId, U) -> true | false
+
+(define
+  identity-clients-source
+  "-module(identity_clients).\n\n   start() ->\n     spawn(fun () -> loop([]) end).\n\n   register(C, ClientId, Type, Secret, RedirectUris) ->\n     C ! {register, ClientId, Type, Secret, RedirectUris, self()},\n     receive {client_reply, R} -> R end.\n\n   lookup(C, ClientId) ->\n     C ! {lookup, ClientId, self()},\n     receive {client_reply, R} -> R end.\n\n   authenticate(C, ClientId, Secret) ->\n     C ! {authenticate, ClientId, Secret, self()},\n     receive {client_reply, R} -> R end.\n\n   valid_redirect(C, ClientId, Uri) ->\n     C ! {valid_redirect, ClientId, Uri, self()},\n     receive {client_reply, R} -> R end.\n\n   loop(Clients) ->\n     receive\n       {register, ClientId, Type, Secret, RedirectUris, From} ->\n         case find(ClientId, Clients) of\n           {ok, _} ->\n             From ! {client_reply, {error, exists}},\n             loop(Clients);\n           none ->\n             From ! {client_reply, ok},\n             loop([{ClientId, {Type, Secret, RedirectUris}} | Clients])\n         end;\n       {lookup, ClientId, From} ->\n         case find(ClientId, Clients) of\n           none -> From ! {client_reply, {error, unknown_client}};\n           {ok, {Type, _, Uris}} -> From ! {client_reply, {ok, Type, Uris}}\n         end,\n         loop(Clients);\n       {authenticate, ClientId, Secret, From} ->\n         case find(ClientId, Clients) of\n           none ->\n             From ! {client_reply, {error, unknown_client}};\n           {ok, {public, _, _}} ->\n             From ! {client_reply, {ok, public}};\n           {ok, {confidential, S, _}} ->\n             case S =:= Secret of\n               true -> From ! {client_reply, {ok, confidential}};\n               false -> From ! {client_reply, {error, invalid_client}}\n             end\n         end,\n         loop(Clients);\n       {valid_redirect, ClientId, Uri, From} ->\n         case find(ClientId, Clients) of\n           none -> From ! {client_reply, false};\n           {ok, {_, _, Uris}} -> From ! {client_reply, member(Uri, Uris)}\n         end,\n         loop(Clients);\n       {stop, From} ->\n         From ! {client_reply, ok}\n     end.\n\n   member(_, []) -> false;\n   member(X, [Y | Rest]) ->\n     case X =:= Y of\n       true -> true;\n       false -> member(X, Rest)\n     end.\n\n   find(_, []) -> none;\n   find(Key, [{K, V} | Rest]) ->\n     case K =:= Key of\n       true -> {ok, V};\n       false -> find(Key, Rest)\n     end.")
+
+(define
+  identity-load-clients!
+  (fn () (erlang-load-module identity-clients-source)))

lib/identity/conformance.sh

@@ -0,0 +1,215 @@
+#!/usr/bin/env bash
+# identity-on-sx conformance runner.
+#
+# Loads the Erlang-on-SX substrate, the identity library, and every
+# identity test suite via the epoch protocol, collects pass/fail counts,
+# and writes lib/identity/scoreboard.json + .md.
+#
+# Usage:
+#   bash lib/identity/conformance.sh        # run all suites
+#   bash lib/identity/conformance.sh -v     # verbose per-suite
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+TMPFILE=$(mktemp)
+OUTFILE=$(mktemp)
+trap "rm -f $TMPFILE $OUTFILE" EXIT
+
+# Each suite: name | counter pass | counter total
+SUITES=(
+  "session|id-session-test-pass|id-session-test-count"
+  "token|id-token-test-pass|id-token-test-count"
+  "registry|id-registry-test-pass|id-registry-test-count"
+  "api|id-api-test-pass|id-api-test-count"
+  "oauth|id-oauth-test-pass|id-oauth-test-count"
+  "sso|id-sso-test-pass|id-sso-test-count"
+  "membership|id-membership-test-pass|id-membership-test-count"
+  "cache|id-cache-test-pass|id-cache-test-count"
+  "audit|id-audit-test-pass|id-audit-test-count"
+  "federation|id-fed-test-pass|id-fed-test-count"
+  "expiry|id-expiry-test-pass|id-expiry-test-count"
+  "clients|id-clients-test-pass|id-clients-test-count"
+  "grants|id-grants-test-pass|id-grants-test-count"
+  "device|id-device-test-pass|id-device-test-count"
+  "facade|id-facade-test-pass|id-facade-test-count"
+  "delegation|id-deleg-test-pass|id-deleg-test-count"
+  "session-mgmt|id-smgmt-test-pass|id-smgmt-test-count"
+  "exchange|id-xchg-test-pass|id-xchg-test-count"
+  "introspect|id-intr-test-pass|id-intr-test-count"
+  "par|id-par-test-pass|id-par-test-count"
+  "dynreg|id-dyn-test-pass|id-dyn-test-count"
+  "account|id-acct-test-pass|id-acct-test-count"
+)
+
+cat > "$TMPFILE" << 'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/identity/session.sx")
+(load "lib/identity/token.sx")
+(load "lib/identity/registry.sx")
+(load "lib/identity/api.sx")
+(load "lib/identity/oauth.sx")
+(load "lib/identity/membership.sx")
+(load "lib/identity/cache.sx")
+(load "lib/identity/audit.sx")
+(load "lib/identity/federation.sx")
+(load "lib/identity/clients.sx")
+(load "lib/identity/device.sx")
+(load "lib/identity/delegation.sx")
+(load "lib/identity/tests/session.sx")
+(load "lib/identity/tests/token.sx")
+(load "lib/identity/tests/registry.sx")
+(load "lib/identity/tests/api.sx")
+(load "lib/identity/tests/oauth.sx")
+(load "lib/identity/tests/sso.sx")
+(load "lib/identity/tests/membership.sx")
+(load "lib/identity/tests/cache.sx")
+(load "lib/identity/tests/audit.sx")
+(load "lib/identity/tests/federation.sx")
+(load "lib/identity/tests/expiry.sx")
+(load "lib/identity/tests/clients.sx")
+(load "lib/identity/tests/grants.sx")
+(load "lib/identity/tests/device.sx")
+(load "lib/identity/tests/facade.sx")
+(load "lib/identity/tests/delegation.sx")
+(load "lib/identity/tests/session_mgmt.sx")
+(load "lib/identity/tests/exchange.sx")
+(load "lib/identity/tests/introspect.sx")
+(load "lib/identity/tests/par.sx")
+(load "lib/identity/tests/dynreg.sx")
+(load "lib/identity/tests/account.sx")
+(epoch 100)
+(eval "(list id-session-test-pass id-session-test-count)")
+(epoch 101)
+(eval "(list id-token-test-pass id-token-test-count)")
+(epoch 102)
+(eval "(list id-registry-test-pass id-registry-test-count)")
+(epoch 103)
+(eval "(list id-api-test-pass id-api-test-count)")
+(epoch 104)
+(eval "(list id-oauth-test-pass id-oauth-test-count)")
+(epoch 105)
+(eval "(list id-sso-test-pass id-sso-test-count)")
+(epoch 106)
+(eval "(list id-membership-test-pass id-membership-test-count)")
+(epoch 107)
+(eval "(list id-cache-test-pass id-cache-test-count)")
+(epoch 108)
+(eval "(list id-audit-test-pass id-audit-test-count)")
+(epoch 109)
+(eval "(list id-fed-test-pass id-fed-test-count)")
+(epoch 110)
+(eval "(list id-expiry-test-pass id-expiry-test-count)")
+(epoch 111)
+(eval "(list id-clients-test-pass id-clients-test-count)")
+(epoch 112)
+(eval "(list id-grants-test-pass id-grants-test-count)")
+(epoch 113)
+(eval "(list id-device-test-pass id-device-test-count)")
+(epoch 114)
+(eval "(list id-facade-test-pass id-facade-test-count)")
+(epoch 115)
+(eval "(list id-deleg-test-pass id-deleg-test-count)")
+(epoch 116)
+(eval "(list id-smgmt-test-pass id-smgmt-test-count)")
+(epoch 117)
+(eval "(list id-xchg-test-pass id-xchg-test-count)")
+(epoch 118)
+(eval "(list id-intr-test-pass id-intr-test-count)")
+(epoch 119)
+(eval "(list id-par-test-pass id-par-test-count)")
+(epoch 120)
+(eval "(list id-dyn-test-pass id-dyn-test-count)")
+(epoch 121)
+(eval "(list id-acct-test-pass id-acct-test-count)")
+EPOCHS
+
+timeout 1200 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
+
+parse_pair() {
+  local epoch="$1"
+  local line
+  line=$(grep -A1 "^(ok-len $epoch " "$OUTFILE" | tail -1)
+  echo "$line" | sed -E 's/[()]//g'
+}
+
+TOTAL_PASS=0
+TOTAL_COUNT=0
+JSON_SUITES=""
+MD_ROWS=""
+
+idx=0
+for entry in "${SUITES[@]}"; do
+  name="${entry%%|*}"
+  epoch=$((100 + idx))
+  pair=$(parse_pair "$epoch")
+  pass=$(echo "$pair" | awk '{print $1}')
+  count=$(echo "$pair" | awk '{print $2}')
+  if [ -z "$pass" ] || [ -z "$count" ]; then
+    pass=0
+    count=0
+  fi
+  TOTAL_PASS=$((TOTAL_PASS + pass))
+  TOTAL_COUNT=$((TOTAL_COUNT + count))
+  status="ok"
+  marker="✅"
+  if [ "$pass" != "$count" ]; then
+    status="fail"
+    marker="❌"
+  fi
+  if [ "$VERBOSE" = "-v" ]; then
+    printf "  %-12s %s/%s\n" "$name" "$pass" "$count"
+  fi
+  if [ -n "$JSON_SUITES" ]; then JSON_SUITES+=","; fi
+  JSON_SUITES+=$'\n    '
+  JSON_SUITES+="{\"name\":\"$name\",\"pass\":$pass,\"total\":$count,\"status\":\"$status\"}"
+  MD_ROWS+="| $marker | $name | $pass | $count |"$'\n'
+  idx=$((idx + 1))
+done
+
+printf '\nidentity-on-sx conformance: %d / %d\n' "$TOTAL_PASS" "$TOTAL_COUNT"
+
+cat > lib/identity/scoreboard.json <<JSON
+{
+  "language": "identity",
+  "total_pass": $TOTAL_PASS,
+  "total": $TOTAL_COUNT,
+  "suites": [$JSON_SUITES
+  ]
+}
+JSON
+
+cat > lib/identity/scoreboard.md <<MD
+# identity-on-sx Scoreboard
+
+**Total: ${TOTAL_PASS} / ${TOTAL_COUNT} tests passing**
+
+|  | Suite | Pass | Total |
+|---|---|---|---|
+$MD_ROWS
+
+Generated by \`lib/identity/conformance.sh\`.
+MD
+
+if [ "$TOTAL_PASS" -eq "$TOTAL_COUNT" ]; then
+  exit 0
+else
+  exit 1
+fi

lib/identity/delegation.sx

@@ -0,0 +1,34 @@
+;; identity/delegation.sx — the identity -> acl delegation boundary.
+;;
+;; This is the loop's central architectural rule made concrete:
+;; AUTHENTICATION is identity's job; AUTHORIZATION is acl's. A request is
+;; checked in two stages, and the order matters:
+;;
+;;   1. identity proves WHO via the opaque token (introspect). If the token
+;;      is inactive, the answer is {error, unauthenticated} — a 401. acl is
+;;      NEVER consulted; \"I don't know who you are\" is not a permission
+;;      question.
+;;   2. only for an authenticated subject does identity construct the
+;;      permission query {Subject, Scope, Action, Resource} and HAND IT OFF
+;;      to acl. acl returns permit | deny; deny is {error, forbidden} — a
+;;      403. identity itself never decides permission.
+;;
+;; The real decider is acl-on-sx (Datalog), which runs as a different
+;; guest language on SX and is wired in at the integration layer. Here the
+;; acl side is a labelled STUB process so the boundary is exercised: it
+;; permits when the Action is within the token's granted Scope. Swap the
+;; stub pid for the acl adapter and the boundary is unchanged.
+;;
+;;   check(TokReg, Acl, Token, Action, Resource) ->
+;;     {ok, Subject} | {error, unauthenticated} | {error, forbidden}
+
+(define
+  identity-delegation-source
+  "-module(identity_delegation).\n\n   check(TokReg, Acl, Token, Action, Resource) ->\n     case identity_tokens:introspect(TokReg, Token) of\n       {inactive} ->\n         {error, unauthenticated};\n       {active, Subject, _Client, Scope} ->\n         Acl ! {acl_query, Subject, Scope, Action, Resource, self()},\n         receive {acl_verdict, V} ->\n           case V of\n             permit -> {ok, Subject};\n             deny -> {error, forbidden}\n           end\n         end\n     end.\n\n   %% --- stub acl decider (stands in for acl-on-sx / Datalog) ---\n   %% Permits iff the Action is one of the token's granted scopes. The real\n   %% acl decides on rules + facts; this only exercises the handoff shape.\n   stub_acl() ->\n     spawn(fun () -> acl_loop() end).\n\n   acl_loop() ->\n     receive\n       {acl_query, _Subject, Scope, Action, _Resource, From} ->\n         From ! {acl_verdict, decide(Action, Scope)},\n         acl_loop();\n       stop ->\n         ok\n     end.\n\n   decide(Action, Scope) ->\n     case member(Action, Scope) of\n       true -> permit;\n       false -> deny\n     end.\n\n   member(_, []) -> false;\n   member(X, [Y | Rest]) ->\n     case X =:= Y of\n       true -> true;\n       false -> member(X, Rest)\n     end.")
+
+(define
+  identity-load-delegation!
+  (fn
+    ()
+    (identity-load-token!)
+    (erlang-load-module identity-delegation-source)))

lib/identity/device.sx

@@ -0,0 +1,33 @@
+;; identity/device.sx — the device authorization grant (RFC 8628).
+;;
+;; For input-constrained devices (TVs, CLIs): the device gets a device_code
+;; + user_code, the user approves out-of-band on another device, and the
+;; device polls the token endpoint until it flips. The poll status machine
+;; is RFC 8628 §3.5:
+;;
+;;   authorize(ClientId, Scope) -> {ok, DeviceCode, UserCode}
+;;   approve(UserCode, Subject) -> ok | {error, ...}   (the human's browser)
+;;   deny(UserCode)             -> ok | {error, ...}
+;;   poll(DeviceCode) ->
+;;     pending  -> {error, authorization_pending}
+;;     denied   -> {error, access_denied}
+;;     approved -> {ok, Token}        (device code is then single-use)
+;;     consumed -> {error, invalid_grant}
+;;     unknown  -> {error, invalid_grant}
+;;
+;; Tokens are grant-backed (token.sx) so revocation stays real. Device-code
+;; expiry and slow_down (poll-rate limiting) are deferred — the substrate
+;; has no wall clock and the core status machine is the security-relevant
+;; part; introspect via token.sx already honours token TTL.
+;;
+;; State: loop(TokReg, Requests) where Requests is
+;;   [{DeviceCode, UserCode, ClientId, Scope, Status}]
+;;   Status :: pending | {approved, Subject} | denied | consumed
+
+(define
+  identity-device-source
+  "-module(identity_device).\n\n   start() ->\n     spawn(fun () ->\n       TokReg = identity_tokens:start(),\n       loop(TokReg, [])\n     end).\n\n   authorize(D, ClientId, Scope) ->\n     D ! {authorize, ClientId, Scope, self()},\n     receive {device_reply, R} -> R end.\n\n   approve(D, UserCode, Subject) ->\n     D ! {approve, UserCode, Subject, self()},\n     receive {device_reply, R} -> R end.\n\n   deny(D, UserCode) ->\n     D ! {deny, UserCode, self()},\n     receive {device_reply, R} -> R end.\n\n   poll(D, DeviceCode) ->\n     D ! {poll, DeviceCode, self()},\n     receive {device_reply, R} -> R end.\n\n   introspect(D, Token) ->\n     D ! {introspect, Token, self()},\n     receive {device_reply, R} -> R end.\n\n   loop(TokReg, Requests) ->\n     receive\n       {authorize, ClientId, Scope, From} ->\n         DeviceCode = make_ref(),\n         UserCode = make_ref(),\n         From ! {device_reply, {ok, DeviceCode, UserCode}},\n         loop(TokReg, [{DeviceCode, UserCode, ClientId, Scope, pending} | Requests]);\n       {approve, UserCode, Subject, From} ->\n         case find_user(UserCode, Requests) of\n           none ->\n             From ! {device_reply, {error, unknown_code}},\n             loop(TokReg, Requests);\n           {ok, {_, _, _, _, pending}} ->\n             From ! {device_reply, ok},\n             loop(TokReg, set_user(UserCode, {approved, Subject}, Requests));\n           {ok, {_, _, _, _, St}} ->\n             From ! {device_reply, {error, St}},\n             loop(TokReg, Requests)\n         end;\n       {deny, UserCode, From} ->\n         case find_user(UserCode, Requests) of\n           none ->\n             From ! {device_reply, {error, unknown_code}},\n             loop(TokReg, Requests);\n           {ok, {_, _, _, _, pending}} ->\n             From ! {device_reply, ok},\n             loop(TokReg, set_user(UserCode, denied, Requests));\n           {ok, {_, _, _, _, St}} ->\n             From ! {device_reply, {error, St}},\n             loop(TokReg, Requests)\n         end;\n       {poll, DeviceCode, From} ->\n         case find_device(DeviceCode, Requests) of\n           none ->\n             From ! {device_reply, {error, invalid_grant}},\n             loop(TokReg, Requests);\n           {ok, {_, _, _, _, pending}} ->\n             From ! {device_reply, {error, authorization_pending}},\n             loop(TokReg, Requests);\n           {ok, {_, _, _, _, denied}} ->\n             From ! {device_reply, {error, access_denied}},\n             loop(TokReg, Requests);\n           {ok, {_, _, _, _, consumed}} ->\n             From ! {device_reply, {error, invalid_grant}},\n             loop(TokReg, Requests);\n           {ok, {_, _, ClientId, Scope, {approved, Subject}}} ->\n             {ok, Token} = identity_tokens:issue(TokReg, Subject, ClientId, Scope),\n             From ! {device_reply, {ok, Token}},\n             loop(TokReg, set_device(DeviceCode, consumed, Requests))\n         end;\n       {introspect, Token, From} ->\n         From ! {device_reply, identity_tokens:introspect(TokReg, Token)},\n         loop(TokReg, Requests);\n       {stop, From} ->\n         From ! {device_reply, ok}\n     end.\n\n   find_device(_, []) -> none;\n   find_device(DCode, [{D, U, C, S, St} | Rest]) ->\n     case D =:= DCode of\n       true -> {ok, {D, U, C, S, St}};\n       false -> find_device(DCode, Rest)\n     end.\n\n   find_user(_, []) -> none;\n   find_user(UCode, [{D, U, C, S, St} | Rest]) ->\n     case U =:= UCode of\n       true -> {ok, {D, U, C, S, St}};\n       false -> find_user(UCode, Rest)\n     end.\n\n   set_device(_, _, []) -> [];\n   set_device(DCode, NewSt, [{D, U, C, S, St} | Rest]) ->\n     case D =:= DCode of\n       true -> [{D, U, C, S, NewSt} | Rest];\n       false -> [{D, U, C, S, St} | set_device(DCode, NewSt, Rest)]\n     end.\n\n   set_user(_, _, []) -> [];\n   set_user(UCode, NewSt, [{D, U, C, S, St} | Rest]) ->\n     case U =:= UCode of\n       true -> [{D, U, C, S, NewSt} | Rest];\n       false -> [{D, U, C, S, St} | set_user(UCode, NewSt, Rest)]\n     end.")
+
+(define
+  identity-load-device!
+  (fn () (identity-load-token!) (erlang-load-module identity-device-source)))

lib/identity/federation.sx

@@ -0,0 +1,30 @@
+;; identity/federation.sx — federated identity: peer-asserted subjects,
+;; advisory and trust-gated.
+;;
+;; A peer instance can assert \"this remote subject authenticated with me\".
+;; We accept such an assertion ONLY from a peer we explicitly trust
+;; (trust-gated); an assertion from an unknown peer is {error, untrusted},
+;; never silently honoured. Even when accepted, the resulting identity is
+;; ADVISORY: it is flagged peer_asserted with its origin peer, never
+;; promoted to local authority. Downstream (acl) decides how much a
+;; peer-asserted identity may do; identity only records who asserted it.
+;;
+;; Cross-instance subject mapping turns a (Peer, RemoteSubject) pair into a
+;; stable local subject. By default it is namespaced — {federated, Peer,
+;; RemoteSubject} — so two peers' \"alice\" never collide; an explicit map
+;; can alias a remote subject to a local one.
+;;
+;;   trust(F, Peer) / untrust(F, Peer) / trusted(F, Peer)
+;;   map(F, Peer, Remote, Local)            -> ok    (optional alias)
+;;   resolve(F, Peer, Remote)               -> {ok, LocalSubject}
+;;   assert_id(F, Peer, Remote)             -> {ok, LocalSubject}
+;;                                           | {error, untrusted}
+;;   provenance(F, LocalSubject)            -> {peer_asserted, Peer} | {local}
+
+(define
+  identity-federation-source
+  "-module(identity_federation).\n\n   start() ->\n     spawn(fun () -> loop([], [], []) end).\n\n   trust(F, Peer) ->\n     F ! {trust, Peer, self()},\n     receive {fed_reply, R} -> R end.\n\n   untrust(F, Peer) ->\n     F ! {untrust, Peer, self()},\n     receive {fed_reply, R} -> R end.\n\n   trusted(F, Peer) ->\n     F ! {trusted, Peer, self()},\n     receive {fed_reply, R} -> R end.\n\n   map(F, Peer, Remote, Local) ->\n     F ! {map, Peer, Remote, Local, self()},\n     receive {fed_reply, R} -> R end.\n\n   resolve(F, Peer, Remote) ->\n     F ! {resolve, Peer, Remote, self()},\n     receive {fed_reply, R} -> R end.\n\n   assert_id(F, Peer, Remote) ->\n     F ! {assert_id, Peer, Remote, self()},\n     receive {fed_reply, R} -> R end.\n\n   provenance(F, Local) ->\n     F ! {provenance, Local, self()},\n     receive {fed_reply, R} -> R end.\n\n   loop(Trusted, Maps, Asserted) ->\n     receive\n       {trust, Peer, From} ->\n         From ! {fed_reply, ok},\n         loop(add_unique(Peer, Trusted), Maps, Asserted);\n       {untrust, Peer, From} ->\n         From ! {fed_reply, ok},\n         loop(drop(Peer, Trusted), Maps, Asserted);\n       {trusted, Peer, From} ->\n         From ! {fed_reply, member(Peer, Trusted)},\n         loop(Trusted, Maps, Asserted);\n       {map, Peer, Remote, Local, From} ->\n         From ! {fed_reply, ok},\n         loop(Trusted, [{{Peer, Remote}, Local} | drop_map(Peer, Remote, Maps)], Asserted);\n       {resolve, Peer, Remote, From} ->\n         From ! {fed_reply, {ok, resolve_local(Peer, Remote, Maps)}},\n         loop(Trusted, Maps, Asserted);\n       {assert_id, Peer, Remote, From} ->\n         case member(Peer, Trusted) of\n           false ->\n             From ! {fed_reply, {error, untrusted}},\n             loop(Trusted, Maps, Asserted);\n           true ->\n             Local = resolve_local(Peer, Remote, Maps),\n             From ! {fed_reply, {ok, Local}},\n             loop(Trusted, Maps, [{Local, Peer} | drop_assert(Local, Asserted)])\n         end;\n       {provenance, Local, From} ->\n         case find_assert(Local, Asserted) of\n           {ok, Peer} -> From ! {fed_reply, {peer_asserted, Peer}};\n           none -> From ! {fed_reply, {local}}\n         end,\n         loop(Trusted, Maps, Asserted);\n       {stop, From} ->\n         From ! {fed_reply, ok}\n     end.\n\n   resolve_local(Peer, Remote, Maps) ->\n     case find_map(Peer, Remote, Maps) of\n       {ok, Local} -> Local;\n       none -> {federated, Peer, Remote}\n     end.\n\n   find_map(_, _, []) -> none;\n   find_map(Peer, Remote, [{{P, R}, Local} | Rest]) ->\n     case same(P, Peer, R, Remote) of\n       true -> {ok, Local};\n       false -> find_map(Peer, Remote, Rest)\n     end.\n\n   drop_map(_, _, []) -> [];\n   drop_map(Peer, Remote, [{{P, R}, Local} | Rest]) ->\n     case same(P, Peer, R, Remote) of\n       true -> drop_map(Peer, Remote, Rest);\n       false -> [{{P, R}, Local} | drop_map(Peer, Remote, Rest)]\n     end.\n\n   same(P, Peer, R, Remote) ->\n     case P =:= Peer of\n       true -> R =:= Remote;\n       false -> false\n     end.\n\n   find_assert(_, []) -> none;\n   find_assert(Local, [{L, Peer} | Rest]) ->\n     case L =:= Local of\n       true -> {ok, Peer};\n       false -> find_assert(Local, Rest)\n     end.\n\n   drop_assert(_, []) -> [];\n   drop_assert(Local, [{L, Peer} | Rest]) ->\n     case L =:= Local of\n       true -> drop_assert(Local, Rest);\n       false -> [{L, Peer} | drop_assert(Local, Rest)]\n     end.\n\n   add_unique(X, Xs) ->\n     case member(X, Xs) of\n       true -> Xs;\n       false -> [X | Xs]\n     end.\n\n   drop(_, []) -> [];\n   drop(X, [Y | Rest]) ->\n     case X =:= Y of\n       true -> drop(X, Rest);\n       false -> [Y | drop(X, Rest)]\n     end.\n\n   member(_, []) -> false;\n   member(X, [Y | Rest]) ->\n     case X =:= Y of\n       true -> true;\n       false -> member(X, Rest)\n     end.")
+
+(define
+  identity-load-federation!
+  (fn () (erlang-load-module identity-federation-source)))

lib/identity/membership.sx

@@ -0,0 +1,31 @@
+;; identity/membership.sx — coop membership state + per-app projection.
+;;
+;; Membership is canonical subject state held by one process, a guarded
+;; state machine (invalid transitions are explicit errors, never silent
+;; no-ops):
+;;
+;;   none --request--> pending --approve--> active
+;;   active --lapse--> lapsed --reinstate--> active
+;;   {pending|active|lapsed} --revoke--> revoked   (terminal)
+;;
+;; A per-app GRANT PROJECTION renders that one canonical state into the
+;; view a given client app consumes — mirroring rose-ash's per-app grant
+;; verification. The projection is pure identity: it reports WHAT the
+;; subject's membership is for that app; it does NOT decide whether the
+;; app should let them in. That permission question is acl's, keyed off
+;; this projection.
+;;
+;;   project(Subject, App) ->
+;;     active  -> {member, Tier, App}
+;;     pending -> {pending, App}
+;;     lapsed  -> {lapsed, App}
+;;     revoked -> {denied, App}
+;;     none    -> {non_member, App}
+
+(define
+  identity-membership-source
+  "-module(identity_membership).\n\n   start() ->\n     spawn(fun () -> loop([]) end).\n\n   request(M, Subject, Tier) ->\n     M ! {request, Subject, Tier, self()},\n     receive {membership_reply, R} -> R end.\n\n   approve(M, Subject) ->\n     M ! {approve, Subject, self()},\n     receive {membership_reply, R} -> R end.\n\n   lapse(M, Subject) ->\n     M ! {lapse, Subject, self()},\n     receive {membership_reply, R} -> R end.\n\n   reinstate(M, Subject) ->\n     M ! {reinstate, Subject, self()},\n     receive {membership_reply, R} -> R end.\n\n   revoke(M, Subject) ->\n     M ! {revoke, Subject, self()},\n     receive {membership_reply, R} -> R end.\n\n   status(M, Subject) ->\n     M ! {status, Subject, self()},\n     receive {membership_reply, R} -> R end.\n\n   project(M, Subject, App) ->\n     M ! {project, Subject, App, self()},\n     receive {membership_reply, R} -> R end.\n\n   loop(Members) ->\n     receive\n       {request, Subject, Tier, From} ->\n         case find(Subject, Members) of\n           none ->\n             From ! {membership_reply, ok},\n             loop([{Subject, {pending, Tier}} | Members]);\n           {ok, _} ->\n             From ! {membership_reply, {error, exists}},\n             loop(Members)\n         end;\n       {approve, Subject, From} ->\n         case find(Subject, Members) of\n           none ->\n             From ! {membership_reply, {error, not_found}},\n             loop(Members);\n           {ok, {pending, Tier}} ->\n             From ! {membership_reply, ok},\n             loop(set_record(Subject, {active, Tier}, Members));\n           {ok, {St, _}} ->\n             From ! {membership_reply, {error, St}},\n             loop(Members)\n         end;\n       {lapse, Subject, From} ->\n         case find(Subject, Members) of\n           none ->\n             From ! {membership_reply, {error, not_found}},\n             loop(Members);\n           {ok, {active, Tier}} ->\n             From ! {membership_reply, ok},\n             loop(set_record(Subject, {lapsed, Tier}, Members));\n           {ok, {St, _}} ->\n             From ! {membership_reply, {error, St}},\n             loop(Members)\n         end;\n       {reinstate, Subject, From} ->\n         case find(Subject, Members) of\n           none ->\n             From ! {membership_reply, {error, not_found}},\n             loop(Members);\n           {ok, {lapsed, Tier}} ->\n             From ! {membership_reply, ok},\n             loop(set_record(Subject, {active, Tier}, Members));\n           {ok, {St, _}} ->\n             From ! {membership_reply, {error, St}},\n             loop(Members)\n         end;\n       {revoke, Subject, From} ->\n         case find(Subject, Members) of\n           none ->\n             From ! {membership_reply, {error, not_found}},\n             loop(Members);\n           {ok, {_, Tier}} ->\n             From ! {membership_reply, ok},\n             loop(set_record(Subject, {revoked, Tier}, Members))\n         end;\n       {status, Subject, From} ->\n         case find(Subject, Members) of\n           none -> From ! {membership_reply, {none}};\n           {ok, {St, Tier}} -> From ! {membership_reply, {ok, St, Tier}}\n         end,\n         loop(Members);\n       {project, Subject, App, From} ->\n         From ! {membership_reply, project_view(Subject, App, Members)},\n         loop(Members);\n       {stop, From} ->\n         From ! {membership_reply, ok}\n     end.\n\n   project_view(Subject, App, Members) ->\n     case find(Subject, Members) of\n       none -> {non_member, App};\n       {ok, {active, Tier}} -> {member, Tier, App};\n       {ok, {pending, _}} -> {pending, App};\n       {ok, {lapsed, _}} -> {lapsed, App};\n       {ok, {revoked, _}} -> {denied, App}\n     end.\n\n   set_record(_, _, []) -> [];\n   set_record(Subject, Rec, [{S, Old} | Rest]) ->\n     case S =:= Subject of\n       true -> [{S, Rec} | Rest];\n       false -> [{S, Old} | set_record(Subject, Rec, Rest)]\n     end.\n\n   find(_, []) -> none;\n   find(Key, [{K, V} | Rest]) ->\n     case K =:= Key of\n       true -> {ok, V};\n       false -> find(Key, Rest)\n     end.")
+
+(define
+  identity-load-membership!
+  (fn () (erlang-load-module identity-membership-source)))

lib/identity/registry.sx

@@ -0,0 +1,22 @@
+;; identity/registry.sx — routes sessions by id and by (subject, client).
+;;
+;; The registry is the directory that makes SSO possible: one subject can
+;; hold many sessions (one per client), and the OAuth machine asks it the
+;; single question that drives silent login — \"is there a live session
+;; for this subject + this client?\". It stores (SessionId, Subject,
+;; Client, Pid) rows and answers:
+;;
+;;   whereis_session(Id)      -> {ok, Pid} | {error, not_found}
+;;   lookup(Subject, Client)  -> {ok, Pid} | {error, not_found}   (SSO probe)
+;;   sessions_for(Subject)    -> {ok, [SessionId, ...]}           (fan-out)
+;;
+;; The registry only routes — it holds no grant state and decides nothing.
+;; Liveness of the routed-to session is that session process's own affair.
+
+(define
+  identity-registry-source
+  "-module(identity_registry).\n\n   start() ->\n     spawn(fun () -> loop([]) end).\n\n   register(Reg, SessionId, Subject, Client, Pid) ->\n     Reg ! {register, SessionId, Subject, Client, Pid, self()},\n     receive {registry_reply, R} -> R end.\n\n   whereis_session(Reg, SessionId) ->\n     Reg ! {whereis_session, SessionId, self()},\n     receive {registry_reply, R} -> R end.\n\n   lookup(Reg, Subject, Client) ->\n     Reg ! {lookup, Subject, Client, self()},\n     receive {registry_reply, R} -> R end.\n\n   sessions_for(Reg, Subject) ->\n     Reg ! {sessions_for, Subject, self()},\n     receive {registry_reply, R} -> R end.\n\n   deregister(Reg, SessionId) ->\n     Reg ! {deregister, SessionId, self()},\n     receive {registry_reply, R} -> R end.\n\n   stop(Reg) ->\n     Reg ! {stop, self()},\n     receive {registry_reply, R} -> R end.\n\n   loop(Entries) ->\n     receive\n       {register, SessionId, Subject, Client, Pid, From} ->\n         From ! {registry_reply, ok},\n         loop([{SessionId, Subject, Client, Pid} | remove_id(SessionId, Entries)]);\n       {whereis_session, SessionId, From} ->\n         From ! {registry_reply, find_id(SessionId, Entries)},\n         loop(Entries);\n       {lookup, Subject, Client, From} ->\n         From ! {registry_reply, find_sc(Subject, Client, Entries)},\n         loop(Entries);\n       {sessions_for, Subject, From} ->\n         From ! {registry_reply, {ok, collect_subject(Subject, Entries)}},\n         loop(Entries);\n       {deregister, SessionId, From} ->\n         From ! {registry_reply, ok},\n         loop(remove_id(SessionId, Entries));\n       {stop, From} ->\n         From ! {registry_reply, ok}\n     end.\n\n   find_id(_, []) -> {error, not_found};\n   find_id(Id, [{Sid, _, _, Pid} | Rest]) ->\n     case Sid =:= Id of\n       true -> {ok, Pid};\n       false -> find_id(Id, Rest)\n     end.\n\n   find_sc(_, _, []) -> {error, not_found};\n   find_sc(Subject, Client, [{_, Su, Cl, Pid} | Rest]) ->\n     case Su =:= Subject of\n       true ->\n         case Cl =:= Client of\n           true -> {ok, Pid};\n           false -> find_sc(Subject, Client, Rest)\n         end;\n       false -> find_sc(Subject, Client, Rest)\n     end.\n\n   collect_subject(_, []) -> [];\n   collect_subject(Subject, [{Sid, Su, _, _} | Rest]) ->\n     case Su =:= Subject of\n       true -> [Sid | collect_subject(Subject, Rest)];\n       false -> collect_subject(Subject, Rest)\n     end.\n\n   remove_id(_, []) -> [];\n   remove_id(Id, [{Sid, Su, Cl, Pid} | Rest]) ->\n     case Sid =:= Id of\n       true -> remove_id(Id, Rest);\n       false -> [{Sid, Su, Cl, Pid} | remove_id(Id, Rest)]\n     end.")
+
+(define
+  identity-load-registry!
+  (fn () (erlang-load-module identity-registry-source)))

lib/identity/scoreboard.json

@@ -0,0 +1,29 @@
+{
+  "language": "identity",
+  "total_pass": 233,
+  "total": 233,
+  "suites": [
+    {"name":"session","pass":11,"total":11,"status":"ok"},
+    {"name":"token","pass":24,"total":24,"status":"ok"},
+    {"name":"registry","pass":9,"total":9,"status":"ok"},
+    {"name":"api","pass":10,"total":10,"status":"ok"},
+    {"name":"oauth","pass":17,"total":17,"status":"ok"},
+    {"name":"sso","pass":10,"total":10,"status":"ok"},
+    {"name":"membership","pass":17,"total":17,"status":"ok"},
+    {"name":"cache","pass":9,"total":9,"status":"ok"},
+    {"name":"audit","pass":11,"total":11,"status":"ok"},
+    {"name":"federation","pass":12,"total":12,"status":"ok"},
+    {"name":"expiry","pass":8,"total":8,"status":"ok"},
+    {"name":"clients","pass":11,"total":11,"status":"ok"},
+    {"name":"grants","pass":9,"total":9,"status":"ok"},
+    {"name":"device","pass":10,"total":10,"status":"ok"},
+    {"name":"facade","pass":9,"total":9,"status":"ok"},
+    {"name":"delegation","pass":8,"total":8,"status":"ok"},
+    {"name":"session-mgmt","pass":8,"total":8,"status":"ok"},
+    {"name":"exchange","pass":8,"total":8,"status":"ok"},
+    {"name":"introspect","pass":9,"total":9,"status":"ok"},
+    {"name":"par","pass":7,"total":7,"status":"ok"},
+    {"name":"dynreg","pass":5,"total":5,"status":"ok"},
+    {"name":"account","pass":11,"total":11,"status":"ok"}
+  ]
+}

lib/identity/scoreboard.md

@@ -0,0 +1,31 @@
+# identity-on-sx Scoreboard
+
+**Total: 233 / 233 tests passing**
+
+|  | Suite | Pass | Total |
+|---|---|---|---|
+| ✅ | session | 11 | 11 |
+| ✅ | token | 24 | 24 |
+| ✅ | registry | 9 | 9 |
+| ✅ | api | 10 | 10 |
+| ✅ | oauth | 17 | 17 |
+| ✅ | sso | 10 | 10 |
+| ✅ | membership | 17 | 17 |
+| ✅ | cache | 9 | 9 |
+| ✅ | audit | 11 | 11 |
+| ✅ | federation | 12 | 12 |
+| ✅ | expiry | 8 | 8 |
+| ✅ | clients | 11 | 11 |
+| ✅ | grants | 9 | 9 |
+| ✅ | device | 10 | 10 |
+| ✅ | facade | 9 | 9 |
+| ✅ | delegation | 8 | 8 |
+| ✅ | session-mgmt | 8 | 8 |
+| ✅ | exchange | 8 | 8 |
+| ✅ | introspect | 9 | 9 |
+| ✅ | par | 7 | 7 |
+| ✅ | dynreg | 5 | 5 |
+| ✅ | account | 11 | 11 |
+
+
+Generated by `lib/identity/conformance.sh`.

lib/identity/session.sx

@@ -0,0 +1,20 @@
+;; identity/session.sx — a session is an Erlang process.
+;;
+;; create  = spawn a session process holding {subject, client, status}
+;; lookup  = a message; the live process answers {ok, ...} or {error, S}
+;; expire  = explicit message OR an idle timeout the process arms itself
+;; revoke  = explicit message; the grant tombstones immediately
+;;
+;; Expiry is the process's own `receive ... after Ttl` timeout, never a
+;; global sweep. On timeout the process notifies its Owner and becomes a
+;; tombstone that still answers lookups — with {error, expired}, never a
+;; silent dead mailbox. A revoked or expired session is an explicit
+;; negative state, not the absence of a positive one.
+
+(define
+  identity-session-source
+  "-module(identity_session).\n\n   start(SessionId, Subject, Client, Owner, Ttl) ->\n     spawn(fun () -> active(SessionId, Subject, Client, Owner, Ttl) end).\n\n   lookup(Pid) ->\n     Pid ! {lookup, self()},\n     receive {session_reply, R} -> R end.\n\n   touch(Pid) ->\n     Pid ! {touch, self()},\n     receive {session_reply, R} -> R end.\n\n   expire(Pid) ->\n     Pid ! {expire, self()},\n     receive {session_reply, R} -> R end.\n\n   revoke(Pid) ->\n     Pid ! {revoke, self()},\n     receive {session_reply, R} -> R end.\n\n   stop(Pid) ->\n     Pid ! {stop, self()},\n     receive {session_reply, R} -> R end.\n\n   active(SessionId, Subject, Client, Owner, Ttl) ->\n     receive\n       {lookup, From} ->\n         From ! {session_reply, {ok, {SessionId, Subject, Client, active}}},\n         active(SessionId, Subject, Client, Owner, Ttl);\n       {touch, From} ->\n         From ! {session_reply, ok},\n         active(SessionId, Subject, Client, Owner, Ttl);\n       {expire, From} ->\n         From ! {session_reply, ok},\n         tombstone(SessionId, Subject, Client, expired);\n       {revoke, From} ->\n         From ! {session_reply, ok},\n         tombstone(SessionId, Subject, Client, revoked);\n       {stop, From} ->\n         From ! {session_reply, ok}\n     after Ttl ->\n       Owner ! {session_expired, SessionId},\n       tombstone(SessionId, Subject, Client, expired)\n     end.\n\n   tombstone(SessionId, Subject, Client, Status) ->\n     receive\n       {lookup, From} ->\n         From ! {session_reply, {error, Status}},\n         tombstone(SessionId, Subject, Client, Status);\n       {touch, From} ->\n         From ! {session_reply, {error, Status}},\n         tombstone(SessionId, Subject, Client, Status);\n       {expire, From} ->\n         From ! {session_reply, ok},\n         tombstone(SessionId, Subject, Client, Status);\n       {revoke, From} ->\n         From ! {session_reply, ok},\n         tombstone(SessionId, Subject, Client, revoked);\n       {stop, From} ->\n         From ! {session_reply, ok}\n     end.")
+
+(define
+  identity-load-session!
+  (fn () (erlang-load-module identity-session-source)))

lib/identity/tests/account.sx

@@ -0,0 +1,102 @@
+;; identity/tests/account.sx — the account-security surface: \"apps with
+;; access\" (grants_for / identity:grants) plus \"disconnect this app\"
+;; (revoke_app / identity:revoke_app). Completes the per-subject view+action
+;; pair alongside sessions and history.
+
+(define id-acct-test-count 0)
+(define id-acct-test-pass 0)
+(define id-acct-test-fails (list))
+
+(define
+  id-acct-test
+  (fn
+    (name actual expected)
+    (set! id-acct-test-count (+ id-acct-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-acct-test-pass (+ id-acct-test-pass 1))
+      (append! id-acct-test-fails {:name name :expected expected :actual actual}))))
+
+(define ida-ev erlang-eval-ast)
+(define idanm (fn (v) (get v :name)))
+
+(identity-load-all!)
+
+;; ── token-level grants_for ───────────────────────────────────────
+
+(id-acct-test
+  "grants_for lists a subject's active grants"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, alice, cli, write),\n     identity_tokens:issue(R, bob, web, read),\n     length(identity_tokens:grants_for(R, alice))")
+  2)
+
+(id-acct-test
+  "grants_for excludes revoked grants"
+  (ida-ev
+    "R = identity_tokens:start(),\n     {ok, A} = identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, alice, cli, write),\n     identity_tokens:revoke(R, A),\n     length(identity_tokens:grants_for(R, alice))")
+  1)
+
+(id-acct-test
+  "grants_for is empty for a subject with none"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     length(identity_tokens:grants_for(R, ghost))")
+  0)
+
+(id-acct-test
+  "each grant entry carries the client"
+  (idanm
+    (ida-ev
+      "R = identity_tokens:start(),\n       identity_tokens:issue(R, alice, web, read),\n       case identity_tokens:grants_for(R, alice) of\n         [{Client, _Scope}] -> Client;\n         _ -> other\n       end"))
+  "web")
+
+;; ── token-level revoke_app (\"disconnect this app\") ────────────────
+
+(id-acct-test
+  "revoke_app revokes all of a subject's grants for one client"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, alice, web, write),\n     identity_tokens:issue(R, alice, cli, read),\n     identity_tokens:revoke_app(R, alice, web),\n     length(identity_tokens:grants_for(R, alice))")
+  1)
+
+(id-acct-test
+  "revoke_app deactivates that client's tokens"
+  (idanm
+    (ida-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read),\n       identity_tokens:revoke_app(R, alice, web),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-acct-test
+  "revoke_app leaves another subject's same-client grant intact"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, bob, web, read),\n     identity_tokens:revoke_app(R, alice, web),\n     length(identity_tokens:grants_for(R, bob))")
+  1)
+
+;; ── facade-level grants + revoke_app ─────────────────────────────
+
+(id-acct-test
+  "identity:grants lists apps a subject has logged into"
+  (ida-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     length(identity:grants(Svc, alice))")
+  2)
+
+(id-acct-test
+  "identity:revoke_app disconnects one app, leaving the rest"
+  (ida-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     identity:revoke_app(Svc, alice, web),\n     length(identity:grants(Svc, alice))")
+  1)
+
+(id-acct-test
+  "identity:grants is per-subject"
+  (ida-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, bob, web, read),\n     length(identity:grants(Svc, bob))")
+  1)
+
+(id-acct-test
+  "revoke_app is audited as a revoke"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       identity:login(Svc, alice, web, read),\n       identity:revoke_app(Svc, alice, web),\n       case identity:history(Svc, alice) of\n         [login, issue, revoke] -> audited;\n         Other -> Other\n       end"))
+  "audited")
+
+(define
+  id-acct-test-summary
+  (str "account " id-acct-test-pass "/" id-acct-test-count))

lib/identity/tests/api.sx

@@ -0,0 +1,111 @@
+;; identity/tests/api.sx — the service facade end-to-end: login issues a
+;; session + token, verify proves identity, revoke and logout take effect
+;; immediately. Exercises session + token + registry through one door.
+
+(define id-api-test-count 0)
+(define id-api-test-pass 0)
+(define id-api-test-fails (list))
+
+(define
+  id-api-test
+  (fn
+    (name actual expected)
+    (set! id-api-test-count (+ id-api-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-api-test-pass (+ id-api-test-pass 1))
+      (append! id-api-test-fails {:name name :expected expected :actual actual}))))
+
+(define ida-ev erlang-eval-ast)
+(define idanm (fn (v) (get v :name)))
+
+(identity-load-all!)
+
+;; ── login + verify (happy path) ──────────────────────────────────
+
+(id-api-test
+  "login then verify is active"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, _Sid, Tok} = identity:login(Svc, alice, web, read),\n       case identity:verify(Svc, Tok) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-api-test
+  "verify returns the logged-in subject"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, _Sid, Tok} = identity:login(Svc, alice, web, read),\n       case identity:verify(Svc, Tok) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "alice")
+
+(id-api-test
+  "verify returns the granted scope"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, _Sid, Tok} = identity:login(Svc, bob, cli, write),\n       case identity:verify(Svc, Tok) of\n         {active, _, _, Scope} -> Scope\n       end"))
+  "write")
+
+;; ── revoke is real through the facade ────────────────────────────
+
+(id-api-test
+  "revoked token verifies inactive immediately"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, _Sid, Tok} = identity:login(Svc, alice, web, read),\n       identity:revoke(Svc, Tok),\n       case identity:verify(Svc, Tok) of\n         {active, _, _, _} -> still_valid;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+;; ── session lifecycle through the facade ─────────────────────────
+
+(id-api-test
+  "fresh session reports active"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, Sid, _Tok} = identity:login(Svc, alice, web, read),\n       identity:session_status(Svc, Sid)"))
+  "active")
+
+(id-api-test
+  "logout makes the session gone"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, Sid, _Tok} = identity:login(Svc, alice, web, read),\n       identity:logout(Svc, Sid),\n       identity:session_status(Svc, Sid)"))
+  "gone")
+
+(id-api-test
+  "status of an unknown session is gone"
+  (idanm
+    (ida-ev "Svc = identity:start(),\n       identity:session_status(Svc, 999)"))
+  "gone")
+
+;; ── independence: logins do not bleed into each other ────────────
+
+(id-api-test
+  "revoking one login leaves the other active"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, _S1, T1} = identity:login(Svc, alice, web, read),\n       {ok, _S2, T2} = identity:login(Svc, bob, cli, write),\n       identity:revoke(Svc, T1),\n       case identity:verify(Svc, T2) of\n         {active, Subject, _, _} -> Subject;\n         {inactive} -> inactive\n       end"))
+  "bob")
+
+(id-api-test
+  "logging out one session leaves the other active"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, S1, _T1} = identity:login(Svc, alice, web, read),\n       {ok, S2, _T2} = identity:login(Svc, alice, cli, read),\n       identity:logout(Svc, S1),\n       identity:session_status(Svc, S2)"))
+  "active")
+
+;; ── coordinator deregisters on a session_expired notification ────
+;; A live idle session fires its own `after` timeout and notifies its
+;; owner (the coordinator), which then deregisters it — timeout-driven,
+;; never swept. The owner-internal path can't be observed by driving the
+;; scheduler idle from the test's main process, so we assert the handler
+;; directly: the mailbox is FIFO, so the expiry notification is processed
+;; before the following status query.
+
+(id-api-test
+  "session_expired notification deregisters the session"
+  (idanm
+    (ida-ev
+      "Svc = identity:start(),\n       {ok, Sid, _Tok} = identity:login(Svc, alice, web, read, 50),\n       active = identity:session_status(Svc, Sid),\n       Svc ! {session_expired, Sid},\n       identity:session_status(Svc, Sid)"))
+  "gone")
+
+(define
+  id-api-test-summary
+  (str "api " id-api-test-pass "/" id-api-test-count))

lib/identity/tests/audit.sx

@@ -0,0 +1,117 @@
+;; identity/tests/audit.sx — the grant audit ledger. Every grant
+;; transition is recorded; the ledger is queryable per subject and
+;; chronological. Covers issue/refresh/revoke wiring through the token
+;; registry, reuse-triggered revoke, per-subject isolation, completeness,
+;; and direct ledger use.
+
+(define id-audit-test-count 0)
+(define id-audit-test-pass 0)
+(define id-audit-test-fails (list))
+
+(define
+  id-audit-test
+  (fn
+    (name actual expected)
+    (set! id-audit-test-count (+ id-audit-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-audit-test-pass (+ id-audit-test-pass 1))
+      (append! id-audit-test-fails {:name name :expected expected :actual actual}))))
+
+(define ida-ev erlang-eval-ast)
+(define idanm (fn (v) (get v :name)))
+
+(identity-load-audit!)
+(identity-load-token!)
+
+;; ── issue is audited ─────────────────────────────────────────────
+
+(id-audit-test
+  "issue records one event for the subject"
+  (ida-ev
+    "A = identity_audit:start(),\n     Reg = identity_tokens:start(A),\n     identity_tokens:issue(Reg, alice, web, read),\n     identity_audit:count(A, alice)")
+  1)
+
+(id-audit-test
+  "the recorded action is issue"
+  (idanm
+    (ida-ev
+      "A = identity_audit:start(),\n       Reg = identity_tokens:start(A),\n       identity_tokens:issue(Reg, alice, web, read),\n       case identity_audit:actions(A, alice) of\n         [issue] -> matched;\n         _ -> nomatch\n       end"))
+  "matched")
+
+;; ── full grant lifecycle is audited in order ─────────────────────
+
+(id-audit-test
+  "issue, refresh, revoke are recorded in order"
+  (idanm
+    (ida-ev
+      "A = identity_audit:start(),\n       Reg = identity_tokens:start(A),\n       {ok, G, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       identity_tokens:refresh(Reg, R),\n       identity_tokens:revoke(Reg, G),\n       case identity_audit:actions(A, alice) of\n         [issue, refresh, revoke] -> matched;\n         _ -> nomatch\n       end"))
+  "matched")
+
+;; ── reuse-triggered revoke is audited ────────────────────────────
+
+(id-audit-test
+  "a refresh-reuse cascade records a revoke event"
+  (idanm
+    (ida-ev
+      "A = identity_audit:start(),\n       Reg = identity_tokens:start(A),\n       {ok, _G, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       identity_tokens:refresh(Reg, R),\n       identity_tokens:refresh(Reg, R),\n       case identity_audit:actions(A, alice) of\n         [issue, refresh, revoke] -> matched;\n         _ -> nomatch\n       end"))
+  "matched")
+
+;; ── per-subject isolation ────────────────────────────────────────
+
+(id-audit-test
+  "the ledger separates subjects"
+  (ida-ev
+    "A = identity_audit:start(),\n     Reg = identity_tokens:start(A),\n     identity_tokens:issue(Reg, alice, web, read),\n     identity_tokens:issue(Reg, bob, cli, write),\n     identity_tokens:issue(Reg, alice, mobile, read),\n     identity_audit:count(A, alice)")
+  2)
+
+(id-audit-test
+  "an unaudited subject has zero events"
+  (ida-ev
+    "A = identity_audit:start(),\n     Reg = identity_tokens:start(A),\n     identity_tokens:issue(Reg, alice, web, read),\n     identity_audit:count(A, ghost)")
+  0)
+
+;; ── the full log accumulates across subjects ─────────────────────
+
+(id-audit-test
+  "all events accumulate in the ledger"
+  (ida-ev
+    "A = identity_audit:start(),\n     Reg = identity_tokens:start(A),\n     identity_tokens:issue(Reg, alice, web, read),\n     identity_tokens:issue(Reg, bob, cli, write),\n     length(identity_audit:all(A))")
+  2)
+
+;; ── completeness: no grant transition is dropped ─────────────────
+
+(id-audit-test
+  "the ledger is complete across a mixed transition stream"
+  (ida-ev
+    "A = identity_audit:start(),\n     Reg = identity_tokens:start(A),\n     identity_tokens:issue(Reg, alice, web, read),\n     {ok, _G, R} = identity_tokens:issue_grant(Reg, alice, cli, read),\n     identity_tokens:refresh(Reg, R),\n     {ok, B} = identity_tokens:issue(Reg, bob, web, read),\n     identity_tokens:revoke(Reg, B),\n     length(identity_audit:all(A))")
+  5)
+
+;; ── start/0 stays unaudited (no regression) ──────────────────────
+
+(id-audit-test
+  "an unaudited registry still issues working tokens"
+  (idanm
+    (ida-ev
+      "Reg = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(Reg, alice, web, read),\n       case identity_tokens:introspect(Reg, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+;; ── direct ledger use (e.g. login/consent events) ────────────────
+
+(id-audit-test
+  "events can be recorded directly on the ledger"
+  (idanm
+    (ida-ev
+      "A = identity_audit:start(),\n       identity_audit:record(A, alice, login),\n       identity_audit:record(A, alice, consent),\n       case identity_audit:actions(A, alice) of\n         [login, consent] -> matched;\n         _ -> nomatch\n       end"))
+  "matched")
+
+(id-audit-test
+  "an audit entry carries its subject"
+  (idanm
+    (ida-ev
+      "A = identity_audit:start(),\n       identity_audit:record(A, alice, login),\n       case identity_audit:audit(A, alice) of\n         [{_, Subject, _}] -> Subject;\n         _ -> nomatch\n       end"))
+  "alice")
+
+(define
+  id-audit-test-summary
+  (str "audit " id-audit-test-pass "/" id-audit-test-count))

lib/identity/tests/cache.sx

@@ -0,0 +1,102 @@
+;; identity/tests/cache.sx — delegated grant-verification cache. Proves
+;; the cache is live (hits/misses) AND that revocation stays real: a
+;; revoked token never reads valid out of the cache, because any revoke
+;; bumps the generation and forces re-validation.
+
+(define id-cache-test-count 0)
+(define id-cache-test-pass 0)
+(define id-cache-test-fails (list))
+
+(define
+  id-cache-test
+  (fn
+    (name actual expected)
+    (set! id-cache-test-count (+ id-cache-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-cache-test-pass (+ id-cache-test-pass 1))
+      (append! id-cache-test-fails {:name name :expected expected :actual actual}))))
+
+(define idc-ev erlang-eval-ast)
+(define idcnm (fn (v) (get v :name)))
+
+(identity-load-token!)
+(identity-load-cache!)
+
+;; ── delegation: cache forwards to the registry ───────────────────
+
+(id-cache-test
+  "introspect through the cache returns active"
+  (idcnm
+    (idc-ev
+      "C = identity_grant_cache:start(),\n       {ok, T} = identity_grant_cache:issue(C, alice, web, read),\n       case identity_grant_cache:introspect(C, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+;; ── the cache is actually caching ────────────────────────────────
+
+(id-cache-test
+  "a repeated introspect is a cache hit"
+  (idc-ev
+    "C = identity_grant_cache:start(),\n     {ok, T} = identity_grant_cache:issue(C, alice, web, read),\n     identity_grant_cache:introspect(C, T),\n     identity_grant_cache:introspect(C, T),\n     case identity_grant_cache:stats(C) of {H, _} -> H end")
+  1)
+
+(id-cache-test
+  "the first introspect of a token is a miss"
+  (idc-ev
+    "C = identity_grant_cache:start(),\n     {ok, T} = identity_grant_cache:issue(C, alice, web, read),\n     identity_grant_cache:introspect(C, T),\n     identity_grant_cache:introspect(C, T),\n     case identity_grant_cache:stats(C) of {_, M} -> M end")
+  1)
+
+;; ── revocation stays real through the cache (the centrepiece) ─────
+
+(id-cache-test
+  "a revoked token introspects inactive through the cache"
+  (idcnm
+    (idc-ev
+      "C = identity_grant_cache:start(),\n       {ok, T} = identity_grant_cache:issue(C, alice, web, read),\n       identity_grant_cache:introspect(C, T),\n       identity_grant_cache:revoke(C, T),\n       case identity_grant_cache:introspect(C, T) of\n         {active, _, _, _} -> still_valid;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-cache-test
+  "revoke invalidates the cache (post-revoke read re-validates)"
+  (idc-ev
+    "C = identity_grant_cache:start(),\n     {ok, T} = identity_grant_cache:issue(C, alice, web, read),\n     identity_grant_cache:introspect(C, T),\n     identity_grant_cache:revoke(C, T),\n     identity_grant_cache:introspect(C, T),\n     case identity_grant_cache:stats(C) of {_, M} -> M end")
+  2)
+
+;; ── cascade visibility through the cache ──────────────────────────
+
+(id-cache-test
+  "cascade revocation is visible through the cache"
+  (idcnm
+    (idc-ev
+      "C = identity_grant_cache:start(),\n       {ok, A, R} = identity_grant_cache:issue_grant(C, alice, web, read),\n       identity_grant_cache:introspect(C, A),\n       identity_grant_cache:revoke(C, R),\n       case identity_grant_cache:introspect(C, A) of\n         {active, _, _, _} -> still_valid;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+;; ── a sibling token re-validates correctly after a revoke ────────
+
+(id-cache-test
+  "revoking one token leaves an independent token valid"
+  (idcnm
+    (idc-ev
+      "C = identity_grant_cache:start(),\n       {ok, A} = identity_grant_cache:issue(C, alice, web, read),\n       {ok, B} = identity_grant_cache:issue(C, bob, cli, write),\n       identity_grant_cache:introspect(C, A),\n       identity_grant_cache:introspect(C, B),\n       identity_grant_cache:revoke(C, A),\n       case identity_grant_cache:introspect(C, B) of\n         {active, Subject, _, _} -> Subject;\n         {inactive} -> inactive\n       end"))
+  "bob")
+
+;; ── refresh flows through the cache and stays correct ────────────
+
+(id-cache-test
+  "a refreshed token introspects active through the cache"
+  (idcnm
+    (idc-ev
+      "C = identity_grant_cache:start(),\n       {ok, _A, R} = identity_grant_cache:issue_grant(C, alice, web, read),\n       {ok, A2, _R2} = identity_grant_cache:refresh(C, R),\n       case identity_grant_cache:introspect(C, A2) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+;; ── unknown token is inactive, and cached as such ────────────────
+
+(id-cache-test
+  "an unknown token introspects inactive through the cache"
+  (idcnm
+    (idc-ev
+      "C = identity_grant_cache:start(),\n       Bogus = make_ref(),\n       case identity_grant_cache:introspect(C, Bogus) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(define
+  id-cache-test-summary
+  (str "cache " id-cache-test-pass "/" id-cache-test-count))

lib/identity/tests/clients.sx

@@ -0,0 +1,108 @@
+;; identity/tests/clients.sx — OAuth client registry: registration,
+;; public vs confidential authentication, and redirect_uri allow-listing.
+
+(define id-clients-test-count 0)
+(define id-clients-test-pass 0)
+(define id-clients-test-fails (list))
+
+(define
+  id-clients-test
+  (fn
+    (name actual expected)
+    (set! id-clients-test-count (+ id-clients-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-clients-test-pass (+ id-clients-test-pass 1))
+      (append! id-clients-test-fails {:name name :expected expected :actual actual}))))
+
+(define idc-ev erlang-eval-ast)
+(define idcnm (fn (v) (get v :name)))
+
+(identity-load-clients!)
+
+;; ── registration + lookup ────────────────────────────────────────
+
+(id-clients-test
+  "a registered client looks up its type"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       identity_clients:register(C, app1, confidential, s3cret, [uri1]),\n       case identity_clients:lookup(C, app1) of\n         {ok, Type, _} -> Type;\n         {error, W} -> W\n       end"))
+  "confidential")
+
+(id-clients-test
+  "registering the same client twice is an error"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       identity_clients:register(C, app1, confidential, s3cret, [uri1]),\n       case identity_clients:register(C, app1, public, none, [uri1]) of\n         ok -> ok;\n         {error, W} -> W\n       end"))
+  "exists")
+
+(id-clients-test
+  "looking up an unregistered client is unknown_client"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       case identity_clients:lookup(C, ghost) of\n         {ok, _, _} -> found;\n         {error, W} -> W\n       end"))
+  "unknown_client")
+
+;; ── confidential client authentication ───────────────────────────
+
+(id-clients-test
+  "a confidential client authenticates with the right secret"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       identity_clients:register(C, app1, confidential, s3cret, [uri1]),\n       case identity_clients:authenticate(C, app1, s3cret) of\n         {ok, Kind} -> Kind;\n         {error, W} -> W\n       end"))
+  "confidential")
+
+(id-clients-test
+  "a confidential client with the wrong secret is invalid_client"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       identity_clients:register(C, app1, confidential, s3cret, [uri1]),\n       case identity_clients:authenticate(C, app1, wrongsecret) of\n         {ok, _} -> accepted;\n         {error, W} -> W\n       end"))
+  "invalid_client")
+
+(id-clients-test
+  "a public client needs no secret to authenticate"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       identity_clients:register(C, spa, public, none, [uri1]),\n       case identity_clients:authenticate(C, spa, anything) of\n         {ok, Kind} -> Kind;\n         {error, W} -> W\n       end"))
+  "public")
+
+(id-clients-test
+  "authenticating an unknown client is unknown_client"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       case identity_clients:authenticate(C, ghost, x) of\n         {ok, _} -> accepted;\n         {error, W} -> W\n       end"))
+  "unknown_client")
+
+;; ── redirect_uri allow-listing ───────────────────────────────────
+
+(id-clients-test
+  "a registered redirect_uri is valid"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       identity_clients:register(C, app1, confidential, s3cret, [uri1, uri2]),\n       case identity_clients:valid_redirect(C, app1, uri1) of\n         true -> yes;\n         false -> no\n       end"))
+  "yes")
+
+(id-clients-test
+  "a second registered redirect_uri is also valid"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       identity_clients:register(C, app1, confidential, s3cret, [uri1, uri2]),\n       case identity_clients:valid_redirect(C, app1, uri2) of\n         true -> yes;\n         false -> no\n       end"))
+  "yes")
+
+(id-clients-test
+  "an unregistered redirect_uri is rejected"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       identity_clients:register(C, app1, confidential, s3cret, [uri1]),\n       case identity_clients:valid_redirect(C, app1, evil_uri) of\n         true -> yes;\n         false -> no\n       end"))
+  "no")
+
+(id-clients-test
+  "redirect validation for an unknown client is rejected"
+  (idcnm
+    (idc-ev
+      "C = identity_clients:start(),\n       case identity_clients:valid_redirect(C, ghost, uri1) of\n         true -> yes;\n         false -> no\n       end"))
+  "no")
+
+(define
+  id-clients-test-summary
+  (str "clients " id-clients-test-pass "/" id-clients-test-count))

lib/identity/tests/delegation.sx

@@ -0,0 +1,102 @@
+;; identity/tests/delegation.sx — the identity -> acl boundary.
+;; Authentication (identity) gates BEFORE authorization (acl): an inactive
+;; token is unauthenticated (401) and acl is never consulted; only an
+;; authenticated subject's request is delegated to acl for permit/deny.
+
+(define id-deleg-test-count 0)
+(define id-deleg-test-pass 0)
+(define id-deleg-test-fails (list))
+
+(define
+  id-deleg-test
+  (fn
+    (name actual expected)
+    (set! id-deleg-test-count (+ id-deleg-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-deleg-test-pass (+ id-deleg-test-pass 1))
+      (append! id-deleg-test-fails {:name name :expected expected :actual actual}))))
+
+(define idl-ev erlang-eval-ast)
+(define idlnm (fn (v) (get v :name)))
+
+(identity-load-delegation!)
+
+;; Shared prelude: a token registry, a stub acl, and a token granting
+;; [read, write] to alice, all bound.
+(define
+  idl-setup
+  "R = identity_tokens:start(),\n   A = identity_delegation:stub_acl(),\n   {ok, T} = identity_tokens:issue(R, alice, web, [read, write])")
+
+;; ── authenticated + acl permits ──────────────────────────────────
+
+(id-deleg-test
+  "an authenticated, permitted request returns the subject"
+  (idlnm
+    (idl-ev
+      (str
+        idl-setup
+        ", case identity_delegation:check(R, A, T, read, doc1) of\n             {ok, S} -> S;\n             {error, W} -> W\n           end")))
+  "alice")
+
+;; ── authenticated + acl denies → 403 ─────────────────────────────
+
+(id-deleg-test
+  "an authenticated but unpermitted request is forbidden"
+  (idlnm
+    (idl-ev
+      "R = identity_tokens:start(),\n       A = identity_delegation:stub_acl(),\n       {ok, T} = identity_tokens:issue(R, alice, web, [read]),\n       case identity_delegation:check(R, A, T, write, doc1) of\n         {ok, _} -> permitted;\n         {error, W} -> W\n       end"))
+  "forbidden")
+
+;; ── unauthenticated → 401, acl never consulted ───────────────────
+
+(id-deleg-test
+  "a revoked token is unauthenticated, not forbidden"
+  (idlnm
+    (idl-ev
+      (str
+        idl-setup
+        ", identity_tokens:revoke(R, T),\n           case identity_delegation:check(R, A, T, read, doc1) of\n             {ok, _} -> permitted;\n             {error, W} -> W\n           end")))
+  "unauthenticated")
+
+(id-deleg-test
+  "an unknown token is unauthenticated"
+  (idlnm
+    (idl-ev
+      "R = identity_tokens:start(),\n       A = identity_delegation:stub_acl(),\n       Bogus = make_ref(),\n       case identity_delegation:check(R, A, Bogus, read, doc1) of\n         {ok, _} -> permitted;\n         {error, W} -> W\n       end"))
+  "unauthenticated")
+
+(id-deleg-test
+  "an expired token is unauthenticated"
+  (idlnm
+    (idl-ev
+      "R = identity_tokens:start(),\n       A = identity_delegation:stub_acl(),\n       {ok, T} = identity_tokens:issue(R, alice, web, [read], 100),\n       identity_tokens:advance(R, 100),\n       case identity_delegation:check(R, A, T, read, doc1) of\n         {ok, _} -> permitted;\n         {error, W} -> W\n       end"))
+  "unauthenticated")
+
+;; ── 401 takes precedence over 403 (identity gates first) ─────────
+
+(id-deleg-test
+  "a revoked token with no matching scope is still unauthenticated"
+  (idlnm
+    (idl-ev
+      "R = identity_tokens:start(),\n       A = identity_delegation:stub_acl(),\n       {ok, T} = identity_tokens:issue(R, alice, web, [admin]),\n       identity_tokens:revoke(R, T),\n       case identity_delegation:check(R, A, T, read, doc1) of\n         {ok, _} -> permitted;\n         {error, W} -> W\n       end"))
+  "unauthenticated")
+
+;; ── acl is what decides for an authenticated subject ─────────────
+
+(id-deleg-test
+  "the same subject is permitted one action and denied another"
+  (idl-ev
+    "R = identity_tokens:start(),\n     A = identity_delegation:stub_acl(),\n     {ok, T} = identity_tokens:issue(R, alice, web, [read]),\n     Allowed = case identity_delegation:check(R, A, T, read, doc1) of\n       {ok, _} -> 1; {error, _} -> 0 end,\n     Denied = case identity_delegation:check(R, A, T, write, doc1) of\n       {ok, _} -> 1; {error, _} -> 0 end,\n     Allowed - Denied")
+  1)
+
+(id-deleg-test
+  "identity does not widen permission beyond the token scope"
+  (idlnm
+    (idl-ev
+      "R = identity_tokens:start(),\n       A = identity_delegation:stub_acl(),\n       {ok, T} = identity_tokens:issue(R, alice, web, [read, write]),\n       case identity_delegation:check(R, A, T, delete, doc1) of\n         {ok, _} -> permitted;\n         {error, W} -> W\n       end"))
+  "forbidden")
+
+(define
+  id-deleg-test-summary
+  (str "delegation " id-deleg-test-pass "/" id-deleg-test-count))

lib/identity/tests/device.sx

@@ -0,0 +1,109 @@
+;; identity/tests/device.sx — device authorization grant (RFC 8628):
+;; authorize → poll(pending) → approve/deny out-of-band → poll(token/denied).
+
+(define id-device-test-count 0)
+(define id-device-test-pass 0)
+(define id-device-test-fails (list))
+
+(define
+  id-device-test
+  (fn
+    (name actual expected)
+    (set! id-device-test-count (+ id-device-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-device-test-pass (+ id-device-test-pass 1))
+      (append! id-device-test-fails {:name name :expected expected :actual actual}))))
+
+(define idd-ev erlang-eval-ast)
+(define iddnm (fn (v) (get v :name)))
+
+(identity-load-device!)
+
+;; ── polling before approval ──────────────────────────────────────
+
+(id-device-test
+  "polling a pending device code is authorization_pending"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       {ok, Dc, _Uc} = identity_device:authorize(D, tv, watch),\n       case identity_device:poll(D, Dc) of\n         {ok, _} -> got;\n         {error, W} -> W\n       end"))
+  "authorization_pending")
+
+;; ── approve → token ──────────────────────────────────────────────
+
+(id-device-test
+  "after approval, polling yields a working token"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       {ok, Dc, Uc} = identity_device:authorize(D, tv, watch),\n       identity_device:approve(D, Uc, alice),\n       {ok, T} = identity_device:poll(D, Dc),\n       case identity_device:introspect(D, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-device-test
+  "the device token carries the approving subject"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       {ok, Dc, Uc} = identity_device:authorize(D, tv, watch),\n       identity_device:approve(D, Uc, alice),\n       {ok, T} = identity_device:poll(D, Dc),\n       case identity_device:introspect(D, T) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "alice")
+
+(id-device-test
+  "the device token carries the requested scope"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       {ok, Dc, Uc} = identity_device:authorize(D, tv, stream),\n       identity_device:approve(D, Uc, alice),\n       {ok, T} = identity_device:poll(D, Dc),\n       case identity_device:introspect(D, T) of\n         {active, _, _, Scope} -> Scope\n       end"))
+  "stream")
+
+;; ── deny ─────────────────────────────────────────────────────────
+
+(id-device-test
+  "after denial, polling is access_denied"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       {ok, Dc, Uc} = identity_device:authorize(D, tv, watch),\n       identity_device:deny(D, Uc),\n       case identity_device:poll(D, Dc) of\n         {ok, _} -> got;\n         {error, W} -> W\n       end"))
+  "access_denied")
+
+;; ── unknown codes ────────────────────────────────────────────────
+
+(id-device-test
+  "polling an unknown device code is invalid_grant"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       Bogus = make_ref(),\n       case identity_device:poll(D, Bogus) of\n         {ok, _} -> got;\n         {error, W} -> W\n       end"))
+  "invalid_grant")
+
+(id-device-test
+  "approving an unknown user code is unknown_code"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       Bogus = make_ref(),\n       case identity_device:approve(D, Bogus, alice) of\n         ok -> ok;\n         {error, W} -> W\n       end"))
+  "unknown_code")
+
+;; ── single-use device code ───────────────────────────────────────
+
+(id-device-test
+  "the device code is single-use after issuing a token"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       {ok, Dc, Uc} = identity_device:authorize(D, tv, watch),\n       identity_device:approve(D, Uc, alice),\n       identity_device:poll(D, Dc),\n       case identity_device:poll(D, Dc) of\n         {ok, _} -> got;\n         {error, W} -> W\n       end"))
+  "invalid_grant")
+
+;; ── guarded transitions ──────────────────────────────────────────
+
+(id-device-test
+  "approving an already-denied request is rejected"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       {ok, _Dc, Uc} = identity_device:authorize(D, tv, watch),\n       identity_device:deny(D, Uc),\n       case identity_device:approve(D, Uc, alice) of\n         ok -> ok;\n         {error, W} -> W\n       end"))
+  "denied")
+
+;; ── independence ─────────────────────────────────────────────────
+
+(id-device-test
+  "two device requests are independent"
+  (iddnm
+    (idd-ev
+      "D = identity_device:start(),\n       {ok, Dc1, Uc1} = identity_device:authorize(D, tv, watch),\n       {ok, Dc2, _Uc2} = identity_device:authorize(D, cli, deploy),\n       identity_device:approve(D, Uc1, alice),\n       case identity_device:poll(D, Dc2) of\n         {ok, _} -> got;\n         {error, W} -> W\n       end"))
+  "authorization_pending")
+
+(define
+  id-device-test-summary
+  (str "device " id-device-test-pass "/" id-device-test-count))

lib/identity/tests/dynreg.sx

@@ -0,0 +1,68 @@
+;; identity/tests/dynreg.sx — dynamic client registration (RFC 7591): the
+;; server generates the client_id + secret for self-service onboarding.
+
+(define id-dyn-test-count 0)
+(define id-dyn-test-pass 0)
+(define id-dyn-test-fails (list))
+
+(define
+  id-dyn-test
+  (fn
+    (name actual expected)
+    (set! id-dyn-test-count (+ id-dyn-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-dyn-test-pass (+ id-dyn-test-pass 1))
+      (append! id-dyn-test-fails {:name name :expected expected :actual actual}))))
+
+(define idd-ev erlang-eval-ast)
+(define iddnm (fn (v) (get v :name)))
+
+(identity-load-oauth!)
+
+;; ── self-service registration yields usable credentials ──────────
+
+(id-dyn-test
+  "a dynamically registered confidential client can get a token"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-dyn-test
+  "the token's subject is the generated client id"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, Sub, _, _} ->\n           case Sub =:= Cid of true -> matches; false -> mismatch end;\n         {inactive} -> inactive\n       end"))
+  "matches")
+
+;; ── the generated secret is required ─────────────────────────────
+
+(id-dyn-test
+  "a wrong secret for a dynamic client is invalid_client"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, _Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       case identity_oauth:client_credentials(O, Cid, wrongsecret, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "invalid_client")
+
+;; ── uniqueness ───────────────────────────────────────────────────
+
+(id-dyn-test
+  "two registrations yield distinct client ids"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, C1, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, C2, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       case C1 =:= C2 of true -> collision; false -> distinct end"))
+  "distinct")
+
+;; ── a dynamic public client still cannot use client-credentials ──
+
+(id-dyn-test
+  "a dynamic public client is unauthorized for client-credentials"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, public, [uri1]),\n       case identity_oauth:client_credentials(O, Cid, Sec, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "unauthorized_client")
+
+(define
+  id-dyn-test-summary
+  (str "dynreg " id-dyn-test-pass "/" id-dyn-test-count))

lib/identity/tests/exchange.sx

@@ -0,0 +1,110 @@
+;; identity/tests/exchange.sx — token exchange (RFC 8693 §2.1): downscope a
+;; valid access token into a new independent token for a downstream service.
+
+(define id-xchg-test-count 0)
+(define id-xchg-test-pass 0)
+(define id-xchg-test-fails (list))
+
+(define
+  id-xchg-test
+  (fn
+    (name actual expected)
+    (set! id-xchg-test-count (+ id-xchg-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-xchg-test-pass (+ id-xchg-test-pass 1))
+      (append! id-xchg-test-fails {:name name :expected expected :actual actual}))))
+
+(define idx-ev erlang-eval-ast)
+(define idxnm (fn (v) (get v :name)))
+
+(identity-load-oauth!)
+
+;; Shared prelude: an access token A for alice with scope [read, write].
+(define
+  idx-token
+  "O = identity_oauth:start(),\n   {consent_required, Rq} = identity_oauth:authorize(O, web, uri1, [read, write], alice, v),\n   {code, Cd} = identity_oauth:consent(O, Rq, allow),\n   {ok, A, _R} = identity_oauth:exchange(O, Cd, web, uri1, v)")
+
+;; ── downscoping ──────────────────────────────────────────────────
+
+(id-xchg-test
+  "exchange downscopes to a subset"
+  (idxnm
+    (idx-ev
+      (str
+        idx-token
+        ", {ok, X} = identity_oauth:token_exchange(O, A, [read]),\n           case identity_oauth:introspect(O, X) of\n             {active, _, _, [read]} -> downscoped;\n             {active, _, _, _} -> other;\n             {inactive} -> inactive\n           end")))
+  "downscoped")
+
+(id-xchg-test
+  "the exchanged token keeps the subject"
+  (idxnm
+    (idx-ev
+      (str
+        idx-token
+        ", {ok, X} = identity_oauth:token_exchange(O, A, [read]),\n           case identity_oauth:introspect(O, X) of\n             {active, Subject, _, _} -> Subject\n           end")))
+  "alice")
+
+(id-xchg-test
+  "exchange to the same scope is allowed"
+  (idxnm
+    (idx-ev
+      (str
+        idx-token
+        ", {ok, X} = identity_oauth:token_exchange(O, A, [read, write]),\n           case identity_oauth:introspect(O, X) of\n             {active, _, _, [read, write]} -> full;\n             {active, _, _, _} -> other;\n             {inactive} -> inactive\n           end")))
+  "full")
+
+;; ── scope cannot be widened ──────────────────────────────────────
+
+(id-xchg-test
+  "exchange cannot widen beyond the subject token's scope"
+  (idxnm
+    (idx-ev
+      "O = identity_oauth:start(),\n       {consent_required, Rq} = identity_oauth:authorize(O, web, uri1, [read], alice, v),\n       {code, Cd} = identity_oauth:consent(O, Rq, allow),\n       {ok, A, _R} = identity_oauth:exchange(O, Cd, web, uri1, v),\n       case identity_oauth:token_exchange(O, A, [read, write]) of\n         {ok, _} -> widened;\n         {error, W} -> W\n       end"))
+  "invalid_scope")
+
+;; ── inactive subject token cannot be exchanged ───────────────────
+
+(id-xchg-test
+  "exchanging a revoked subject token is invalid_grant"
+  (idxnm
+    (idx-ev
+      (str
+        idx-token
+        ", identity_oauth:revoke(O, A),\n           case identity_oauth:token_exchange(O, A, [read]) of\n             {ok, _} -> issued;\n             {error, W} -> W\n           end")))
+  "invalid_grant")
+
+;; ── independent lifecycles ───────────────────────────────────────
+
+(id-xchg-test
+  "revoking the subject token does not revoke the exchanged token"
+  (idxnm
+    (idx-ev
+      (str
+        idx-token
+        ", {ok, X} = identity_oauth:token_exchange(O, A, [read]),\n           identity_oauth:revoke(O, A),\n           case identity_oauth:introspect(O, X) of\n             {active, _, _, _} -> still_active;\n             {inactive} -> inactive\n           end")))
+  "still_active")
+
+(id-xchg-test
+  "revoking the exchanged token does not revoke the subject token"
+  (idxnm
+    (idx-ev
+      (str
+        idx-token
+        ", {ok, X} = identity_oauth:token_exchange(O, A, [read]),\n           identity_oauth:revoke(O, X),\n           case identity_oauth:introspect(O, A) of\n             {active, _, _, _} -> still_active;\n             {inactive} -> inactive\n           end")))
+  "still_active")
+
+;; ── chained downscoping ──────────────────────────────────────────
+
+(id-xchg-test
+  "an exchanged token can itself be exchanged (chain)"
+  (idxnm
+    (idx-ev
+      (str
+        idx-token
+        ", {ok, X1} = identity_oauth:token_exchange(O, A, [read, write]),\n           {ok, X2} = identity_oauth:token_exchange(O, X1, [read]),\n           case identity_oauth:introspect(O, X2) of\n             {active, _, _, [read]} -> chained;\n             {active, _, _, _} -> other;\n             {inactive} -> inactive\n           end")))
+  "chained")
+
+(define
+  id-xchg-test-summary
+  (str "exchange " id-xchg-test-pass "/" id-xchg-test-count))

lib/identity/tests/expiry.sx

@@ -0,0 +1,92 @@
+;; identity/tests/expiry.sx — access-token expiry on a logical clock
+;; (RFC 6749 §4.2.2 expires_in). `advance` stands in for time passing;
+;; introspect returns inactive once the clock reaches a token's expiry.
+;; Refresh mints a fresh short-lived access token — the point of refresh.
+
+(define id-expiry-test-count 0)
+(define id-expiry-test-pass 0)
+(define id-expiry-test-fails (list))
+
+(define
+  id-expiry-test
+  (fn
+    (name actual expected)
+    (set! id-expiry-test-count (+ id-expiry-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-expiry-test-pass (+ id-expiry-test-pass 1))
+      (append! id-expiry-test-fails {:name name :expected expected :actual actual}))))
+
+(define ide-ev erlang-eval-ast)
+(define idenm (fn (v) (get v :name)))
+
+(identity-load-token!)
+
+;; ── within TTL is active; past TTL is inactive ───────────────────
+
+(id-expiry-test
+  "a token within its TTL is active"
+  (idenm
+    (ide-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       identity_tokens:advance(R, 50),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-expiry-test
+  "a token at its TTL boundary is expired"
+  (idenm
+    (ide-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       identity_tokens:advance(R, 100),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-expiry-test
+  "a token just before its TTL is still active"
+  (idenm
+    (ide-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       identity_tokens:advance(R, 99),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+;; ── no TTL (infinity) never expires ──────────────────────────────
+
+(id-expiry-test
+  "a token issued without a TTL never expires"
+  (idenm
+    (ide-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read),\n       identity_tokens:advance(R, 100000),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+;; ── refresh mints a fresh short-lived token ──────────────────────
+
+(id-expiry-test
+  "refresh renews access after the old token expired"
+  (idenm
+    (ide-ev
+      "R = identity_tokens:start(),\n       {ok, A, Rt} = identity_tokens:issue_grant(R, alice, web, read, 100),\n       identity_tokens:advance(R, 100),\n       inactive = case identity_tokens:introspect(R, A) of\n         {active, _, _, _} -> active; {inactive} -> inactive end,\n       {ok, A2, _R2} = identity_tokens:refresh(R, Rt),\n       case identity_tokens:introspect(R, A2) of\n         {active, _, _, _} -> renewed;\n         {inactive} -> inactive\n       end"))
+  "renewed")
+
+(id-expiry-test
+  "the renewed token also expires after its own TTL"
+  (idenm
+    (ide-ev
+      "R = identity_tokens:start(),\n       {ok, _A, Rt} = identity_tokens:issue_grant(R, alice, web, read, 100),\n       identity_tokens:advance(R, 100),\n       {ok, A2, _R2} = identity_tokens:refresh(R, Rt),\n       identity_tokens:advance(R, 100),\n       case identity_tokens:introspect(R, A2) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+;; ── the logical clock ────────────────────────────────────────────
+
+(id-expiry-test
+  "the clock starts at zero and advances"
+  (ide-ev
+    "R = identity_tokens:start(),\n     identity_tokens:advance(R, 7),\n     identity_tokens:advance(R, 35),\n     identity_tokens:now(R)")
+  42)
+
+;; ── expiry composes with revocation ──────────────────────────────
+
+(id-expiry-test
+  "an expired token is also inactive after revoke (no contradiction)"
+  (idenm
+    (ide-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       identity_tokens:advance(R, 200),\n       identity_tokens:revoke(R, T),\n       case identity_tokens:introspect(R, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(define
+  id-expiry-test-summary
+  (str "expiry " id-expiry-test-pass "/" id-expiry-test-count))

lib/identity/tests/facade.sx

@@ -0,0 +1,97 @@
+;; identity/tests/facade.sx — the unified facade: one coordinator wiring
+;; sessions+tokens, the audit ledger, and membership. Exercises the
+;; cross-module integration (login/logout auditing, audit history, member
+;; enrollment + projection) through the single `identity` door.
+
+(define id-facade-test-count 0)
+(define id-facade-test-pass 0)
+(define id-facade-test-fails (list))
+
+(define
+  id-facade-test
+  (fn
+    (name actual expected)
+    (set! id-facade-test-count (+ id-facade-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-facade-test-pass (+ id-facade-test-pass 1))
+      (append! id-facade-test-fails {:name name :expected expected :actual actual}))))
+
+(define idfc-ev erlang-eval-ast)
+(define idfcnm (fn (v) (get v :name)))
+
+(identity-load-all!)
+
+;; ── login + logout are audited through the ledger ────────────────
+
+(id-facade-test
+  "login then logout records login, issue, logout in order"
+  (idfcnm
+    (idfc-ev
+      "Svc = identity:start(),\n       {ok, Sid, _Tok} = identity:login(Svc, alice, web, read),\n       identity:logout(Svc, Sid),\n       case identity:history(Svc, alice) of\n         [login, issue, logout] -> ordered;\n         Other -> Other\n       end"))
+  "ordered")
+
+(id-facade-test
+  "revoking a token is audited"
+  (idfcnm
+    (idfc-ev
+      "Svc = identity:start(),\n       {ok, _Sid, Tok} = identity:login(Svc, alice, web, read),\n       identity:revoke(Svc, Tok),\n       case identity:history(Svc, alice) of\n         [login, issue, revoke] -> ordered;\n         Other -> Other\n       end"))
+  "ordered")
+
+(id-facade-test
+  "history is per-subject"
+  (idfc-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, bob, cli, read),\n     identity:login(Svc, alice, mobile, read),\n     length(identity:history(Svc, alice))")
+  4)
+
+;; ── membership through the facade ────────────────────────────────
+
+(id-facade-test
+  "enroll makes the subject an active member"
+  (idfcnm
+    (idfc-ev
+      "Svc = identity:start(),\n       identity:enroll(Svc, alice, supporter),\n       case identity:member_status(Svc, alice) of\n         {ok, St, _} -> St;\n         {none} -> none\n       end"))
+  "active")
+
+(id-facade-test
+  "enroll keeps the tier"
+  (idfcnm
+    (idfc-ev
+      "Svc = identity:start(),\n       identity:enroll(Svc, alice, supporter),\n       case identity:member_status(Svc, alice) of\n         {ok, _, Tier} -> Tier\n       end"))
+  "supporter")
+
+(id-facade-test
+  "an enrolled member projects per-app"
+  (idfcnm
+    (idfc-ev
+      "Svc = identity:start(),\n       identity:enroll(Svc, alice, basic),\n       case identity:member_project(Svc, alice, market) of\n         {member, _, App} -> App;\n         {Tag, _} -> Tag\n       end"))
+  "market")
+
+(id-facade-test
+  "a non-member projects as non_member"
+  (idfcnm
+    (idfc-ev
+      "Svc = identity:start(),\n       case identity:member_project(Svc, stranger, blog) of\n         {member, _, _} -> member;\n         {Tag, _} -> Tag\n       end"))
+  "non_member")
+
+;; ── the facade still proves identity ─────────────────────────────
+
+(id-facade-test
+  "verify still returns the subject after login"
+  (idfcnm
+    (idfc-ev
+      "Svc = identity:start(),\n       {ok, _Sid, Tok} = identity:login(Svc, alice, web, read),\n       case identity:verify(Svc, Tok) of\n         {active, Subject, _, _} -> Subject;\n         {inactive} -> inactive\n       end"))
+  "alice")
+
+;; ── identity and membership are distinct axes ────────────────────
+
+(id-facade-test
+  "logging in does not enroll membership"
+  (idfcnm
+    (idfc-ev
+      "Svc = identity:start(),\n       identity:login(Svc, alice, web, read),\n       case identity:member_status(Svc, alice) of\n         {ok, St, _} -> St;\n         {none} -> none\n       end"))
+  "none")
+
+(define
+  id-facade-test-summary
+  (str "facade " id-facade-test-pass "/" id-facade-test-count))

lib/identity/tests/federation.sx

@@ -0,0 +1,115 @@
+;; identity/tests/federation.sx — federated identity: trust-gated,
+;; advisory peer assertions + cross-instance subject mapping.
+
+(define id-fed-test-count 0)
+(define id-fed-test-pass 0)
+(define id-fed-test-fails (list))
+
+(define
+  id-fed-test
+  (fn
+    (name actual expected)
+    (set! id-fed-test-count (+ id-fed-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-fed-test-pass (+ id-fed-test-pass 1))
+      (append! id-fed-test-fails {:name name :expected expected :actual actual}))))
+
+(define idf-ev erlang-eval-ast)
+(define idfnm (fn (v) (get v :name)))
+
+(identity-load-federation!)
+
+;; ── trust gating ─────────────────────────────────────────────────
+
+(id-fed-test
+  "an assertion from an untrusted peer is rejected"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       case identity_federation:assert_id(F, peer1, alice) of\n         {ok, _} -> accepted;\n         {error, Why} -> Why\n       end"))
+  "untrusted")
+
+(id-fed-test
+  "a trusted peer's assertion is accepted"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       identity_federation:trust(F, peer1),\n       case identity_federation:assert_id(F, peer1, alice) of\n         {ok, _} -> accepted;\n         {error, Why} -> Why\n       end"))
+  "accepted")
+
+(id-fed-test
+  "untrust closes the door to future assertions"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       identity_federation:trust(F, peer1),\n       identity_federation:untrust(F, peer1),\n       case identity_federation:assert_id(F, peer1, alice) of\n         {ok, _} -> accepted;\n         {error, Why} -> Why\n       end"))
+  "untrusted")
+
+(id-fed-test
+  "trusted? is true for a trusted peer"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       identity_federation:trust(F, peer1),\n       case identity_federation:trusted(F, peer1) of\n         true -> yes;\n         false -> no\n       end"))
+  "yes")
+
+(id-fed-test
+  "trusted? is false for an unknown peer"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       identity_federation:trust(F, peer1),\n       case identity_federation:trusted(F, peer2) of\n         true -> yes;\n         false -> no\n       end"))
+  "no")
+
+;; ── advisory provenance ──────────────────────────────────────────
+
+(id-fed-test
+  "an asserted identity is flagged peer_asserted with its origin"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       identity_federation:trust(F, peer1),\n       {ok, L} = identity_federation:assert_id(F, peer1, alice),\n       case identity_federation:provenance(F, L) of\n         {peer_asserted, P} -> P;\n         {local} -> local\n       end"))
+  "peer1")
+
+(id-fed-test
+  "a non-federated subject has local provenance"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       case identity_federation:provenance(F, alice) of\n         {peer_asserted, _} -> peer_asserted;\n         {local} -> local\n       end"))
+  "local")
+
+;; ── cross-instance subject mapping ───────────────────────────────
+
+(id-fed-test
+  "remote subjects are namespaced by peer by default"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       case identity_federation:resolve(F, peer1, alice) of\n         {ok, {federated, _, Remote}} -> Remote;\n         _ -> other\n       end"))
+  "alice")
+
+(id-fed-test
+  "the same remote name from two peers maps to distinct subjects"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       {ok, L1} = identity_federation:resolve(F, peer1, alice),\n       {ok, L2} = identity_federation:resolve(F, peer2, alice),\n       case L1 =:= L2 of\n         true -> collision;\n         false -> distinct\n       end"))
+  "distinct")
+
+(id-fed-test
+  "an explicit map aliases a remote subject to a local one"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       identity_federation:trust(F, peer1),\n       identity_federation:map(F, peer1, alice, alice_local),\n       case identity_federation:assert_id(F, peer1, alice) of\n         {ok, alice_local} -> mapped;\n         {ok, _} -> unmapped;\n         {error, W} -> W\n       end"))
+  "mapped")
+
+(id-fed-test
+  "a mapped subject keeps peer_asserted provenance"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       identity_federation:trust(F, peer1),\n       identity_federation:map(F, peer1, alice, alice_local),\n       identity_federation:assert_id(F, peer1, alice),\n       case identity_federation:provenance(F, alice_local) of\n         {peer_asserted, P} -> P;\n         {local} -> local\n       end"))
+  "peer1")
+
+(id-fed-test
+  "two peers asserting same name keep separate provenance"
+  (idfnm
+    (idf-ev
+      "F = identity_federation:start(),\n       identity_federation:trust(F, peer1),\n       identity_federation:trust(F, peer2),\n       {ok, L1} = identity_federation:assert_id(F, peer1, alice),\n       {ok, _L2} = identity_federation:assert_id(F, peer2, alice),\n       case identity_federation:provenance(F, L1) of\n         {peer_asserted, P} -> P;\n         {local} -> local\n       end"))
+  "peer1")
+
+(define
+  id-fed-test-summary
+  (str "federation " id-fed-test-pass "/" id-fed-test-count))

lib/identity/tests/grants.sx

@@ -0,0 +1,96 @@
+;; identity/tests/grants.sx — the client-credentials grant (RFC 6749
+;; §4.4): a confidential client authenticates and gets a token acting on
+;; its own behalf — no end-user, no refresh token (§4.4.3). Public clients
+;; cannot use it.
+
+(define id-grants-test-count 0)
+(define id-grants-test-pass 0)
+(define id-grants-test-fails (list))
+
+(define
+  id-grants-test
+  (fn
+    (name actual expected)
+    (set! id-grants-test-count (+ id-grants-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-grants-test-pass (+ id-grants-test-pass 1))
+      (append! id-grants-test-fails {:name name :expected expected :actual actual}))))
+
+(define idg-ev erlang-eval-ast)
+(define idgnm (fn (v) (get v :name)))
+
+(identity-load-oauth!)
+
+;; ── confidential client-credentials happy path ───────────────────
+
+(id-grants-test
+  "a confidential client obtains a working token"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       identity_oauth:register_client(O, svc, confidential, sk, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, svc, sk, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-grants-test
+  "the client-credentials token's subject is the client itself"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       identity_oauth:register_client(O, svc, confidential, sk, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, svc, sk, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "svc")
+
+(id-grants-test
+  "the client-credentials token carries the requested scope"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       identity_oauth:register_client(O, svc, confidential, sk, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, svc, sk, reports),\n       case identity_oauth:introspect(O, T) of\n         {active, _, _, Scope} -> Scope\n       end"))
+  "reports")
+
+(id-grants-test
+  "client-credentials issues no refresh token (single value)"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       identity_oauth:register_client(O, svc, confidential, sk, [uri1]),\n       case identity_oauth:client_credentials(O, svc, sk, batch) of\n         {ok, _, _} -> pair;\n         {ok, _} -> single;\n         {error, W} -> W\n       end"))
+  "single")
+
+;; ── authentication failures ──────────────────────────────────────
+
+(id-grants-test
+  "a wrong client secret is invalid_client"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       identity_oauth:register_client(O, svc, confidential, sk, [uri1]),\n       case identity_oauth:client_credentials(O, svc, wrong, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "invalid_client")
+
+(id-grants-test
+  "a public client cannot use client-credentials"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       identity_oauth:register_client(O, spa, public, none, [uri1]),\n       case identity_oauth:client_credentials(O, spa, none, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "unauthorized_client")
+
+(id-grants-test
+  "an unregistered client cannot use client-credentials"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       case identity_oauth:client_credentials(O, ghost, x, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "invalid_client")
+
+;; ── independence + real revocation for client tokens ─────────────
+
+(id-grants-test
+  "two confidential clients get independent tokens"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       identity_oauth:register_client(O, svc1, confidential, k1, [uri1]),\n       identity_oauth:register_client(O, svc2, confidential, k2, [uri1]),\n       {ok, _T1} = identity_oauth:client_credentials(O, svc1, k1, batch),\n       {ok, T2} = identity_oauth:client_credentials(O, svc2, k2, batch),\n       case identity_oauth:introspect(O, T2) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "svc2")
+
+(id-grants-test
+  "a client-credentials token can be revoked"
+  (idgnm
+    (idg-ev
+      "O = identity_oauth:start(),\n       identity_oauth:register_client(O, svc, confidential, sk, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, svc, sk, batch),\n       identity_oauth:revoke(O, T),\n       case identity_oauth:introspect(O, T) of\n         {active, _, _, _} -> still_valid;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(define
+  id-grants-test-summary
+  (str "grants " id-grants-test-pass "/" id-grants-test-count))

lib/identity/tests/introspect.sx

@@ -0,0 +1,93 @@
+;; identity/tests/introspect.sx — RFC 7662 §2.2 full introspection metadata
+;; (sub, client_id, scope, exp, iat, token_type) alongside the live-lookup
+;; active/inactive semantics.
+
+(define id-intr-test-count 0)
+(define id-intr-test-pass 0)
+(define id-intr-test-fails (list))
+
+(define
+  id-intr-test
+  (fn
+    (name actual expected)
+    (set! id-intr-test-count (+ id-intr-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-intr-test-pass (+ id-intr-test-pass 1))
+      (append! id-intr-test-fails {:name name :expected expected :actual actual}))))
+
+(define idi-ev erlang-eval-ast)
+(define idinm (fn (v) (get v :name)))
+
+(identity-load-token!)
+
+;; ── metadata fields ──────────────────────────────────────────────
+
+(id-intr-test
+  "introspect_full reports token_type bearer"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, _, _, _, _, Tt} -> Tt;\n         {inactive} -> inactive\n       end"))
+  "bearer")
+
+(id-intr-test
+  "introspect_full reports the subject"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, Sub, _, _, _, _, _} -> Sub\n       end"))
+  "alice")
+
+(id-intr-test
+  "introspect_full reports the client_id"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, mobile, read, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, Cl, _, _, _, _} -> Cl\n       end"))
+  "mobile")
+
+(id-intr-test
+  "introspect_full reports the scope"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, write, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, _, Sc, _, _, _} -> Sc\n       end"))
+  "write")
+
+;; ── exp / iat reflect the logical clock ──────────────────────────
+
+(id-intr-test
+  "iat is the clock value at issue"
+  (idi-ev
+    "R = identity_tokens:start(),\n     identity_tokens:advance(R, 7),\n     {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n     case identity_tokens:introspect_full(R, T) of\n       {active, _, _, _, _, Iat, _} -> Iat\n     end")
+  7)
+
+(id-intr-test
+  "exp is iat plus the ttl"
+  (idi-ev
+    "R = identity_tokens:start(),\n     identity_tokens:advance(R, 7),\n     {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n     case identity_tokens:introspect_full(R, T) of\n       {active, _, _, _, Exp, Iat, _} -> Exp - Iat\n     end")
+  100)
+
+;; ── inactive / expired / revoked ─────────────────────────────────
+
+(id-intr-test
+  "an expired token introspects inactive in full mode too"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       identity_tokens:advance(R, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, _, _, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-intr-test
+  "a revoked token introspects inactive in full mode"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read),\n       identity_tokens:revoke(R, T),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, _, _, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-intr-test
+  "an unknown token introspects inactive in full mode"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       Bogus = make_ref(),\n       case identity_tokens:introspect_full(R, Bogus) of\n         {active, _, _, _, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(define
+  id-intr-test-summary
+  (str "introspect " id-intr-test-pass "/" id-intr-test-count))

lib/identity/tests/membership.sx

@@ -0,0 +1,155 @@
+;; identity/tests/membership.sx — membership state machine + per-app
+;; grant projection. Valid transitions advance state; invalid ones are
+;; explicit errors. The projection renders one canonical state per app.
+
+(define id-membership-test-count 0)
+(define id-membership-test-pass 0)
+(define id-membership-test-fails (list))
+
+(define
+  id-membership-test
+  (fn
+    (name actual expected)
+    (set! id-membership-test-count (+ id-membership-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-membership-test-pass (+ id-membership-test-pass 1))
+      (append! id-membership-test-fails {:name name :expected expected :actual actual}))))
+
+(define idm-ev erlang-eval-ast)
+(define idmnm (fn (v) (get v :name)))
+
+(identity-load-membership!)
+
+;; ── request → pending → approve → active ─────────────────────────
+
+(id-membership-test
+  "request leaves the subject pending"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       case identity_membership:status(M, alice) of\n         {ok, St, _} -> St;\n         {none} -> none\n       end"))
+  "pending")
+
+(id-membership-test
+  "approve activates a pending membership"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       case identity_membership:status(M, alice) of\n         {ok, St, _} -> St;\n         {none} -> none\n       end"))
+  "active")
+
+(id-membership-test
+  "status keeps the requested tier"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, supporter),\n       identity_membership:approve(M, alice),\n       case identity_membership:status(M, alice) of\n         {ok, _, Tier} -> Tier\n       end"))
+  "supporter")
+
+;; ── guarded transitions: invalid moves are explicit errors ───────
+
+(id-membership-test
+  "requesting twice is an error"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       case identity_membership:request(M, alice, basic) of\n         ok -> ok;\n         {error, Why} -> Why\n       end"))
+  "exists")
+
+(id-membership-test
+  "approving an unknown subject is not_found"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       case identity_membership:approve(M, ghost) of\n         ok -> ok;\n         {error, Why} -> Why\n       end"))
+  "not_found")
+
+(id-membership-test
+  "approving an already-active membership is an error"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       case identity_membership:approve(M, alice) of\n         ok -> ok;\n         {error, Why} -> Why\n       end"))
+  "active")
+
+;; ── lapse / reinstate ────────────────────────────────────────────
+
+(id-membership-test
+  "active member can lapse"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       identity_membership:lapse(M, alice),\n       case identity_membership:status(M, alice) of\n         {ok, St, _} -> St\n       end"))
+  "lapsed")
+
+(id-membership-test
+  "lapsing a pending membership is an error"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       case identity_membership:lapse(M, alice) of\n         ok -> ok;\n         {error, Why} -> Why\n       end"))
+  "pending")
+
+(id-membership-test
+  "lapsed member can reinstate to active"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       identity_membership:lapse(M, alice),\n       identity_membership:reinstate(M, alice),\n       case identity_membership:status(M, alice) of\n         {ok, St, _} -> St\n       end"))
+  "active")
+
+;; ── revoke is terminal ───────────────────────────────────────────
+
+(id-membership-test
+  "any member can be revoked"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       identity_membership:revoke(M, alice),\n       case identity_membership:status(M, alice) of\n         {ok, St, _} -> St\n       end"))
+  "revoked")
+
+(id-membership-test
+  "a revoked membership cannot be reinstated"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       identity_membership:revoke(M, alice),\n       case identity_membership:reinstate(M, alice) of\n         ok -> ok;\n         {error, Why} -> Why\n       end"))
+  "revoked")
+
+;; ── per-app grant projection ─────────────────────────────────────
+
+(id-membership-test
+  "active member projects as member"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       case identity_membership:project(M, alice, blog) of\n         {member, _, _} -> member;\n         {Tag, _} -> Tag\n       end"))
+  "member")
+
+(id-membership-test
+  "projection carries the requesting app"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       case identity_membership:project(M, alice, market) of\n         {member, _, App} -> App\n       end"))
+  "market")
+
+(id-membership-test
+  "the same subject projects consistently across apps"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, supporter),\n       identity_membership:approve(M, alice),\n       {member, T1, blog} = identity_membership:project(M, alice, blog),\n       {member, T2, events} = identity_membership:project(M, alice, events),\n       case T1 =:= T2 of\n         true -> T1;\n         false -> mismatch\n       end"))
+  "supporter")
+
+(id-membership-test
+  "unknown subject projects as non_member"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       case identity_membership:project(M, ghost, blog) of\n         {Tag, _} -> Tag;\n         {Tag, _, _} -> Tag\n       end"))
+  "non_member")
+
+(id-membership-test
+  "lapsed member projects as lapsed"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       identity_membership:lapse(M, alice),\n       case identity_membership:project(M, alice, blog) of\n         {Tag, _} -> Tag;\n         {Tag, _, _} -> Tag\n       end"))
+  "lapsed")
+
+(id-membership-test
+  "revoked member projects as denied"
+  (idmnm
+    (idm-ev
+      "M = identity_membership:start(),\n       identity_membership:request(M, alice, basic),\n       identity_membership:approve(M, alice),\n       identity_membership:revoke(M, alice),\n       case identity_membership:project(M, alice, blog) of\n         {Tag, _} -> Tag;\n         {Tag, _, _} -> Tag\n       end"))
+  "denied")
+
+(define
+  id-membership-test-summary
+  (str "membership " id-membership-test-pass "/" id-membership-test-count))

lib/identity/tests/oauth.sx

@@ -0,0 +1,192 @@
+;; identity/tests/oauth.sx — OAuth2 authorization-code flow (RFC 6749
+;; §4.1) + PKCE (RFC 7636) + refresh grant (§6). Covers the full happy
+;; path end-to-end (code exchange → access+refresh → refresh rotation) and
+;; every rejection: denied consent, single-use codes, client/redirect
+;; binding, PKCE mismatch, unknown code/request, refresh-token reuse, and
+;; revoke-then-use (which must fail).
+
+(define id-oauth-test-count 0)
+(define id-oauth-test-pass 0)
+(define id-oauth-test-fails (list))
+
+(define
+  id-oauth-test
+  (fn
+    (name actual expected)
+    (set! id-oauth-test-count (+ id-oauth-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-oauth-test-pass (+ id-oauth-test-pass 1))
+      (append! id-oauth-test-fails {:name name :expected expected :actual actual}))))
+
+(define ido-ev erlang-eval-ast)
+(define idonm (fn (v) (get v :name)))
+
+(identity-load-token!)
+(identity-load-oauth!)
+
+;; Shared prelude: authorize + consent(allow) leaving Code bound.
+(define
+  ido-granted
+  "O = identity_oauth:start(),\n   {consent_required, ReqId} =\n     identity_oauth:authorize(O, webapp, uri1, read, alice, verif1),\n   {code, Code} = identity_oauth:consent(O, ReqId, allow)")
+
+;; ── full happy path ──────────────────────────────────────────────
+
+(id-oauth-test
+  "authorize asks for consent"
+  (idonm
+    (ido-ev
+      "O = identity_oauth:start(),\n       case identity_oauth:authorize(O, webapp, uri1, read, alice, verif1) of\n         {consent_required, _} -> consent_required;\n         Other -> Other\n       end"))
+  "consent_required")
+
+(id-oauth-test
+  "consent(allow) returns a code"
+  (idonm (ido-ev (str ido-granted ", case Code of _ -> issued end")))
+  "issued")
+
+(id-oauth-test
+  "exchanged access token introspects active"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", {ok, Tok, _R} = identity_oauth:exchange(O, Code, webapp, uri1, verif1),\n           case identity_oauth:introspect(O, Tok) of\n             {active, _, _, _} -> active;\n             {inactive} -> inactive\n           end")))
+  "active")
+
+(id-oauth-test
+  "exchanged token carries the authorized subject"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", {ok, Tok, _R} = identity_oauth:exchange(O, Code, webapp, uri1, verif1),\n           case identity_oauth:introspect(O, Tok) of\n             {active, Subject, _, _} -> Subject\n           end")))
+  "alice")
+
+(id-oauth-test
+  "exchanged token carries the authorized scope"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", {ok, Tok, _R} = identity_oauth:exchange(O, Code, webapp, uri1, verif1),\n           case identity_oauth:introspect(O, Tok) of\n             {active, _, _, Scope} -> Scope\n           end")))
+  "read")
+
+;; ── refresh grant (RFC 6749 §6) end-to-end ───────────────────────
+
+(id-oauth-test
+  "refresh after exchange yields a working access token"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", {ok, _A, R} = identity_oauth:exchange(O, Code, webapp, uri1, verif1),\n           {ok, A2, _R2} = identity_oauth:refresh(O, R),\n           case identity_oauth:introspect(O, A2) of\n             {active, _, _, _} -> active;\n             {inactive} -> inactive\n           end")))
+  "active")
+
+(id-oauth-test
+  "reusing a rotated refresh token is invalid_grant"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", {ok, _A, R} = identity_oauth:exchange(O, Code, webapp, uri1, verif1),\n           {ok, _A2, _R2} = identity_oauth:refresh(O, R),\n           case identity_oauth:refresh(O, R) of\n             {ok, _, _} -> rotated;\n             {error, Why} -> Why\n           end")))
+  "invalid_grant")
+
+;; ── consent denied (§4.1.2.1) ────────────────────────────────────
+
+(id-oauth-test
+  "denied consent yields access_denied"
+  (idonm
+    (ido-ev
+      "O = identity_oauth:start(),\n       {consent_required, ReqId} =\n         identity_oauth:authorize(O, webapp, uri1, read, alice, verif1),\n       case identity_oauth:consent(O, ReqId, deny) of\n         {error, Why} -> Why;\n         {code, _} -> issued\n       end"))
+  "access_denied")
+
+;; ── single-use codes (§10.5) ─────────────────────────────────────
+
+(id-oauth-test
+  "code cannot be exchanged twice"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", identity_oauth:exchange(O, Code, webapp, uri1, verif1),\n           case identity_oauth:exchange(O, Code, webapp, uri1, verif1) of\n             {ok, _, _} -> replayed;\n             {error, Why} -> Why\n           end")))
+  "invalid_grant")
+
+;; ── code binding to client + redirect_uri (§4.1.3) ───────────────
+
+(id-oauth-test
+  "exchange with wrong client is invalid_grant"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", case identity_oauth:exchange(O, Code, attacker, uri1, verif1) of\n             {ok, _, _} -> ok;\n             {error, Why} -> Why\n           end")))
+  "invalid_grant")
+
+(id-oauth-test
+  "exchange with wrong redirect_uri is invalid_grant"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", case identity_oauth:exchange(O, Code, webapp, evil_uri, verif1) of\n             {ok, _, _} -> ok;\n             {error, Why} -> Why\n           end")))
+  "invalid_grant")
+
+;; ── PKCE verifier mismatch (RFC 7636) ────────────────────────────
+
+(id-oauth-test
+  "exchange with wrong PKCE verifier is invalid_grant"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", case identity_oauth:exchange(O, Code, webapp, uri1, badverif) of\n             {ok, _, _} -> ok;\n             {error, Why} -> Why\n           end")))
+  "invalid_grant")
+
+;; ── unknown code / request ───────────────────────────────────────
+
+(id-oauth-test
+  "exchanging an unknown code is invalid_grant"
+  (idonm
+    (ido-ev
+      "O = identity_oauth:start(),\n       Bogus = make_ref(),\n       case identity_oauth:exchange(O, Bogus, webapp, uri1, verif1) of\n         {ok, _, _} -> ok;\n         {error, Why} -> Why\n       end"))
+  "invalid_grant")
+
+(id-oauth-test
+  "consent on an unknown request is unknown_request"
+  (idonm
+    (ido-ev
+      "O = identity_oauth:start(),\n       Bogus = make_ref(),\n       case identity_oauth:consent(O, Bogus, allow) of\n         {code, _} -> issued;\n         {error, Why} -> Why\n       end"))
+  "unknown_request")
+
+;; ── revoke-then-use must fail (RFC 7009) ─────────────────────────
+
+(id-oauth-test
+  "revoked exchanged token introspects inactive"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", {ok, Tok, _R} = identity_oauth:exchange(O, Code, webapp, uri1, verif1),\n           identity_oauth:revoke(O, Tok),\n           case identity_oauth:introspect(O, Tok) of\n             {active, _, _, _} -> still_valid;\n             {inactive} -> inactive\n           end")))
+  "inactive")
+
+(id-oauth-test
+  "revoking the access token blocks a later refresh (cascade)"
+  (idonm
+    (ido-ev
+      (str
+        ido-granted
+        ", {ok, A, R} = identity_oauth:exchange(O, Code, webapp, uri1, verif1),\n           identity_oauth:revoke(O, A),\n           case identity_oauth:refresh(O, R) of\n             {ok, _, _} -> refreshed;\n             {error, Why} -> Why\n           end")))
+  "invalid_grant")
+
+;; ── independence: two concurrent authorizations don't collide ────
+
+(id-oauth-test
+  "two authorizations issue independent grants"
+  (idonm
+    (ido-ev
+      "O = identity_oauth:start(),\n       {consent_required, R1} =\n         identity_oauth:authorize(O, webapp, uri1, read, alice, va),\n       {consent_required, R2} =\n         identity_oauth:authorize(O, cli, uri2, write, bob, vb),\n       {code, C1} = identity_oauth:consent(O, R1, allow),\n       {code, C2} = identity_oauth:consent(O, R2, allow),\n       {ok, _A1, _RR1} = identity_oauth:exchange(O, C1, webapp, uri1, va),\n       {ok, A2, _RR2} = identity_oauth:exchange(O, C2, cli, uri2, vb),\n       case identity_oauth:introspect(O, A2) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "bob")
+
+(define
+  id-oauth-test-summary
+  (str "oauth " id-oauth-test-pass "/" id-oauth-test-count))

lib/identity/tests/par.sx

@@ -0,0 +1,84 @@
+;; identity/tests/par.sx — pushed authorization requests (PAR, RFC 9126):
+;; lodge the authorization params up front under a single-use request_uri,
+;; then redeem it into the normal consent flow. The binding (client,
+;; redirect, PKCE) carried by the pushed request is enforced at exchange.
+
+(define id-par-test-count 0)
+(define id-par-test-pass 0)
+(define id-par-test-fails (list))
+
+(define
+  id-par-test
+  (fn
+    (name actual expected)
+    (set! id-par-test-count (+ id-par-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-par-test-pass (+ id-par-test-pass 1))
+      (append! id-par-test-fails {:name name :expected expected :actual actual}))))
+
+(define idp-ev erlang-eval-ast)
+(define idpnm (fn (v) (get v :name)))
+
+(identity-load-oauth!)
+
+;; ── pushed request redeems into consent ──────────────────────────
+
+(id-par-test
+  "authorize_pushed on a fresh request_uri asks for consent"
+  (idpnm
+    (idp-ev
+      "O = identity_oauth:start(),\n       {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n       case identity_oauth:authorize_pushed(O, Ru) of\n         {consent_required, _} -> consent_required;\n         {error, W} -> W\n       end"))
+  "consent_required")
+
+;; ── full PAR flow ────────────────────────────────────────────────
+
+(id-par-test
+  "the full PAR flow yields a working token"
+  (idpnm
+    (idp-ev
+      "O = identity_oauth:start(),\n       {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n       {consent_required, Rq} = identity_oauth:authorize_pushed(O, Ru),\n       {code, Cd} = identity_oauth:consent(O, Rq, allow),\n       {ok, A, _R} = identity_oauth:exchange(O, Cd, web, uri1, v),\n       case identity_oauth:introspect(O, A) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-par-test
+  "the PAR token carries the pushed subject"
+  (idpnm
+    (idp-ev
+      "O = identity_oauth:start(),\n       {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n       {consent_required, Rq} = identity_oauth:authorize_pushed(O, Ru),\n       {code, Cd} = identity_oauth:consent(O, Rq, allow),\n       {ok, A, _R} = identity_oauth:exchange(O, Cd, web, uri1, v),\n       case identity_oauth:introspect(O, A) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "alice")
+
+;; ── request_uri is single-use ────────────────────────────────────
+
+(id-par-test
+  "a request_uri cannot be redeemed twice"
+  (idpnm
+    (idp-ev
+      "O = identity_oauth:start(),\n       {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n       identity_oauth:authorize_pushed(O, Ru),\n       case identity_oauth:authorize_pushed(O, Ru) of\n         {consent_required, _} -> reused;\n         {error, W} -> W\n       end"))
+  "invalid_request_uri")
+
+(id-par-test
+  "an unknown request_uri is rejected"
+  (idpnm
+    (idp-ev
+      "O = identity_oauth:start(),\n       Bogus = make_ref(),\n       case identity_oauth:authorize_pushed(O, Bogus) of\n         {consent_required, _} -> ok;\n         {error, W} -> W\n       end"))
+  "invalid_request_uri")
+
+;; ── the pushed binding is still enforced at exchange ─────────────
+
+(id-par-test
+  "a PAR-issued code still enforces PKCE"
+  (idpnm
+    (idp-ev
+      "O = identity_oauth:start(),\n       {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n       {consent_required, Rq} = identity_oauth:authorize_pushed(O, Ru),\n       {code, Cd} = identity_oauth:consent(O, Rq, allow),\n       case identity_oauth:exchange(O, Cd, web, uri1, wrongverif) of\n         {ok, _, _} -> ok;\n         {error, W} -> W\n       end"))
+  "invalid_grant")
+
+(id-par-test
+  "a PAR-issued code still enforces client binding"
+  (idpnm
+    (idp-ev
+      "O = identity_oauth:start(),\n       {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n       {consent_required, Rq} = identity_oauth:authorize_pushed(O, Ru),\n       {code, Cd} = identity_oauth:consent(O, Rq, allow),\n       case identity_oauth:exchange(O, Cd, attacker, uri1, v) of\n         {ok, _, _} -> ok;\n         {error, W} -> W\n       end"))
+  "invalid_grant")
+
+(define
+  id-par-test-summary
+  (str "par " id-par-test-pass "/" id-par-test-count))

lib/identity/tests/registry.sx

@@ -0,0 +1,99 @@
+;; identity/tests/registry.sx — routing by id and by (subject, client),
+;; SSO fan-out (one subject, many clients), and integration with live
+;; session processes routed through the registry.
+
+(define id-registry-test-count 0)
+(define id-registry-test-pass 0)
+(define id-registry-test-fails (list))
+
+(define
+  id-registry-test
+  (fn
+    (name actual expected)
+    (set! id-registry-test-count (+ id-registry-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-registry-test-pass (+ id-registry-test-pass 1))
+      (append! id-registry-test-fails {:name name :expected expected :actual actual}))))
+
+(define idr-ev erlang-eval-ast)
+(define idrnm (fn (v) (get v :name)))
+
+(identity-load-session!)
+(identity-load-registry!)
+
+;; ── whereis by session id ────────────────────────────────────────
+
+(id-registry-test
+  "registered session is found by id"
+  (idrnm
+    (idr-ev
+      "Me = self(),\n       Reg = identity_registry:start(),\n       identity_registry:register(Reg, s1, alice, web, Me),\n       case identity_registry:whereis_session(Reg, s1) of\n         {ok, _} -> found;\n         {error, _} -> missing\n       end"))
+  "found")
+
+(id-registry-test
+  "unknown session id is not_found, not a crash"
+  (idrnm
+    (idr-ev
+      "Reg = identity_registry:start(),\n       case identity_registry:whereis_session(Reg, nope) of\n         {ok, _} -> found;\n         {error, Why} -> Why\n       end"))
+  "not_found")
+
+;; ── lookup by (subject, client) — the SSO probe ──────────────────
+
+(id-registry-test
+  "lookup finds a session for subject+client"
+  (idrnm
+    (idr-ev
+      "Me = self(),\n       Reg = identity_registry:start(),\n       identity_registry:register(Reg, s1, alice, web, Me),\n       case identity_registry:lookup(Reg, alice, web) of\n         {ok, _} -> found;\n         {error, _} -> missing\n       end"))
+  "found")
+
+(id-registry-test
+  "lookup is precise: right subject, wrong client misses"
+  (idrnm
+    (idr-ev
+      "Me = self(),\n       Reg = identity_registry:start(),\n       identity_registry:register(Reg, s1, alice, web, Me),\n       case identity_registry:lookup(Reg, alice, cli) of\n         {ok, _} -> found;\n         {error, _} -> missing\n       end"))
+  "missing")
+
+;; ── SSO fan-out: one subject, many clients ───────────────────────
+
+(id-registry-test
+  "sessions_for returns all of a subject's sessions"
+  (idr-ev
+    "Me = self(),\n     Reg = identity_registry:start(),\n     identity_registry:register(Reg, s1, alice, web, Me),\n     identity_registry:register(Reg, s2, alice, cli, Me),\n     identity_registry:register(Reg, s3, bob, web, Me),\n     case identity_registry:sessions_for(Reg, alice) of\n       {ok, L} -> length(L)\n     end")
+  2)
+
+(id-registry-test
+  "sessions_for an unknown subject is empty"
+  (idr-ev
+    "Reg = identity_registry:start(),\n     case identity_registry:sessions_for(Reg, ghost) of\n       {ok, L} -> length(L)\n     end")
+  0)
+
+;; ── re-register replaces the row for that id (no duplicates) ──────
+
+(id-registry-test
+  "re-registering an id does not duplicate it"
+  (idr-ev
+    "Me = self(),\n     Reg = identity_registry:start(),\n     identity_registry:register(Reg, s1, alice, web, Me),\n     identity_registry:register(Reg, s1, alice, web, Me),\n     case identity_registry:sessions_for(Reg, alice) of\n       {ok, L} -> length(L)\n     end")
+  1)
+
+;; ── deregister removes routing ───────────────────────────────────
+
+(id-registry-test
+  "deregistered session is no longer found"
+  (idrnm
+    (idr-ev
+      "Me = self(),\n       Reg = identity_registry:start(),\n       identity_registry:register(Reg, s1, alice, web, Me),\n       identity_registry:deregister(Reg, s1),\n       case identity_registry:whereis_session(Reg, s1) of\n         {ok, _} -> found;\n         {error, _} -> missing\n       end"))
+  "missing")
+
+;; ── integration: route to a live session and look it up ──────────
+
+(id-registry-test
+  "routed-to session answers lookup as active"
+  (idrnm
+    (idr-ev
+      "Me = self(),\n       Reg = identity_registry:start(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       identity_registry:register(Reg, s1, alice, web, S),\n       {ok, Pid} = identity_registry:lookup(Reg, alice, web),\n       case identity_session:lookup(Pid) of\n         {ok, {_,_,_,St}} -> St;\n         {error, St} -> St\n       end"))
+  "active")
+
+(define
+  id-registry-test-summary
+  (str "registry " id-registry-test-pass "/" id-registry-test-count))

lib/identity/tests/session.sx

@@ -0,0 +1,118 @@
+;; identity/tests/session.sx — session-as-process: create, lookup,
+;; touch, explicit expire, revoke, and idle-timeout self-expiry.
+;; Negative paths are tested as first-class: a tombstoned session
+;; answers {error, Status}, it does not go silent.
+
+(define id-session-test-count 0)
+(define id-session-test-pass 0)
+(define id-session-test-fails (list))
+
+(define
+  id-session-test
+  (fn
+    (name actual expected)
+    (set! id-session-test-count (+ id-session-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-session-test-pass (+ id-session-test-pass 1))
+      (append! id-session-test-fails {:name name :expected expected :actual actual}))))
+
+(define id-ev erlang-eval-ast)
+(define idnm (fn (v) (get v :name)))
+
+(identity-load-session!)
+
+;; ── create + lookup ──────────────────────────────────────────────
+
+(id-session-test
+  "lookup of live session is active"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       case identity_session:lookup(S) of {ok, {_,_,_,St}} -> St end"))
+  "active")
+
+(id-session-test
+  "lookup preserves subject"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       case identity_session:lookup(S) of {ok, {_,Subject,_,_}} -> Subject end"))
+  "alice")
+
+(id-session-test
+  "lookup preserves client"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       case identity_session:lookup(S) of {ok, {_,_,Client,_}} -> Client end"))
+  "web")
+
+;; ── touch keeps a live session ───────────────────────────────────
+
+(id-session-test
+  "touch on live session is ok"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       identity_session:touch(S)"))
+  "ok")
+
+;; ── explicit expire ──────────────────────────────────────────────
+
+(id-session-test
+  "expire then lookup is error expired"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       identity_session:expire(S),\n       case identity_session:lookup(S) of {error, St} -> St end"))
+  "expired")
+
+(id-session-test
+  "touch on expired session is error"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       identity_session:expire(S),\n       case identity_session:touch(S) of {error, St} -> St end"))
+  "expired")
+
+;; ── revoke is immediate ──────────────────────────────────────────
+
+(id-session-test
+  "revoke then lookup is error revoked"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       identity_session:revoke(S),\n       case identity_session:lookup(S) of {error, St} -> St end"))
+  "revoked")
+
+;; ── idle-timeout self-expiry ─────────────────────────────────────
+
+(id-session-test
+  "idle timeout notifies owner"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, 50),\n       _ = identity_session:lookup(S),\n       receive {session_expired, Sid} -> Sid end"))
+  "s1")
+
+(id-session-test
+  "lookup after idle timeout is error expired"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, 50),\n       _ = identity_session:lookup(S),\n       receive {session_expired, _} -> ok end,\n       case identity_session:lookup(S) of {error, St} -> St end"))
+  "expired")
+
+;; ── isolation: sessions are independent processes ────────────────
+
+(id-session-test
+  "expiring one session leaves the other active"
+  (idnm
+    (id-ev
+      "Me = self(),\n       A = identity_session:start(s1, alice, web, Me, infinity),\n       B = identity_session:start(s2, bob, web, Me, infinity),\n       identity_session:expire(A),\n       case identity_session:lookup(B) of {ok, {_,_,_,St}} -> St end"))
+  "active")
+
+;; ── clean stop ───────────────────────────────────────────────────
+
+(id-session-test
+  "stop returns ok"
+  (idnm
+    (id-ev
+      "Me = self(),\n       S = identity_session:start(s1, alice, web, Me, infinity),\n       identity_session:stop(S)"))
+  "ok")
+
+(define
+  id-session-test-summary
+  (str "session " id-session-test-pass "/" id-session-test-count))

lib/identity/tests/session_mgmt.sx

@@ -0,0 +1,81 @@
+;; identity/tests/session_mgmt.sx — subject-wide session management:
+;; enumerate a subject's sessions and \"log out everywhere\".
+
+(define id-smgmt-test-count 0)
+(define id-smgmt-test-pass 0)
+(define id-smgmt-test-fails (list))
+
+(define
+  id-smgmt-test
+  (fn
+    (name actual expected)
+    (set! id-smgmt-test-count (+ id-smgmt-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-smgmt-test-pass (+ id-smgmt-test-pass 1))
+      (append! id-smgmt-test-fails {:name name :expected expected :actual actual}))))
+
+(define idsm-ev erlang-eval-ast)
+(define idsmnm (fn (v) (get v :name)))
+
+(identity-load-all!)
+
+;; ── enumerate a subject's sessions ───────────────────────────────
+
+(id-smgmt-test
+  "sessions lists all of a subject's sessions"
+  (idsm-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, cli, read),\n     length(identity:sessions(Svc, alice))")
+  2)
+
+(id-smgmt-test
+  "sessions is empty for a subject with none"
+  (idsm-ev
+    "Svc = identity:start(),\n     length(identity:sessions(Svc, stranger))")
+  0)
+
+;; ── log out everywhere ───────────────────────────────────────────
+
+(id-smgmt-test
+  "logout_all ends every session of the subject"
+  (idsmnm
+    (idsm-ev
+      "Svc = identity:start(),\n       {ok, S1, _} = identity:login(Svc, alice, web, read),\n       {ok, S2, _} = identity:login(Svc, alice, cli, read),\n       identity:logout_all(Svc, alice),\n       case {identity:session_status(Svc, S1), identity:session_status(Svc, S2)} of\n         {gone, gone} -> both_gone;\n         _ -> some_left\n       end"))
+  "both_gone")
+
+(id-smgmt-test
+  "after logout_all the subject has no sessions"
+  (idsm-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, cli, read),\n     identity:logout_all(Svc, alice),\n     length(identity:sessions(Svc, alice))")
+  0)
+
+(id-smgmt-test
+  "logout_all leaves other subjects' sessions intact"
+  (idsm-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, bob, web, read),\n     identity:logout_all(Svc, alice),\n     length(identity:sessions(Svc, bob))")
+  1)
+
+(id-smgmt-test
+  "logout_all on an unknown subject is ok, not a crash"
+  (idsmnm
+    (idsm-ev "Svc = identity:start(),\n       identity:logout_all(Svc, ghost)"))
+  "ok")
+
+;; ── logout_all is audited ────────────────────────────────────────
+
+(id-smgmt-test
+  "logout_all records a logout event"
+  (idsmnm
+    (idsm-ev
+      "Svc = identity:start(),\n       identity:login(Svc, alice, web, read),\n       identity:logout_all(Svc, alice),\n       case identity:history(Svc, alice) of\n         [login, issue, logout] -> audited;\n         Other -> Other\n       end"))
+  "audited")
+
+(id-smgmt-test
+  "logout_all audits each of several sessions"
+  (idsm-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, cli, read),\n     identity:logout_all(Svc, alice),\n     length(identity:history(Svc, alice))")
+  6)
+
+(define
+  id-smgmt-test-summary
+  (str "session-mgmt " id-smgmt-test-pass "/" id-smgmt-test-count))

lib/identity/tests/sso.sx

@@ -0,0 +1,115 @@
+;; identity/tests/sso.sx — silent SSO (prompt=none, OIDC §3.1.2.1) as a
+;; fast-path through the authorization-code machine. One subject session,
+;; many client apps; no session → login_required (a negative state, not a
+;; redirect). Silently-issued codes carry the same client/redirect/PKCE
+;; binding as consented codes.
+
+(define id-sso-test-count 0)
+(define id-sso-test-pass 0)
+(define id-sso-test-fails (list))
+
+(define
+  id-sso-test
+  (fn
+    (name actual expected)
+    (set! id-sso-test-count (+ id-sso-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-sso-test-pass (+ id-sso-test-pass 1))
+      (append! id-sso-test-fails {:name name :expected expected :actual actual}))))
+
+(define ids-ev erlang-eval-ast)
+(define idsnm (fn (v) (get v :name)))
+
+(identity-load-token!)
+(identity-load-session!)
+(identity-load-registry!)
+(identity-load-oauth!)
+
+;; ── no session → login_required ──────────────────────────────────
+
+(id-sso-test
+  "silent authorize without a session is login_required"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       case identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "login_required")
+
+;; ── established session → silent code ────────────────────────────
+
+(id-sso-test
+  "silent authorize for the same client returns a code"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       case identity_oauth:silent_authorize(O, web, uri1, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "got_code")
+
+;; ── one session, many clients ────────────────────────────────────
+
+(id-sso-test
+  "a different client gets a silent code off the same session"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       case identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "got_code")
+
+(id-sso-test
+  "many clients all silently authorize off one session"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, _C1} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       {code, _C2} = identity_oauth:silent_authorize(O, mobile, uri3, read, alice, vv),\n       case identity_oauth:silent_authorize(O, billing, uri4, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "got_code")
+
+;; ── full SSO → token ─────────────────────────────────────────────
+
+(id-sso-test
+  "silent code exchanges to a working token"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, C} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       {ok, A, _R} = identity_oauth:exchange(O, C, dashboard, uri2, vv),\n       case identity_oauth:introspect(O, A) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-sso-test
+  "SSO token carries the subject"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, C} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       {ok, A, _R} = identity_oauth:exchange(O, C, dashboard, uri2, vv),\n       case identity_oauth:introspect(O, A) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "alice")
+
+;; ── silent codes keep the full binding ───────────────────────────
+
+(id-sso-test
+  "silent code still enforces PKCE at exchange"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, C} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       case identity_oauth:exchange(O, C, dashboard, uri2, wrongverif) of\n         {ok, _, _} -> ok;\n         {error, Why} -> Why\n       end"))
+  "invalid_grant")
+
+(id-sso-test
+  "silent code still enforces client binding at exchange"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, C} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       case identity_oauth:exchange(O, C, attacker, uri2, vv) of\n         {ok, _, _} -> ok;\n         {error, Why} -> Why\n       end"))
+  "invalid_grant")
+
+;; ── subject scoping: SSO is per subject ──────────────────────────
+
+(id-sso-test
+  "another subject is still login_required"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       case identity_oauth:silent_authorize(O, dashboard, uri2, read, bob, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "login_required")
+
+;; ── ending the session closes the SSO fast-path ──────────────────
+
+(id-sso-test
+  "after end_session, silent authorize is login_required"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, Sid} = identity_oauth:establish(O, alice, web),\n       identity_oauth:end_session(O, Sid),\n       case identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "login_required")
+
+(define
+  id-sso-test-summary
+  (str "sso " id-sso-test-pass "/" id-sso-test-count))

lib/identity/tests/token.sx

@@ -0,0 +1,215 @@
+;; identity/tests/token.sx — opaque tokens, grant-backed lookup, real
+;; revocation, refresh-token rotation, cascading revocation, and scope
+;; narrowing on refresh. The revoke-then-introspect and refresh-reuse
+;; paths are the security centrepieces.
+
+(define id-token-test-count 0)
+(define id-token-test-pass 0)
+(define id-token-test-fails (list))
+
+(define
+  id-token-test
+  (fn
+    (name actual expected)
+    (set! id-token-test-count (+ id-token-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-token-test-pass (+ id-token-test-pass 1))
+      (append! id-token-test-fails {:name name :expected expected :actual actual}))))
+
+(define idt-ev erlang-eval-ast)
+(define idtnm (fn (v) (get v :name)))
+
+(identity-load-token!)
+
+;; ── issue + introspect (happy path) ──────────────────────────────
+
+(id-token-test
+  "fresh token introspects active"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, Tok} = identity_tokens:issue(Reg, alice, web, read),\n       case identity_tokens:introspect(Reg, Tok) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-token-test
+  "introspect returns the granted subject"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, Tok} = identity_tokens:issue(Reg, alice, web, read),\n       case identity_tokens:introspect(Reg, Tok) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "alice")
+
+(id-token-test
+  "introspect returns the granted scope"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, Tok} = identity_tokens:issue(Reg, alice, web, write),\n       case identity_tokens:introspect(Reg, Tok) of\n         {active, _, _, Scope} -> Scope\n       end"))
+  "write")
+
+;; ── opacity: distinct tokens, no cross-talk ──────────────────────
+
+(id-token-test
+  "two issues yield independent grants"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, A} = identity_tokens:issue(Reg, alice, web, read),\n       {ok, B} = identity_tokens:issue(Reg, bob, cli, write),\n       identity_tokens:revoke(Reg, A),\n       case identity_tokens:introspect(Reg, B) of\n         {active, Subject, _, _} -> Subject;\n         {inactive} -> inactive\n       end"))
+  "bob")
+
+;; ── revocation is real (RFC 7009) ────────────────────────────────
+
+(id-token-test
+  "revoked token introspects inactive immediately"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, Tok} = identity_tokens:issue(Reg, alice, web, read),\n       active = case identity_tokens:introspect(Reg, Tok) of\n         {active, _, _, _} -> active end,\n       identity_tokens:revoke(Reg, Tok),\n       case identity_tokens:introspect(Reg, Tok) of\n         {active, _, _, _} -> still_valid;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-token-test
+  "revoke is idempotent"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, Tok} = identity_tokens:issue(Reg, alice, web, read),\n       identity_tokens:revoke(Reg, Tok),\n       identity_tokens:revoke(Reg, Tok)"))
+  "ok")
+
+;; ── unknown tokens are inactive, never an error/crash ────────────
+
+(id-token-test
+  "introspecting an unknown token is inactive"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       Bogus = make_ref(),\n       case identity_tokens:introspect(Reg, Bogus) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-token-test
+  "revoking an unknown token is ok, not a crash"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       Bogus = make_ref(),\n       identity_tokens:revoke(Reg, Bogus)"))
+  "ok")
+
+;; ── one revocation does not affect a sibling token ───────────────
+
+(id-token-test
+  "revoking one token leaves the other active"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, A} = identity_tokens:issue(Reg, alice, web, read),\n       {ok, B} = identity_tokens:issue(Reg, alice, cli, read),\n       identity_tokens:revoke(Reg, A),\n       case identity_tokens:introspect(Reg, B) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+;; ── issue_grant: access + refresh pair (RFC 6749 §4.1.4 / §5.1) ───
+
+(id-token-test
+  "issue_grant access token introspects active"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, A, _R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       case identity_tokens:introspect(Reg, A) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+;; ── refresh rotation (RFC 6749 §6) ───────────────────────────────
+
+(id-token-test
+  "refresh mints a working new access token"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       {ok, A2, _R2} = identity_tokens:refresh(Reg, R),\n       case identity_tokens:introspect(Reg, A2) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-token-test
+  "rotated token keeps the grant's subject"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       {ok, A2, _R2} = identity_tokens:refresh(Reg, R),\n       case identity_tokens:introspect(Reg, A2) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "alice")
+
+(id-token-test
+  "refresh chains across rotations"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       {ok, _A2, R2} = identity_tokens:refresh(Reg, R),\n       {ok, A3, _R3} = identity_tokens:refresh(Reg, R2),\n       case identity_tokens:introspect(Reg, A3) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-token-test
+  "refreshing an unknown token is invalid_grant"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       Bogus = make_ref(),\n       case identity_tokens:refresh(Reg, Bogus) of\n         {ok, _, _} -> rotated;\n         {error, Why} -> Why\n       end"))
+  "invalid_grant")
+
+;; ── refresh-token reuse = theft → revoke the family (RFC 6819) ────
+
+(id-token-test
+  "reusing a superseded refresh token is invalid_grant"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       {ok, _A2, _R2} = identity_tokens:refresh(Reg, R),\n       case identity_tokens:refresh(Reg, R) of\n         {ok, _, _} -> rotated;\n         {error, Why} -> Why\n       end"))
+  "invalid_grant")
+
+(id-token-test
+  "refresh reuse revokes the live descendant too"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       {ok, A2, _R2} = identity_tokens:refresh(Reg, R),\n       identity_tokens:refresh(Reg, R),\n       case identity_tokens:introspect(Reg, A2) of\n         {active, _, _, _} -> still_valid;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+;; ── cascading revocation: revoke any token, the grant dies ───────
+
+(id-token-test
+  "revoking the access token blocks refresh"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, A, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       identity_tokens:revoke(Reg, A),\n       case identity_tokens:refresh(Reg, R) of\n         {ok, _, _} -> refreshed;\n         {error, Why} -> Why\n       end"))
+  "invalid_grant")
+
+(id-token-test
+  "revoking the refresh token deactivates the access token"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, A, R} = identity_tokens:issue_grant(Reg, alice, web, read),\n       identity_tokens:revoke(Reg, R),\n       case identity_tokens:introspect(Reg, A) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+;; ── scope as a set + narrowing on refresh (RFC 6749 §6 / §3.3) ───
+
+(id-token-test
+  "a list scope round-trips through introspect"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, A, _R} = identity_tokens:issue_grant(Reg, alice, web, [read, write]),\n       case identity_tokens:introspect(Reg, A) of\n         {active, _, _, [read, write]} -> matched;\n         {active, _, _, _} -> other;\n         {inactive} -> inactive\n       end"))
+  "matched")
+
+(id-token-test
+  "refresh can narrow the scope to a subset"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, [read, write]),\n       {ok, A2, _R2} = identity_tokens:refresh(Reg, R, [read]),\n       case identity_tokens:introspect(Reg, A2) of\n         {active, _, _, [read]} -> narrowed;\n         {active, _, _, _} -> other;\n         {inactive} -> inactive\n       end"))
+  "narrowed")
+
+(id-token-test
+  "refresh cannot widen scope beyond the grant"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, [read]),\n       case identity_tokens:refresh(Reg, R, [read, write]) of\n         {ok, _, _} -> widened;\n         {error, Why} -> Why\n       end"))
+  "invalid_scope")
+
+(id-token-test
+  "an invalid_scope refresh does not consume the refresh token"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, [read, write]),\n       identity_tokens:refresh(Reg, R, [admin]),\n       case identity_tokens:refresh(Reg, R, [read]) of\n         {ok, _, _} -> still_usable;\n         {error, Why} -> Why\n       end"))
+  "still_usable")
+
+(id-token-test
+  "plain refresh keeps the full grant scope"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, [read, write]),\n       {ok, A2, _R2} = identity_tokens:refresh(Reg, R),\n       case identity_tokens:introspect(Reg, A2) of\n         {active, _, _, [read, write]} -> full;\n         {active, _, _, _} -> other;\n         {inactive} -> inactive\n       end"))
+  "full")
+
+(id-token-test
+  "a narrowed token still cascades on revoke"
+  (idtnm
+    (idt-ev
+      "Reg = identity_tokens:start(),\n       {ok, _A, R} = identity_tokens:issue_grant(Reg, alice, web, [read, write]),\n       {ok, A2, _R2} = identity_tokens:refresh(Reg, R, [read]),\n       identity_tokens:revoke(Reg, A2),\n       case identity_tokens:introspect(Reg, A2) of\n         {active, _, _, _} -> still_valid;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(define
+  id-token-test-summary
+  (str "token " id-token-test-pass "/" id-token-test-count))

lib/mod/activity.sx

@@ -0,0 +1,40 @@
+;; lib/mod/activity.sx — export decisions as ActivityPub-shaped events.
+;;
+;; The rose-ash platform propagates cross-domain effects as ActivityPub-shaped
+;; activities. A moderation decision maps to a moderation verb so the rest of the
+;; platform (and federated peers) can act on it: remove→Delete, ban→Block,
+;; hide/escalate→Flag, keep→no activity. The precise mod action is preserved in
+;; :action so a consumer can disambiguate (e.g. hide vs escalate, both Flag).
+
+(define
+  mod/action->verb
+  (fn
+    (action)
+    (cond
+      ((= action "remove") "Delete")
+      ((= action "ban") "Block")
+      ((= action "hide") "Flag")
+      ((= action "escalate") "Flag")
+      (true nil))))
+
+(define
+  mod/decision->activity
+  (fn
+    (d actor)
+    (let
+      ((verb (mod/action->verb (get d :action))))
+      (if (nil? verb) nil {:type verb :action (get d :action) :actor actor :summary (str "moderation/" (get d :action) " via " (get d :rule)) :object (get d :report-id) :rule (get d :rule)}))))
+
+;; map a batch of decisions to activities, dropping the no-op keeps
+(define
+  mod/decisions->activities
+  (fn
+    (decisions actor)
+    (reduce
+      (fn
+        (acc d)
+        (let
+          ((a (mod/decision->activity d actor)))
+          (if (nil? a) acc (append acc (list a)))))
+      (list)
+      decisions)))

lib/mod/api.sx

@@ -0,0 +1,163 @@
+;; lib/mod/api.sx — report registry + lifecycle façade + public entry points.
+;;
+;; mod/report files a report (assigning a sequential id) and opens a lifecycle
+;; case for it; mod/add-evidence accumulates evidence; mod/decide runs the engine
+;; and commits to the audit log. The lifecycle façade (mod/triage, mod/resolve,
+;; mod/review, mod/appeal, mod/finalize) drives the per-report case through its
+;; states, logging each committed decision to the audit trail.
+
+(define mod/*reports* (list))
+(define mod/*cases* (list))
+(define mod/*counter* 0)
+(define mod/*rules* mod/default-rules)
+
+(define
+  mod/reset!
+  (fn
+    ()
+    (begin
+      (set! mod/*reports* (list))
+      (set! mod/*cases* (list))
+      (set! mod/*counter* 0)
+      (mod/audit-reset!))))
+
+(define
+  mod/report
+  (fn
+    (by about reason)
+    (begin
+      (set! mod/*counter* (+ mod/*counter* 1))
+      (let
+        ((id (str "r" mod/*counter*)))
+        (let
+          ((r (mod/mk-report id by about reason)))
+          (begin
+            (append! mod/*reports* r)
+            (append! mod/*cases* {:id id :case (mod/mk-case r)})
+            r))))))
+
+(define
+  mod/get-report
+  (fn
+    (id)
+    (reduce
+      (fn (acc r) (if (= (mod/report-id r) id) r acc))
+      nil
+      mod/*reports*)))
+
+(define
+  mod/add-evidence
+  (fn
+    (id kind val)
+    (let
+      ((r (mod/get-report id)))
+      (if
+        (nil? r)
+        nil
+        (let
+          ((updated (mod/attach-evidence r (mod/mk-evidence kind val))))
+          (begin
+            (set!
+              mod/*reports*
+              (map
+                (fn (x) (if (= (mod/report-id x) id) updated x))
+                mod/*reports*))
+            updated))))))
+
+(define
+  mod/decide
+  (fn
+    (id)
+    (let
+      ((r (mod/get-report id)))
+      (if
+        (nil? r)
+        nil
+        (let
+          ((d (mod/decide-report r mod/*reports* mod/*rules*)))
+          (begin (mod/log-decision! d (mod/report-evidence r)) d))))))
+
+;; ── lifecycle façade over the case registry ──
+
+(define
+  mod/case-of
+  (fn
+    (id)
+    (reduce
+      (fn (acc rec) (if (= (get rec :id) id) (get rec :case) acc))
+      nil
+      mod/*cases*)))
+
+(define
+  mod/case-store!
+  (fn
+    (id c)
+    (set!
+      mod/*cases*
+      (map
+        (fn (rec) (if (= (get rec :id) id) {:id id :case c} rec))
+        mod/*cases*))))
+
+;; apply a lifecycle op to the stored case, persist it, and (when a decision was
+;; committed cleanly) append it to the audit log; returns the updated case
+(define
+  mod/case-apply!
+  (fn
+    (id op log?)
+    (let
+      ((c (mod/case-of id)))
+      (if
+        (nil? c)
+        nil
+        (let
+          ((c2 (op c)))
+          (begin
+            (mod/case-store! id c2)
+            (when
+              log?
+              (when
+                (nil? (mod/case-error c2))
+                (let
+                  ((d (mod/case-decision c2)))
+                  (if
+                    (nil? d)
+                    nil
+                    (mod/log-decision!
+                      d
+                      (mod/report-evidence (mod/case-report c2)))))))
+            c2))))))
+
+(define
+  mod/triage
+  (fn
+    (id)
+    (mod/case-apply!
+      id
+      (fn (c) (mod/case-triage c mod/*reports* mod/*rules*))
+      false)))
+
+(define
+  mod/resolve
+  (fn (id) (mod/case-apply! id (fn (c) (mod/case-resolve c)) true)))
+
+(define
+  mod/review
+  (fn
+    (id kind val)
+    (mod/case-apply!
+      id
+      (fn (c) (mod/case-review c kind val mod/*reports* mod/*rules*))
+      true)))
+
+(define
+  mod/appeal
+  (fn
+    (id kind val)
+    (mod/case-apply!
+      id
+      (fn (c) (mod/case-appeal c kind val mod/*reports* mod/*rules*))
+      true)))
+
+(define
+  mod/finalize
+  (fn (id) (mod/case-apply! id (fn (c) (mod/case-finalize c)) false)))

lib/mod/audit.sx

@@ -0,0 +1,54 @@
+;; lib/mod/audit.sx — append-only decision log.
+;;
+;; Every decision the api commits is recorded as an immutable audit entry holding
+;; the decision (action + matching rule), the proof tree (the derivation that
+;; justified it), and a snapshot of the evidence in force at decision time. The
+;; log is append-only: entries are never mutated or removed, only appended, each
+;; with a monotonic sequence number. Retrieval is by report id (full history) or
+;; by sequence.
+
+(define mod/*audit-log* (list))
+(define mod/*audit-seq* 0)
+
+(define
+  mod/audit-reset!
+  (fn
+    ()
+    (begin (set! mod/*audit-log* (list)) (set! mod/*audit-seq* 0))))
+
+(define mod/mk-audit-entry (fn (seq decision evidence-snapshot) {:action (get decision :action) :evidence evidence-snapshot :proof (get decision :proof) :rule (get decision :rule) :report-id (get decision :report-id) :seq seq}))
+
+(define
+  mod/log-decision!
+  (fn
+    (decision evidence-snapshot)
+    (begin
+      (set! mod/*audit-seq* (+ mod/*audit-seq* 1))
+      (let
+        ((entry (mod/mk-audit-entry mod/*audit-seq* decision evidence-snapshot)))
+        (begin (append! mod/*audit-log* entry) entry)))))
+
+;; entries for one report, in chronological (sequence) order
+(define
+  mod/audit
+  (fn
+    (id)
+    (reduce
+      (fn
+        (acc e)
+        (if (= (get e :report-id) id) (append acc (list e)) acc))
+      (list)
+      mod/*audit-log*)))
+
+(define mod/audit-all (fn () mod/*audit-log*))
+(define mod/audit-count (fn () (len mod/*audit-log*)))
+
+;; most recent decision logged for a report (nil if none)
+(define
+  mod/audit-latest
+  (fn
+    (id)
+    (reduce
+      (fn (acc e) (if (= (get e :report-id) id) e acc))
+      nil
+      mod/*audit-log*)))

lib/mod/batch.sx

@@ -0,0 +1,55 @@
+;; lib/mod/batch.sx — batch triage + corpus analytics.
+;;
+;; Operational layer: decide a whole queue of reports at once, summarize the
+;; outcomes by action, and measure which rules actually fire across a corpus.
+;; mod/never-fired is the empirical complement to lint's static unreachable check
+;; (Ext 5): lint finds rules that CAN'T fire by structure; never-fired finds rules
+;; that DIDN'T fire on real data.
+
+(define
+  mod/decide-batch
+  (fn
+    (reports rules)
+    (map (fn (r) (mod/decide-report r reports rules)) reports)))
+
+(define
+  mod/count-action
+  (fn
+    (decisions action)
+    (reduce
+      (fn (acc d) (if (= (get d :action) action) (+ acc 1) acc))
+      0
+      decisions)))
+
+(define mod/action-histogram (fn (decisions) {:keep (mod/count-action decisions "keep") :remove (mod/count-action decisions "remove") :escalate (mod/count-action decisions "escalate") :hide (mod/count-action decisions "hide") :ban (mod/count-action decisions "ban")}))
+
+(define
+  mod/rule-fire-count
+  (fn
+    (decisions rule-name)
+    (reduce
+      (fn (acc d) (if (= (get d :rule) rule-name) (+ acc 1) acc))
+      0
+      decisions)))
+
+(define
+  mod/rule-coverage
+  (fn
+    (reports rules)
+    (let
+      ((decisions (mod/decide-batch reports rules)))
+      (map (fn (rule) {:rule (mod/rule-name rule) :fired (mod/rule-fire-count decisions (mod/rule-name rule))}) rules))))
+
+(define
+  mod/never-fired
+  (fn
+    (reports rules)
+    (reduce
+      (fn
+        (acc c)
+        (if
+          (= (get c :fired) 0)
+          (append acc (list (get c :rule)))
+          acc))
+      (list)
+      (mod/rule-coverage reports rules))))

lib/mod/conformance.conf

@@ -0,0 +1,60 @@
+# Mod conformance config — sourced by lib/guest/conformance.sh.
+
+LANG_NAME=mod
+MODE=dict
+
+PRELOADS=(
+  lib/guest/pratt.sx
+  lib/prolog/tokenizer.sx
+  lib/prolog/parser.sx
+  lib/prolog/runtime.sx
+  lib/prolog/query.sx
+  lib/prolog/compiler.sx
+  lib/mod/schema.sx
+  lib/mod/policy.sx
+  lib/mod/defrule.sx
+  lib/mod/engine.sx
+  lib/mod/explain.sx
+  lib/mod/severity.sx
+  lib/mod/offenders.sx
+  lib/mod/quorum.sx
+  lib/mod/trace.sx
+  lib/mod/whatif.sx
+  lib/mod/batch.sx
+  lib/mod/temporal.sx
+  lib/mod/sla.sx
+  lib/mod/wire.sx
+  lib/mod/activity.sx
+  lib/mod/policies.sx
+  lib/mod/pipeline.sx
+  lib/mod/lifecycle.sx
+  lib/mod/audit.sx
+  lib/mod/api.sx
+  lib/mod/fed.sx
+  lib/mod/link.sx
+  lib/mod/lint.sx
+)
+
+SUITES=(
+  "decide:lib/mod/tests/decide.sx:(mod-decide-tests-run!)"
+  "audit:lib/mod/tests/audit.sx:(mod-audit-tests-run!)"
+  "escalation:lib/mod/tests/escalation.sx:(mod-escalation-tests-run!)"
+  "fed:lib/mod/tests/fed.sx:(mod-fed-tests-run!)"
+  "extensions:lib/mod/tests/extensions.sx:(mod-extensions-tests-run!)"
+  "link:lib/mod/tests/link.sx:(mod-link-tests-run!)"
+  "lint:lib/mod/tests/lint.sx:(mod-lint-tests-run!)"
+  "severity:lib/mod/tests/severity.sx:(mod-severity-tests-run!)"
+  "offenders:lib/mod/tests/offenders.sx:(mod-offenders-tests-run!)"
+  "quorum:lib/mod/tests/quorum.sx:(mod-quorum-tests-run!)"
+  "trace:lib/mod/tests/trace.sx:(mod-trace-tests-run!)"
+  "whatif:lib/mod/tests/whatif.sx:(mod-whatif-tests-run!)"
+  "batch:lib/mod/tests/batch.sx:(mod-batch-tests-run!)"
+  "temporal:lib/mod/tests/temporal.sx:(mod-temporal-tests-run!)"
+  "sla:lib/mod/tests/sla.sx:(mod-sla-tests-run!)"
+  "wire:lib/mod/tests/wire.sx:(mod-wire-tests-run!)"
+  "disjunction:lib/mod/tests/disjunction.sx:(mod-disjunction-tests-run!)"
+  "activity:lib/mod/tests/activity.sx:(mod-activity-tests-run!)"
+  "policies:lib/mod/tests/policies.sx:(mod-policies-tests-run!)"
+  "defrule:lib/mod/tests/defrule.sx:(mod-defrule-tests-run!)"
+  "pipeline:lib/mod/tests/pipeline.sx:(mod-pipeline-tests-run!)"
+)

lib/mod/conformance.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Thin wrapper — see lib/guest/conformance.sh and lib/mod/conformance.conf.
+exec bash "$(dirname "$0")/../guest/conformance.sh" "$(dirname "$0")/conformance.conf" "$@"

lib/mod/defrule.sx

@@ -0,0 +1,16 @@
+;; lib/mod/defrule.sx — ergonomic rule / ruleset construction.
+;;
+;; The roadmap sketched a (defrule action :when conditions) surface. Conditions
+;; already evaluate to plain data, so this needs no macro — variadic functions
+;; suffice: mod/defrule collects its trailing condition forms via &rest (dropping
+;; the explicit outer (list ...)), and mod/ruleset assembles rules the same way.
+;;
+;;   (mod/ruleset
+;;     (mod/defrule "spam-hide" :hide (list :classification "spam"))
+;;     (mod/defrule "default-keep" :keep))
+
+(define
+  mod/defrule
+  (fn (name action &rest conds) (mod/mk-rule name action conds)))
+
+(define mod/ruleset (fn (&rest rules) rules))