fed-sx-m1: Step 2c — envelope:verify_signature/2 (time-aware key lookup + HMAC stand-in) + 11 tests

Wires the 3 previously-BLOCKED Phase 8 FFI BIFs against loops/fed-prims
primitives (merged at 380bc69f):

- crypto:hash/2 → crypto-sha256/sha512/sha3-256 (atom dispatch, raw-binary
  return via er-hex->bytes), +6 ffi tests
- cid:from_bytes/1 → CIDv1 raw-codec (0x55) + sha2-256 multihash assembled
  in SX; cid:to_string/1 → cid-from-sx of canonical er-format-value string,
  +7 ffi tests
- file:list_dir/1 → file-list-dir, {ok,[Binary]} / {error,Reason} reusing
  er-classify-file-error, +4 ffi tests

ffi suite 14 → 28 (3 BLOCKED negative-asserts flipped to functional tests).
httpc:request and sqlite:* remain BLOCKED — need HTTP-client and SQLite
host primitives which loops/fed-prims didn't deliver.

Full conformance 729/729 (eval 385, vm 78, ffi 28, all process suites).

next/.gitignore

@@ -0,0 +1 @@
+data/

next/README.md

@@ -0,0 +1,34 @@
+# next — fed-sx Milestone 1 kernel
+
+Single-instance, single-actor fed-sx server built as Erlang-on-SX modules.
+See `plans/fed-sx-design.md` for the architecture and
+`plans/fed-sx-milestone-1.md` for the build plan.
+
+## Layout
+
+```
+next/
+├── kernel/      Erlang-on-SX kernel modules (.erl, hot-loaded via code:load_binary/3)
+├── genesis/     SX source files for the genesis bootstrap bundle (DefineActivity, ...)
+├── tests/       Bash test scripts driving sx_server.exe via the epoch protocol
+└── data/        Runtime state — gitignored
+    ├── log/         per-actor JSONL outboxes
+    ├── objects/     CID-addressed artifacts on disk
+    ├── snapshots/   projection snapshots
+    ├── indexes/     derived projection index files
+    └── keys/        actor signing keys + bearer tokens
+```
+
+## Substrate
+
+The kernel is Erlang-on-SX. Each `.erl` source file is hot-loaded at boot via
+`code:load_binary(Mod, Filename, SourceString)` (Erlang Phase 7 BIF). The
+underlying SX runtime provides the host primitives the kernel calls into:
+`crypto:*`, `cid:*`, `file:*`, `code:*`, and (Step 8) `http:listen/2`.
+
+Tests drive the kernel via the epoch protocol:
+
+```bash
+printf '(epoch 1)\n(load "lib/erlang/runtime.sx")\n(epoch 2)\n<test-expr>\n' \
+  | hosts/ocaml/_build/default/bin/sx_server.exe
+```

next/kernel/envelope.erl

@@ -0,0 +1,177 @@
+-module(envelope).
+-export([validate_shape/1, get_field/2, canonical_bytes/1, verify_signature/2]).
+
+%% Activity envelope per design §3.1.
+%%
+%% Erlang maps (#{...}) are not supported by this port, so envelopes
+%% are represented as property lists of {atom_key, value} pairs. This
+%% port's binary syntax also can't carry string literals; values that
+%% would naturally be binaries in real Erlang are kept as atoms or
+%% integer-segment binaries in the test corpus.
+%%
+%% Required fields: id, type, actor, published, signature.
+%% The signature value is itself a property list with key_id,
+%% algorithm, value.
+%%
+%% validate_shape/1 returns ok | {error, Reason}. Reasons:
+%%   not_a_proplist
+%%   {missing_field, FieldName}
+%%   {bad_signature, BadSigReason}
+%%
+%% get_field/2 returns {ok, Value} | not_found.
+
+validate_shape(Env) when is_list(Env) ->
+    case check_required([id, type, actor, published, signature], Env) of
+        ok -> validate_signature_shape(Env);
+        Err -> Err
+    end;
+validate_shape(_) ->
+    {error, not_a_proplist}.
+
+get_field(_, []) -> not_found;
+get_field(K, [{K, V} | _]) -> {ok, V};
+get_field(K, [_ | Rest]) -> get_field(K, Rest).
+
+check_required([], _) -> ok;
+check_required([F | Rest], Env) ->
+    case get_field(F, Env) of
+        {ok, _} -> check_required(Rest, Env);
+        not_found -> {error, {missing_field, F}}
+    end.
+
+validate_signature_shape(Env) ->
+    {ok, Sig} = get_field(signature, Env),
+    case is_list(Sig) of
+        true ->
+            case check_required([key_id, algorithm, value], Sig) of
+                ok -> ok;
+                {error, {missing_field, F}} ->
+                    {error, {bad_signature, {missing_field, F}}}
+            end;
+        false ->
+            {error, {bad_signature, not_a_proplist}}
+    end.
+
+%% canonical_bytes/1 — the byte string the signature covers.
+%%
+%% Real fed-sx will use dag-cbor over a JSON-LD-canonicalised form
+%% (design §3.2). For milestone 1 we stand in for that with the host
+%% BIF `cid:to_string/1`, which produces a CIDv1 over the deterministic
+%% textual form of the term. Two prior steps make this work:
+%%   1. The signature pair is stripped (sig covers everything except
+%%      itself).
+%%   2. The top-level property list is sorted by key so field order in
+%%      the source envelope is not load-bearing.
+%%
+%% The result is an Erlang binary suitable as the sig-cover input.
+
+canonical_bytes(Env) when is_list(Env) ->
+    Stripped = strip_signature(Env),
+    Sorted = sort_pairs(Stripped),
+    cid:to_string(Sorted).
+
+strip_signature([]) -> [];
+strip_signature([{signature, _} | Rest]) -> strip_signature(Rest);
+strip_signature([P | Rest]) -> [P | strip_signature(Rest)].
+
+sort_pairs([]) -> [];
+sort_pairs([H | T]) -> insert_pair(H, sort_pairs(T)).
+
+insert_pair(P, []) -> [P];
+insert_pair({K1, V1}, [{K2, V2} | Rest]) ->
+    case K1 < K2 of
+        true  -> [{K1, V1}, {K2, V2} | Rest];
+        false -> [{K2, V2} | insert_pair({K1, V1}, Rest)]
+    end.
+
+%% verify_signature/2 — time-aware sig verification per design §9.6.
+%%
+%% Activity carries a `signature` proplist with `key_id`, `algorithm`,
+%% `value`. ActorState carries `public_keys` — a list of key proplists
+%% with `id`, `created`, optionally `superseded_at`, and `value` (the
+%% key material).
+%%
+%% A key is active at time T iff `created =< T` AND
+%% (no `superseded_at` OR T < `superseded_at`). Verification picks the
+%% first matching active key whose `id == signature.key_id` at the
+%% activity's `published` timestamp, then recomputes the MAC
+%% `crypto:hash(sha256, <<KeyMaterial/binary, CanonicalBytes/binary>>)`
+%% and compares it to `signature.value`.
+%%
+%% Returns ok | {error, Reason}. Reasons:
+%%   no_signature | no_key_id | no_published | no_keys |
+%%   no_active_key | bad_signature
+%%
+%% Real RSA-SHA256 / Ed25519 verification is deferred to milestone 2:
+%% Phase 8 only ships `crypto:hash/2`, so we stand in with an HMAC-shaped
+%% MAC that exercises the same key-lookup and canonical-bytes pipeline.
+
+verify_signature(Activity, ActorState) ->
+    case get_field(signature, Activity) of
+        not_found -> {error, no_signature};
+        {ok, Sig} ->
+            case get_field(key_id, Sig) of
+                not_found -> {error, no_key_id};
+                {ok, KeyId} ->
+                    case get_field(published, Activity) of
+                        not_found -> {error, no_published};
+                        {ok, Published} ->
+                            verify_with_keys(Activity, Sig, KeyId,
+                                             Published, ActorState)
+                    end
+            end
+    end.
+
+verify_with_keys(Activity, Sig, KeyId, Published, ActorState) ->
+    case get_field(public_keys, ActorState) of
+        not_found -> {error, no_keys};
+        {ok, Keys} ->
+            case find_active_key(KeyId, Published, Keys) of
+                not_found -> {error, no_active_key};
+                {ok, Key} -> verify_mac(Activity, Sig, Key)
+            end
+    end.
+
+find_active_key(_, _, []) -> not_found;
+find_active_key(KeyId, Now, [Key | Rest]) ->
+    case is_matching_active_key(Key, KeyId, Now) of
+        true -> {ok, Key};
+        false -> find_active_key(KeyId, Now, Rest)
+    end.
+
+is_matching_active_key(Key, WantId, Now) ->
+    case get_field(id, Key) of
+        {ok, WantId} -> is_active_at(Key, Now);
+        _ -> false
+    end.
+
+is_active_at(Key, Now) ->
+    case get_field(created, Key) of
+        not_found -> false;
+        {ok, Created} ->
+            case Now >= Created of
+                false -> false;
+                true ->
+                    case get_field(superseded_at, Key) of
+                        not_found -> true;
+                        {ok, SupAt} -> Now < SupAt
+                    end
+            end
+    end.
+
+verify_mac(Activity, Sig, Key) ->
+    case get_field(value, Sig) of
+        not_found -> {error, bad_signature};
+        {ok, SigValue} ->
+            case get_field(value, Key) of
+                not_found -> {error, bad_signature};
+                {ok, KeyMat} ->
+                    Bytes = canonical_bytes(Activity),
+                    Computed = crypto:hash(sha256,
+                        <<KeyMat/binary, Bytes/binary>>),
+                    case SigValue =:= Computed of
+                        true -> ok;
+                        false -> {error, bad_signature}
+                    end
+            end
+    end.

next/kernel/nx_cid.erl

@@ -0,0 +1,24 @@
+-module(nx_cid).
+-export([from_sx/1, to_string/1, from_string/1, equals/2]).
+
+%% The kernel-side CID wrapper. The host BIF `cid:to_string/1` already
+%% produces a canonical CIDv1 (raw codec, sha2-256 multihash) over the
+%% deterministic textual form of any term (er-format-value); we expose
+%% it under the kernel namespace and add the equality + round-trip
+%% helpers the rest of the kernel needs.
+%%
+%% Naming note: the BIF module is `cid`, so we use `nx_cid` to avoid
+%% shadowing. Plans/fed-sx-milestone-1.md §Step 1 spells the file as
+%% `cid.erl`; the briefing flags Erlang snippets as illustrative.
+
+from_sx(V) ->
+    cid:to_string(V).
+
+to_string(Cid) ->
+    Cid.
+
+from_string(S) ->
+    S.
+
+equals(A, B) ->
+    A =:= B.

next/tests/cid.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+# next/tests/cid.sh — Step 1b acceptance test.
+#
+# Loads next/kernel/nx_cid.erl into the Erlang-on-SX runtime and checks
+# the canonical CID contract: determinism, uniqueness, equality, and
+# to_string/from_string round-trip. 12 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/nx_cid.erl\")) :name)")
+
+;; from_sx returns a binary
+(epoch 10)
+(eval "(get (erlang-eval-ast \"is_binary(nx_cid:from_sx(foo))\") :name)")
+
+;; from_sx is deterministic on atoms / ints / compound terms
+(epoch 11)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(foo) =:= nx_cid:from_sx(foo)\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(42) =:= nx_cid:from_sx(42)\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx({a, [1, 2, 3]}) =:= nx_cid:from_sx({a, [1, 2, 3]})\") :name)")
+
+;; from_sx is collision-resistant on distinct terms
+(epoch 20)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(foo) =/= nx_cid:from_sx(bar)\") :name)")
+(epoch 21)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(1) =/= nx_cid:from_sx(2)\") :name)")
+(epoch 22)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx([1, 2]) =/= nx_cid:from_sx([1, 2, 3])\") :name)")
+
+;; equals/2 is alias for =:=
+(epoch 30)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_sx(foo), nx_cid:from_sx(foo))\") :name)")
+(epoch 31)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_sx(foo), nx_cid:from_sx(bar))\") :name)")
+
+;; to_string + from_string round-trip
+(epoch 40)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_string(nx_cid:to_string(nx_cid:from_sx(foo))), nx_cid:from_sx(foo))\") :name)")
+(epoch 41)
+(eval "(get (erlang-eval-ast \"is_binary(nx_cid:to_string(nx_cid:from_sx({tuple, 1, 2})))\") :name)")
+
+;; CIDv1 raw codec sha256 base32 form is around 59 chars; sanity-check length
+(epoch 50)
+(eval "(get (erlang-eval-ast \"byte_size(nx_cid:from_sx(hello)) > 50\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "nx_cid"
+check 10  "from_sx returns binary"          "true"
+check 11  "from_sx atom deterministic"      "true"
+check 12  "from_sx int deterministic"       "true"
+check 13  "from_sx compound deterministic"  "true"
+check 20  "from_sx atoms distinct"          "true"
+check 21  "from_sx ints distinct"           "true"
+check 22  "from_sx lists distinct"          "true"
+check 30  "equals same CIDs"                "true"
+check 31  "equals different CIDs"           "false"
+check 40  "to_string/from_string round-trip" "true"
+check 41  "to_string returns binary"        "true"
+check 50  "CIDv1 base32 length sanity"      "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/cid.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_canonical.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+# next/tests/envelope_canonical.sh — Step 2b acceptance test.
+#
+# Loads next/kernel/envelope.erl and checks canonical_bytes/1 contract:
+# returns a binary, deterministic across runs, invariant under
+# field-order permutation, invariant under signature changes, and
+# different for different covered content. 7 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; canonical_bytes returns a binary
+(epoch 10)
+(eval "(get (erlang-eval-ast \"is_binary(envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{published,1000},{signature,whatever}]))\") :name)")
+
+;; Determinism: same envelope twice -> same bytes
+(epoch 11)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice}])\") :name)")
+
+;; Signature stripping: different signatures -> same canonical bytes
+(epoch 12)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,sig_one}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,sig_two}])\") :name)")
+
+;; No signature vs some signature -> same canonical bytes
+(epoch 13)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,whatever}])\") :name)")
+
+;; Key-order invariance: reordering top-level fields -> same bytes
+(epoch 14)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{actor,alice},{type,create},{id,1}])\") :name)")
+
+;; Changing a covered field changes the bytes
+(epoch 15)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =/= envelope:canonical_bytes([{id,2},{type,create},{actor,alice}])\") :name)")
+
+;; Distinct envelopes -> distinct bytes
+(epoch 16)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =/= envelope:canonical_bytes([{id,1},{type,update},{actor,bob}])\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "envelope"
+check 10  "canonical_bytes returns binary"  "true"
+check 11  "deterministic"                   "true"
+check 12  "signature stripped (changes)"    "true"
+check 13  "signature stripped (absent)"     "true"
+check 14  "key-order invariant"             "true"
+check 15  "covered field change visible"    "true"
+check 16  "distinct envelopes distinct"     "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_canonical.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_shape.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+# next/tests/envelope_shape.sh — Step 2a acceptance test.
+#
+# Loads next/kernel/envelope.erl into the Erlang-on-SX runtime and
+# checks validate_shape/1 / get_field/2 against the design §3.1 shape
+# contract. 13 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; Reusable valid envelope as Erlang text. The signature itself is a
+;; property list with key_id, algorithm, value.
+;;   E0 = [{id,1},{type,create},{actor,alice},{published,1000},
+;;         {signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]
+
+;; Complete valid envelope
+(epoch 10)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= ok\") :name)")
+
+;; Missing each top-level required field
+(epoch 11)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,id}}\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,type}}\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,actor}}\") :name)")
+(epoch 14)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,published}}\") :name)")
+(epoch 15)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000}]) =:= {error,{missing_field,signature}}\") :name)")
+
+;; Non-list inputs
+(epoch 16)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape(42) =:= {error,not_a_proplist}\") :name)")
+(epoch 17)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape(some_atom) =:= {error,not_a_proplist}\") :name)")
+
+;; Signature sub-shape
+(epoch 20)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{algorithm,ed25519},{value,v}]}]) =:= {error,{bad_signature,{missing_field,key_id}}}\") :name)")
+(epoch 21)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{value,v}]}]) =:= {error,{bad_signature,{missing_field,algorithm}}}\") :name)")
+(epoch 22)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519}]}]) =:= {error,{bad_signature,{missing_field,value}}}\") :name)")
+(epoch 23)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,not_a_proplist}]) =:= {error,{bad_signature,not_a_proplist}}\") :name)")
+
+;; get_field
+(epoch 30)
+(eval "(get (erlang-eval-ast \"envelope:get_field(actor,[{id,1},{actor,alice}]) =:= {ok,alice}\") :name)")
+(epoch 31)
+(eval "(get (erlang-eval-ast \"envelope:get_field(missing,[{id,1},{actor,alice}]) =:= not_found\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                  "envelope"
+check 10  "complete envelope -> ok"           "true"
+check 11  "missing id"                        "true"
+check 12  "missing type"                      "true"
+check 13  "missing actor"                     "true"
+check 14  "missing published"                 "true"
+check 15  "missing signature"                 "true"
+check 16  "non-list (integer)"                "true"
+check 17  "non-list (atom)"                   "true"
+check 20  "signature missing key_id"          "true"
+check 21  "signature missing algorithm"       "true"
+check 22  "signature missing value"           "true"
+check 23  "signature not a proplist"          "true"
+check 30  "get_field hit"                     "true"
+check 31  "get_field miss"                    "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_shape.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_sig.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# next/tests/envelope_sig.sh — Step 2c acceptance test.
+#
+# Exercises envelope:verify_signature/2 against the full sig pipeline:
+# canonical_bytes + crypto:hash MAC + time-aware key validity per design
+# §9.6. 10 cases.
+#
+# The signature stand-in is HMAC-shaped:
+#   sig.value = crypto:hash(sha256, <<KeyMaterial/binary, CanonicalBytes/binary>>)
+# Real Ed25519/RSA verification is deferred to milestone 2 once the
+# corresponding crypto BIFs are wired.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+# Shared Erlang prelude builds a valid-signed envelope template and an
+# actor state with one active key. Each test reuses these and asserts
+# against an Erlang =:= comparison so the result is a bare boolean.
+PRELUDE='KM = <<1,2,3,4>>, U = [{actor,alice},{id,1},{published,100},{type,create}], CB = envelope:canonical_bytes(U), Sig = crypto:hash(sha256, <<KM/binary, CB/binary>>), Env = [{actor,alice},{id,1},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], AS = [{public_keys, [[{id,k1},{created,50},{value,KM}]]}],'
+
+cat > "$TMPFILE" <<EPOCHS
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; valid sig + active key -> ok
+(epoch 10)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(Env, AS) =:= ok\") :name)")
+
+;; tampered envelope (id mutated post-sign) -> bad_signature
+(epoch 11)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Tampered = [{actor,alice},{id,999},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], envelope:verify_signature(Tampered, AS) =:= {error,bad_signature}\") :name)")
+
+;; wrong sig value (random bytes) -> bad_signature
+(epoch 12)
+(eval "(get (erlang-eval-ast \"${PRELUDE} BadEnv = [{actor,alice},{id,1},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,<<0,0,0,0>>}]}], envelope:verify_signature(BadEnv, AS) =:= {error,bad_signature}\") :name)")
+
+;; unknown key_id -> no_active_key
+(epoch 13)
+(eval "(get (erlang-eval-ast \"${PRELUDE} OtherAS = [{public_keys, [[{id,k_other},{created,50},{value,KM}]]}], envelope:verify_signature(Env, OtherAS) =:= {error,no_active_key}\") :name)")
+
+;; key superseded BEFORE published -> no_active_key
+(epoch 14)
+(eval "(get (erlang-eval-ast \"${PRELUDE} SupAS = [{public_keys, [[{id,k1},{created,50},{superseded_at,80},{value,KM}]]}], envelope:verify_signature(Env, SupAS) =:= {error,no_active_key}\") :name)")
+
+;; key superseded AFTER published -> ok (historical valid)
+(epoch 15)
+(eval "(get (erlang-eval-ast \"${PRELUDE} SupAS2 = [{public_keys, [[{id,k1},{created,50},{superseded_at,200},{value,KM}]]}], envelope:verify_signature(Env, SupAS2) =:= ok\") :name)")
+
+;; key not yet created at published -> no_active_key
+(epoch 16)
+(eval "(get (erlang-eval-ast \"${PRELUDE} FutAS = [{public_keys, [[{id,k1},{created,150},{value,KM}]]}], envelope:verify_signature(Env, FutAS) =:= {error,no_active_key}\") :name)")
+
+;; missing signature field -> no_signature
+(epoch 17)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(U, AS) =:= {error,no_signature}\") :name)")
+
+;; actor state with no public_keys field -> no_keys
+(epoch 18)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(Env, []) =:= {error,no_keys}\") :name)")
+
+;; second key in list matches when first doesn't (lookup walks list)
+(epoch 19)
+(eval "(get (erlang-eval-ast \"${PRELUDE} TwoKeys = [{public_keys, [[{id,k_other},{created,50},{value,<<9,9,9>>}], [{id,k1},{created,50},{value,KM}]]}], envelope:verify_signature(Env, TwoKeys) =:= ok\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "envelope"
+check 10  "valid sig active key"            "true"
+check 11  "tampered envelope"               "true"
+check 12  "wrong sig value"                 "true"
+check 13  "unknown key_id"                  "true"
+check 14  "key superseded before published" "true"
+check 15  "key superseded after published"  "true"
+check 16  "key not yet created"             "true"
+check 17  "missing signature field"         "true"
+check 18  "actor state no keys"             "true"
+check 19  "match second key in list"        "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_sig.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

plans/fed-sx-milestone-1.md

@@ -99,6 +99,10 @@ in isolation, and a clear acceptance check.
 
 ## Step 1 — Repo skeleton + canonical CID
 
+**Sub-deliverables:**
+- [x] **1a** — `next/` directory skeleton, README, `.gitignore` for `data/`
+- [x] **1b** — `next/kernel/nx_cid.erl` (from_sx/to_string/from_string/equals) + `next/tests/cid.sh` (13 cases). Module is `nx_cid` not `cid` — the `cid` BIF module would be shadowed by a user module of the same name; plan §Step 1's `cid.erl` is illustrative per briefing.
+
 **Deliverables:**
 
 ```
@@ -146,6 +150,11 @@ canonicalize_sx(V) -> ...                  % sorts dict keys, normalizes strings
 
 ## Step 2 — Activity envelope + signature verify
 
+**Sub-deliverables:**
+- [x] **2a** — `next/kernel/envelope.erl` `validate_shape/1` + `get_field/2` (property-list envelope; Erlang maps `#{}` not supported in this port) + `next/tests/envelope_shape.sh` (15 cases)
+- [x] **2b** — `canonical_bytes/1` over sig-stripped, key-sorted envelope (deterministic textual form via `cid:to_string` substrate; dag-cbor stand-in for v1) + `next/tests/envelope_canonical.sh` (8 cases)
+- [x] **2c** — `verify_signature/2` against actor `public_keys`, time-aware key validity per design §9.6 (created ≤ published, optional supersession check) + `next/tests/envelope_sig.sh` (11 cases). Signature scheme is HMAC-shaped (`crypto:hash(sha256, KeyMaterial ++ canonical_bytes)`) — RSA/Ed25519 verify deferred to m2 (BIFs not yet wired).
+
 **Deliverables:**
 
 ```erlang
@@ -920,3 +929,17 @@ A few things still under-specified; resolve as work begins.
    60 seconds." Tunable per-projection later; v1 uses the default.
 5. **Genesis bundle format.** Dag-cbor map per §12.2; concrete schema needs
    one round of refinement once we author the actual definitions in step 4.
+
+---
+
+## Progress log
+
+Newest first. One line per sub-deliverable commit. Erlang conformance gate
+(`bash lib/erlang/conformance.sh`) must remain 729/729 on every entry.
+
+- **2026-05-26** — Step 2c: `envelope:verify_signature/2` — time-aware key lookup over `public_keys` (created ≤ published < superseded_at), MAC recompute via `crypto:hash(sha256, KeyMaterial ++ canonical_bytes)`, compared against `signature.value`. Returns ok or one of `no_signature | no_key_id | no_published | no_keys | no_active_key | bad_signature`. `next/tests/envelope_sig.sh` 11/11 pass. Erlang conformance 729/729.
+- **2026-05-26** — Step 2b: `envelope:canonical_bytes/1` — strip signature, insertion-sort property list by key, return host-CID-string as deterministic byte form (dag-cbor stand-in). `next/tests/envelope_canonical.sh` 8/8 pass. Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 2a: `next/kernel/envelope.erl` `validate_shape/1` + `get_field/2` over property-list envelopes (Erlang `#{}` maps not supported in this port). `next/tests/envelope_shape.sh` 15/15 pass. Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 1b: `next/kernel/nx_cid.erl` (from_sx/to_string/from_string/equals) — thin Erlang wrapper around the `cid:to_string/1` BIF. `next/tests/cid.sh` 13/13 pass. Module named `nx_cid` to avoid shadowing the `cid` BIF (user-module dispatch takes precedence over BIFs by module name). Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 1a: `next/` skeleton created (kernel/, genesis/, tests/, data/), README, `.gitignore data/`. Erlang conformance 729/729 preserved.
+