fed-sx-m1: Step 4d — bootstrap:build_genesis/verify_genesis + cidhash helpers + 12 tests

Wires the 3 previously-BLOCKED Phase 8 FFI BIFs against loops/fed-prims
primitives (merged at 380bc69f):

- crypto:hash/2 → crypto-sha256/sha512/sha3-256 (atom dispatch, raw-binary
  return via er-hex->bytes), +6 ffi tests
- cid:from_bytes/1 → CIDv1 raw-codec (0x55) + sha2-256 multihash assembled
  in SX; cid:to_string/1 → cid-from-sx of canonical er-format-value string,
  +7 ffi tests
- file:list_dir/1 → file-list-dir, {ok,[Binary]} / {error,Reason} reusing
  er-classify-file-error, +4 ffi tests

ffi suite 14 → 28 (3 BLOCKED negative-asserts flipped to functional tests).
httpc:request and sqlite:* remain BLOCKED — need HTTP-client and SQLite
host primitives which loops/fed-prims didn't deliver.

Full conformance 729/729 (eval 385, vm 78, ffi 28, all process suites).

next/.gitignore

@@ -0,0 +1 @@
+data/

next/README.md

@@ -0,0 +1,34 @@
+# next — fed-sx Milestone 1 kernel
+
+Single-instance, single-actor fed-sx server built as Erlang-on-SX modules.
+See `plans/fed-sx-design.md` for the architecture and
+`plans/fed-sx-milestone-1.md` for the build plan.
+
+## Layout
+
+```
+next/
+├── kernel/      Erlang-on-SX kernel modules (.erl, hot-loaded via code:load_binary/3)
+├── genesis/     SX source files for the genesis bootstrap bundle (DefineActivity, ...)
+├── tests/       Bash test scripts driving sx_server.exe via the epoch protocol
+└── data/        Runtime state — gitignored
+    ├── log/         per-actor JSONL outboxes
+    ├── objects/     CID-addressed artifacts on disk
+    ├── snapshots/   projection snapshots
+    ├── indexes/     derived projection index files
+    └── keys/        actor signing keys + bearer tokens
+```
+
+## Substrate
+
+The kernel is Erlang-on-SX. Each `.erl` source file is hot-loaded at boot via
+`code:load_binary(Mod, Filename, SourceString)` (Erlang Phase 7 BIF). The
+underlying SX runtime provides the host primitives the kernel calls into:
+`crypto:*`, `cid:*`, `file:*`, `code:*`, and (Step 8) `http:listen/2`.
+
+Tests drive the kernel via the epoch protocol:
+
+```bash
+printf '(epoch 1)\n(load "lib/erlang/runtime.sx")\n(epoch 2)\n<test-expr>\n' \
+  | hosts/ocaml/_build/default/bin/sx_server.exe
+```

next/genesis/activity-types/create.sx

@@ -0,0 +1,15 @@
+;; next/genesis/activity-types/create.sx
+;;
+;; Bootstrap definition of the Create verb per design §3 and §12.2.
+;; Read as data by the bundler (bootstrap.erl) — never evaluated as
+;; code. The :schema and :semantics bodies are SX source; the
+;; validation pipeline (Step 6) and projection scheduler (Step 7)
+;; evaluate them at the appropriate times.
+
+(DefineActivity
+  :name "Create"
+  :doc "Publish a new object. Required for actor onboarding and for\n        every Define* meta-activity. The activity's :object holds\n        the canonical content of the published object."
+  :schema (fn
+    (act)
+    (and (not (nil? (-> act :object))) (string? (-> act :object :type))))
+  :semantics (fn (state act) state))

next/genesis/activity-types/delete.sx

@@ -0,0 +1,13 @@
+;; next/genesis/activity-types/delete.sx
+;;
+;; Bootstrap definition of the Delete verb per design §3 and §12.2.
+;; Read as data by the bundler — never evaluated as code here. The
+;; :schema and :semantics bodies are SX source; the validator
+;; pipeline (Step 6) and projection scheduler (Step 7) evaluate them
+;; at the appropriate times.
+
+(DefineActivity
+  :name "Delete"
+  :doc "Tombstone an existing object. :object is the CID of the\n        target. Projections fold Delete by removing the object from\n        their working indexes; the underlying log line is never\n        erased — durability of the historical record is independent\n        of projection state."
+  :schema (fn (act) (string? (-> act :object)))
+  :semantics (fn (state act) state))

next/genesis/activity-types/update.sx

@@ -0,0 +1,15 @@
+;; next/genesis/activity-types/update.sx
+;;
+;; Bootstrap definition of the Update verb per design §3 and §12.2.
+;; Read as data by the bundler — never evaluated as code here. The
+;; :schema and :semantics bodies are SX source; the validator
+;; pipeline (Step 6) and projection scheduler (Step 7) evaluate them
+;; at the appropriate times.
+
+(DefineActivity
+  :name "Update"
+  :doc "Patch or replace an existing object. :object is the CID of\n        the target; :patch is the field-level edit. Behaviour is\n        delegated to per-object-type semantics — e.g. an Update of a\n        DefineActivity supersedes the prior registry entry; an\n        Update of a Person actor rotates keys via :patch :add-publicKey\n        + :patch :supersede."
+  :schema (fn
+    (act)
+    (and (string? (-> act :object)) (not (nil? (-> act :patch)))))
+  :semantics (fn (state act) state))

next/genesis/audience/direct.sx

@@ -0,0 +1,14 @@
+;; next/genesis/audience/direct.sx
+;;
+;; Direct audience: an actor is a member iff they are
+;; explicitly named in the activity's :to or :cc lists. No
+;; group expansion — true direct addressing only.
+
+(DefineAudience
+  :name "Direct"
+  :doc "Direct-addressing predicate. Tests literal membership\n        in the activity's :to or :cc."
+  :member-of (fn
+    (actor audience)
+    (or
+      (member? actor (-> audience :to))
+      (member? actor (-> audience :cc)))))

next/genesis/audience/followers.sx

@@ -0,0 +1,14 @@
+;; next/genesis/audience/followers.sx
+;;
+;; Followers audience: an actor is a member iff they appear in
+;; the audience-owner's :followers set in the audience-graph
+;; projection. Federation (m2) wires this to peer delivery.
+
+(DefineAudience
+  :name "Followers"
+  :doc "Followers-of-owner predicate. Looks up the\n        audience-graph projection's :followers list for the\n        audience owner and tests membership."
+  :member-of (fn
+    (actor audience)
+    (member?
+      actor
+      (-> (get-projection :audience-graph) (-> audience :owner) :followers))))

next/genesis/audience/public.sx

@@ -0,0 +1,9 @@
+;; next/genesis/audience/public.sx
+;;
+;; Public audience: every actor is a member. Maps to the AP
+;; magic id `https://www.w3.org/ns/activitystreams#Public`.
+
+(DefineAudience
+  :name "Public"
+  :doc "Public audience predicate. Always returns true — every\n        actor on the network is considered a member."
+  :member-of (fn (actor audience) true))

next/genesis/codecs/dag-cbor.sx

@@ -0,0 +1,13 @@
+;; next/genesis/codecs/dag-cbor.sx
+;;
+;; Canonical CBOR encoding per IPLD dag-cbor. Used to compute
+;; envelope canonical bytes for signature coverage and to serialise
+;; the genesis bundle itself. In Erlang-on-SX mode the kernel
+;; dispatches to the host cid:to_string substrate (Step 1b) when
+;; this codec is requested.
+
+(DefineCodec
+  :name "dag-cbor"
+  :doc "Deterministic CBOR with dag-cbor restrictions: sorted\n        map keys, no floats unless required, no indefinite-length\n        items. The canonical wire format for fed-sx artifacts."
+  :encode (fn (term) (host-codec :dag-cbor :encode term))
+  :decode (fn (bytes) (host-codec :dag-cbor :decode bytes)))

next/genesis/codecs/dag-json.sx

@@ -0,0 +1,12 @@
+;; next/genesis/codecs/dag-json.sx
+;;
+;; JSON encoding with dag-json restrictions per IPLD: sorted map
+;; keys, no NaN / Infinity, no comments, CIDs as `{"/": "..."}`.
+;; Used as the human-readable wire format for ActivityPub interop
+;; (JSON-LD over dag-json).
+
+(DefineCodec
+  :name "dag-json"
+  :doc "Deterministic JSON with dag-json restrictions. Sorted\n        keys, CIDs as the {\"/\": \"...\"} object. Used by the\n        HTTP server (Step 8) for application/json responses."
+  :encode (fn (term) (host-codec :dag-json :encode term))
+  :decode (fn (bytes) (host-codec :dag-json :decode bytes)))

next/genesis/codecs/raw.sx

@@ -0,0 +1,12 @@
+;; next/genesis/codecs/raw.sx
+;;
+;; Identity codec — input bytes pass through unchanged in both
+;; directions. Used for already-encoded payloads and for binary
+;; artifacts (images, archives) whose CID is computed over the
+;; raw bytes directly.
+
+(DefineCodec
+  :name "raw"
+  :doc "Identity codec. The CID's multicodec byte is 0x55.\n        :encode and :decode return their input unchanged."
+  :encode (fn (bytes) bytes)
+  :decode (fn (bytes) bytes))

next/genesis/manifest.sx

@@ -0,0 +1,46 @@
+;; next/genesis/manifest.sx
+;;
+;; Genesis bundle root per design §12.2. Lists every definition file
+;; that gets packed into the bundle. The bundler (bootstrap.erl)
+;; walks this manifest, reads each referenced file, parses its
+;; top-level form, and inserts it into the bundle dict at the
+;; appropriate section path.
+;;
+;; The bundle CID is the content-address of the resulting dag-cbor
+;; (or v1 stand-in) blob over the assembled dict. That CID is
+;; baked into the kernel at build time and re-verified on startup
+;; per design §12.3.
+;;
+;; Section values are bare parenthesised paths (data lists, not
+;; function calls) — the manifest is consumed by `parse`, not
+;; `eval`. Empty sections are written as `()`.
+
+(GenesisManifest
+  :version "0.0.1"
+  :kernel-version "1.0.0-m1"
+  :activity-types ("activity-types/create.sx"
+    "activity-types/update.sx"
+    "activity-types/delete.sx")
+  :object-types ("object-types/sx-artifact.sx"
+    "object-types/note.sx"
+    "object-types/tombstone.sx"
+    "object-types/define-activity.sx"
+    "object-types/define-object.sx"
+    "object-types/define-projection.sx"
+    "object-types/define-validator.sx"
+    "object-types/define-codec.sx"
+    "object-types/define-sig-suite.sx"
+    "object-types/snapshot.sx")
+  :projections ("projections/activity-log.sx"
+    "projections/by-type.sx"
+    "projections/by-actor.sx"
+    "projections/by-object.sx"
+    "projections/actor-state.sx"
+    "projections/define-registry.sx"
+    "projections/audience-graph.sx")
+  :validators ("validators/envelope-shape.sx"
+    "validators/signature.sx"
+    "validators/type-schema.sx")
+  :codecs ("codecs/dag-cbor.sx" "codecs/raw.sx" "codecs/dag-json.sx")
+  :sig-suites ("sig-suites/rsa-sha256-2018.sx" "sig-suites/ed25519-2020.sx")
+  :audience ("audience/public.sx" "audience/followers.sx" "audience/direct.sx"))

next/genesis/object-types/define-activity.sx

@@ -0,0 +1,12 @@
+;; next/genesis/object-types/define-activity.sx
+;;
+;; Meta-object that registers a new activity verb. Published as
+;; Create{DefineActivity{...}}; the define-registry projection
+;; folds it into the activity-types registry. Per design §5.
+
+(DefineObject
+  :name "DefineActivity"
+  :doc "Activity-type registration. :name is the verb (e.g.\n        \"Pin\"); :schema is an SX predicate over activity\n        envelopes; :semantics is an optional state-fold body."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :name)) (not (nil? (-> obj :schema))))))

next/genesis/object-types/define-codec.sx

@@ -0,0 +1,15 @@
+;; next/genesis/object-types/define-codec.sx
+;;
+;; Meta-object that registers a content codec — an encode/decode
+;; pair. The bootstrap bundle ships dag-cbor, raw, and dag-json
+;; codecs; new codecs can be added via Create{DefineCodec{...}}.
+
+(DefineObject
+  :name "DefineCodec"
+  :doc "Codec registration. :name identifies the codec ('dag-cbor',\n        'raw', 'dag-json', ...); :encode and :decode are the\n        SX bodies the kernel calls when serialising / parsing\n        artifacts under this codec."
+  :schema (fn
+    (obj)
+    (and
+      (string? (-> obj :name))
+      (not (nil? (-> obj :encode)))
+      (not (nil? (-> obj :decode))))))

next/genesis/object-types/define-object.sx

@@ -0,0 +1,12 @@
+;; next/genesis/object-types/define-object.sx
+;;
+;; Meta-object that registers a new object-type. Bootstrap-level —
+;; runtime registration of new object types (e.g. DefineSubscription
+;; in the Step 9b smoke test) flows through this.
+
+(DefineObject
+  :name "DefineObject"
+  :doc "Object-type registration. :name is the type tag (e.g.\n        \"PinSpec\"); :schema is an SX predicate over object\n        forms of that type."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :name)) (not (nil? (-> obj :schema))))))

next/genesis/object-types/define-projection.sx

@@ -0,0 +1,16 @@
+;; next/genesis/object-types/define-projection.sx
+;;
+;; Meta-object that registers a new projection. The projection
+;; scheduler (Step 7) spawns one gen_server per registered
+;; projection and feeds activities through its :fold body in
+;; sandbox mode.
+
+(DefineObject
+  :name "DefineProjection"
+  :doc "Projection registration. :name is the projection key;\n        :initial-state is the empty state value; :fold is the\n        pure (state activity) -> state function evaluated in\n        sandbox mode per activity."
+  :schema (fn
+    (obj)
+    (and
+      (string? (-> obj :name))
+      (not (nil? (-> obj :initial-state)))
+      (not (nil? (-> obj :fold))))))

next/genesis/object-types/define-sig-suite.sx

@@ -0,0 +1,12 @@
+;; next/genesis/object-types/define-sig-suite.sx
+;;
+;; Meta-object that registers a signature suite. Bootstrap ships
+;; rsa-sha256-2018 and ed25519-2020; the suite name maps an
+;; algorithm to a :verify body and a :key-format predicate.
+
+(DefineObject
+  :name "DefineSigSuite"
+  :doc "Signature suite registration. :name identifies the suite\n        ('rsa-sha256-2018', 'ed25519-2020', ...); :verify is the\n        SX (canonical-bytes signature key) -> bool body; the\n        envelope-signature validator dispatches by suite name."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :name)) (not (nil? (-> obj :verify))))))

next/genesis/object-types/define-validator.sx

@@ -0,0 +1,12 @@
+;; next/genesis/object-types/define-validator.sx
+;;
+;; Meta-object that registers a validator predicate. The validation
+;; pipeline (Step 6) consults registered validators by name when
+;; running its stages.
+
+(DefineObject
+  :name "DefineValidator"
+  :doc "Validator registration. :name is the validator key (e.g.\n        \"envelope-shape\"); :predicate is the SX (activity) ->\n        ok|{error, R} body."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :name)) (not (nil? (-> obj :predicate))))))

next/genesis/object-types/note.sx

@@ -0,0 +1,10 @@
+;; next/genesis/object-types/note.sx
+;;
+;; Short message intended for an audience, ActivityPub-Note-compatible.
+;; Used by the Step 9b reactive smoke test (Note tagged "smoketest"
+;; matches the Topic subscription).
+
+(DefineObject
+  :name "Note"
+  :doc "Short authored message. :content is the body text;\n        :tags is a list of subscription-routable tags."
+  :schema (fn (obj) (string? (-> obj :content))))

next/genesis/object-types/snapshot.sx

@@ -0,0 +1,13 @@
+;; next/genesis/object-types/snapshot.sx
+;;
+;; Projection state checkpoint. The projection scheduler emits
+;; Snapshot{projection-name, state-cid, log-seq} periodically;
+;; cold starts read the most recent Snapshot and replay only
+;; activities after :log-seq. Per design §10.5.
+
+(DefineObject
+  :name "Snapshot"
+  :doc "Projection-state checkpoint. :projection-name identifies\n        the projection; :state-cid is the content-address of\n        the snapshotted state value; :log-seq is the activity\n        sequence number the snapshot was taken at."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :projection-name)) (string? (-> obj :state-cid)))))

next/genesis/object-types/sx-artifact.sx

@@ -0,0 +1,10 @@
+;; next/genesis/object-types/sx-artifact.sx
+;;
+;; Content-addressed SX source — a library, component, or
+;; executable form published via Create{SXArtifact{...}}.
+;; Consumers reference an artifact by its CID. Per design §3.4.
+
+(DefineObject
+  :name "SXArtifact"
+  :doc "Published SX source. :source carries the form text;\n        :language is optional ('sx' by default); :imports lists\n        CIDs the artifact depends on."
+  :schema (fn (obj) (string? (-> obj :source))))

next/genesis/object-types/tombstone.sx

@@ -0,0 +1,9 @@
+;; next/genesis/object-types/tombstone.sx
+;;
+;; Replacement for an object that has been Delete'd. Lets projection
+;; folds keep a marker without retaining the deleted content.
+
+(DefineObject
+  :name "Tombstone"
+  :doc "Marker for a deleted object. :former-cid carries the CID\n        of the object that was removed. Projections fold Tombstone\n        by replacing the cached entry (not by omitting it)."
+  :schema (fn (obj) (string? (-> obj :former-cid))))

next/genesis/projections/activity-log.sx

@@ -0,0 +1,11 @@
+;; next/genesis/projections/activity-log.sx
+;;
+;; Identity projection: stores every activity by its CID. The
+;; base ledger every other projection could be re-derived from
+;; if needed. Per design §10.2.
+
+(DefineProjection
+  :name "activity-log"
+  :doc "Maps activity CID to the full envelope. Every activity\n        flows through; no filter. State is the CID-keyed dict."
+  :initial-state {}
+  :fold (fn (state act) (assoc state (-> act :cid) act)))

next/genesis/projections/actor-state.sx

@@ -0,0 +1,26 @@
+;; next/genesis/projections/actor-state.sx
+;;
+;; Per-actor live state: publicKeys (with history per design §9.6),
+;; profile fields (preferredUsername, summary, ...), follower/
+;; following counts. Powers the actor doc endpoint and the
+;; time-aware signature verification in envelope:verify_signature/2.
+
+(DefineProjection
+  :name "actor-state"
+  :doc "Actor-id -> {publicKeys, profile, followers, following}.\n        Updated by Create{Person|Service|Group}, Update (key\n        rotation, profile edits), Move (federation migration)."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((aid (-> act :actor)) (t (-> act :type)))
+      (cond
+        (= t "Create")
+        (assoc state aid (or (-> act :object) {}))
+        (= t "Update")
+        (assoc
+          state
+          aid
+          (merge
+            (or (get state aid) {})
+            (or (-> act :patch) {})))
+        :else state))))

next/genesis/projections/audience-graph.sx

@@ -0,0 +1,25 @@
+;; next/genesis/projections/audience-graph.sx
+;;
+;; Per-actor follow / follower graph and audience caches. Folded
+;; from Follow / Accept / Reject / Undo{Follow}. Used by the
+;; activity router to expand :to / :cc audiences (Public,
+;; Followers, Direct) into concrete recipient sets. Per design §16.
+
+(DefineProjection
+  :name "audience-graph"
+  :doc "Actor-id -> {following, followers, pending} sets.\n        Updated by Follow / Accept / Reject / Undo. Federation\n        (m2) wires this projection to the delivery queue."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((t (-> act :type)))
+      (cond
+        (= t "Follow")
+        state
+        (= t "Accept")
+        state
+        (= t "Reject")
+        state
+        (= t "Undo")
+        state
+        :else state))))

next/genesis/projections/by-actor.sx

@@ -0,0 +1,15 @@
+;; next/genesis/projections/by-actor.sx
+;;
+;; Index of activity CIDs grouped by :actor. Maps actor-id to a
+;; list of CIDs in append order. Powers the per-actor outbox
+;; listing (Step 8) without re-scanning the full log.
+
+(DefineProjection
+  :name "by-actor"
+  :doc "Actor-id -> list of activity CIDs (append order)."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((a (-> act :actor)) (cid (-> act :cid)))
+      (assoc state a (append (or (get state a) (list)) (list cid))))))

next/genesis/projections/by-object.sx

@@ -0,0 +1,22 @@
+;; next/genesis/projections/by-object.sx
+;;
+;; Index of activities that reference each :object CID. Maps
+;; object-CID to the list of activity CIDs that target it
+;; (Update / Delete / Announce / etc.). Used for "show me
+;; everything that happened to X" queries.
+
+(DefineProjection
+  :name "by-object"
+  :doc "Object CID -> list of activity CIDs that target it."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((obj-cid (-> act :object)) (cid (-> act :cid)))
+      (if
+        (string? obj-cid)
+        (assoc
+          state
+          obj-cid
+          (append (or (get state obj-cid) (list)) (list cid)))
+        state))))

next/genesis/projections/by-type.sx

@@ -0,0 +1,15 @@
+;; next/genesis/projections/by-type.sx
+;;
+;; Index of activity CIDs grouped by :type. Maps type-name to a
+;; list of CIDs in append order. Used by the outbox listing
+;; endpoints (Step 8) for type-filtered pagination.
+
+(DefineProjection
+  :name "by-type"
+  :doc "Type-name -> list of activity CIDs (append order)."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((t (-> act :type)) (cid (-> act :cid)))
+      (assoc state t (append (or (get state t) (list)) (list cid))))))

next/genesis/projections/define-registry.sx

@@ -0,0 +1,33 @@
+;; next/genesis/projections/define-registry.sx
+;;
+;; The meta-projection: folds Create{Define*{...}} activities into
+;; the kernel registry. Resolves the chicken-and-egg circle —
+;; bootstrap.erl populates the registry directly at startup from
+;; the genesis bundle, and from then on define-registry's fold
+;; keeps it current as new Define* activities arrive. Per design §5.
+
+(DefineProjection
+  :name "define-registry"
+  :doc "Maps {kind, name} -> definition entry. Folded from\n        Create{DefineActivity|DefineObject|DefineProjection|\n        DefineValidator|DefineCodec|DefineSigSuite|...}. Kind is\n        derived from the inner :object :type tag."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((obj (-> act :object)) (otype (-> act :object :type)))
+      (cond
+        (= (-> act :type) "Create")
+        (cond
+          (= otype "DefineActivity")
+          (assoc-in state (list :activity-types (-> obj :name)) obj)
+          (= otype "DefineObject")
+          (assoc-in state (list :object-types (-> obj :name)) obj)
+          (= otype "DefineProjection")
+          (assoc-in state (list :projections (-> obj :name)) obj)
+          (= otype "DefineValidator")
+          (assoc-in state (list :validators (-> obj :name)) obj)
+          (= otype "DefineCodec")
+          (assoc-in state (list :codecs (-> obj :name)) obj)
+          (= otype "DefineSigSuite")
+          (assoc-in state (list :sig-suites (-> obj :name)) obj)
+          :else state)
+        :else state))))

next/genesis/sig-suites/ed25519-2020.sx

@@ -0,0 +1,11 @@
+;; next/genesis/sig-suites/ed25519-2020.sx
+;;
+;; W3C Verifiable Credential signature suite — Ed25519 over
+;; canonical bytes, key material in multibase. Default suite
+;; for fed-sx actors per design §9.
+
+(DefineSigSuite
+  :name "ed25519-2020"
+  :doc "Ed25519 verification. Key carries publicKeyMultibase.\n        :verify takes canonical-bytes + signature + key and\n        returns bool. Real verification deferred to m2 once\n        crypto:verify_ed25519/3 BIF lands; v1 stand-in returns\n        false to defer all Ed25519-signed activities."
+  :verify (fn (canonical-bytes signature key) false)
+  :key-format (fn (key-doc) (string? (-> key-doc :publicKeyMultibase))))

next/genesis/sig-suites/rsa-sha256-2018.sx

@@ -0,0 +1,11 @@
+;; next/genesis/sig-suites/rsa-sha256-2018.sx
+;;
+;; W3C Verifiable Credential signature suite — RSA-SHA256 over
+;; canonical bytes, key material in PEM. Compatible with
+;; Mastodon's HTTP-Signatures / Linked-Data-Signatures-2017.
+
+(DefineSigSuite
+  :name "rsa-sha256-2018"
+  :doc "RSA-SHA256 verification. Key carries publicKeyPem.\n        :verify takes canonical-bytes + signature + key and\n        returns bool. Real verification deferred to m2 once\n        crypto:verify_rsa/3 BIF lands; v1 stand-in returns\n        false to defer all RSA-signed activities."
+  :verify (fn (canonical-bytes signature key) false)
+  :key-format (fn (key-doc) (string? (-> key-doc :publicKeyPem))))

next/genesis/validators/envelope-shape.sx

@@ -0,0 +1,22 @@
+;; next/genesis/validators/envelope-shape.sx
+;;
+;; Validates required envelope fields per design §3.1. Stage 1 of
+;; the validation pipeline (Step 6). Mirrors the kernel's
+;; envelope:validate_shape/1 from Step 2a — when the pipeline runs
+;; in OCaml-side sandbox eval mode it dispatches by name; when it
+;; runs through the kernel Erlang path it short-circuits to the BIF.
+
+(DefineValidator
+  :name "envelope-shape"
+  :doc "Required-fields check on the activity envelope:\n        :id, :type, :actor, :published, :signature must all be\n        present and non-nil. The :signature sub-field needs\n        :key_id, :algorithm, :value."
+  :predicate (fn
+    (act)
+    (and
+      (not (nil? (-> act :id)))
+      (not (nil? (-> act :type)))
+      (not (nil? (-> act :actor)))
+      (not (nil? (-> act :published)))
+      (not (nil? (-> act :signature)))
+      (not (nil? (-> act :signature :key_id)))
+      (not (nil? (-> act :signature :algorithm)))
+      (not (nil? (-> act :signature :value))))))

next/genesis/validators/signature.sx

@@ -0,0 +1,13 @@
+;; next/genesis/validators/signature.sx
+;;
+;; Stage 2 of the validation pipeline per design §14. Verifies the
+;; activity signature against the time-relevant public key in the
+;; actor-state projection. Bootstrap entry; the kernel dispatches
+;; to envelope:verify_signature/2 (Step 2c) when running in
+;; Erlang-on-SX mode. Per design §9.6 the lookup is timestamp-aware
+;; — key validity is evaluated at :published, not "now".
+
+(DefineValidator
+  :name "signature"
+  :doc "Signature verification. Picks the signature suite by\n        :signature :algorithm, fetches the key with id ==\n        :signature :key_id that was active at :published from\n        the actor-state projection, then dispatches to the\n        suite's :verify body."
+  :predicate (fn (act) true))

next/genesis/validators/type-schema.sx

@@ -0,0 +1,21 @@
+;; next/genesis/validators/type-schema.sx
+;;
+;; Stage 5 of the validation pipeline per design §14. Validates
+;; the activity's :object against the schema registered for its
+;; :object :type in the define-registry projection.
+
+(DefineValidator
+  :name "type-schema"
+  :doc "Looks up the object-type registration in the\n        define-registry projection, fetches its :schema body,\n        and evaluates it against (-> act :object). Returns true\n        when no object-type is named (some verbs carry no\n        :object) or when no schema is registered for the named\n        type (open-world default — Step 6 may tighten)."
+  :predicate (fn
+    (act)
+    (let
+      ((obj (-> act :object)))
+      (cond
+        (nil? obj)
+        true
+        (nil? (-> obj :type))
+        true
+        :else (let
+          ((schema (-> (registry-lookup :object-types (-> obj :type)) :schema)))
+          (if (nil? schema) true (apply-schema schema obj)))))))

next/kernel/bootstrap.erl

@@ -0,0 +1,142 @@
+-module(bootstrap).
+-export([read_genesis/0, read_genesis/1,
+         read_section/2, sections/0, section_subdir/1,
+         default_base/0, ends_with_sx/1,
+         build_genesis/1, verify_genesis/2,
+         cidhash_path/1, write_cidhash/2, read_cidhash/1]).
+
+%% Genesis bundle reader per design §12.2.
+%%
+%% read_genesis/0,1 walks the seven canonical section subdirectories
+%% under `next/genesis/`, filters .sx files, reads each file into a
+%% binary, and returns a structured snapshot:
+%%
+%%   {ok, [{Section :: atom,
+%%          [{FileName :: binary, FileBytes :: binary}, ...]},
+%%         ...]}
+%%
+%% Step 4d will compute the bundle CID by hashing the assembled
+%% byte string across all entries; Step 4e will register the parsed
+%% definitions in the kernel registry.
+%%
+%% Port note: this module does NOT parse the .sx contents. The
+%% Erlang-on-SX port has no in-Erlang path from binary bytes to SX
+%% structured terms (same substrate gap that parked Step 3b); the
+%% bundle CID needs only the raw bytes, and registry registration
+%% will happen via an SX-side helper that the kernel hands the
+%% binary contents to. read_genesis/1 ignores its arg in v1 except
+%% to swap the BasePath — `default_base/0` is "next/genesis".
+%%
+%% Port note 2: string-literal binary segments `<<"abc">>` truncate
+%% to one byte in this port, so all path constants are hand-spelled
+%% as integer-segment binaries.
+
+%% ── Public API ──────────────────────────────────────────────────
+
+%% "next/genesis"
+default_base() ->
+    <<110,101,120,116,47,103,101,110,101,115,105,115>>.
+
+read_genesis() ->
+    read_genesis(default_base()).
+
+read_genesis(BasePath) ->
+    {ok, lists:map(
+           fun (S) -> {S, read_section(BasePath, S)} end,
+           sections())}.
+
+sections() ->
+    [activity_types, object_types, projections,
+     validators, codecs, sig_suites, audience].
+
+%% "activity-types"
+section_subdir(activity_types) ->
+    <<97,99,116,105,118,105,116,121,45,116,121,112,101,115>>;
+%% "object-types"
+section_subdir(object_types) ->
+    <<111,98,106,101,99,116,45,116,121,112,101,115>>;
+%% "projections"
+section_subdir(projections) ->
+    <<112,114,111,106,101,99,116,105,111,110,115>>;
+%% "validators"
+section_subdir(validators) ->
+    <<118,97,108,105,100,97,116,111,114,115>>;
+%% "codecs"
+section_subdir(codecs) ->
+    <<99,111,100,101,99,115>>;
+%% "sig-suites"
+section_subdir(sig_suites) ->
+    <<115,105,103,45,115,117,105,116,101,115>>;
+%% "audience"
+section_subdir(audience) ->
+    <<97,117,100,105,101,110,99,101>>.
+
+read_section(BasePath, Section) ->
+    SubDir = section_subdir(Section),
+    %% 47 = '/'
+    Path = <<BasePath/binary, 47, SubDir/binary>>,
+    case file:list_dir(Path) of
+        {ok, Names} ->
+            SxNames = lists:filter(fun (N) -> ends_with_sx(N) end, Names),
+            lists:map(fun (Name) -> read_one(Path, Name) end, SxNames);
+        {error, _} ->
+            []
+    end.
+
+%% Suffix check on the .sx extension. 46='.' 115='s' 120='x'.
+ends_with_sx(<<46, 115, 120>>) -> true;
+ends_with_sx(<<>>) -> false;
+ends_with_sx(<<_, Rest/binary>>) -> ends_with_sx(Rest).
+
+%% ── Internal ────────────────────────────────────────────────────
+
+read_one(DirPath, Name) ->
+    Full = <<DirPath/binary, 47, Name/binary>>,
+    case file:read_file(Full) of
+        {ok, Bytes} -> {Name, Bytes};
+        {error, R}  -> {Name, {error, R}}
+    end.
+
+%% ── Step 4d: bundle CID compute + verify ────────────────────────
+%%
+%% The bundle CID is the canonical content-address of everything in
+%% read_genesis/0's result. We delegate to the host `cid:to_string/1`
+%% BIF (Step 1b substrate): it walks the term via `er-format-value`,
+%% feeds the deterministic textual form into `cid-from-sx`, returns
+%% a CIDv1 (raw codec, sha2-256 multihash) as a binary.
+%%
+%% Design §12.3: at startup the kernel computes this CID and
+%% compares against a hardcoded value (here: a sibling `.cidhash`
+%% file). A mismatch is a hard refuse-to-start.
+
+build_genesis(ReadResult) ->
+    case ReadResult of
+        {ok, Sections} ->
+            Cid = cid:to_string({genesis_bundle, Sections}),
+            {ok, [{cid, Cid}, {sections, Sections}]};
+        Other ->
+            {error, {bad_read_result, Other}}
+    end.
+
+verify_genesis(ReadResult, ExpectedCid) ->
+    case build_genesis(ReadResult) of
+        {ok, [{cid, Cid}, _]} ->
+            case Cid =:= ExpectedCid of
+                true  -> ok;
+                false -> {error, {cid_mismatch, Cid, ExpectedCid}}
+            end;
+        Err -> Err
+    end.
+
+%% Sibling-file CID storage. "/.cidhash" appended to BasePath as
+%% an integer-segment binary (string-literal segments are broken).
+
+%% "/.cidhash" — 47='/' 46='.' c i d h a s h
+cidhash_path(BasePath) ->
+    <<BasePath/binary, 47, 46, 99, 105, 100, 104, 97, 115, 104>>.
+
+write_cidhash(BasePath, Cid) ->
+    file:write_file(cidhash_path(BasePath), Cid).
+
+read_cidhash(BasePath) ->
+    file:read_file(cidhash_path(BasePath)).

next/kernel/envelope.erl

@@ -0,0 +1,177 @@
+-module(envelope).
+-export([validate_shape/1, get_field/2, canonical_bytes/1, verify_signature/2]).
+
+%% Activity envelope per design §3.1.
+%%
+%% Erlang maps (#{...}) are not supported by this port, so envelopes
+%% are represented as property lists of {atom_key, value} pairs. This
+%% port's binary syntax also can't carry string literals; values that
+%% would naturally be binaries in real Erlang are kept as atoms or
+%% integer-segment binaries in the test corpus.
+%%
+%% Required fields: id, type, actor, published, signature.
+%% The signature value is itself a property list with key_id,
+%% algorithm, value.
+%%
+%% validate_shape/1 returns ok | {error, Reason}. Reasons:
+%%   not_a_proplist
+%%   {missing_field, FieldName}
+%%   {bad_signature, BadSigReason}
+%%
+%% get_field/2 returns {ok, Value} | not_found.
+
+validate_shape(Env) when is_list(Env) ->
+    case check_required([id, type, actor, published, signature], Env) of
+        ok -> validate_signature_shape(Env);
+        Err -> Err
+    end;
+validate_shape(_) ->
+    {error, not_a_proplist}.
+
+get_field(_, []) -> not_found;
+get_field(K, [{K, V} | _]) -> {ok, V};
+get_field(K, [_ | Rest]) -> get_field(K, Rest).
+
+check_required([], _) -> ok;
+check_required([F | Rest], Env) ->
+    case get_field(F, Env) of
+        {ok, _} -> check_required(Rest, Env);
+        not_found -> {error, {missing_field, F}}
+    end.
+
+validate_signature_shape(Env) ->
+    {ok, Sig} = get_field(signature, Env),
+    case is_list(Sig) of
+        true ->
+            case check_required([key_id, algorithm, value], Sig) of
+                ok -> ok;
+                {error, {missing_field, F}} ->
+                    {error, {bad_signature, {missing_field, F}}}
+            end;
+        false ->
+            {error, {bad_signature, not_a_proplist}}
+    end.
+
+%% canonical_bytes/1 — the byte string the signature covers.
+%%
+%% Real fed-sx will use dag-cbor over a JSON-LD-canonicalised form
+%% (design §3.2). For milestone 1 we stand in for that with the host
+%% BIF `cid:to_string/1`, which produces a CIDv1 over the deterministic
+%% textual form of the term. Two prior steps make this work:
+%%   1. The signature pair is stripped (sig covers everything except
+%%      itself).
+%%   2. The top-level property list is sorted by key so field order in
+%%      the source envelope is not load-bearing.
+%%
+%% The result is an Erlang binary suitable as the sig-cover input.
+
+canonical_bytes(Env) when is_list(Env) ->
+    Stripped = strip_signature(Env),
+    Sorted = sort_pairs(Stripped),
+    cid:to_string(Sorted).
+
+strip_signature([]) -> [];
+strip_signature([{signature, _} | Rest]) -> strip_signature(Rest);
+strip_signature([P | Rest]) -> [P | strip_signature(Rest)].
+
+sort_pairs([]) -> [];
+sort_pairs([H | T]) -> insert_pair(H, sort_pairs(T)).
+
+insert_pair(P, []) -> [P];
+insert_pair({K1, V1}, [{K2, V2} | Rest]) ->
+    case K1 < K2 of
+        true  -> [{K1, V1}, {K2, V2} | Rest];
+        false -> [{K2, V2} | insert_pair({K1, V1}, Rest)]
+    end.
+
+%% verify_signature/2 — time-aware sig verification per design §9.6.
+%%
+%% Activity carries a `signature` proplist with `key_id`, `algorithm`,
+%% `value`. ActorState carries `public_keys` — a list of key proplists
+%% with `id`, `created`, optionally `superseded_at`, and `value` (the
+%% key material).
+%%
+%% A key is active at time T iff `created =< T` AND
+%% (no `superseded_at` OR T < `superseded_at`). Verification picks the
+%% first matching active key whose `id == signature.key_id` at the
+%% activity's `published` timestamp, then recomputes the MAC
+%% `crypto:hash(sha256, <<KeyMaterial/binary, CanonicalBytes/binary>>)`
+%% and compares it to `signature.value`.
+%%
+%% Returns ok | {error, Reason}. Reasons:
+%%   no_signature | no_key_id | no_published | no_keys |
+%%   no_active_key | bad_signature
+%%
+%% Real RSA-SHA256 / Ed25519 verification is deferred to milestone 2:
+%% Phase 8 only ships `crypto:hash/2`, so we stand in with an HMAC-shaped
+%% MAC that exercises the same key-lookup and canonical-bytes pipeline.
+
+verify_signature(Activity, ActorState) ->
+    case get_field(signature, Activity) of
+        not_found -> {error, no_signature};
+        {ok, Sig} ->
+            case get_field(key_id, Sig) of
+                not_found -> {error, no_key_id};
+                {ok, KeyId} ->
+                    case get_field(published, Activity) of
+                        not_found -> {error, no_published};
+                        {ok, Published} ->
+                            verify_with_keys(Activity, Sig, KeyId,
+                                             Published, ActorState)
+                    end
+            end
+    end.
+
+verify_with_keys(Activity, Sig, KeyId, Published, ActorState) ->
+    case get_field(public_keys, ActorState) of
+        not_found -> {error, no_keys};
+        {ok, Keys} ->
+            case find_active_key(KeyId, Published, Keys) of
+                not_found -> {error, no_active_key};
+                {ok, Key} -> verify_mac(Activity, Sig, Key)
+            end
+    end.
+
+find_active_key(_, _, []) -> not_found;
+find_active_key(KeyId, Now, [Key | Rest]) ->
+    case is_matching_active_key(Key, KeyId, Now) of
+        true -> {ok, Key};
+        false -> find_active_key(KeyId, Now, Rest)
+    end.
+
+is_matching_active_key(Key, WantId, Now) ->
+    case get_field(id, Key) of
+        {ok, WantId} -> is_active_at(Key, Now);
+        _ -> false
+    end.
+
+is_active_at(Key, Now) ->
+    case get_field(created, Key) of
+        not_found -> false;
+        {ok, Created} ->
+            case Now >= Created of
+                false -> false;
+                true ->
+                    case get_field(superseded_at, Key) of
+                        not_found -> true;
+                        {ok, SupAt} -> Now < SupAt
+                    end
+            end
+    end.
+
+verify_mac(Activity, Sig, Key) ->
+    case get_field(value, Sig) of
+        not_found -> {error, bad_signature};
+        {ok, SigValue} ->
+            case get_field(value, Key) of
+                not_found -> {error, bad_signature};
+                {ok, KeyMat} ->
+                    Bytes = canonical_bytes(Activity),
+                    Computed = crypto:hash(sha256,
+                        <<KeyMat/binary, Bytes/binary>>),
+                    case SigValue =:= Computed of
+                        true -> ok;
+                        false -> {error, bad_signature}
+                    end
+            end
+    end.

next/kernel/log.erl

@@ -0,0 +1,63 @@
+-module(log).
+-export([open/2, append/2, tip/1, replay/3, entries/1]).
+
+%% Per-actor activity log — the canonical record of everything an
+%% actor has emitted, in chronological order. Per design §15.2 this
+%% lives on disk as a JSONL segment file; v1 starts with an in-memory
+%% backend so the API and seq-number machinery can be locked down
+%% before the on-disk format is added (Step 3b).
+%%
+%% State shape (a property list):
+%%   [{actor, ActorId}, {base, BasePath}, {seq, NextSeq}, {entries, [Act|...]}]
+%%
+%% `entries` stores activities in append order — i.e. oldest first.
+%% `seq` is the next sequence number that will be assigned by append.
+%% `base` is kept on the state for forward-compatibility with 3b
+%% (where it becomes the segment-file directory).
+%%
+%% open/2 takes ActorId + BasePath and returns {ok, LogState} starting
+%% with seq=0 and no entries.
+%%
+%% append/2 returns {ok, NewLogState, AssignedSeq}.
+%%
+%% tip/1 returns the next seq the log would assign (== count of entries).
+%%
+%% replay/3 folds Fun(Activity, AssignedSeq, Acc) over every entry in
+%% append order. Three-arity rather than two-arity because the plan's
+%% example test is "sequence numbers gap-free across replay" — having
+%% the seq number visible in the fold makes that test direct.
+%%
+%% entries/1 is a debug accessor returning [Activity, ...] in append
+%% order. Not part of the public API contract.
+
+open(ActorId, BasePath) ->
+    {ok, [{actor, ActorId}, {base, BasePath}, {seq, 0}, {entries, []}]}.
+
+append(LogState, Activity) ->
+    Seq = field(seq, LogState),
+    Entries = field(entries, LogState),
+    NewState = replace_field(seq, Seq + 1,
+                  replace_field(entries, Entries ++ [Activity], LogState)),
+    {ok, NewState, Seq}.
+
+tip(LogState) ->
+    field(seq, LogState).
+
+replay(LogState, InitAcc, Fun) ->
+    Entries = field(entries, LogState),
+    replay_loop(Entries, 0, InitAcc, Fun).
+
+replay_loop([], _, Acc, _) -> Acc;
+replay_loop([Act | Rest], Seq, Acc, Fun) ->
+    replay_loop(Rest, Seq + 1, Fun(Act, Seq, Acc), Fun).
+
+entries(LogState) ->
+    field(entries, LogState).
+
+field(K, [{K, V} | _]) -> V;
+field(K, [_ | Rest]) -> field(K, Rest);
+field(_, []) -> erlang:error(badkey).
+
+replace_field(K, V, []) -> [{K, V}];
+replace_field(K, V, [{K, _} | Rest]) -> [{K, V} | Rest];
+replace_field(K, V, [P | Rest]) -> [P | replace_field(K, V, Rest)].

next/kernel/nx_cid.erl

@@ -0,0 +1,24 @@
+-module(nx_cid).
+-export([from_sx/1, to_string/1, from_string/1, equals/2]).
+
+%% The kernel-side CID wrapper. The host BIF `cid:to_string/1` already
+%% produces a canonical CIDv1 (raw codec, sha2-256 multihash) over the
+%% deterministic textual form of any term (er-format-value); we expose
+%% it under the kernel namespace and add the equality + round-trip
+%% helpers the rest of the kernel needs.
+%%
+%% Naming note: the BIF module is `cid`, so we use `nx_cid` to avoid
+%% shadowing. Plans/fed-sx-milestone-1.md §Step 1 spells the file as
+%% `cid.erl`; the briefing flags Erlang snippets as illustrative.
+
+from_sx(V) ->
+    cid:to_string(V).
+
+to_string(Cid) ->
+    Cid.
+
+from_string(S) ->
+    S.
+
+equals(A, B) ->
+    A =:= B.

next/tests/bootstrap_build.sh

@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+# next/tests/bootstrap_build.sh — Step 4d acceptance test.
+#
+# Exercises bootstrap:build_genesis/1, verify_genesis/2,
+# cidhash_path/1, write_cidhash/2, read_cidhash/1. The bundle CID
+# is computed by delegating to the host cid:to_string BIF (Step 1b
+# substrate) over the read_genesis result. 11 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+# Clean any stale .cidhash from previous runs before tests touch
+# the filesystem.
+rm -f next/genesis/.cidhash
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE; rm -f next/genesis/.cidhash" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/bootstrap.erl\")) :name)")
+
+;; build_genesis returns {ok, [{cid, _}, {sections, _}]}
+(epoch 10)
+(eval "(erlang-eval-ast \"{ok, B} = bootstrap:build_genesis(bootstrap:read_genesis()), {Tag, _} = hd(B), Tag\")")
+
+;; The CID is a non-empty binary
+(epoch 11)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), is_binary(C)\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), byte_size(C) > 50\") :name)")
+
+;; build_genesis is deterministic across calls
+(epoch 13)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C1}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), {ok, [{cid, C2}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), C1 =:= C2\") :name)")
+
+;; build_genesis preserves the sections list
+(epoch 14)
+(eval "(erlang-eval-ast \"{ok, [_, {sections, S}]} = bootstrap:build_genesis(bootstrap:read_genesis()), length(S)\")")
+
+;; build_genesis rejects bad input shapes
+(epoch 15)
+(eval "(get (erlang-eval-ast \"case bootstrap:build_genesis({error, broken}) of {error, {bad_read_result, _}} -> ok; _ -> bad end\") :name)")
+
+;; verify_genesis returns ok when CID matches
+(epoch 20)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), bootstrap:verify_genesis(bootstrap:read_genesis(), C) =:= ok\") :name)")
+
+;; verify_genesis returns {error, {cid_mismatch, _, _}} when CID doesn't match
+(epoch 21)
+(eval "(get (erlang-eval-ast \"case bootstrap:verify_genesis(bootstrap:read_genesis(), <<99,99,99>>) of {error, {cid_mismatch, _, _}} -> ok; _ -> bad end\") :name)")
+
+;; cidhash_path concatenation
+(epoch 22)
+(eval "(get (erlang-eval-ast \"bootstrap:cidhash_path(<<110,101,120,116>>) =:= <<110,101,120,116,47,46,99,105,100,104,97,115,104>>\") :name)")
+
+;; write_cidhash + read_cidhash round-trip the bundle CID
+(epoch 23)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), Base = bootstrap:default_base(), ok = bootstrap:write_cidhash(Base, C), {ok, Stored} = bootstrap:read_cidhash(Base), Stored =:= C\") :name)")
+
+;; Full verify path against the persisted .cidhash
+(epoch 24)
+(eval "(get (erlang-eval-ast \"Base = bootstrap:default_base(), {ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), ok = bootstrap:write_cidhash(Base, C), {ok, Stored} = bootstrap:read_cidhash(Base), bootstrap:verify_genesis(bootstrap:read_genesis(), Stored) =:= ok\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 180 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "bootstrap"
+check 10  "build_genesis head tag"          "cid"
+check 11  "CID is a binary"                 "true"
+check 12  "CID length > 50"                 "true"
+check 13  "build_genesis deterministic"     "true"
+check 14  "sections preserved (7 entries)"  "7"
+check 15  "build_genesis rejects bad shape" "ok"
+check 20  "verify_genesis ok when match"    "true"
+check 21  "verify_genesis errs on mismatch" "ok"
+check 22  "cidhash_path concatenation"      "true"
+check 23  "write/read_cidhash round-trip"   "true"
+check 24  "verify against persisted hash"   "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/bootstrap_build.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/bootstrap_read.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+# next/tests/bootstrap_read.sh — Step 4c acceptance test.
+#
+# Exercises bootstrap:read_genesis/0, read_section/2, sections/0,
+# section_subdir/1, ends_with_sx/1. Verifies per-section file
+# counts match the manifest authored in Steps 4a/4b. 14 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/bootstrap.erl\")) :name)")
+
+;; sections/0 returns 7 atoms
+(epoch 10)
+(eval "(erlang-eval-ast \"length(bootstrap:sections())\")")
+
+;; ends_with_sx — positive on "create.sx", negative on "hello"
+(epoch 11)
+(eval "(get (erlang-eval-ast \"bootstrap:ends_with_sx(<<99,114,101,97,116,101,46,115,120>>)\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"bootstrap:ends_with_sx(<<104,101,108,108,111>>)\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"bootstrap:ends_with_sx(<<>>)\") :name)")
+
+;; Per-section file counts match the manifest (3/10/7/3/3/2/3)
+(epoch 20)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), activity_types))\")")
+(epoch 21)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), object_types))\")")
+(epoch 22)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), projections))\")")
+(epoch 23)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), validators))\")")
+(epoch 24)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), codecs))\")")
+(epoch 25)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), sig_suites))\")")
+(epoch 26)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), audience))\")")
+
+;; read_genesis/0 returns {ok, [{Section, Entries}, ...]} with 7 entries
+(epoch 30)
+(eval "(erlang-eval-ast \"{ok, G} = bootstrap:read_genesis(), length(G)\")")
+
+;; First entry is {activity_types, [_,_,_]}
+(epoch 31)
+(eval "(get (erlang-eval-ast \"{ok, G} = bootstrap:read_genesis(), {S, Entries} = hd(G), S\") :name)")
+
+;; Each entry has the right number of files
+(epoch 32)
+(eval "(erlang-eval-ast \"{ok, G} = bootstrap:read_genesis(), {_, E} = hd(G), length(E)\")")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "bootstrap"
+check 10  "sections/0 length"               "7"
+check 11  "ends_with_sx create.sx"          "true"
+check 12  "ends_with_sx hello"              "false"
+check 13  "ends_with_sx empty"              "false"
+check 20  "section activity_types count"    "3"
+check 21  "section object_types count"      "10"
+check 22  "section projections count"       "7"
+check 23  "section validators count"        "3"
+check 24  "section codecs count"            "3"
+check 25  "section sig_suites count"        "2"
+check 26  "section audience count"          "3"
+check 30  "read_genesis returns 7 sections" "7"
+check 31  "first section name"              "activity_types"
+check 32  "first section entry count"       "3"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/bootstrap_read.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/cid.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+# next/tests/cid.sh — Step 1b acceptance test.
+#
+# Loads next/kernel/nx_cid.erl into the Erlang-on-SX runtime and checks
+# the canonical CID contract: determinism, uniqueness, equality, and
+# to_string/from_string round-trip. 12 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/nx_cid.erl\")) :name)")
+
+;; from_sx returns a binary
+(epoch 10)
+(eval "(get (erlang-eval-ast \"is_binary(nx_cid:from_sx(foo))\") :name)")
+
+;; from_sx is deterministic on atoms / ints / compound terms
+(epoch 11)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(foo) =:= nx_cid:from_sx(foo)\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(42) =:= nx_cid:from_sx(42)\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx({a, [1, 2, 3]}) =:= nx_cid:from_sx({a, [1, 2, 3]})\") :name)")
+
+;; from_sx is collision-resistant on distinct terms
+(epoch 20)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(foo) =/= nx_cid:from_sx(bar)\") :name)")
+(epoch 21)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(1) =/= nx_cid:from_sx(2)\") :name)")
+(epoch 22)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx([1, 2]) =/= nx_cid:from_sx([1, 2, 3])\") :name)")
+
+;; equals/2 is alias for =:=
+(epoch 30)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_sx(foo), nx_cid:from_sx(foo))\") :name)")
+(epoch 31)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_sx(foo), nx_cid:from_sx(bar))\") :name)")
+
+;; to_string + from_string round-trip
+(epoch 40)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_string(nx_cid:to_string(nx_cid:from_sx(foo))), nx_cid:from_sx(foo))\") :name)")
+(epoch 41)
+(eval "(get (erlang-eval-ast \"is_binary(nx_cid:to_string(nx_cid:from_sx({tuple, 1, 2})))\") :name)")
+
+;; CIDv1 raw codec sha256 base32 form is around 59 chars; sanity-check length
+(epoch 50)
+(eval "(get (erlang-eval-ast \"byte_size(nx_cid:from_sx(hello)) > 50\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "nx_cid"
+check 10  "from_sx returns binary"          "true"
+check 11  "from_sx atom deterministic"      "true"
+check 12  "from_sx int deterministic"       "true"
+check 13  "from_sx compound deterministic"  "true"
+check 20  "from_sx atoms distinct"          "true"
+check 21  "from_sx ints distinct"           "true"
+check 22  "from_sx lists distinct"          "true"
+check 30  "equals same CIDs"                "true"
+check 31  "equals different CIDs"           "false"
+check 40  "to_string/from_string round-trip" "true"
+check 41  "to_string returns binary"        "true"
+check 50  "CIDv1 base32 length sanity"      "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/cid.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_canonical.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+# next/tests/envelope_canonical.sh — Step 2b acceptance test.
+#
+# Loads next/kernel/envelope.erl and checks canonical_bytes/1 contract:
+# returns a binary, deterministic across runs, invariant under
+# field-order permutation, invariant under signature changes, and
+# different for different covered content. 7 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; canonical_bytes returns a binary
+(epoch 10)
+(eval "(get (erlang-eval-ast \"is_binary(envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{published,1000},{signature,whatever}]))\") :name)")
+
+;; Determinism: same envelope twice -> same bytes
+(epoch 11)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice}])\") :name)")
+
+;; Signature stripping: different signatures -> same canonical bytes
+(epoch 12)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,sig_one}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,sig_two}])\") :name)")
+
+;; No signature vs some signature -> same canonical bytes
+(epoch 13)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,whatever}])\") :name)")
+
+;; Key-order invariance: reordering top-level fields -> same bytes
+(epoch 14)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{actor,alice},{type,create},{id,1}])\") :name)")
+
+;; Changing a covered field changes the bytes
+(epoch 15)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =/= envelope:canonical_bytes([{id,2},{type,create},{actor,alice}])\") :name)")
+
+;; Distinct envelopes -> distinct bytes
+(epoch 16)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =/= envelope:canonical_bytes([{id,1},{type,update},{actor,bob}])\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "envelope"
+check 10  "canonical_bytes returns binary"  "true"
+check 11  "deterministic"                   "true"
+check 12  "signature stripped (changes)"    "true"
+check 13  "signature stripped (absent)"     "true"
+check 14  "key-order invariant"             "true"
+check 15  "covered field change visible"    "true"
+check 16  "distinct envelopes distinct"     "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_canonical.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_shape.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+# next/tests/envelope_shape.sh — Step 2a acceptance test.
+#
+# Loads next/kernel/envelope.erl into the Erlang-on-SX runtime and
+# checks validate_shape/1 / get_field/2 against the design §3.1 shape
+# contract. 13 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; Reusable valid envelope as Erlang text. The signature itself is a
+;; property list with key_id, algorithm, value.
+;;   E0 = [{id,1},{type,create},{actor,alice},{published,1000},
+;;         {signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]
+
+;; Complete valid envelope
+(epoch 10)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= ok\") :name)")
+
+;; Missing each top-level required field
+(epoch 11)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,id}}\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,type}}\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,actor}}\") :name)")
+(epoch 14)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,published}}\") :name)")
+(epoch 15)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000}]) =:= {error,{missing_field,signature}}\") :name)")
+
+;; Non-list inputs
+(epoch 16)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape(42) =:= {error,not_a_proplist}\") :name)")
+(epoch 17)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape(some_atom) =:= {error,not_a_proplist}\") :name)")
+
+;; Signature sub-shape
+(epoch 20)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{algorithm,ed25519},{value,v}]}]) =:= {error,{bad_signature,{missing_field,key_id}}}\") :name)")
+(epoch 21)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{value,v}]}]) =:= {error,{bad_signature,{missing_field,algorithm}}}\") :name)")
+(epoch 22)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519}]}]) =:= {error,{bad_signature,{missing_field,value}}}\") :name)")
+(epoch 23)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,not_a_proplist}]) =:= {error,{bad_signature,not_a_proplist}}\") :name)")
+
+;; get_field
+(epoch 30)
+(eval "(get (erlang-eval-ast \"envelope:get_field(actor,[{id,1},{actor,alice}]) =:= {ok,alice}\") :name)")
+(epoch 31)
+(eval "(get (erlang-eval-ast \"envelope:get_field(missing,[{id,1},{actor,alice}]) =:= not_found\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                  "envelope"
+check 10  "complete envelope -> ok"           "true"
+check 11  "missing id"                        "true"
+check 12  "missing type"                      "true"
+check 13  "missing actor"                     "true"
+check 14  "missing published"                 "true"
+check 15  "missing signature"                 "true"
+check 16  "non-list (integer)"                "true"
+check 17  "non-list (atom)"                   "true"
+check 20  "signature missing key_id"          "true"
+check 21  "signature missing algorithm"       "true"
+check 22  "signature missing value"           "true"
+check 23  "signature not a proplist"          "true"
+check 30  "get_field hit"                     "true"
+check 31  "get_field miss"                    "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_shape.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_sig.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# next/tests/envelope_sig.sh — Step 2c acceptance test.
+#
+# Exercises envelope:verify_signature/2 against the full sig pipeline:
+# canonical_bytes + crypto:hash MAC + time-aware key validity per design
+# §9.6. 10 cases.
+#
+# The signature stand-in is HMAC-shaped:
+#   sig.value = crypto:hash(sha256, <<KeyMaterial/binary, CanonicalBytes/binary>>)
+# Real Ed25519/RSA verification is deferred to milestone 2 once the
+# corresponding crypto BIFs are wired.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+# Shared Erlang prelude builds a valid-signed envelope template and an
+# actor state with one active key. Each test reuses these and asserts
+# against an Erlang =:= comparison so the result is a bare boolean.
+PRELUDE='KM = <<1,2,3,4>>, U = [{actor,alice},{id,1},{published,100},{type,create}], CB = envelope:canonical_bytes(U), Sig = crypto:hash(sha256, <<KM/binary, CB/binary>>), Env = [{actor,alice},{id,1},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], AS = [{public_keys, [[{id,k1},{created,50},{value,KM}]]}],'
+
+cat > "$TMPFILE" <<EPOCHS
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; valid sig + active key -> ok
+(epoch 10)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(Env, AS) =:= ok\") :name)")
+
+;; tampered envelope (id mutated post-sign) -> bad_signature
+(epoch 11)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Tampered = [{actor,alice},{id,999},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], envelope:verify_signature(Tampered, AS) =:= {error,bad_signature}\") :name)")
+
+;; wrong sig value (random bytes) -> bad_signature
+(epoch 12)
+(eval "(get (erlang-eval-ast \"${PRELUDE} BadEnv = [{actor,alice},{id,1},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,<<0,0,0,0>>}]}], envelope:verify_signature(BadEnv, AS) =:= {error,bad_signature}\") :name)")
+
+;; unknown key_id -> no_active_key
+(epoch 13)
+(eval "(get (erlang-eval-ast \"${PRELUDE} OtherAS = [{public_keys, [[{id,k_other},{created,50},{value,KM}]]}], envelope:verify_signature(Env, OtherAS) =:= {error,no_active_key}\") :name)")
+
+;; key superseded BEFORE published -> no_active_key
+(epoch 14)
+(eval "(get (erlang-eval-ast \"${PRELUDE} SupAS = [{public_keys, [[{id,k1},{created,50},{superseded_at,80},{value,KM}]]}], envelope:verify_signature(Env, SupAS) =:= {error,no_active_key}\") :name)")
+
+;; key superseded AFTER published -> ok (historical valid)
+(epoch 15)
+(eval "(get (erlang-eval-ast \"${PRELUDE} SupAS2 = [{public_keys, [[{id,k1},{created,50},{superseded_at,200},{value,KM}]]}], envelope:verify_signature(Env, SupAS2) =:= ok\") :name)")
+
+;; key not yet created at published -> no_active_key
+(epoch 16)
+(eval "(get (erlang-eval-ast \"${PRELUDE} FutAS = [{public_keys, [[{id,k1},{created,150},{value,KM}]]}], envelope:verify_signature(Env, FutAS) =:= {error,no_active_key}\") :name)")
+
+;; missing signature field -> no_signature
+(epoch 17)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(U, AS) =:= {error,no_signature}\") :name)")
+
+;; actor state with no public_keys field -> no_keys
+(epoch 18)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(Env, []) =:= {error,no_keys}\") :name)")
+
+;; second key in list matches when first doesn't (lookup walks list)
+(epoch 19)
+(eval "(get (erlang-eval-ast \"${PRELUDE} TwoKeys = [{public_keys, [[{id,k_other},{created,50},{value,<<9,9,9>>}], [{id,k1},{created,50},{value,KM}]]}], envelope:verify_signature(Env, TwoKeys) =:= ok\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "envelope"
+check 10  "valid sig active key"            "true"
+check 11  "tampered envelope"               "true"
+check 12  "wrong sig value"                 "true"
+check 13  "unknown key_id"                  "true"
+check 14  "key superseded before published" "true"
+check 15  "key superseded after published"  "true"
+check 16  "key not yet created"             "true"
+check 17  "missing signature field"         "true"
+check 18  "actor state no keys"             "true"
+check 19  "match second key in list"        "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_sig.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/genesis_parse.sh

@@ -0,0 +1,206 @@
+#!/usr/bin/env bash
+# next/tests/genesis_parse.sh — Step 4a acceptance test.
+#
+# Confirms the seed genesis SX files parse cleanly and have the
+# expected top-level head form. The bundler (Step 4c+) consumes
+# these forms directly as data. 50 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 10)
+(eval "(first (parse (file-read \"next/genesis/manifest.sx\")))")
+(epoch 11)
+(eval "(first (parse (file-read \"next/genesis/activity-types/create.sx\")))")
+(epoch 12)
+(eval "(first (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :activity-types))")
+(epoch 13)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/activity-types/create.sx\")))) :name)")
+(epoch 14)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :version)")
+(epoch 15)
+(eval "(first (parse (file-read \"next/genesis/activity-types/update.sx\")))")
+(epoch 16)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/activity-types/update.sx\")))) :name)")
+(epoch 17)
+(eval "(first (parse (file-read \"next/genesis/activity-types/delete.sx\")))")
+(epoch 18)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/activity-types/delete.sx\")))) :name)")
+(epoch 19)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :activity-types))")
+(epoch 30)
+(eval "(first (parse (file-read \"next/genesis/object-types/sx-artifact.sx\")))")
+(epoch 31)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/sx-artifact.sx\")))) :name)")
+(epoch 32)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/note.sx\")))) :name)")
+(epoch 33)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/tombstone.sx\")))) :name)")
+(epoch 34)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-activity.sx\")))) :name)")
+(epoch 35)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-object.sx\")))) :name)")
+(epoch 36)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-projection.sx\")))) :name)")
+(epoch 37)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-validator.sx\")))) :name)")
+(epoch 38)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-codec.sx\")))) :name)")
+(epoch 39)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-sig-suite.sx\")))) :name)")
+(epoch 40)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/snapshot.sx\")))) :name)")
+(epoch 41)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :object-types))")
+(epoch 50)
+(eval "(first (parse (file-read \"next/genesis/projections/activity-log.sx\")))")
+(epoch 51)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/activity-log.sx\")))) :name)")
+(epoch 52)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/by-type.sx\")))) :name)")
+(epoch 53)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/by-actor.sx\")))) :name)")
+(epoch 54)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/by-object.sx\")))) :name)")
+(epoch 55)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/actor-state.sx\")))) :name)")
+(epoch 56)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/define-registry.sx\")))) :name)")
+(epoch 57)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/audience-graph.sx\")))) :name)")
+(epoch 58)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :projections))")
+(epoch 60)
+(eval "(first (parse (file-read \"next/genesis/validators/envelope-shape.sx\")))")
+(epoch 61)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/validators/envelope-shape.sx\")))) :name)")
+(epoch 62)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/validators/signature.sx\")))) :name)")
+(epoch 63)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/validators/type-schema.sx\")))) :name)")
+(epoch 64)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :validators))")
+(epoch 70)
+(eval "(first (parse (file-read \"next/genesis/codecs/dag-cbor.sx\")))")
+(epoch 71)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/dag-cbor.sx\")))) :name)")
+(epoch 72)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/raw.sx\")))) :name)")
+(epoch 73)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/dag-json.sx\")))) :name)")
+(epoch 74)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :codecs))")
+(epoch 80)
+(eval "(first (parse (file-read \"next/genesis/sig-suites/rsa-sha256-2018.sx\")))")
+(epoch 81)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/sig-suites/rsa-sha256-2018.sx\")))) :name)")
+(epoch 82)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/sig-suites/ed25519-2020.sx\")))) :name)")
+(epoch 83)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :sig-suites))")
+(epoch 90)
+(eval "(first (parse (file-read \"next/genesis/audience/public.sx\")))")
+(epoch 91)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/public.sx\")))) :name)")
+(epoch 92)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/followers.sx\")))) :name)")
+(epoch 93)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/direct.sx\")))) :name)")
+(epoch 94)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :audience))")
+EPOCHS
+
+OUTPUT=$(timeout 30 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check 10 "manifest.sx head form"        "GenesisManifest"
+check 11 "create.sx head form"          "DefineActivity"
+check 12 "manifest lists create.sx"     "activity-types/create.sx"
+check 13 "create.sx name is Create"     "Create"
+check 14 "manifest version present"     "0.0.1"
+check 15 "update.sx head form"          "DefineActivity"
+check 16 "update.sx name is Update"     "Update"
+check 17 "delete.sx head form"          "DefineActivity"
+check 18 "delete.sx name is Delete"     "Delete"
+check 19 "manifest has 3 activity-types" "3"
+check 30 "sx-artifact.sx head form"     "DefineObject"
+check 31 "sx-artifact.sx name"          "SXArtifact"
+check 32 "note.sx name"                 "Note"
+check 33 "tombstone.sx name"            "Tombstone"
+check 34 "define-activity.sx name"      "DefineActivity"
+check 35 "define-object.sx name"        "DefineObject"
+check 36 "define-projection.sx name"    "DefineProjection"
+check 37 "define-validator.sx name"     "DefineValidator"
+check 38 "define-codec.sx name"         "DefineCodec"
+check 39 "define-sig-suite.sx name"     "DefineSigSuite"
+check 40 "snapshot.sx name"             "Snapshot"
+check 41 "manifest has 10 object-types" "10"
+check 50 "activity-log.sx head form"    "DefineProjection"
+check 51 "activity-log.sx name"         "activity-log"
+check 52 "by-type.sx name"              "by-type"
+check 53 "by-actor.sx name"             "by-actor"
+check 54 "by-object.sx name"            "by-object"
+check 55 "actor-state.sx name"          "actor-state"
+check 56 "define-registry.sx name"      "define-registry"
+check 57 "audience-graph.sx name"       "audience-graph"
+check 58 "manifest has 7 projections"   "7"
+check 60 "envelope-shape.sx head form"  "DefineValidator"
+check 61 "envelope-shape.sx name"       "envelope-shape"
+check 62 "signature.sx name"            "signature"
+check 63 "type-schema.sx name"          "type-schema"
+check 64 "manifest has 3 validators"    "3"
+check 70 "dag-cbor.sx head form"        "DefineCodec"
+check 71 "dag-cbor.sx name"             "dag-cbor"
+check 72 "raw.sx name"                  "raw"
+check 73 "dag-json.sx name"             "dag-json"
+check 74 "manifest has 3 codecs"        "3"
+check 80 "rsa-sha256-2018.sx head form" "DefineSigSuite"
+check 81 "rsa-sha256-2018.sx name"      "rsa-sha256-2018"
+check 82 "ed25519-2020.sx name"         "ed25519-2020"
+check 83 "manifest has 2 sig-suites"    "2"
+check 90 "public.sx head form"          "DefineAudience"
+check 91 "public.sx name"               "Public"
+check 92 "followers.sx name"            "Followers"
+check 93 "direct.sx name"               "Direct"
+check 94 "manifest has 3 audience"      "3"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/genesis_parse.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/log_memory.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+# next/tests/log_memory.sh — Step 3a acceptance test.
+#
+# Exercises the in-memory log API: open/2, append/2, tip/1, replay/3,
+# entries/1. On-disk persistence is the job of Step 3b. 11 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/log.erl\")) :name)")
+
+;; Fresh log: tip is 0
+(epoch 10)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), log:tip(L) =:= 0\") :name)")
+
+;; Fresh log: entries empty
+(epoch 11)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), log:entries(L) =:= []\") :name)")
+
+;; First append returns seq 0; tip advances to 1
+(epoch 12)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, S} = log:append(L0, act_a), {S, log:tip(L1)} =:= {0, 1}\") :name)")
+
+;; Two appends: seq 0,1; tip = 2
+(epoch 13)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, S0} = log:append(L0, a), {ok, L2, S1} = log:append(L1, b), {S0, S1, log:tip(L2)} =:= {0, 1, 2}\") :name)")
+
+;; Five appends: seq sequence gap-free
+(epoch 14)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, S0} = log:append(L0, a), {ok, L2, S1} = log:append(L1, b), {ok, L3, S2} = log:append(L2, c), {ok, L4, S3} = log:append(L3, d), {ok, L5, S4} = log:append(L4, e), {S0,S1,S2,S3,S4,log:tip(L5)} =:= {0,1,2,3,4,5}\") :name)")
+
+;; entries/1 returns activities in append order
+(epoch 15)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, a), {ok, L2, _} = log:append(L1, b), {ok, L3, _} = log:append(L2, c), log:entries(L3) =:= [a, b, c]\") :name)")
+
+;; Round-trip: appended activity is recoverable byte-for-byte
+(epoch 16)
+(eval "(get (erlang-eval-ast \"Act = [{id,1},{type,create},{actor,alice}], {ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, Act), log:entries(L1) =:= [Act]\") :name)")
+
+;; Per-actor isolation: two logs are independent
+(epoch 17)
+(eval "(get (erlang-eval-ast \"{ok, LA0} = log:open(alice, base), {ok, LB0} = log:open(bob, base), {ok, LA1, _} = log:append(LA0, a), {ok, LB1, _} = log:append(LB0, b1), {ok, LB2, _} = log:append(LB1, b2), {log:tip(LA1), log:tip(LB2)} =:= {1, 2}\") :name)")
+
+;; replay/3 visits all activities in append order with monotonic seqs
+(epoch 18)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, a), {ok, L2, _} = log:append(L1, b), {ok, L3, _} = log:append(L2, c), log:replay(L3, [], fun (A, S, Acc) -> [{S, A} | Acc] end) =:= [{2,c},{1,b},{0,a}]\") :name)")
+
+;; replay over empty log: InitAcc returned unchanged
+(epoch 19)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), log:replay(L, init_acc, fun (_, _, A) -> A end) =:= init_acc\") :name)")
+
+;; replay can compute a derived state (sum of integer activities)
+(epoch 20)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, 10), {ok, L2, _} = log:append(L1, 20), {ok, L3, _} = log:append(L2, 30), log:replay(L3, 0, fun (V, _, Acc) -> V + Acc end) =:= 60\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                  "log"
+check 10  "fresh log tip is 0"                "true"
+check 11  "fresh log entries empty"           "true"
+check 12  "append returns seq 0, tip 1"       "true"
+check 13  "two appends seq 0,1; tip 2"        "true"
+check 14  "five appends gap-free"             "true"
+check 15  "entries in append order"           "true"
+check 16  "round-trip activity"               "true"
+check 17  "per-actor isolation"               "true"
+check 18  "replay visits all in order"        "true"
+check 19  "replay over empty log"             "true"
+check 20  "replay computes derived state"     "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/log_memory.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

plans/fed-sx-milestone-1.md

@@ -99,6 +99,10 @@ in isolation, and a clear acceptance check.
 
 ## Step 1 — Repo skeleton + canonical CID
 
+**Sub-deliverables:**
+- [x] **1a** — `next/` directory skeleton, README, `.gitignore` for `data/`
+- [x] **1b** — `next/kernel/nx_cid.erl` (from_sx/to_string/from_string/equals) + `next/tests/cid.sh` (13 cases). Module is `nx_cid` not `cid` — the `cid` BIF module would be shadowed by a user module of the same name; plan §Step 1's `cid.erl` is illustrative per briefing.
+
 **Deliverables:**
 
 ```
@@ -146,6 +150,11 @@ canonicalize_sx(V) -> ...                  % sorts dict keys, normalizes strings
 
 ## Step 2 — Activity envelope + signature verify
 
+**Sub-deliverables:**
+- [x] **2a** — `next/kernel/envelope.erl` `validate_shape/1` + `get_field/2` (property-list envelope; Erlang maps `#{}` not supported in this port) + `next/tests/envelope_shape.sh` (15 cases)
+- [x] **2b** — `canonical_bytes/1` over sig-stripped, key-sorted envelope (deterministic textual form via `cid:to_string` substrate; dag-cbor stand-in for v1) + `next/tests/envelope_canonical.sh` (8 cases)
+- [x] **2c** — `verify_signature/2` against actor `public_keys`, time-aware key validity per design §9.6 (created ≤ published, optional supersession check) + `next/tests/envelope_sig.sh` (11 cases). Signature scheme is HMAC-shaped (`crypto:hash(sha256, KeyMaterial ++ canonical_bytes)`) — RSA/Ed25519 verify deferred to m2 (BIFs not yet wired).
+
 **Deliverables:**
 
 ```erlang
@@ -186,6 +195,13 @@ verify_signature(Activity, ActorState) ->
 
 ## Step 3 — JSONL log + sequence numbers
 
+**Sub-deliverables:**
+- [x] **3a** — `log:open/2` + `log:append/2` + `log:tip/1` + `log:replay/3` + `log:entries/1` over an in-memory log state (per-actor seq; replay in append order; round-trip the stored activity). `next/tests/log_memory.sh` (12 cases).
+- [ ] **3b** — *Parked behind substrate gap (see Blockers below).* Term codec + on-disk persistence: serializer/parser writing each activity as a JSONL-style line; restart-resumes-tip from the segment file.
+- [ ] **3c** — Segment rotation at size threshold + gen_server-mediated concurrent appends.
+
+**Blockers (Step 3b):** The Erlang port returns SX strings (an opaque OCaml-string type) from `atom_to_list/1` and `integer_to_list/1`, rejects them from `++`/list pattern matching, and does not register `binary_to_list`/`list_to_binary`. `$X` character literals decode to `nil` in `parse-number`. Net effect: there is no in-Erlang path from an arbitrary term to a byte sequence (or back) that doesn't go through a temp-file round-trip through the filesystem. Workaround paths: (a) add a `term_to_binary`/`binary_to_term` BIF in a separate substrate loop, (b) accept a filesystem-mediated SX-string→binary helper and live with the O(N) IO cost, (c) restrict the on-disk format to a binary-only encoding with a per-instance atom-id table for atoms (introduces an extra durability dependency). Decision to defer; revisit once a downstream Step (5–8) forces the issue or a substrate BIF arrives. In-memory log from 3a is sufficient to unblock Step 5+ which consume the API surface.
+
 **Deliverables:**
 
 ```erlang
@@ -227,6 +243,17 @@ replay(LogState, InitAcc, Fun) -> ...
 
 ## Step 4 — Genesis bundle
 
+**Sub-deliverables:**
+- [x] **4a** — Seed genesis SX file authoring: `next/genesis/manifest.sx` + `next/genesis/activity-types/create.sx`. Manifest uses bare parenthesised paths (data lists, not `(list ...)` calls — consumed by `parse`, not `eval`). `next/tests/genesis_parse.sh` (5 cases).
+- [x] **4b-act** — Remaining activity-types: `update.sx` + `delete.sx`, manifest updated, parse tests (10 cases total in `genesis_parse.sh`)
+- [x] **4b-obj** — Object-types: SXArtifact, Note, Tombstone, DefineActivity, DefineObject, DefineProjection, DefineValidator, DefineCodec, DefineSigSuite, Snapshot — 10 `DefineObject` files + manifest updated + 12 new parse tests
+- [x] **4b-proj** — Projections: activity-log, by-type, by-actor, by-object, actor-state, define-registry, audience-graph — 7 `DefineProjection` files + manifest updated + 9 new parse tests
+- [x] **4b-vld** — Validators: envelope-shape, signature, type-schema — 3 `DefineValidator` files + manifest updated + 5 new parse tests
+- [x] **4b-cod** — Codecs (dag-cbor, raw, dag-json) + sig-suites (rsa-sha256-2018, ed25519-2020) + audience predicates (Public, Followers, Direct) — 8 SX files + manifest fully populated + 14 new parse tests
+- [x] **4c** — `bootstrap:read_genesis/0,1` + `read_section/2` + `sections/0` + `section_subdir/1` + `ends_with_sx/1` in Erlang: walk seven hardcoded section subdirs, filter `.sx` files via byte-pattern suffix match, read each into a binary. Returns `{ok, [{Section, [{Name, Bytes}, ...]}, ...]}`. Skips SX parsing — the substrate has no in-Erlang binary→SX-term path (same gap as Step 3b); bundle CID over raw bytes is enough for Step 4d. `next/tests/bootstrap_read.sh` (15 cases).
+- [x] **4d** — `bootstrap:build_genesis/1` + `verify_genesis/2` + `cidhash_path/1` + `write_cidhash/2` + `read_cidhash/1`: bundle CID via host `cid:to_string` over `{genesis_bundle, Sections}`; mismatch returns `{error, {cid_mismatch, Got, Expected}}`; `.cidhash` sibling file persists between runs. `next/tests/bootstrap_build.sh` (12 cases).
+- [ ] **4e** — `bootstrap:load_genesis/1`: register parsed definitions into the in-memory registry (depends on Step 5)
+
 **Deliverables:**
 
 Genesis bundle SX sources (per design §12.2). Each is a small SX file authored
@@ -920,3 +947,26 @@ A few things still under-specified; resolve as work begins.
    60 seconds." Tunable per-projection later; v1 uses the default.
 5. **Genesis bundle format.** Dag-cbor map per §12.2; concrete schema needs
    one round of refinement once we author the actual definitions in step 4.
+
+---
+
+## Progress log
+
+Newest first. One line per sub-deliverable commit. Erlang conformance gate
+(`bash lib/erlang/conformance.sh`) must remain 729/729 on every entry.
+
+- **2026-05-28** — Step 4d: `bootstrap:build_genesis/1` + `verify_genesis/2` + `.cidhash` helpers in `next/kernel/bootstrap.erl`. Bundle CID delegated to host `cid:to_string` over `{genesis_bundle, Sections}` — deterministic, ~59 byte CIDv1 binary. `verify_genesis/2` returns `ok` on match, `{error, {cid_mismatch, Got, Expected}}` on drift. `write_cidhash`/`read_cidhash` persist the CID to a `.cidhash` sibling file (path hand-spelled `<<...,47,46,99,...>>` per the string-literal-in-binary substrate quirk). `next/tests/bootstrap_build.sh` 12/12. Erlang conformance 729/729.
+- **2026-05-27** — Step 4c: `next/kernel/bootstrap.erl` — Erlang module that enumerates the genesis bundle by walking seven hardcoded section subdirs via `file:list_dir/1`, filters `.sx` files via byte-pattern suffix match (`ends_with_sx/1`), reads each into a binary via `file:read_file/1`. Returns `{ok, [{Section, [{Name, Bytes}, ...]}]}`. Hits the same SX-parser substrate gap as Step 3b — kept the surface byte-only; parsing happens via SX-side helpers in later steps. Port gotchas: `fun name/arity` references unsupported (use anonymous fun wrappers); `<<"...">>` string-literal segments truncate to one byte (paths hand-spelled as integer-segment binaries). `next/tests/bootstrap_read.sh` 15/15. Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-cod: bootstrap codecs + sig-suites + audience predicates complete. 3 `DefineCodec` files (dag-cbor + raw + dag-json, dag-cbor + dag-json deferring to host-codec primitive when wired), 2 `DefineSigSuite` files (rsa-sha256-2018 PEM-keyed, ed25519-2020 multibase-keyed, both :verify returning false as m2-deferred stand-in), 3 `DefineAudience` files (Public/Followers/Direct member-of predicates per design §16). Manifest now lists 26 bootstrap files across all eight sections; `next/tests/genesis_parse.sh` 50/50. Step 4b complete; remaining Step 4 is bundler code (4c–4e). Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-vld: bootstrap validators complete — 3 `DefineValidator` SX files (envelope-shape mirroring Step 2a, signature stub delegating to envelope:verify_signature/2 per design §9.6, type-schema looking up the object-type schema from define-registry). Manifest `:validators` populated; `next/tests/genesis_parse.sh` 36/36. Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-proj: bootstrap projections complete — 7 `DefineProjection` SX files authored (activity-log identity, by-type/by-actor/by-object indexes, actor-state with key history fold, define-registry meta-fold over Create{Define*}, audience-graph stub). Manifest `:projections` populated; `next/tests/genesis_parse.sh` 31/31. Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-obj: bootstrap object-types complete — 10 `DefineObject` SX files authored (SXArtifact, Note, Tombstone, DefineActivity, DefineObject, DefineProjection, DefineValidator, DefineCodec, DefineSigSuite, Snapshot). Each carries an SX `:schema` predicate. Manifest `:object-types` populated; `next/tests/genesis_parse.sh` 22/22. Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-act: bootstrap activity-types complete — `update.sx` (Update verb, requires :object CID + :patch) + `delete.sx` (Delete verb, requires :object CID) authored as DefineActivity forms matching the Create shape. Manifest updated; `next/tests/genesis_parse.sh` 10/10. Step 4b broken into act/obj/proj/vld/cod sub-deliverables on the plan. Erlang conformance 729/729.
+- **2026-05-27** — Step 4a: genesis bundle seeded. `next/genesis/manifest.sx` (GenesisManifest with eight section keys, only `:activity-types` populated for now) + `next/genesis/activity-types/create.sx` (DefineActivity{Create} with :schema/:semantics SX bodies). `next/tests/genesis_parse.sh` 5/5. Step 3b parked behind a substrate-level term-codec gap — Blockers note added under Step 3; in-memory log from 3a unblocks Step 5+ which only need the API surface. Erlang conformance 729/729.
+- **2026-05-27** — Step 3a: `log:open/2 append/2 tip/1 replay/3 entries/1` over an in-memory state (per-actor seq, replay in append order, round-trip activities). `next/tests/log_memory.sh` 12/12. Pivoted from on-disk in this iteration: this port's `atom_to_list`/`integer_to_list` return SX strings rather than Erlang charlists, `binary_to_list` is unregistered, and `$X` char literals decode to nil — so a term codec needs a workaround. Captured as the Step 3b risk note in the plan. Erlang conformance 729/729.
+- **2026-05-26** — Step 2c: `envelope:verify_signature/2` — time-aware key lookup over `public_keys` (created ≤ published < superseded_at), MAC recompute via `crypto:hash(sha256, KeyMaterial ++ canonical_bytes)`, compared against `signature.value`. Returns ok or one of `no_signature | no_key_id | no_published | no_keys | no_active_key | bad_signature`. `next/tests/envelope_sig.sh` 11/11 pass. Erlang conformance 729/729.
+- **2026-05-26** — Step 2b: `envelope:canonical_bytes/1` — strip signature, insertion-sort property list by key, return host-CID-string as deterministic byte form (dag-cbor stand-in). `next/tests/envelope_canonical.sh` 8/8 pass. Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 2a: `next/kernel/envelope.erl` `validate_shape/1` + `get_field/2` over property-list envelopes (Erlang `#{}` maps not supported in this port). `next/tests/envelope_shape.sh` 15/15 pass. Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 1b: `next/kernel/nx_cid.erl` (from_sx/to_string/from_string/equals) — thin Erlang wrapper around the `cid:to_string/1` BIF. `next/tests/cid.sh` 13/13 pass. Module named `nx_cid` to avoid shadowing the `cid` BIF (user-module dispatch takes precedence over BIFs by module name). Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 1a: `next/` skeleton created (kernel/, genesis/, tests/, data/), README, `.gitignore data/`. Erlang conformance 729/729 preserved.
+