fed-sx-m1: Step 7a — pure-functional projection driver + 12 tests

Wires the 3 previously-BLOCKED Phase 8 FFI BIFs against loops/fed-prims
primitives (merged at 380bc69f):

- crypto:hash/2 → crypto-sha256/sha512/sha3-256 (atom dispatch, raw-binary
  return via er-hex->bytes), +6 ffi tests
- cid:from_bytes/1 → CIDv1 raw-codec (0x55) + sha2-256 multihash assembled
  in SX; cid:to_string/1 → cid-from-sx of canonical er-format-value string,
  +7 ffi tests
- file:list_dir/1 → file-list-dir, {ok,[Binary]} / {error,Reason} reusing
  er-classify-file-error, +4 ffi tests

ffi suite 14 → 28 (3 BLOCKED negative-asserts flipped to functional tests).
httpc:request and sqlite:* remain BLOCKED — need HTTP-client and SQLite
host primitives which loops/fed-prims didn't deliver.

Full conformance 729/729 (eval 385, vm 78, ffi 28, all process suites).

next/.gitignore

@@ -0,0 +1 @@
+data/

next/README.md

@@ -0,0 +1,34 @@
+# next — fed-sx Milestone 1 kernel
+
+Single-instance, single-actor fed-sx server built as Erlang-on-SX modules.
+See `plans/fed-sx-design.md` for the architecture and
+`plans/fed-sx-milestone-1.md` for the build plan.
+
+## Layout
+
+```
+next/
+├── kernel/      Erlang-on-SX kernel modules (.erl, hot-loaded via code:load_binary/3)
+├── genesis/     SX source files for the genesis bootstrap bundle (DefineActivity, ...)
+├── tests/       Bash test scripts driving sx_server.exe via the epoch protocol
+└── data/        Runtime state — gitignored
+    ├── log/         per-actor JSONL outboxes
+    ├── objects/     CID-addressed artifacts on disk
+    ├── snapshots/   projection snapshots
+    ├── indexes/     derived projection index files
+    └── keys/        actor signing keys + bearer tokens
+```
+
+## Substrate
+
+The kernel is Erlang-on-SX. Each `.erl` source file is hot-loaded at boot via
+`code:load_binary(Mod, Filename, SourceString)` (Erlang Phase 7 BIF). The
+underlying SX runtime provides the host primitives the kernel calls into:
+`crypto:*`, `cid:*`, `file:*`, `code:*`, and (Step 8) `http:listen/2`.
+
+Tests drive the kernel via the epoch protocol:
+
+```bash
+printf '(epoch 1)\n(load "lib/erlang/runtime.sx")\n(epoch 2)\n<test-expr>\n' \
+  | hosts/ocaml/_build/default/bin/sx_server.exe
+```

next/genesis/activity-types/create.sx

@@ -0,0 +1,15 @@
+;; next/genesis/activity-types/create.sx
+;;
+;; Bootstrap definition of the Create verb per design §3 and §12.2.
+;; Read as data by the bundler (bootstrap.erl) — never evaluated as
+;; code. The :schema and :semantics bodies are SX source; the
+;; validation pipeline (Step 6) and projection scheduler (Step 7)
+;; evaluate them at the appropriate times.
+
+(DefineActivity
+  :name "Create"
+  :doc "Publish a new object. Required for actor onboarding and for\n        every Define* meta-activity. The activity's :object holds\n        the canonical content of the published object."
+  :schema (fn
+    (act)
+    (and (not (nil? (-> act :object))) (string? (-> act :object :type))))
+  :semantics (fn (state act) state))

next/genesis/activity-types/delete.sx

@@ -0,0 +1,13 @@
+;; next/genesis/activity-types/delete.sx
+;;
+;; Bootstrap definition of the Delete verb per design §3 and §12.2.
+;; Read as data by the bundler — never evaluated as code here. The
+;; :schema and :semantics bodies are SX source; the validator
+;; pipeline (Step 6) and projection scheduler (Step 7) evaluate them
+;; at the appropriate times.
+
+(DefineActivity
+  :name "Delete"
+  :doc "Tombstone an existing object. :object is the CID of the\n        target. Projections fold Delete by removing the object from\n        their working indexes; the underlying log line is never\n        erased — durability of the historical record is independent\n        of projection state."
+  :schema (fn (act) (string? (-> act :object)))
+  :semantics (fn (state act) state))

next/genesis/activity-types/update.sx

@@ -0,0 +1,15 @@
+;; next/genesis/activity-types/update.sx
+;;
+;; Bootstrap definition of the Update verb per design §3 and §12.2.
+;; Read as data by the bundler — never evaluated as code here. The
+;; :schema and :semantics bodies are SX source; the validator
+;; pipeline (Step 6) and projection scheduler (Step 7) evaluate them
+;; at the appropriate times.
+
+(DefineActivity
+  :name "Update"
+  :doc "Patch or replace an existing object. :object is the CID of\n        the target; :patch is the field-level edit. Behaviour is\n        delegated to per-object-type semantics — e.g. an Update of a\n        DefineActivity supersedes the prior registry entry; an\n        Update of a Person actor rotates keys via :patch :add-publicKey\n        + :patch :supersede."
+  :schema (fn
+    (act)
+    (and (string? (-> act :object)) (not (nil? (-> act :patch)))))
+  :semantics (fn (state act) state))

next/genesis/audience/direct.sx

@@ -0,0 +1,14 @@
+;; next/genesis/audience/direct.sx
+;;
+;; Direct audience: an actor is a member iff they are
+;; explicitly named in the activity's :to or :cc lists. No
+;; group expansion — true direct addressing only.
+
+(DefineAudience
+  :name "Direct"
+  :doc "Direct-addressing predicate. Tests literal membership\n        in the activity's :to or :cc."
+  :member-of (fn
+    (actor audience)
+    (or
+      (member? actor (-> audience :to))
+      (member? actor (-> audience :cc)))))

next/genesis/audience/followers.sx

@@ -0,0 +1,14 @@
+;; next/genesis/audience/followers.sx
+;;
+;; Followers audience: an actor is a member iff they appear in
+;; the audience-owner's :followers set in the audience-graph
+;; projection. Federation (m2) wires this to peer delivery.
+
+(DefineAudience
+  :name "Followers"
+  :doc "Followers-of-owner predicate. Looks up the\n        audience-graph projection's :followers list for the\n        audience owner and tests membership."
+  :member-of (fn
+    (actor audience)
+    (member?
+      actor
+      (-> (get-projection :audience-graph) (-> audience :owner) :followers))))

next/genesis/audience/public.sx

@@ -0,0 +1,9 @@
+;; next/genesis/audience/public.sx
+;;
+;; Public audience: every actor is a member. Maps to the AP
+;; magic id `https://www.w3.org/ns/activitystreams#Public`.
+
+(DefineAudience
+  :name "Public"
+  :doc "Public audience predicate. Always returns true — every\n        actor on the network is considered a member."
+  :member-of (fn (actor audience) true))

next/genesis/codecs/dag-cbor.sx

@@ -0,0 +1,13 @@
+;; next/genesis/codecs/dag-cbor.sx
+;;
+;; Canonical CBOR encoding per IPLD dag-cbor. Used to compute
+;; envelope canonical bytes for signature coverage and to serialise
+;; the genesis bundle itself. In Erlang-on-SX mode the kernel
+;; dispatches to the host cid:to_string substrate (Step 1b) when
+;; this codec is requested.
+
+(DefineCodec
+  :name "dag-cbor"
+  :doc "Deterministic CBOR with dag-cbor restrictions: sorted\n        map keys, no floats unless required, no indefinite-length\n        items. The canonical wire format for fed-sx artifacts."
+  :encode (fn (term) (host-codec :dag-cbor :encode term))
+  :decode (fn (bytes) (host-codec :dag-cbor :decode bytes)))

next/genesis/codecs/dag-json.sx

@@ -0,0 +1,12 @@
+;; next/genesis/codecs/dag-json.sx
+;;
+;; JSON encoding with dag-json restrictions per IPLD: sorted map
+;; keys, no NaN / Infinity, no comments, CIDs as `{"/": "..."}`.
+;; Used as the human-readable wire format for ActivityPub interop
+;; (JSON-LD over dag-json).
+
+(DefineCodec
+  :name "dag-json"
+  :doc "Deterministic JSON with dag-json restrictions. Sorted\n        keys, CIDs as the {\"/\": \"...\"} object. Used by the\n        HTTP server (Step 8) for application/json responses."
+  :encode (fn (term) (host-codec :dag-json :encode term))
+  :decode (fn (bytes) (host-codec :dag-json :decode bytes)))

next/genesis/codecs/raw.sx

@@ -0,0 +1,12 @@
+;; next/genesis/codecs/raw.sx
+;;
+;; Identity codec — input bytes pass through unchanged in both
+;; directions. Used for already-encoded payloads and for binary
+;; artifacts (images, archives) whose CID is computed over the
+;; raw bytes directly.
+
+(DefineCodec
+  :name "raw"
+  :doc "Identity codec. The CID's multicodec byte is 0x55.\n        :encode and :decode return their input unchanged."
+  :encode (fn (bytes) bytes)
+  :decode (fn (bytes) bytes))

next/genesis/manifest.sx

@@ -0,0 +1,46 @@
+;; next/genesis/manifest.sx
+;;
+;; Genesis bundle root per design §12.2. Lists every definition file
+;; that gets packed into the bundle. The bundler (bootstrap.erl)
+;; walks this manifest, reads each referenced file, parses its
+;; top-level form, and inserts it into the bundle dict at the
+;; appropriate section path.
+;;
+;; The bundle CID is the content-address of the resulting dag-cbor
+;; (or v1 stand-in) blob over the assembled dict. That CID is
+;; baked into the kernel at build time and re-verified on startup
+;; per design §12.3.
+;;
+;; Section values are bare parenthesised paths (data lists, not
+;; function calls) — the manifest is consumed by `parse`, not
+;; `eval`. Empty sections are written as `()`.
+
+(GenesisManifest
+  :version "0.0.1"
+  :kernel-version "1.0.0-m1"
+  :activity-types ("activity-types/create.sx"
+    "activity-types/update.sx"
+    "activity-types/delete.sx")
+  :object-types ("object-types/sx-artifact.sx"
+    "object-types/note.sx"
+    "object-types/tombstone.sx"
+    "object-types/define-activity.sx"
+    "object-types/define-object.sx"
+    "object-types/define-projection.sx"
+    "object-types/define-validator.sx"
+    "object-types/define-codec.sx"
+    "object-types/define-sig-suite.sx"
+    "object-types/snapshot.sx")
+  :projections ("projections/activity-log.sx"
+    "projections/by-type.sx"
+    "projections/by-actor.sx"
+    "projections/by-object.sx"
+    "projections/actor-state.sx"
+    "projections/define-registry.sx"
+    "projections/audience-graph.sx")
+  :validators ("validators/envelope-shape.sx"
+    "validators/signature.sx"
+    "validators/type-schema.sx")
+  :codecs ("codecs/dag-cbor.sx" "codecs/raw.sx" "codecs/dag-json.sx")
+  :sig-suites ("sig-suites/rsa-sha256-2018.sx" "sig-suites/ed25519-2020.sx")
+  :audience ("audience/public.sx" "audience/followers.sx" "audience/direct.sx"))

next/genesis/object-types/define-activity.sx

@@ -0,0 +1,12 @@
+;; next/genesis/object-types/define-activity.sx
+;;
+;; Meta-object that registers a new activity verb. Published as
+;; Create{DefineActivity{...}}; the define-registry projection
+;; folds it into the activity-types registry. Per design §5.
+
+(DefineObject
+  :name "DefineActivity"
+  :doc "Activity-type registration. :name is the verb (e.g.\n        \"Pin\"); :schema is an SX predicate over activity\n        envelopes; :semantics is an optional state-fold body."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :name)) (not (nil? (-> obj :schema))))))

next/genesis/object-types/define-codec.sx

@@ -0,0 +1,15 @@
+;; next/genesis/object-types/define-codec.sx
+;;
+;; Meta-object that registers a content codec — an encode/decode
+;; pair. The bootstrap bundle ships dag-cbor, raw, and dag-json
+;; codecs; new codecs can be added via Create{DefineCodec{...}}.
+
+(DefineObject
+  :name "DefineCodec"
+  :doc "Codec registration. :name identifies the codec ('dag-cbor',\n        'raw', 'dag-json', ...); :encode and :decode are the\n        SX bodies the kernel calls when serialising / parsing\n        artifacts under this codec."
+  :schema (fn
+    (obj)
+    (and
+      (string? (-> obj :name))
+      (not (nil? (-> obj :encode)))
+      (not (nil? (-> obj :decode))))))

next/genesis/object-types/define-object.sx

@@ -0,0 +1,12 @@
+;; next/genesis/object-types/define-object.sx
+;;
+;; Meta-object that registers a new object-type. Bootstrap-level —
+;; runtime registration of new object types (e.g. DefineSubscription
+;; in the Step 9b smoke test) flows through this.
+
+(DefineObject
+  :name "DefineObject"
+  :doc "Object-type registration. :name is the type tag (e.g.\n        \"PinSpec\"); :schema is an SX predicate over object\n        forms of that type."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :name)) (not (nil? (-> obj :schema))))))

next/genesis/object-types/define-projection.sx

@@ -0,0 +1,16 @@
+;; next/genesis/object-types/define-projection.sx
+;;
+;; Meta-object that registers a new projection. The projection
+;; scheduler (Step 7) spawns one gen_server per registered
+;; projection and feeds activities through its :fold body in
+;; sandbox mode.
+
+(DefineObject
+  :name "DefineProjection"
+  :doc "Projection registration. :name is the projection key;\n        :initial-state is the empty state value; :fold is the\n        pure (state activity) -> state function evaluated in\n        sandbox mode per activity."
+  :schema (fn
+    (obj)
+    (and
+      (string? (-> obj :name))
+      (not (nil? (-> obj :initial-state)))
+      (not (nil? (-> obj :fold))))))

next/genesis/object-types/define-sig-suite.sx

@@ -0,0 +1,12 @@
+;; next/genesis/object-types/define-sig-suite.sx
+;;
+;; Meta-object that registers a signature suite. Bootstrap ships
+;; rsa-sha256-2018 and ed25519-2020; the suite name maps an
+;; algorithm to a :verify body and a :key-format predicate.
+
+(DefineObject
+  :name "DefineSigSuite"
+  :doc "Signature suite registration. :name identifies the suite\n        ('rsa-sha256-2018', 'ed25519-2020', ...); :verify is the\n        SX (canonical-bytes signature key) -> bool body; the\n        envelope-signature validator dispatches by suite name."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :name)) (not (nil? (-> obj :verify))))))

next/genesis/object-types/define-validator.sx

@@ -0,0 +1,12 @@
+;; next/genesis/object-types/define-validator.sx
+;;
+;; Meta-object that registers a validator predicate. The validation
+;; pipeline (Step 6) consults registered validators by name when
+;; running its stages.
+
+(DefineObject
+  :name "DefineValidator"
+  :doc "Validator registration. :name is the validator key (e.g.\n        \"envelope-shape\"); :predicate is the SX (activity) ->\n        ok|{error, R} body."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :name)) (not (nil? (-> obj :predicate))))))

next/genesis/object-types/note.sx

@@ -0,0 +1,10 @@
+;; next/genesis/object-types/note.sx
+;;
+;; Short message intended for an audience, ActivityPub-Note-compatible.
+;; Used by the Step 9b reactive smoke test (Note tagged "smoketest"
+;; matches the Topic subscription).
+
+(DefineObject
+  :name "Note"
+  :doc "Short authored message. :content is the body text;\n        :tags is a list of subscription-routable tags."
+  :schema (fn (obj) (string? (-> obj :content))))

next/genesis/object-types/snapshot.sx

@@ -0,0 +1,13 @@
+;; next/genesis/object-types/snapshot.sx
+;;
+;; Projection state checkpoint. The projection scheduler emits
+;; Snapshot{projection-name, state-cid, log-seq} periodically;
+;; cold starts read the most recent Snapshot and replay only
+;; activities after :log-seq. Per design §10.5.
+
+(DefineObject
+  :name "Snapshot"
+  :doc "Projection-state checkpoint. :projection-name identifies\n        the projection; :state-cid is the content-address of\n        the snapshotted state value; :log-seq is the activity\n        sequence number the snapshot was taken at."
+  :schema (fn
+    (obj)
+    (and (string? (-> obj :projection-name)) (string? (-> obj :state-cid)))))

next/genesis/object-types/sx-artifact.sx

@@ -0,0 +1,10 @@
+;; next/genesis/object-types/sx-artifact.sx
+;;
+;; Content-addressed SX source — a library, component, or
+;; executable form published via Create{SXArtifact{...}}.
+;; Consumers reference an artifact by its CID. Per design §3.4.
+
+(DefineObject
+  :name "SXArtifact"
+  :doc "Published SX source. :source carries the form text;\n        :language is optional ('sx' by default); :imports lists\n        CIDs the artifact depends on."
+  :schema (fn (obj) (string? (-> obj :source))))

next/genesis/object-types/tombstone.sx

@@ -0,0 +1,9 @@
+;; next/genesis/object-types/tombstone.sx
+;;
+;; Replacement for an object that has been Delete'd. Lets projection
+;; folds keep a marker without retaining the deleted content.
+
+(DefineObject
+  :name "Tombstone"
+  :doc "Marker for a deleted object. :former-cid carries the CID\n        of the object that was removed. Projections fold Tombstone\n        by replacing the cached entry (not by omitting it)."
+  :schema (fn (obj) (string? (-> obj :former-cid))))

next/genesis/projections/activity-log.sx

@@ -0,0 +1,11 @@
+;; next/genesis/projections/activity-log.sx
+;;
+;; Identity projection: stores every activity by its CID. The
+;; base ledger every other projection could be re-derived from
+;; if needed. Per design §10.2.
+
+(DefineProjection
+  :name "activity-log"
+  :doc "Maps activity CID to the full envelope. Every activity\n        flows through; no filter. State is the CID-keyed dict."
+  :initial-state {}
+  :fold (fn (state act) (assoc state (-> act :cid) act)))

next/genesis/projections/actor-state.sx

@@ -0,0 +1,26 @@
+;; next/genesis/projections/actor-state.sx
+;;
+;; Per-actor live state: publicKeys (with history per design §9.6),
+;; profile fields (preferredUsername, summary, ...), follower/
+;; following counts. Powers the actor doc endpoint and the
+;; time-aware signature verification in envelope:verify_signature/2.
+
+(DefineProjection
+  :name "actor-state"
+  :doc "Actor-id -> {publicKeys, profile, followers, following}.\n        Updated by Create{Person|Service|Group}, Update (key\n        rotation, profile edits), Move (federation migration)."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((aid (-> act :actor)) (t (-> act :type)))
+      (cond
+        (= t "Create")
+        (assoc state aid (or (-> act :object) {}))
+        (= t "Update")
+        (assoc
+          state
+          aid
+          (merge
+            (or (get state aid) {})
+            (or (-> act :patch) {})))
+        :else state))))

next/genesis/projections/audience-graph.sx

@@ -0,0 +1,25 @@
+;; next/genesis/projections/audience-graph.sx
+;;
+;; Per-actor follow / follower graph and audience caches. Folded
+;; from Follow / Accept / Reject / Undo{Follow}. Used by the
+;; activity router to expand :to / :cc audiences (Public,
+;; Followers, Direct) into concrete recipient sets. Per design §16.
+
+(DefineProjection
+  :name "audience-graph"
+  :doc "Actor-id -> {following, followers, pending} sets.\n        Updated by Follow / Accept / Reject / Undo. Federation\n        (m2) wires this projection to the delivery queue."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((t (-> act :type)))
+      (cond
+        (= t "Follow")
+        state
+        (= t "Accept")
+        state
+        (= t "Reject")
+        state
+        (= t "Undo")
+        state
+        :else state))))

next/genesis/projections/by-actor.sx

@@ -0,0 +1,15 @@
+;; next/genesis/projections/by-actor.sx
+;;
+;; Index of activity CIDs grouped by :actor. Maps actor-id to a
+;; list of CIDs in append order. Powers the per-actor outbox
+;; listing (Step 8) without re-scanning the full log.
+
+(DefineProjection
+  :name "by-actor"
+  :doc "Actor-id -> list of activity CIDs (append order)."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((a (-> act :actor)) (cid (-> act :cid)))
+      (assoc state a (append (or (get state a) (list)) (list cid))))))

next/genesis/projections/by-object.sx

@@ -0,0 +1,22 @@
+;; next/genesis/projections/by-object.sx
+;;
+;; Index of activities that reference each :object CID. Maps
+;; object-CID to the list of activity CIDs that target it
+;; (Update / Delete / Announce / etc.). Used for "show me
+;; everything that happened to X" queries.
+
+(DefineProjection
+  :name "by-object"
+  :doc "Object CID -> list of activity CIDs that target it."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((obj-cid (-> act :object)) (cid (-> act :cid)))
+      (if
+        (string? obj-cid)
+        (assoc
+          state
+          obj-cid
+          (append (or (get state obj-cid) (list)) (list cid)))
+        state))))

next/genesis/projections/by-type.sx

@@ -0,0 +1,15 @@
+;; next/genesis/projections/by-type.sx
+;;
+;; Index of activity CIDs grouped by :type. Maps type-name to a
+;; list of CIDs in append order. Used by the outbox listing
+;; endpoints (Step 8) for type-filtered pagination.
+
+(DefineProjection
+  :name "by-type"
+  :doc "Type-name -> list of activity CIDs (append order)."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((t (-> act :type)) (cid (-> act :cid)))
+      (assoc state t (append (or (get state t) (list)) (list cid))))))

next/genesis/projections/define-registry.sx

@@ -0,0 +1,33 @@
+;; next/genesis/projections/define-registry.sx
+;;
+;; The meta-projection: folds Create{Define*{...}} activities into
+;; the kernel registry. Resolves the chicken-and-egg circle —
+;; bootstrap.erl populates the registry directly at startup from
+;; the genesis bundle, and from then on define-registry's fold
+;; keeps it current as new Define* activities arrive. Per design §5.
+
+(DefineProjection
+  :name "define-registry"
+  :doc "Maps {kind, name} -> definition entry. Folded from\n        Create{DefineActivity|DefineObject|DefineProjection|\n        DefineValidator|DefineCodec|DefineSigSuite|...}. Kind is\n        derived from the inner :object :type tag."
+  :initial-state {}
+  :fold (fn
+    (state act)
+    (let
+      ((obj (-> act :object)) (otype (-> act :object :type)))
+      (cond
+        (= (-> act :type) "Create")
+        (cond
+          (= otype "DefineActivity")
+          (assoc-in state (list :activity-types (-> obj :name)) obj)
+          (= otype "DefineObject")
+          (assoc-in state (list :object-types (-> obj :name)) obj)
+          (= otype "DefineProjection")
+          (assoc-in state (list :projections (-> obj :name)) obj)
+          (= otype "DefineValidator")
+          (assoc-in state (list :validators (-> obj :name)) obj)
+          (= otype "DefineCodec")
+          (assoc-in state (list :codecs (-> obj :name)) obj)
+          (= otype "DefineSigSuite")
+          (assoc-in state (list :sig-suites (-> obj :name)) obj)
+          :else state)
+        :else state))))

next/genesis/sig-suites/ed25519-2020.sx

@@ -0,0 +1,11 @@
+;; next/genesis/sig-suites/ed25519-2020.sx
+;;
+;; W3C Verifiable Credential signature suite — Ed25519 over
+;; canonical bytes, key material in multibase. Default suite
+;; for fed-sx actors per design §9.
+
+(DefineSigSuite
+  :name "ed25519-2020"
+  :doc "Ed25519 verification. Key carries publicKeyMultibase.\n        :verify takes canonical-bytes + signature + key and\n        returns bool. Real verification deferred to m2 once\n        crypto:verify_ed25519/3 BIF lands; v1 stand-in returns\n        false to defer all Ed25519-signed activities."
+  :verify (fn (canonical-bytes signature key) false)
+  :key-format (fn (key-doc) (string? (-> key-doc :publicKeyMultibase))))

next/genesis/sig-suites/rsa-sha256-2018.sx

@@ -0,0 +1,11 @@
+;; next/genesis/sig-suites/rsa-sha256-2018.sx
+;;
+;; W3C Verifiable Credential signature suite — RSA-SHA256 over
+;; canonical bytes, key material in PEM. Compatible with
+;; Mastodon's HTTP-Signatures / Linked-Data-Signatures-2017.
+
+(DefineSigSuite
+  :name "rsa-sha256-2018"
+  :doc "RSA-SHA256 verification. Key carries publicKeyPem.\n        :verify takes canonical-bytes + signature + key and\n        returns bool. Real verification deferred to m2 once\n        crypto:verify_rsa/3 BIF lands; v1 stand-in returns\n        false to defer all RSA-signed activities."
+  :verify (fn (canonical-bytes signature key) false)
+  :key-format (fn (key-doc) (string? (-> key-doc :publicKeyPem))))

next/genesis/validators/envelope-shape.sx

@@ -0,0 +1,22 @@
+;; next/genesis/validators/envelope-shape.sx
+;;
+;; Validates required envelope fields per design §3.1. Stage 1 of
+;; the validation pipeline (Step 6). Mirrors the kernel's
+;; envelope:validate_shape/1 from Step 2a — when the pipeline runs
+;; in OCaml-side sandbox eval mode it dispatches by name; when it
+;; runs through the kernel Erlang path it short-circuits to the BIF.
+
+(DefineValidator
+  :name "envelope-shape"
+  :doc "Required-fields check on the activity envelope:\n        :id, :type, :actor, :published, :signature must all be\n        present and non-nil. The :signature sub-field needs\n        :key_id, :algorithm, :value."
+  :predicate (fn
+    (act)
+    (and
+      (not (nil? (-> act :id)))
+      (not (nil? (-> act :type)))
+      (not (nil? (-> act :actor)))
+      (not (nil? (-> act :published)))
+      (not (nil? (-> act :signature)))
+      (not (nil? (-> act :signature :key_id)))
+      (not (nil? (-> act :signature :algorithm)))
+      (not (nil? (-> act :signature :value))))))

next/genesis/validators/signature.sx

@@ -0,0 +1,13 @@
+;; next/genesis/validators/signature.sx
+;;
+;; Stage 2 of the validation pipeline per design §14. Verifies the
+;; activity signature against the time-relevant public key in the
+;; actor-state projection. Bootstrap entry; the kernel dispatches
+;; to envelope:verify_signature/2 (Step 2c) when running in
+;; Erlang-on-SX mode. Per design §9.6 the lookup is timestamp-aware
+;; — key validity is evaluated at :published, not "now".
+
+(DefineValidator
+  :name "signature"
+  :doc "Signature verification. Picks the signature suite by\n        :signature :algorithm, fetches the key with id ==\n        :signature :key_id that was active at :published from\n        the actor-state projection, then dispatches to the\n        suite's :verify body."
+  :predicate (fn (act) true))

next/genesis/validators/type-schema.sx

@@ -0,0 +1,21 @@
+;; next/genesis/validators/type-schema.sx
+;;
+;; Stage 5 of the validation pipeline per design §14. Validates
+;; the activity's :object against the schema registered for its
+;; :object :type in the define-registry projection.
+
+(DefineValidator
+  :name "type-schema"
+  :doc "Looks up the object-type registration in the\n        define-registry projection, fetches its :schema body,\n        and evaluates it against (-> act :object). Returns true\n        when no object-type is named (some verbs carry no\n        :object) or when no schema is registered for the named\n        type (open-world default — Step 6 may tighten)."
+  :predicate (fn
+    (act)
+    (let
+      ((obj (-> act :object)))
+      (cond
+        (nil? obj)
+        true
+        (nil? (-> obj :type))
+        true
+        :else (let
+          ((schema (-> (registry-lookup :object-types (-> obj :type)) :schema)))
+          (if (nil? schema) true (apply-schema schema obj)))))))

next/kernel/bootstrap.erl

@@ -0,0 +1,187 @@
+-module(bootstrap).
+-export([read_genesis/0, read_genesis/1,
+         read_section/2, sections/0, section_subdir/1,
+         default_base/0, ends_with_sx/1,
+         build_genesis/1, verify_genesis/2,
+         cidhash_path/1, write_cidhash/2, read_cidhash/1,
+         load_genesis/1, strip_sx_suffix/1]).
+
+%% Genesis bundle reader per design §12.2.
+%%
+%% read_genesis/0,1 walks the seven canonical section subdirectories
+%% under `next/genesis/`, filters .sx files, reads each file into a
+%% binary, and returns a structured snapshot:
+%%
+%%   {ok, [{Section :: atom,
+%%          [{FileName :: binary, FileBytes :: binary}, ...]},
+%%         ...]}
+%%
+%% Step 4d will compute the bundle CID by hashing the assembled
+%% byte string across all entries; Step 4e will register the parsed
+%% definitions in the kernel registry.
+%%
+%% Port note: this module does NOT parse the .sx contents. The
+%% Erlang-on-SX port has no in-Erlang path from binary bytes to SX
+%% structured terms (same substrate gap that parked Step 3b); the
+%% bundle CID needs only the raw bytes, and registry registration
+%% will happen via an SX-side helper that the kernel hands the
+%% binary contents to. read_genesis/1 ignores its arg in v1 except
+%% to swap the BasePath — `default_base/0` is "next/genesis".
+%%
+%% Port note 2: string-literal binary segments `<<"abc">>` truncate
+%% to one byte in this port, so all path constants are hand-spelled
+%% as integer-segment binaries.
+
+%% ── Public API ──────────────────────────────────────────────────
+
+%% "next/genesis"
+default_base() ->
+    <<110,101,120,116,47,103,101,110,101,115,105,115>>.
+
+read_genesis() ->
+    read_genesis(default_base()).
+
+read_genesis(BasePath) ->
+    {ok, lists:map(
+           fun (S) -> {S, read_section(BasePath, S)} end,
+           sections())}.
+
+sections() ->
+    [activity_types, object_types, projections,
+     validators, codecs, sig_suites, audience].
+
+%% "activity-types"
+section_subdir(activity_types) ->
+    <<97,99,116,105,118,105,116,121,45,116,121,112,101,115>>;
+%% "object-types"
+section_subdir(object_types) ->
+    <<111,98,106,101,99,116,45,116,121,112,101,115>>;
+%% "projections"
+section_subdir(projections) ->
+    <<112,114,111,106,101,99,116,105,111,110,115>>;
+%% "validators"
+section_subdir(validators) ->
+    <<118,97,108,105,100,97,116,111,114,115>>;
+%% "codecs"
+section_subdir(codecs) ->
+    <<99,111,100,101,99,115>>;
+%% "sig-suites"
+section_subdir(sig_suites) ->
+    <<115,105,103,45,115,117,105,116,101,115>>;
+%% "audience"
+section_subdir(audience) ->
+    <<97,117,100,105,101,110,99,101>>.
+
+read_section(BasePath, Section) ->
+    SubDir = section_subdir(Section),
+    %% 47 = '/'
+    Path = <<BasePath/binary, 47, SubDir/binary>>,
+    case file:list_dir(Path) of
+        {ok, Names} ->
+            SxNames = lists:filter(fun (N) -> ends_with_sx(N) end, Names),
+            lists:map(fun (Name) -> read_one(Path, Name) end, SxNames);
+        {error, _} ->
+            []
+    end.
+
+%% Suffix check on the .sx extension. 46='.' 115='s' 120='x'.
+ends_with_sx(<<46, 115, 120>>) -> true;
+ends_with_sx(<<>>) -> false;
+ends_with_sx(<<_, Rest/binary>>) -> ends_with_sx(Rest).
+
+%% ── Internal ────────────────────────────────────────────────────
+
+read_one(DirPath, Name) ->
+    Full = <<DirPath/binary, 47, Name/binary>>,
+    case file:read_file(Full) of
+        {ok, Bytes} -> {Name, Bytes};
+        {error, R}  -> {Name, {error, R}}
+    end.
+
+%% ── Step 4d: bundle CID compute + verify ────────────────────────
+%%
+%% The bundle CID is the canonical content-address of everything in
+%% read_genesis/0's result. We delegate to the host `cid:to_string/1`
+%% BIF (Step 1b substrate): it walks the term via `er-format-value`,
+%% feeds the deterministic textual form into `cid-from-sx`, returns
+%% a CIDv1 (raw codec, sha2-256 multihash) as a binary.
+%%
+%% Design §12.3: at startup the kernel computes this CID and
+%% compares against a hardcoded value (here: a sibling `.cidhash`
+%% file). A mismatch is a hard refuse-to-start.
+
+build_genesis(ReadResult) ->
+    case ReadResult of
+        {ok, Sections} ->
+            Cid = cid:to_string({genesis_bundle, Sections}),
+            {ok, [{cid, Cid}, {sections, Sections}]};
+        Other ->
+            {error, {bad_read_result, Other}}
+    end.
+
+verify_genesis(ReadResult, ExpectedCid) ->
+    case build_genesis(ReadResult) of
+        {ok, [{cid, Cid}, _]} ->
+            case Cid =:= ExpectedCid of
+                true  -> ok;
+                false -> {error, {cid_mismatch, Cid, ExpectedCid}}
+            end;
+        Err -> Err
+    end.
+
+%% Sibling-file CID storage. "/.cidhash" appended to BasePath as
+%% an integer-segment binary (string-literal segments are broken).
+
+%% "/.cidhash" — 47='/' 46='.' c i d h a s h
+cidhash_path(BasePath) ->
+    <<BasePath/binary, 47, 46, 99, 105, 100, 104, 97, 115, 104>>.
+
+write_cidhash(BasePath, Cid) ->
+    file:write_file(cidhash_path(BasePath), Cid).
+
+read_cidhash(BasePath) ->
+    file:read_file(cidhash_path(BasePath)).
+
+%% ── Step 4e: load_genesis → registry ────────────────────────────
+%%
+%% Walks the read_genesis result and registers each file as a
+%% registry entry. The section atom is the registry kind directly
+%% (both name spaces are identical — see Step 4c sections/0 and
+%% Step 5a registry:kinds/0). The entry Name is the filename minus
+%% the `.sx` suffix, kept as a binary; the entry value is the
+%% file's raw bytes.
+%%
+%% Returns `{ok, RegistryState}` on success. Later steps (4f / the
+%% SX-parser bridge) will replace the raw bytes with parsed forms;
+%% the binary stand-in is enough to prove the bridge works.
+
+load_genesis(ReadResult) ->
+    case ReadResult of
+        {ok, Sections} ->
+            {ok, load_sections(Sections, registry:new())};
+        Other ->
+            {error, {bad_read_result, Other}}
+    end.
+
+load_sections([], State) -> State;
+load_sections([{Kind, Entries} | Rest], State) ->
+    load_sections(Rest, load_entries(Kind, Entries, State)).
+
+load_entries(_Kind, [], State) -> State;
+load_entries(Kind, [{Name, Bytes} | Rest], State) ->
+    BaseName = strip_sx_suffix(Name),
+    {ok, NewState} = registry:register(Kind, BaseName, Bytes, State),
+    load_entries(Kind, Rest, NewState).
+
+%% strip_sx_suffix(Binary) — drops the trailing ".sx" if present.
+%% 46='.' 115='s' 120='x'.
+strip_sx_suffix(B) when is_binary(B) ->
+    case ends_with_sx(B) of
+        false -> B;
+        true  -> take_prefix(B, byte_size(B) - 3)
+    end.
+
+take_prefix(_, 0) -> <<>>;
+take_prefix(<<H, Rest/binary>>, N) when N > 0 ->
+    Tail = take_prefix(Rest, N - 1),
+    <<H, Tail/binary>>.

next/kernel/envelope.erl

@@ -0,0 +1,177 @@
+-module(envelope).
+-export([validate_shape/1, get_field/2, canonical_bytes/1, verify_signature/2]).
+
+%% Activity envelope per design §3.1.
+%%
+%% Erlang maps (#{...}) are not supported by this port, so envelopes
+%% are represented as property lists of {atom_key, value} pairs. This
+%% port's binary syntax also can't carry string literals; values that
+%% would naturally be binaries in real Erlang are kept as atoms or
+%% integer-segment binaries in the test corpus.
+%%
+%% Required fields: id, type, actor, published, signature.
+%% The signature value is itself a property list with key_id,
+%% algorithm, value.
+%%
+%% validate_shape/1 returns ok | {error, Reason}. Reasons:
+%%   not_a_proplist
+%%   {missing_field, FieldName}
+%%   {bad_signature, BadSigReason}
+%%
+%% get_field/2 returns {ok, Value} | not_found.
+
+validate_shape(Env) when is_list(Env) ->
+    case check_required([id, type, actor, published, signature], Env) of
+        ok -> validate_signature_shape(Env);
+        Err -> Err
+    end;
+validate_shape(_) ->
+    {error, not_a_proplist}.
+
+get_field(_, []) -> not_found;
+get_field(K, [{K, V} | _]) -> {ok, V};
+get_field(K, [_ | Rest]) -> get_field(K, Rest).
+
+check_required([], _) -> ok;
+check_required([F | Rest], Env) ->
+    case get_field(F, Env) of
+        {ok, _} -> check_required(Rest, Env);
+        not_found -> {error, {missing_field, F}}
+    end.
+
+validate_signature_shape(Env) ->
+    {ok, Sig} = get_field(signature, Env),
+    case is_list(Sig) of
+        true ->
+            case check_required([key_id, algorithm, value], Sig) of
+                ok -> ok;
+                {error, {missing_field, F}} ->
+                    {error, {bad_signature, {missing_field, F}}}
+            end;
+        false ->
+            {error, {bad_signature, not_a_proplist}}
+    end.
+
+%% canonical_bytes/1 — the byte string the signature covers.
+%%
+%% Real fed-sx will use dag-cbor over a JSON-LD-canonicalised form
+%% (design §3.2). For milestone 1 we stand in for that with the host
+%% BIF `cid:to_string/1`, which produces a CIDv1 over the deterministic
+%% textual form of the term. Two prior steps make this work:
+%%   1. The signature pair is stripped (sig covers everything except
+%%      itself).
+%%   2. The top-level property list is sorted by key so field order in
+%%      the source envelope is not load-bearing.
+%%
+%% The result is an Erlang binary suitable as the sig-cover input.
+
+canonical_bytes(Env) when is_list(Env) ->
+    Stripped = strip_signature(Env),
+    Sorted = sort_pairs(Stripped),
+    cid:to_string(Sorted).
+
+strip_signature([]) -> [];
+strip_signature([{signature, _} | Rest]) -> strip_signature(Rest);
+strip_signature([P | Rest]) -> [P | strip_signature(Rest)].
+
+sort_pairs([]) -> [];
+sort_pairs([H | T]) -> insert_pair(H, sort_pairs(T)).
+
+insert_pair(P, []) -> [P];
+insert_pair({K1, V1}, [{K2, V2} | Rest]) ->
+    case K1 < K2 of
+        true  -> [{K1, V1}, {K2, V2} | Rest];
+        false -> [{K2, V2} | insert_pair({K1, V1}, Rest)]
+    end.
+
+%% verify_signature/2 — time-aware sig verification per design §9.6.
+%%
+%% Activity carries a `signature` proplist with `key_id`, `algorithm`,
+%% `value`. ActorState carries `public_keys` — a list of key proplists
+%% with `id`, `created`, optionally `superseded_at`, and `value` (the
+%% key material).
+%%
+%% A key is active at time T iff `created =< T` AND
+%% (no `superseded_at` OR T < `superseded_at`). Verification picks the
+%% first matching active key whose `id == signature.key_id` at the
+%% activity's `published` timestamp, then recomputes the MAC
+%% `crypto:hash(sha256, <<KeyMaterial/binary, CanonicalBytes/binary>>)`
+%% and compares it to `signature.value`.
+%%
+%% Returns ok | {error, Reason}. Reasons:
+%%   no_signature | no_key_id | no_published | no_keys |
+%%   no_active_key | bad_signature
+%%
+%% Real RSA-SHA256 / Ed25519 verification is deferred to milestone 2:
+%% Phase 8 only ships `crypto:hash/2`, so we stand in with an HMAC-shaped
+%% MAC that exercises the same key-lookup and canonical-bytes pipeline.
+
+verify_signature(Activity, ActorState) ->
+    case get_field(signature, Activity) of
+        not_found -> {error, no_signature};
+        {ok, Sig} ->
+            case get_field(key_id, Sig) of
+                not_found -> {error, no_key_id};
+                {ok, KeyId} ->
+                    case get_field(published, Activity) of
+                        not_found -> {error, no_published};
+                        {ok, Published} ->
+                            verify_with_keys(Activity, Sig, KeyId,
+                                             Published, ActorState)
+                    end
+            end
+    end.
+
+verify_with_keys(Activity, Sig, KeyId, Published, ActorState) ->
+    case get_field(public_keys, ActorState) of
+        not_found -> {error, no_keys};
+        {ok, Keys} ->
+            case find_active_key(KeyId, Published, Keys) of
+                not_found -> {error, no_active_key};
+                {ok, Key} -> verify_mac(Activity, Sig, Key)
+            end
+    end.
+
+find_active_key(_, _, []) -> not_found;
+find_active_key(KeyId, Now, [Key | Rest]) ->
+    case is_matching_active_key(Key, KeyId, Now) of
+        true -> {ok, Key};
+        false -> find_active_key(KeyId, Now, Rest)
+    end.
+
+is_matching_active_key(Key, WantId, Now) ->
+    case get_field(id, Key) of
+        {ok, WantId} -> is_active_at(Key, Now);
+        _ -> false
+    end.
+
+is_active_at(Key, Now) ->
+    case get_field(created, Key) of
+        not_found -> false;
+        {ok, Created} ->
+            case Now >= Created of
+                false -> false;
+                true ->
+                    case get_field(superseded_at, Key) of
+                        not_found -> true;
+                        {ok, SupAt} -> Now < SupAt
+                    end
+            end
+    end.
+
+verify_mac(Activity, Sig, Key) ->
+    case get_field(value, Sig) of
+        not_found -> {error, bad_signature};
+        {ok, SigValue} ->
+            case get_field(value, Key) of
+                not_found -> {error, bad_signature};
+                {ok, KeyMat} ->
+                    Bytes = canonical_bytes(Activity),
+                    Computed = crypto:hash(sha256,
+                        <<KeyMat/binary, Bytes/binary>>),
+                    case SigValue =:= Computed of
+                        true -> ok;
+                        false -> {error, bad_signature}
+                    end
+            end
+    end.

next/kernel/log.erl

@@ -0,0 +1,63 @@
+-module(log).
+-export([open/2, append/2, tip/1, replay/3, entries/1]).
+
+%% Per-actor activity log — the canonical record of everything an
+%% actor has emitted, in chronological order. Per design §15.2 this
+%% lives on disk as a JSONL segment file; v1 starts with an in-memory
+%% backend so the API and seq-number machinery can be locked down
+%% before the on-disk format is added (Step 3b).
+%%
+%% State shape (a property list):
+%%   [{actor, ActorId}, {base, BasePath}, {seq, NextSeq}, {entries, [Act|...]}]
+%%
+%% `entries` stores activities in append order — i.e. oldest first.
+%% `seq` is the next sequence number that will be assigned by append.
+%% `base` is kept on the state for forward-compatibility with 3b
+%% (where it becomes the segment-file directory).
+%%
+%% open/2 takes ActorId + BasePath and returns {ok, LogState} starting
+%% with seq=0 and no entries.
+%%
+%% append/2 returns {ok, NewLogState, AssignedSeq}.
+%%
+%% tip/1 returns the next seq the log would assign (== count of entries).
+%%
+%% replay/3 folds Fun(Activity, AssignedSeq, Acc) over every entry in
+%% append order. Three-arity rather than two-arity because the plan's
+%% example test is "sequence numbers gap-free across replay" — having
+%% the seq number visible in the fold makes that test direct.
+%%
+%% entries/1 is a debug accessor returning [Activity, ...] in append
+%% order. Not part of the public API contract.
+
+open(ActorId, BasePath) ->
+    {ok, [{actor, ActorId}, {base, BasePath}, {seq, 0}, {entries, []}]}.
+
+append(LogState, Activity) ->
+    Seq = field(seq, LogState),
+    Entries = field(entries, LogState),
+    NewState = replace_field(seq, Seq + 1,
+                  replace_field(entries, Entries ++ [Activity], LogState)),
+    {ok, NewState, Seq}.
+
+tip(LogState) ->
+    field(seq, LogState).
+
+replay(LogState, InitAcc, Fun) ->
+    Entries = field(entries, LogState),
+    replay_loop(Entries, 0, InitAcc, Fun).
+
+replay_loop([], _, Acc, _) -> Acc;
+replay_loop([Act | Rest], Seq, Acc, Fun) ->
+    replay_loop(Rest, Seq + 1, Fun(Act, Seq, Acc), Fun).
+
+entries(LogState) ->
+    field(entries, LogState).
+
+field(K, [{K, V} | _]) -> V;
+field(K, [_ | Rest]) -> field(K, Rest);
+field(_, []) -> erlang:error(badkey).
+
+replace_field(K, V, []) -> [{K, V}];
+replace_field(K, V, [{K, _} | Rest]) -> [{K, V} | Rest];
+replace_field(K, V, [P | Rest]) -> [P | replace_field(K, V, Rest)].

next/kernel/nx_cid.erl

@@ -0,0 +1,24 @@
+-module(nx_cid).
+-export([from_sx/1, to_string/1, from_string/1, equals/2]).
+
+%% The kernel-side CID wrapper. The host BIF `cid:to_string/1` already
+%% produces a canonical CIDv1 (raw codec, sha2-256 multihash) over the
+%% deterministic textual form of any term (er-format-value); we expose
+%% it under the kernel namespace and add the equality + round-trip
+%% helpers the rest of the kernel needs.
+%%
+%% Naming note: the BIF module is `cid`, so we use `nx_cid` to avoid
+%% shadowing. Plans/fed-sx-milestone-1.md §Step 1 spells the file as
+%% `cid.erl`; the briefing flags Erlang snippets as illustrative.
+
+from_sx(V) ->
+    cid:to_string(V).
+
+to_string(Cid) ->
+    Cid.
+
+from_string(S) ->
+    S.
+
+equals(A, B) ->
+    A =:= B.

next/kernel/outbox.erl

@@ -0,0 +1,105 @@
+-module(outbox).
+-export([construct/4, sign/2, cid_of/1, publish/2]).
+
+%% Outbox envelope construction + signing per design §3.1.
+%%
+%% construct/4 builds an unsigned activity envelope from caller-supplied
+%% (Type, ActorId, Published, Object). The envelope's `:id` field is
+%% derived from the host `cid:to_string` BIF over a skeleton tag, so
+%% recipients can address the activity by its content hash. The
+%% returned property list is the canonical key-sorted form that
+%% `envelope:canonical_bytes/1` operates on.
+%%
+%% sign/2 takes the unsigned envelope plus a KeySpec proplist that
+%% mirrors a `public_keys` entry: `[{key_id, _}, {algorithm, _},
+%% {value, KeyMaterial}]`. It computes the v1 HMAC stand-in
+%% `crypto:hash(sha256, <<KeyMaterial/binary, CanonicalBytes/binary>>)`
+%% — the same scheme `envelope:verify_signature/2` checks — and
+%% appends a `:signature` pair.
+%%
+%% Real Ed25519 / RSA signing arrives in milestone 2 once
+%% `crypto:sign_ed25519/2` BIFs land; the API shape doesn't change.
+
+%% construct/4 — Type and ActorId are atoms; Published is an
+%% integer timestamp the caller supplies (no clock BIF in this
+%% port; the HTTP layer / outbox:publish caller injects it).
+%% Object can be any term, including a property list of inner
+%% fields.
+construct(Type, ActorId, Published, Object) ->
+    Skeleton = [{actor, ActorId},
+                {object, Object},
+                {published, Published},
+                {type, Type}],
+    Id = cid:to_string({activity_envelope, Skeleton}),
+    [{actor, ActorId},
+     {id, Id},
+     {object, Object},
+     {published, Published},
+     {type, Type}].
+
+%% sign/2 — KeySpec carries key_id, algorithm, value (key material).
+sign(Envelope, KeySpec) ->
+    {ok, KeyId} = envelope:get_field(key_id, KeySpec),
+    {ok, Alg}   = envelope:get_field(algorithm, KeySpec),
+    {ok, KM}    = envelope:get_field(value, KeySpec),
+    CB = envelope:canonical_bytes(Envelope),
+    SigValue = crypto:hash(sha256, <<KM/binary, CB/binary>>),
+    Sig = [{algorithm, Alg}, {key_id, KeyId}, {value, SigValue}],
+    Envelope ++ [{signature, Sig}].
+
+%% cid_of/1 — extract the :id field from a constructed envelope.
+%% Convenience for callers that don't want to thread the CID
+%% separately when both the envelope and its ID matter.
+cid_of(Envelope) ->
+    {ok, Id} = envelope:get_field(id, Envelope),
+    Id.
+
+%% publish/2 — the outbound activity pipeline orchestrator.
+%%
+%% Request shape:   [{type, T}, {object, O}]
+%% Context shape:   [{actor_id, A}, {published, P}, {key_spec, KS},
+%%                   {actor_state, AS}, {log, L}]
+%%
+%% Returns:
+%%   {ok, [{cid, Cid}, {activity, Signed}], NewLog}   — happy path
+%%   {error, Reason, LogState}                         — validation halted
+%%
+%% Stages run in order: envelope shape, signature, replay. The
+%% replay check uses the log state pre-append, so if the caller
+%% publishes the same Request twice with the same Published
+%% timestamp the second call halts with {error, replay, _}.
+%%
+%% Projection-scheduler dispatch (the async fold the design calls
+%% for) is deferred to Step 7 — once the projection gen_server
+%% exists, this function will broadcast `Signed` to it.
+
+publish(Request, Context) ->
+    Type      = envelope_field(type, Request),
+    Object    = envelope_field(object, Request),
+    ActorId   = envelope_field(actor_id, Context),
+    Published = envelope_field(published, Context),
+    KeySpec   = envelope_field(key_spec, Context),
+    ActorState = envelope_field(actor_state, Context),
+    LogState   = envelope_field(log, Context),
+    Unsigned = construct(Type, ActorId, Published, Object),
+    Signed = sign(Unsigned, KeySpec),
+    Stages = [
+        fun (A) -> pipeline:stage_envelope(A) end,
+        pipeline:stage_signature(ActorState),
+        pipeline:stage_replay(LogState)
+    ],
+    case pipeline:run_stages(Signed, Stages) of
+        ok ->
+            {ok, NewLog, _Seq} = log:append(LogState, Signed),
+            Result = [{cid, cid_of(Signed)}, {activity, Signed}],
+            {ok, Result, NewLog};
+        {error, Reason} ->
+            {error, Reason, LogState}
+    end.
+
+envelope_field(K, PL) ->
+    case envelope:get_field(K, PL) of
+        {ok, V}   -> V;
+        not_found -> nil
+    end.
+

next/kernel/pipeline.erl

@@ -0,0 +1,91 @@
+-module(pipeline).
+-export([run_stages/2,
+         validate_inbound/1, validate_outbound/1,
+         inbound_stages/0, outbound_stages/0,
+         stage_envelope/1,
+         stage_signature/1, stage_signature/2,
+         stage_replay/1, stage_replay/2]).
+
+%% Validation pipeline per design §14.
+%%
+%% A stage is a 1-arity fun `(Activity) -> ok | {error, Reason}`.
+%% The driver folds the activity through the stage list, halting
+%% on the first error. The pure-functional driver itself takes a
+%% stage list directly so tests can inject ad-hoc stage sequences
+%% without depending on the bundled inbound/outbound lists.
+%%
+%% Inbound pipeline (full set per design §14): envelope, signature,
+%% replay, audience, activity_schema, object_schema, content_validators,
+%% capabilities, trust. Outbound is a subset (no replay, no trust;
+%% auth handled at the HTTP layer).
+%%
+%% This sub-deliverable (6a) wires only the driver and the empty
+%% stage lists. Concrete stages land in 6b-6c.
+
+run_stages(_Activity, []) -> ok;
+run_stages(Activity, [Stage | Rest]) ->
+    Result = Stage(Activity),
+    case Result of
+        ok         -> run_stages(Activity, Rest);
+        {error, _} -> Result
+    end.
+
+validate_inbound(Activity) ->
+    run_stages(Activity, inbound_stages()).
+
+validate_outbound(Activity) ->
+    run_stages(Activity, outbound_stages()).
+
+inbound_stages() ->
+    [fun (A) -> stage_envelope(A) end].
+
+outbound_stages() ->
+    [fun (A) -> stage_envelope(A) end].
+
+%% ── Concrete stages ─────────────────────────────────────────────
+
+%% stage_envelope/1 — wrap envelope:validate_shape/1. The pipeline
+%% driver expects ok | {error, R}; validate_shape returns exactly
+%% that, so delegation is direct.
+stage_envelope(Activity) ->
+    envelope:validate_shape(Activity).
+
+%% stage_signature/2 — direct (Activity, ActorState) check. Wraps
+%% envelope:verify_signature/2 from Step 2c. Useful for tests and
+%% for callers that already have ActorState in scope.
+stage_signature(Activity, ActorState) ->
+    envelope:verify_signature(Activity, ActorState).
+
+%% stage_signature/1 — factory: takes the ActorState and returns a
+%% 1-arity stage fun the pipeline driver can fold. This is how
+%% signature checking gets composed into a stage list at runtime
+%% (the static `inbound_stages/0` list omits it precisely because
+%% ActorState isn't available at static-list build time).
+stage_signature(ActorState) ->
+    fun (Activity) -> envelope:verify_signature(Activity, ActorState) end.
+
+%% stage_replay/2 — checks the in-memory log for an existing
+%% activity with the same :id. Returns ok if the activity is new,
+%% `{error, replay}` if the log already carries it, `{error, no_id}`
+%% if the activity has no :id field. The check is linear scan of
+%% log entries; the projection scheduler (Step 7) will eventually
+%% maintain a CID index that turns this into O(1).
+stage_replay(Activity, LogState) ->
+    case envelope:get_field(id, Activity) of
+        not_found -> {error, no_id};
+        {ok, Id} ->
+            case log_has_id(Id, log:entries(LogState)) of
+                true  -> {error, replay};
+                false -> ok
+            end
+    end.
+
+stage_replay(LogState) ->
+    fun (Activity) -> stage_replay(Activity, LogState) end.
+
+log_has_id(_, []) -> false;
+log_has_id(Id, [Act | Rest]) ->
+    case envelope:get_field(id, Act) of
+        {ok, Id} -> true;
+        _        -> log_has_id(Id, Rest)
+    end.

next/kernel/projection.erl

@@ -0,0 +1,54 @@
+-module(projection).
+-export([new/2, new/3, fold_activity/2, replay/2,
+         name/1, state/1, fold_fn/1]).
+
+%% Pure-functional projection driver per design §10.
+%%
+%% A projection is a property list:
+%%   [{name, atom}, {state, term}, {fold, fun}]
+%%
+%% The fold function is `fun (Activity, State) -> NewState`. v1
+%% uses Erlang funs as the fold body — the genesis bundle's SX
+%% `:fold` bodies are stored as binaries; an SX-source eval
+%% bridge will plug them into the same projection record once
+%% it lands (Step 7d). For now, callers supply Erlang funs
+%% directly when constructing a projection.
+%%
+%% `replay/2` is the cold-start primitive: fold an activity
+%% list (e.g. `log:entries/1`) through the projection from its
+%% initial state.
+
+new(Name, InitialState) ->
+    new(Name, InitialState, fun (_Activity, S) -> S end).
+
+new(Name, InitialState, FoldFn) ->
+    [{name, Name}, {state, InitialState}, {fold, FoldFn}].
+
+fold_activity(Proj, Activity) ->
+    Fn  = fold_fn(Proj),
+    S0  = state(Proj),
+    S1  = Fn(Activity, S0),
+    set_field(state, S1, Proj).
+
+replay(Proj, Activities) ->
+    fold_each(Proj, Activities).
+
+fold_each(Proj, []) -> Proj;
+fold_each(Proj, [A | Rest]) ->
+    fold_each(fold_activity(Proj, A), Rest).
+
+%% Accessors
+
+name(Proj)    -> field(name, Proj).
+state(Proj)   -> field(state, Proj).
+fold_fn(Proj) -> field(fold, Proj).
+
+%% Internal
+
+field(K, [{K, V} | _]) -> V;
+field(K, [_ | Rest]) -> field(K, Rest);
+field(_, []) -> erlang:error(badkey).
+
+set_field(K, V, [{K, _} | Rest]) -> [{K, V} | Rest];
+set_field(K, V, [P | Rest]) -> [P | set_field(K, V, Rest)];
+set_field(K, V, []) -> [{K, V}].

next/kernel/registry.erl

@@ -0,0 +1,120 @@
+-module(registry).
+-behaviour(gen_server).
+-export([new/0, kinds/0, register/4, lookup/3, list/2]).
+-export([start_link/0, register/3, lookup/2, list/1, stop/0]).
+-export([init/1, handle_call/3, handle_cast/2, handle_info/2]).
+
+%% Pure-functional registry for the seven bootstrap kinds.
+%%
+%% State is a property list keyed by kind atom; each kind's value
+%% is itself a property list of {Name, Entry} pairs. Entry is
+%% opaque — typically a proplist with :cid, :schema, :semantics,
+%% :supersedes fields, but the registry doesn't enforce that here.
+%%
+%% A gen_server wrapper (Step 5b) will own the global registry
+%% process; the pure functions in this module remain the canonical
+%% API and are usable for tests and for offline projection-replay.
+%%
+%% Return shapes:
+%%   new/0            -> State
+%%   kinds/0          -> [Atom, ...]
+%%   register/4       -> {ok, NewState} | {error, unknown_kind}
+%%   lookup/3         -> {ok, Entry} | not_found | {error, unknown_kind}
+%%   list/2           -> [{Name, Entry}, ...] | {error, unknown_kind}
+
+new() -> [].
+
+kinds() ->
+    [activity_types, object_types, projections,
+     validators, codecs, sig_suites, audience].
+
+register(Kind, Name, Entry, State) ->
+    case is_valid_kind(Kind) of
+        false -> {error, unknown_kind};
+        true ->
+            Entries = kind_entries(Kind, State),
+            Updated = put_pair(Name, Entry, Entries),
+            {ok, set_kind_entries(Kind, Updated, State)}
+    end.
+
+lookup(Kind, Name, State) ->
+    case is_valid_kind(Kind) of
+        false -> {error, unknown_kind};
+        true ->
+            find_pair(Name, kind_entries(Kind, State))
+    end.
+
+list(Kind, State) ->
+    case is_valid_kind(Kind) of
+        false -> {error, unknown_kind};
+        true  -> kind_entries(Kind, State)
+    end.
+
+%% ── Internal ────────────────────────────────────────────────────
+
+is_valid_kind(K) -> lists:member(K, kinds()).
+
+kind_entries(Kind, State) ->
+    case find_pair(Kind, State) of
+        not_found -> [];
+        {ok, V}   -> V
+    end.
+
+set_kind_entries(Kind, Entries, State) ->
+    put_pair(Kind, Entries, State).
+
+put_pair(K, V, []) -> [{K, V}];
+put_pair(K, V, [{K, _} | Rest]) -> [{K, V} | Rest];
+put_pair(K, V, [P | Rest]) -> [P | put_pair(K, V, Rest)].
+
+find_pair(_, []) -> not_found;
+find_pair(K, [{K, V} | _]) -> {ok, V};
+find_pair(K, [_ | Rest]) -> find_pair(K, Rest).
+
+%% ── Step 5b: gen_server wrapper ─────────────────────────────────
+%%
+%% The named process owns the registry state; concurrent readers
+%% and writers serialize through gen_server:call. The pure /3 and
+%% /4 functions remain available for offline projection-replay and
+%% for tests that don't need a process at all.
+%%
+%% Port notes: gen_server:start_link returns the raw Pid (not
+%% `{ok, Pid}` as in OTP). `?MODULE` macro is unsupported here, so
+%% the registered name is the literal `registry` atom in every call.
+
+start_link() ->
+    Pid = gen_server:start_link(registry, []),
+    erlang:register(registry, Pid),
+    Pid.
+
+stop() ->
+    R = gen_server:call(registry, '$gen_stop'),
+    erlang:unregister(registry),
+    R.
+
+register(Kind, Name, Entry) ->
+    gen_server:call(registry, {register, Kind, Name, Entry}).
+
+lookup(Kind, Name) ->
+    gen_server:call(registry, {lookup, Kind, Name}).
+
+list(Kind) ->
+    gen_server:call(registry, {list, Kind}).
+
+%% gen_server callbacks
+
+init(_) -> {ok, new()}.
+
+handle_call({register, Kind, Name, Entry}, _From, State) ->
+    case register(Kind, Name, Entry, State) of
+        {ok, NewState} -> {reply, ok, NewState};
+        {error, R}     -> {reply, {error, R}, State}
+    end;
+handle_call({lookup, Kind, Name}, _From, State) ->
+    {reply, lookup(Kind, Name, State), State};
+handle_call({list, Kind}, _From, State) ->
+    {reply, list(Kind, State), State}.
+
+handle_cast(_, S) -> {noreply, S}.
+
+handle_info(_, S) -> {noreply, S}.

next/tests/bootstrap_build.sh

@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+# next/tests/bootstrap_build.sh — Step 4d acceptance test.
+#
+# Exercises bootstrap:build_genesis/1, verify_genesis/2,
+# cidhash_path/1, write_cidhash/2, read_cidhash/1. The bundle CID
+# is computed by delegating to the host cid:to_string BIF (Step 1b
+# substrate) over the read_genesis result. 11 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+# Clean any stale .cidhash from previous runs before tests touch
+# the filesystem.
+rm -f next/genesis/.cidhash
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE; rm -f next/genesis/.cidhash" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/bootstrap.erl\")) :name)")
+
+;; build_genesis returns {ok, [{cid, _}, {sections, _}]}
+(epoch 10)
+(eval "(erlang-eval-ast \"{ok, B} = bootstrap:build_genesis(bootstrap:read_genesis()), {Tag, _} = hd(B), Tag\")")
+
+;; The CID is a non-empty binary
+(epoch 11)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), is_binary(C)\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), byte_size(C) > 50\") :name)")
+
+;; build_genesis is deterministic across calls
+(epoch 13)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C1}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), {ok, [{cid, C2}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), C1 =:= C2\") :name)")
+
+;; build_genesis preserves the sections list
+(epoch 14)
+(eval "(erlang-eval-ast \"{ok, [_, {sections, S}]} = bootstrap:build_genesis(bootstrap:read_genesis()), length(S)\")")
+
+;; build_genesis rejects bad input shapes
+(epoch 15)
+(eval "(get (erlang-eval-ast \"case bootstrap:build_genesis({error, broken}) of {error, {bad_read_result, _}} -> ok; _ -> bad end\") :name)")
+
+;; verify_genesis returns ok when CID matches
+(epoch 20)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), bootstrap:verify_genesis(bootstrap:read_genesis(), C) =:= ok\") :name)")
+
+;; verify_genesis returns {error, {cid_mismatch, _, _}} when CID doesn't match
+(epoch 21)
+(eval "(get (erlang-eval-ast \"case bootstrap:verify_genesis(bootstrap:read_genesis(), <<99,99,99>>) of {error, {cid_mismatch, _, _}} -> ok; _ -> bad end\") :name)")
+
+;; cidhash_path concatenation
+(epoch 22)
+(eval "(get (erlang-eval-ast \"bootstrap:cidhash_path(<<110,101,120,116>>) =:= <<110,101,120,116,47,46,99,105,100,104,97,115,104>>\") :name)")
+
+;; write_cidhash + read_cidhash round-trip the bundle CID
+(epoch 23)
+(eval "(get (erlang-eval-ast \"{ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), Base = bootstrap:default_base(), ok = bootstrap:write_cidhash(Base, C), {ok, Stored} = bootstrap:read_cidhash(Base), Stored =:= C\") :name)")
+
+;; Full verify path against the persisted .cidhash
+(epoch 24)
+(eval "(get (erlang-eval-ast \"Base = bootstrap:default_base(), {ok, [{cid, C}, _]} = bootstrap:build_genesis(bootstrap:read_genesis()), ok = bootstrap:write_cidhash(Base, C), {ok, Stored} = bootstrap:read_cidhash(Base), bootstrap:verify_genesis(bootstrap:read_genesis(), Stored) =:= ok\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 180 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "bootstrap"
+check 10  "build_genesis head tag"          "cid"
+check 11  "CID is a binary"                 "true"
+check 12  "CID length > 50"                 "true"
+check 13  "build_genesis deterministic"     "true"
+check 14  "sections preserved (7 entries)"  "7"
+check 15  "build_genesis rejects bad shape" "ok"
+check 20  "verify_genesis ok when match"    "true"
+check 21  "verify_genesis errs on mismatch" "ok"
+check 22  "cidhash_path concatenation"      "true"
+check 23  "write/read_cidhash round-trip"   "true"
+check 24  "verify against persisted hash"   "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/bootstrap_build.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/bootstrap_load.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+# next/tests/bootstrap_load.sh — Step 4e acceptance test.
+#
+# Exercises bootstrap:load_genesis/1 + strip_sx_suffix/1.
+# Walks bootstrap:read_genesis output, strips .sx from each
+# filename, registers raw bytes as entries under the matching
+# kind. 13 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/registry.erl\")) :name)")
+(epoch 3)
+(eval "(get (erlang-load-module (file-read \"next/kernel/bootstrap.erl\")) :name)")
+
+;; strip_sx_suffix on "create.sx" -> "create"
+(epoch 10)
+(eval "(get (erlang-eval-ast \"bootstrap:strip_sx_suffix(<<99,114,101,97,116,101,46,115,120>>) =:= <<99,114,101,97,116,101>>\") :name)")
+
+;; strip_sx_suffix unchanged on names without .sx
+(epoch 11)
+(eval "(get (erlang-eval-ast \"bootstrap:strip_sx_suffix(<<104,101,108,108,111>>) =:= <<104,101,108,108,111>>\") :name)")
+
+;; strip_sx_suffix on exactly ".sx" -> empty binary
+(epoch 12)
+(eval "(get (erlang-eval-ast \"bootstrap:strip_sx_suffix(<<46,115,120>>) =:= <<>>\") :name)")
+
+;; load_genesis on bad input rejects with proper tag
+(epoch 13)
+(eval "(get (erlang-eval-ast \"case bootstrap:load_genesis({error, broken}) of {error, {bad_read_result, _}} -> ok; _ -> bad end\") :name)")
+
+;; Per-kind counts after load match the section file counts
+(epoch 20)
+(eval "(erlang-eval-ast \"{ok, S} = bootstrap:load_genesis(bootstrap:read_genesis()), length(registry:list(activity_types, S))\")")
+(epoch 21)
+(eval "(erlang-eval-ast \"{ok, S} = bootstrap:load_genesis(bootstrap:read_genesis()), length(registry:list(object_types, S))\")")
+(epoch 22)
+(eval "(erlang-eval-ast \"{ok, S} = bootstrap:load_genesis(bootstrap:read_genesis()), length(registry:list(projections, S))\")")
+(epoch 23)
+(eval "(erlang-eval-ast \"{ok, S} = bootstrap:load_genesis(bootstrap:read_genesis()), length(registry:list(validators, S))\")")
+(epoch 24)
+(eval "(erlang-eval-ast \"{ok, S} = bootstrap:load_genesis(bootstrap:read_genesis()), length(registry:list(codecs, S))\")")
+(epoch 25)
+(eval "(erlang-eval-ast \"{ok, S} = bootstrap:load_genesis(bootstrap:read_genesis()), length(registry:list(sig_suites, S))\")")
+(epoch 26)
+(eval "(erlang-eval-ast \"{ok, S} = bootstrap:load_genesis(bootstrap:read_genesis()), length(registry:list(audience, S))\")")
+
+;; registry:lookup retrieves a known entry's bytes
+(epoch 30)
+(eval "(get (erlang-eval-ast \"{ok, S} = bootstrap:load_genesis(bootstrap:read_genesis()), case registry:lookup(activity_types, <<99,114,101,97,116,101>>, S) of {ok, B} -> is_binary(B) and (byte_size(B) > 100); _ -> false end\") :name)")
+
+;; load_genesis is deterministic — compare via cid:to_string of state
+(epoch 31)
+(eval "(get (erlang-eval-ast \"R = bootstrap:read_genesis(), {ok, S1} = bootstrap:load_genesis(R), {ok, S2} = bootstrap:load_genesis(R), cid:to_string(S1) =:= cid:to_string(S2)\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 300 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "registry module loaded"              "registry"
+check  3  "bootstrap module loaded"             "bootstrap"
+check 10  "strip suffix create.sx -> create"    "true"
+check 11  "strip suffix hello unchanged"        "true"
+check 12  "strip suffix .sx -> empty"           "true"
+check 13  "load_genesis rejects bad shape"      "ok"
+check 20  "loaded activity_types count = 3"     "3"
+check 21  "loaded object_types count = 10"      "10"
+check 22  "loaded projections count = 7"        "7"
+check 23  "loaded validators count = 3"         "3"
+check 24  "loaded codecs count = 3"             "3"
+check 25  "loaded sig_suites count = 2"         "2"
+check 26  "loaded audience count = 3"           "3"
+check 30  "registry:lookup activity_types/create" "true"
+check 31  "load_genesis deterministic"          "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/bootstrap_load.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/bootstrap_read.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+# next/tests/bootstrap_read.sh — Step 4c acceptance test.
+#
+# Exercises bootstrap:read_genesis/0, read_section/2, sections/0,
+# section_subdir/1, ends_with_sx/1. Verifies per-section file
+# counts match the manifest authored in Steps 4a/4b. 14 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/bootstrap.erl\")) :name)")
+
+;; sections/0 returns 7 atoms
+(epoch 10)
+(eval "(erlang-eval-ast \"length(bootstrap:sections())\")")
+
+;; ends_with_sx — positive on "create.sx", negative on "hello"
+(epoch 11)
+(eval "(get (erlang-eval-ast \"bootstrap:ends_with_sx(<<99,114,101,97,116,101,46,115,120>>)\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"bootstrap:ends_with_sx(<<104,101,108,108,111>>)\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"bootstrap:ends_with_sx(<<>>)\") :name)")
+
+;; Per-section file counts match the manifest (3/10/7/3/3/2/3)
+(epoch 20)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), activity_types))\")")
+(epoch 21)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), object_types))\")")
+(epoch 22)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), projections))\")")
+(epoch 23)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), validators))\")")
+(epoch 24)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), codecs))\")")
+(epoch 25)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), sig_suites))\")")
+(epoch 26)
+(eval "(erlang-eval-ast \"length(bootstrap:read_section(bootstrap:default_base(), audience))\")")
+
+;; read_genesis/0 returns {ok, [{Section, Entries}, ...]} with 7 entries
+(epoch 30)
+(eval "(erlang-eval-ast \"{ok, G} = bootstrap:read_genesis(), length(G)\")")
+
+;; First entry is {activity_types, [_,_,_]}
+(epoch 31)
+(eval "(get (erlang-eval-ast \"{ok, G} = bootstrap:read_genesis(), {S, Entries} = hd(G), S\") :name)")
+
+;; Each entry has the right number of files
+(epoch 32)
+(eval "(erlang-eval-ast \"{ok, G} = bootstrap:read_genesis(), {_, E} = hd(G), length(E)\")")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "bootstrap"
+check 10  "sections/0 length"               "7"
+check 11  "ends_with_sx create.sx"          "true"
+check 12  "ends_with_sx hello"              "false"
+check 13  "ends_with_sx empty"              "false"
+check 20  "section activity_types count"    "3"
+check 21  "section object_types count"      "10"
+check 22  "section projections count"       "7"
+check 23  "section validators count"        "3"
+check 24  "section codecs count"            "3"
+check 25  "section sig_suites count"        "2"
+check 26  "section audience count"          "3"
+check 30  "read_genesis returns 7 sections" "7"
+check 31  "first section name"              "activity_types"
+check 32  "first section entry count"       "3"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/bootstrap_read.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/cid.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+# next/tests/cid.sh — Step 1b acceptance test.
+#
+# Loads next/kernel/nx_cid.erl into the Erlang-on-SX runtime and checks
+# the canonical CID contract: determinism, uniqueness, equality, and
+# to_string/from_string round-trip. 12 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/nx_cid.erl\")) :name)")
+
+;; from_sx returns a binary
+(epoch 10)
+(eval "(get (erlang-eval-ast \"is_binary(nx_cid:from_sx(foo))\") :name)")
+
+;; from_sx is deterministic on atoms / ints / compound terms
+(epoch 11)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(foo) =:= nx_cid:from_sx(foo)\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(42) =:= nx_cid:from_sx(42)\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx({a, [1, 2, 3]}) =:= nx_cid:from_sx({a, [1, 2, 3]})\") :name)")
+
+;; from_sx is collision-resistant on distinct terms
+(epoch 20)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(foo) =/= nx_cid:from_sx(bar)\") :name)")
+(epoch 21)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx(1) =/= nx_cid:from_sx(2)\") :name)")
+(epoch 22)
+(eval "(get (erlang-eval-ast \"nx_cid:from_sx([1, 2]) =/= nx_cid:from_sx([1, 2, 3])\") :name)")
+
+;; equals/2 is alias for =:=
+(epoch 30)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_sx(foo), nx_cid:from_sx(foo))\") :name)")
+(epoch 31)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_sx(foo), nx_cid:from_sx(bar))\") :name)")
+
+;; to_string + from_string round-trip
+(epoch 40)
+(eval "(get (erlang-eval-ast \"nx_cid:equals(nx_cid:from_string(nx_cid:to_string(nx_cid:from_sx(foo))), nx_cid:from_sx(foo))\") :name)")
+(epoch 41)
+(eval "(get (erlang-eval-ast \"is_binary(nx_cid:to_string(nx_cid:from_sx({tuple, 1, 2})))\") :name)")
+
+;; CIDv1 raw codec sha256 base32 form is around 59 chars; sanity-check length
+(epoch 50)
+(eval "(get (erlang-eval-ast \"byte_size(nx_cid:from_sx(hello)) > 50\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "nx_cid"
+check 10  "from_sx returns binary"          "true"
+check 11  "from_sx atom deterministic"      "true"
+check 12  "from_sx int deterministic"       "true"
+check 13  "from_sx compound deterministic"  "true"
+check 20  "from_sx atoms distinct"          "true"
+check 21  "from_sx ints distinct"           "true"
+check 22  "from_sx lists distinct"          "true"
+check 30  "equals same CIDs"                "true"
+check 31  "equals different CIDs"           "false"
+check 40  "to_string/from_string round-trip" "true"
+check 41  "to_string returns binary"        "true"
+check 50  "CIDv1 base32 length sanity"      "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/cid.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_canonical.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+# next/tests/envelope_canonical.sh — Step 2b acceptance test.
+#
+# Loads next/kernel/envelope.erl and checks canonical_bytes/1 contract:
+# returns a binary, deterministic across runs, invariant under
+# field-order permutation, invariant under signature changes, and
+# different for different covered content. 7 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; canonical_bytes returns a binary
+(epoch 10)
+(eval "(get (erlang-eval-ast \"is_binary(envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{published,1000},{signature,whatever}]))\") :name)")
+
+;; Determinism: same envelope twice -> same bytes
+(epoch 11)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice}])\") :name)")
+
+;; Signature stripping: different signatures -> same canonical bytes
+(epoch 12)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,sig_one}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,sig_two}])\") :name)")
+
+;; No signature vs some signature -> same canonical bytes
+(epoch 13)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{id,1},{type,create},{actor,alice},{signature,whatever}])\") :name)")
+
+;; Key-order invariance: reordering top-level fields -> same bytes
+(epoch 14)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =:= envelope:canonical_bytes([{actor,alice},{type,create},{id,1}])\") :name)")
+
+;; Changing a covered field changes the bytes
+(epoch 15)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =/= envelope:canonical_bytes([{id,2},{type,create},{actor,alice}])\") :name)")
+
+;; Distinct envelopes -> distinct bytes
+(epoch 16)
+(eval "(get (erlang-eval-ast \"envelope:canonical_bytes([{id,1},{type,create},{actor,alice}]) =/= envelope:canonical_bytes([{id,1},{type,update},{actor,bob}])\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "envelope"
+check 10  "canonical_bytes returns binary"  "true"
+check 11  "deterministic"                   "true"
+check 12  "signature stripped (changes)"    "true"
+check 13  "signature stripped (absent)"     "true"
+check 14  "key-order invariant"             "true"
+check 15  "covered field change visible"    "true"
+check 16  "distinct envelopes distinct"     "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_canonical.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_shape.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+# next/tests/envelope_shape.sh — Step 2a acceptance test.
+#
+# Loads next/kernel/envelope.erl into the Erlang-on-SX runtime and
+# checks validate_shape/1 / get_field/2 against the design §3.1 shape
+# contract. 13 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; Reusable valid envelope as Erlang text. The signature itself is a
+;; property list with key_id, algorithm, value.
+;;   E0 = [{id,1},{type,create},{actor,alice},{published,1000},
+;;         {signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]
+
+;; Complete valid envelope
+(epoch 10)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= ok\") :name)")
+
+;; Missing each top-level required field
+(epoch 11)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,id}}\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,type}}\") :name)")
+(epoch 13)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,actor}}\") :name)")
+(epoch 14)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{signature,[{key_id,k1},{algorithm,ed25519},{value,v}]}]) =:= {error,{missing_field,published}}\") :name)")
+(epoch 15)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000}]) =:= {error,{missing_field,signature}}\") :name)")
+
+;; Non-list inputs
+(epoch 16)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape(42) =:= {error,not_a_proplist}\") :name)")
+(epoch 17)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape(some_atom) =:= {error,not_a_proplist}\") :name)")
+
+;; Signature sub-shape
+(epoch 20)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{algorithm,ed25519},{value,v}]}]) =:= {error,{bad_signature,{missing_field,key_id}}}\") :name)")
+(epoch 21)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{value,v}]}]) =:= {error,{bad_signature,{missing_field,algorithm}}}\") :name)")
+(epoch 22)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,[{key_id,k1},{algorithm,ed25519}]}]) =:= {error,{bad_signature,{missing_field,value}}}\") :name)")
+(epoch 23)
+(eval "(get (erlang-eval-ast \"envelope:validate_shape([{id,1},{type,create},{actor,alice},{published,1000},{signature,not_a_proplist}]) =:= {error,{bad_signature,not_a_proplist}}\") :name)")
+
+;; get_field
+(epoch 30)
+(eval "(get (erlang-eval-ast \"envelope:get_field(actor,[{id,1},{actor,alice}]) =:= {ok,alice}\") :name)")
+(epoch 31)
+(eval "(get (erlang-eval-ast \"envelope:get_field(missing,[{id,1},{actor,alice}]) =:= not_found\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                  "envelope"
+check 10  "complete envelope -> ok"           "true"
+check 11  "missing id"                        "true"
+check 12  "missing type"                      "true"
+check 13  "missing actor"                     "true"
+check 14  "missing published"                 "true"
+check 15  "missing signature"                 "true"
+check 16  "non-list (integer)"                "true"
+check 17  "non-list (atom)"                   "true"
+check 20  "signature missing key_id"          "true"
+check 21  "signature missing algorithm"       "true"
+check 22  "signature missing value"           "true"
+check 23  "signature not a proplist"          "true"
+check 30  "get_field hit"                     "true"
+check 31  "get_field miss"                    "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_shape.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/envelope_sig.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# next/tests/envelope_sig.sh — Step 2c acceptance test.
+#
+# Exercises envelope:verify_signature/2 against the full sig pipeline:
+# canonical_bytes + crypto:hash MAC + time-aware key validity per design
+# §9.6. 10 cases.
+#
+# The signature stand-in is HMAC-shaped:
+#   sig.value = crypto:hash(sha256, <<KeyMaterial/binary, CanonicalBytes/binary>>)
+# Real Ed25519/RSA verification is deferred to milestone 2 once the
+# corresponding crypto BIFs are wired.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+# Shared Erlang prelude builds a valid-signed envelope template and an
+# actor state with one active key. Each test reuses these and asserts
+# against an Erlang =:= comparison so the result is a bare boolean.
+PRELUDE='KM = <<1,2,3,4>>, U = [{actor,alice},{id,1},{published,100},{type,create}], CB = envelope:canonical_bytes(U), Sig = crypto:hash(sha256, <<KM/binary, CB/binary>>), Env = [{actor,alice},{id,1},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], AS = [{public_keys, [[{id,k1},{created,50},{value,KM}]]}],'
+
+cat > "$TMPFILE" <<EPOCHS
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+
+;; valid sig + active key -> ok
+(epoch 10)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(Env, AS) =:= ok\") :name)")
+
+;; tampered envelope (id mutated post-sign) -> bad_signature
+(epoch 11)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Tampered = [{actor,alice},{id,999},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], envelope:verify_signature(Tampered, AS) =:= {error,bad_signature}\") :name)")
+
+;; wrong sig value (random bytes) -> bad_signature
+(epoch 12)
+(eval "(get (erlang-eval-ast \"${PRELUDE} BadEnv = [{actor,alice},{id,1},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,<<0,0,0,0>>}]}], envelope:verify_signature(BadEnv, AS) =:= {error,bad_signature}\") :name)")
+
+;; unknown key_id -> no_active_key
+(epoch 13)
+(eval "(get (erlang-eval-ast \"${PRELUDE} OtherAS = [{public_keys, [[{id,k_other},{created,50},{value,KM}]]}], envelope:verify_signature(Env, OtherAS) =:= {error,no_active_key}\") :name)")
+
+;; key superseded BEFORE published -> no_active_key
+(epoch 14)
+(eval "(get (erlang-eval-ast \"${PRELUDE} SupAS = [{public_keys, [[{id,k1},{created,50},{superseded_at,80},{value,KM}]]}], envelope:verify_signature(Env, SupAS) =:= {error,no_active_key}\") :name)")
+
+;; key superseded AFTER published -> ok (historical valid)
+(epoch 15)
+(eval "(get (erlang-eval-ast \"${PRELUDE} SupAS2 = [{public_keys, [[{id,k1},{created,50},{superseded_at,200},{value,KM}]]}], envelope:verify_signature(Env, SupAS2) =:= ok\") :name)")
+
+;; key not yet created at published -> no_active_key
+(epoch 16)
+(eval "(get (erlang-eval-ast \"${PRELUDE} FutAS = [{public_keys, [[{id,k1},{created,150},{value,KM}]]}], envelope:verify_signature(Env, FutAS) =:= {error,no_active_key}\") :name)")
+
+;; missing signature field -> no_signature
+(epoch 17)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(U, AS) =:= {error,no_signature}\") :name)")
+
+;; actor state with no public_keys field -> no_keys
+(epoch 18)
+(eval "(get (erlang-eval-ast \"${PRELUDE} envelope:verify_signature(Env, []) =:= {error,no_keys}\") :name)")
+
+;; second key in list matches when first doesn't (lookup walks list)
+(epoch 19)
+(eval "(get (erlang-eval-ast \"${PRELUDE} TwoKeys = [{public_keys, [[{id,k_other},{created,50},{value,<<9,9,9>>}], [{id,k1},{created,50},{value,KM}]]}], envelope:verify_signature(Env, TwoKeys) =:= ok\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "envelope"
+check 10  "valid sig active key"            "true"
+check 11  "tampered envelope"               "true"
+check 12  "wrong sig value"                 "true"
+check 13  "unknown key_id"                  "true"
+check 14  "key superseded before published" "true"
+check 15  "key superseded after published"  "true"
+check 16  "key not yet created"             "true"
+check 17  "missing signature field"         "true"
+check 18  "actor state no keys"             "true"
+check 19  "match second key in list"        "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/envelope_sig.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/genesis_parse.sh

@@ -0,0 +1,206 @@
+#!/usr/bin/env bash
+# next/tests/genesis_parse.sh — Step 4a acceptance test.
+#
+# Confirms the seed genesis SX files parse cleanly and have the
+# expected top-level head form. The bundler (Step 4c+) consumes
+# these forms directly as data. 50 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 10)
+(eval "(first (parse (file-read \"next/genesis/manifest.sx\")))")
+(epoch 11)
+(eval "(first (parse (file-read \"next/genesis/activity-types/create.sx\")))")
+(epoch 12)
+(eval "(first (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :activity-types))")
+(epoch 13)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/activity-types/create.sx\")))) :name)")
+(epoch 14)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :version)")
+(epoch 15)
+(eval "(first (parse (file-read \"next/genesis/activity-types/update.sx\")))")
+(epoch 16)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/activity-types/update.sx\")))) :name)")
+(epoch 17)
+(eval "(first (parse (file-read \"next/genesis/activity-types/delete.sx\")))")
+(epoch 18)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/activity-types/delete.sx\")))) :name)")
+(epoch 19)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :activity-types))")
+(epoch 30)
+(eval "(first (parse (file-read \"next/genesis/object-types/sx-artifact.sx\")))")
+(epoch 31)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/sx-artifact.sx\")))) :name)")
+(epoch 32)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/note.sx\")))) :name)")
+(epoch 33)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/tombstone.sx\")))) :name)")
+(epoch 34)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-activity.sx\")))) :name)")
+(epoch 35)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-object.sx\")))) :name)")
+(epoch 36)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-projection.sx\")))) :name)")
+(epoch 37)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-validator.sx\")))) :name)")
+(epoch 38)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-codec.sx\")))) :name)")
+(epoch 39)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/define-sig-suite.sx\")))) :name)")
+(epoch 40)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/object-types/snapshot.sx\")))) :name)")
+(epoch 41)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :object-types))")
+(epoch 50)
+(eval "(first (parse (file-read \"next/genesis/projections/activity-log.sx\")))")
+(epoch 51)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/activity-log.sx\")))) :name)")
+(epoch 52)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/by-type.sx\")))) :name)")
+(epoch 53)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/by-actor.sx\")))) :name)")
+(epoch 54)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/by-object.sx\")))) :name)")
+(epoch 55)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/actor-state.sx\")))) :name)")
+(epoch 56)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/define-registry.sx\")))) :name)")
+(epoch 57)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/projections/audience-graph.sx\")))) :name)")
+(epoch 58)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :projections))")
+(epoch 60)
+(eval "(first (parse (file-read \"next/genesis/validators/envelope-shape.sx\")))")
+(epoch 61)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/validators/envelope-shape.sx\")))) :name)")
+(epoch 62)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/validators/signature.sx\")))) :name)")
+(epoch 63)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/validators/type-schema.sx\")))) :name)")
+(epoch 64)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :validators))")
+(epoch 70)
+(eval "(first (parse (file-read \"next/genesis/codecs/dag-cbor.sx\")))")
+(epoch 71)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/dag-cbor.sx\")))) :name)")
+(epoch 72)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/raw.sx\")))) :name)")
+(epoch 73)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/codecs/dag-json.sx\")))) :name)")
+(epoch 74)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :codecs))")
+(epoch 80)
+(eval "(first (parse (file-read \"next/genesis/sig-suites/rsa-sha256-2018.sx\")))")
+(epoch 81)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/sig-suites/rsa-sha256-2018.sx\")))) :name)")
+(epoch 82)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/sig-suites/ed25519-2020.sx\")))) :name)")
+(epoch 83)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :sig-suites))")
+(epoch 90)
+(eval "(first (parse (file-read \"next/genesis/audience/public.sx\")))")
+(epoch 91)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/public.sx\")))) :name)")
+(epoch 92)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/followers.sx\")))) :name)")
+(epoch 93)
+(eval "(get (apply dict (rest (parse (file-read \"next/genesis/audience/direct.sx\")))) :name)")
+(epoch 94)
+(eval "(len (get (apply dict (rest (parse (file-read \"next/genesis/manifest.sx\")))) :audience))")
+EPOCHS
+
+OUTPUT=$(timeout 30 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check 10 "manifest.sx head form"        "GenesisManifest"
+check 11 "create.sx head form"          "DefineActivity"
+check 12 "manifest lists create.sx"     "activity-types/create.sx"
+check 13 "create.sx name is Create"     "Create"
+check 14 "manifest version present"     "0.0.1"
+check 15 "update.sx head form"          "DefineActivity"
+check 16 "update.sx name is Update"     "Update"
+check 17 "delete.sx head form"          "DefineActivity"
+check 18 "delete.sx name is Delete"     "Delete"
+check 19 "manifest has 3 activity-types" "3"
+check 30 "sx-artifact.sx head form"     "DefineObject"
+check 31 "sx-artifact.sx name"          "SXArtifact"
+check 32 "note.sx name"                 "Note"
+check 33 "tombstone.sx name"            "Tombstone"
+check 34 "define-activity.sx name"      "DefineActivity"
+check 35 "define-object.sx name"        "DefineObject"
+check 36 "define-projection.sx name"    "DefineProjection"
+check 37 "define-validator.sx name"     "DefineValidator"
+check 38 "define-codec.sx name"         "DefineCodec"
+check 39 "define-sig-suite.sx name"     "DefineSigSuite"
+check 40 "snapshot.sx name"             "Snapshot"
+check 41 "manifest has 10 object-types" "10"
+check 50 "activity-log.sx head form"    "DefineProjection"
+check 51 "activity-log.sx name"         "activity-log"
+check 52 "by-type.sx name"              "by-type"
+check 53 "by-actor.sx name"             "by-actor"
+check 54 "by-object.sx name"            "by-object"
+check 55 "actor-state.sx name"          "actor-state"
+check 56 "define-registry.sx name"      "define-registry"
+check 57 "audience-graph.sx name"       "audience-graph"
+check 58 "manifest has 7 projections"   "7"
+check 60 "envelope-shape.sx head form"  "DefineValidator"
+check 61 "envelope-shape.sx name"       "envelope-shape"
+check 62 "signature.sx name"            "signature"
+check 63 "type-schema.sx name"          "type-schema"
+check 64 "manifest has 3 validators"    "3"
+check 70 "dag-cbor.sx head form"        "DefineCodec"
+check 71 "dag-cbor.sx name"             "dag-cbor"
+check 72 "raw.sx name"                  "raw"
+check 73 "dag-json.sx name"             "dag-json"
+check 74 "manifest has 3 codecs"        "3"
+check 80 "rsa-sha256-2018.sx head form" "DefineSigSuite"
+check 81 "rsa-sha256-2018.sx name"      "rsa-sha256-2018"
+check 82 "ed25519-2020.sx name"         "ed25519-2020"
+check 83 "manifest has 2 sig-suites"    "2"
+check 90 "public.sx head form"          "DefineAudience"
+check 91 "public.sx name"               "Public"
+check 92 "followers.sx name"            "Followers"
+check 93 "direct.sx name"               "Direct"
+check 94 "manifest has 3 audience"      "3"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/genesis_parse.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/log_memory.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+# next/tests/log_memory.sh — Step 3a acceptance test.
+#
+# Exercises the in-memory log API: open/2, append/2, tip/1, replay/3,
+# entries/1. On-disk persistence is the job of Step 3b. 11 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/log.erl\")) :name)")
+
+;; Fresh log: tip is 0
+(epoch 10)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), log:tip(L) =:= 0\") :name)")
+
+;; Fresh log: entries empty
+(epoch 11)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), log:entries(L) =:= []\") :name)")
+
+;; First append returns seq 0; tip advances to 1
+(epoch 12)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, S} = log:append(L0, act_a), {S, log:tip(L1)} =:= {0, 1}\") :name)")
+
+;; Two appends: seq 0,1; tip = 2
+(epoch 13)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, S0} = log:append(L0, a), {ok, L2, S1} = log:append(L1, b), {S0, S1, log:tip(L2)} =:= {0, 1, 2}\") :name)")
+
+;; Five appends: seq sequence gap-free
+(epoch 14)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, S0} = log:append(L0, a), {ok, L2, S1} = log:append(L1, b), {ok, L3, S2} = log:append(L2, c), {ok, L4, S3} = log:append(L3, d), {ok, L5, S4} = log:append(L4, e), {S0,S1,S2,S3,S4,log:tip(L5)} =:= {0,1,2,3,4,5}\") :name)")
+
+;; entries/1 returns activities in append order
+(epoch 15)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, a), {ok, L2, _} = log:append(L1, b), {ok, L3, _} = log:append(L2, c), log:entries(L3) =:= [a, b, c]\") :name)")
+
+;; Round-trip: appended activity is recoverable byte-for-byte
+(epoch 16)
+(eval "(get (erlang-eval-ast \"Act = [{id,1},{type,create},{actor,alice}], {ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, Act), log:entries(L1) =:= [Act]\") :name)")
+
+;; Per-actor isolation: two logs are independent
+(epoch 17)
+(eval "(get (erlang-eval-ast \"{ok, LA0} = log:open(alice, base), {ok, LB0} = log:open(bob, base), {ok, LA1, _} = log:append(LA0, a), {ok, LB1, _} = log:append(LB0, b1), {ok, LB2, _} = log:append(LB1, b2), {log:tip(LA1), log:tip(LB2)} =:= {1, 2}\") :name)")
+
+;; replay/3 visits all activities in append order with monotonic seqs
+(epoch 18)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, a), {ok, L2, _} = log:append(L1, b), {ok, L3, _} = log:append(L2, c), log:replay(L3, [], fun (A, S, Acc) -> [{S, A} | Acc] end) =:= [{2,c},{1,b},{0,a}]\") :name)")
+
+;; replay over empty log: InitAcc returned unchanged
+(epoch 19)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), log:replay(L, init_acc, fun (_, _, A) -> A end) =:= init_acc\") :name)")
+
+;; replay can compute a derived state (sum of integer activities)
+(epoch 20)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, 10), {ok, L2, _} = log:append(L1, 20), {ok, L3, _} = log:append(L2, 30), log:replay(L3, 0, fun (V, _, Acc) -> V + Acc end) =:= 60\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                  "log"
+check 10  "fresh log tip is 0"                "true"
+check 11  "fresh log entries empty"           "true"
+check 12  "append returns seq 0, tip 1"       "true"
+check 13  "two appends seq 0,1; tip 2"        "true"
+check 14  "five appends gap-free"             "true"
+check 15  "entries in append order"           "true"
+check 16  "round-trip activity"               "true"
+check 17  "per-actor isolation"               "true"
+check 18  "replay visits all in order"        "true"
+check 19  "replay over empty log"             "true"
+check 20  "replay computes derived state"     "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/log_memory.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/outbox_construct.sh

@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+# next/tests/outbox_construct.sh — Step 6d-cs acceptance test.
+#
+# Exercises outbox:construct/4, outbox:sign/2, outbox:cid_of/1.
+# Closes the loop by verifying that construct→sign produces an
+# envelope that envelope:verify_signature/2 accepts. 11 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+(epoch 3)
+(eval "(get (erlang-load-module (file-read \"next/kernel/outbox.erl\")) :name)")
+
+;; construct: required fields present
+(epoch 10)
+(eval "(get (erlang-eval-ast \"Env = outbox:construct(create, alice, 100, nil), envelope:get_field(actor, Env) =:= {ok, alice}\") :name)")
+(epoch 11)
+(eval "(get (erlang-eval-ast \"Env = outbox:construct(create, alice, 100, nil), envelope:get_field(type, Env) =:= {ok, create}\") :name)")
+(epoch 12)
+(eval "(get (erlang-eval-ast \"Env = outbox:construct(create, alice, 100, nil), envelope:get_field(published, Env) =:= {ok, 100}\") :name)")
+
+;; construct: :id is a non-trivial CID
+(epoch 13)
+(eval "(get (erlang-eval-ast \"Env = outbox:construct(create, alice, 100, nil), {ok, Id} = envelope:get_field(id, Env), is_binary(Id) and (byte_size(Id) > 50)\") :name)")
+
+;; construct deterministic across calls with same args
+(epoch 14)
+(eval "(get (erlang-eval-ast \"E1 = outbox:construct(create, alice, 100, nil), E2 = outbox:construct(create, alice, 100, nil), outbox:cid_of(E1) =:= outbox:cid_of(E2)\") :name)")
+
+;; construct distinct CIDs for distinct types
+(epoch 15)
+(eval "(get (erlang-eval-ast \"E1 = outbox:construct(create, alice, 100, nil), E2 = outbox:construct(update, alice, 100, nil), outbox:cid_of(E1) =/= outbox:cid_of(E2)\") :name)")
+
+;; construct distinct CIDs for distinct timestamps
+(epoch 16)
+(eval "(get (erlang-eval-ast \"E1 = outbox:construct(create, alice, 100, nil), E2 = outbox:construct(create, alice, 101, nil), outbox:cid_of(E1) =/= outbox:cid_of(E2)\") :name)")
+
+;; sign adds a :signature field
+(epoch 17)
+(eval "(get (erlang-eval-ast \"KS = [{key_id, k1}, {algorithm, ed25519}, {value, <<1,2,3>>}], Unsigned = outbox:construct(create, alice, 100, nil), Signed = outbox:sign(Unsigned, KS), envelope:get_field(signature, Signed) =/= not_found\") :name)")
+
+;; signed envelope passes envelope:verify_signature with matching key
+(epoch 18)
+(eval "(get (erlang-eval-ast \"KM = <<1,2,3,4>>, KS = [{key_id, k1}, {algorithm, ed25519}, {value, KM}], Unsigned = outbox:construct(create, alice, 100, nil), Signed = outbox:sign(Unsigned, KS), AS = [{public_keys, [[{id, k1}, {created, 50}, {value, KM}]]}], envelope:verify_signature(Signed, AS) =:= ok\") :name)")
+
+;; signed envelope fails verify with a wrong key
+(epoch 19)
+(eval "(get (erlang-eval-ast \"KM = <<1,2,3,4>>, OtherKM = <<9,9,9,9>>, KS = [{key_id, k1}, {algorithm, ed25519}, {value, KM}], Unsigned = outbox:construct(create, alice, 100, nil), Signed = outbox:sign(Unsigned, KS), AS = [{public_keys, [[{id, k1}, {created, 50}, {value, OtherKM}]]}], envelope:verify_signature(Signed, AS) =:= {error, bad_signature}\") :name)")
+
+;; Round-trip through the full pipeline:
+;; construct → sign → stage_envelope → stage_signature → ok
+(epoch 20)
+(eval "(get (erlang-eval-ast \"KM = <<1,2,3,4>>, KS = [{key_id, k1}, {algorithm, ed25519}, {value, KM}], Unsigned = outbox:construct(create, alice, 100, nil), Signed = outbox:sign(Unsigned, KS), AS = [{public_keys, [[{id, k1}, {created, 50}, {value, KM}]]}], envelope:validate_shape(Signed) =:= ok and envelope:verify_signature(Signed, AS) =:= ok\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 180 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "envelope module loaded"             "envelope"
+check  3  "outbox module loaded"               "outbox"
+check 10  "construct sets :actor"              "true"
+check 11  "construct sets :type"               "true"
+check 12  "construct sets :published"          "true"
+check 13  "construct :id is a CID"             "true"
+check 14  "construct deterministic"            "true"
+check 15  "distinct types -> distinct CIDs"    "true"
+check 16  "distinct ts -> distinct CIDs"       "true"
+check 17  "sign adds :signature"               "true"
+check 18  "signed verifies against key"        "true"
+check 19  "signed fails against wrong key"     "true"
+check 20  "full pipeline round-trip"           "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/outbox_construct.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/outbox_publish.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# next/tests/outbox_publish.sh — Step 6d-publish acceptance test.
+#
+# Exercises outbox:publish/2 across the happy path, sig failure,
+# replay halt, and envelope-shape failure. Returns shape:
+#   {ok, [{cid, _}, {activity, _}], NewLogState}
+#   {error, Reason, LogState}
+# 10 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+# Shared prelude builds a fresh actor state, key spec, empty log,
+# and a context proplist. Each test inlines it.
+PRELUDE='KM = <<1,2,3,4>>, KS = [{key_id,k1},{algorithm,ed25519},{value,KM}], AS = [{public_keys,[[{id,k1},{created,50},{value,KM}]]}], {ok, L0} = log:open(alice, base), Ctx = [{actor_id,alice},{published,100},{key_spec,KS},{actor_state,AS},{log,L0}], Req = [{type,create},{object,nil}],'
+
+cat > "$TMPFILE" <<EPOCHS
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+(epoch 3)
+(eval "(get (erlang-load-module (file-read \"next/kernel/log.erl\")) :name)")
+(epoch 4)
+(eval "(get (erlang-load-module (file-read \"next/kernel/pipeline.erl\")) :name)")
+(epoch 5)
+(eval "(get (erlang-load-module (file-read \"next/kernel/outbox.erl\")) :name)")
+
+;; Happy path: publish returns {ok, Result, NewLog}, log tip advances
+(epoch 10)
+(eval "(get (erlang-eval-ast \"${PRELUDE} case outbox:publish(Req, Ctx) of {ok, _, NewLog} -> log:tip(NewLog) =:= 1; _ -> false end\") :name)")
+
+;; Result has :cid pointing at the activity's CID
+(epoch 11)
+(eval "(get (erlang-eval-ast \"${PRELUDE} {ok, Result, _} = outbox:publish(Req, Ctx), {ok, Cid} = envelope:get_field(cid, Result), {ok, Act} = envelope:get_field(activity, Result), outbox:cid_of(Act) =:= Cid\") :name)")
+
+;; The signed activity is in the log
+(epoch 12)
+(eval "(get (erlang-eval-ast \"${PRELUDE} {ok, Result, NewLog} = outbox:publish(Req, Ctx), {ok, Act} = envelope:get_field(activity, Result), log:entries(NewLog) =:= [Act]\") :name)")
+
+;; Replay: second publish of identical Request halts the pipeline
+(epoch 13)
+(eval "(get (erlang-eval-ast \"${PRELUDE} {ok, _, L1} = outbox:publish(Req, Ctx), Ctx2 = [{actor_id,alice},{published,100},{key_spec,KS},{actor_state,AS},{log,L1}], case outbox:publish(Req, Ctx2) of {error, replay, _} -> ok; _ -> bad end\") :name)")
+
+;; Replay returns the pre-append LogState unchanged
+(epoch 14)
+(eval "(get (erlang-eval-ast \"${PRELUDE} {ok, _, L1} = outbox:publish(Req, Ctx), Ctx2 = [{actor_id,alice},{published,100},{key_spec,KS},{actor_state,AS},{log,L1}], {error, _, L2} = outbox:publish(Req, Ctx2), log:tip(L2) =:= 1\") :name)")
+
+;; Bad key material (sig fails) -> {error, bad_signature, LogState}
+(epoch 15)
+(eval "(get (erlang-eval-ast \"${PRELUDE} OtherKM = <<9,9,9,9>>, BadKS = [{key_id,k1},{algorithm,ed25519},{value,OtherKM}], BadCtx = [{actor_id,alice},{published,100},{key_spec,BadKS},{actor_state,AS},{log,L0}], case outbox:publish(Req, BadCtx) of {error, bad_signature, _} -> ok; _ -> bad end\") :name)")
+
+;; Distinct timestamps -> two activities in log
+(epoch 16)
+(eval "(get (erlang-eval-ast \"${PRELUDE} {ok, _, L1} = outbox:publish(Req, Ctx), Ctx2 = [{actor_id,alice},{published,200},{key_spec,KS},{actor_state,AS},{log,L1}], {ok, _, L2} = outbox:publish(Req, Ctx2), log:tip(L2) =:= 2\") :name)")
+
+;; Distinct types -> distinct CIDs
+(epoch 17)
+(eval "(get (erlang-eval-ast \"${PRELUDE} {ok, R1, L1} = outbox:publish(Req, Ctx), R2 = [{type,update},{object,nil}], Ctx2 = [{actor_id,alice},{published,100},{key_spec,KS},{actor_state,AS},{log,L1}], {ok, R, _} = outbox:publish(R2, Ctx2), {ok, C1} = envelope:get_field(cid, R1), {ok, C2} = envelope:get_field(cid, R), C1 =/= C2\") :name)")
+
+;; CID stable: same Request twice (across fresh logs) -> same CID
+(epoch 18)
+(eval "(get (erlang-eval-ast \"${PRELUDE} {ok, R1, _} = outbox:publish(Req, Ctx), {ok, L0b} = log:open(alice, base), Ctx_b = [{actor_id,alice},{published,100},{key_spec,KS},{actor_state,AS},{log,L0b}], {ok, R2, _} = outbox:publish(Req, Ctx_b), {ok, C1} = envelope:get_field(cid, R1), {ok, C2} = envelope:get_field(cid, R2), C1 =:= C2\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 240 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "envelope module loaded"             "envelope"
+check  3  "log module loaded"                  "log"
+check  4  "pipeline module loaded"             "pipeline"
+check  5  "outbox module loaded"               "outbox"
+check 10  "happy path tip advances to 1"       "true"
+check 11  "result :cid matches activity"       "true"
+check 12  "signed activity in log entries"     "true"
+check 13  "duplicate publish -> replay"        "ok"
+check 14  "replay leaves log tip at 1"         "true"
+check 15  "bad key material -> bad_signature"  "ok"
+check 16  "distinct timestamps -> tip 2"       "true"
+check 17  "distinct types -> distinct CIDs"    "true"
+check 18  "same request -> same CID"           "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/outbox_publish.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/pipeline_driver.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+# next/tests/pipeline_driver.sh — Step 6a acceptance test.
+#
+# Exercises the pipeline driver: pipeline:run_stages/2,
+# validate_inbound/1, validate_outbound/1, inbound_stages/0,
+# outbound_stages/0. Concrete stages land in 6b+. 10 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/pipeline.erl\")) :name)")
+
+;; Empty stage list returns ok
+(epoch 10)
+(eval "(get (erlang-eval-ast \"pipeline:run_stages(anything, []) =:= ok\") :name)")
+
+;; All-ok stages return ok
+(epoch 11)
+(eval "(get (erlang-eval-ast \"pipeline:run_stages(anything, [fun (_) -> ok end, fun (_) -> ok end, fun (_) -> ok end]) =:= ok\") :name)")
+
+;; First failing stage halts; later stages do not run
+(epoch 12)
+(eval "(get (erlang-eval-ast \"pipeline:run_stages(anything, [fun (_) -> ok end, fun (_) -> {error, halt_here} end, fun (_) -> {error, after_halt} end]) =:= {error, halt_here}\") :name)")
+
+;; Single failing stage returns its error
+(epoch 13)
+(eval "(get (erlang-eval-ast \"pipeline:run_stages(anything, [fun (_) -> {error, bad} end]) =:= {error, bad}\") :name)")
+
+;; Stage receives the activity verbatim
+(epoch 14)
+(eval "(get (erlang-eval-ast \"pipeline:run_stages(my_act, [fun (A) -> case A of my_act -> ok; _ -> {error, wrong_arg} end end]) =:= ok\") :name)")
+
+;; inbound_stages / outbound_stages are lists (concrete stages
+;; tested in pipeline_envelope.sh; we just confirm they're lists).
+(epoch 15)
+(eval "(get (erlang-eval-ast \"is_list(pipeline:inbound_stages())\") :name)")
+(epoch 16)
+(eval "(get (erlang-eval-ast \"is_list(pipeline:outbound_stages())\") :name)")
+
+;; Driver-only invariants: explicit empty list with the wrappers
+;; semantics is exercised via run_stages directly.
+(epoch 17)
+(eval "(get (erlang-eval-ast \"pipeline:run_stages(anything, []) =:= ok\") :name)")
+(epoch 18)
+(eval "(get (erlang-eval-ast \"pipeline:run_stages(my_act, [fun (_) -> ok end]) =:= ok\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                "pipeline"
+check 10  "empty stage list -> ok"          "true"
+check 11  "all-ok stages -> ok"             "true"
+check 12  "first failure halts pipeline"    "true"
+check 13  "single failing stage"            "true"
+check 14  "stage receives activity verbatim" "true"
+check 15  "inbound_stages is a list"        "true"
+check 16  "outbound_stages is a list"       "true"
+check 17  "run_stages empty -> ok"          "true"
+check 18  "run_stages single ok stage"      "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/pipeline_driver.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/pipeline_envelope.sh

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+# next/tests/pipeline_envelope.sh — Step 6b acceptance test.
+#
+# Exercises stage_envelope/1 directly and via validate_inbound /
+# validate_outbound. The envelope module must be loaded first
+# because stage_envelope delegates to envelope:validate_shape/1.
+# 10 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+(epoch 3)
+(eval "(get (erlang-load-module (file-read \"next/kernel/pipeline.erl\")) :name)")
+
+;; Stage list now has exactly one stage
+(epoch 10)
+(eval "(erlang-eval-ast \"length(pipeline:inbound_stages())\")")
+(epoch 11)
+(eval "(erlang-eval-ast \"length(pipeline:outbound_stages())\")")
+
+;; stage_envelope on a valid envelope returns ok
+(epoch 12)
+(eval "(get (erlang-eval-ast \"pipeline:stage_envelope([{id,1},{type,create},{actor,a},{published,1},{signature,[{key_id,k},{algorithm,e},{value,v}]}]) =:= ok\") :name)")
+
+;; stage_envelope on a non-list returns {error, not_a_proplist}
+(epoch 13)
+(eval "(get (erlang-eval-ast \"pipeline:stage_envelope(not_a_list) =:= {error, not_a_proplist}\") :name)")
+
+;; stage_envelope on missing id surfaces the missing-field error
+(epoch 14)
+(eval "(get (erlang-eval-ast \"case pipeline:stage_envelope([{type,create}]) of {error, {missing_field, id}} -> ok; _ -> bad end\") :name)")
+
+;; validate_inbound runs stage_envelope and returns ok for valid input
+(epoch 15)
+(eval "(get (erlang-eval-ast \"pipeline:validate_inbound([{id,1},{type,create},{actor,a},{published,1},{signature,[{key_id,k},{algorithm,e},{value,v}]}]) =:= ok\") :name)")
+
+;; validate_inbound short-circuits with the envelope error
+(epoch 16)
+(eval "(get (erlang-eval-ast \"case pipeline:validate_inbound([{type,create}]) of {error, {missing_field, id}} -> ok; _ -> bad end\") :name)")
+
+;; validate_outbound likewise
+(epoch 17)
+(eval "(get (erlang-eval-ast \"pipeline:validate_outbound([{id,1},{type,create},{actor,a},{published,1},{signature,[{key_id,k},{algorithm,e},{value,v}]}]) =:= ok\") :name)")
+(epoch 18)
+(eval "(get (erlang-eval-ast \"case pipeline:validate_outbound([{id,1},{actor,a}]) of {error, _} -> ok; _ -> bad end\") :name)")
+
+;; Signature-subfield missing surfaces nested error tag
+(epoch 19)
+(eval "(get (erlang-eval-ast \"case pipeline:validate_inbound([{id,1},{type,create},{actor,a},{published,1},{signature,[{key_id,k}]}]) of {error, {bad_signature, _}} -> ok; _ -> bad end\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "envelope module loaded"           "envelope"
+check  3  "pipeline module loaded"           "pipeline"
+check 10  "inbound_stages length = 1"        "1"
+check 11  "outbound_stages length = 1"       "1"
+check 12  "stage_envelope ok on valid"       "true"
+check 13  "stage_envelope errs on non-list"  "true"
+check 14  "stage_envelope missing id error"  "ok"
+check 15  "validate_inbound ok on valid"     "true"
+check 16  "validate_inbound surfaces error"  "ok"
+check 17  "validate_outbound ok on valid"    "true"
+check 18  "validate_outbound errs on bad"    "ok"
+check 19  "nested bad_signature surfaces"    "ok"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/pipeline_envelope.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/pipeline_replay.sh

@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+# next/tests/pipeline_replay.sh — Step 6c acceptance test.
+#
+# Exercises pipeline:stage_replay/2 (direct) and stage_replay/1
+# (factory) against the in-memory log from Step 3a. Composability
+# with stage_envelope verified. 10 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+(epoch 3)
+(eval "(get (erlang-load-module (file-read \"next/kernel/log.erl\")) :name)")
+(epoch 4)
+(eval "(get (erlang-load-module (file-read \"next/kernel/pipeline.erl\")) :name)")
+
+;; New activity in an empty log is ok
+(epoch 10)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), Act = [{id, a1}, {type, create}], pipeline:stage_replay(Act, L) =:= ok\") :name)")
+
+;; Same activity already in log -> {error, replay}
+(epoch 11)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), Act = [{id, a1}, {type, create}], {ok, L1, _} = log:append(L0, Act), pipeline:stage_replay(Act, L1) =:= {error, replay}\") :name)")
+
+;; Different :id is still ok even if log non-empty
+(epoch 12)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, [{id, a1}, {type, create}]), pipeline:stage_replay([{id, a2}, {type, create}], L1) =:= ok\") :name)")
+
+;; No :id field -> {error, no_id}
+(epoch 13)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), pipeline:stage_replay([{type, create}], L) =:= {error, no_id}\") :name)")
+
+;; Match against the second log entry (linear scan walks all entries)
+(epoch 14)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), {ok, L1, _} = log:append(L0, [{id, a1}, {type, create}]), {ok, L2, _} = log:append(L1, [{id, a2}, {type, create}]), pipeline:stage_replay([{id, a2}, {type, update}], L2) =:= {error, replay}\") :name)")
+
+;; stage_replay/1 factory returns a fun
+(epoch 15)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), is_function(pipeline:stage_replay(L))\") :name)")
+
+;; Factory + run_stages: fresh activity flows through
+(epoch 16)
+(eval "(get (erlang-eval-ast \"{ok, L} = log:open(alice, base), Act = [{id, a1}, {type, create}], Stages = [pipeline:stage_replay(L)], pipeline:run_stages(Act, Stages) =:= ok\") :name)")
+
+;; Factory + run_stages: replay halts the pipeline
+(epoch 17)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), Act = [{id, a1}, {type, create}], {ok, L1, _} = log:append(L0, Act), Stages = [pipeline:stage_replay(L1)], pipeline:run_stages(Act, Stages) =:= {error, replay}\") :name)")
+
+;; Composed with stage_envelope: envelope error precedes replay check
+(epoch 18)
+(eval "(get (erlang-eval-ast \"{ok, L0} = log:open(alice, base), Act = [{id, a1}, {type, create}, {actor, a}, {published, 1}, {signature, [{key_id, k}, {algorithm, e}, {value, v}]}], {ok, L1, _} = log:append(L0, Act), Stages = [fun (A) -> pipeline:stage_envelope(A) end, pipeline:stage_replay(L1)], pipeline:run_stages(Act, Stages) =:= {error, replay}\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 180 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "envelope module loaded"           "envelope"
+check  3  "log module loaded"                "log"
+check  4  "pipeline module loaded"           "pipeline"
+check 10  "new activity in empty log -> ok"  "true"
+check 11  "same id -> {error, replay}"       "true"
+check 12  "different id still ok"            "true"
+check 13  "no :id -> {error, no_id}"         "true"
+check 14  "match second log entry"           "true"
+check 15  "stage_replay/1 returns fun"       "true"
+check 16  "factory + run_stages: ok"         "true"
+check 17  "factory + run_stages: halts"      "true"
+check 18  "composed envelope+replay halts"   "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/pipeline_replay.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/pipeline_signature.sh

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+# next/tests/pipeline_signature.sh — Step 6b-sig acceptance test.
+#
+# Exercises pipeline:stage_signature/2 (direct) and stage_signature/1
+# (factory). The factory returns a 1-arity stage fun bound to the
+# given actor-state so it can be folded into a stage list by the
+# pipeline driver alongside stage_envelope. 10 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+# Shared Erlang prelude builds a valid signed envelope + actor
+# state — same shape as next/tests/envelope_sig.sh from Step 2c.
+PRELUDE='KM = <<1,2,3,4>>, U = [{actor,alice},{id,1},{published,100},{type,create}], CB = envelope:canonical_bytes(U), Sig = crypto:hash(sha256, <<KM/binary, CB/binary>>), Env = [{actor,alice},{id,1},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], AS = [{public_keys, [[{id,k1},{created,50},{value,KM}]]}],'
+
+cat > "$TMPFILE" <<EPOCHS
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/envelope.erl\")) :name)")
+(epoch 3)
+(eval "(get (erlang-load-module (file-read \"next/kernel/pipeline.erl\")) :name)")
+
+;; Direct 2-arity stage_signature on a valid signed envelope returns ok
+(epoch 10)
+(eval "(get (erlang-eval-ast \"${PRELUDE} pipeline:stage_signature(Env, AS) =:= ok\") :name)")
+
+;; Tampered envelope returns the proper error tag
+(epoch 11)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Tampered = [{actor,alice},{id,999},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], pipeline:stage_signature(Tampered, AS) =:= {error,bad_signature}\") :name)")
+
+;; Missing signature -> no_signature
+(epoch 12)
+(eval "(get (erlang-eval-ast \"${PRELUDE} pipeline:stage_signature(U, AS) =:= {error,no_signature}\") :name)")
+
+;; stage_signature/1 returns a function
+(epoch 13)
+(eval "(get (erlang-eval-ast \"is_function(pipeline:stage_signature([{public_keys, []}]))\") :name)")
+
+;; stage_signature/1 factory: built stage returns ok on valid input
+(epoch 14)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Stage = pipeline:stage_signature(AS), Stage(Env) =:= ok\") :name)")
+
+;; stage_signature/1 factory: built stage returns error on tampered input
+(epoch 15)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Stage = pipeline:stage_signature(AS), Tampered = [{actor,alice},{id,999},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], Stage(Tampered) =:= {error,bad_signature}\") :name)")
+
+;; Composable: envelope + signature stages folded together via run_stages
+(epoch 16)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Stages = [fun (A) -> pipeline:stage_envelope(A) end, pipeline:stage_signature(AS)], pipeline:run_stages(Env, Stages) =:= ok\") :name)")
+
+;; Composable + halt: envelope stage fails first, signature never runs
+(epoch 17)
+(eval "(get (erlang-eval-ast \"${PRELUDE} BadShape = [{type,create}], Stages = [fun (A) -> pipeline:stage_envelope(A) end, pipeline:stage_signature(AS)], case pipeline:run_stages(BadShape, Stages) of {error, {missing_field, _}} -> ok; _ -> bad end\") :name)")
+
+;; Composable + halt: envelope OK, signature fails -> sig error surfaces
+(epoch 18)
+(eval "(get (erlang-eval-ast \"${PRELUDE} Tampered = [{actor,alice},{id,999},{published,100},{type,create},{signature,[{algorithm,ed25519},{key_id,k1},{value,Sig}]}], Stages = [fun (A) -> pipeline:stage_envelope(A) end, pipeline:stage_signature(AS)], pipeline:run_stages(Tampered, Stages) =:= {error,bad_signature}\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 180 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "envelope module loaded"             "envelope"
+check  3  "pipeline module loaded"             "pipeline"
+check 10  "stage_signature/2 valid -> ok"      "true"
+check 11  "stage_signature/2 tampered"         "true"
+check 12  "stage_signature/2 no sig"           "true"
+check 13  "stage_signature/1 returns fun"      "true"
+check 14  "factory stage valid -> ok"          "true"
+check 15  "factory stage tampered"             "true"
+check 16  "envelope+sig composed ok"           "true"
+check 17  "halt on envelope before sig"        "ok"
+check 18  "sig error after envelope ok"        "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/pipeline_signature.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/projection_pure.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+# next/tests/projection_pure.sh — Step 7a acceptance test.
+#
+# Exercises the pure-functional projection driver:
+#   new/2,3, fold_activity/2, replay/2, name/1, state/1, fold_fn/1.
+# Fold bodies are Erlang funs in v1; SX-source eval bridge will
+# plug into the same record later. 12 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/projection.erl\")) :name)")
+
+;; new/2 sets initial state to the supplied value
+(epoch 10)
+(eval "(get (erlang-eval-ast \"P = projection:new(activity_log, init_state), projection:state(P) =:= init_state\") :name)")
+
+;; new/2 default fold is identity
+(epoch 11)
+(eval "(get (erlang-eval-ast \"P = projection:new(activity_log, base), P1 = projection:fold_activity(P, anything), projection:state(P1) =:= base\") :name)")
+
+;; new/3 stores supplied fold
+(epoch 12)
+(eval "(get (erlang-eval-ast \"P = projection:new(counter, 0, fun (_A, S) -> S + 1 end), is_function(projection:fold_fn(P))\") :name)")
+
+;; fold_activity threads through the fold fn
+(epoch 13)
+(eval "(erlang-eval-ast \"P = projection:new(counter, 0, fun (_A, S) -> S + 1 end), P1 = projection:fold_activity(P, x), projection:state(P1)\")")
+
+;; Two fold_activity calls accumulate
+(epoch 14)
+(eval "(erlang-eval-ast \"P = projection:new(counter, 0, fun (_A, S) -> S + 1 end), P1 = projection:fold_activity(P, a), P2 = projection:fold_activity(P1, b), projection:state(P2)\")")
+
+;; replay over a list
+(epoch 15)
+(eval "(erlang-eval-ast \"P = projection:new(counter, 0, fun (_A, S) -> S + 1 end), P1 = projection:replay(P, [a, b, c, d, e]), projection:state(P1)\")")
+
+;; replay over [] returns the projection unchanged (state preserved)
+(epoch 16)
+(eval "(erlang-eval-ast \"P = projection:new(counter, 99, fun (_A, S) -> S + 1 end), P1 = projection:replay(P, []), projection:state(P1)\")")
+
+;; Fold can read activity content (here append it)
+(epoch 17)
+(eval "(get (erlang-eval-ast \"P = projection:new(byname, [], fun (A, S) -> [A | S] end), P1 = projection:replay(P, [a, b, c]), projection:state(P1) =:= [c, b, a]\") :name)")
+
+;; Different projections are independent (different fold bodies)
+(epoch 18)
+(eval "(get (erlang-eval-ast \"P1 = projection:new(p_count, 0, fun (_A, S) -> S + 1 end), P2 = projection:new(p_collect, [], fun (A, S) -> [A | S] end), R1 = projection:replay(P1, [a, b, c]), R2 = projection:replay(P2, [a, b, c]), {projection:state(R1), projection:state(R2)} =:= {3, [c, b, a]}\") :name)")
+
+;; Name accessor
+(epoch 19)
+(eval "(get (erlang-eval-ast \"projection:name(projection:new(some_name, init)) =:= some_name\") :name)")
+
+;; Multi-step replay: aggregator by activity tag
+(epoch 20)
+(eval "(get (erlang-eval-ast \"By = fun (A, S) -> case A of {tag, T} -> [T | S]; _ -> S end end, P = projection:new(tag_log, [], By), P1 = projection:replay(P, [{tag, foo}, plain, {tag, bar}, {tag, baz}]), projection:state(P1) =:= [baz, bar, foo]\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                  "projection"
+check 10  "new/2 stores initial state"        "true"
+check 11  "default fold is identity"          "true"
+check 12  "new/3 stores fold fn"              "true"
+check 13  "fold_activity threads fn"          "1"
+check 14  "two folds accumulate"              "2"
+check 15  "replay over 5 activities"          "5"
+check 16  "replay over [] preserves state"    "99"
+check 17  "fold can read activity content"    "true"
+check 18  "different projections indep."      "true"
+check 19  "name accessor"                     "true"
+check 20  "tag-aware fold (replay)"           "true"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/projection_pure.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/registry_pure.sh

@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+# next/tests/registry_pure.sh — Step 5a acceptance test.
+#
+# Exercises the pure-functional registry API: new/0, kinds/0,
+# register/4, lookup/3, list/2. State threading is verified
+# by chaining register calls and inspecting the final state.
+# 13 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+
+(epoch 2)
+(eval "(get (erlang-load-module (file-read \"next/kernel/registry.erl\")) :name)")
+
+;; new/0 returns []
+(epoch 10)
+(eval "(get (erlang-eval-ast \"registry:new() =:= []\") :name)")
+
+;; kinds/0 has 7 entries
+(epoch 11)
+(eval "(erlang-eval-ast \"length(registry:kinds())\")")
+
+;; kinds/0 includes activity_types
+(epoch 12)
+(eval "(get (erlang-eval-ast \"lists:member(activity_types, registry:kinds())\") :name)")
+
+;; register + lookup round-trip
+(epoch 13)
+(eval "(get (erlang-eval-ast \"{ok, S} = registry:register(activity_types, create, [{cid, c1}], registry:new()), registry:lookup(activity_types, create, S) =:= {ok, [{cid, c1}]}\") :name)")
+
+;; lookup on empty registry returns not_found
+(epoch 14)
+(eval "(get (erlang-eval-ast \"registry:lookup(activity_types, anything, registry:new()) =:= not_found\") :name)")
+
+;; lookup on unknown kind returns {error, unknown_kind}
+(epoch 15)
+(eval "(get (erlang-eval-ast \"case registry:lookup(bogus_kind, foo, registry:new()) of {error, unknown_kind} -> ok; _ -> bad end\") :name)")
+
+;; register on unknown kind returns {error, unknown_kind}
+(epoch 16)
+(eval "(get (erlang-eval-ast \"case registry:register(bogus_kind, foo, bar, registry:new()) of {error, unknown_kind} -> ok; _ -> bad end\") :name)")
+
+;; list of empty kind returns []
+(epoch 17)
+(eval "(get (erlang-eval-ast \"registry:list(activity_types, registry:new()) =:= []\") :name)")
+
+;; Three registers + list returns 3 pairs
+(epoch 18)
+(eval "(erlang-eval-ast \"{ok, S1} = registry:register(activity_types, create, e1, registry:new()), {ok, S2} = registry:register(activity_types, update, e2, S1), {ok, S3} = registry:register(activity_types, delete, e3, S2), length(registry:list(activity_types, S3))\")")
+
+;; Re-registering same name overrides previous entry
+(epoch 19)
+(eval "(get (erlang-eval-ast \"{ok, S1} = registry:register(activity_types, create, v1, registry:new()), {ok, S2} = registry:register(activity_types, create, v2, S1), registry:lookup(activity_types, create, S2) =:= {ok, v2}\") :name)")
+
+;; Re-registering same name keeps list length at 1
+(epoch 20)
+(eval "(erlang-eval-ast \"{ok, S1} = registry:register(activity_types, create, v1, registry:new()), {ok, S2} = registry:register(activity_types, create, v2, S1), length(registry:list(activity_types, S2))\")")
+
+;; Different kinds are independent
+(epoch 21)
+(eval "(erlang-eval-ast \"{ok, S1} = registry:register(activity_types, x, 1, registry:new()), {ok, S2} = registry:register(object_types, x, 2, S1), {registry:lookup(activity_types, x, S2), registry:lookup(object_types, x, S2)} =:= {{ok, 1}, {ok, 2}}\")")
+
+;; list on unknown kind returns {error, unknown_kind}
+(epoch 22)
+(eval "(get (erlang-eval-ast \"case registry:list(bogus_kind, registry:new()) of {error, unknown_kind} -> ok; _ -> bad end\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "module load name"                    "registry"
+check 10  "new/0 returns []"                    "true"
+check 11  "kinds/0 length"                      "7"
+check 12  "kinds/0 includes activity_types"     "true"
+check 13  "register + lookup round-trip"        "true"
+check 14  "lookup empty -> not_found"           "true"
+check 15  "lookup bogus kind"                   "ok"
+check 16  "register bogus kind"                 "ok"
+check 17  "list empty kind -> []"               "true"
+check 18  "three registers, list returns 3"     "3"
+check 19  "re-register overrides entry"         "true"
+check 20  "re-register doesn't grow list"       "1"
+check 21  "different kinds independent"         "true"
+check 22  "list bogus kind"                     "ok"
+
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/registry_pure.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

next/tests/registry_server.sh

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+# next/tests/registry_server.sh — Step 5b acceptance test.
+#
+# Exercises the gen_server-wrapped registry. Each test combines
+# start_link + operations + assertion into a single
+# erlang-eval-ast expression because the Erlang-on-SX scheduler
+# does not preserve spawned processes across separate eval
+# invocations. 10 cases.
+
+set -uo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+SX_SERVER="${SX_SERVER:-hosts/ocaml/_build/default/bin/sx_server.exe}"
+if [ ! -x "$SX_SERVER" ]; then
+  SX_SERVER="/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe"
+fi
+if [ ! -x "$SX_SERVER" ]; then
+  echo "ERROR: sx_server.exe not found." >&2
+  exit 1
+fi
+
+VERBOSE="${1:-}"
+PASS=0; FAIL=0; ERRORS=""
+TMPFILE=$(mktemp); trap "rm -f $TMPFILE" EXIT
+
+cat > "$TMPFILE" <<'EPOCHS'
+(epoch 1)
+(load "lib/erlang/tokenizer.sx")
+(load "lib/erlang/parser.sx")
+(load "lib/erlang/parser-core.sx")
+(load "lib/erlang/parser-expr.sx")
+(load "lib/erlang/parser-module.sx")
+(load "lib/erlang/transpile.sx")
+(load "lib/erlang/runtime.sx")
+(load "lib/erlang/vm/dispatcher.sx")
+(epoch 2)
+(eval "(er-load-gen-server!)")
+(epoch 3)
+(eval "(get (erlang-load-module (file-read \"next/kernel/registry.erl\")) :name)")
+
+;; start_link returns a Pid
+(epoch 10)
+(eval "(get (erlang-eval-ast \"is_pid(registry:start_link())\") :name)")
+
+;; register + lookup round-trip
+(epoch 11)
+(eval "(get (erlang-eval-ast \"registry:start_link(), registry:register(activity_types, create, e1), registry:lookup(activity_types, create) =:= {ok, e1}\") :name)")
+
+;; lookup unknown name returns not_found
+(epoch 12)
+(eval "(get (erlang-eval-ast \"registry:start_link(), registry:lookup(activity_types, missing) =:= not_found\") :name)")
+
+;; register returns the atom 'ok'
+(epoch 13)
+(eval "(get (erlang-eval-ast \"registry:start_link(), registry:register(object_types, note, e_n) =:= ok\") :name)")
+
+;; list returns all pairs in a kind
+(epoch 14)
+(eval "(erlang-eval-ast \"registry:start_link(), registry:register(activity_types, a, 1), registry:register(activity_types, b, 2), registry:register(activity_types, c, 3), length(registry:list(activity_types))\")")
+
+;; Re-register overrides without growing the list
+(epoch 15)
+(eval "(erlang-eval-ast \"registry:start_link(), registry:register(activity_types, a, v1), registry:register(activity_types, a, v2), length(registry:list(activity_types))\")")
+(epoch 16)
+(eval "(get (erlang-eval-ast \"registry:start_link(), registry:register(activity_types, a, v1), registry:register(activity_types, a, v2), registry:lookup(activity_types, a) =:= {ok, v2}\") :name)")
+
+;; State persists across multiple calls in the same expression
+(epoch 17)
+(eval "(erlang-eval-ast \"registry:start_link(), registry:register(activity_types, x, 1), registry:register(object_types, x, 2), {registry:lookup(activity_types, x), registry:lookup(object_types, x)} =:= {{ok, 1}, {ok, 2}}\")")
+
+;; Unknown kind rejected via gen_server too
+(epoch 18)
+(eval "(get (erlang-eval-ast \"registry:start_link(), case registry:lookup(bogus_kind, foo) of {error, unknown_kind} -> ok; _ -> bad end\") :name)")
+
+;; Empty kind list returns []
+(epoch 19)
+(eval "(get (erlang-eval-ast \"registry:start_link(), registry:list(validators) =:= []\") :name)")
+EPOCHS
+
+OUTPUT=$(timeout 120 "$SX_SERVER" < "$TMPFILE" 2>/dev/null)
+
+check() {
+  local epoch="$1" desc="$2" expected="$3"
+  local actual
+  actual=$(echo "$OUTPUT" | awk -v e="$epoch" '
+    $0 ~ "^\\(ok-len " e " " { getline; print; exit }
+    $0 ~ "^\\(ok " e " "     { print; exit }
+    $0 ~ "^\\(error " e " "  { print; exit }
+  ')
+  [ -z "$actual" ] && actual="<no output for epoch $epoch>"
+  if echo "$actual" | grep -qF -- "$expected"; then
+    PASS=$((PASS+1))
+    [ "$VERBOSE" = "-v" ] && echo "  ok $desc"
+  else
+    FAIL=$((FAIL+1))
+    ERRORS+="  FAIL [$desc] (epoch $epoch) expected: $expected | actual: $actual
+"
+  fi
+}
+
+check  2  "gen_server loaded"                "gen_server"
+check  3  "registry module loaded"           "registry"
+check 10  "start_link returns Pid"           "true"
+check 11  "register + lookup round-trip"     "true"
+check 12  "lookup missing -> not_found"      "true"
+check 13  "register returns ok atom"         "true"
+check 14  "three registers, list = 3"        "3"
+check 15  "re-register doesn't grow list"    "1"
+check 16  "re-register overrides value"      "true"
+check 17  "different kinds independent"      "true"
+check 18  "lookup bogus kind"                "ok"
+check 19  "empty kind list = []"             "true"
+
+# 12 cases total (epoch 2 + 3 are setup, but counted for honesty)
+TOTAL=$((PASS+FAIL))
+if [ $FAIL -eq 0 ]; then
+  echo "ok $PASS/$TOTAL next/tests/registry_server.sh passed"
+else
+  echo "FAIL $PASS/$TOTAL passed, $FAIL failed:"
+  echo "$ERRORS"
+fi
+[ $FAIL -eq 0 ]

plans/fed-sx-milestone-1.md

@@ -99,6 +99,10 @@ in isolation, and a clear acceptance check.
 
 ## Step 1 — Repo skeleton + canonical CID
 
+**Sub-deliverables:**
+- [x] **1a** — `next/` directory skeleton, README, `.gitignore` for `data/`
+- [x] **1b** — `next/kernel/nx_cid.erl` (from_sx/to_string/from_string/equals) + `next/tests/cid.sh` (13 cases). Module is `nx_cid` not `cid` — the `cid` BIF module would be shadowed by a user module of the same name; plan §Step 1's `cid.erl` is illustrative per briefing.
+
 **Deliverables:**
 
 ```
@@ -146,6 +150,11 @@ canonicalize_sx(V) -> ...                  % sorts dict keys, normalizes strings
 
 ## Step 2 — Activity envelope + signature verify
 
+**Sub-deliverables:**
+- [x] **2a** — `next/kernel/envelope.erl` `validate_shape/1` + `get_field/2` (property-list envelope; Erlang maps `#{}` not supported in this port) + `next/tests/envelope_shape.sh` (15 cases)
+- [x] **2b** — `canonical_bytes/1` over sig-stripped, key-sorted envelope (deterministic textual form via `cid:to_string` substrate; dag-cbor stand-in for v1) + `next/tests/envelope_canonical.sh` (8 cases)
+- [x] **2c** — `verify_signature/2` against actor `public_keys`, time-aware key validity per design §9.6 (created ≤ published, optional supersession check) + `next/tests/envelope_sig.sh` (11 cases). Signature scheme is HMAC-shaped (`crypto:hash(sha256, KeyMaterial ++ canonical_bytes)`) — RSA/Ed25519 verify deferred to m2 (BIFs not yet wired).
+
 **Deliverables:**
 
 ```erlang
@@ -186,6 +195,13 @@ verify_signature(Activity, ActorState) ->
 
 ## Step 3 — JSONL log + sequence numbers
 
+**Sub-deliverables:**
+- [x] **3a** — `log:open/2` + `log:append/2` + `log:tip/1` + `log:replay/3` + `log:entries/1` over an in-memory log state (per-actor seq; replay in append order; round-trip the stored activity). `next/tests/log_memory.sh` (12 cases).
+- [ ] **3b** — *Parked behind substrate gap (see Blockers below).* Term codec + on-disk persistence: serializer/parser writing each activity as a JSONL-style line; restart-resumes-tip from the segment file.
+- [ ] **3c** — Segment rotation at size threshold + gen_server-mediated concurrent appends.
+
+**Blockers (Step 3b):** The Erlang port returns SX strings (an opaque OCaml-string type) from `atom_to_list/1` and `integer_to_list/1`, rejects them from `++`/list pattern matching, and does not register `binary_to_list`/`list_to_binary`. `$X` character literals decode to `nil` in `parse-number`. Net effect: there is no in-Erlang path from an arbitrary term to a byte sequence (or back) that doesn't go through a temp-file round-trip through the filesystem. Workaround paths: (a) add a `term_to_binary`/`binary_to_term` BIF in a separate substrate loop, (b) accept a filesystem-mediated SX-string→binary helper and live with the O(N) IO cost, (c) restrict the on-disk format to a binary-only encoding with a per-instance atom-id table for atoms (introduces an extra durability dependency). Decision to defer; revisit once a downstream Step (5–8) forces the issue or a substrate BIF arrives. In-memory log from 3a is sufficient to unblock Step 5+ which consume the API surface.
+
 **Deliverables:**
 
 ```erlang
@@ -227,6 +243,17 @@ replay(LogState, InitAcc, Fun) -> ...
 
 ## Step 4 — Genesis bundle
 
+**Sub-deliverables:**
+- [x] **4a** — Seed genesis SX file authoring: `next/genesis/manifest.sx` + `next/genesis/activity-types/create.sx`. Manifest uses bare parenthesised paths (data lists, not `(list ...)` calls — consumed by `parse`, not `eval`). `next/tests/genesis_parse.sh` (5 cases).
+- [x] **4b-act** — Remaining activity-types: `update.sx` + `delete.sx`, manifest updated, parse tests (10 cases total in `genesis_parse.sh`)
+- [x] **4b-obj** — Object-types: SXArtifact, Note, Tombstone, DefineActivity, DefineObject, DefineProjection, DefineValidator, DefineCodec, DefineSigSuite, Snapshot — 10 `DefineObject` files + manifest updated + 12 new parse tests
+- [x] **4b-proj** — Projections: activity-log, by-type, by-actor, by-object, actor-state, define-registry, audience-graph — 7 `DefineProjection` files + manifest updated + 9 new parse tests
+- [x] **4b-vld** — Validators: envelope-shape, signature, type-schema — 3 `DefineValidator` files + manifest updated + 5 new parse tests
+- [x] **4b-cod** — Codecs (dag-cbor, raw, dag-json) + sig-suites (rsa-sha256-2018, ed25519-2020) + audience predicates (Public, Followers, Direct) — 8 SX files + manifest fully populated + 14 new parse tests
+- [x] **4c** — `bootstrap:read_genesis/0,1` + `read_section/2` + `sections/0` + `section_subdir/1` + `ends_with_sx/1` in Erlang: walk seven hardcoded section subdirs, filter `.sx` files via byte-pattern suffix match, read each into a binary. Returns `{ok, [{Section, [{Name, Bytes}, ...]}, ...]}`. Skips SX parsing — the substrate has no in-Erlang binary→SX-term path (same gap as Step 3b); bundle CID over raw bytes is enough for Step 4d. `next/tests/bootstrap_read.sh` (15 cases).
+- [x] **4d** — `bootstrap:build_genesis/1` + `verify_genesis/2` + `cidhash_path/1` + `write_cidhash/2` + `read_cidhash/1`: bundle CID via host `cid:to_string` over `{genesis_bundle, Sections}`; mismatch returns `{error, {cid_mismatch, Got, Expected}}`; `.cidhash` sibling file persists between runs. `next/tests/bootstrap_build.sh` (12 cases).
+- [x] **4e** — `bootstrap:load_genesis/1` + `strip_sx_suffix/1`: bridges `read_genesis` output into `registry` entries. Section atom = registry kind; entry name = filename minus `.sx` (binary); entry value = raw file bytes (parsed forms replace these once an SX-parser bridge exists). `next/tests/bootstrap_load.sh` (15 cases).
+
 **Deliverables:**
 
 Genesis bundle SX sources (per design §12.2). Each is a small SX file authored
@@ -310,6 +337,12 @@ created with a known stable CID.
 
 ## Step 5 — Registry mechanism + bootstrap dispatch
 
+**Sub-deliverables:**
+- [x] **5a** — Pure-functional `next/kernel/registry.erl`: `new/0`, `kinds/0`, `register/4`, `lookup/3`, `list/2`. State is a property list keyed by kind atom; per-kind storage is a property list of `{Name, Entry}`. Unknown kinds rejected with `{error, unknown_kind}`. `next/tests/registry_pure.sh` (14 cases).
+- [x] **5b** — gen_server wrapper around the pure registry: `start_link/0`, registered name `registry`, `register/3 lookup/2 list/1 stop/0` API delegating through `gen_server:call`. `next/tests/registry_server.sh` (12 cases). Port note: each test combines start_link + ops in a single expression because spawned processes don't survive across separate `erlang-eval-ast` invocations.
+- [ ] **5c** — `bootstrap:load_genesis/1` (Step 4e) populates the registry from `read_genesis` output. Dispatches by section atom → kind.
+- [ ] **5d** — define-registry projection fold integration: incoming `Create{Define*}` activities are routed through the projection scheduler (Step 7) and update the registry.
+
 **Deliverables:**
 
 Registries are gen_servers, one per kind, each holding the active version map:
@@ -352,6 +385,16 @@ projection fold maintains it.)
 
 ## Step 6 — Validation pipeline + POST /activity
 
+**Sub-deliverables:**
+- [x] **6a** — `pipeline:run_stages/2` driver — pure fold over a stage list of `(Activity) -> ok | {error, R}` funs, halts on first failure. `validate_inbound/1` + `validate_outbound/1` + `inbound_stages/0` + `outbound_stages/0` (empty lists for now). `next/tests/pipeline_driver.sh` (10 cases).
+- [x] **6b-env** — `pipeline:stage_envelope/1` delegating to `envelope:validate_shape/1`; wired into both `inbound_stages` and `outbound_stages`. `next/tests/pipeline_envelope.sh` (12 cases); pipeline_driver.sh updated to test the driver in isolation.
+- [x] **6b-sig** — `pipeline:stage_signature/2` (direct call) + `stage_signature/1` (factory returning a context-bound stage fun). Not wired into default stage lists since ActorState isn't available at static-list build time; callers compose by `Stages = [..., pipeline:stage_signature(AS)]`. `next/tests/pipeline_signature.sh` (11 cases) covers direct + factory + composition + halt behaviour with stage_envelope.
+- [x] **6c-replay** — `pipeline:stage_replay/2` (direct) + `stage_replay/1` (factory closed over LogState). Checks the log entries for an existing activity with the same `:id`. Returns `{error, replay}` on duplicate, `{error, no_id}` when missing. `next/tests/pipeline_replay.sh` (12 cases).
+- [ ] **6c-schema** — `stage_activity_schema/1` (registry lookup of activity-type, evaluate :schema body) — blocked behind SX-source eval bridge.
+- [x] **6d-cs** — `outbox:construct/4` (skeleton + CID-derived :id via `cid:to_string`) + `outbox:sign/2` (HMAC over canonical bytes, append :signature pair from KeySpec) + `cid_of/1` accessor. Verified end-to-end: construct→sign→envelope:verify_signature passes; wrong key material fails with bad_signature. `next/tests/outbox_construct.sh` (13 cases).
+- [x] **6d-publish** — `outbox:publish/2(Request, Context)` orchestrates construct + sign + `pipeline:run_stages([envelope, signature, replay])` + `log:append`. Returns `{ok, [{cid, _}, {activity, _}], NewLog}` or `{error, Reason, LogState}` on stage halt. Replay catches duplicate publishes; bad key material surfaces `bad_signature`. `next/tests/outbox_publish.sh` (13 cases).
+- [ ] **6e** — HTTP handler for POST /activity glue (depends on Step 8 http server)
+
 **Deliverables:**
 
 ```erlang
@@ -412,6 +455,12 @@ publish(ActorId, ActivityRequest) ->
 
 ## Step 7 — Projection scheduler
 
+**Sub-deliverables:**
+- [x] **7a** — Pure-functional `next/kernel/projection.erl`: `new/2,3`, `fold_activity/2`, `replay/2`, `name/1`, `state/1`, `fold_fn/1`. Projection record is `[{name, _}, {state, _}, {fold, fun}]`; fold body is an Erlang fun in v1 (SX-source eval bridge deferred). `next/tests/projection_pure.sh` (12 cases).
+- [ ] **7b** — gen_server wrapper: `start_link/1`, named-per-projection, `async_fold/2`, `query/1`, `snapshot/1`.
+- [ ] **7c** — Broadcast hook from `outbox:publish` — feed `Signed` to every projection process.
+- [ ] **7d** — `sandbox:eval_pure/2` (Erlang sandbox-mode caller — gas budget + IO denial) once an SX-source eval bridge exists.
+
 **Deliverables:**
 
 ```erlang
@@ -920,3 +969,36 @@ A few things still under-specified; resolve as work begins.
    60 seconds." Tunable per-projection later; v1 uses the default.
 5. **Genesis bundle format.** Dag-cbor map per §12.2; concrete schema needs
    one round of refinement once we author the actual definitions in step 4.
+
+---
+
+## Progress log
+
+Newest first. One line per sub-deliverable commit. Erlang conformance gate
+(`bash lib/erlang/conformance.sh`) must remain 729/729 on every entry.
+
+- **2026-05-28** — Step 7a: `next/kernel/projection.erl` — pure-functional projection driver. Record shape `[{name, _}, {state, _}, {fold, fun}]`; `fold_activity/2` advances state by one activity; `replay/2` folds a whole list (mirrors `log:entries/1` semantics); `new/2` defaults to the identity fold and `new/3` accepts a custom Erlang fun. Multiple projections share no state — independent record values. Step 7 split into 7a (done) + 7b (gen_server-per-projection) + 7c (broadcast hook from outbox) + 7d (sandbox eval, needs SX-source bridge). `next/tests/projection_pure.sh` 12/12. Erlang conformance 729/729.
+- **2026-05-28** — Step 6d-publish: `outbox:publish/2(Request, Context)` orchestrates construct + sign + `pipeline:run_stages` + `log:append`. Stage list is `[stage_envelope, stage_signature(AS), stage_replay(LogState)]` — so a duplicate publish (same Request, same Published) halts at the replay stage and returns `{error, replay, LogState}` with the log unchanged; bad key material halts at `bad_signature`. Happy path returns `{ok, [{cid, Cid}, {activity, Signed}], NewLog}`. Projection-scheduler dispatch deferred to Step 7. `next/tests/outbox_publish.sh` 13/13 covers happy path, replay halt, sig halt, multi-publish progression, CID stability across fresh logs. Erlang conformance 729/729.
+- **2026-05-28** — Step 6d-cs: `next/kernel/outbox.erl` — envelope construction + signing. `construct/4` takes `(Type, ActorId, Published, Object)`, builds the canonical key-sorted property list, and derives the activity `:id` from `cid:to_string({activity_envelope, Skeleton})`. `sign/2` extracts key_id/algorithm/key-material from a KeySpec proplist, computes the v1 HMAC over canonical bytes, and appends the `:signature` pair. `cid_of/1` is a convenience accessor. Round-trip end-to-end through `envelope:verify_signature/2` verified (correct key passes, wrong key returns bad_signature). Step 6d split into 6d-cs (done) + 6d-publish (orchestration). `next/tests/outbox_construct.sh` 13/13. Erlang conformance 729/729.
+- **2026-05-28** — Step 6c-replay: `pipeline:stage_replay/2` (direct) + `stage_replay/1` (factory closed over LogState). Linear scan of `log:entries/1` checking for an existing entry with the same `:id`. Returns ok if new, `{error, replay}` on duplicate, `{error, no_id}` when the activity has no id field. Step 6c split into 6c-replay (done) + 6c-schema (deferred — blocked behind SX-source eval bridge for the activity-type :schema body). `next/tests/pipeline_replay.sh` 12/12 covers direct + factory + composition with stage_envelope. Erlang conformance 729/729.
+- **2026-05-28** — Step 6b-sig: `pipeline:stage_signature/2` direct call + `stage_signature/1` factory returning a context-bound stage fun closed over ActorState. Not wired into the default `inbound_stages`/`outbound_stages` lists because actor state isn't a static-build-time value; callers prepend the factory result to a stage list (`Stages = [stage_envelope, pipeline:stage_signature(AS)]`). `next/tests/pipeline_signature.sh` 11/11 covers direct + factory + composition with stage_envelope (including halt ordering: bad envelope halts before sig; good envelope + bad sig surfaces sig error). Erlang conformance 729/729.
+- **2026-05-28** — Step 6b-env: `pipeline:stage_envelope/1` wraps `envelope:validate_shape/1`; wired into both `inbound_stages` and `outbound_stages` lists. `validate_inbound`/`validate_outbound` now exercises the full envelope shape contract end-to-end (missing fields, signature sub-shape, non-list input). `next/tests/pipeline_envelope.sh` 12/12; `pipeline_driver.sh` refactored to test the driver against explicit stage lists rather than depending on the now-non-empty defaults. Split 6b in the plan into 6b-env (done) + 6b-sig (needs runtime context for actor-state). Erlang conformance 729/729.
+- **2026-05-28** — Step 6a: `next/kernel/pipeline.erl` — validation pipeline driver per design §14. `run_stages/2` is a pure fold over `(Activity) -> ok | {error, R}` funs, halting on first failure. Halt verified by inserting a post-error stage that would set a contradictory tag if it ran. `validate_inbound/1` + `validate_outbound/1` wrappers; concrete stage lists are empty (6b wires `stage_envelope`/`stage_signature`). Port quirk: `Pattern = Var` match-alias syntax unsupported — split into separate `Result = X, case Result of ...`. `next/tests/pipeline_driver.sh` 10/10. Step 6 broken into 6a–6e on the plan. Erlang conformance 729/729.
+- **2026-05-28** — Step 5b: `registry.erl` extended with gen_server callbacks + named-process API. `start_link/0` spawns the worker, registers it under the literal `registry` atom, returns the Pid (port returns raw Pid not `{ok, Pid}` — diverges from OTP). 3-arity `register`, 2-arity `lookup`, 1-arity `list` delegate to the pure /4 and /3 functions inside handle_call. Port note documented: `?MODULE` macro unsupported; tests must inline start_link with operations since spawned processes don't persist across separate `erlang-eval-ast` calls. `next/tests/registry_server.sh` 12/12. Erlang conformance 729/729.
+- **2026-05-28** — Step 4e: `bootstrap:load_genesis/1` + `strip_sx_suffix/1` in `next/kernel/bootstrap.erl`. Walks `read_genesis` output and threads each entry through `registry:register/4`, using the section atom as the kind and the filename-minus-`.sx` as the entry name. Per-kind counts match the seven bootstrap sections exactly (3/10/7/3/3/2/3 = 31 entries total). `next/tests/bootstrap_load.sh` 15/15. Determinism verified by comparing `cid:to_string` of the loaded state across calls (faster than deep-equality on the nested-binary state). Step 4 is now complete end-to-end except for SX-source parsing of the loaded entries. Erlang conformance 729/729.
+- **2026-05-28** — Step 5a: `next/kernel/registry.erl` — pure-functional registry. State is `[{Kind, [{Name, Entry}, ...]}, ...]` keyed by the same seven section atoms as Step 4c (activity_types, object_types, projections, validators, codecs, sig_suites, audience). API: `new/0`, `kinds/0`, `register/4`, `lookup/3`, `list/2`. Unknown kinds rejected with `{error, unknown_kind}`; missing names return `not_found`; re-registering the same name overrides without growing the list. `next/tests/registry_pure.sh` 14/14. Step 5 broken into 5a–5d on the plan. Erlang conformance 729/729.
+- **2026-05-28** — Step 4d: `bootstrap:build_genesis/1` + `verify_genesis/2` + `.cidhash` helpers in `next/kernel/bootstrap.erl`. Bundle CID delegated to host `cid:to_string` over `{genesis_bundle, Sections}` — deterministic, ~59 byte CIDv1 binary. `verify_genesis/2` returns `ok` on match, `{error, {cid_mismatch, Got, Expected}}` on drift. `write_cidhash`/`read_cidhash` persist the CID to a `.cidhash` sibling file (path hand-spelled `<<...,47,46,99,...>>` per the string-literal-in-binary substrate quirk). `next/tests/bootstrap_build.sh` 12/12. Erlang conformance 729/729.
+- **2026-05-27** — Step 4c: `next/kernel/bootstrap.erl` — Erlang module that enumerates the genesis bundle by walking seven hardcoded section subdirs via `file:list_dir/1`, filters `.sx` files via byte-pattern suffix match (`ends_with_sx/1`), reads each into a binary via `file:read_file/1`. Returns `{ok, [{Section, [{Name, Bytes}, ...]}]}`. Hits the same SX-parser substrate gap as Step 3b — kept the surface byte-only; parsing happens via SX-side helpers in later steps. Port gotchas: `fun name/arity` references unsupported (use anonymous fun wrappers); `<<"...">>` string-literal segments truncate to one byte (paths hand-spelled as integer-segment binaries). `next/tests/bootstrap_read.sh` 15/15. Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-cod: bootstrap codecs + sig-suites + audience predicates complete. 3 `DefineCodec` files (dag-cbor + raw + dag-json, dag-cbor + dag-json deferring to host-codec primitive when wired), 2 `DefineSigSuite` files (rsa-sha256-2018 PEM-keyed, ed25519-2020 multibase-keyed, both :verify returning false as m2-deferred stand-in), 3 `DefineAudience` files (Public/Followers/Direct member-of predicates per design §16). Manifest now lists 26 bootstrap files across all eight sections; `next/tests/genesis_parse.sh` 50/50. Step 4b complete; remaining Step 4 is bundler code (4c–4e). Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-vld: bootstrap validators complete — 3 `DefineValidator` SX files (envelope-shape mirroring Step 2a, signature stub delegating to envelope:verify_signature/2 per design §9.6, type-schema looking up the object-type schema from define-registry). Manifest `:validators` populated; `next/tests/genesis_parse.sh` 36/36. Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-proj: bootstrap projections complete — 7 `DefineProjection` SX files authored (activity-log identity, by-type/by-actor/by-object indexes, actor-state with key history fold, define-registry meta-fold over Create{Define*}, audience-graph stub). Manifest `:projections` populated; `next/tests/genesis_parse.sh` 31/31. Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-obj: bootstrap object-types complete — 10 `DefineObject` SX files authored (SXArtifact, Note, Tombstone, DefineActivity, DefineObject, DefineProjection, DefineValidator, DefineCodec, DefineSigSuite, Snapshot). Each carries an SX `:schema` predicate. Manifest `:object-types` populated; `next/tests/genesis_parse.sh` 22/22. Erlang conformance 729/729.
+- **2026-05-27** — Step 4b-act: bootstrap activity-types complete — `update.sx` (Update verb, requires :object CID + :patch) + `delete.sx` (Delete verb, requires :object CID) authored as DefineActivity forms matching the Create shape. Manifest updated; `next/tests/genesis_parse.sh` 10/10. Step 4b broken into act/obj/proj/vld/cod sub-deliverables on the plan. Erlang conformance 729/729.
+- **2026-05-27** — Step 4a: genesis bundle seeded. `next/genesis/manifest.sx` (GenesisManifest with eight section keys, only `:activity-types` populated for now) + `next/genesis/activity-types/create.sx` (DefineActivity{Create} with :schema/:semantics SX bodies). `next/tests/genesis_parse.sh` 5/5. Step 3b parked behind a substrate-level term-codec gap — Blockers note added under Step 3; in-memory log from 3a unblocks Step 5+ which only need the API surface. Erlang conformance 729/729.
+- **2026-05-27** — Step 3a: `log:open/2 append/2 tip/1 replay/3 entries/1` over an in-memory state (per-actor seq, replay in append order, round-trip activities). `next/tests/log_memory.sh` 12/12. Pivoted from on-disk in this iteration: this port's `atom_to_list`/`integer_to_list` return SX strings rather than Erlang charlists, `binary_to_list` is unregistered, and `$X` char literals decode to nil — so a term codec needs a workaround. Captured as the Step 3b risk note in the plan. Erlang conformance 729/729.
+- **2026-05-26** — Step 2c: `envelope:verify_signature/2` — time-aware key lookup over `public_keys` (created ≤ published < superseded_at), MAC recompute via `crypto:hash(sha256, KeyMaterial ++ canonical_bytes)`, compared against `signature.value`. Returns ok or one of `no_signature | no_key_id | no_published | no_keys | no_active_key | bad_signature`. `next/tests/envelope_sig.sh` 11/11 pass. Erlang conformance 729/729.
+- **2026-05-26** — Step 2b: `envelope:canonical_bytes/1` — strip signature, insertion-sort property list by key, return host-CID-string as deterministic byte form (dag-cbor stand-in). `next/tests/envelope_canonical.sh` 8/8 pass. Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 2a: `next/kernel/envelope.erl` `validate_shape/1` + `get_field/2` over property-list envelopes (Erlang `#{}` maps not supported in this port). `next/tests/envelope_shape.sh` 15/15 pass. Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 1b: `next/kernel/nx_cid.erl` (from_sx/to_string/from_string/equals) — thin Erlang wrapper around the `cid:to_string/1` BIF. `next/tests/cid.sh` 13/13 pass. Module named `nx_cid` to avoid shadowing the `cid` BIF (user-module dispatch takes precedence over BIFs by module name). Erlang conformance 729/729 preserved.
+- **2026-05-26** — Step 1a: `next/` skeleton created (kernel/, genesis/, tests/, data/), README, `.gitignore data/`. Erlang conformance 729/729 preserved.
+