giles
0f85bd963a
`next/kernel/http_server.erl` gains `start/1(Port)` + `start/2(Port, Cfg)`. Both spawn an Erlang process that hosts
the native `http:listen/2` accept loop with the Cfg-aware `route/2` as the handler.
The blocker — the BIF wrapper in `lib/erlang/runtime.sx` had no dict↔proplist marshaling, so Erlang handler funs
couldn't pattern-match on an opaque SX request dict — is resolved by a new family of helpers added next to `er-of-sx`
(which is left untouched so non-HTTP callers see no behavioural drift):
er-request-dict-to-proplist request dict -> [{method,<<>>},{path,<<>>},...] (atom keys)
er-of-sx-deep recursive marshal: dicts -> binary-keyed proplist
er-dict-to-header-proplist headers: [{<<"content-type">>,<<"text/plain">>},...]
(binary keys keep arbitrary user input out of the atom table)
er-proplist-to-dict response proplist -> SX dict for native serialiser
er-proplist-fill! dict-set! walker over a cons-of-2-tuples
er-to-sx-deep recursive marshal: cons-of-2-tuples -> nested dict
er-proplist-2tuple? predicate distinguishing a header proplist from a binary body
`er-bif-http-listen`'s body is updated to route through the new pair instead of `er-of-sx` / `er-to-sx`. Existing
`http_listen_bif.sh` (Step 8a) still passes — the BIF's external contract (port + handler validation, registration)
hasn't changed, only the request/response shape the handler sees.
This commit also lands a small pre-existing unstaged refactor that was sitting in the same file (er-binary->string
helper above er-bif-http-listen, a "Register everything at load time." comment move, and the binary_to_list /
list_to_binary / er-iolist-walk! defines reshuffled into the er-register-builtin-bifs! body). The refactor was
agreed-out-of-scope earlier in the loop but was unblocked this iteration when the user OK'd progress on 8b-start.
Bundling it here keeps the lib/erlang/runtime.sx diff coherent.
Tests:
- `next/tests/http_marshal.sh` (10 cases) — marshaling unit tests: request dict → cons proplist; method as
<<"GET">> via SX-side proplist walker; path-as-string roundtrip; nested headers reach through binary keys;
response status/body field marshaling; nested headers reconstruct dict; full round-trip preserves status.
- `next/tests/http_server_start.sh` (6 cases) — structural verification: http_server module loaded, start bound
in module env, marshalers defined as lambdas, http:listen BIF registered. Can't invoke spawn in an Erlang test
because the cooperative scheduler (`er-sched-run-all!`) drains every runnable process before returning to the
caller, and the listener's accept loop never exits.
- `next/tests/http_server_tcp.sh` (5 cases) — **first live end-to-end transport test in the milestone**: boots
sx_server in background with FIFO-held stdin (~10s boot for all lib/erlang/*.sx loads + module compile +
Unix.bind), then drives the listener via shell-side curl over real TCP. Verifies GET / → 200, GET
/.well-known/sx-capabilities → 200, GET unknown → 404, POST /activity → 401 with no/bad bearer. Doubles as the
smoke surface for 9a-tcp / 9b-tcp.
Erlang conformance **761/761** unchanged. All standing suites stay green (http_listen_bif 5/5, log_disk 12/12,
log_rotate 10/10, term_codec 18/18).
Step 8b-start ticked in plans/fed-sx-milestone-1.md. Remaining in the milestone: 9a-tcp / 9b-tcp — partly covered
by http_server_tcp.sh's smoke probes; the full curl-driven publish flows are the next iteration.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
next — fed-sx Milestone 1 kernel
Single-instance, single-actor fed-sx server built as Erlang-on-SX modules.
See plans/fed-sx-design.md for the architecture and
plans/fed-sx-milestone-1.md for the build plan + per-step progress log.
Status
Both Step 9 smoke proof points are functional in-process:
- 9a-pure (verb extensibility) —
Create{DefineActivity{Pin}}registers Pin at runtime; subsequentPin{path, cid}activities fold into a pin-state projection. Zero kernel code between definition and use. Seenext/tests/smoke_pin_pure.sh. - 9b-pure (reactive application) — A trigger projection matches Notes
tagged
smoketestand derives aTestEchocarrying the source CID. Seenext/tests/smoke_app_pure.sh.
The remaining 9a-tcp / 9b-tcp deliverables layer TCP transport on top — see
Substrate gaps below.
Layout
next/
├── kernel/ Erlang-on-SX kernel modules (.erl)
├── genesis/ SX source files for the bootstrap bundle
├── tests/ Bash test scripts driving sx_server.exe via the epoch protocol
└── data/ Runtime state — gitignored
Module map
| Module | Role |
|---|---|
nx_cid.erl |
Canonical CID wrapper around the host cid:to_string BIF |
envelope.erl |
Activity envelope shape, canonical bytes, time-aware sig verify |
log.erl |
Per-actor in-memory append log (open / append / tip / replay / entries) |
registry.erl |
Pure-functional + gen_server-wrapped registry keyed by Kind |
pipeline.erl |
Validation driver + stage_envelope/signature/replay/schema |
projection.erl |
Pure projection driver + gen_server-per-projection wrapper |
outbox.erl |
Envelope construct + sign + publish orchestrator + broadcast |
bootstrap.erl |
Genesis read/build/verify/load + one-call start/3 kernel bring-up |
define_registry.erl |
Meta-projection fold for Create{Define*} → registry |
sandbox.erl |
eval_pure/2,3 try/catch envelope for projection folds |
nx_kernel.erl |
Long-lived runtime orchestrator (state + gen_server) |
http_server.erl |
route/1,2 + format-aware GET + POST + Accept header content negotiation |
Genesis bundle
next/genesis/ contains 31 SX files across 7 sections, all consumed as data
(read + serialised by bootstrap:populate_registry, not eval'd):
- 3 activity-types — Create, Update, Delete
- 10 object-types — SXArtifact, Note, Tombstone, 6 Define* meta-types, Snapshot
- 7 projections — activity-log, by-type, by-actor, by-object, actor-state, define-registry, audience-graph
- 3 validators — envelope-shape, signature, type-schema
- 3 codecs — dag-cbor, raw, dag-json
- 2 sig-suites — rsa-sha256-2018, ed25519-2020
- 3 audience predicates — Public, Followers, Direct
manifest.sx is the bundle root, listed in dependency-friendly order.
Tests
43 test suites, ~560+ assertions. Each script drives sx_server.exe via the
epoch protocol — loads the Erlang substrate, loads relevant kernel modules
via code:load_binary / erlang-load-module, then exercises behaviour
through erlang-eval-ast.
Conventions:
- Scripts marked
_pure.shexercise pure-functional state. - Scripts marked
_server.sh(or no suffix) exercise gen_server APIs and must inlinestart_linkwith operations — the Erlang-on-SX scheduler doesn't preserve spawned processes across separateerlang-eval-astinvocations. smoke_*_pure.share end-to-end smoke tests demonstrating the §Step 9 proof points without TCP / curl / JSON.
The Erlang-on-SX conformance gate (bash lib/erlang/conformance.sh, 729 /
729) is the no-regression contract — every commit on loops/fed-sx-m1
preserves it.
Substrate
Each .erl source file is hot-loaded at boot via
code:load_binary(Mod, Filename, SourceString) (Phase 7 BIF). Tests drive
the runtime via the epoch protocol:
printf '(epoch 1)\n(load "lib/erlang/runtime.sx")\n(epoch 2)\n<test-expr>\n' \
| hosts/ocaml/_build/default/bin/sx_server.exe
The kernel calls into these host primitives: crypto:hash/2,
cid:from_bytes/1, cid:to_string/1, file:read_file/1, file:write_file/2,
file:delete/1, file:list_dir/1, code:load_binary/3, plus http:listen/2
(the briefing's allowed scope exception, added to lib/erlang/runtime.sx).
Substrate gaps (parked work)
These three gaps block the remaining unchecked deliverables:
-
Term codec (
3b/3c) — all three substrate fixes done 2026-06-05:erlang:binary_to_list/1anderlang:list_to_binary/1registered inlib/erlang/runtime.sx(iolist-aware); the tokenizer's$Xbranch emits the decimal char code;atom_to_list/1andinteger_to_list/1now return Erlang charlists (standard Erlang semantics) withlist_to_atom/list_to_integeraccepting both charlists and SX strings for back-compat. 759/759 conformance. The full term-codec primitive set is in place — Step 3b on-disk segment writer can encode arbitrary Erlang activity terms (atoms, ints, binaries, tuples, lists) into byte sequences using only Erlang-native primitives. -
SX-source eval bridge — There's no BIF that lets Erlang call into the SX evaluator on a parsed source string. Blocks evaluating the
:schema/:fold/:predicate/:verifybodies from the genesis bundle. Erlang-fun stand-ins (pipeline:stage_schema,define_registry:fold, etc.) prove the API shapes; the bridge would let bundle bodies dispatch through them unchanged. -
Dict ↔ proplist marshalling for
http:listen/2— The nativehttp-listenprimitive calls the handler with an SX dict; the BIF wrapper's bridge would need to marshal that to / from an Erlang proplist. BlocksStep 8b-start(actual TCP listening with working route dispatch). The briefing allowed the BIF wrapper as a single scope exception; further in-place modifications need agent approval.
Bringing up the kernel
For tests, bootstrap:start/3(ActorId, KeySpec, ActorState) is the
one-call boot:
KM = <<1,2,3,4>>,
KS = [{key_id, k1}, {algorithm, ed25519}, {value, KM}],
AS = [{public_keys, [[{id, k1}, {created, 0}, {value, KM}]]}],
Pid = bootstrap:start(alice, KS, AS),
%% nx_kernel + registry populated; you now have a kernel.
The HTTP layer (http_server) and nx_kernel:publish/1 flow through the
same in-process gen_servers; http_publish_fold.sh is the end-to-end proof
the chain works.
What's next (when work resumes)
In priority order:
- 8b-bridge — extend
er-bif-http-listenwith dict ↔ proplist marshalling so requests reachroute/1shaped correctly. - 8b-start —
http_server:start/1spawns a process hostinghttp:listen/2. - 9a-tcp / 9b-tcp — replace the in-process smoke scripts with curl-driven versions hitting the running server.
- Term codec / on-disk log — needs either a new BIF or a temp-file workaround; current in-memory log keeps everything functional otherwise.
- SX-source eval bridge — unlocks real
:schema/:foldbody evaluation from the genesis bundle.