diff --git a/plans/identity-on-sx.md b/plans/identity-on-sx.md index 3ed3f930..e5a1107a 100644 --- a/plans/identity-on-sx.md +++ b/plans/identity-on-sx.md @@ -77,6 +77,16 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke) - [x] federated identity (peer-asserted subject) — advisory, trust-gated stub - [x] tests: audit completeness, cross-instance subject mapping +## Extensions (base roadmap complete; deepen the engine) +- [ ] PKCE S256 method (RFC 7636 §4.2) — SHA256 challenge derivation, not just `plain` +- [ ] access-token TTL / `expires_in` — tokens expire as a grant timeout, introspect honours it +- [ ] scope as a set + scope narrowing on refresh (RFC 6749 §6) +- [ ] client registry: public vs confidential clients, client authentication (RFC 6749 §2) +- [ ] client-credentials grant (RFC 6749 §4.4) and device grant (RFC 8628) +- [ ] acl-on-sx delegation: wire `verify`/membership projection → an acl decision, integration test +- [ ] OAuth `state` (CSRF) + OIDC `nonce` threaded through authorize→exchange +- [ ] unify `api.sx` over oauth + membership + audit (one facade, audited login/consent) + ## Progress log - 2026-06-07 — `federation.sx`: trust-gated, advisory federated identity. A peer assertion is accepted only from an explicitly trusted peer
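Review bot: the PKCE S256 item should name the server-side check, not only the derivation, so the task is unambiguous: on exchange the server recomputes `BASE64URL(SHA256(ASCII(code_verifier)))`, compares it to the stored `code_challenge` with a constant-time comparison (RFC 7636 §4.6), and rejects verifiers outside the 43..128-character range (§4.1). Two neighbouring items need the same precision: the `expires_in` line should say whether the refresh token gets its own lifetime separate from the access token, since "scope narrowing on refresh" only makes sense if refresh survives access-token expiry, and the `state`/`nonce` line should note that `nonce` has to be echoed into the ID token for the client to bind it, whereas `state` is validated by the client on the redirect, so "threaded through authorize→exchange" describes two different checks.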