identity: device authorization grant (RFC 8628, +10 tests)

device.sx — for input-constrained devices. authorize → {device_code,
user_code}; the human approves/denies out-of-band by user_code; the device
polls by device_code through the §3.5 status machine (authorization_pending
→ access_denied / {ok, Token}). Device code is single-use once a token
issues; approve-after-deny is rejected. Tokens grant-backed via token.sx.
Device-code expiry + slow_down deferred (no wall clock). New
tests/device.sx. 168/168.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/identity/conformance.sh

@@ -41,6 +41,7 @@ SUITES=(
   "expiry|id-expiry-test-pass|id-expiry-test-count"
   "clients|id-clients-test-pass|id-clients-test-count"
   "grants|id-grants-test-pass|id-grants-test-count"
+  "device|id-device-test-pass|id-device-test-count"
 )
 
 cat > "$TMPFILE" << 'EPOCHS'
@@ -62,6 +63,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/audit.sx")
 (load "lib/identity/federation.sx")
 (load "lib/identity/clients.sx")
+(load "lib/identity/device.sx")
 (load "lib/identity/tests/session.sx")
 (load "lib/identity/tests/token.sx")
 (load "lib/identity/tests/registry.sx")
@@ -75,6 +77,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/expiry.sx")
 (load "lib/identity/tests/clients.sx")
 (load "lib/identity/tests/grants.sx")
+(load "lib/identity/tests/device.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -101,6 +104,8 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-clients-test-pass id-clients-test-count)")
 (epoch 112)
 (eval "(list id-grants-test-pass id-grants-test-count)")
+(epoch 113)
+(eval "(list id-device-test-pass id-device-test-count)")
 EPOCHS
 
 timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1