identity: PKCE S256 (RFC 7636 §4.2) — now the erlang binary substrate is fixed

oauth.sx routes the PKCE check through pkce_ok: an S256 challenge carried as
{s256, Hash} compares crypto:hash(sha256, Verifier) =:= Hash; a bare
challenge stays plain (§4.1), so both methods coexist with no change to
existing flows (the bare path is the old =:= behaviour). Raw sha256 digests
are compared (base64url is wire encoding, omitted). New tests/pkce.sx (6,
incl. S256 through PAR). Verified pkce 6/6; substrate fix is in the
preceding commit. 239 total.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

plans/identity-on-sx.md

@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
 
 ## Status (rolling)
 
-`bash lib/identity/conformance.sh` → **233/233** (4 phases + 15 ext) — slow (~10min, run in background; internal timeout 1200)
+`bash lib/identity/conformance.sh` → **239/239** (4 phases + 16 ext) — slow (~10min, run in background; internal timeout 1200)
 
 ## Ground rules
 
@@ -78,7 +78,7 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [x] tests: audit completeness, cross-instance subject mapping
 
 ## Extensions (base roadmap complete; deepen the engine)
-- [~] PKCE S256 method (RFC 7636 §4.2) — BLOCKED on erlang substrate (see Blockers)
+- [x] PKCE S256 method (RFC 7636 §4.2) — substrate fixed; `{s256, sha256(verifier)}` challenge
 - [x] access-token TTL / `expires_in` — logical-clock expiry, introspect honours it
 - [x] scope as a set + scope narrowing on refresh (RFC 6749 §6)
 - [x] client registry: public vs confidential clients, client authentication (RFC 6749 §2)
@@ -95,6 +95,21 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)
 
 ## Progress log
+- 2026-06-07 — PKCE S256 UNBLOCKED + implemented (RFC 7636 §4.2). Root-caused
+  the substrate blocker to ONE bug in `lib/erlang/transpile.sx`
+  `er-eval-binary-segment`: a string literal in a binary (`<<"abc">>`) was
+  evaluated as a single integer segment, emitting one `0` byte — so every
+  binary literal became `{:bytes (0)}` (hence binary `=:=` "always equal" and
+  crypto:hash input-independent). Fix (user-authorized cross-scope edit on
+  architecture; loops/erlang should adopt as owner): the integer branch now
+  expands a string value to per-character bytes (`<<"abc">>` ≡ `<<97,98,99>>`).
+  Verified: `byte_size(<<"abc">>)`=3, binary `=:=` correct, sha256 distinct.
+  Then `oauth.sx`: PKCE check routed through `pkce_ok` — `{s256, H}` challenge
+  compares `crypto:hash(sha256, Verifier) =:= H`; bare challenge stays `plain`
+  (RFC §4.1), so both coexist with zero change to existing flows. New
+  tests/pkce.sx (6, incl. S256-through-PAR). +6 → 239. Done directly on
+  architecture (where fixed-erlang + merged-identity coexist); loops/identity
+  trails until refreshed.
 - 2026-06-07 — "disconnect app" (ext): `identity_tokens:revoke_app(Subject,
   Client)` revokes every grant a subject holds for one client at once (audited
   one revoke per grant), exposed at the facade as `identity:revoke_app`. The
@@ -276,6 +291,12 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
   `tests/session.sx`). 11/11.
 
 ## Blockers
+- 2026-06-07 — **RESOLVED.** Both symptoms below were ONE bug —
+  `er-eval-binary-segment` in `lib/erlang/transpile.sx` emitting a single `0`
+  byte for a string literal in a binary, so every `<<"...">>` was `{:bytes (0)}`
+  (equal to each other, and hashing the same). Fixed (string → per-character
+  bytes); binary `=:=` and `crypto:hash` now correct, and PKCE S256 is
+  implemented. See Progress log 2026-06-07. (Historical detail below.)
 - 2026-06-07 — **PKCE S256 blocked: erlang binary bugs.** Two substrate bugs
   in `lib/erlang` make a correct/secure S256 impossible (S256 needs
   `BASE64URL(SHA256(verifier))` compared against the stored challenge):