identity: "apps with access" — per-subject active-grant listing (+7 tests)

identity_tokens:grants_for(Subject) lists a subject's active grants as
[{Client, Scope}] (revoked excluded), exposed through the facade as
identity:grants(Subject). Completes the per-subject account-security trio:
sessions (where logged in), grants (which apps have access), history (what
happened). New tests/account.sx. Conformance internal timeout raised to
1200s (22 suites, ~10min — run in background). 229/229.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/identity/conformance.sh

@@ -49,6 +49,7 @@ SUITES=(
   "introspect|id-intr-test-pass|id-intr-test-count"
   "par|id-par-test-pass|id-par-test-count"
   "dynreg|id-dyn-test-pass|id-dyn-test-count"
+  "account|id-acct-test-pass|id-acct-test-count"
 )
 
 cat > "$TMPFILE" << 'EPOCHS'
@@ -93,6 +94,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/introspect.sx")
 (load "lib/identity/tests/par.sx")
 (load "lib/identity/tests/dynreg.sx")
+(load "lib/identity/tests/account.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -135,9 +137,11 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-par-test-pass id-par-test-count)")
 (epoch 120)
 (eval "(list id-dyn-test-pass id-dyn-test-count)")
+(epoch 121)
+(eval "(list id-acct-test-pass id-acct-test-count)")
 EPOCHS
 
-timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
+timeout 1200 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
 
 parse_pair() {
   local epoch="$1"

lib/identity/scoreboard.json

@@ -1,7 +1,7 @@
 {
   "language": "identity",
-  "total_pass": 222,
-  "total": 222,
+  "total_pass": 229,
+  "total": 229,
   "suites": [
     {"name":"session","pass":11,"total":11,"status":"ok"},
     {"name":"token","pass":24,"total":24,"status":"ok"},
@@ -23,6 +23,7 @@
     {"name":"exchange","pass":8,"total":8,"status":"ok"},
     {"name":"introspect","pass":9,"total":9,"status":"ok"},
     {"name":"par","pass":7,"total":7,"status":"ok"},
-    {"name":"dynreg","pass":5,"total":5,"status":"ok"}
+    {"name":"dynreg","pass":5,"total":5,"status":"ok"},
+    {"name":"account","pass":7,"total":7,"status":"ok"}
   ]
 }

lib/identity/scoreboard.md

@@ -1,6 +1,6 @@
 # identity-on-sx Scoreboard
 
-**Total: 222 / 222 tests passing**
+**Total: 229 / 229 tests passing**
 
 |  | Suite | Pass | Total |
 |---|---|---|---|
@@ -25,6 +25,7 @@
 | ✅ | introspect | 9 | 9 |
 | ✅ | par | 7 | 7 |
 | ✅ | dynreg | 5 | 5 |
+| ✅ | account | 7 | 7 |
 
 
 Generated by `lib/identity/conformance.sh`.

lib/identity/tests/account.sx

@@ -0,0 +1,74 @@
+;; identity/tests/account.sx — \"apps with access\": per-subject active-grant
+;; listing, at the token registry (grants_for) and through the facade
+;; (identity:grants). Completes the per-subject security trio with sessions
+;; and history.
+
+(define id-acct-test-count 0)
+(define id-acct-test-pass 0)
+(define id-acct-test-fails (list))
+
+(define
+  id-acct-test
+  (fn
+    (name actual expected)
+    (set! id-acct-test-count (+ id-acct-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-acct-test-pass (+ id-acct-test-pass 1))
+      (append! id-acct-test-fails {:name name :expected expected :actual actual}))))
+
+(define ida-ev erlang-eval-ast)
+(define idanm (fn (v) (get v :name)))
+
+(identity-load-all!)
+
+;; ── token-level grants_for ───────────────────────────────────────
+
+(id-acct-test
+  "grants_for lists a subject's active grants"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, alice, cli, write),\n     identity_tokens:issue(R, bob, web, read),\n     length(identity_tokens:grants_for(R, alice))")
+  2)
+
+(id-acct-test
+  "grants_for excludes revoked grants"
+  (ida-ev
+    "R = identity_tokens:start(),\n     {ok, A} = identity_tokens:issue(R, alice, web, read),\n     identity_tokens:issue(R, alice, cli, write),\n     identity_tokens:revoke(R, A),\n     length(identity_tokens:grants_for(R, alice))")
+  1)
+
+(id-acct-test
+  "grants_for is empty for a subject with none"
+  (ida-ev
+    "R = identity_tokens:start(),\n     identity_tokens:issue(R, alice, web, read),\n     length(identity_tokens:grants_for(R, ghost))")
+  0)
+
+(id-acct-test
+  "each grant entry carries the client"
+  (idanm
+    (ida-ev
+      "R = identity_tokens:start(),\n       identity_tokens:issue(R, alice, web, read),\n       case identity_tokens:grants_for(R, alice) of\n         [{Client, _Scope}] -> Client;\n         _ -> other\n       end"))
+  "web")
+
+;; ── facade-level grants ──────────────────────────────────────────
+
+(id-acct-test
+  "identity:grants lists apps a subject has logged into"
+  (ida-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     length(identity:grants(Svc, alice))")
+  2)
+
+(id-acct-test
+  "revoking a token drops it from identity:grants"
+  (ida-ev
+    "Svc = identity:start(),\n     {ok, _S1, T1} = identity:login(Svc, alice, web, read),\n     identity:login(Svc, alice, mobile, read),\n     identity:revoke(Svc, T1),\n     length(identity:grants(Svc, alice))")
+  1)
+
+(id-acct-test
+  "identity:grants is per-subject"
+  (ida-ev
+    "Svc = identity:start(),\n     identity:login(Svc, alice, web, read),\n     identity:login(Svc, bob, web, read),\n     length(identity:grants(Svc, bob))")
+  1)
+
+(define
+  id-acct-test-summary
+  (str "account " id-acct-test-pass "/" id-acct-test-count))

plans/identity-on-sx.md

@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
 
 ## Status (rolling)
 
-`bash lib/identity/conformance.sh` → **222/222** (4 phases + 13 ext) — needs `timeout 580`
+`bash lib/identity/conformance.sh` → **229/229** (4 phases + 14 ext) — slow (~10min, run in background; internal timeout 1200)
 
 ## Ground rules
 
@@ -87,12 +87,21 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [~] OAuth `state`/OIDC `nonce` — low value in this server-centric model (client-side echo); skipped
 - [x] pushed authorization requests (PAR, RFC 9126): single-use request_uri → consent
 - [x] dynamic client registration (RFC 7591): server-generated client_id + secret
+- [x] "apps with access": `grants_for(Subject)` / `identity:grants` (per-subject active grants)
 - [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
 - [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
 - [x] token exchange (RFC 8693): downscope a token into a new independent token
 - [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)
 
 ## Progress log
+- 2026-06-07 — "apps with access" (ext): `identity_tokens:grants_for(Subject)`
+  lists a subject's ACTIVE grants as `[{Client, Scope}]` (revoked excluded),
+  exposed through the facade as `identity:grants(Subject)`. Completes the
+  per-subject account-security trio: sessions (where), grants (which apps),
+  history (what happened). New tests/account.sx (7). 222→229. NOTE: conformance
+  is now slow (~10 min, 22 suites); run it in the background — internal
+  sx_server timeout raised to 1200s. The suite is at its monolithic-runtime
+  ceiling; further test growth should consider splitting the harness.
 - 2026-06-07 — dynamic client registration (ext, RFC 7591): `register_dynamic`
   generates a client_id + secret server-side (make_ref each) and registers the
   client, returning {ok, ClientId, Secret} — self-service onboarding distinct