identity: RFC 7662 full introspection metadata — introspect_full (+9 tests)

introspect_full returns {active, Subject, Client, Scope, Exp, Iat, bearer}
for live tokens and {inactive} otherwise — deepening the opaque-token /
live-lookup model. Access tokens now carry Iat (clock-at-issue); exp = iat +
ttl. Simple introspect is unchanged (all prior suites green). New
tests/introspect.sx. 210/210.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/identity/conformance.sh

@@ -46,6 +46,7 @@ SUITES=(
   "delegation|id-deleg-test-pass|id-deleg-test-count"
   "session-mgmt|id-smgmt-test-pass|id-smgmt-test-count"
   "exchange|id-xchg-test-pass|id-xchg-test-count"
+  "introspect|id-intr-test-pass|id-intr-test-count"
 )
 
 cat > "$TMPFILE" << 'EPOCHS'
@@ -87,6 +88,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/delegation.sx")
 (load "lib/identity/tests/session_mgmt.sx")
 (load "lib/identity/tests/exchange.sx")
+(load "lib/identity/tests/introspect.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -123,6 +125,8 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-smgmt-test-pass id-smgmt-test-count)")
 (epoch 117)
 (eval "(list id-xchg-test-pass id-xchg-test-count)")
+(epoch 118)
+(eval "(list id-intr-test-pass id-intr-test-count)")
 EPOCHS
 
 timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1

lib/identity/scoreboard.json

@@ -1,7 +1,7 @@
 {
   "language": "identity",
-  "total_pass": 201,
-  "total": 201,
+  "total_pass": 210,
+  "total": 210,
   "suites": [
     {"name":"session","pass":11,"total":11,"status":"ok"},
     {"name":"token","pass":24,"total":24,"status":"ok"},
@@ -20,6 +20,7 @@
     {"name":"facade","pass":9,"total":9,"status":"ok"},
     {"name":"delegation","pass":8,"total":8,"status":"ok"},
     {"name":"session-mgmt","pass":8,"total":8,"status":"ok"},
-    {"name":"exchange","pass":8,"total":8,"status":"ok"}
+    {"name":"exchange","pass":8,"total":8,"status":"ok"},
+    {"name":"introspect","pass":9,"total":9,"status":"ok"}
   ]
 }

lib/identity/scoreboard.md

@@ -1,6 +1,6 @@
 # identity-on-sx Scoreboard
 
-**Total: 201 / 201 tests passing**
+**Total: 210 / 210 tests passing**
 
 |  | Suite | Pass | Total |
 |---|---|---|---|
@@ -22,6 +22,7 @@
 | ✅ | delegation | 8 | 8 |
 | ✅ | session-mgmt | 8 | 8 |
 | ✅ | exchange | 8 | 8 |
+| ✅ | introspect | 9 | 9 |
 
 
 Generated by `lib/identity/conformance.sh`.

lib/identity/tests/introspect.sx

@@ -0,0 +1,93 @@
+;; identity/tests/introspect.sx — RFC 7662 §2.2 full introspection metadata
+;; (sub, client_id, scope, exp, iat, token_type) alongside the live-lookup
+;; active/inactive semantics.
+
+(define id-intr-test-count 0)
+(define id-intr-test-pass 0)
+(define id-intr-test-fails (list))
+
+(define
+  id-intr-test
+  (fn
+    (name actual expected)
+    (set! id-intr-test-count (+ id-intr-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-intr-test-pass (+ id-intr-test-pass 1))
+      (append! id-intr-test-fails {:name name :expected expected :actual actual}))))
+
+(define idi-ev erlang-eval-ast)
+(define idinm (fn (v) (get v :name)))
+
+(identity-load-token!)
+
+;; ── metadata fields ──────────────────────────────────────────────
+
+(id-intr-test
+  "introspect_full reports token_type bearer"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, _, _, _, _, Tt} -> Tt;\n         {inactive} -> inactive\n       end"))
+  "bearer")
+
+(id-intr-test
+  "introspect_full reports the subject"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, Sub, _, _, _, _, _} -> Sub\n       end"))
+  "alice")
+
+(id-intr-test
+  "introspect_full reports the client_id"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, mobile, read, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, Cl, _, _, _, _} -> Cl\n       end"))
+  "mobile")
+
+(id-intr-test
+  "introspect_full reports the scope"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, write, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, _, Sc, _, _, _} -> Sc\n       end"))
+  "write")
+
+;; ── exp / iat reflect the logical clock ──────────────────────────
+
+(id-intr-test
+  "iat is the clock value at issue"
+  (idi-ev
+    "R = identity_tokens:start(),\n     identity_tokens:advance(R, 7),\n     {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n     case identity_tokens:introspect_full(R, T) of\n       {active, _, _, _, _, Iat, _} -> Iat\n     end")
+  7)
+
+(id-intr-test
+  "exp is iat plus the ttl"
+  (idi-ev
+    "R = identity_tokens:start(),\n     identity_tokens:advance(R, 7),\n     {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n     case identity_tokens:introspect_full(R, T) of\n       {active, _, _, _, Exp, Iat, _} -> Exp - Iat\n     end")
+  100)
+
+;; ── inactive / expired / revoked ─────────────────────────────────
+
+(id-intr-test
+  "an expired token introspects inactive in full mode too"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read, 100),\n       identity_tokens:advance(R, 100),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, _, _, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-intr-test
+  "a revoked token introspects inactive in full mode"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       {ok, T} = identity_tokens:issue(R, alice, web, read),\n       identity_tokens:revoke(R, T),\n       case identity_tokens:introspect_full(R, T) of\n         {active, _, _, _, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(id-intr-test
+  "an unknown token introspects inactive in full mode"
+  (idinm
+    (idi-ev
+      "R = identity_tokens:start(),\n       Bogus = make_ref(),\n       case identity_tokens:introspect_full(R, Bogus) of\n         {active, _, _, _, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "inactive")
+
+(define
+  id-intr-test-summary
+  (str "introspect " id-intr-test-pass "/" id-intr-test-count))

plans/identity-on-sx.md

@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
 
 ## Status (rolling)
 
-`bash lib/identity/conformance.sh` → **201/201** (4 phases + 10 ext)
+`bash lib/identity/conformance.sh` → **210/210** (4 phases + 11 ext)
 
 ## Ground rules
 
@@ -88,8 +88,16 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
 - [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
 - [x] token exchange (RFC 8693): downscope a token into a new independent token
+- [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)
 
 ## Progress log
+- 2026-06-07 — full introspection (ext, RFC 7662 §2.2): `introspect_full`
+  returns {active, Subject, Client, Scope, Exp, Iat, bearer} for live tokens,
+  {inactive} otherwise — deepening the opaque-token/live-lookup model the
+  whole design rests on. Access tokens now carry `Iat` (clock-at-issue);
+  exp = iat + ttl. Simple `introspect` unchanged. New tests/introspect.sx (9).
+  201→210. NOTE: conformance now needs an explicit long timeout (>120s, 19
+  suites) — run with `timeout 580`.
 - 2026-06-07 — token exchange (ext, RFC 8693 §2.1): `oauth.sx` gains
   `token_exchange(SubjectToken, RequestedScope)` — a valid access token is
   downscoped into a NEW independent grant for the same subject (subset only,