identity: silent SSO prompt=none fast-path — one session, many clients (10 tests)

oauth.sx now owns a session registry. establish creates a subject session;
silent_authorize (OIDC prompt=none §3.1.2.1) asks "does this subject have a
live session?" — if yes it mints a code skipping consent, bound to client +
redirect_uri + PKCE exactly like a consented code; if no it returns
login_required (a negative state, not a login redirect). One session serves
many clients; end_session closes the fast-path. New tests/sso.sx. 75/75.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/identity/conformance.sh

@@ -33,6 +33,7 @@ SUITES=(
   "registry|id-registry-test-pass|id-registry-test-count"
   "api|id-api-test-pass|id-api-test-count"
   "oauth|id-oauth-test-pass|id-oauth-test-count"
+  "sso|id-sso-test-pass|id-sso-test-count"
 )
 
 cat > "$TMPFILE" << 'EPOCHS'
@@ -54,6 +55,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/registry.sx")
 (load "lib/identity/tests/api.sx")
 (load "lib/identity/tests/oauth.sx")
+(load "lib/identity/tests/sso.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -64,6 +66,8 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-api-test-pass id-api-test-count)")
 (epoch 104)
 (eval "(list id-oauth-test-pass id-oauth-test-count)")
+(epoch 105)
+(eval "(list id-sso-test-pass id-sso-test-count)")
 EPOCHS
 
 timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1

lib/identity/scoreboard.json

@@ -1,12 +1,13 @@
 {
   "language": "identity",
-  "total_pass": 65,
-  "total": 65,
+  "total_pass": 75,
+  "total": 75,
   "suites": [
     {"name":"session","pass":11,"total":11,"status":"ok"},
     {"name":"token","pass":18,"total":18,"status":"ok"},
     {"name":"registry","pass":9,"total":9,"status":"ok"},
     {"name":"api","pass":10,"total":10,"status":"ok"},
-    {"name":"oauth","pass":17,"total":17,"status":"ok"}
+    {"name":"oauth","pass":17,"total":17,"status":"ok"},
+    {"name":"sso","pass":10,"total":10,"status":"ok"}
   ]
 }

lib/identity/scoreboard.md

@@ -1,6 +1,6 @@
 # identity-on-sx Scoreboard
 
-**Total: 65 / 65 tests passing**
+**Total: 75 / 75 tests passing**
 
 |  | Suite | Pass | Total |
 |---|---|---|---|
@@ -9,6 +9,7 @@
 | ✅ | registry | 9 | 9 |
 | ✅ | api | 10 | 10 |
 | ✅ | oauth | 17 | 17 |
+| ✅ | sso | 10 | 10 |
 
 
 Generated by `lib/identity/conformance.sh`.

lib/identity/tests/sso.sx

@@ -0,0 +1,115 @@
+;; identity/tests/sso.sx — silent SSO (prompt=none, OIDC §3.1.2.1) as a
+;; fast-path through the authorization-code machine. One subject session,
+;; many client apps; no session → login_required (a negative state, not a
+;; redirect). Silently-issued codes carry the same client/redirect/PKCE
+;; binding as consented codes.
+
+(define id-sso-test-count 0)
+(define id-sso-test-pass 0)
+(define id-sso-test-fails (list))
+
+(define
+  id-sso-test
+  (fn
+    (name actual expected)
+    (set! id-sso-test-count (+ id-sso-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-sso-test-pass (+ id-sso-test-pass 1))
+      (append! id-sso-test-fails {:name name :expected expected :actual actual}))))
+
+(define ids-ev erlang-eval-ast)
+(define idsnm (fn (v) (get v :name)))
+
+(identity-load-token!)
+(identity-load-session!)
+(identity-load-registry!)
+(identity-load-oauth!)
+
+;; ── no session → login_required ──────────────────────────────────
+
+(id-sso-test
+  "silent authorize without a session is login_required"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       case identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "login_required")
+
+;; ── established session → silent code ────────────────────────────
+
+(id-sso-test
+  "silent authorize for the same client returns a code"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       case identity_oauth:silent_authorize(O, web, uri1, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "got_code")
+
+;; ── one session, many clients ────────────────────────────────────
+
+(id-sso-test
+  "a different client gets a silent code off the same session"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       case identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "got_code")
+
+(id-sso-test
+  "many clients all silently authorize off one session"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, _C1} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       {code, _C2} = identity_oauth:silent_authorize(O, mobile, uri3, read, alice, vv),\n       case identity_oauth:silent_authorize(O, billing, uri4, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "got_code")
+
+;; ── full SSO → token ─────────────────────────────────────────────
+
+(id-sso-test
+  "silent code exchanges to a working token"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, C} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       {ok, A, _R} = identity_oauth:exchange(O, C, dashboard, uri2, vv),\n       case identity_oauth:introspect(O, A) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-sso-test
+  "SSO token carries the subject"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, C} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       {ok, A, _R} = identity_oauth:exchange(O, C, dashboard, uri2, vv),\n       case identity_oauth:introspect(O, A) of\n         {active, Subject, _, _} -> Subject\n       end"))
+  "alice")
+
+;; ── silent codes keep the full binding ───────────────────────────
+
+(id-sso-test
+  "silent code still enforces PKCE at exchange"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, C} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       case identity_oauth:exchange(O, C, dashboard, uri2, wrongverif) of\n         {ok, _, _} -> ok;\n         {error, Why} -> Why\n       end"))
+  "invalid_grant")
+
+(id-sso-test
+  "silent code still enforces client binding at exchange"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       {code, C} = identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv),\n       case identity_oauth:exchange(O, C, attacker, uri2, vv) of\n         {ok, _, _} -> ok;\n         {error, Why} -> Why\n       end"))
+  "invalid_grant")
+
+;; ── subject scoping: SSO is per subject ──────────────────────────
+
+(id-sso-test
+  "another subject is still login_required"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, _Sid} = identity_oauth:establish(O, alice, web),\n       case identity_oauth:silent_authorize(O, dashboard, uri2, read, bob, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "login_required")
+
+;; ── ending the session closes the SSO fast-path ──────────────────
+
+(id-sso-test
+  "after end_session, silent authorize is login_required"
+  (idsnm
+    (ids-ev
+      "O = identity_oauth:start(),\n       {ok, Sid} = identity_oauth:establish(O, alice, web),\n       identity_oauth:end_session(O, Sid),\n       case identity_oauth:silent_authorize(O, dashboard, uri2, read, alice, vv) of\n         {code, _} -> got_code;\n         {error, Why} -> Why\n       end"))
+  "login_required")
+
+(define
+  id-sso-test-summary
+  (str "sso " id-sso-test-pass "/" id-sso-test-count))

plans/identity-on-sx.md

@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
 
 ## Status (rolling)
 
-`bash lib/identity/conformance.sh` → **65/65** (Phases 1–2 complete)
+`bash lib/identity/conformance.sh` → **75/75** (Phases 1–2 + silent SSO)
 
 ## Ground rules
 
@@ -68,7 +68,7 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [x] tests: full code exchange, refresh, revoke-then-use (must fail)
 
 ## Phase 3 — Silent SSO + membership
-- [ ] `prompt=none` cross-app login (one session, many clients)
+- [x] `prompt=none` cross-app login (one session, many clients)
 - [ ] membership state + per-app grant projection
 - [ ] grant verification delegated cache (mirror Redis-cache pattern)
 
@@ -78,6 +78,12 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [ ] tests: audit completeness, cross-instance subject mapping
 
 ## Progress log
+- 2026-06-07 — silent SSO (`prompt=none`, OIDC §3.1.2.1): `oauth.sx` now owns
+  a session registry; `establish` creates a subject session, `silent_authorize`
+  asks "does this subject have a live session?" → mints a code (skipping
+  consent) bound to client+redirect+PKCE, else `login_required`. Same machine,
+  fast-path — one session, many clients; `end_session` closes the path.
+  New `tests/sso.sx` (10). +10 → 75/75.
 - 2026-06-07 — `oauth.sx` refresh wiring + e2e: exchange now issues an
   access+refresh pair (RFC 6749 §4.1.4/§5.1) via token.sx issue_grant; added
   the refresh grant (§6) delegating to token rotation. End-to-end tests: