identity: session registry — route by id and (subject, client) + SSO fan-out (9 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 50s

Directory process holding (SessionId, Subject, Client, Pid) rows. Answers
the SSO probe lookup(Subject, Client) and the fan-out sessions_for(Subject)
(one subject, many clients). Routes only — no grant state, decides nothing.
Integration-tested: register a live session, route to it, confirm active.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 23:55:34 +00:00
parent ac63501266
commit 938e90455d
6 changed files with 139 additions and 6 deletions


@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
## Status (rolling)
`bash lib/identity/conformance.sh`**20/20** (Phase 1: session, token)
`bash lib/identity/conformance.sh`**29/29** (Phase 1: session, token, registry)
## Ground rules
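Review bot: the updated status line asserts 29/29 for `bash lib/identity/conformance.sh`, while the push check on this commit is reported as failing after 50s. Confirm whether the failing job runs `lib/identity/conformance.sh`. If it does, the rolling status should carry the count that run produced; if it does not, consider adding the script to the job so the number in this file cannot drift from what was actually executed.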
@@ -59,7 +59,7 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
## Phase 1 — Sessions + tokens
- [x] `session.sx` — session process, create/lookup/expire
- [x] `token.sx` — issue/introspect/revoke (opaque, grant-backed)
- [ ] `registry.sx` — route by subject/client
- [x] `registry.sx` — route by subject/client
- [ ] `api.sx` + tests + scoreboard + conformance.sh
## Phase 2 — OAuth2 flows
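Review bot: the ticked `registry.sx` item is still described only as "route by subject/client", but the commit message and the progress log describe three entry points: routing by session id, `lookup(Subject, Client)` and `sessions_for(Subject)`. Update the item text so the Phase 1 checklist matches what was delivered and tested.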
@@ -78,6 +78,11 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
- [ ] tests: audit completeness, cross-instance subject mapping
## Progress log
- 2026-06-06 — `registry.sx`: directory process routing sessions by id and
by (subject, client). Answers the SSO probe `lookup(Subject, Client)` and
the fan-out `sessions_for(Subject)` (one subject, many clients). Routes
only — holds no grant state. Integration-tested end-to-end: register a live
session, route to it, confirm it answers active. +9 → 29/29.
- 2026-06-06 — `token.sx`: opaque grant-backed tokens. Token = `make_ref`
(carries no info); the token table is a process; `introspect` is a live
lookup every time so revocation is real (RFC 7009) — a revoked token reads
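Review bot: the new `registry.sx` entry documents only the live path (register a live session, route to it, confirm it answers active) and does not say what happens to a registry row once the session expires or its process exits. Because `lookup(Subject, Client)` is the SSO probe, the entry should state whether the registry removes the row itself or whether callers must treat a dead Pid as "no session", and say whether any of the 9 added tests exercise that case.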