identity: opaque grant-backed tokens — issue/introspect/revoke (9 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 33s

Token table is a process; the token is an opaque make_ref carrying no
information. introspect() is a live table lookup every time, so
revocation is real (RFC 7009 §2): a revoked token reads {inactive} on
the next introspection with no validity window. Reply shapes follow
RFC 7662 §2.2 ({active, Subject, Client, Scope} / {inactive}).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 23:48:30 +00:00
parent 1c6b80404e
commit ac63501266
6 changed files with 140 additions and 6 deletions


@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
## Status (rolling)
`bash lib/identity/conformance.sh`**11/11** (Phase 1: session)
`bash lib/identity/conformance.sh`**20/20** (Phase 1: session, token)
## Ground rules
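Review bot: The status line now records `bash lib/identity/conformance.sh` at 20/20, but the test-build-deploy check for this push is reported as failing after 33s. Confirm the 20/20 figure came from a run on this exact tree and say in the commit why the pipeline is red, or hold the status bump until the check passes, so the rolling status never claims more than CI shows.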
@@ -58,7 +58,7 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
## Phase 1 — Sessions + tokens
- [x] `session.sx` — session process, create/lookup/expire
- [ ] `token.sx` — issue/introspect/revoke (opaque, grant-backed)
- [x] `token.sx` — issue/introspect/revoke (opaque, grant-backed)
- [ ] `registry.sx` — route by subject/client
- [ ] `api.sx` + tests + scoreboard + conformance.sh
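Review bot: Ticking `token.sx` leaves the last Phase 1 item, `api.sx` + tests + scoreboard + conformance.sh, unchecked even though the status section already reports results from `bash lib/identity/conformance.sh`. Split that item so the parts that already exist can be ticked and only the outstanding work stays open; as written the checklist and the status line disagree about whether the conformance script is done.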
@@ -78,6 +78,11 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
- [ ] tests: audit completeness, cross-instance subject mapping
## Progress log
- 2026-06-06 — `token.sx`: opaque grant-backed tokens. Token = `make_ref`
(carries no info); the token table is a process; `introspect` is a live
lookup every time so revocation is real (RFC 7009) — a revoked token reads
`{inactive}` on the next introspection, no validity window. Reply shapes
follow RFC 7662 §2.2 (`{active,...}` / `{inactive}`, never says why). +9 → 20/20.
- 2026-06-06 — `session.sx`: session-as-Erlang-process. create/lookup/touch/
explicit-expire/revoke as messages; idle-timeout self-expiry via
`receive ... after Ttl` notifying the owner then tombstoning. Tombstones
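Review bot: In the new `token.sx` log entry, "carries no info" documents that the token is opaque but not that it is hard to guess; a `make_ref` value is a unique reference, which is a different property from unpredictability. If the token is ever handed to a caller outside the runtime, record in the entry what makes it unguessable, and if it never leaves, say so. The entry also cites RFC 7009 without a section and abbreviates the active reply to `{active,...}`, while the commit message gives §2 and `{active, Subject, Client, Scope}`; using the same form in both keeps the log readable on its own.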