identity: identity->acl delegation boundary — 401 gates before 403 (+8 tests)

delegation.sx makes the loop's central rule concrete: check() introspects
the token first — inactive → {error, unauthenticated} (401), acl never
consulted — and only an authenticated subject's request is delegated to
acl, which returns permit/deny ({error, forbidden} = 403). 401 strictly
precedes 403. acl-on-sx (Datalog) is a different SX guest wired at the
integration layer, so the decider here is a labelled stub (permits when
Action in Scope); swap the pid and the boundary is unchanged. New
tests/delegation.sx. 185/185 — extensions backlog clear.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/identity/conformance.sh

@@ -43,6 +43,7 @@ SUITES=(
   "grants|id-grants-test-pass|id-grants-test-count"
   "device|id-device-test-pass|id-device-test-count"
   "facade|id-facade-test-pass|id-facade-test-count"
+  "delegation|id-deleg-test-pass|id-deleg-test-count"
 )
 
 cat > "$TMPFILE" << 'EPOCHS'
@@ -65,6 +66,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/federation.sx")
 (load "lib/identity/clients.sx")
 (load "lib/identity/device.sx")
+(load "lib/identity/delegation.sx")
 (load "lib/identity/tests/session.sx")
 (load "lib/identity/tests/token.sx")
 (load "lib/identity/tests/registry.sx")
@@ -80,6 +82,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/grants.sx")
 (load "lib/identity/tests/device.sx")
 (load "lib/identity/tests/facade.sx")
+(load "lib/identity/tests/delegation.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -110,6 +113,8 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-device-test-pass id-device-test-count)")
 (epoch 114)
 (eval "(list id-facade-test-pass id-facade-test-count)")
+(epoch 115)
+(eval "(list id-deleg-test-pass id-deleg-test-count)")
 EPOCHS
 
 timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1