identity: token exchange — downscope into an independent token (RFC 8693, +8 tests)

oauth.sx gains token_exchange(SubjectToken, RequestedScope): a valid access
token is downscoped into a NEW independent grant for the same subject
(subset only, else invalid_scope; inactive subject token → invalid_grant).
The exchanged token's lifecycle is independent of the subject token
(revoking either leaves the other active); exchanges chain. Least-privilege
handoff to downstream services. New tests/exchange.sx. 201/201.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

plans/identity-on-sx.md

@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
 
 ## Status (rolling)
 
-`bash lib/identity/conformance.sh` → **193/193** (4 phases + 9 ext)
+`bash lib/identity/conformance.sh` → **201/201** (4 phases + 10 ext)
 
 ## Ground rules
 
@@ -87,8 +87,16 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [ ] OAuth `state` (CSRF) + OIDC `nonce` threaded through authorize→exchange
 - [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
 - [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
+- [x] token exchange (RFC 8693): downscope a token into a new independent token
 
 ## Progress log
+- 2026-06-07 — token exchange (ext, RFC 8693 §2.1): `oauth.sx` gains
+  `token_exchange(SubjectToken, RequestedScope)` — a valid access token is
+  downscoped into a NEW independent grant for the same subject (subset only,
+  else invalid_scope; inactive subject token → invalid_grant). The new token's
+  lifecycle is independent (revoking either leaves the other active);
+  exchanges chain. Least-privilege handoff to downstream services. New
+  tests/exchange.sx (8). 193→201.
 - 2026-06-07 — subject-wide session management (ext): `api.sx` gains
   `sessions(Subject)` (enumerate) and `logout_all(Subject)` ("log out
   everywhere") — revokes + deregisters every session a subject holds,