Commits on May 7, 2026 permissions: sensitivity classifier with manifest-trust gating Tier 2 of the policy ladder. Three classifiers — domain, element, tool — emit a SensitivityVerdict that names which data labels should attach to data the action produces. Labels then propagate through Tier 3 of the PolicyEngine. Adds: - extension/src/policy/sensitivity.ts: * classifyDomain() recognizes SSO surfaces (Google/Microsoft/Apple/ Okta as credentials+identity), payment domains (Stripe/PayPal, banking heuristics as payments+identity), personal workspaces (Gmail/Outlook/Slack/Notion/Docs as confidential), patient portals (regulated+identity). * classifyElement() reads input descriptors — type=password, the WHATWG password/payment/identity autocomplete attributes, and a heuristic fallback on name/id/placeholder/aria-label. The content script never sends the actual value; just the shape. * classifyTool() reads tool manifest meta.…