Capability tokens are the runtime unit of authority. A session holds a token; the engine validates the token on every gated action; subagents get *attenuated* child tokens that are guaranteed to be a strict subset of the parent on every dimension.

Adds:

- extension/src/policy/tokens.ts: in-memory TokenRegistry. Tokens carry sessionId, origin, mode, allowedActions, acceptedLabels, budgets (toolCalls / remotePromptUsd / navigations / wallClockMs), issuedAt/expiresAt, attenuationDepth, and a parentId for delegation chains. mint() produces root tokens. attenuate() refuses to widen mode, allowedActions, acceptedLabels, budgets, or TTL — every dimension is intersected with the parent. validate() checks origin and action match. revokeWithDescendants() takes out a delegation chain in one call. cleanup() drops expired and revoked tokens.…
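
The attenuation rule this commit message describes (every dimension intersected with the parent), as an added TypeScript example that is not the project's tokens.ts. The mode names and their ordering, the `Ask` request shape, and the sample origin, action and label strings are assumptions; the example clamps a widening request instead of throwing, which is one reading of "refuses to widen".

```typescript
// Added illustration, not the project's tokens.ts. Mode names, their ordering
// and the request shape are assumptions; field names follow the commit message.
type Mode = "read" | "act";
const MODE_RANK: Record<Mode, number> = { read: 0, act: 1 }; // assumed: read < act
interface Budgets { toolCalls: number; remotePromptUsd: number; navigations: number; wallClockMs: number }
interface Token {
  id: string; parentId: string | null; sessionId: string; origin: string;
  mode: Mode; allowedActions: string[]; acceptedLabels: string[];
  budgets: Budgets; issuedAt: number; expiresAt: number; attenuationDepth: number;
}
interface Ask { // what a subagent requests; omitted fields inherit from the parent
  mode?: Mode; allowedActions?: string[]; acceptedLabels?: string[];
  budgets?: Partial<Budgets>; expiresAt?: number;
}
const BUDGET_KEYS: (keyof Budgets)[] = ["toolCalls", "remotePromptUsd", "navigations", "wallClockMs"];
// Set intersection: an entry the parent lacks can never appear in the child.
function intersect(parent: string[], asked?: string[]): string[] {
  return asked === undefined ? parent.slice() : parent.filter((x) => asked.indexOf(x) !== -1);
}
// Numeric clamp into [0, limit]; NaN or Infinity in the request collapses to 0 (fail closed).
function clamp(limit: number, asked?: number): number {
  if (asked === undefined) return limit;
  return isFinite(asked) ? Math.max(0, Math.min(limit, asked)) : 0;
}
function attenuate(parent: Token, ask: Ask, childId: string, now: number): Token {
  const mode = ask.mode !== undefined && MODE_RANK[ask.mode] <= MODE_RANK[parent.mode] ? ask.mode : parent.mode;
  const asked: Partial<Budgets> = ask.budgets ?? {};
  const budgets: Budgets = { ...parent.budgets };
  for (const k of BUDGET_KEYS) budgets[k] = clamp(parent.budgets[k], asked[k]);
  return {
    id: childId, parentId: parent.id, sessionId: parent.sessionId, origin: parent.origin,
    mode, allowedActions: intersect(parent.allowedActions, ask.allowedActions),
    acceptedLabels: intersect(parent.acceptedLabels, ask.acceptedLabels),
    budgets, issuedAt: now, expiresAt: clamp(parent.expiresAt, ask.expiresAt),
    attenuationDepth: parent.attenuationDepth + 1,
  };
}
// The invariant to assert for every parent/child pair in a delegation chain.
function isWithin(child: Token, parent: Token): boolean {
  return MODE_RANK[child.mode] <= MODE_RANK[parent.mode]
    && child.allowedActions.every((a) => parent.allowedActions.indexOf(a) !== -1)
    && child.acceptedLabels.every((l) => parent.acceptedLabels.indexOf(l) !== -1)
    && BUDGET_KEYS.every((k) => child.budgets[k] <= parent.budgets[k])
    && child.expiresAt <= parent.expiresAt;
}
// Constructed sample root token (all values invented for this example).
const ROOT: Token = { id: "t0", parentId: null, sessionId: "s1", origin: "https://example.test", mode: "read",
  allowedActions: ["read_dom", "click"], acceptedLabels: ["public"], issuedAt: 0, expiresAt: 60000,
  attenuationDepth: 0, budgets: { toolCalls: 10, remotePromptUsd: 0.5, navigations: 3, wallClockMs: 30000 } };
```

Calling `attenuate(ROOT, ask, ...)` with an `ask` that names a higher mode, extra actions or labels, larger budgets or a later expiry returns a child for which `isWithin(child, ROOT)` still holds.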