Commits on May 7, 2026 permissions: integration test for the full request → audit → replay flow Adds a single end-to-end integration test that wires the policy modules together and walks the path a real page-side agent.requestCapabilities() call takes: 1. SessionRegistry mints a capability token for an explicit session. 2. PolicyEngine evaluates a typed-action request against the token. 3. Audit log records the decision. 4. Simulator replays the recorded decision under a different mode. 5. SessionRegistry.setMode refuses any mode-widening attempt. 6. Terminating the session revokes the capability token. This complements the per-module unit tests in policy/__tests__ (which verify each tier of the engine, the token lattice, the simulator, and the audit log in isolation) with a single test that exercises them together, catching wiring regressions that pure module tests would miss.…