Commits on May 7, 2026 permissions: manifest trust registry (publisher keys + hash pins) Determines whether an MCP tool manifest's positive safety claims are honored. The classifier reads risk tags from any manifest (self-reported danger is strictly more conservative), but only honors a manifest's claim of `reversible: true` or `sideEffect: false` when the manifest comes from a trusted source. Adds: - extension/src/policy/manifest-trust.ts: * trustManifest() classifies a manifest's source as bundled, localInstall, signed (publisher-key-checked), policyPinned (hash-checked), pageDeclared, fetched, or unknown. Only the first four can produce trusted=true. * Publishers registry: ed25519 keys with optional allowedServerGlob. Adding a publisher is a deliberate user action. * Pins registry: serverId → set of accepted manifest hashes. Pins live in the user's policy file.…