Make capability objects first-class

[seanwevans]

Motivation

• Replace ad‑hoc YAML-only policy with a first-class authority model so callers can hand ReadPath, WritePath, ConnectTCP, Import, CpuBudget, etc., directly to the runtime and have YAML remain a serialization of the same model.
• Allow finer-grained semantics (e.g. split read vs write path grants) and a normalized AuthoritySet to drive runtime enforcement and import/CPU wiring.

Description

• Added a family of authority classes in pyisolate/capabilities.py: Authority, ReadPath, WritePath, ConnectTCP, Import, CpuBudget and AuthoritySet, and extended __all__ exports so they are available from the top-level package. (see pyisolate/capabilities.py).
• Extended Policy in pyisolate/policy/__init__.py with capabilities and a grant() API and implemented to_dict()/to_yaml() so object-based policies serialize to the same YAML shape as the DSL. Legacy helpers remain and are converted into the authority model (allow_fs → read+write). (see pyisolate/policy/__init__.py).
• Updated the YAML compiler in pyisolate/policy/compiler.py to accept read/write filesystem rules, cpu_ms, and to emit a capabilities list in the SandboxPolicy containing first-class capability objects. (see pyisolate/policy/compiler.py).
• Plumbed capability serialization/deserialization and enforcement into the runtime in pyisolate/runtime/thread.py: added (de)serialization for first-class authorities, computed an AuthoritySet from the union of policy objects and handed capabilities, and enforced read/write/connect checks using the authority model (_blocked_open, _guarded_connect, importer wiring and CPU budget resolution). (see pyisolate/runtime/thread.py).
• Minor supervisor logging tweak to improve diagnostic on control-plane auth rejection. (see pyisolate/supervisor.py).
• Documentation updates in POLICY.md and API.md describing the object-based authority model and examples, plus new unit tests that cover object grants and serialization. (see POLICY.md, API.md, tests/test_capabilities.py, tests/test_policy.py).

Testing

• Ran the capability & policy focused test suite: pytest -q tests/test_capabilities.py tests/test_policy.py tests/test_policy_enforcement.py and all tests passed (39 passed).
• Performed static compile checks with python -m py_compile on the modified modules and they succeeded.
• Note: a full local run of the entire test-suite depends on host toolchain / kernel helpers (BPF toolchain, bpftool, etc.); running the entire suite in this environment previously surfaced host/tooling-related failures (BPF compilation / stub manager differences) that are not related to the authority-model changes and should be validated in CI with the proper toolchain.

---

Codex Task