Capability-based security sandbox for Glyph runtime
This crate enforces the capability-based security model for Glyph programs. Programs must declare required capabilities upfront, and the sandbox ensures that only authorized operations are executed.