Replace v1's hardcoded authority→policy resolution with a mobile-app-style consent flow.
- Server declares the entitlements it wants (paths/modes, URL schemes, env vars).
- Client shows a one-time consent prompt; grant cached per-authority; client enforces.
- Security behavior must be identical across client impls → covered by shared security conformance vectors (a permissive bug in one client = a vulnerability).
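
A sketch of the client side of this flow with a few conformance vectors, added here as an illustration and not taken from the project's code. The entitlement layout (`paths`, `schemes`, `env`), the mode names, the `ConsentStore` class and every sample value are assumptions, and granted path roots are assumed to be already normalized.

```python
import posixpath
from urllib.parse import urlsplit

MODES = {"r": 1, "rw": 2}  # assumed mode names; "rw" implies "r"

def _path_ok(grant, path, mode):
    # Lexical check only; a real client must also resolve symlinks.
    p = posixpath.normpath(path)
    return path.startswith("/") and mode in MODES and any(
        (p == r or p.startswith(r.rstrip("/") + "/")) and MODES[mode] <= MODES.get(m, 0)
        for r, m in grant["paths"].items())

class ConsentStore:
    def __init__(self, prompt):
        self._prompt = prompt   # callable(authority, wanted) -> bool
        self._grants = {}       # authority -> entitlements the user accepted

    def request(self, authority, wanted):
        g = self._grants.get(authority)
        covered = g is not None and (
            all(_path_ok(g, p, m) for p, m in wanted["paths"].items())
            and set(wanted["schemes"]) <= set(g["schemes"])
            and set(wanted["env"]) <= set(g["env"]))
        if not covered:             # first contact, or the server now asks for more
            if not self._prompt(authority, wanted):
                return False        # declined: any earlier grant stays unchanged
            self._grants[authority] = wanted
        return True

    def allows(self, authority, kind, value, mode="r"):
        # No consent recorded for this authority: empty grant, so everything is denied.
        g = self._grants.get(authority, {"paths": {}, "schemes": [], "env": []})
        if kind == "path":
            return _path_ok(g, value, mode)
        if kind == "url":
            return urlsplit(value).scheme in g["schemes"]
        return kind == "env" and value in g["env"]

VECTORS = [  # constructed: (kind, value, mode, expected decision)
    ("path", "/data/app/cfg.json", "r", True),
    ("path", "/data/app/cfg.json", "rw", False),          # mode escalation
    ("path", "/data/app/../../etc/passwd", "r", False),   # traversal out of the root
    ("path", "/data/application/x", "r", False),          # sibling sharing a prefix
    ("url", "file:///etc/passwd", "r", False),
    ("env", "APP_TOKEN", "r", False),
]

def failed_vectors(store, authority):
    return [v for v in VECTORS if store.allows(authority, *v[:3]) != v[3]]
```

Every client implementation would run the same vector list and must return an empty failure list; a vector that passes in one client and fails in another marks the permissive one.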