feat: RUST with CMF and extensions.

[terylt]

Summary

Adds CMF (ContextForge Message Format) types, full extension model with 11 typed extensions, capability-gated
filtering, mutability tier enforcement (MonotonicSet, Guarded, WriteToken), and COW-based extension modification to
the CPEX Rust core.

Closes: #17

Changes

• cmf/ module — CMF Message, ContentPart (tagged enum), domain objects (ToolCall, ToolResult, Resource, etc.),
  enums, MessageView with OPA serialization
• extensions/ module — all 11 extension types matching Python: Security (with AgentIdentity), Http, Delegation,
  Agent, Request, Completion, Provenance, LLM, MCP, Framework, Meta
• extensions/monotonic.rs — MonotonicSet<T> add-only set, no remove() at compile time
• extensions/guarded.rs — Guarded<T> + WriteToken for capability-gated write access
• extensions/filter.rs — filter_extensions() with granular security sub-field filtering, slot registry with
  policies
• hooks/payload.rs — Extensions expanded to 11 slots with Arc immutable + owned mutable/monotonic, cow_copy()
  for zero-cost COW, validate_immutable() for tamper detection, write token propagation
• executor.rs — filter_extensions() wired into all 4 phases, write tokens set from capabilities, tier validation
  (immutable + monotonic) on modified extensions
• FilteredExtensions removed — single Extensions type, handlers receive &Extensions (immutable, zero-copy)
• cmf_capabilities_demo example — CMF message + config-driven capability gating end-to-end
• SDK re-exports for CMF types
• serde rc feature enabled for Arc serialization

Architecture highlights

• Zero-copy for read-only plugins — handler receives &Extensions, no clone. 95% of plugins pay nothing.
• COW for modifying plugins — extensions.cow_copy() clones only mutable slots (Arc bumps for 8 of 12 immutable
  slots). Write tokens propagate from the executor, can't be forged (pub(crate) constructor).
• Compile-time tier enforcement — MonotonicSet has no remove(), Guarded requires WriteToken for
  .write(). Plugin crates can't construct tokens.
• Executor validation — validate_immutable() uses Arc::ptr_eq to detect immutable slot tampering. Monotonic
  superset check ensures labels only grow.
• Concurrent/fire-and-forget — Arc<Extensions> shared across spawned tasks, one clone into the Arc, then
  refcount bumps per task.

Test plan

• 175 tests pass (76 original + 99 new)
• Zero compiler warnings
• cargo run --example plugin_demo works
• cargo run --example cmf_capabilities_demo works
• CMF serde round-trips match Python format
• Capability filtering: plugins without capabilities see None/empty
• COW: modifications on copy, original unchanged, immutable Arcs shared
• Write tokens: propagated through cow_copy, not clonable, not forgeable
• Executor rejects immutable slot tampering
• Executor rejects monotonic label removal
• Executor accepts valid label additions via cow_copy
• Sensitive headers (Authorization, Cookie, X-API-Key) stripped in OPA serialization

New test coverage

Module	Tests	Covers
cmf/enums	7	Serde round-trips for all enums
cmf/content	10	All content part types, domain objects, Resource helpers
cmf/message	11	Message helpers, serde, MessagePayload as PluginPayload
cmf/view	17	Views, actions, hooks, extensions, to_dict, to_opa_input, sensitive header stripping
extensions/security	10	AgentIdentity, SubjectExtension, labels, serde, ObjectSecurityProfile, DataPolicy
extensions/http	8	Case-insensitive get/set/has, add-if-absent, remove, serde
extensions/delegation	4	Append hop, multiple hops, scope narrowing, serde
extensions/monotonic	5	Add-only, superset, declassifier, case-insensitive labels, serde
extensions/guarded	4	Read without token, write with token, serde transparent
extensions/filter	8	Per-capability visibility, granular security sub-fields
extensions/tiers	2	Tier and capability serde
hooks/payload (COW)	11	cow_copy Arc sharing, token propagation, validate_immutable, multi-field modify,
read-only zero-cost
manager (tier validation)	3	Executor accepts valid labels, rejects immutable tampering, capability filtering
integration

[araujof]

LGTM

Merging into dev and review this changeset with #45 (branched from this PR).