The My Account page now provides an "API Tokens" sub-page for displaying

all the user's tokens, globally and across Local Sites. These are

displayed as a list of tokens, grouped into Local Site sections (just

like the Groups page). Each section allows the user to generate a new

token with just one click.
Each token can be described through an editable note field immediately

below the token value. Saving this field immediately updates the token

on the server.
Next to each token value is a drop-down for selecting the token policy.

This defaults to "Full access," but "Read-only" and "Custom" are also

available values.
"Custom" will display an editor that the user can use to craft a custom

policy for that token. This editor uses CodeMirror to do JSON syntax

highlighting, auto-indentation, and lintian checking. The user can save

the token and close the editor, or save and continue editing in order to

help with debugging/testing access through a token.

Played around with adding, editing, and removing API tokens, globally and

on Local Sites.
Tested editing and saving notes.
Switched the token policy type, reloaded the page, and saw the updates.

Every type of token policy saved properly. (This means they were properly

calculated from stored token policies, since the names aren't stored at

all.)
Clicked on Custom and saw the token policy editor.
Played around with saving valid policies, and adding invalid data to see

that lintian validation and save button disabling was working.
Reloaded to see that the custom policy saved.
When Custom selected, I clicked Custom again, and the policy editor once

again appeared.
Tested a bunch of the new policy validation logic, and that the user

wasn't taken out of the policy editor when encountering an error.