Enforce an optional TLP release ceiling at the single export chokepoint
so no format (PDF/PPTX/HTML) can bypass it. Classifying a deck stays
optional; the gate only blocks decks classified above the configured
ceiling, and is off by default.
- ClassificationPolicy + ExportDecision: pure, tested decision logic
(release ceiling, fail-closed; null = no gate).
- ExportService.export() evaluates the policy first and refuses without
building or writing anything when blocked.
- Persist the ceiling as maxReleaseExportTlpKey in app settings/prefs
(default off) with a setter on SettingsNotifier.
- Export dialog runs the same check up front and explains a blocked
export before any work starts; app shell builds the policy from
settings.
- Tests: classification_policy_test plus export_service chokepoint tests
asserting a blocked export fails and writes no file.
- Docs: CHANGELOG, README, USER_GUIDE, ARCHITECTURE, SECURITY.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
