Add low-fatigue exposure surface guards #1

Merged
efij merged 1 commit into main from codex/low-fatigue-tier1-exposure
Apr 10, 2026

@efij (Owner) commented Apr 10, 2026

Summary

  • add a narrowed exposure trust plane for clear public or externally shared sensitive exfil paths
  • prompt only on a small unknown-visibility GitHub/Slack surface set with per-session dedupe and exact approval reuse
  • bump the version to 15.0.1 and extend smoke coverage for public, unknown, private, and read-only exposure cases

Verification

  • python3 -m py_compile scripts/runwall_policy.py scripts/runwall_exposure.py scripts/runwall_approvals.py
  • bash -n tests/smoke.sh scripts/*.sh hooks/*.sh hooks/lib/*.sh bin/runwall bin/shield bin/secure-claude-code
  • focused ./bin/runwall evaluate ... checks for:
    • public GitHub comment block
    • public Slack channel block
    • public gist block after secret read
    • unknown GitHub comment prompt + prompt dedupe
    • approval reuse for unknown GitHub comment
    • public object-store ACL block
    • private/read-only no-hit cases
    • existing sensitive-data-flow, public-artifact-flow, browser-session, and release guards still firing

Notes

  • the full tests/smoke.sh run progressed through the new exposure coverage but later appeared to hang in an unrelated section, so this PR relies on the focused regression set above for this tranche.

@efij efij merged commit 9c1e2a0 into main Apr 10, 2026
0 of 6 checks passed
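
The block / prompt / no-hit policy the summary describes, sketched as an added example that is not Runwall's own code. The class names, the visibility labels, the `prompt-pending` result, the (surface, target) approval key, and the rule that only sessions that have read a secret are checked are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: only these surfaces prompt when visibility cannot be determined.
PROMPT_SURFACES = {"github", "slack"}

@dataclass(frozen=True)
class Action:
    surface: str     # constructed labels: "github", "slack", "gist", "object-store"
    target: str      # e.g. an issue reference or channel id
    visibility: str  # "public", "private" or "unknown"
    write: bool      # False for read-only operations

@dataclass
class Session:
    secret_read: bool = False                    # has sensitive data entered the session?
    prompted: set = field(default_factory=set)   # keys already prompted this session
    approved: set = field(default_factory=set)   # keys the user has approved

    def evaluate(self, a: Action) -> str:
        # No-hit cases: read-only, private, or nothing sensitive to leak.
        if not a.write or a.visibility == "private" or not self.secret_read:
            return "allow"
        # Clear public exposure of sensitive data is blocked outright.
        if a.visibility == "public":
            return "block"
        # Unknown visibility: prompt only on the small surface set.
        if a.surface not in PROMPT_SURFACES:
            return "allow"
        key = (a.surface, a.target)
        if key in self.approved:
            return "allow"           # exact approval reuse
        if key in self.prompted:
            return "prompt-pending"  # dedupe: never ask twice for the same key
        self.prompted.add(key)
        return "prompt"

    def approve(self, a: Action) -> None:
        # Approval is recorded for this exact surface and target only.
        self.approved.add((a.surface, a.target))
```

Keying approvals on the exact target keeps one approval from silently covering a different issue or channel, which is the property "exact approval reuse" implies.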