fix(security): make GSTACK_SECURITY_OFF a real kill switch

Docs promised env var would disable ML classifier load. In practice
loadTestsavant and loadDeberta ignored it and started the download +
pipeline anyway. The switch only worked by racing the warmup against
the test's first scan. Add an explicit early-return on the env value.

Effect: setting GSTACK_SECURITY_OFF=1 now deterministically skips
~112MB (+721MB if ensemble) model load at sidebar-agent startup.
Canary layer and content-security layers stay active.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

browse/src/security-classifier.ts

@@ -174,6 +174,11 @@ async function ensureTestsavantStaged(onProgress?: (msg: string) => void): Promi
 let loadPromise: Promise<void> | null = null;
 
 export function loadTestsavant(onProgress?: (msg: string) => void): Promise<void> {
+  if (process.env.GSTACK_SECURITY_OFF === '1') {
+    testsavantState = 'failed';
+    testsavantLoadError = 'GSTACK_SECURITY_OFF=1 — ML classifier kill switch engaged';
+    return Promise.resolve();
+  }
   if (testsavantState === 'loaded') return Promise.resolve();
   if (loadPromise) return loadPromise;
   testsavantState = 'loading';
@@ -299,6 +304,7 @@ async function ensureDebertaStaged(onProgress?: (msg: string) => void): Promise<
 
 let debertaLoadPromise: Promise<void> | null = null;
 export function loadDeberta(onProgress?: (msg: string) => void): Promise<void> {
+  if (process.env.GSTACK_SECURITY_OFF === '1') return Promise.resolve();
   if (!isDebertaEnabled()) return Promise.resolve();
   if (debertaState === 'loaded') return Promise.resolve();
   if (debertaLoadPromise) return debertaLoadPromise;