docs(export): §12 addendum — m's decisions on the 9 §11 questions

t-paliad-214. m walked all 9 questions live; deviated on Q2 (project-scope
floor = any team member, not associate), Q3 (retention 90d, not 7d), Q5
(paliadin_turns hard-excluded from org scope, not opt-in). Other 6
matched inventor picks. Net slice-plan deltas captured in §12.

docs/design-paliad-data-export-2026-05-19.md

@@ -552,7 +552,32 @@ A global_admin can already assemble a DSR manually using project-scope exports f
 
 ---
 
-## 12. Adjacent / out-of-scope
+## 12. m's decisions (addendum, 2026-05-19)
+
+m walked the §11 questions live via AskUserQuestion. Results below — these supersede the inventor picks where they differ.
+
+- **Q1 — Bundle format:** Bundle xlsx + JSON + CSV in one `.zip` per export. ✓ matches pick.
+- **Q2 — Project-scope floor:** **Any team member** (`responsibility ∈ {lead, member}`). ⚠ **Deviation** from associate-floor pick — m chose the looser axis-split gate. **Implementation update for §4:** project-scope auth becomes `(a) can_see_project(root_id) AND (b) caller is on project_teams for the root with responsibility ∈ {lead, member}`. The DerivationService profession check is dropped from the export gate; observers + externals + derived-only members still cannot extract. `system_audit_log.metadata` records the responsibility value the caller held at export time.
+- **Q3 — Org-export retention:** **90 days**. ⚠ **Deviation** from 7-day pick. **Implementation update for §6.2:** `PALIAD_EXPORT_RETENTION_DAYS` default flips from `7` to `90`. The cleanup goroutine still runs daily; the threshold is just longer. Audit row unaffected (still persists forever).
+- **Q4 — Date format:** ISO 8601 strings only. ✓ matches pick.
+- **Q5 — paliadin_turns in org export:** **Never include in org export.** ⚠ **Tighter** than opt-in pick. **Implementation update for §2.1 + §6.3:** the `paliadin_turns` row drops from the org-scope sheet table entirely — no `?include=paliadin_turns` query param. Personal scope still carries the caller's own paliadin_turns (it's literally their data). The hard exclusion is enforced in `export_service.go`'s scope-aware sheet registry, not just in column-discovery, so a future schema addition can't accidentally re-include it.
+- **Q6 — Deterministic exports:** Yes. ✓ matches pick. (m answered freeform "1" alongside the batching request — first option = deterministic.)
+- **Q7 — Invitation tokens:** Drop entirely. ✓ matches pick.
+- **Q8 — Signed URLs in v1:** Not in v1. ✓ matches pick.
+- **Q9 — GDPR DSR helper UI in v1:** Not in v1. ✓ matches pick.
+
+**Net effect on slice plan:** unchanged shape, three modifications:
+- Slice 2 gate logic uses `project_teams.responsibility` only (no profession lookup).
+- Slice 3 default retention is 90 days (one env-var value change).
+- Slice 1 + 3 sheet registry omits `paliadin_turns` from org scope entirely.
+
+No other slice deltas. v1 still ships slices 1+2+3.
+
+**Coder shift gating:** head still gates the implementation handoff; m's decisions here close §11 but don't auto-trigger coder work.
+
+---
+
+## 13. Adjacent / out-of-scope
 
 - **Import path** — explicitly out per brief. A round-trip "export then re-import" is appealing but is its own design (rebinding UUIDs, conflict resolution, schema_version migrations). Don't conflate.
 - **Postgres replacement** — the Excel workbook is a *backup* + *portability artifact*, not a data-model alternative. Postgres stays canonical.
@@ -561,7 +586,7 @@ A global_admin can already assemble a DSR manually using project-scope exports f
 
 ---
 
-## 13. References
+## 14. References
 
 - `docs/design-data-model-v2.md` — projects + mandanten + ltree path + can_see_project predicate.
 - `docs/design-approval-policy-ui-2026-05-07.md` — 5-source audit union (this design adds the 6th source).