docs: add compression design constraints

Compression must be paired with encryption (compress-then-encrypt)
to prevent bypassing entropy enforcement via compress-only uploads.

TODO.md

@@ -9,6 +9,9 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r
 - Paste compression for large text content
   - Must mark compression in URL fragment (e.g., `#z:<key>` or `#<key>:z`)
   - Receiver needs to know content is compressed before decryption
+  - Design: compress-then-encrypt only (not compress-only)
+  - Compressed data has high entropy → bypasses entropy enforcement
+  - Must enforce encryption when compression enabled (CLI-side)
 - ETag support for conditional requests
 - Neovim/Vim plugin for editor integration
 - Webhook notifications for paste events