fix(brain-allowlist): sync project-root design and test-plan artifacts

[genisis0x]

Summary

Fixes #1452.

`/office-hours` Builder, `/plan-eng-review`, and `/autoplan` write their output at the project root, not under `designs/`:

```
projects/{slug}/{user}-{branch}-design-{datetime}.md
projects/{slug}/{user}-{branch}-test-plan-{datetime}.md
projects/{slug}/{user}-{branch}-eng-review-test-plan-{datetime}.md
```

The `.brain-allowlist` generated by `gstack-artifacts-init` covers `projects//designs/.md` and the `ceo-plans/` paths, so CEO plans sync correctly but the design / test-plan artifacts they reference do not. Pull on machine B and you get the CEO plan but not the underlying design, breaking the cross-machine plan-references-design chain.

Same class of incomplete-rename bug as #1441 (v1.27.0.0 missed the config key in one place); this audit covers the allowlist surface.

Changes

`bin/gstack-artifacts-init` — managed block of `.brain-allowlist` adds:

```
projects//-design-.md
projects//-test-plan-.md
projects//-eng-review-test-plan-*.md
```

`.brain-privacy-map.json` adds matching `"class": "artifact"` entries so the same privacy semantics that govern `designs/*.md` govern the project-root variants.

Why these patterns are safe to add to the managed block

The `` glob doesn't match path separators, so the new patterns are disjoint from the existing `designs/.md` patterns. No double-sync. No churn for installs that already have the subdirectory layout.

Why allowlist patch, not write-path change

The issue's "alternative (more conservative)" suggests canonicalizing the write paths in `/office-hours` and `/plan-eng-review` to use the `designs/` subdirectory. I picked the allowlist patch because:

• It's the lower-risk path — no skill template changes, no cross-skill reader breakage. Multiple skills already read the project-root filenames as canonical inputs.
• It matches the same fix-shape used for /setup-gbrain Step 7 sets wrong config key (gbrain_sync_mode); brain-sync reads artifacts_sync_mode → federation silently never runs #1441 (audit the surface the rename missed, don't redo the rename).

Happy to follow up with the write-path canonicalization as a separate change if maintainers prefer that direction; that one needs an audit of the cross-skill readers and is a larger surface than this PR should bundle.

Testing

`bash -n bin/gstack-artifacts-init` clean. JSON snippet round-trips through `json.loads` (14 entries). `bun test` not run locally because bun isn't installed on this machine; the change is text/glob only with no behavior change to existing paths, so the existing `test/gstack-artifacts-init.test.ts` coverage should remain green.

Fixes #1452

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews