fix(brain-allowlist): include root-level design + test-plan docs in artifacts sync

[genisis0x]

Summary

Fixes #1452: gstack-artifacts-init writes a .brain-allowlist that covers projects/*/designs/*.md and projects/*/ceo-plans/*.md, but several skills land their output at the project root, not in those subdirectories:

Skill	Actual write path	Source
/office-hours Builder/Startup	projects/{slug}/{user}-{branch}-design-{datetime}.md	office-hours/SKILL.md.tmpl:519
/plan-eng-review	projects/{slug}/{user}-{branch}-eng-review-test-plan-{datetime}.md	plan-eng-review/SKILL.md.tmpl:85-86
/autoplan (test plan)	projects/{slug}/{user}-{branch}-test-plan-{datetime}.md	autoplan/SKILL.md.tmpl:525

Cross-skill readers (plan-ceo-review, plan-eng-review, autoplan) glob these at the project root via projects/$SLUG/*-design-*.md, so the write paths are authoritative; the allowlist is the inconsistent piece. With artifacts_sync_mode=full, gstack-brain-sync silently skips all three doc types, breaking the cross-machine ceo-plan -> design chain.

Change

Add three root-anchored glob patterns to both:

1. .brain-allowlist (so gstack-brain-sync includes them):

   projects/*/*-design-*.md
   projects/*/*-eng-review-test-plan-*.md
   projects/*/*-test-plan-*.md
   

2. .brain-privacy-map.json (same patterns, class: "artifact", mirroring the existing designs/ entries).

Glob * does not match path separators, so the new patterns do not conflict with the existing projects/*/designs/*.md or projects/*/ceo-plans/*.md entries.

Per the issue author's recommendation, the alternative (canonicalizing skill write paths under designs/) would break the existing cross-skill readers. The allowlist fix is the lower-risk path.

Files

• bin/gstack-artifacts-init — allowlist + privacy-map block, 6 added lines, no removals.

Test plan

• Run bash -n bin/gstack-artifacts-init (verified locally — syntax OK)
• Parse the embedded .brain-privacy-map.json (verified locally — valid JSON)
• bun test test/brain-sync.test.ts — existing tests verify file existence only, not pattern contents, so the diff is non-breaking
• On a fresh setup: run /office-hours, then gstack-brain-sync --once, confirm the root-level *-design-*.md is enqueued and pushed
• Existing designs/*.md and ceo-plans/*.md paths continue to sync as before

[genisis0x]

Closing as a duplicate of #1465. #1465 (rebased onto latest main today) adds the same projects/*/*-eng-review-test-plan-*.md glob plus the two sibling *-design-*.md / *-test-plan-*.md patterns + the explaining comment block, all in one shot. This PR only added the eng-review entry, so once #1465 lands, this PR is a strict subset.

If #1465 needs scope tightening rather than landing as-is, happy to re-open this one as a narrower fallback. Otherwise the eng-review pattern arrives through #1465.