Reorganize brain: projects/ top level, rename filenames, update homepage

- Moved everything from ideas/passepartout/ to projects/passepartout/
- Moved legal structures to projects/flags/
- Created missing _index.org files for all subdirectories
- Stripped redundant passepartout- prefix from filenames
- Rewrote root _index.org as generalized brain index (projects + concepts)
- Updated Hugo nav to Projects/Concepts
- Updated build script section descriptions
- Deleted stale ideas/passepartout-economics.md orphan

projects/passepartout/strategy/compliance/apra-cps-234.org

@@ -0,0 +1,28 @@
+:PROPERTIES:
+:ID:       904f5f12-ec9a-4cbf-854a-0b9b1e11a521
+:ID:       auto-apra-cps-234
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: APRA CPS 234 (Prudential Standard — Information Security)
+#+filetags: :passepartout:compliance:framework:apra:
+
+** APRA CPS 234 (Prudential Standard — Information Security)
+
+Australian Prudential Regulation Authority standard for regulated financial
+institutions. Requires: clearly defined information security roles and
+responsibilities, periodic cybersecurity capability assessments, robust control
+testing, timely remediation of control weaknesses, mandatory notification of
+material incidents to APRA within 72 hours.
+
+Who must comply: Banks, insurers, superannuation funds regulated by APRA.
+~500 entities.
+
+Penalties: APRA can impose capital requirements, license conditions, or
+license cancellation for non-compliance. Personal liability for board and
+senior management.
+
+Why it matters: CPS 234's control testing requirement creates demand for
+continuous verification — exactly what the gate stack and [[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]]
+provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
+escalating. No vendor provides a deterministic control-testing pipeline.
+