Reorganize brain: projects/ top level, rename filenames, update homepage

- Moved everything from ideas/passepartout/ to projects/passepartout/
- Moved legal structures to projects/flags/
- Created missing _index.org files for all subdirectories
- Stripped redundant passepartout- prefix from filenames
- Rewrote root _index.org as generalized brain index (projects + concepts)
- Updated Hugo nav to Projects/Concepts
- Updated build script section descriptions
- Deleted stale ideas/passepartout-economics.md orphan

projects/passepartout/strategy/compliance/glba.org

@@ -0,0 +1,24 @@
+:PROPERTIES:
+:ID:       4a2bc62b-3f21-4212-9cd9-f9add8fc0be1
+:ID:       auto-glba
+:CREATED:  [2026-05-23 Sat]
+:END:
+#+title: GLBA (Gramm-Leach-Bliley Act)
+#+filetags: :passepartout:compliance:framework:glba:
+
+
+US federal law governing financial institutions' handling of nonpublic personal
+information (NPI). Requires privacy notices, opt-out rights, and a Safeguards
+Rule requiring an information security program.
+
+Who must comply: Banks, credit unions, insurance companies, securities firms,
+financial advisers. ~20,000 institutions.
+
+Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers
+and directors personally liable.
+
+Why it matters: The Safeguards Rule maps directly to gate stack access controls.
+Every NPI access is gated; the proof log is the security program's evidence.
+First-mover advantage is narrow (GLBA is well-understood) but the market is
+large because every financial institution that dodges [[id:84fb5f8f-0527-4df0-b6b6-dbf3bcff8a7f][HIPAA]] still faces GLBA.
+