feat: wire learnings into all insight-producing skills

Adds LEARNINGS_SEARCH and/or LEARNINGS_LOG to 10 skill templates that
produce reusable insights but were previously disconnected from the
learning system:

- office-hours, plan-ceo-review, plan-eng-review: add LOG (had SEARCH)
- plan-design-review: add both SEARCH + LOG (had neither)
- design-review, design-consultation, cso, qa, qa-only: add both
- retro: add SEARCH (had LOG)

13 skills now fully participate in the learning loop (read + write).
Every review, QA, investigation, and design session both consults prior
learnings and contributes new ones.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cso/SKILL.md.tmpl

@@ -102,6 +102,8 @@ grep -q "laravel" composer.json 2>/dev/null && echo "FRAMEWORK: Laravel"
 
 This is NOT a checklist — it's a reasoning phase. The output is understanding, not findings.
 
+{{LEARNINGS_SEARCH}}
+
 ### Phase 1: Attack Surface Census
 
 Map what an attacker sees — both code surface and infrastructure surface.
@@ -598,6 +600,8 @@ Write findings to `.gstack/security-reports/{date}-{HHMMSS}.json` using this sch
 
 If `.gstack/` is not in `.gitignore`, note it in findings — security reports should stay local.
 
+{{LEARNINGS_LOG}}
+
 ## Important Rules
 
 - **Think like an attacker, report like a defender.** Show the exploit path, then the fix.