visual-artifacts: user-installed stack wins over bundled example (VA-STACK-001)

[garagon]

Summary

Closes VA-STACK-001 from the Visual Artifacts v1 Security Audit (architect review, 2026-05-11). Single P2 finding: named stack lookup checked the repo-bundled example before the project's user-installed stack, so a customized compliance-release was silently shadowed by the example with the same name. The render and manifest looked authoritative but described the wrong workflow.

Fix

Swap precedence in render_stack_body:

1. $NANOSTACK_STORE/stacks/<name>/stack.json (user-installed)
2. examples/custom-stack-template/<name>/stack.json (bundled fallback)
3. .nanostack/config.json only for stack default (unchanged)

A user-installed stack with the same name as a bundled example always wins. Bundled fallback still applies when no user stack exists. Malformed-named-stack and stack-not-found paths are unchanged.

Files

• bin/render-artifact.sh: swap the lookup order in render_stack_body.
• reference/visual-artifact-contract.md: update the stack <name> row to reflect the new order.
• ci/e2e-visual-artifacts.sh: 2 new cells (24a, 24b) covering both directions.

Regression coverage

Cell	Scenario	Asserts
24a	User-installed compliance-release with phase user-gate + display_name "User Compliance Override"	HTML shows user phases; does NOT show bundled license-audit; manifest first source is the user-installed stack file
24b	No user stack, bundled example only	HTML shows bundled phases; manifest first source is the examples file

Codex review trail (1 pass, clean)

Pass 1: clean.

Test plan

• ci/check-visual-artifact-templates.sh 38/38
• ci/e2e-visual-artifacts.sh 330/330 (was 321; +9 from cells 24a + 24b)
• tests/run.sh 83/83
• Architect's reproduction (user stack overrides bundled) — manifest first source now points at $NANOSTACK_STORE/stacks/compliance-release/stack.json
• Codex pass 1 returned clean