docs(plan): correct mainline status post secret-leak incident (supersedes #215) #219

Merged
shaypal5 merged 1 commit into main from codex/plan-correct-post-incident
Jun 14, 2026
@shaypal5

Member

Why

#215 recorded the state-repo seed as a clean success and I merged it without review (the thing you flagged). It also turned out to be inaccurate: that seed leaked a live Google CSE API key to the public state repo. Rather than a bare revert, this is the corrected replacement you asked for — it updates .agent-plan.md to mainline truth.

What changed (doc-only)

  • Records the incident + remediation in Mainline Status and the UNIFY-PR-06 ledger entry: the seed captured a live Google CSE key into a discovery run's errors[] (from a CSE-403 URL ?key=…) and pushed it to the public repo; the key was rotated, the public repo's history was purged (clean root force-pushed), and the redaction root-cause fix (#217) merged. The re-seeded state on main is key-scrubbed.
  • Go-live (UNIFY-PR-06) is now gated on the state-push secret-scan guard (#218) in addition to the manual-dispatch verification.
  • "Last merged PR on main" points at the fix(security): redact secrets from persisted discovery error strings #217 redaction fix.

Plan validator passes. Opened for your review — not merged.
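The two controls named in this description, redacting error strings before they are persisted (#217) and scanning state before it is pushed (#218), can be sketched as follows. This is an added example, not code from the repository: `redact`, `record_error`, `scan_state`, the parameter list and the sample error are all assumptions, and the key is a constructed fake.

```python
import re

# Query parameters treated as secret-bearing (assumed list, not the project's).
SECRET_PARAMS = ("key", "api_key", "apikey", "token", "access_token")
_PARAM_RE = re.compile(r"(?i)([?&](?:%s)=)[^&\s\"'#]+" % "|".join(SECRET_PARAMS))
# Google API keys share a well-known shape: "AIza" + 35 URL-safe characters.
_GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")


def redact(text: str) -> str:
    """Scrub secret query values and bare Google-style keys from a string."""
    text = _PARAM_RE.sub(r"\1[REDACTED]", text)
    return _GOOGLE_KEY_RE.sub("[REDACTED]", text)


def record_error(run: dict, exc: Exception) -> None:
    """Persist an exception into run['errors'] only after redaction."""
    run.setdefault("errors", []).append(redact(str(exc)))


def scan_state(state) -> list[str]:
    """Pre-push guard: JSON paths of every string that still holds a secret."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str) and redact(node) != node:
            hits.append(path)  # redaction would change it, so it is dirty

    walk(state, "$")
    return hits


# Constructed sample: a fake key built at runtime, never a real credential.
FAKE_KEY = "AIza" + "0" * 35
ERR = ("403 Client Error: Forbidden for url: "
       f"https://www.googleapis.com/customsearch/v1?key={FAKE_KEY}&cx=abc&q=test")

if __name__ == "__main__":
    leaky = {"runs": [{"errors": [ERR]}]}  # what an unredacted seed persists
    fixed = {}
    record_error(fixed, RuntimeError(ERR))
    print(scan_state(leaky), scan_state(fixed), fixed["errors"][0])
```

A guard like `scan_state` would run in the push step and fail the job on any hit, so a redaction gap in one code path cannot reach the public repository unnoticed.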

…edes #215)

#215 recorded the state-repo seed as a clean success. It wasn't: that seed leaked
a live Google CSE API key (captured into a discovery run's errors[] from a CSE-403
URL and pushed to the PUBLIC state repo). This corrects .agent-plan.md to mainline
truth:

- the incident and its remediation (key rotated; public-repo history purged with a
  clean root; redaction root-cause fix #217 merged; re-seeded state is key-scrubbed);
- go-live (UNIFY-PR-06) is now gated on the state-push secret-scan guard (issue #218)
  in addition to the manual-dispatch verification;
- last-merged status points at the #217 redaction fix.

Doc-only; opened as a PR for review rather than merged directly.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Copilot AI review requested due to automatic review settings June 14, 2026 11:27
@shaypal5 shaypal5 added this to the Local↔CI Unification milestone Jun 14, 2026
@shaypal5 shaypal5 added the discovery Discovery-layer and candidate-retention work label Jun 14, 2026

Copilot AI left a comment

Contributor

Pull request overview

Updates .agent-plan.md to reflect corrected “mainline truth” after the seed-time secret leak and subsequent remediation, superseding the earlier (inaccurate) post-seed status recorded in #215.

Changes:

  • Updates “Last merged PR on main” to reference #217 (secret redaction fix) and summarizes the redaction approach.
  • Records the seed-time incident and remediation steps in Mainline Status and the UNIFY-PR-06 ledger entry.
  • Gates UNIFY-PR-06 go-live on the planned state-push secret-scan guard (#218) plus manual-dispatch verification.

Comment thread .agent-plan.md
Comment on lines +15 to +16
state. Threat-model tested across the project's secret types. This is the last step of the
search-backstop code (`UNIFY-PR-05`) plus the incident fix.
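Review bot: "Threat-model tested across the project's secret types" on line 15 gives no pointer to which secret types were covered or which tests back the claim. Naming the test module or listing the types in the plan entry would let a reader verify the statement against #217 instead of taking it on trust.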
@codecov

codecov Bot commented Jun 14, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.84%. Comparing base (52055bc) to head (7b27dad).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #219   +/-   ##
=======================================
  Coverage   92.84%   92.84%           
=======================================
  Files          84       84           
  Lines       12337    12337           
=======================================
  Hits        11454    11454           
  Misses        883      883           
@github-actions


pr-agent-context report:

This run includes an unresolved review comment on PR #219.

For each unresolved review comment, recommend one of: resolve as irrelevant, accept and implement
the recommended solution, open a separate issue and resolve as out-of-scope for this PR, accept and
implement a different solution, or resolve as already treated by the code.

After I reply with my decision per item, implement the accepted actions, resolve the corresponding
PR comments, and push all of these changes in a single commit.

# Copilot Comments

## COPILOT-1
Location: .agent-plan.md:16
URL: https://github.com/DataHackIL/tfht_enforce_idx/pull/219#discussion_r3409459107
Root author: copilot-pull-request-reviewer

Comment:
    The wording here implies PR #217 was part of (or completed) the `UNIFY-PR-05` search-backstop work, but #217 is the incident redaction fix and `UNIFY-PR-05` is already tracked as its own completed item in the Task Ledger. Rephrase to avoid conflating these two changes while still noting ordering on `main`.

Run metadata:

Tool ref: v4.0.19
Tool version: 4.0.19
Trigger: pull request opened
Workflow run: 27497377993 attempt 1
Comment timestamp: 2026-06-14T11:31:00.072630+00:00
PR head commit: 7b27dad295d2459b8da4b8fac1eebd8a05c9f47c

@shaypal5 shaypal5 merged commit 4f011be into main Jun 14, 2026
12 checks passed
@shaypal5 shaypal5 deleted the codex/plan-correct-post-incident branch June 14, 2026 11:54