fix(plugins): address PR review findings on PyPI plugin migration

Round 1 (blockers + high):
- Restore exclude-newer = "10 days" in pyproject.toml; replace stale
  langchain/requests pins with cpex-* per-package overrides anchored
  to 2026-04-09 so the plugins resolve newer than the global window
- Guard cpex_retry_with_backoff import in tool_service.py with
  try/except ImportError; falls back to (None, True) for the Python
  pipeline when the optional [plugins] extra is not installed
- Delete orphaned .github/workflows/rust-plugins.yml and the
  associated test cases in tests/unit/test_rust_plugins_workflow.py;
  drop the workflow card from docs/docs/architecture/explorer.html
- Delete orphaned docs/docs/using/plugins/rust-plugins.md and remove
  it from docs/docs/using/plugins/.pages mkdocs nav
- Harden docker-entrypoint.sh install_plugin_requirements:
  canonicalize /app and the resolved requirements path with
  readlink -f and require the path to live under /app/, log
  non-comment lines from the requirements file before pip runs,
  and skip cleanly on validation failure
- Delete PLUGIN-MIGRATION-PLAN.md (one-time planning doc)
- Add COPY plugins/requirements.txt to Containerfile.scratch (the
  layered Containerfile.lite already had it; the broad COPY . in
  Containerfile already includes it)

Round 2 (medium + low):
- Bump cpex-* version pin floors in pyproject.toml [plugins] to
  match resolved versions in uv.lock (cpex-rate-limiter>=0.0.3,
  cpex-encoded-exfil-detection>=0.2.0, cpex-pii-filter>=0.2.0,
  cpex-url-reputation>=0.1.1)
- Add Prerequisites section to tests/performance/PLUGIN_PROFILING.md
  documenting the [plugins] extra requirement
- Add Status: Partially superseded note to ADR-041 explaining that
  plugins_rust/ was removed when in-tree Rust plugins migrated to
  PyPI packages
- Document upgrade semantics in plugins/requirements.txt header
  (pip without --upgrade skips already-satisfied constraints)
- Add importlib.util.find_spec() precheck to
  tests/performance/test_plugins_performance.py main(); the script
  now skips cleanly with an actionable message if any of the five
  cpex packages referenced by the perf config are missing
- Rename tests/unit/test_rust_plugins_workflow.py to
  test_go_toolchain_pinning.py to match its remaining contents
  (Go workflow pin and Makefile toolchain assertion)

Follow-ups tracked in #4116 and
IBM/cpex-plugins#21 for the longer-term tool_service.py refactor
that will eliminate the cross-package import entirely.

Signed-off-by: Jonathan Springer <jps@s390x.com>

Signed-off-by: lucarlig <luca.carlig@ibm.com>

Author: jonpspri

.claude/skills/pr-risk-scoring/score_prs.py

@@ -11,6 +11,7 @@
     approvals_csv  Optional CSV with columns: pr_number,approvals
 """
 
+# Standard
 import csv
 import json
 import os

.github/workflows/rust-plugins.yml

@@ -69,6 +69,7 @@ RUN chmod 644 /etc/profile.d/use-openssl.sh
 # This maximizes Docker layer caching - dependencies change less often
 # ----------------------------------------------------------------------------
 COPY pyproject.toml /app/
+COPY plugins/requirements.txt /app/plugins/requirements.txt
 
 # ----------------------------------------------------------------------------
 # Create and populate virtual environment