unplan(backups): remove plan docs for the shipped backup-credentials system

[passcod]

🤖 The backup-credentials system has shipped; this unplans the now-implemented plan docs (git history keeps them). Audited each component spec against the merged code before removing.

Audit — every canopy backup component is implemented & merged

Component spec	Status
canopy-database (tables, models, migrations, enums)	✅ fully implemented
canopy-public-server (device endpoints, AWS/kube on AppState, session policies, 412/409/502, audit)	✅ fully implemented
canopy-jobs-maintenance-inspection (maintenance, inspection, S3-metrics, init, scheduler)	✅ fully implemented (runs in-process rather than as spawned k8s Jobs — design evolved, all requirements met)
canopy-jobs-detection-preflight (staleness, reconcile, group-level alerting, preflight)	✅ signals 1+2 + preflight done; signal-3 (restore-verification) is explicitly out of this component's scope
canopy-operator-ui (private-server fns + private-web)	✅ fully implemented (escrow → recovery-vault refinement)
backup-setup-wizard	✅ implemented (2-step vs the sketched 3-step; schedule/retention tuned post-onboarding — conscious simplification)
backup-setup-wizard-ops-handoff	✅ canopy side done (ops side lives in ops/pulumi)

Removed (implemented → unplanned)

• docs/plans/specs/canopy-database.md
• docs/plans/specs/canopy-public-server.md
• docs/plans/specs/canopy-jobs-maintenance-inspection.md
• docs/plans/specs/canopy-jobs-detection-preflight.md
• docs/plans/specs/canopy-operator-ui.md
• docs/plans/backup-credentials-kopia-spike.md (spike resolved; its verdict is in the code, and was since refined — e.g. kopia was later granted DeleteObject)
• docs/plans/backup-setup-wizard.md
• docs/plans/backup-setup-wizard-ops-handoff.md
• docs/plans/backup-credentials-implementation-order.md (cross-repo build sequence; the build is done)

Also de-referenced the deleted detection-preflight spec from a migration comment (2026-06-15-064431-0000_backup_group_scoped_issues) so nothing dangles.

Kept (deliberately)

• docs/plans/backup-credentials.md — the master design + threat-model reference. Retained as durable context (it still anchors the deferred blind-relay work and carries the H1–H7 threat boundary / recovery-from-poisoning rationale). Links only to blind-relay, so no dangling refs.
• docs/plans/backup-credentials-blind-relay.md — deferred stage-2 hardening (make public-server a blind relay holding no AWS rights / no plaintext secrets). Intentional future work, not started.

What's left

• blind-relay — deferred stage-2 hardening (kept as the record above).
• restore-verification / signal-3 — in flight on feat(restore): managed restore replicas — control plane for PGRO (PR1) #293 (control + access) and feat(restore): restore-health ingest, alerting & overdue sweep (PR2) #294 (health), with its own spec .workhorse/specs/public-server/restore-replicas.md. Those docs unplan when that work merges; they're on the feature branches, not main, so they're out of scope here.

Non-backup plans (slack-integration, tailscale-device-auth, issues-followups) are untouched.

TAM-6877.

[passcod]

🤖 Added durable specs (the other half of unplanning — replace plan scaffolding with the canonical what):

• .workhorse/specs/public-server/backup.md (BAK) — device backup contract
• .workhorse/specs/private-server/backup.md (BKO) — operator backup control (config lifecycle, placement, schedules/retention, capabilities, recovery vault, setup probe)
• .workhorse/specs/jobs/backup.md (BKJ) — Canopy's autonomous control plane (maintenance, inspection, S3 metering, preflight, detection/alerting)

Distilled to what-not-how per the spec rules (the deleted plan-specs were how-heavy). The RST restore spec arrives with #293/#294; these reference it by name (not a link) so nothing dangles if this merges first.