
fix: prevent cache poisoning by force-resetting worktree on failed PR remediation #6368

Open
AftAb-25 wants to merge 1 commit into mindersec:main from AftAb-25:fix/6367-remediation-cache-poisoning

Conversation

@AftAb-25
Contributor

Fixes #6367

Description

This fixes a cache poisoning bug in the PR remediator where failed remediations would leak uncommitted changes into the shared ingest cache, causing silent evaluation failures for subsequent rules.

When pull_request.go aborts a remediation and runs checkoutToOriginallyFetchedBranch, it previously used the default go-git checkout which preserves modifications to the worktree/index. Because the executor uses a single shared ingestCache.Fs per run, those left-behind dirty files would then be incorrectly evaluated by subsequent rules.

This PR aggressively resets the worktree during the checkout cleanup phase:

  • Adds Force: true to the checkout options to discard modified tracked files.
  • Calls wt.Clean(&git.CleanOptions{Dir: true}) to remove any untracked leftover files.

I've also added a unit test (checkout_cleanup_test.go) that simulates a dirty worktree and ensures both tracked modifications and untracked files are correctly wiped out.

Checklist

  • Code compiles correctly
  • Added tests that fail without the change (if possible)
  • All tests passing
  • Extended the README / documentation, if necessary
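As an added example (not code from this PR or the minder project), the same scenario reproduced with the git CLI in a throwaway repository: a plain checkout back to the original branch keeps the dirty files, while the force checkout plus clean that the PR adds through go-git (`Force: true` and `Clean{Dir: true}`) leaves the worktree empty of leftovers. Branch, file and identity values are constructed.

```shell
#!/bin/sh
# Added example, not minder code: reproduce the worktree leakage described in
# the PR with plain git, then apply the equivalent of the PR's cleanup.
set -eu

# make_dirty_repo DIR: fresh repo with one commit on the original branch, then a
# "remediation" branch whose worktree is left dirty (tracked edit + untracked
# file). Prints the original branch name so the caller can check out again.
make_dirty_repo() {
    dir=$1
    git init -q "$dir"
    git -C "$dir" config user.email "test@example.com"   # constructed identity
    git -C "$dir" config user.name "test"
    echo "original" > "$dir/policy.yaml"
    git -C "$dir" add policy.yaml
    git -C "$dir" commit -q -m "base"
    orig=$(git -C "$dir" rev-parse --abbrev-ref HEAD)
    git -C "$dir" checkout -q -b remediation
    echo "remediated" > "$dir/policy.yaml"               # modified tracked file
    echo "scratch" > "$dir/leftover.txt"                 # untracked leftover
    echo "$orig"
}

# dirty_count DIR: number of entries in `git status --porcelain` (0 == clean).
dirty_count() {
    git -C "$1" status --porcelain | wc -l | tr -d ' '
}

# Old behaviour: the default checkout carries the modified tracked file and the
# untracked file over to the original branch, so a shared cache would see them.
dirty_after_default_checkout() {
    d=$(mktemp -d); orig=$(make_dirty_repo "$d")
    git -C "$d" checkout -q "$orig"
    dirty_count "$d"
}

# Fixed behaviour: force checkout discards tracked edits and `clean -fd` removes
# untracked files and directories, mirroring go-git Force:true + Clean{Dir:true}.
dirty_after_forced_cleanup() {
    d=$(mktemp -d); orig=$(make_dirty_repo "$d")
    git -C "$d" checkout -q -f "$orig"
    git -C "$d" clean -q -fd
    dirty_count "$d"
}
```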

@AftAb-25 AftAb-25 requested a review from a team as a code owner April 14, 2026 19:14
@coveralls

Coverage Status

coverage: 59.534% (-0.005%) from 59.539% — AftAb-25:fix/6367-remediation-cache-poisoning into mindersec:main


Development

Successfully merging this pull request may close these issues.

Bug: Cache poisoning vulnerability in PR remediator causes silent evaluation failures
