fix(governance-store): validate namespace_id before side effects in apply_signed_op

[chefsale]

apply_signed_op ran the per-op-kind side effects and advanced the DAG
head before the namespace_id was checked at store time in
store_signed_operation. A wrong-namespace op would mutate state and
advance the head, then fail at the store write, leaving the head
advanced for an op that was never logged.

Validate op.namespace_id at the top of apply_signed_op so a mismatched
op is rejected before any side effects, preserving the idempotency
guard's invariant that an op in the log implies its head advance ran.

Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01Dn8nTqykkewYZWwvya9gPz

[meroreviewer]

🤖 MeroReviewer

Reviewed by 1 agents | Quality score: 32% | Review time: 35.5s

---

💡 Suggestion (1)

1. Namespace mismatch check is redundant with apply_signed_namespace_op_at_cut

File: crates/governance-store/src/namespace/governance.rs (line 153-170) | Consensus: 1/1 agents ✓

The new guard at line 163 (op.namespace_id != self.namespace_id) is correct and fixes the described bug. However, apply_signed_namespace_op_at_cut (line ~700) constructs the NamespaceGovernance with op.namespace_id as the handle, so when called from that public entry point the two values are always identical and the check is a no-op there. The check only fires when a caller constructs NamespaceGovernance::new(store, X) and then calls apply_signed_op with an op whose namespace_id != X. This is a valid defensive guard, but the comment could note that the public free-function entry points are safe by construction, while the guard protects against misuse of the struct API directly.

Suggested fix:

Add a brief note to the comment: 'Note: `apply_signed_namespace_op_at_cut` is safe by construction (it passes `op.namespace_id` to `NamespaceGovernance::new`); this guard defends against direct struct misuse.'

Found by: security-reviewer

---

_{🤖 Generated by MeroReviewer | Review ID: review-aca51cde}

[meroreviewer]

Documentation Review

The following documentation may need updates based on the changes in this PR:

• 🟡 architecture/auto-follow.html: Files matching crates/governance-store/** were changed but architecture/auto-follow.html was not updated (per source_to_docs_mapping).
• 🟡 architecture/local-governance.html: Files matching crates/governance-store/** were changed but architecture/local-governance.html was not updated (per source_to_docs_mapping).

[meroreviewer]

🤖 AI Code Reviewer

Reviewed by 1 agents | Quality score: 32% | Review time: 392.5s

---

💡 Suggestion (1)

1. Namespace mismatch check duplicates existing store-layer guard but does not cover sign_apply_and_publish / publish_post_gate

File: crates/governance-store/src/namespace/governance.rs (line 153-170) | Consensus: 1/1 agents ✓

The new early-return guard in apply_signed_op (lines 153-170) correctly prevents side effects for a mismatched namespace_id. However, publish_post_gate (the path taken by sign_and_publish_without_apply and sign_and_publish_post_gate) calls self.advance_dag_head + self.store_operation directly, bypassing apply_signed_op entirely. The store_operation call there still delegates to NamespaceOpLogService::store_signed_operation, which has its own mismatch guard, but advance_dag_head runs before it — the same ordering bug the PR is fixing. Since publish_post_gate signs the op with self.namespace_id it cannot produce a mismatch in practice, but the structural asymmetry means the invariant is not uniformly enforced and a future refactor could reintroduce the bug on that path.

Suggested fix:

Consider extracting the namespace-id check into a shared helper (e.g. `fn assert_namespace_matches(&self, op: &SignedNamespaceOp) -> EyreResult<()>`) and calling it at the top of both `apply_signed_op` and `publish_post_gate`, so the invariant is enforced in one place regardless of which code path is taken.

Found by: security-reviewer

---

_{🤖 Generated by AI Code Reviewer | Review ID: review-3a59fdc3}

[meroreviewer]

🤖 AI Code Reviewer

Reviewed by 1 agents | Quality score: 32% | Review time: 302.5s

---

💡 Suggestion (1)

1. Namespace mismatch check duplicates existing store-layer guard

File: crates/governance-store/src/namespace/governance.rs (line 153-183) | Consensus: 1/1 agents ✓

The new early-return guard at line 153–183 is correct and the motivation is sound: it prevents side effects from running before the store rejects the op. However, the comment at line 157 says store_signed_operation 'already rejects a namespace mismatch', meaning the invariant was already enforced — just too late. The fix is good, but it is worth noting that the two checks now encode the same rule in two places (apply_signed_op and NamespaceOpLogService::store_signed_operation). If the store-layer check is ever relaxed or removed, the early guard here becomes the only defence. A brief cross-reference comment pointing to op_log.rs:store_signed_operation (or a shared helper) would make the coupling explicit and prevent future drift. This is a documentation/architecture note, not a blocking issue.

Suggested fix:

Add a comment like `// Mirrors the check in NamespaceOpLogService::store_signed_operation; both must stay in sync.` next to the guard, or extract the comparison into a shared inline helper.

Found by: security-reviewer

---

_{🤖 Generated by AI Code Reviewer | Review ID: review-dcbe6096}