P2.3: publish enforces cross-entity identity (no cross-app dangling edge)

Repo.publish validated entities individually and checked
artifact.release_id == release.id, but never verified the published
aggregate forms one consistent identity graph. It could commit a channel
whose app_id differs from the release's app (a channel of app B pointing
at app A's release) or artifacts whose app_id differs from the release's
app — exactly the dangling/cross-app edge the acceptance forbids.

Add Integrity preconditions to the publish transaction (reusing the
existing len-reset/channel-restore rollback so the model is unchanged on
failure): the release's app must exist, the promoted channel must belong
to that app (chan.app_id == release.app_id), and every artifact must
belong to that app AND name this release (a.app_id == release.app_id and
a.release_id == release.id).

Extend tests/repo_transaction.sx with cross-app channel and cross-app
artifact cases asserting publish raises Integrity and leaves the model
unchanged; the existing rollback and no-dangling assertions stay green.

tests/repo_transaction.sx

@@ -36,16 +36,22 @@ mk_release :: (id: string, version: string) -> Release {
     };
 }
 mk_artifact :: (id: string, release_id: string, digest: string) -> Artifact {
+    return mk_artifact_for(id, "app_01", release_id, digest);
+}
+mk_artifact_for :: (id: string, app_id: string, release_id: string, digest: string) -> Artifact {
     return Artifact.{
-        id = id, app_id = "app_01", release_id = release_id, platform = .android_apk,
+        id = id, app_id = app_id, release_id = release_id, platform = .android_apk,
         filename = "a.apk", content_type = "application/vnd.android.package-archive",
         size_bytes = 1024, sha256 = digest, storage_key = digest,
         metadata = "", validation_status = .pending,
     };
 }
 the_channel :: () -> Channel {
+    return mk_channel_for("app_01");
+}
+mk_channel_for :: (app_id: string) -> Channel {
     return Channel.{
-        app_id = "app_01", name = "stable", current_release_id = "",
+        app_id = app_id, name = "stable", current_release_id = "",
         policy = .manual, rollout_percent = 100,
     };
 }
@@ -124,7 +130,57 @@ main :: () -> s32 {
     process.assert(c2v.current_release_id == "rel_00", "integrity rollback: channel still rel_00");
     print("  integrity failure rolled back: channel still rel_00\n");
 
-    // ── 4. Persisted state reflects the rollback, not the attempts ───
+    // ── 4. Cross-app channel promotion: chan.app_id != release.app_id ─
+    // The release belongs to app_01 but the promoted channel claims app_02.
+    // Committing it would leave a channel of one app pointing at another
+    // app's release — a cross-identity dangling edge. Must raise Integrity.
+    arts_xc : List(Artifact) = .{};
+    arts_xc.append(mk_artifact("art_xc", "rel_xc", DIGEST_B));   // self-consistent artifact
+    xc_failed := false;
+    xc_integrity := false;
+    repo.publish(mk_release("rel_xc", "1.3.0"), @arts_xc, mk_channel_for("app_02")) catch e {
+        xc_failed = true;
+        xc_integrity = (e == error.Integrity);
+    };
+    process.assert(xc_failed, "cross-app channel promotion must fail");
+    process.assert(xc_integrity, "cross-app channel promotion must raise Integrity");
+    process.assert(repo.releases.len == rel_n, "cross-app channel rollback: release count unchanged");
+    process.assert(repo.artifacts.len == art_n, "cross-app channel rollback: artifact count unchanged");
+    process.assert(repo.channels.len == chan_n, "cross-app channel rollback: channel count unchanged");
+    process.assert(repo.get_release("rel_xc") == null, "cross-app channel rollback: release absent");
+    process.assert(repo.get_channel("app_02", "stable") == null, "cross-app channel rollback: no app_02 channel created");
+    cx := repo.get_channel("app_01", "stable");
+    process.assert(cx != null, "cross-app channel rollback: app_01 channel still exists");
+    cxv := cx!;
+    process.assert(cxv.current_release_id == "rel_00", "cross-app channel rollback: app_01 channel still -> rel_00");
+    print("  cross-app channel promotion rejected: model unchanged\n");
+
+    // ── 5. Cross-app artifact: artifact.app_id != release.app_id ─────
+    // The release and channel both belong to app_01, but the artifact claims
+    // app_02 (its release_id still matches). Only release_id was checked
+    // before; the app_id mismatch must now raise Integrity and roll back.
+    arts_xa : List(Artifact) = .{};
+    arts_xa.append(mk_artifact_for("art_xa", "app_02", "rel_xa", DIGEST_B));
+    xa_failed := false;
+    xa_integrity := false;
+    repo.publish(mk_release("rel_xa", "1.4.0"), @arts_xa, the_channel()) catch e {
+        xa_failed = true;
+        xa_integrity = (e == error.Integrity);
+    };
+    process.assert(xa_failed, "cross-app artifact must fail");
+    process.assert(xa_integrity, "cross-app artifact must raise Integrity");
+    process.assert(repo.releases.len == rel_n, "cross-app artifact rollback: release count unchanged");
+    process.assert(repo.artifacts.len == art_n, "cross-app artifact rollback: artifact count unchanged");
+    process.assert(repo.channels.len == chan_n, "cross-app artifact rollback: channel count unchanged");
+    process.assert(repo.get_release("rel_xa") == null, "cross-app artifact rollback: release absent");
+    process.assert(repo.find_artifact_by_digest(DIGEST_B) == null, "cross-app artifact rollback: artifact absent");
+    cy := repo.get_channel("app_01", "stable");
+    process.assert(cy != null, "cross-app artifact rollback: channel still exists");
+    cyv := cy!;
+    process.assert(cyv.current_release_id == "rel_00", "cross-app artifact rollback: channel still -> rel_00");
+    print("  cross-app artifact rejected: model unchanged\n");
+
+    // ── 6. Persisted state reflects the rollback, not the attempts ───
     serr := false;
     save(repo, root) catch { serr = true; };
     process.assert(!serr, "save must succeed");