…uard + message constant

Builds on PR #501 (issue #500) with three targeted reinforcements that
close the *regression class* the multi-agent namespace-gate series
(#491 → #494 → #496 → #498 → #499 → #500/#501) kept hitting one PR at
a time — a public surface gets added or refactored that takes a
namespace-shaped argument, but the new code path forgets to import /
call ``validate_namespace``. The series itself is the evidence: every
PR closed one more surface that had been silently ungated.

Three changes, cheapest-to-most-invasive:

──────────────────────────────────────────────────────────────────────
A. ``AppContext.current_namespace`` property setter
──────────────────────────────────────────────────────────────────────

Convert the dataclass field to a backing-store + property pair so
every write — ``mem_ns_set``, a future tool we forget to gate, a
Python adapter, or test code doing ``app.current_namespace = X`` —
runs through ``validate_namespace`` before the value lands in app
state. The forward-shield contract on the public input surfaces
(``mem_ns_set``, ``mem_session_start(namespace=)``,
``mem_agent_share(target=)``, …) still holds — this is defense-in-
depth, not a replacement.

The bypass this closes is the Python-level direct-mutation path:
``mem_ns_set`` is gated, but anyone with an ``AppContext`` reference
can also do ``app.current_namespace = "agent-runtime:foo:bar"``
without going through the tool. ``mem_session_start(agent_id=
"default")``'s priority chain (step 3 fallback, ``server/tools/
session.py:109-110``) reads ``current_namespace`` back as the
``sessions``-row namespace, so the same #496 / #500 bypass shape
round-trips through this back door.

The internally-derived contract from
``constants.py:96-100`` is preserved: re-validation only happens on
caller-supplied writes that reach app state. Reads never re-validate;
internally-derived namespaces (``f"{AGENT_NAMESPACE_PREFIX}{
agent_id}"`` after ``validate_agent_id`` succeeded, ``"default"``,
``SHARED_NAMESPACE``) skip the gate, same as before.

──────────────────────────────────────────────────────────────────────
B. Architectural guard test
──────────────────────────────────────────────────────────────────────

``tests/test_validate_namespace_architectural_guard.py`` AST-scans
``server/tools/*.py`` for any function with a
``namespace=``/``target=``/``old=``/``new=``/``old_namespace=``
parameter and forces every match to be classified into one of two
sets:

* ``VALIDATED_NS_SURFACES`` — the 9 ``(file, fn, param)`` triples
  PR #499 + PR #501 gate today. Test asserts each function body
  actually calls ``validate_namespace(<param>)``; a regression that
  drops the call (refactor, accidental deletion, copy-paste from a
  deferred surface) trips the test.
* ``DEFERRED_NS_SURFACES`` — the 22 triples the project has
  *explicitly* left ungated for now (issue #500's "broader UX call
  covered separately if pursued" line). Each entry carries inline
  rationale so future readers can tell deferral from oversight.

A new tool with a namespace-shaped param that lands in *neither* set
fails ``test_no_unclassified_ns_surfaces`` and forces the author to
make the validation decision at PR time — gate it (move to
VALIDATED) or explicitly defer it (move to DEFERRED with rationale).
Mirrors the ``feedback_drift_close_must_derive`` and
``feedback_stub_gap_check`` discipline: every literal that lists "the
gated surfaces" eventually drifts unless a guard forces re-
classification when the code adds new ones.

──────────────────────────────────────────────────────────────────────
E. Constantize ``"invalid namespace"`` message prefix
──────────────────────────────────────────────────────────────────────

Per PR #501 review: the test suite's reliance on ``out.startswith(
"Error: invalid namespace")`` made the validator's error formatting
an *implicit* public API. Centralise it as
``INVALID_NAMESPACE_MESSAGE_PREFIX`` in ``constants.py`` and
reference it from both the validator's f-strings and the test
assertions, so a future tweak (capitalisation, wording, etc.) stays
one change point. No behaviour change — the literal value is
unchanged.

──────────────────────────────────────────────────────────────────────
Out of scope (deliberate, per the original #500 contract)
──────────────────────────────────────────────────────────────────────

* **Storage-layer charset alignment.** Tightening
  ``sqlite_namespace._NS_NAME_RE`` (``[\w\-.:@ ]{1,255}``) to the
  strict gate would change behaviour for legacy data — out of scope
  for the same forward-only reasoning #496 / #499 / #500 used.
* **Final-resolution helper inside ``mem_session_start``.** Same
  pattern as the input gate at the boundary; marginal value over
  what (A) already delivers.
* **Validating ``mem_add`` / ``mem_search`` / ``mem_recall``
  ``namespace=``.** Tracked as deferred via the architectural
  guard's ``DEFERRED_NS_SURFACES``; promoting these is a UX call
  (do we reject ``mem_add(namespace="foo bar")`` loudly, or accept
  the legacy charset?) and belongs in a follow-up.

Tests:

* New ``TestAppContextCurrentNamespaceSetter`` class in
  ``test_validate_namespace_ns_tools.py`` — pins the property setter
  contract at the Python attribute level.
* New ``test_validate_namespace_architectural_guard.py`` — 11 tests:
  9 parametrised ``test_declared_validated_surfaces_call_validate_
  namespace`` + ``test_no_unclassified_ns_surfaces`` +
  ``test_validated_and_deferred_are_disjoint``.
* Existing assertions in ``test_validate_namespace_ns_tools.py``
  switched to ``_ERROR_PREFIX`` (sourced from the new constant).
* Full ``pytest -m "not ollama"`` green (2887 passed, was 2850
  before the +37 new tests).

Co-Authored-By: Claude <[email protected]>