Feature · Closed · Swamp Club
Assignees: None

Validate extension content namespaces match package namespace during push

Opened by swampadmin · 4/15/2025

Problem

Currently, extension push validates the manifest name field against reserved namespaces (@swamp, @si) and ensures it matches the authenticated user. However, the models, vaults, and workflows inside the extension can claim any namespace — e.g., a model with type @swamp/echo inside @stack72/my-extension. This is a namespace squatting risk.

Expected Behavior

If the extension package is @stack72/my-extension, then all models, workflows, and vaults inside must also use the @stack72/ namespace prefix:

  • Model types must be @stack72/<name> (not aws/ec2 or @swamp/echo)
  • Vault types must be @stack72/<name>
  • Workflow names must be @stack72/<name>

Implementation Plan

1. NEW: src/domain/extensions/extension_namespace_validator.ts

Create a domain validation function with types:

interface NamespaceMismatch {
  kind: "model" | "vault" | "workflow";
  identifier: string;  // the type/name that mismatched
  fileName: string;     // source file
}

interface NamespaceValidationResult {
  valid: boolean;
  mismatches: NamespaceMismatch[];
}

function validateContentNamespaces(
  extensionName: string,           // e.g. "@stack72/my-extension"
  contentMetadata: ExtensionContentMetadata,
): NamespaceValidationResult

Logic: extract namespace prefix from extension name (@stack72/), check that each model.type, vault.type, and workflow.name starts with it.

2. MODIFY: src/domain/extensions/extension_content.ts

Add fileName: string to ExtractedWorkflow so error messages can reference the file.

3. MODIFY: src/domain/extensions/extension_content_extractor.ts

Populate the new fileName field on extracted workflows using wf.archiveName.

4. MODIFY: src/presentation/output/extension_push_output.ts

Add renderExtensionPushNamespaceErrors() following the existing renderExtensionPushSafetyErrors pattern. Shows expected namespace and each mismatch with kind, identifier, and file.

5. MODIFY: src/cli/commands/extension_push.ts

Insert validation after content metadata extraction (after the current step 9b, ~line 154) and before the resolved display. If validation fails, render errors and throw UserError. This runs after the manifest name may have been rewritten to match the authenticated user (line 137), so it uses the correct namespace.

6. NEW: src/domain/extensions/extension_namespace_validator_test.ts

Unit tests (pure function, no filesystem needed):

  • All content matches namespace — valid
  • Model type with wrong namespace — mismatch
  • Model type without @ prefix (e.g. aws/ec2) — mismatch
  • Vault type with wrong namespace — mismatch
  • Workflow name with wrong namespace — mismatch
  • Workflow name without namespace prefix — mismatch
  • Mixed mismatches — all collected
  • Empty content — valid
  • Partial mismatches — only wrong ones reported

7. MODIFY: src/domain/extensions/extension_content_extractor_test.ts

Update workflow extraction test assertions to include the new fileName field.

Verification

  1. deno check — type checking
  2. deno lint — linting
  3. deno fmt — formatting
  4. deno run test — all tests pass
  5. deno run compile — binary compiles
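
A sketch of the validator from step 1, added here as an example and not the project's own code. The shape of ExtensionContentMetadata, the helper namespacePrefix, and the rejection of an empty <name> after the prefix are assumptions; the sample content is constructed.

```typescript
interface NamespaceMismatch {
  kind: "model" | "vault" | "workflow";
  identifier: string;
  fileName: string;
}
interface NamespaceValidationResult {
  valid: boolean;
  mismatches: NamespaceMismatch[];
}
// Assumed shape; the issue does not show ExtensionContentMetadata.
interface ExtensionContentMetadata {
  models: { type: string; fileName: string }[];
  vaults: { type: string; fileName: string }[];
  workflows: { name: string; fileName: string }[];
}

// "@stack72/my-extension" -> "@stack72/". The trailing slash stays in the
// prefix so "@stack72-evil/x" cannot pass the startsWith check below.
function namespacePrefix(extensionName: string): string {
  const slash = extensionName.indexOf("/");
  const scoped = extensionName.startsWith("@") && slash >= 2;
  if (!scoped || slash === extensionName.length - 1) {
    throw new Error(`not a scoped extension name: ${extensionName}`);
  }
  return extensionName.slice(0, slash + 1);
}

function validateContentNamespaces(
  extensionName: string,
  contentMetadata: ExtensionContentMetadata,
): NamespaceValidationResult {
  const prefix = namespacePrefix(extensionName);
  const mismatches: NamespaceMismatch[] = [];
  const check = (kind: NamespaceMismatch["kind"], id: string, fileName: string) => {
    // Assumption: a bare "@stack72/" with an empty <name> is also a mismatch.
    const ok = id.startsWith(prefix) && id.length > prefix.length;
    if (!ok) mismatches.push({ kind, identifier: id, fileName });
  };
  for (const m of contentMetadata.models) check("model", m.type, m.fileName);
  for (const v of contentMetadata.vaults) check("vault", v.type, v.fileName);
  for (const w of contentMetadata.workflows) check("workflow", w.name, w.fileName);
  return { valid: mismatches.length === 0, mismatches }; // all mismatches collected
}

// Constructed sample content for "@stack72/my-extension".
const sample: ExtensionContentMetadata = {
  models: ["@stack72/ec2", "@swamp/echo", "aws/ec2"].map((type) => ({ type, fileName: "models.ts" })),
  vaults: [{ type: "@stack72-evil/kv", fileName: "vaults/kv.ts" }],
  workflows: [{ name: "@stack72/deploy", fileName: "workflows/deploy.yaml" }],
};
```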