Derive and verify project_id from canonical GitHub repo identity #104

@romgenie

Description

Local source: coven-code/issues/14-derive-and-verify-project-id-from-git-remote.md

Summary

Project memory sync keys should use a deterministic, verified project id derived from canonical repository identity, not a caller-supplied opaque string.

Current Evidence

  • settings_sync.rs comments say per-project settings/memory are keyed by git-remote hash.
  • sync_key_project_settings(project_id) and sync_key_project_memory(project_id) accept a project_id string.
  • collect_local_entries(project_id) trusts the passed value.

Problem

If the caller computes or passes the wrong project id, memory can be uploaded under the wrong key. In hosted mode, this can become cross-repo contamination.

Proposed Design

Add a project id resolver:

pub fn hosted_project_id(scope: &HostedMemoryScope) -> String

For local mode, optionally derive from canonical git remote URL:

  1. Read remote URL.
  2. Normalize host/owner/repo.
  3. Include provider host.
  4. Hash canonical identity.

For hosted mode, prefer GitHub webhook repo id and installation id.

Acceptance Criteria

  • Hosted project id derives from installation id plus GitHub repo id.
  • Local project id can be derived from normalized git remote.
  • Callers cannot pass arbitrary project ids in hosted mode.
  • Tests cover URL normalization for HTTPS and SSH remotes.
  • Tests cover missing/ambiguous remote failing closed in hosted mode.
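A dependency-free sketch of the resolver from the Proposed Design steps, covering the normalization and fail-closed cases listed in the acceptance criteria; this is an added example for the issue, not code from coven-code. HostedMemoryScope's fields (installation id plus GitHub repo id) are assumed, and FNV-1a stands in for the real hash so the snippet runs without crates.

```rust
// Added example for this issue, not coven-code's own code. HostedMemoryScope's
// fields and the FNV-1a stand-in hash are assumptions; use SHA-256 or similar
// over the same canonical string in the real resolver.
#[derive(Debug, PartialEq, Eq)]
pub struct RepoIdentity { pub host: String, pub owner: String, pub repo: String }

/// Normalize HTTPS (`https://github.com/Owner/Repo.git`) and SSH
/// (`git@github.com:Owner/Repo.git`, `ssh://git@github.com/Owner/Repo`) remotes
/// to one identity. Unparseable or ambiguous input yields None so a hosted-mode
/// caller fails closed instead of syncing under a guessed key.
pub fn canonical_identity(remote: &str) -> Option<RepoIdentity> {
    let remote = remote.trim();
    // Drop scheme and user info, leaving "host/owner/repo" or "host:owner/repo".
    let rest = remote
        .strip_prefix("https://")
        .or_else(|| remote.strip_prefix("ssh://"))
        .map(|r| r.split_once('@').map_or(r, |(_, after_user)| after_user))
        .or_else(|| remote.strip_prefix("git@"))?;
    let rest = rest.replacen(':', "/", 1);
    let mut parts = rest.trim_end_matches('/').split('/');
    let host = parts.next()?.to_ascii_lowercase();
    let owner = parts.next()?.to_ascii_lowercase();
    let repo = parts.next()?.trim_end_matches(".git").to_ascii_lowercase();
    // Extra path components mean this is not a plain owner/repo remote.
    if host.is_empty() || owner.is_empty() || repo.is_empty() || parts.next().is_some() {
        return None;
    }
    Some(RepoIdentity { host, owner, repo })
}

/// Dependency-free placeholder hash (FNV-1a 64-bit); not for production keys.
fn fnv1a64(data: &[u8]) -> u64 {
    data.iter().fold(0xcbf29ce484222325u64, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

/// Local-mode id: hash of "host/owner/repo". Including the provider host keeps
/// github.com/acme/app and gitlab.com/acme/app under different keys.
pub fn local_project_id(remote: &str) -> Option<String> {
    let id = canonical_identity(remote)?;
    Some(format!("{:016x}", fnv1a64(format!("{}/{}/{}", id.host, id.owner, id.repo).as_bytes())))
}

/// Assumed shape: only server-attested GitHub identifiers, no free-form string.
pub struct HostedMemoryScope { pub installation_id: u64, pub repo_id: u64 }

/// Hosted-mode id built solely from installation id plus GitHub repo id.
pub fn hosted_project_id(scope: &HostedMemoryScope) -> String {
    format!("gh:{}:{}", scope.installation_id, scope.repo_id)
}
```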

Documentation

Document that local path identity, git remote identity, and hosted GitHub identity are different and have different trust levels.
