fix: broadcast goal progress on review log, fix goal handler security gaps

- Broadcast GoalUpdated AP note after ReviewLogged so federated goal
  progress reflects the new review count without requiring a manual goal edit
- Add attribution check in GoalObjectHandler::on_update (mirrors
  review_handler) to prevent any remote actor from overwriting another's goal
- Implement on_actor_removed in GoalObjectHandler via new
  RemoteGoalRepository::remove_all_by_actor — remote goals were never
  cleaned up when an actor unfollowed or was deleted
- Add remove_all_by_actor to SQLite, Postgres, Noop, and test Panic impls

crates/domain/src/ports.rs

@@ -444,6 +444,7 @@ pub trait RemoteGoalRepository: Send + Sync {
         current: u32,
     ) -> Result<(), DomainError>;
     async fn remove_by_ap_id(&self, ap_id: &str, actor_url: &str) -> Result<(), DomainError>;
+    async fn remove_all_by_actor(&self, actor_url: &str) -> Result<(), DomainError>;
     async fn get_by_actor_url(&self, actor_url: &str) -> Result<Vec<RemoteGoalEntry>, DomainError>;
 }
 

crates/domain/src/testing/noops.rs

@@ -182,6 +182,9 @@ impl crate::ports::RemoteGoalRepository for NoopRemoteGoalRepository {
     async fn remove_by_ap_id(&self, _: &str, _: &str) -> Result<(), DomainError> {
         Ok(())
     }
+    async fn remove_all_by_actor(&self, _: &str) -> Result<(), DomainError> {
+        Ok(())
+    }
     async fn get_by_actor_url(
         &self,
         _: &str,