Validate matching shapes for precomputed corridor surfaces

[brendancol]

Closes #3445

least_cost_corridor(..., precomputed=True) summed two cost-distance surfaces (cd_a + cd_b) without checking they shared a shape. Mismatched surfaces were silently aligned by xarray on the intersection of their coordinates, producing a truncated, wrong-valued corridor (e.g. 4x4 + 3x3 returned an all-zero 3x3 result). The non-precomputed path was already safe because cost_distance rejects mismatched raster/friction shapes.

• Added a _validate_matching_shape check across the precomputed surfaces, the same guard cost_distance already enforces. Applies to both the two-source and pairwise paths.
• The check is shape-only, matching cost_distance's own behavior (it validates .shape, not coordinate values).

Backends: pure xarray arithmetic; the validation runs identically across numpy, cupy, dask+numpy, and dask+cupy.

Test plan:

• New test for mismatched precomputed shapes raising ValueError (two-source)
• New test for mismatched precomputed shapes raising ValueError (pairwise)
• Full corridor test suite passes (34 passed)

[brendancol]

PR Review: Validate matching shapes for precomputed corridor surfaces

Blockers (must fix before merge)

None.

Suggestions (should fix, not blocking)

• The guard is shape-only, so two same-shape surfaces with non-overlapping coordinates still fall through to the old failure mode: xarray aligns them to an empty intersection and nanmin raises an opaque error instead of a clear validation message. This matches cost_distance's own shape-only check, so the scope boundary is reasonable, but a one-line comment or follow-up note saying coordinate mismatch is intentionally out of scope would help the next reader.

Nits (optional improvements)

• The two new tests run numpy-only. The validation happens before backend dispatch, so parametrizing over backends adds little, but a single dask-backed case would confirm .shape access stays lazy (no implicit compute). Optional.

What looks good

• The fix lands exactly on the gap: the precomputed path bypassed cost_distance, which is where the shape guard lived. Reusing _validate_matching_shape keeps the error message format consistent with the rest of the codebase.
• One loop covers both the two-source and pairwise paths.
• The comment explains why the check is needed (silent xarray alignment), which is the non-obvious part.
• Tests assert on the real failure mode and use the concrete 4x4 + 3x3 -> all-zero 3x3 example from the issue.

Checklist

• Algorithm matches reference/paper (N/A, validation only)
• All implemented backends produce consistent results (validation is backend-agnostic)
• NaN handling is correct (unchanged)
• Edge cases are covered by tests
• Dask chunk boundaries handled correctly (N/A)
• No premature materialization or unnecessary copies
• Benchmark exists or is not needed (not needed)
• README feature matrix updated (not applicable, no new function)
• Docstrings present and accurate (unchanged)

[brendancol]

Follow-up review

Both items from the first pass are handled in a987a48:

• Suggestion (coordinate-mismatch scope): added an inline comment by the shape check stating that, like cost_distance, the guard is shape-only and same-shape surfaces with mismatched coordinates are out of scope.
• Nit (dask coverage): added test_precomputed_mismatched_shape_dask_raises, which confirms the check fires on dask-backed surfaces without forcing a compute.

Full corridor suite: 35 passed. No remaining findings.