Forwarded commands received in recv_node_inbound (src/node/node_state.h) were dispatched to cmd_forwarder->recv_message(...) unconditionally, bypassing the "part of network" state guard applied to all other node-to-node messages. A node could therefore execute a forwarded command while still in an early startup state, with potentially undefined behaviour for some commands.

Changes

• src/node/node_inbound_message.h: New header-only helper recv_node_inbound_message, which reads a serialised node_inbound message and gates dispatch behind the "part of network" state check, so forwarded commands are gated identically to channel and consensus messages — processed only in partOfNetwork, partOfPublicNetwork, or readingPrivateLedger. Messages arriving too early are dropped with the same LOG_DEBUG_FMT as other node messages. The guard uses the new StateMachine::check_one_of() helper.
• src/node/node_state.h: recv_node_inbound now delegates to the new recv_node_inbound_message helper. The previously-unreachable LOG_FAIL_FMT in the forwarded_msg case is replaced by the real handler; dispatch logic is otherwise unchanged.
• src/ds/state_machine.h: Added check_one_of(const std::set<T>&), which loads the atomic state once and checks membership against the provided set of states, avoiding repeated atomic reads when checking whether the node is in one of several states.
• src/ds/test/state_machine.cpp / src/node/test/node_inbound_message.cpp / CMakeLists.txt: Added two C++ unit tests (state_machine_test and node_inbound_message_test).
• CHANGELOG.md / python/pyproject.toml: Added a new ## [7.0.6] / Fixed entry (with its release-tag link) and bumped the Python package version to 7.0.6 to match, so the "Release notes" CI check (which requires the first CHANGELOG version to match pyproject.toml) passes. The entry references this PR, #7936.

// Only process messages once part of network. This includes forwarded
// commands, which must not be executed until the node is part of the
// network, as some commands may otherwise exhibit undefined behaviour.
if (!sm.check_one_of(
      {NodeStartupState::partOfNetwork,
       NodeStartupState::partOfPublicNetwork,
       NodeStartupState::readingPrivateLedger}))
{
  LOG_DEBUG_FMT("Ignoring node msg received too early - current state is {}", sm.value());
  return;
}

switch (msg_type)
{
  case forwarded_msg:
    cmd_forwarder.recv_message(from, payload_data, payload_size);
    return;
  // channel_msg, consensus_msg, default unchanged
}

Testing

• state_machine_test (src/ds/test/state_machine.cpp): exercises the StateMachine API and the new check_one_of helper, including empty-set and state-transition edge cases.
• node_inbound_message_test (src/node/test/node_inbound_message.cpp): drives recv_node_inbound_message with a serialised node_inbound message and stub forwarder/channel/consensus handlers. Asserts that in early states (uninitialized, initialized, pending, readingPublicLedger) a forwarded_msg is not dispatched, and that in partOfNetwork, partOfPublicNetwork, and readingPrivateLedger it is dispatched with the expected from/payload. Also covers channel_msg and consensus_msg being gated identically.
• Both unit tests were built and run locally with the project's CMake/Ninja toolchain, with all assertions passing.
• Python e2e: not included - harder and racy, since it would require forwarding a write to a node mid-startup, whereas nodes accepting n2n traffic are normally already part of the network. The unit-test approach covers the gating logic more reliably.
• Release notes, C/C++ format, CMake format and prettier checks all pass locally.