js · neotoma
Heads-up
Neotoma v0.13.0: Unauthorized data access via /list_relationships and /retrieve_graph_neighborhood
What changed
The /list_relationships and /retrieve_graph_neighborhood endpoints in Neotoma v0.13.0 do not filter Supabase queries by the authenticated user's ID, allowing an authenticated user to access another user's relationship and graph neighborhood data if they know the target's entity ID.
Who it affects
All Neotoma v0.13.0 instances with multiple user accounts. No multi-tenant deployments are currently known, but the severity rises as soon as several users share one instance, because any authenticated user can then read another user's data.
What to do today
Apply the remediation: add `.eq("user_id", userId)` to Supabase queries in both handlers, validate entity IDs with `isNeotomaEntityId`, and replace `.or()` string interpolation with separate `.eq()` calls.
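To make the remediation concrete, here is an added example (not Neotoma's own code) that puts the pattern the advisory describes next to the fixed form: the query is scoped to the caller with `.eq("user_id", userId)`, the entity ID is validated before it reaches the query, and the interpolated `.or()` string is replaced by separate `.eq()` calls. It runs offline against a tiny in-memory stand-in for the Supabase query builder; the table and column names, the sample rows, and the ID format accepted by the hypothetical `isNeotomaEntityId` are all assumptions.

```javascript
// Added example, not Neotoma's code. Everything below is constructed:
// table/column names, sample rows, and the ID format the validator accepts.

// Constructed sample rows: user-a owns one relationship, user-b owns two.
const RELATIONSHIPS = [
  { id: "rel-1", user_id: "user-a", source_entity_id: "ent_a1", target_entity_id: "ent_a2", type: "mentions" },
  { id: "rel-2", user_id: "user-b", source_entity_id: "ent_b1", target_entity_id: "ent_b2", type: "mentions" },
  { id: "rel-3", user_id: "user-b", source_entity_id: "ent_b2", target_entity_id: "ent_b1", type: "derived_from" },
];

// Minimal stand-in for the Supabase/PostgREST builder (from/select/eq/or).
// Synchronous for brevity; the real client is awaited.
class FakeQuery {
  constructor(rows) { this.rows = rows; this.filters = []; }
  select() { return this; }
  eq(col, val) { this.filters.push((r) => r[col] === val); return this; }
  // PostgREST-style or(): "colA.eq.x,colB.eq.y" -> any clause matches.
  or(expr) {
    const clauses = expr.split(",").map((c) => {
      const [col, op, ...rest] = c.split(".");
      if (op !== "eq") throw new Error(`unsupported operator: ${op}`);
      const val = rest.join(".");
      return (r) => r[col] === val;
    });
    this.filters.push((r) => clauses.some((f) => f(r)));
    return this;
  }
  run() { return { data: this.rows.filter((r) => this.filters.every((f) => f(r))), error: null }; }
}
const supabase = { from: (table) => new FakeQuery(table === "relationships" ? RELATIONSHIPS : []) };

// Hypothetical validator; the accepted format is an assumption for this example.
function isNeotomaEntityId(id) {
  return typeof id === "string" && /^ent_[A-Za-z0-9]{1,32}$/.test(id);
}

// BEFORE (the pattern the advisory describes): no user_id filter, so every
// user's rows are candidates, and the request value is interpolated into .or().
function listRelationshipsVulnerable() {
  return supabase.from("relationships").select("*").run();
}
function retrieveNeighborhoodVulnerable(entityId) {
  return supabase.from("relationships").select("*")
    .or(`source_entity_id.eq.${entityId},target_entity_id.eq.${entityId}`).run();
}

// AFTER: every query carries .eq("user_id", userId), the entity ID is checked
// before it is used, and "source OR target" is expressed as two scoped .eq()
// queries whose results are merged, instead of one interpolated .or() string.
function listRelationshipsFixed(userId) {
  return supabase.from("relationships").select("*").eq("user_id", userId).run();
}
function retrieveNeighborhoodFixed(userId, entityId) {
  if (!isNeotomaEntityId(entityId)) return { data: null, error: "invalid entity id" };
  const asSource = supabase.from("relationships").select("*")
    .eq("user_id", userId).eq("source_entity_id", entityId).run();
  const asTarget = supabase.from("relationships").select("*")
    .eq("user_id", userId).eq("target_entity_id", entityId).run();
  const seen = new Set();
  const data = [...asSource.data, ...asTarget.data].filter((r) => !seen.has(r.id) && seen.add(r.id));
  return { data, error: null };
}

// Usage: user-a asking about user-b's entity gets user-b's rows from the
// vulnerable handler and nothing from the fixed one.
console.log(retrieveNeighborhoodVulnerable("ent_b1").data.length); // 2
console.log(retrieveNeighborhoodFixed("user-a", "ent_b1").data.length); // 0
```

The two-query merge is one way to keep the per-user scope while still returning relationships in either direction; the point is that the tenant filter is applied on every code path and that request input never becomes part of a filter string.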