fix: CRITICAL — scope copilot tree query to current account

A user who knew another account's tree UUID could start a copilot
conversation, causing the tree's full node structure, names, and
descriptions to be sent to the AI as part of the system prompt.

Fix: add account_id (or is_default / visibility='public') filter to
the tree SELECT in copilot_service.start_conversation(). Returns 404
for inaccessible trees. Test added in test_tenant_isolation_p0.py.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/services/copilot_service.py

@@ -8,7 +8,7 @@ from datetime import datetime, timezone, timedelta
 from typing import Optional, Any
 from uuid import UUID
 
-from sqlalchemy import select
+from sqlalchemy import select, or_
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
 
@@ -103,13 +103,23 @@ async def start_conversation(
 
     Returns (conversation, greeting_message).
     """
-    # Load tree
+    # Load tree — must be accessible to this account.
+    # Allows own account's trees, default trees, and public trees.
+    # Raises ValueError (caught by endpoint as 404) if not found or not accessible.
     result = await db.execute(
-        select(Tree).options(selectinload(Tree.tags)).where(Tree.id == tree_id)
+        select(Tree).options(selectinload(Tree.tags)).where(
+            Tree.id == tree_id,
+            or_(
+                Tree.account_id == account_id,
+                Tree.author_id == user_id,
+                Tree.is_default == True,
+                Tree.is_public == True,
+            ),
+        )
     )
     tree = result.scalar_one_or_none()
     if not tree:
-        raise ValueError(f"Tree {tree_id} not found")
+        raise ValueError(f"Tree {tree_id} not found or not accessible")
 
     conversation = CopilotConversation(
         user_id=user_id,