fix: escape SQL wildcards in tag search autocomplete

The % and _ characters in user search input are now escaped before
the LIKE query, preventing unintended wildcard matching in tag search.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
chihlasm
2026-02-06 00:26:35 -05:00
parent 94ec19cf07
commit 1e57aa8323
2 changed files with 33 additions and 1 deletions

@@ -62,8 +62,9 @@ async def search_tags(
Searches tag names for the query string.
Returns matching tags ordered by usage count.
"""
escaped_q = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
query = select(TreeTag).where(
TreeTag.name.ilike(f"%{q}%")
TreeTag.name.ilike(f"%{escaped_q}%", escape="\\")
)
# Filter by visibility
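Review bot: the escaping chain on the `escaped_q = ...` line is written inline in `search_tags`, so any other `LIKE`/`ILIKE` filter built from user input has to repeat it and get the order right (the backslash must be replaced first, as it is here). Consider moving it into a small shared helper, or, if the project is on SQLAlchemy 2.0, replacing both lines with `TreeTag.name.icontains(q, autoescape=True)`, which escapes `%`, `_` and the escape character itself. A short comment noting that the `escape="\\"` argument must match the character used in the `replace` calls would also help the next reader.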