fix: enforce visibility column in tree access filter

Previously build_tree_access_filter used is_public boolean and ignored the
visibility column entirely. Now private/link trees are only visible to their
author, team trees require matching account_id, and public trees are open to all.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/core/filters.py

@@ -16,24 +16,32 @@ if TYPE_CHECKING:
 def build_tree_access_filter(current_user: User):
     """Build the access filter for trees based on user permissions.
 
-    Returns trees that are:
+    Visibility rules:
-    - All trees (for super admins)
+    - super_admin: sees everything
-    - Default/system trees (visible to all)
+    - is_default: visible to all authenticated users
-    - Public trees
+    - visibility='public': visible to all authenticated users
-    - User's own trees
+    - author_id == me: always visible (regardless of visibility setting)
-    - Trees from user's account
+    - visibility='team' AND account_id == mine: visible to account members
+    - visibility='private': only visible to author (covered by author_id check above)
+    - visibility='link': only visible to author (share token access is handled separately)
     """
     from app.models.tree import Tree
 
     if current_user.is_super_admin:
         return sa_true()
+
     conditions = [
         Tree.is_default == True,
-        Tree.is_public == True,
+        Tree.visibility == 'public',
         Tree.author_id == current_user.id,
     ]
     if current_user.account_id:
-        conditions.append(Tree.account_id == current_user.account_id)
+        conditions.append(
+            and_(
+                Tree.visibility == 'team',
+                Tree.account_id == current_user.account_id
+            )
+        )
     return or_(*conditions)