Security hardening: fix critical, high, and medium issues from audit

CRITICAL:
- A-001: SQL injection in snapshot — escape single quotes in backup path
- A-002: Timing attack — always verify against dummy hash when user not
  found, preventing username enumeration
- A-003: Notebook ownership — all authenticated endpoints now verify
  user_id before loading notebook data
- A-004: Point data bounds — decodePoints returns error on misaligned
  data, >4MB payloads, and NaN/Inf values

HIGH:
- A-005: Error messages — generic errors in HTTP responses, no err.Error()
- A-006: Share link authz — RevokeShareLink verifies notebook ownership
- A-007: Scan errors — return 500 instead of silently continuing

MEDIUM:
- A-008: Web server TLS — optional TLS support (HTTPS when configured)
- A-009: Input validation — page_size, stroke count, point_data alignment
  checked in SyncNotebook RPC
- A-010: Graceful shutdown — 30s drain on SIGINT/SIGTERM, all servers
  shut down properly

Added AUDIT.md with all 17 findings, status, and rationale for
accepted risks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/share.go

@@ -51,6 +51,23 @@ func (s *SyncService) CreateShareLink(ctx context.Context, req *pb.CreateShareLi
 }
 
 func (s *SyncService) RevokeShareLink(ctx context.Context, req *pb.RevokeShareLinkRequest) (*pb.RevokeShareLinkResponse, error) {
+	userID, ok := UserIDFromContext(ctx)
+	if !ok {
+		return nil, status.Error(codes.Internal, "missing user context")
+	}
+
+	// Verify the calling user owns the notebook associated with this share link.
+	var count int
+	err := s.DB.QueryRowContext(ctx,
+		`SELECT COUNT(*) FROM share_links sl
+		 JOIN notebooks n ON sl.notebook_id = n.id
+		 WHERE sl.token = ? AND n.user_id = ?`,
+		req.Token, userID,
+	).Scan(&count)
+	if err != nil || count == 0 {
+		return nil, status.Error(codes.NotFound, "share link not found")
+	}
+
 	if err := share.RevokeLink(s.DB, req.Token); err != nil {
 		return nil, status.Errorf(codes.Internal, "revoke: %v", err)
 	}