feat: scope every API endpoint to the token's sub; expose ownerId in DTOs

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

server/api/lists.put.ts

@@ -1,4 +1,6 @@
-// PUT /api/lists (desktop) — full-replace catalog. Upsert all supplied; delete the rest.
+// PUT /api/lists (desktop) — full-replace of the caller's catalog. Upsert all supplied;
+// delete the caller's lists not present. Any client-supplied ownerId is ignored — the
+// server stamps ownership from the verified token.
 export default defineEventHandler(async (event) => {
   const body = await readBody(event);
   if (
@@ -9,6 +11,7 @@ export default defineEventHandler(async (event) => {
   }
   await replaceLists(
     getSql(),
+    ownerOf(event),
     body.map((l) => ({ id: l.id, name: l.name })),
   );
   return { ok: true };