fix: filter Neptune snapshot reads to active records (issue #613)

[haasonsaas]

Summary

• filter Neptune snapshot node and edge queries server-side so soft-deleted records are not transferred for snapshot reads
• make Neptune Snapshot defensively skip deleted rows even if a backend query regresses later
• add a regression test that forces Snapshot to use the filtered openCypher queries

Testing

• go test ./internal/graph -run 'TestNeptuneGraphStoreSnapshotFiltersDeletedRecordsServerSide|TestNeptuneGraphStoreDecodesLookupAndSnapshotResults' -count=1
• go test ./internal/graph -count=1
• go test ./... -count=1
• GOTOOLCHAIN=go1.26.1 go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.1 run --timeout=15m ./cmd/... ./internal/... ./api/...

[cursor]

You have used all Bugbot PR reviews included in your free trial for your GitHub account on this workspace.

To continue using Bugbot reviews, enable Bugbot for your team in the Cursor dashboard.

[cursor]

You have used all Bugbot PR reviews included in your free trial for your GitHub account on this workspace.

To continue using Bugbot reviews, enable Bugbot for your team in the Cursor dashboard.

[cursor]

Security review complete for PR #620.

No high-confidence vulnerabilities found in this diff.

Validated areas:

• Injection risks: snapshot queries remain static constants; no new user-controlled query construction introduced.
• Authn/authz boundaries: no authentication or authorization logic changed.
• Secrets/token handling: no new secret material handling or sensitive logging paths added.
• SSRF/XSS/deserialization/request forgery: no new network fetch, HTML rendering, or unsafe decode paths introduced by this PR.
• Supply-chain risk: no dependency or build-chain changes.

Prior automation findings/threads validation:

• Reviewed prior security-review state and found no unresolved security threads requiring carry-forward.
• Applied cleanup so only the current assessment remains active.

  

_{Sent by Cursor Automation: Find vulnerabilities}