fix: enforce run ownership on all mutation endpoints

Add require_run_owner helper in auth.py that enforces ownership on
mutation endpoints. Unowned (legacy) runs are now read-only.

Applied ownership checks to:
- All 4 encounter mutation endpoints
- Both boss result mutation endpoints
- Run update/delete endpoints
- All 5 genlocke mutation endpoints (via first leg's run owner)

Also sets owner_id on run creation in genlockes.py (create_genlocke,
advance_leg) and adds 22 comprehensive ownership enforcement tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/tests/test_runs.py

@@ -1,5 +1,7 @@
 """Integration tests for the Runs & Encounters API."""
 
+from uuid import UUID
+
 import pytest
 from httpx import AsyncClient
 from sqlalchemy.ext.asyncio import AsyncSession
@@ -8,8 +10,11 @@ from app.models.game import Game
 from app.models.nuzlocke_run import NuzlockeRun
 from app.models.pokemon import Pokemon
 from app.models.route import Route
+from app.models.user import User
 from app.models.version_group import VersionGroup
 
+MOCK_AUTH_USER_ID = UUID("00000000-0000-4000-a000-000000000001")
+
 RUNS_BASE = "/api/v1/runs"
 ENC_BASE = "/api/v1/encounters"
 
@@ -42,6 +47,11 @@ async def run(auth_client: AsyncClient, game_id: int) -> dict:
 @pytest.fixture
 async def enc_ctx(db_session: AsyncSession) -> dict:
     """Full context for encounter tests: game, run, pokemon, standalone and grouped routes."""
+    # Create the mock auth user to own the run
+    user = User(id=MOCK_AUTH_USER_ID, email="test@example.com")
+    db_session.add(user)
+    await db_session.flush()
+
     vg = VersionGroup(name="Enc Test VG", slug="enc-test-vg")
     db_session.add(vg)
     await db_session.flush()
@@ -83,6 +93,7 @@ async def enc_ctx(db_session: AsyncSession) -> dict:
 
     run = NuzlockeRun(
         game_id=game.id,
+        owner_id=user.id,
         name="Enc Run",
         status="active",
         rules={"shinyClause": True, "giftClause": False},