Safe-guards added to the database endpoints

The /api/db/* endpoints had grown organically and a few of them were missing the consistent auth-guard middleware. Easy to miss when shipping new endpoints quickly.

All DB endpoints now go through a uniform safe-guard layer that enforces session presence, validates the requesting user against the resource owner where applicable, and surfaces a structured 401/403 instead of leaking server-side errors. The pattern is documented so new endpoints inherit the guard by default.