fix(sync): verify card ownership before update in push

Previously, when updating an existing card during sync push, only the
target deck ownership was verified. This allowed a user who knew another
user's card ID to potentially update that card by specifying their own
deck. Now the query joins with decks table to verify the existing card
belongs to the current user.

🤖 Generated with [Claude Code](https://claude.ai/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

0 files changed, 0 insertions, 0 deletions