fix(graph): scope spanner tenant reads

[jonathanhaaswriter]

Summary

• mark SpannerGraphStore as tenant-scope-aware so tenant-configured reads can stay on the configured backend
• enforce tenant visibility across Spanner node, edge, snapshot, and traversal reads instead of falling back to snapshot materialization
• add TDD coverage for scoped Spanner reads and for CurrentSecurityGraphStoreForTenant preferring the configured Spanner backend

Validation

• go test ./internal/graph ./internal/app
• python3 scripts/devex.py run --files internal/app/app_graph_store_test.go internal/graph/store_spanner.go internal/graph/store_spanner_test.go

Stack

Base branch: feat/graph-store-read-foundation

[jonathanhaaswriter]

Re-reviewed the current diff and I don't have any additional actionable findings right now.

[jonathanhaaswriter]

I think the tenant fail-closed contract regressed here. Once the configured Spanner store advertises tenant read scope, CurrentSecurityGraphStoreForTenant() prefers that path without the HasScopedNodesForTenant() guard the other tenant resolvers use. Because shared nodes are still visible under tenant scope, a tenant-missing request can return shared data instead of ErrStoreUnavailable.

Can we add the same tenant-presence check (or a Spanner equivalent) before returning the scoped store?