Security vulnerabilities in Graphify's `_fetch_tweet` function (SSRF) and Neo4j Cypher export (injection).
Raw Developer Origin & Technical Request
GitHub Issue
Apr 6, 2026
Some more stuff Claude noted:
**1. `_fetch_tweet` bypasses all SSRF protections**
`ingest.py:70-71` — You built a whole `safe_fetch()` system with URL validation, redirect re-validation, and size caps. Then `_fetch_tweet()` ignores all of it and calls `urllib.request.urlopen()` directly with a URL constructed from user input. The `oembed_api` URL is built by string-formatting `urllib.parse.quote(oembed_url)`, but the original `url` is only validated *after* `_detect_url_type()` already classified it — and the oEmbed call happens before `validate_url()` has a chance to reject anything because the code path enters `_fetch_tweet()` at line 208 before the `try/except` block at line 195 even matters (the tweet fetch is inside the try, but the raw `urlopen` doesn't go through `safe_fetch`). Any tweet-like URL triggers an unprotected HTTP request with no redirect validation, no size cap, and no scheme check on the constructed oEmbed URL.
**2. Neo4j Cypher export is injection-vulnerable**
`export.py:278-293` — `to_cypher()` builds Cypher statements by string-interpolating node IDs, labels, and relation names with only a single-quote escape (`replace("'", "\\'")`). Node IDs come from `_make_id()` (safe), but labels come from source code identifiers that can contain backslashes. A label like `foo\')}; MATCH (n) DETACH DELETE n;//` produces valid injection. The `relation` field is uppercased and has slashes replaced, but that's it. Anyone who exports to Neo4j and runs the generated ...
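The SSRF gate that point 1 says `_fetch_tweet()` skips, shown as an added example. This is not graphify's `safe_fetch()` or `_fetch_tweet()`; the names `validate_url`, `safe_fetch`, `fetch_tweet`, the `OEMBED_ENDPOINT` constant and the fake opener are assumptions made here to show the shape of the fix: every outbound request, the oEmbed lookup included, goes through one function that checks the scheme, resolves the host and rejects non-public addresses, disables automatic redirects so each `Location` is re-validated, and caps the body size.

```python
"""Added example (not graphify's code): one SSRF gate for every outbound request."""
import email.message
import io
import ipaddress
import socket
import urllib.error
import urllib.parse
import urllib.request

ALLOWED_SCHEMES = {"http", "https"}
MAX_BYTES = 1_000_000        # size cap on any fetched body
MAX_REDIRECTS = 3
TIMEOUT = 10


def _resolve(host):
    """Default resolver: every address the name resolves to (needs network)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def _addresses(host, resolve):
    try:
        return [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        return resolve(host)


def validate_url(url, resolve=_resolve):
    """Reject non-http(s) schemes, userinfo tricks, and hosts that resolve to
    loopback, link-local (cloud metadata), private or other non-global ranges."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL is not allowed")
    for addr in _addresses(parts.hostname, resolve):
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return url


def is_allowed(url, resolve=_resolve):
    try:
        validate_url(url, resolve)
        return True
    except ValueError:
        return False


class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError so safe_fetch re-validates each hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def safe_fetch(url, opener=None, resolve=_resolve):
    opener = opener or urllib.request.build_opener(_NoAutoRedirect)
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolve)            # checked before every hop, not just the first
        try:
            resp = opener.open(url, timeout=TIMEOUT)
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location") if err.code in (301, 302, 303, 307, 308) else None
            if not location:
                raise
            url = urllib.parse.urljoin(url, location)
            continue
        with resp:
            data = resp.read(MAX_BYTES + 1)
        if len(data) > MAX_BYTES:
            raise ValueError("response exceeds size cap")
        return data
    raise ValueError("too many redirects")


OEMBED_ENDPOINT = "https://publish.twitter.com/oembed?url="   # assumed endpoint, not graphify's


def fetch_tweet(tweet_url, fetch=safe_fetch, resolve=_resolve):
    """The fix: validate the user-supplied URL, then route the oEmbed call
    through safe_fetch instead of calling urllib.request.urlopen directly."""
    validate_url(tweet_url, resolve)
    return fetch(OEMBED_ENDPOINT + urllib.parse.quote(tweet_url, safe=""))


class _RedirectToLoopback:
    """Constructed fake opener: answers every request with a 302 to localhost."""
    def open(self, url, timeout=None):
        headers = email.message.Message()
        headers["Location"] = "http://127.0.0.1:7474/"
        raise urllib.error.HTTPError(url, 302, "Found", headers, io.BytesIO(b""))


def redirect_is_blocked():
    """Returns the reason safe_fetch refused to follow the redirect to loopback."""
    try:
        safe_fetch("https://example.com/", opener=_RedirectToLoopback(),
                   resolve=lambda host: ["93.184.216.34"])   # constructed public address
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(redirect_is_blocked())
```

Two design points worth keeping when porting this: the redirect handler deliberately returns `None` so that urllib never follows a `Location` on its own, because an oEmbed service (or anything upstream of it) answering with a 302 to `169.254.169.254` or `127.0.0.1` is the classic way a "validated" first URL still reaches an internal host; and IP literals are checked without a DNS lookup, so `http://[::1]:7474/` and `http://169.254.169.254/` are rejected even with no resolver available.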
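The injection from point 2 worked through, as an added example that is not graphify's `to_cypher()`. `naive_escape` is the single-quote-only replacement the issue describes; `render_node`, `code_outside_strings`, `render_node_parameterized` and `quote_identifier` are names assumed here. The example shows why the label from the issue escapes the string literal, that escaping the backslash before the quote keeps it inside, and the two fixes a practitioner would actually ship: parameters (`$id`, `$label`) for property values, and an allowlist or backtick quoting for labels and relationship types, which Cypher does not let you parameterize.

```python
"""Added example (not graphify's code): Cypher injection via a backslash in a label."""
import re

# The label from the issue, constructed here as test input.
PAYLOAD = "foo\\')}; MATCH (n) DETACH DELETE n;//"


def naive_escape(value):
    """What the issue describes: only the quote is escaped."""
    return value.replace("'", "\\'")


def safe_escape(value):
    """Escape the escape character first, then the quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def render_node(node_id, label, escape):
    """String-interpolated statement in the style the issue describes (assumed shape)."""
    return f"MERGE (n:Node {{id: '{escape(node_id)}', label: '{escape(label)}'}});"


def code_outside_strings(stmt):
    """Text a Cypher parser would treat as code: everything not inside a
    single-quoted string literal, honouring backslash escapes."""
    out, i, in_str = [], 0, False
    while i < len(stmt):
        ch = stmt[i]
        if in_str:
            if ch == "\\":
                i += 2           # escaped character stays inside the literal
                continue
            if ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def is_injected(stmt):
    """True when attacker text ends up outside the string literal."""
    return "DETACH DELETE" in code_outside_strings(stmt)


def render_node_parameterized(node_id, label):
    """Preferred fix for property values: the driver sends $params out of band,
    so no character in the label can change the statement."""
    query = "MERGE (n:Node {id: $id}) SET n.label = $label"
    return query, {"id": node_id, "label": label}


IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_identifier(name):
    """Labels and relationship types cannot be parameters: allow plain
    identifiers as-is, otherwise backtick-quote with doubled backticks."""
    if IDENT.match(name):
        return name
    return "`" + name.replace("`", "``") + "`"


def render_relationship(src_id, dst_id, rel_type):
    query = (f"MATCH (a:Node {{id: $src}}), (b:Node {{id: $dst}}) "
             f"MERGE (a)-[:{quote_identifier(rel_type)}]->(b)")
    return query, {"src": src_id, "dst": dst_id}


if __name__ == "__main__":
    for name, esc in (("naive", naive_escape), ("safe", safe_escape)):
        stmt = render_node("n1", PAYLOAD, esc)
        print(f"{name}: {stmt}\n  injected={is_injected(stmt)}")
```

Run with the payload and the naive rendering, `code_outside_strings` returns `MERGE (n:Node {id: , label: )}; MATCH (n) DETACH DELETE n;//...`: the `\\` produced by `naive_escape` is read by Cypher as one escaped backslash, the following `'` closes the literal, and the `//` comments out the quote the exporter appended. Even the corrected escape should be treated as a stopgap; the parameterized form is what to emit for every value that comes from a source file.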
Repository: safishamsi/graphify