fix: appointment conflict detection, soft-delete, and auth guardrail

Fixes five bugs flagged in CEO code review (GitHub issues #18–22):

- #18: Wrap conflict check + insert/update in a DB transaction to
  prevent double-booking race conditions under concurrent load.

- #19: PATCH conflict detection now falls back to the existing
  appointment's staffId when staffId is omitted from the request body,
  so rescheduling always checks for conflicts.

- #20: DELETE endpoint now soft-deletes (status = 'cancelled') instead
  of hard-deleting, preserving audit trail and financial records.

- #21: Staff DELETE checks for existing non-cancelled appointments
  before deleting and returns 409 if any are found, preventing orphaned
  references.

- #22: AUTH_DISABLED=true now logs a startup warning in development and
  calls process.exit(1) in production, preventing accidental auth
  bypass in deployed environments.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/middleware/auth.ts

@@ -23,6 +23,21 @@ export interface JwtPayload {
   name?: string;
 }
 
+// Guard: refuse to start with AUTH_DISABLED in production (fixes #22).
+if (process.env.AUTH_DISABLED === "true") {
+  if (process.env.NODE_ENV === "production") {
+    console.error(
+      "[FATAL] AUTH_DISABLED=true is not allowed in production. " +
+        "Remove AUTH_DISABLED from your environment and configure OIDC_ISSUER."
+    );
+    process.exit(1);
+  }
+  console.warn(
+    "[WARNING] AUTH_DISABLED=true — authentication is bypassed. " +
+      "Do NOT use this in production."
+  );
+}
+
 export const authMiddleware: MiddlewareHandler = async (c, next) => {
   if (process.env.AUTH_DISABLED === "true") {
     c.set("jwtPayload", { sub: "dev-user" } as JwtPayload);