fix(GRO-634): atomic confirmation token in book.ts, correct RBAC error message

- Replace SELECT-then-UPDATE with atomic UPDATE ... WHERE token=? AND status='pending' RETURNING *
  to prevent confirmation token replay attacks (TOCTOU race condition)
- Fix requireRoleOrSuperUser() error message: swap the conditional branches so
  'Forbidden: super user privileges required' is returned when user lacks role,
  and 'Forbidden: role X is not permitted' when user is not superuser
- Add 'and' mock export to confirmation.test.ts and rbac.test.ts for new query patterns
- Update test expectations to match corrected error message semantics

apps/api/src/__tests__/confirmation.test.ts

@@ -68,6 +68,7 @@ vi.mock("@groombook/db", () => {
     }),
     appointments,
     eq: () => ({}),
+    and: (...clauses: unknown[]) => ({}),
   };
 });
 

apps/api/src/__tests__/rbac.test.ts

@@ -78,6 +78,7 @@ vi.mock("@groombook/db", () => {
     }),
     staff,
     eq: vi.fn((_col: unknown, _val: unknown) => ({ col: _col, val: _val })),
+    and: vi.fn((..._clauses: unknown[]) => ({})),
   };
 });
 
@@ -362,7 +363,7 @@ describe("requireRoleOrSuperUser", () => {
     const res = await app.request("/test");
     expect(res.status).toBe(403);
     const body = await res.json();
-    expect(body.error).toMatch(/super user privileges required/i);
+    expect(body.error).toMatch(/role.*not permitted/i);
   });
 
   it("blocks a non-super-user groomer from manager-only routes", async () => {
@@ -370,7 +371,7 @@ describe("requireRoleOrSuperUser", () => {
     const res = await app.request("/test");
     expect(res.status).toBe(403);
     const body = await res.json();
-    expect(body.error).toMatch(/super user privileges required/i);
+    expect(body.error).toMatch(/role.*not permitted/i);
   });
 
   it("allows a manager with multiple allowed roles", async () => {