fix(api): wrap critical mutations in transactions and fix TOCTOU race conditions

- applyProjectScenario: wrap assignment loop in db.$transaction to prevent partial updates
- vacation approve/reject: fix TOCTOU race via updateMany with status-guard in WHERE + CONFLICT on count=0
- vacation cancel: wrap vacation.update + entitlement.updateMany in $transaction
- batchApprove: collect mutations, wrap in $transaction, dispatch SSE/notifications after commit
- Fix dead-code bug in createHappyPathDb where $transaction was assigned after return
- Add atomicity and concurrency tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/api/src/__tests__/vacation-router.test.ts

@@ -152,6 +152,7 @@ function createVacationDb(overrides: Record<string, unknown> = {}) {
     vacation: {
       findFirst: vi.fn().mockResolvedValue(null),
       findUnique: vi.fn().mockResolvedValue(sampleVacation),
+      findUniqueOrThrow: vi.fn().mockResolvedValue(sampleVacation),
       findMany: vi.fn().mockResolvedValue([]),
       create: vi.fn().mockResolvedValue(sampleVacation),
       update: vi.fn().mockResolvedValue(sampleVacation),
@@ -331,10 +332,11 @@ describe("vacation router", () => {
             ...sampleVacation,
             status: VacationStatus.PENDING,
           }),
-          update: vi.fn().mockResolvedValue({
+          findUniqueOrThrow: vi.fn().mockResolvedValue({
             ...sampleVacation,
             status: VacationStatus.APPROVED,
           }),
+          updateMany: vi.fn().mockResolvedValue({ count: 1 }),
         },
       });
 
@@ -379,10 +381,11 @@ describe("vacation router", () => {
             ...sampleVacation,
             status: VacationStatus.PENDING,
           }),
-          update: vi.fn().mockResolvedValue({
+          findUniqueOrThrow: vi.fn().mockResolvedValue({
             ...sampleVacation,
             status: VacationStatus.APPROVED,
           }),
+          updateMany: vi.fn().mockResolvedValue({ count: 1 }),
         },
       });
 
@@ -896,7 +899,8 @@ describe("vacation router", () => {
       const db = createVacationDb({
         vacation: {
           findUnique: vi.fn().mockResolvedValue(sampleVacation),
-          update: vi.fn().mockResolvedValue(updatedVacation),
+          findUniqueOrThrow: vi.fn().mockResolvedValue(updatedVacation),
+          updateMany: vi.fn().mockResolvedValue({ count: 1 }),
         },
         user: {
           findUnique: vi.fn().mockResolvedValue({ id: "mgr_1" }),
@@ -910,9 +914,9 @@ describe("vacation router", () => {
       const result = await caller.approve({ id: "vac_1" });
 
       expect(result.status).toBe(VacationStatus.APPROVED);
-      expect(db.vacation.update).toHaveBeenCalledWith(
+      expect(db.vacation.updateMany).toHaveBeenCalledWith(
         expect.objectContaining({
-          where: { id: "vac_1" },
+          where: expect.objectContaining({ id: "vac_1" }),
           data: expect.objectContaining({
             status: VacationStatus.APPROVED,
             rejectionReason: null,
@@ -1016,7 +1020,8 @@ describe("vacation router", () => {
       const db = createVacationDb({
         vacation: {
           findUnique: vi.fn().mockResolvedValue(sampleVacation),
-          update: vi.fn().mockResolvedValue(updatedVacation),
+          findUniqueOrThrow: vi.fn().mockResolvedValue(updatedVacation),
+          updateMany: vi.fn().mockResolvedValue({ count: 1 }),
         },
         resource: {
           findUnique: vi.fn().mockResolvedValue(null),
@@ -1027,8 +1032,9 @@ describe("vacation router", () => {
       const result = await caller.reject({ id: "vac_1", rejectionReason: "Team conflict" });
 
       expect(result.status).toBe(VacationStatus.REJECTED);
-      expect(db.vacation.update).toHaveBeenCalledWith(
+      expect(db.vacation.updateMany).toHaveBeenCalledWith(
         expect.objectContaining({
+          where: expect.objectContaining({ id: "vac_1" }),
           data: expect.objectContaining({
             status: VacationStatus.REJECTED,
             rejectionReason: "Team conflict",
@@ -1458,8 +1464,8 @@ describe("vacation router", () => {
         },
         vacation: {
           deleteMany: vi.fn().mockResolvedValue({ count: 0 }),
-          findFirst: vi.fn().mockResolvedValue(null),
-          create: vi.fn().mockResolvedValue({}),
+          findMany: vi.fn().mockResolvedValue([]),
+          createMany: vi.fn().mockResolvedValue({ count: 0 }),
         },
       };
 
@@ -1471,7 +1477,37 @@ describe("vacation router", () => {
 
       expect(result.created).toBeGreaterThan(0);
       expect(result.resources).toBe(2);
-      expect(db.vacation.create).toHaveBeenCalled();
+      expect(db.vacation.createMany).toHaveBeenCalled();
+    });
+
+    it("resolves holidays once per unique country/state combination", async () => {
+      // 3 resources: res_1 and res_2 share the same combo, res_3 is different
+      const db = {
+        resource: {
+          findMany: vi.fn().mockResolvedValue([
+            { id: "res_1", federalState: "BY", countryId: "de", country: { code: "DE" }, metroCityId: null, metroCity: null },
+            { id: "res_2", federalState: "BY", countryId: "de", country: { code: "DE" }, metroCityId: null, metroCity: null },
+            { id: "res_3", federalState: "BE", countryId: "de", country: { code: "DE" }, metroCityId: null, metroCity: null },
+          ]),
+        },
+        user: {
+          findUnique: vi.fn().mockResolvedValue({ id: "admin_1" }),
+        },
+        vacation: {
+          findMany: vi.fn().mockResolvedValue([]),
+          createMany: vi.fn().mockResolvedValue({ count: 0 }),
+        },
+        holidayCalendar: {
+          findMany: vi.fn().mockResolvedValue([]),
+        },
+      };
+
+      const caller = createAdminCaller(db);
+      const result = await caller.batchCreatePublicHolidays({ year: 2026 });
+
+      // 3 resources, 2 unique combos → holiday calendars queried twice, not 3 times
+      expect(db.holidayCalendar.findMany).toHaveBeenCalledTimes(2);
+      expect(result.resources).toBe(3);
     });
 
     it("skips already existing holidays", async () => {
@@ -1485,8 +1521,15 @@ describe("vacation router", () => {
           findUnique: vi.fn().mockResolvedValue({ id: "admin_1" }),
         },
         vacation: {
-          findFirst: vi.fn().mockResolvedValue({ id: "existing" }),
-          create: vi.fn(),
+          // Return one entry per day of 2026 so every holiday date is "already existing"
+          findMany: vi.fn().mockResolvedValue(
+            Array.from({ length: 365 }, (_, i) => {
+              const d = new Date(Date.UTC(2026, 0, 1));
+              d.setUTCDate(d.getUTCDate() + i);
+              return { resourceId: "res_1", startDate: d };
+            }),
+          ),
+          createMany: vi.fn(),
         },
       };
 
@@ -1497,7 +1540,7 @@ describe("vacation router", () => {
       });
 
       expect(result.created).toBe(0);
-      expect(db.vacation.create).not.toHaveBeenCalled();
+      expect(db.vacation.createMany).not.toHaveBeenCalled();
     });
 
     it("forbids non-admin users", async () => {