#458 MEDIUM: TOCTOU race conditions in DB operations

Check-then-act patterns without atomicity: 1. S3 deduplication (storage/s3_provider.py:169-178) 2. Workflow definition hash (services/workflow_versioning_service.py:236-315) 3. Approval creation (tools/approval_tool.py:62-96) 4. Tenant config cache (config.py:596-600) Fix: Use INSERT ON CONFLICT, atomic ops, or locking.