#542 [API/Race] rbac.py TOCTOU in API key validation
Description
File: api/middleware/rbac.py:146-209. _validate_api_key performs a SELECT and then an UPDATE without a FOR UPDATE lock. Between the SELECT and the UPDATE, another process could deactivate the key, so the request is authorized on a stale read (a time-of-check/time-of-use race). IMPACT: security bypass possible. FIX: use an UPDATE ... WHERE ... RETURNING pattern so that the active check and the write are a single atomic statement.
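The race and the fix side by side, as an added example that is not the project's code and does not reproduce api/middleware/rbac.py. It assumes an api_keys table with key_hash, owner, active and last_used columns, uses an in-memory sqlite3 database as a stand-in for the real store, and models "another process deactivates the key in the window" as a callback invoked between the SELECT and the UPDATE. RETURNING needs SQLite 3.35 or newer, so the fixed version falls back to checking rowcount on older builds; either way the active check is inside the WHERE clause of the write.

```python
"""Added example for #542: SELECT-then-UPDATE race vs. an atomic conditional UPDATE.
Table, column and function names are assumptions, not the project's own code."""
import hashlib
import sqlite3
import time
from typing import Callable, Optional

# Constructed sample data: one active key owned by "svc-billing".
SAMPLE_KEY = "sk_test_constructed_example_key"
SUPPORTS_RETURNING = sqlite3.sqlite_version_info >= (3, 35, 0)


def _hash(key: str) -> str:
    # Keys are stored hashed; only the hash is ever compared in SQL.
    return hashlib.sha256(key.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY, owner TEXT NOT NULL,"
        " active INTEGER NOT NULL, last_used REAL)"
    )
    conn.execute("INSERT INTO api_keys VALUES (?, 'svc-billing', 1, NULL)", (_hash(SAMPLE_KEY),))
    conn.commit()
    return conn


def deactivate(conn: sqlite3.Connection, key: str) -> None:
    """What the 'other process' does: revoke the key."""
    conn.execute("UPDATE api_keys SET active=0 WHERE key_hash=?", (_hash(key),))
    conn.commit()


def validate_racy(conn: sqlite3.Connection, key: str,
                  between: Callable[[], None] = lambda: None) -> Optional[str]:
    """Vulnerable pattern: check (SELECT) and act (UPDATE) are two statements.
    `between` stands in for work another process does inside the window."""
    h = _hash(key)
    row = conn.execute(
        "SELECT owner FROM api_keys WHERE key_hash=? AND active=1", (h,)
    ).fetchone()
    if row is None:
        return None
    between()  # the key may be deactivated right here
    conn.execute("UPDATE api_keys SET last_used=? WHERE key_hash=?", (time.time(), h))
    conn.commit()
    return row[0]  # decided from the stale SELECT, not from the current row state


def validate_atomic(conn: sqlite3.Connection, key: str) -> Optional[str]:
    """Fixed pattern: the active check is part of the UPDATE's WHERE clause, so the
    row is written (and the caller authorized) only if it is still active at the
    moment of the write. No separate SELECT, hence no window and no FOR UPDATE."""
    h = _hash(key)
    cur = conn.cursor()
    if SUPPORTS_RETURNING:
        cur.execute(
            "UPDATE api_keys SET last_used=? WHERE key_hash=? AND active=1 RETURNING owner",
            (time.time(), h),
        )
        row = cur.fetchone()  # None when the key is missing or inactive
        conn.commit()
        return row[0] if row else None
    # Older SQLite: same atomicity, the matched-row count is the check.
    cur.execute(
        "UPDATE api_keys SET last_used=? WHERE key_hash=? AND active=1", (time.time(), h)
    )
    conn.commit()
    if cur.rowcount != 1:
        return None
    return conn.execute("SELECT owner FROM api_keys WHERE key_hash=?", (h,)).fetchone()[0]


def demo() -> dict:
    """Run both versions against an interleaved deactivation."""
    racy = make_db()
    racy_result = validate_racy(racy, SAMPLE_KEY, between=lambda: deactivate(racy, SAMPLE_KEY))
    fixed = make_db()
    deactivate(fixed, SAMPLE_KEY)  # revoked just before the atomic statement runs
    fixed_result = validate_atomic(fixed, SAMPLE_KEY)
    return {"racy_accepts_revoked_key": racy_result, "atomic_accepts_revoked_key": fixed_result}


if __name__ == "__main__":
    print(demo())
```

The racy version returns "svc-billing" even though the key was revoked inside the window; the atomic version returns None for the same sequence, and still returns the owner for a key that is active. On PostgreSQL the RETURNING branch is the one to use, which also saves the extra round trip of the rowcount fallback.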