#550 [API/Race] approvals.py no locking on approval state transitions

File: api/blueprints/v1/approvals.py:99-157. approve() and reject() endpoints call service without locking. Concurrent approvals/rejections can lead to inconsistent state. FIX: ApprovalService must use SELECT FOR UPDATE before state transition.