#559 [API/Race] tenant_apps.py TOCTOU in enable_app/disable_app

File: api/blueprints/v1/tenant_apps.py:554-657. SELECT to check current status, then UPDATE. Concurrent enable/disable requests could both see same state. FIX: Combine into UPDATE ... WHERE status = expected_status RETURNING.