feat: auto-cascade cron + admin waitlist management procedures

- expirePendingPastDeadline service: scans PENDING confirmations past
  deadline, marks each EXPIRED + audit-logs, then promotes the next
  waitlist entry per affected category (using each program's grand-final
  round configJson for windowHours).
- /api/cron/finalist-confirmations: hourly cron entrypoint (CRON_SECRET
  header gate), wraps the service.
- finalist.addToWaitlist: insert at a specific rank, shifting later
  entries down (transactional).
- finalist.reorderWaitlist: rewrite a category's rank order in one go,
  using a temp-rank trick to avoid unique-constraint conflicts mid-update.
- finalist.manualPromote: out-of-rank-order admin promote with audit log
  (FINALIST_MANUAL_PROMOTE) + fresh confirmation email.

2 new tests. Suite at 14/14 for finalist-confirmation.

src/app/api/cron/finalist-confirmations/route.ts

@@ -0,0 +1,17 @@
+import { NextResponse, type NextRequest } from 'next/server'
+import { prisma } from '@/lib/prisma'
+import { expirePendingPastDeadline } from '@/server/services/finalist-confirmation'
+
+export async function GET(request: NextRequest): Promise<NextResponse> {
+  const cronSecret = request.headers.get('x-cron-secret')
+  if (!cronSecret || cronSecret !== process.env.CRON_SECRET) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+  try {
+    const result = await expirePendingPastDeadline(prisma)
+    return NextResponse.json({ ok: true, ...result })
+  } catch (error) {
+    console.error('[Cron] finalist-confirmations failed:', error)
+    return NextResponse.json({ error: 'Internal error' }, { status: 500 })
+  }
+}