Rework the dbauthz authorization for GetWorkspaceBuildProvisionerStateByID
to properly enforce policy.ActionUpdate on the template, matching the
actual security policy that was previously only enforced in the HTTP
handler (workspaceBuildState).

Changes:
- Rewrite the SQL query to JOIN through workspace_builds → workspaces →
  templates, returning template columns needed for RBACObject().
- Add RBACObject() method on GetWorkspaceBuildProvisionerStateByIDRow
  that returns rbac.ResourceTemplate with the correct ID, org, and ACLs.
- Replace the manual three-query dbauthz implementation with a single
  fetchWithAction call using policy.ActionUpdate.
- Remove the handler-level RBAC check from workspaceBuildState since
  dbauthz now handles it properly.
- Elevate wsbuilder's getState() to use dbauthz.AsProvisionerd context
  since internal state copying during build creation should not require
  template update permissions.
- Fix pre-existing rename: GetWorkspaceAgentAndLatestBuildByAuthToken →
  GetAuthenticatedWorkspaceAgentAndBuildByAuthToken (syncs with main).

Use workspace_builds.template_version_id → template_versions → templates
instead of workspace_builds.workspace_id → workspaces → templates. The
build already references its template version directly, so this is the
more natural join path to reach the template.

Revert to joining workspace_builds → workspaces → templates since
template_versions.template_id can be NULL in tests where the version
is created before the template.

Also change wsbuilder mock from Times(1) to AnyTimes() since
getState() short-circuits for orphan/explicit state paths.

Split the provisioner state mock out of withLastBuildFound into a
separate withLastBuildState helper with Times(1). Only tests that
actually reach getState() include it:
- Orphan tests skip getState() (returns nil early)
- DoNotModifyImmutables and StartWorkspaceWithLegacyParameterValues
  fail during parameter validation before reaching getState()

The wsbuilder is part of the API server, not a provisioner daemon.
AsSystemRestricted is the correct system context for internal
operations that bypass RBAC.

AsSystemRestricted does not have ActionUpdate on ResourceTemplate,
so it would fail the dbauthz check. AsProvisionerd does have this
permission, and semantically fits since the wsbuilder is preparing
state for the provisioner daemon. Added comment explaining the
elevation.

Introduces a dedicated AsWorkspaceBuilder dbauthz subject with minimal
permissions for the workspace builder:

- ActionRead on ResourceProvisionerDaemon (eligibility checks)
- ActionUpdate on ResourceProvisionerJobs (marking orphan jobs complete)
- ActionUpdate on ResourceTemplate (reading provisioner state)

This replaces the previous use of AsProvisionerd and
AsSystemReadProvisionerDaemons in wsbuilder, giving the workspace
builder its own least-privilege identity instead of borrowing the
provisioner daemon's broad permissions.