fix: include locale-prefixed paths in botid client-side protection #27910

Merged: volnei merged 1 commit into main from devin/1770926073-fix-botid-locale-prefix on Feb 12, 2026

@volnei volnei commented Feb 12, 2026

What does this PR do?

Ensures the botid client-side protection path pattern covers all URL variants that resolve to the booking API endpoint, including those with locale prefixes (e.g., /en/, /fr/).

The initBotId protect config now uses a wildcard path */api/book/event instead of the exact path /api/book/event, so the x-is-human challenge header is correctly attached regardless of any path prefix.

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A — no docs change needed.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  1. Set NEXT_PUBLIC_VERCEL_USE_BOTID_IN_BOOKER=1 in your environment.
  2. Open a booking page and attempt to book.
  3. In browser DevTools Network tab, confirm the x-is-human header is attached to the booking POST request for both direct and locale-prefixed URL variants.

Important review notes

  • Wildcard behavior: The botid library converts * to .* in a regex anchored with ^...$. .* matches zero or more characters, so the original /api/book/event path still matches (empty prefix).
  • Other booking endpoints: /api/book/instant-event and /api/book/recurring-event exist but are not currently in the protect list — this PR only fixes the existing protected path.

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>
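
The wildcard behavior from the review notes above, as an added example that is not part of this pull request or the botid library: the matcher is written from the PR's description (`*` becomes `.*` inside `^...$`), the `{ path, method }` rule shape is an assumption, and the sample requests are constructed.

```javascript
// Added illustration; not code from the botid library or this repository.
// Assumption (from the PR's review notes): "*" in a protect path becomes ".*"
// inside a regex anchored with ^...$. Escaping other metacharacters is our choice.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${escaped}$`);
}

// Assumed rule shape: { path, method }, matched against the request's method and path.
function isProtected(protect, method, path) {
  return protect.some(
    (rule) => rule.method === method && wildcardToRegExp(rule.path).test(path)
  );
}

// Returns "METHOD path" for every request that no protect rule covers.
function uncovered(protect, requests) {
  return requests
    .filter((r) => !isProtected(protect, r.method, r.path))
    .map((r) => `${r.method} ${r.path}`);
}

// Constructed sample requests; /en/ and /fr/ are the locale prefixes named in the PR.
const SAMPLE_REQUESTS = [
  { method: "POST", path: "/api/book/event" },
  { method: "POST", path: "/en/api/book/event" },
  { method: "POST", path: "/fr/api/book/event" },
  { method: "POST", path: "/api/book/instant-event" },
  { method: "POST", path: "/api/book/recurring-event" },
  { method: "GET", path: "/en/api/book/event" },
];

const BEFORE = [{ path: "/api/book/event", method: "POST" }];
const AFTER = [{ path: "*/api/book/event", method: "POST" }];

console.log("uncovered before:", uncovered(BEFORE, SAMPLE_REQUESTS));
console.log("uncovered after: ", uncovered(AFTER, SAMPLE_REQUESTS));
```

With the wildcard rule, the only POST requests left uncovered are the instant-event and recurring-event endpoints that the review notes list as outside the protect list.
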
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

@graphite-app graphite-app bot requested a review from a team February 12, 2026 19:59
@graphite-app graphite-app bot added the core area: core, team members only label Feb 12, 2026
@volnei volnei enabled auto-merge (squash) February 12, 2026 20:02

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 1 file

@paragon-review

Paragon: tests updated

1 new test generated for this PR.

New Tests

  • instrumentation-client BotId client-side protection — Tests the initBotId configuration in instrumentation-client.ts, verifying the wildcard path pattern '*/api/book/event' matches locale-prefixed paths, POST method protection, and conditional initialization based on env vars and window.crypto availability.

Details

New Tests

  • instrumentation-client BotId client-side protection (unit)

@volnei volnei merged commit 9dfcb0d into main Feb 12, 2026
93 of 97 checks passed
@volnei volnei deleted the devin/1770926073-fix-botid-locale-prefix branch February 12, 2026 20:13