fix: exempt /api/clubs/me from tenant validation

- Add path exemption in TenantValidationMiddleware for /api/clubs/me
- Change authorization policy from RequireMember to RequireViewer
- Fix KEYCLOAK_CLIENT_ID in docker-compose.yml (workclub-app)
- Resolves frontend chicken-and-egg problem for club discovery

Verified:
- /api/clubs/me returns 200 OK without X-Tenant-Id header
- /api/tasks still requires X-Tenant-Id (400 Bad Request)
- Other endpoints unaffected

backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs

@@ -11,7 +11,7 @@ public static class ClubEndpoints
         var group = app.MapGroup("/api/clubs");
 
         group.MapGet("/me", GetMyClubs)
-            .RequireAuthorization("RequireMember")
+            .RequireAuthorization("RequireViewer")
             .WithName("GetMyClubs");
 
         group.MapGet("/current", GetCurrentClub)

backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs

@@ -22,6 +22,14 @@ public class TenantValidationMiddleware
             return;
         }
 
+        // Exempt /api/clubs/me from tenant validation - this is the bootstrap endpoint
+        if (context.Request.Path.StartsWithSegments("/api/clubs/me"))
+        {
+            _logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
+            await _next(context);
+            return;
+        }
+
         if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) ||
             string.IsNullOrWhiteSpace(tenantIdHeader))
         {