fix: stabilize auth-to-tenant flow and correct tenant header mapping

Resolve post-login routing and tenant context issues by proxying frontend API
calls, redirecting authenticated users away from /login, and hardening club
loading with retries/loading guards.

Align tenant identity end-to-end by returning tenantId in /api/clubs/me and
sending X-Tenant-Id from cookie-backed tenantId instead of local clubId,
restoring authorized tasks/shifts data access after club selection.

frontend/src/components/auth-guard.tsx

@@ -7,7 +7,7 @@ import { useTenant } from '../contexts/tenant-context';
 
 export function AuthGuard({ children }: { children: ReactNode }) {
   const { data: session, status } = useSession();
-  const { activeClubId, clubs, setActiveClub } = useTenant();
+  const { activeClubId, clubs, setActiveClub, clubsLoading } = useTenant();
   const router = useRouter();
 
   useEffect(() => {
@@ -38,6 +38,14 @@ export function AuthGuard({ children }: { children: ReactNode }) {
     return null;
   }
 
+  if (status === 'authenticated' && clubsLoading) {
+    return (
+      <div className="flex items-center justify-center min-h-screen">
+        <p>Loading...</p>
+      </div>
+    );
+  }
+
   if (clubs.length === 0 && status === 'authenticated') {
     return (
       <div className="flex flex-col items-center justify-center min-h-screen gap-4">