fix(auth): add JWT audience claim and disable issuer validation

- Added Keycloak audience protocol mapper to workclub-app client
  - Maps 'workclub-api' to aud claim in access tokens
- Disabled issuer validation in API for local dev
  - External clients use localhost:8080, internal use keycloak:8080
  - Prevents validation mismatch in Docker network environment

This resolves 401 Unauthorized errors on all authenticated endpoints.

Ref: .sisyphus/evidence/final-f3-manual-qa.md lines 418-444

backend/WorkClub.Api/Program.cs

@@ -47,7 +47,7 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
         options.RequireHttpsMetadata = false;
         options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
         {
-            ValidateIssuer = true,
+            ValidateIssuer = false,  // Disabled for local dev - external clients use localhost:8080, internal use keycloak:8080
             ValidateAudience = true,
             ValidateLifetime = true,
             ValidateIssuerSigningKey = true

docker-compose.yml

@@ -63,6 +63,7 @@ services:
       ConnectionStrings__DefaultConnection: "Host=postgres;Port=5432;Database=workclub;Username=workclub;Password=dev_password_change_in_production"
       Keycloak__Authority: "http://keycloak:8080/realms/workclub"
       Keycloak__Audience: "workclub-api"
+      Keycloak__TokenValidationParameters__ValidateIssuer: "false"
     ports:
       - "5001:8080"
     volumes: