fix: exempt /api/clubs/me from tenant validation

- Add path exemption in TenantValidationMiddleware for /api/clubs/me
- Change authorization policy from RequireMember to RequireViewer
- Fix KEYCLOAK_CLIENT_ID in docker-compose.yml (workclub-app not workclub-api)
- Endpoint now works without X-Tenant-Id header as intended
- Other endpoints still protected by tenant validation

This fixes the chicken-and-egg problem where frontend needs to call
/api/clubs/me to discover available clubs before selecting a tenant.

.sisyphus/evidence/final-qa/phase3-crud-scenarios.md

@@ -0,0 +1,15 @@
+# Phase 3: API CRUD Scenarios (19-35)
+
+## Test Environment
+- Date: 2026-03-05
+- API: http://127.0.0.1:5001  
+- Tenant Tennis: 64e05b5e-ef45-81d7-f2e8-3d14bd197383 (11 tasks, 15 shifts)
+- Tenant Cycling: 3b4afcfa-1352-8fc7-b497-8ab52a0d5fda (3 tasks, unknown shifts)
+- Test User: admin@test.com (has both clubs)
+
+---
+
+## Scenario 19: POST /api/tasks - Create Task
+
+**Test**: Create new task in Tennis Club  
+**Expected**: HTTP 201, task created and persists