fix: exempt /api/clubs/me from tenant validation

- Add path exemption in TenantValidationMiddleware for /api/clubs/me
- Change authorization policy from RequireMember to RequireViewer
- Fix KEYCLOAK_CLIENT_ID in docker-compose.yml (workclub-app not workclub-api)
- Endpoint now works without X-Tenant-Id header as intended
- Other endpoints still protected by tenant validation

This fixes the chicken-and-egg problem where frontend needs to call
/api/clubs/me to discover available clubs before selecting a tenant.

.sisyphus/evidence/final-qa/s19-create-task.json

@@ -0,0 +1,12 @@
+{
+  "id": "4a8334e2-981d-4fbc-9dde-aaa95fcd58ea",
+  "title": "QA Test - New Court Net",
+  "description": "Install new net on center court",
+  "status": "Open",
+  "assigneeId": null,
+  "createdById": "0fae5846-067b-4671-9eb9-d50d21d18dfe",
+  "clubId": "00000000-0000-0000-0000-000000000000",
+  "dueDate": "2026-03-15T23:59:59+00:00",
+  "createdAt": "2026-03-05T19:52:17.9861984+00:00",
+  "updatedAt": "2026-03-05T19:52:17.986205+00:00"
+}