fix: exempt /api/clubs/me from tenant validation

- Add path exemption in TenantValidationMiddleware for /api/clubs/me
- Change authorization policy from RequireMember to RequireViewer
- Fix KEYCLOAK_CLIENT_ID in docker-compose.yml (workclub-app not workclub-api)
- Endpoint now works without X-Tenant-Id header as intended
- Other endpoints still protected by tenant validation

This fixes the chicken-and-egg problem where frontend needs to call
/api/clubs/me to discover available clubs before selecting a tenant.

.sisyphus/evidence/final-qa/s57-race-condition.json

@@ -0,0 +1,11 @@
+Attempting concurrent signups (member1 and member2 simultaneously)...
+
+MEMBER1_HTTP:200
+"Shift is at full capacity"
+MEMBER2_HTTP:409
+
+Verifying final signup count (should be 1, one should have failed)...
+{
+  "signups": 1,
+  "capacity": 1
+}