Make auth/tasks/shifts end-to-end tests deterministic with robust role-aware
fallbacks, single-worker execution, and non-brittle selectors aligned to the
current UI contracts.
Mark verified plan/evidence checklists complete after re-validating backend,
frontend, E2E, security isolation, and infrastructure commands.
- Add path exemption in TenantValidationMiddleware for /api/clubs/me
- Change authorization policy from RequireMember to RequireViewer
- Fix KEYCLOAK_CLIENT_ID in docker-compose.yml (workclub-app not workclub-api)
- Endpoint now works without X-Tenant-Id header as intended
- Other endpoints still protected by tenant validation
This fixes the chicken-and-egg problem where frontend needs to call
/api/clubs/me to discover available clubs before selecting a tenant.
