feat: BindRequestLogContext middleware + X-Request-Id round-trip

WS-7 PR-2 commit 3. RFC §3.13.

- app/Http/Middleware/BindRequestLogContext.php: tags every Laravel log
  line written during the request with request_id, organisation_id,
  user_id, and route name. Sets X-Request-Id on the response so the
  SPA can correlate to backend log lines via one click.
- Client-supplied X-Request-Id is honoured only if it parses as a ULID
  via Str::isUlid. Junk input (empty, non-ULID) is rejected and a
  fresh ULID is generated server-side.
- Registered as a global api-group middleware via the prepend list so
  it runs before authentication. Unauthenticated 4xx responses still
  carry the X-Request-Id header.
- Test count: 1523 to 1532. Larastan clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/bootstrap/app.php

@@ -30,6 +30,10 @@ return Application::configure(basePath: dirname(__DIR__))
         // Read httpOnly auth cookie and inject as Authorization header (before Sanctum)
         $middleware->api(prepend: [
             \App\Http\Middleware\CookieBearerToken::class,
+            // RFC-WS-7 §3.13 — structured logging context + X-Request-Id
+            // round-trip. Runs early so unauthenticated 4xx responses
+            // still carry a request_id header.
+            \App\Http\Middleware\BindRequestLogContext::class,
         ]);
 
         $middleware->alias([