feat: BindSentryContext middleware + queue job attempt tagging

WS-7 PR-2 commit 2.

- app/Http/Middleware/BindSentryContext.php: sets RFC §3.6 tags on the
  active Sentry scope (app, http.method, route_name, actor_type,
  user_id, organisation_id, event_id, impersonation). Multi-tenant
  invariant: throws RuntimeException in local/testing when an auth
  request to a tenant-scoped route lacks organisation_id; logs a
  warning in production so the user flow still completes.
- app/Listeners/Observability/TagJobAttemptOnSentry.php: tags
  queue.attempt on the scope from the JobProcessing event. Default
  stack-trace grouping preserved per §3.11.
- ActorType: VOLUNTEER case reserved for a future role split. Current
  resolver maps non-admin authenticated users to ORG_MEMBER.
- bootstrap/app.php: registers sentry.context alias. Applied inside
  auth:sanctum groups in routes/api.php so it runs after auth.
- AppServiceProvider::boot registers the queue listener.

Test count: 1507 to 1523. Larastan clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/bootstrap/app.php

@@ -36,6 +36,11 @@ return Application::configure(basePath: dirname(__DIR__))
             'portal.token' => \App\Http\Middleware\PortalTokenMiddleware::class,
             'role' => \Spatie\Permission\Middleware\RoleMiddleware::class,
             'impersonation' => \App\Http\Middleware\HandleImpersonation::class,
+            // RFC-WS-7 §3.6 — applied inside auth:sanctum groups so it runs
+            // after authentication and can read $request->user(). Cannot live
+            // on the api group because route-level auth middleware runs after
+            // group middleware in Laravel.
+            'sentry.context' => \App\Http\Middleware\BindSentryContext::class,
         ]);
     })
     ->withExceptions(function (Exceptions $exceptions): void {