feat: BindSentryContext middleware + queue job attempt tagging

WS-7 PR-2 commit 2.

- app/Http/Middleware/BindSentryContext.php: sets RFC §3.6 tags on the
  active Sentry scope (app, http.method, route_name, actor_type,
  user_id, organisation_id, event_id, impersonation). Multi-tenant
  invariant: throws RuntimeException in local/testing when an auth
  request to a tenant-scoped route lacks organisation_id; logs a
  warning in production so the user flow still completes.
- app/Listeners/Observability/TagJobAttemptOnSentry.php: tags
  queue.attempt on the scope from the JobProcessing event. Default
  stack-trace grouping preserved per §3.11.
- ActorType: VOLUNTEER case reserved for a future role split. Current
  resolver maps non-admin authenticated users to ORG_MEMBER.
- bootstrap/app.php: registers sentry.context alias. Applied inside
  auth:sanctum groups in routes/api.php so it runs after auth.
- AppServiceProvider::boot registers the queue listener.

Test count: 1507 to 1523. Larastan clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/routes/api.php

@@ -120,7 +120,7 @@ Route::middleware('throttle:30,1')->group(function (): void {
 
 // Platform Admin routes
 Route::prefix('admin')
-    ->middleware(['auth:sanctum', 'impersonation', 'role:super_admin'])
+    ->middleware(['auth:sanctum', 'impersonation', 'sentry.context', 'role:super_admin'])
     ->name('admin.')
     ->group(function () {
         // Organisations
@@ -155,7 +155,7 @@ Route::prefix('admin')
     });
 
 // Protected routes
-Route::middleware(['auth:sanctum', 'impersonation'])->group(function () {
+Route::middleware(['auth:sanctum', 'impersonation', 'sentry.context'])->group(function () {
     // Impersonation (stop — accessible by impersonated user, not just super_admin)
     Route::post('admin/stop-impersonation', [AdminImpersonationController::class, 'stop']);