Security · Agent-ready

API authentication accepts session tokens and workspace headers

The API now accepts first-party session tokens alongside API keys, and the x-tenant-id header is validated against your workspace membership before taking effect.

Two authentication improvements shipped together to tighten access control across the API.

  • First-party session tokens are now accepted on all authenticated API routes, so browser-based flows no longer require a separate API key
  • x-tenant-id is now validated against the caller's workspace membership; unrecognized or unauthorized values are rejected rather than passed through
  • Staff email allowlist is honored even when the database promotion step fails, preventing lockouts during degraded states
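
The membership check on x-tenant-id described above, sketched as an added example; it is not the product's own code. The `Caller` type, the membership table, the tenant id format and the fallback to a default workspace when no header is sent are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass


class TenantRejected(Exception):
    """The requested tenant must not take effect (would map to HTTP 403)."""


@dataclass(frozen=True)
class Caller:
    """Principal already authenticated by session token or API key."""
    user_id: str
    default_tenant: str  # assumption: used when no x-tenant-id is sent


# Constructed sample data: user id -> workspaces the user belongs to.
MEMBERSHIPS = {
    "u-alice": {"ws-red", "ws-blue"},
    "u-bob": {"ws-blue"},
}

TENANT_ID = re.compile(r"[a-z0-9-]{1,64}")  # assumed id format


def resolve_tenant(caller, headers, memberships=MEMBERSHIPS):
    """Return the tenant a request runs as, or raise TenantRejected.

    `headers` is a list of (name, value) pairs so duplicates stay visible.
    """
    # Header names are case-insensitive; collect every copy that was sent.
    values = [v.strip() for k, v in headers if k.lower() == "x-tenant-id"]
    if not values:
        tenant = caller.default_tenant
    elif len(set(values)) > 1:
        # Two different values could be read differently by a proxy and the app.
        raise TenantRejected("conflicting x-tenant-id headers")
    else:
        tenant = values[0]
        if not TENANT_ID.fullmatch(tenant):
            raise TenantRejected("malformed x-tenant-id")
    # Unknown and unauthorized tenants fail the same way, so the response
    # does not reveal which workspace ids exist.
    if tenant not in memberships.get(caller.user_id, set()):
        raise TenantRejected("not a member of the requested workspace")
    return tenant
```

Resolving the tenant once, after authentication, and passing the returned value to handlers keeps downstream code from reading the raw header again.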