Move workspace_id ownership validation from handler-level decorators into
the OpenAPI auth pipeline. guard_workspace() sets workspace_membership and
allowed_roles on RequestContext; pipeline steps load the tenant, verify
membership via TenantAccountJoin, check workspace_id mismatch, and gate
on role — all before the handler runs. Covers CE/EE/SaaS editions.
Migrates apps.py and workspaces.py endpoints; replaces the ad-hoc
require_workspace_role decorator with pipeline-native enforcement.