Add excluded paths support for forward auth (fixes #108)

Allow users to exclude specific paths from Authentik/CPM forward auth
protection. When excluded_paths is set, all paths require authentication
EXCEPT the excluded ones — useful for apps like Navidrome that need
/share/* and /rest/* to bypass auth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/api/v1/openapi.json/route.ts

@@ -1448,6 +1448,7 @@ const spec = {
           trustedProxies: { type: "array", items: { type: "string" }, example: ["private_ranges"] },
           setOutpostHostHeader: { type: "boolean" },
           protectedPaths: { type: ["array", "null"], items: { type: "string" }, description: "Paths to protect (null = all)" },
+          excludedPaths: { type: ["array", "null"], items: { type: "string" }, description: "Paths to exclude from auth (bypassed while rest is protected)" },
         },
       },
       LoadBalancerConfig: {