fix(auth): allow /api/cron paths past middleware (self-guarded by CRON_SECRET)

The middleware matcher intercepts /api/cron/* but the prefix was absent from
publicPaths, so unauthenticated scheduler calls were 307'd to /login and the
cron handlers never ran. All 9 cron routes already enforce x-cron-secret, so
opening the prefix is safe and unblocks the new final-document-reminders cron
(and repairs the existing crons). Same class of gap as the /lunch/pick fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Matt
2026-06-09 16:03:55 +02:00
parent e4f13aaed4
commit 146691be00

@@ -61,6 +61,7 @@ export const authConfig: NextAuthConfig = {
'/lunch/pick', // external attendees pick a dish via signed token (no account)
'/api/auth',
'/api/trpc', // tRPC handles its own auth via procedures
'/api/cron', // cron endpoints self-guard via x-cron-secret (CRON_SECRET)
]
// Check if it's a public path
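
Review bot: the new '/api/cron' entry makes the whole prefix public, so the only protection left is each handler's own x-cron-secret check, and nothing in this hunk enforces that for routes added under the prefix later. Consider moving the check into one shared helper that every cron route calls, or adding a test that walks the /api/cron route files and asserts a request without the header is rejected; the helper should fail closed when CRON_SECRET is unset and compare the header in constant time. The matching logic under "// Check if it's a public path" is also not visible here: if it is a plain startsWith, '/api/cron' will match sibling paths as well (for example a hypothetical '/api/cron-export'), so a segment-aware match or a trailing slash on this entry would be tighter.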