Add AUDIT_INCLUDED_PATHS env var for whitelist-based audit filtering. When set, only matching paths are audited and AUDIT_EXCLUDED_PATHS is ignored. Auth endpoints (signin/signout/signup) are always logged regardless of filtering mode.