feat: implement togglable debug log streaming for server stdout/stderr and client console logs

- Created server/utils/logCapture.js to intercept and buffer server output, stripping ANSI escape codes.
- Created server/middleware/logStreamAuth.js enforcing subnet IP filtering (LOG_ALLOW_SUBNETS), Emby session cookie, Basic Auth fallback, and X-Webhook-Secret header bypass.
- Created server/routes/debug.js with SSE streams /api/debug/server-logs, /api/debug/client-logs and batched POST /api/debug/client-logs. Exposes public configuration status at /api/debug/status.
- Integrated log capture and mounted debug routes in server/app.js and server/index.js.
- Implemented client/src/utils/clientLogCapture.js in the frontend SPA to hook console log/warn/error and flush batched console events.
- Documented all endpoints in OpenAPI server/openapi.yaml, ARCHITECTURE.md, and README.md.
- Wrote route integration tests and frontend console capture tests, with full validation in swagger-coverage.

server/app.js

@@ -26,6 +26,7 @@ const historyRoutes = require('./routes/history');
 const authRoutes = require('./routes/auth');
 const webhookRoutes = require('./routes/webhook');
 const ombiRoutes = require('./routes/ombi');
+const debugRoutes = require('./routes/debug');
 const verifyCsrf = require('./middleware/verifyCsrf');
 
 function createApp({ skipRateLimits = false } = {}) {
@@ -213,6 +214,7 @@ function createApp({ skipRateLimits = false } = {}) {
   app.use('/api', apiLimiter);
   app.use('/api/auth', authRoutes);
   app.use('/api/webhook', webhookRoutes);
+  app.use('/api/debug', debugRoutes);
 
   // CSRF protection for all state-changing API requests below
   app.use('/api', verifyCsrf);