fix: exclude openapi spec from authentication middleware

Co-authored-by: aider (openai/andrew/openrouter/deepseek/deepseek-chat-v3.1) <aider@aider.chat>

src/modes/server.rs

@@ -98,15 +98,23 @@ async fn run_server(
         .route("/mcp", post(mcp::handle_mcp_request))
         .with_state(state.clone());
     
-    let app = Router::new()
+    // Create routes that don't require authentication
-        // Add API, documentation, and pages routes first
+    let open_routes = Router::new()
-        .merge(api::add_routes(Router::new()))
         .merge(api::add_docs_routes(Router::new()))
+        .with_state(state.clone())
+        .layer(axum::middleware::from_fn(logging_middleware))
+        .layer(
+            ServiceBuilder::new()
+                .layer(TraceLayer::new_for_http())
+                .layer(CorsLayer::permissive())
+        );
+
+    // Create routes that require authentication
+    let protected_routes = Router::new()
+        .merge(api::add_routes(Router::new()))
         .merge(pages::add_routes(Router::new()))
         .merge(mcp_router)
-        // Apply state
         .with_state(state)
-        // Add middleware layers (applied in reverse order)
         .layer(axum::middleware::from_fn(logging_middleware))
         .layer(axum::middleware::from_fn(create_auth_middleware(config.password.clone(), config.password_hash.clone())))
         .layer(
@@ -115,6 +123,9 @@ async fn run_server(
                 .layer(CorsLayer::permissive())
         );
 
+    // Combine both route groups
+    let app = open_routes.merge(protected_routes);
+    
     let addr: SocketAddr = bind_address.parse()?;
     
     info!("SERVER: HTTP server listening on {}", addr);