Allow API/_next requests to bypass middleware; fix settings save; standardize public URL

Allowed requests to paths starting with /api/ and /_next/ to pass through middleware unchanged so relative fetch() calls from subdomain pages reach the intended Next.js route handlers.auth
Updated project creation and settings forms to use buildChangelogUrl for the public URL display, ensuring consistent URLs across the app.frontend

Resolved the project settings PATCH handler to look up the internal user ID before saving so settings are recorded with the correct internal user.backend