Three pieces land together so NpgsqlRest can act as an external Web API
service for a separate partner or frontend application:

1. Fix: named cookie schemes actually authenticate requests.
   Auth:Schemes (3.13.0) issued the cookie correctly on login but no
   endpoint accepted it because the default authenticate scheme was
   chosen without counting named schemes, and the policy-scheme
   selector only branched on Bearer-vs-cookie header type. Builder
   now pre-scans Auth:Schemes for Cookie-type entries, registers a
   synthetic policy scheme (`NpgsqlRest_PolicyScheme`) when only
   cookie schemes drive the multi-scheme case, and dispatches by
   matching the actual cookie name present on the request.

2. Feat: CookieSameSite + CookieSecure config on the main scheme and
   each Auth:Schemes:<name> Cookies-type entry. Required for SPA
   on a different origin calling this API — without these,
   ASP.NET's defaults (Lax / SameAsRequest) silently drop the
   session cookie on cross-site requests. Unset = ASP.NET default
   (existing behavior preserved). Startup warning fires when
   SameSite=None is set without Secure=Always so the
   "logs in but next request is anonymous" trap is observable.

3. Feat: OpenAPI filtering for partner-facing documents.
   - OpenApiOptions: IncludeSchemas, ExcludeSchemas, NameSimilarTo,
     NameNotSimilarTo (PostgreSQL SIMILAR TO patterns translated to
     anchored .NET regex), RequiresAuthorizationOnly.
   - New @openapi comment annotation: `hide` / `hidden` / `ignore`
     skips the routine from the document; `tag <name>` / `tags <a>,<b>`
     replaces the default schema-name tag for Swagger UI grouping.
   - Filter gate runs before any work in OpenApi.Handle() — endpoint
     stays HTTP-reachable, only the spec entry is suppressed.
   - Wired into NpgsqlRestClient via NpgsqlRest:OpenApiOptions, with
     defaults in ConfigDefaults / template comments in ConfigTemplate
     and appsettings.json / descriptions in ConfigSchemaGenerator.
   - App.BuildOpenApiOptions extracted for direct testability.

Tests
- 16 AuthPolicySchemeTests: CookieSchemesInOrder population, policy
  scheme registration decisions, ForwardDefaultSelector dispatch.
- 15 AuthCookieSameSiteSecureTests: all enum parsing, invalid-value
  fail-fast (root + named scheme), unset preserves ASP.NET default,
  per-scheme inheritance and override.
- 16 OpenApiFilterTests: each filter in isolation + composition,
  SIMILAR TO syntax (`_`, `%`, alternation, anchoring).
- 9 OpenApiAnnotationTests: all four hide aliases, tag single/multi,
  original-casing preservation, default schema-tag control.
- 11 OpenApiClientConfigTests: appsettings.json -> OpenApiOptions
  wiring per key, plus the full partner-facing config round-trip.

2020/2020 tests pass. No breaking changes — every new config key
defaults to "no filter" or "ASP.NET default", so existing
appsettings.json files work unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>