OpenConceptLab/ocl_online#70 | Track signup and logout in analytics

Remove /users/signup/ and /users/logout/ from AnalyticsMiddleware's
ignore list. They're real user-intent events — top-of-funnel and
session-end signals — and belong in APITransaction like the login
events previously added in ocl_online#55.

The remaining ignore_paths stay skipped — favicon, swagger, redoc,
version, toggles, OIDC code exchange, api-token, password reset, and
/user (singular). Those are noise/auth flows that don't represent
meaningful usage.

Verified no password leak: core/services/analytics_event_emitter.py
captures request method, path (URL + query string), headers (with
auth/cookie redacted), and client — never the request body. Signup
payloads carry the password in POST body, which is not emitted.

Part of the data-extraction-v2 coverage audit. See
ocl-strategy/docs/plans/data-extraction-v2-plan.md item 6 section.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: paynejd

core/middlewares/middlewares.py

@@ -275,11 +275,13 @@ def __call__(self, request):
         response = self.get_response(request)
         path = request.path
 
-        ignore_any_under_paths = ['/users/logout/', '/users/signup/']
+        # /users/signup/ and /users/logout/ are tracked — they're real
+        # user-intent events (top-of-funnel + session-end signal). Login
+        # tracking was added previously via ocl_online#55.
+        ignore_any_under_paths = []
         ignore_paths = [
             '', '/swagger', '/redoc', '/version', '/toggles', '/users/oidc/code-exchange', '/favicon.ico',
             '/users/api-token', '/users/password/reset', '/user',
-            *[p.rstrip('/') for p in ignore_any_under_paths]
         ]
         if path.rstrip("/") not in ignore_paths and not any(path.startswith(p) for p in ignore_any_under_paths):
             duration_ms = int((time.monotonic() - start) * 1000)