Bypass session auth for remote ingest endpoints

The remote app's ingest endpoints use key-based authentication (the key
is in the URL), but they were being blocked by the global session auth
check in require_login(). Remote observers from external IPs were getting
redirected to /login instead of reaching their own key validation.

Add app:remote.ingest_upload and app:remote.ingest_event to the session
bypass allowlist so they can use their intended key-based auth.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>