fix: final cleanup — disable radial menu, document auth pattern

B14: Comment out RadialMenu render — all 5 wedges show "coming soon"
     toasts with no functional actions. Code preserved for when
     actions are wired.

B5:  Add detailed JSDoc to fetchAuthState explaining the
     redirect:manual pattern and its dependencies on Caddy/Authentik
     configuration.

B9:  Investigated — user-select CSS errors come from MapLibre's own
     maplibre-gl.css, not our code. WONTFIX (library issue).

Caddy changes (CT 101):
B6:  Fixed recon.echo6.co header stripping bug — same pattern as navi
B8:  Added /api/traffic/* to @authed_user (TomTom API must be authed)

src/api.js

@@ -292,7 +292,18 @@ export async function fetchLandclass(lat, lon, signal) {
 
 /**
  * Check authentication state via whoami endpoint.
- * Uses redirect: manual to detect auth without triggering navigation.
+ *
+ * PATTERN: Uses fetch with redirect:'manual' to detect Authentik SSO state
+ * without triggering browser navigation. When unauthenticated, Caddy's
+ * forward_auth returns a 302 redirect to Authentik. With redirect:'manual',
+ * the browser exposes this as resp.type === 'opaqueredirect' instead of
+ * following the redirect.
+ *
+ * DEPENDENCIES:
+ * - /api/auth/whoami must be in Caddy's @authed_user path matcher
+ * - Authentik proxy outpost must return 302 (not 401) for unauthed requests
+ * - If Authentik changes to return 401, update the status check below
+ *
  * @returns {Promise<{authenticated: boolean, username: string|null}>}
  */
 export async function fetchAuthState() {