fix: filter trending noise, fix sidecar auth & restore tech panels — v2.2.6

- Expand SUPPRESSED_TRENDING_TERMS from 13 to ~170 entries to filter
  common English words (department, state, news, etc.) from intelligence
  findings
- Move sidecar admin endpoints (debug-toggle, traffic-log, env-update,
  local-status) before LOCAL_API_TOKEN auth gate — settings window sends
  bare fetch without token, causing silent 401 failures
- Restore Market Radar and Economic Indicators panels to tech variant
- Remove stale Documentation section from README
- Clean up .env.example cyber threat keys (handled internally)
- Bump v2.2.6

src-tauri/sidecar/local-api-server.mjs

@@ -298,15 +298,7 @@ async function dispatch(requestUrl, req, routes, context) {
     return handleLocalServiceStatus(context);
   }
 
-  const expectedToken = process.env.LOCAL_API_TOKEN;
-  if (expectedToken) {
-    const authHeader = req.headers.authorization || '';
-    if (authHeader !== `Bearer ${expectedToken}`) {
-      context.logger.warn(`[local-api] unauthorized request to ${requestUrl.pathname}`);
-      return json({ error: 'Unauthorized' }, 401);
-    }
-  }
-
+  // Localhost-only diagnostics — no token required
   if (requestUrl.pathname === '/api/local-status') {
     return json({
       success: true,
@@ -360,6 +352,15 @@ async function dispatch(requestUrl, req, routes, context) {
     return json({ error: 'POST required' }, 405);
   }
 
+  const expectedToken = process.env.LOCAL_API_TOKEN;
+  if (expectedToken) {
+    const authHeader = req.headers.authorization || '';
+    if (authHeader !== `Bearer ${expectedToken}`) {
+      context.logger.warn(`[local-api] unauthorized request to ${requestUrl.pathname}`);
+      return json({ error: 'Unauthorized' }, 401);
+    }
+  }
+
   if (context.cloudFallback && cloudPreferred.has(requestUrl.pathname)) {
     const cloudResponse = await tryCloudFallback(requestUrl, req, context);
     if (cloudResponse) return cloudResponse;