fix(web): csp font violation, /pricing 401, residual login emoji

Three bugs caught via devtools on live site:

**1. CSP 'font-src 'self' data:' violation × 3 per landing load.**
BaseLayout was loading Geist + Geist_Mono via next/font/google. In
prod builds Next.js self-hosts those under /_next/static, but the
generated CSS still references `--font-sans: "Geist", …` which some
browsers resolve by re-requesting fonts.gstatic.com. Since we ship
Anthropic Sans/Serif/Mono self-hosted already (/fonts/*.woff2 via
@font-face in globals.css), the Geist dependency was pure overhead.

Removed `next/font/google` imports entirely. Added a `.cm-root`
class on <html> that remaps the Tailwind `--font-sans/--font-mono`
tokens to our `--cm-font-sans/--cm-font-mono` vars — so every
Tailwind `font-sans` / `font-mono` utility now resolves to Anthropic
families. No Google Fonts fetch, no CSP violation.

**2. /pricing 401 on public visit.**
`<Plan>` calls `useCustomer()` → `GET /api/billing/customer` which
needs auth. Unauthed visitor on /pricing → 401 in devtools + wasted
round trip. Gated `useCustomer` on `authClient.useSession()` —
query `enabled: !!session?.user`. Public visitors now skip the fetch
entirely; signed-in users still get their customer record.

**3. Residual "Welcome back! 👋" on /auth/login (both locales).**
Emoji sweep (e91fc80) missed the i18n translation files. Removed 👋
from en/auth.json + es/auth.json login header titles.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/web/src/assets/styles/globals.css

@@ -154,3 +154,13 @@
 :root {
   color-scheme: dark;
 }
+
+/* Override the Tailwind default --font-sans / --font-mono CSS vars
+   (which BaseLayout used to populate from next/font/google Geist).
+   We self-host Anthropic Sans/Serif/Mono now — no Google Fonts fetch,
+   no CSP font-src violation. */
+.cm-root {
+  --font-sans: var(--cm-font-sans);
+  --font-mono: var(--cm-font-mono);
+  --font-serif: var(--cm-font-serif);
+}