fix(sacred-valley): review polish — render-gen guard, auth-boundary tests, PNG sig, dedup note

Addresses final-review findings: I1 render-generation guard prevents a double-mount
/timer leak on rapid re-navigation; I2 adds anonymous-rejection tests for the owner-only
POST /speedtest/run and /health/check; M1 CSS comment; M2 cron↔worker dedup note;
M4 full 8-byte PNG signature check; M5 card-contract unit test for all 7 cards.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

public/views/sacred_valley.js

@@ -14,8 +14,10 @@ import speedtest from './cards/speedtest.js';
 
 const CARD_MODULES = [clock, weather, hostPerf, jobs, inbox, search, speedtest];   // grows in later tasks
 let active = [];                                   // mounted cards needing stop()
+let renderGen = 0;                                 // guards against overlapping async renders
 
 export async function render(main) {
+  const myGen = ++renderGen;
   active.forEach(c => c.stop && c.stop()); active = []; stopHealthBand();
   mount(main,
     el('h1', { class: 'view-h1' }, 'Sacred Valley'),
@@ -26,6 +28,9 @@ export async function render(main) {
 
   let layout = { card_order: [], hidden: [], sizes: {} };
   try { layout = await api.get('/api/dashboard/layout'); } catch { /* defaults */ }
+  // A newer render() started while we awaited — bail before mounting timers/DOM
+  // so we don't double-mount cards or leak intervals onto the live grid.
+  if (myGen !== renderGen) return;
 
   const grid = document.getElementById('sv-cards');
   const ordered = orderCards(CARD_MODULES, layout);