fix(sacred-valley): review polish — render-gen guard, auth-boundary tests, PNG sig, dedup note

Addresses final-review findings: I1 render-generation guard prevents a double-mount
/timer leak on rapid re-navigation; I2 adds anonymous-rejection tests for the owner-only
POST /speedtest/run and /health/check; M1 CSS comment; M2 cron↔worker dedup note;
M4 full 8-byte PNG signature check; M5 card-contract unit test for all 7 cards.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/api/health.test.js

@@ -10,6 +10,8 @@ beforeAll(async () => {
 });
 describe('health api', () => {
   it('401 without auth', async () => expect((await request(app).get('/api/health/services')).status).toBe(401));
+  it('POST /check rejects anonymous (owner-only mutation)', async () =>
+    expect((await request(app).post('/api/health/check')).status).toBe(401));
   it('returns groups with counts + merged cached status', async () => {
     const res = await request(app).get('/api/health/services').set(ownerHeaders);
     expect(res.status).toBe(200);

tests/api/speedtest.test.js

@@ -7,6 +7,8 @@ let app, ownerHeaders;
 beforeAll(async () => { ({ app, ownerHeaders } = await setup()); await repo.record({ down_mbps: 50, up_mbps: 10, ping_ms: 12 }); });
 describe('speedtest api', () => {
   it('401 without auth', async () => expect((await request(app).get('/api/speedtest/history')).status).toBe(401));
+  it('POST /run rejects anonymous (auth boundary before enqueue)', async () =>
+    expect((await request(app).post('/api/speedtest/run')).status).toBe(401));
   it('history returns rows', async () => {
     const res = await request(app).get('/api/speedtest/history').set(ownerHeaders);
     expect(res.status).toBe(200);