Vendor + SRI-pin front-end libs; add render smoke gate (v0.1.0:82)

React/ReactDOM/Babel were loaded from the unpkg CDN at runtime — react@18
and react-dom@18 weren't even exact-pinned, and none had SRI. A CDN swap (or
react auto-resolving a new 18.x) could blank the whole app with no change on
our side: exactly the v78/v79 blank-screen class. It also made the self-hosted
box depend on outbound internet to render.

Vendor the three libs into frontend/assets/vendor/ (React 18.3.1, ReactDOM
18.3.1, @babel/standalone 7.29.7) and load them same-origin with sha384
integrity attributes. They now ship inside the s9pk (Dockerfile already COPYs
frontend/; server.py serves /assets/* with the path-containment check), so a
CDN can never swap prod deps again and no outbound fetch is needed at runtime.

Add start9/0.4/render-smoke.mjs: a jsdom render smoke check that (1) runs the
shipped Babel over the app's inline JSX and asserts a classic, non-module,
parseable script (the v79 ESM-import regression), and (2) mounts the app in
jsdom and asserts the login UI renders (the v78 blank-screen class). Wired into
the default `make` goal so every package build is gated on the frontend
actually rendering — closing the "verified live via curl only" gap. jsdom is a
build-time devDependency, not shipped in the image.

start9/0.4/Makefile

@@ -1,4 +1,18 @@
 # overrides to s9pk.mk must precede the include statement
 ARCHES := x86
 
+# Gate the default `make` on the frontend render smoke check (catches the v78/v79
+# blank-screen class that curl/health checks miss). render-smoke.mjs is dev/build-time
+# only — it is not shipped in the image.
+.DEFAULT_GOAL := verified-build
+
 include s9pk.mk
+
+render-smoke: | node_modules
+	@echo " Render smoke check (frontend)..."
+	@node render-smoke.mjs
+
+verified-build: render-smoke
+	@$(MAKE) --no-print-directory $(ARCHES)
+
+.PHONY: render-smoke verified-build