Vendor + SRI-pin front-end libs; add render smoke gate (v0.1.0:82)

React/ReactDOM/Babel were loaded from the unpkg CDN at runtime — react@18
and react-dom@18 weren't even exact-pinned, and none had SRI. A CDN swap (or
react auto-resolving a new 18.x) could blank the whole app with no change on
our side: exactly the v78/v79 blank-screen class. It also made the self-hosted
box depend on outbound internet to render.

Vendor the three libs into frontend/assets/vendor/ (React 18.3.1, ReactDOM
18.3.1, @babel/standalone 7.29.7) and load them same-origin with sha384
integrity attributes. They now ship inside the s9pk (Dockerfile already COPYs
frontend/; server.py serves /assets/* with the path-containment check), so a
CDN can never swap prod deps again and no outbound fetch is needed at runtime.

Add start9/0.4/render-smoke.mjs: a jsdom render smoke check that (1) runs the
shipped Babel over the app's inline JSX and asserts a classic, non-module,
parseable script (the v79 ESM-import regression), and (2) mounts the app in
jsdom and asserts the login UI renders (the v78 blank-screen class). Wired into
the default `make` goal so every package build is gated on the frontend
actually rendering — closing the "verified live via curl only" gap. jsdom is a
build-time devDependency, not shipped in the image.

start9/0.4/startos/versions/index.ts

@@ -42,8 +42,9 @@ import { v_0_1_0_78 } from './v0.1.0.78'
 import { v_0_1_0_79 } from './v0.1.0.79'
 import { v_0_1_0_80 } from './v0.1.0.80'
 import { v_0_1_0_81 } from './v0.1.0.81'
+import { v_0_1_0_82 } from './v0.1.0.82'
 
 export const versionGraph = VersionGraph.of({
-  current: v_0_1_0_81,
-  other: [v_0_1_0_39, v_0_1_0_40, v_0_1_0_41, v_0_1_0_42, v_0_1_0_43, v_0_1_0_44, v_0_1_0_45, v_0_1_0_46, v_0_1_0_47, v_0_1_0_48, v_0_1_0_49, v_0_1_0_50, v_0_1_0_51, v_0_1_0_52, v_0_1_0_53, v_0_1_0_54, v_0_1_0_55, v_0_1_0_56, v_0_1_0_57, v_0_1_0_58, v_0_1_0_59, v_0_1_0_60, v_0_1_0_61, v_0_1_0_62, v_0_1_0_63, v_0_1_0_64, v_0_1_0_65, v_0_1_0_66, v_0_1_0_67, v_0_1_0_68, v_0_1_0_69, v_0_1_0_70, v_0_1_0_71, v_0_1_0_72, v_0_1_0_73, v_0_1_0_74, v_0_1_0_75, v_0_1_0_76, v_0_1_0_77, v_0_1_0_78, v_0_1_0_79, v_0_1_0_80],
+  current: v_0_1_0_82,
+  other: [v_0_1_0_39, v_0_1_0_40, v_0_1_0_41, v_0_1_0_42, v_0_1_0_43, v_0_1_0_44, v_0_1_0_45, v_0_1_0_46, v_0_1_0_47, v_0_1_0_48, v_0_1_0_49, v_0_1_0_50, v_0_1_0_51, v_0_1_0_52, v_0_1_0_53, v_0_1_0_54, v_0_1_0_55, v_0_1_0_56, v_0_1_0_57, v_0_1_0_58, v_0_1_0_59, v_0_1_0_60, v_0_1_0_61, v_0_1_0_62, v_0_1_0_63, v_0_1_0_64, v_0_1_0_65, v_0_1_0_66, v_0_1_0_67, v_0_1_0_68, v_0_1_0_69, v_0_1_0_70, v_0_1_0_71, v_0_1_0_72, v_0_1_0_73, v_0_1_0_74, v_0_1_0_75, v_0_1_0_76, v_0_1_0_77, v_0_1_0_78, v_0_1_0_79, v_0_1_0_80, v_0_1_0_81],
 })

start9/0.4/startos/versions/v0.1.0.82.ts

@@ -0,0 +1,21 @@
+import { VersionInfo } from '@start9labs/start-sdk'
+
+// Vendor + SRI-pin the front-end libs. Code-only, no schema change (migrations are no-ops):
+//   * React 18.3.1, ReactDOM 18.3.1, and @babel/standalone 7.29.7 are now vendored into
+//     frontend/assets/vendor/ and loaded same-origin with sha384 integrity attributes,
+//     instead of from the unpkg CDN. A CDN can no longer swap our prod deps (the v78/v79
+//     blank-screen class), and the box needs no outbound internet to render the UI.
+//   * Adds start9/0.4/render-smoke.mjs — a jsdom render smoke check (transform-level +
+//     real mount of the login UI) wired into the default `make` goal, so every package
+//     build is gated on the frontend actually rendering. Dev/build-time only; not shipped.
+export const v_0_1_0_82 = VersionInfo.of({
+  version: '0.1.0:82',
+  releaseNotes: {
+    en_US: [
+      'Front-end libraries (React, ReactDOM, Babel) are now bundled in the package and',
+      'integrity-checked instead of loaded from a CDN, so the app renders reliably with no',
+      'external dependency. No data changes.',
+    ].join(' '),
+  },
+  migrations: { up: async () => {}, down: async () => {} },
+})