harden(make-pdf): emoji gate + font install per adversarial review

Codex adversarial pass on the implementation diff flagged five robustness
gaps, all fixed here:
- emoji-gate skipped green in CI when poppler/font prerequisites were absent,
  which could let the tofu regression ship behind a green build. Missing
  prerequisites are now a HARD FAILURE when process.env.CI is set; local dev
  still skips cleanly.
- execFileSync children (make-pdf, pdffonts, pdftoppm, fc-match) had no
  timeout; a wedged binary or hostile GSTACK_*_BIN override could hang the
  job past Bun's test timeout. Each child now has a 25s ceiling.
- PPM parser trusted header tokens blindly; malformed/variant output gave a
  silently-wrong count. Now validates magic/dimensions/maxval and pixel-buffer
  length, handles header comments, throws a hard diagnostic on mismatch.
- predictable /tmp paths were collision/symlink-prone; now mkdtempSync under
  /tmp (kept under /tmp for browse's validateOutputPath allowlist).
- only apt-get update was timeout-wrapped; dnf/pacman/apk installs and apt
  install can hang on locks/mirrors. All package installs now timeout-bound.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

test/setup-emoji-font.test.ts

@@ -52,6 +52,12 @@ describe('setup: ensure_emoji_font static invariants', () => {
   test('install path is non-interactive and timeout-guarded', () => {
     expect(helper).toContain('DEBIAN_FRONTEND=noninteractive');
     expect(helper).toMatch(/timeout 30 .*apt-get update/);
+    // Every package-manager INSTALL (not just apt update) must be timeout-bound
+    // so a stuck lock/mirror fails fast instead of hanging setup.
+    expect(helper).toMatch(/timeout \d+ .*apt-get install/);
+    expect(helper).toMatch(/timeout \d+ .*dnf install/);
+    expect(helper).toMatch(/timeout \d+ .*pacman -Sy/);
+    expect(helper).toMatch(/timeout \d+ .*apk add/);
   });
 
   test('covers all four package managers with the correct package names', () => {