Secure ntfy topic: add auth token to prevent public subscription/spoofing #11

@FrederikHandberg

Problem

https://ntfy.sh/jensen-tutoria is a public topic. Anyone who discovers it can:

  • Subscribe and receive all system failure alerts, job completions, and morning report notifications
  • Push fake alerts that could trigger false responses

This is the primary push channel for Jensen's system health notifications.

Fix

  1. Create an ntfy access token at https://ntfy.sh/account
  2. Add NTFY_TOKEN to ~/.secrets or the .env equivalent
  3. Update all notify.sh calls to include -H "Authorization: Bearer $NTFY_TOKEN"
  4. Update the ntfy topic to be private/protected
  5. Update any Shortcuts or iOS ntfy subscriptions with the token

This is a free tier feature. One env var, one header change.

Acceptance Criteria

  • ntfy access token created and stored in ~/.secrets
  • All notify.sh calls use the auth header
  • Topic is no longer publicly subscribable
  • Existing iOS/Shortcuts notifications still work with auth

Context

From Jensen limitation audit (2026-03-22). Workstream: WS-001.
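
One way to wire steps 2 to 4 and the "no longer publicly subscribable" criterion into a shell helper, as an added example that is not the repository's notify.sh. The function names are hypothetical and NTFY_TOKEN is assumed to be exported from ~/.secrets. The header is passed through curl's `--config -` on stdin rather than the `-H` form given in the issue, so the token stays out of the process list.

```shell
#!/bin/sh
# Added example, not the repository's notify.sh. Assumes NTFY_TOKEN is exported
# (e.g. sourced from ~/.secrets) and uses the topic URL named in the issue.
NTFY_URL="${NTFY_URL:-https://ntfy.sh/jensen-tutoria}"

# Emit a curl config line carrying the bearer token, or fail when the token is
# unset or malformed. ntfy access tokens start with "tk_"; restricting the rest
# to alphanumerics keeps quotes and newlines out of the curl config.
auth_config() {
    case "${NTFY_TOKEN:-}" in
        tk_*) ;;
        *) echo "notify: NTFY_TOKEN missing or not an ntfy token" >&2; return 1 ;;
    esac
    case "${NTFY_TOKEN#tk_}" in
        ''|*[!A-Za-z0-9]*) echo "notify: NTFY_TOKEN has unexpected characters" >&2; return 1 ;;
    esac
    printf 'header = "Authorization: Bearer %s"\n' "$NTFY_TOKEN"
}

# notify TITLE MESSAGE: publish with auth; never falls back to anonymous.
# The header reaches curl on stdin (--config -), so the token does not appear
# in the process list the way it would with -H on the command line.
notify() {
    cfg=$(auth_config) || return 1
    printf '%s\n' "$cfg" | curl -fsS --config - -H "Title: $1" -d "$2" "$NTFY_URL" >/dev/null
}

# Classify the HTTP status of an unauthenticated request: 401/403 = protected.
topic_is_protected() {
    case "$1" in 401|403) return 0 ;; *) return 1 ;; esac
}

# Poll the topic once with no credentials and report whether it is refused.
verify_topic_private() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$NTFY_URL/json?poll=1")
    if topic_is_protected "$status"; then
        echo "ok: anonymous subscribe refused ($status)"
    else
        echo "FAIL: anonymous subscribe returned $status" >&2; return 1
    fi
}
```

Running `verify_topic_private` after step 4 checks the third acceptance criterion from outside; `notify` failing without a token makes any un-migrated call site visible instead of silently publishing unauthenticated.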
