verification: add smoke test suite for Sinatra app (no behavior change)

[barretts]

What

Adds the first test infrastructure to this repo (previously zero tests):

• Gemfile -- rspec + rack-test in :test group
• .rspec config
• spec/spec_helper.rb -- minimal Rack::Test setup against Sinatra::Application
• spec/smoke_spec.rb -- 7 assertions verifying the Sinatra app boots and serves traffic

Why

Establishes layer L4 (smoke) of the workspace verification ladder
defined in heroku/3pp-grackle/docs/verification-specs/12factor.md.

This repo previously had zero automated tests -- a syntax error or
removed Sinatra method would ship to prod undetected. The smoke catches
the most common regression class: gem bumps (rack, sinatra,
rack-session, i18n) that accidentally break require-time init or
middleware-stack composition.

This is the Phase 1 pilot for the Ruby-app pattern -- the same shape
will be reused for signup, trials-manager, www, elements,
and jambox.

Asserts (boot-only)

1. Loading web.rb does not raise (Sinatra/rack/i18n init succeeds)
2. GET / returns 200 with HTML body referencing Twelve-Factor
3. GET /ja/ returns 200 (localized path; i18n routing alive)
4. GET /__nonexistent__ returns 404 (not 500)
5. Rack is at version 3.x or higher
6. Sinatra is at version 3.x or higher
7. Sinatra::Application constant is defined (boot completed)

CVE-specific floor assertions (e.g. rack >= 3.1.21) are deliberately
NOT in this smoke -- those belong in L7 regression tests on the
relevant fix PRs. Mixing them would make this smoke fail on main
whenever a CVE bump hadn't merged yet, defeating its purpose as a
"does it boot?" gate.

Local verification

$ bundle exec rspec spec/smoke_spec.rb
12factor smoke -- Sinatra app boot
  app loads
    web.rb required without error during spec_helper load
  GET /
    returns HTTP 200
    returns an HTML body referencing Twelve-Factor
  GET /ja/
    returns HTTP 200 (localized path -- i18n routing alive)
  GET /__nonexistent__
    returns 404, not 500
  core stack loads at meaningful versions
    Rack is at version 3.x or higher
    Sinatra is loaded

7 examples, 0 failures

Behavior change

None. This PR only adds test infrastructure. web.rb, the locale
files, and the views are untouched. The two new test gems
(rspec, rack-test) are in the :test Gemfile group and not
shipped to production.

Recommended follow-up: CI workflow

This repo's only existing GHA-equivalent is a no-op .travis.yml
(script: exit 0). A GitHub Actions workflow that runs rspec
on every PR would close the gap. Suggested content (deferred from this
PR per local security-hook policy on workflow edits):

name: CI
on:
  pull_request:
  push:
    branches: [main]
jobs:
  smoke:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - run: bundle exec rspec spec/smoke_spec.rb

Refs

• 3pp-grackle Phase 1 verification-specs initiative
• Spec: docs/verification-specs/12factor.md
• Cross-repo index: docs/verification-specs/INDEX.md