Anon /api/activity 401 console-noise on public/open pages

About

Follow-up from the 2026-06-15 web route audit (see task "Web app route audit"). Anonymous visitors trigger GET /api/activity -> 401 on public/open surfaces (profile /u/<handle>, open project /app/projects/u/...). Pages render fine; this is console-noise + a wasted request, not a functional break.

Not fixed in the audit branch because the fetch source is diffuse. It is NOT HomeRecents: HomeRecents also fetches /api/projects, which did not 401 for anon, so HomeRecents isn't mounted for anonymous visitors. Gating the shared useActivityFeed hook on auth breaks the tests of every authed-only caller (ActivityScene/HistoryTab/ObjectTimeline), all for a cosmetic issue.

Right fix: identify the exact client component that mounts useActivityFeed (or fetches /api/activity directly) on anon-reachable public/open pages, and gate it with the hook's EXISTING enabled param (enabled: !!user) at that call site — no shared-hook change, no blast radius on protected tests. Then re-run the anon crawl (scripts/crawl-anon.mjs pattern) to confirm 0x /api/activity 401.

Note: the sibling /api/jump-index 401 was already fixed in the audit branch (useJumpIndex now skips the auth-gated fetch for anon).
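
A check the re-run anon crawl could apply to its recorded responses, as an added example that is not the project's code. The record shape, the gated-endpoint list, the app.example host and the sample entries are assumptions constructed here. It keeps 401 noise apart from a 2xx on a gated endpoint, which would be an exposure rather than noise.

```javascript
// Added example: record shape and endpoint list are assumptions, not the project's crawl format.
const AUTH_GATED = ["/api/activity", "/api/jump-index"]; // endpoints the page reports as 401 for anon

// Constructed sample records (not real crawl output): one entry per response seen while anonymous.
const before = [
  { page: "/u/<handle>", url: "/api/activity?limit=20", status: 401 },
  { page: "/app/projects/u/...", url: "https://app.example/api/activity", status: 401 },
  { page: "/app/projects/u/...", url: "/api/projects", status: 200 },
];
const after = [
  { page: "/u/<handle>", url: "/api/projects", status: 200 },
  { page: "/app/projects/u/...", url: "/api/projects", status: 200 },
];

// Reduce a relative or absolute URL to its path, dropping query string and fragment.
function pathOf(url) {
  return new URL(url, "http://crawl.invalid").pathname;
}

// Classify anonymous responses on auth-gated endpoints:
//   noise   = 401 (the gate held, but the client should not have asked)
//   exposed = 2xx (the gate did not hold: a real finding, not noise)
function auditAnonCrawl(records, gated = AUTH_GATED) {
  const report = { noise: {}, exposed: {} };
  for (const { page, url, status } of records) {
    const path = pathOf(url);
    if (!gated.includes(path)) continue;
    const bucket = status === 401 ? "noise" : status >= 200 && status < 300 ? "exposed" : null;
    if (!bucket) continue;
    if (!report[bucket][path]) report[bucket][path] = { count: 0, pages: [] };
    const entry = report[bucket][path];
    entry.count += 1;
    if (!entry.pages.includes(page)) entry.pages.push(page); // list each page once
  }
  return report;
}

// True when the crawl is clean: no anon 401 noise and no anon 2xx on gated endpoints.
function crawlIsClean(records) {
  const { noise, exposed } = auditAnonCrawl(records);
  return Object.keys(noise).length === 0 && Object.keys(exposed).length === 0;
}
```

The pages list in each noise entry names the anon-reachable surfaces still mounting the fetch, which narrows the search for the call site to gate.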
