Fix 7 bugs: security, memory leak, stale state, error handling

- WebSocket: verify task ownership before allowing subscribe (security)
- POI routes: replace assert with HTTPException for production safety
- cancel_task: return HTTP 404 instead of 200 for missing tasks
- routing_config: add descriptive ValueError for invalid env vars
- POIManager: show error feedback instead of silently swallowing failures
- VisualizationCard: reset POI/travel mode state on metric switch
- Map: clean up heatmap layers/sources on unmount to prevent memory leak
- Update test to expect 404 from cancel_task ownership check

frontend/src/components/Map.tsx

@@ -194,6 +194,19 @@ export function Map(props: MapProps) {
             if (updateTimeoutRef.current) {
                 clearTimeout(updateTimeoutRef.current);
             }
+            // Remove heatmap layers and sources before destroying the map
+            if (heatmapRef.current && mapRef.current) {
+                for (const layerId of ['hexgrid-heatmap', 'hexgrid-heatmap-back']) {
+                    if (mapRef.current.getLayer(layerId)) {
+                        mapRef.current.removeLayer(layerId);
+                    }
+                }
+                for (const sourceId of ['hexgrid-heatmap', 'hexgrid-heatmap-back']) {
+                    if (mapRef.current.getSource(sourceId)) {
+                        mapRef.current.removeSource(sourceId);
+                    }
+                }
+            }
             heatmapRef.current = null;
             isMapLoadedRef.current = false;
             mapRef.current?.remove();