Signed Open Graph card URLs prevent broken card images

Open Graph card images are now served from a single signed endpoint. Each page signs the exact card payload it advertises, and the image controller verifies that signature before rendering the card. This fixes cases where a page advertised a card image URL that returned Not Found because the page and image controller were computing the card data independently. Existing page authorization still applies to private card data, and unchanged card data still produces the same stable image address.