Review: this branch does not build

The headline issue is that the merge of main into this branch (5852175) was resolved by concatenating both sides of the conflict in apps/backend/src/routes/public.ts instead of merging them. The result does not parse, let alone type-check, so none of the validation listed in the PR description can be passing on the current head.

Reproduced locally on 5852175:

# typecheck
src/routes/public.ts(81,7): error TS1005: 'try' expected.
src/routes/public.ts(136,7): error TS1005: 'try' expected.
src/routes/public.ts(182,7): error TS1005: 'try' expected.
src/routes/public.ts(231,4): error TS1128: Declaration or statement expected.

# lint
src/routes/public.ts 81:6 error Parsing error: 'try' expected

# vitest
The symbol "CACHE_CONTROL_HEADER" has already been declared (public.ts:34:6)
Unexpected "catch" (public.ts:81:6)
  -> public.test.ts: 0 tests collected, suite fails to load

The PR note says the build is "blocked by existing unrelated TypeScript issues" — that is not accurate. The failures above are caused by this branch's merge, not by pre-existing problems, and they are syntax errors, not type nits.

Must fix (blocking)

1. public.ts: redo the merge by hand. Every handler now contains the new code, a duplicated copy of the old code that is unreachable after a return, and a second catch block — that is what produces the 'try' expected errors at lines 81, 136, 182. Duplicated import * as publicService (lines 3 & 9) and duplicated const CACHE_CONTROL_HEADER (lines 21 & 34) also need to collapse to one each.
2. Get tsc --noEmit, eslint, and vitest green and re-run the commands in the PR description before re-requesting review.

Should fix

3. The client-side OG meta tags will not be seen by any social scraper. Slack/Twitter/Facebook/Discord/WhatsApp crawlers do not execute JavaScript; they read the initial HTML response. Injecting og:* / twitter:* via a React useEffect (ProfilePage.tsx) means the rich preview this PR is built for never renders for those bots. The backend image endpoint is fine, but the tags pointing at it need to be server-rendered (SSR / prerender / a meta-injecting middleware on the profile route). As written, the feature does not achieve its stated goal.
4. fetchAvatarBase64 SSRF guard is incomplete and unbounded. Requiring https:// does not prevent SSRF — https://169.254.169.254/..., https://localhost, and https://10.0.0.x are all still fetched server-side. There is also no response-size cap, so a malicious avatar URL can stream an arbitrarily large body into memory via arrayBuffer(). See inline comment.

Nits

5. The OG route queries app.prisma.user.findUnique directly, while every other handler in this file goes through publicService. Inconsistent; consider moving it behind the service for testability and parity.
6. buildMetaDescription counts platforms via profile.links.length, but the image counts _count.platformLinks. These can disagree (links shown vs total connected).

The OG image generation itself (og-image.ts SVG template, XML escaping, hex sanitisation, initials fallback, fire-and-forget cache write, the test coverage) is solid work. The blocker is purely the broken merge — fix that and most of this is mergeable.