Decouple cross-domain DB queries for per-app database split

Move Ghost membership sync from blog to account service so blog no
longer queries account tables (users, ghost_labels, etc.). Account
runs membership sync at startup and exposes HTTP action/data endpoints
for webhook-triggered syncs and user lookups.

Key changes:
- account/services/ghost_membership.py: all membership sync functions
- account/bp/actions + data: ghost-sync-member, user-by-email, newsletters
- blog ghost_sync.py: stripped to content-only (posts, authors, tags)
- blog webhook member: delegates to account via call_action()
- try_publish: opens federation session when DBs differ
- oauth.py callback: uses get_account_session() for OAuthCode
- page_configs moved from db_events to db_blog in split script

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

shared/infrastructure/ghost_admin_token.py

@@ -0,0 +1,46 @@
+import os
+import time
+import jwt  # PyJWT
+from typing import Tuple
+
+
+def _split_key(raw_key: str) -> Tuple[str, bytes]:
+    """
+    raw_key is the 'id:secret' from Ghost.
+    Returns (id, secret_bytes)
+    """
+    key_id, key_secret_hex = raw_key.split(':', 1)
+    secret_bytes = bytes.fromhex(key_secret_hex)
+    return key_id, secret_bytes
+
+
+def make_ghost_admin_jwt() -> str:
+    """
+    Generate a short-lived JWT suitable for Authorization: Ghost <token>
+    """
+    raw_key = os.environ["GHOST_ADMIN_API_KEY"]
+    key_id, secret_bytes = _split_key(raw_key)
+
+    now = int(time.time())
+
+    payload = {
+        "iat": now,
+        "exp": now + 5 * 60,   # now + 5 minutes
+        "aud": "/admin/",
+    }
+
+    headers = {
+        "alg": "HS256",
+        "kid": key_id,
+        "typ": "JWT",
+    }
+
+    token = jwt.encode(
+        payload,
+        secret_bytes,
+        algorithm="HS256",
+        headers=headers,
+    )
+
+    # PyJWT returns str in recent versions; Ghost expects bare token string
+    return token