Harden deploy workflow and guard Sequoia publishing

[tripledoublev]

Summary

This PR hardens the deploy workflow and adds guardrails around standard.site / Sequoia publishing.

Closes #554

What changed

• harden deploy workflow secret handling and cleanup
• pin actions/checkout, EndBug/add-and-commit, and sequoia-cli
• remove noisy runner debug steps and dead Brotli install
• switch deploy SSH from StrictHostKeyChecking=no to accept-new
• fix social_cards_automation_scripts/editPosts.sh so it updates frontmatter without duplicating image: keys
• run sequoia sync --update-frontmatter before publish
• fail publish when duplicate remote site.standard.document paths already exist for local posts

Why

We confirmed that duplicate site.standard.document records already exist on the PDS for several recent posts. We also verified from Sequoia's current code path that publish decides create vs update from frontmatter atUri, so missing frontmatter mappings can silently create new remote records.

This PR does not clean up old duplicate records. It prevents further silent duplication and makes the current failure mode explicit in CI until the remote state is repaired.

Verification

• workflow YAML parses
• shell scripts pass syntax checks
• editPosts.sh was exercised against a temp markdown file
• duplicate checker was run against the live PDS and correctly detected existing duplicate paths