Return the signed event to the app via custom scheme, not a browser page

A signer-owned Custom Tab never reliably displayed the browser handoff
page, so the token never returned. The Nostr launcher now uses the app's
custom scheme as the callback (einundzwanzig://signed/{k1}/): Amber opens
it directly after signing and the app exchanges the event for a token via
/api/mobile/token — no browser handoff in the loop.

app/Http/Controllers/MobileAuthController.php

@@ -158,9 +158,15 @@ final class MobileAuthController extends Controller
         // encodeURIComponent(JSON.stringify(event)) — the exact encoding
         // Amber accepts. Building it server-side produced subtly different
         // percent-encoding that Amber rejected as malformed.
+        //
+        // The callback is the app's custom scheme, not a portal URL: the
+        // signer opens it directly after signing, so the app receives the
+        // signed event and exchanges it for a token via /api/mobile/token —
+        // no browser handoff page (which a signer-owned Custom Tab failed to
+        // display reliably).
         return view('auth.mobile-nostr-launch', [
             'k1' => $k1,
-            'callbackUrl' => url('/auth/mobile/signed/'.$k1.'/'),
+            'callbackUrl' => 'einundzwanzig://signed/'.$k1.'/',
         ]);
     }