refactor: separate Feed domain state from persistence DTO

Move four DDD tensions on the Feed aggregate to ground:

- #1 The aggregate now holds a domain FeedState (camelCase) instead of the
  snake_case FeedConfig DTO; infrastructure/feed-mapper.ts owns the
  FeedState<->FeedConfig/FeedListItem translation as the sole snake_case site
  outside the HTTP edge.
- #3 Replace the edit() recomputeExpiry control flag with a Lifetime VO:
  passing a lifetime recomputes expiry, omitting it preserves the current one
  (the dashboard quick-edit path).
- #4 Domain events carry their own feedId; dispatchFeedEvents centralizes the
  drain+dispatch in the application layer (no more manual pullEvents at call
  sites), keeping infra->application dependency direction intact.
- #6 Rename FeedId.fromTrusted to FeedId.unchecked to make the absence of
  revalidation explicit.

Adds Lifetime + feed-mapper round-trip tests. 353 tests green, tsc clean,
wrangler dry-run OK. Docs (CLAUDE.md) synced.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/domain/value-objects/feed-id.ts

@@ -17,11 +17,13 @@ export class FeedId {
   }
 
   /**
-   * Wrap an id we already trust — a value we minted ourselves and round-tripped
-   * through our own links or KV keys (route params, the feed list, email keys).
-   * No validation: a wrong id simply misses in KV and 404s, exactly as before.
+   * Wrap a string as a FeedId WITHOUT revalidating it. The caller asserts the id
+   * originated from our own minting — a route param echoing a stored id, a
+   * `feeds:list` entry, or an email/KV key. The name is deliberately blunt: a
+   * wrong id is not rejected here, it simply misses in KV and 404s downstream.
+   * Untrusted external input (an inbound address) must go through `parse` instead.
    */
-  static fromTrusted(value: string): FeedId {
+  static unchecked(value: string): FeedId {
     return new FeedId(value);
   }