refactor(domain): purify the Feed aggregate (Track D — points 1, 4, 6b)

Remove the infrastructure Env leak and ambient time from the domain core, and
model the sender policy as a value object.

- Point 1: Feed.create/edit no longer receive Env. The application layer resolves
  the effective lifetime (parsing FEED_TTL_HOURS and applying the server override)
  via feed-service.resolveTtlHours and hands the domain a plain ttlHours.
  resolveExpiresAt(ttlHours, now) is now pure.
- Point 4: introduce a Clock port (systemClock default), injected at
  create/reconstitute. The aggregate uses clock.now() instead of Date.now().
  The isExpired edge helper keeps its Date.now() default for routes.
- Point 6b: extract SenderPolicy value object built once from the lists
  (decide(senders)) instead of re-parsing per sender; applySenderPolicy is now a
  thin wrapper over it.

Coverage moved with the logic: the FEED_TTL_HOURS override is now pinned by
feed-service.test.ts; aggregate tests use an injected fixed clock.

351 tests pass; tsc --noEmit clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/application/feed-service.test.ts

@@ -0,0 +1,76 @@
+import { describe, it, expect } from "vitest";
+import { createMockEnv } from "../test/setup";
+import { createFeedRecord, editFeed } from "./feed-service";
+import type { Env } from "../types";
+
+const mkEnv = (overrides: Partial<Env> = {}) =>
+  ({ ...createMockEnv(), ...overrides }) as unknown as Env;
+
+const baseInput = {
+  title: "N",
+  language: "en",
+  allowedSenders: [],
+  blockedSenders: [],
+};
+
+const TWO_HOURS = 2 * 3_600_000;
+
+// The lifetime policy (parse env, apply the server-side FEED_TTL_HOURS override)
+// lives here in the application layer; the domain only receives a resolved
+// ttlHours. These tests pin that policy at the public service boundary.
+describe("createFeedRecord — TTL policy", () => {
+  it("never expires when neither server nor client lifetime is set", async () => {
+    const { config } = await createFeedRecord(mkEnv(), { ...baseInput });
+    expect(config.expires_at).toBeUndefined();
+  });
+
+  it("uses the client lifetimeHours when there is no server override", async () => {
+    const before = Date.now();
+    const { config } = await createFeedRecord(mkEnv(), {
+      ...baseInput,
+      lifetimeHours: 2,
+    });
+    expect(config.expires_at!).toBeGreaterThanOrEqual(before + TWO_HOURS);
+  });
+
+  it("lets a server FEED_TTL_HOURS override a larger client lifetime", async () => {
+    const before = Date.now();
+    const { config } = await createFeedRecord(mkEnv({ FEED_TTL_HOURS: "1" }), {
+      ...baseInput,
+      lifetimeHours: 9999,
+    });
+    // 1h (server) wins over 9999h (client).
+    expect(config.expires_at!).toBeLessThan(before + TWO_HOURS);
+  });
+});
+
+describe("editFeed — TTL policy", () => {
+  it("recomputes expiry from the server override on edit", async () => {
+    const env = mkEnv({ FEED_TTL_HOURS: "1" });
+    const { feedId } = await createFeedRecord(env, { ...baseInput });
+
+    const before = Date.now();
+    const result = await editFeed(env, feedId, { title: "renamed" });
+
+    expect(result.status).toBe("ok");
+    if (result.status === "ok") {
+      expect(result.config.title).toBe("renamed");
+      expect(result.config.expires_at!).toBeLessThan(before + TWO_HOURS);
+    }
+  });
+
+  it("preserves expiry when neither server TTL nor client lifetime is given", async () => {
+    const env = mkEnv();
+    const { feedId, config } = await createFeedRecord(env, {
+      ...baseInput,
+      lifetimeHours: 5,
+    });
+
+    const result = await editFeed(env, feedId, { title: "x" });
+
+    expect(result.status).toBe("ok");
+    if (result.status === "ok") {
+      expect(result.config.expires_at).toBe(config.expires_at);
+    }
+  });
+});