refactor: tighten DDD boundaries on the Feed aggregate

Address five modeling tensions in one pass:

- Encapsulation: the Feed aggregate no longer exposes raw config/metadata
  (a shallow Readonly still leaked mutable arrays). It now offers
  intention-revealing accessors that return copies, plus
  toConfigSnapshot/toMetadataSnapshot for the repository and summary() for
  the global registry.
- feeds:list consistency: FeedRepository.save/saveConfig upsert the registry
  entry from feed.summary(), so services no longer mirror title/description/
  expiry by hand (the old add/updateInList footgun is gone).
- domain/feed.ts: drop the dead applySenderPolicy, internalise resolveExpiresAt
  and trimToByteBudget into the aggregate; feed.ts keeps only the shared
  isExpired predicate used by the read-model routes.
- Single edit path: remove editDetails; edit(patch, deps) is the sole config
  mutation, with a systematic expired guard. Renaming an expired feed now 403s.
- FeedId flows through the application and infrastructure signatures;
  fromTrusted/parse happen once at the edge, .value only at the serialisation
  boundaries (urls, feed-generator, feed-keys, logs, JSON).

347 tests green, tsc clean, Worker bundle builds.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/routes/hub.ts

@@ -72,12 +72,10 @@ hubRouter.post("/", async (c) => {
     );
   }
   const format = match[1] as "rss" | "atom";
-  const feedId = match[2];
+  const feedId = FeedId.fromTrusted(match[2]);
 
   // Verify the feed exists before accepting any subscription
-  const feedConfig = await FeedRepository.from(env).getConfig(
-    FeedId.fromTrusted(feedId),
-  );
+  const feedConfig = await FeedRepository.from(env).getConfig(feedId);
   if (!feedConfig) {
     return c.text("Not Found: feed does not exist", 404);
   }