refactor: move KV repositories to infrastructure (Track P — points 2, 6c)

Make the domain stop depending on infrastructure ("imports point inward").

- Point 2: relocate the four KV adapters (FeedRepository, IconRepository,
  WebSubSubscriptionRepository, CountersRepository) from domain/ to
  infrastructure/, where the logger import is legitimate. The domain now keeps
  only the pure key schema (feed-keys.ts), the Feed aggregate and value objects;
  it imports nothing outward. Deliberately no hand-rolled 24-method port
  interface (YAGNI without DI) — relocation alone fixes the direction.
- Point 6c: EmailParser.extractFeedId now returns a validated FeedId value
  object instead of a raw string, so the most untrusted input (an inbound
  recipient address) is guarded at the parse boundary and no longer round-trips
  through FeedId.fromTrusted in the ingest path.

All import paths updated; CLAUDE.md source layout/KV-schema notes updated.
351 tests pass; tsc --noEmit clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/domain/email-parser.ts

@@ -1,10 +1,15 @@
 import { EmailData } from "../types";
-import { FeedId } from "../domain/value-objects/feed-id";
+import { FeedId } from "./value-objects/feed-id";
 
 export class EmailParser {
-  // Matches noun1.noun2.XY (the feed ID format) before the @ symbol
-  static extractFeedId(emailAddress: string): string | null {
-    return FeedId.parse(emailAddress)?.value ?? null;
+  /**
+   * Extract the feed id from an inbound recipient address. Returns a validated
+   * `FeedId` value object (not a raw string) so the most untrusted input in the
+   * system — an address typed by a sender — is guarded at the parse boundary and
+   * never needs `FeedId.fromTrusted` downstream.
+   */
+  static extractFeedId(emailAddress: string): FeedId | null {
+    return FeedId.parse(emailAddress);
   }
 
   // eslint-disable-next-line @typescript-eslint/no-explicit-any