chore(geocoding): remove Pelias + close 3 bypass paths to public Nominatim

Pelias was retired from the Mac mini on 2026-04-28; photon-self
(self-hosted Photon on mana-gpu) has been the live primary since then.
This removes the now-dead Pelias adapter, config, tests, and the
services/mana-geocoding/pelias/ stack — the entire compose file, the
geojsonify_place_details.js patch, the setup.sh import script.

Provider chain is now `photon-self → photon → nominatim`. The chain
keeps its `privacy: 'local' | 'public'` split, sensitive-query
blocking, coord quantization, and aggressive caching unchanged.

Three direct calls to nominatim.openstreetmap.org that bypassed
mana-geocoding now route through the wrapper:

- citycorners/add-city + citycorners/cities/[slug]/add use the shared
  searchAddress() client (browser → same-origin proxy → mana-geocoding
  → photon-self).
- memoro mobile drops its OSM reverse-geocoding fallback entirely;
  Expo's on-device reverse-geocoding stays as the sole path. Routing
  through the wrapper would require a memoro-server proxy endpoint —
  a follow-up if Expo's quality proves insufficient.

Other behavioral changes:

- CACHE_PUBLIC_TTL_MS dropped from 7d → 1h. The long TTL was a
  privacy-amplification trick from the Pelias era; with photon-self
  serving the bulk of traffic, a transient cross-LAN blip was pinning
  cached fallback answers for days. 1h gives quick recovery.
- /health/pelias renamed to /health/photon-self; prometheus blackbox
  config + status-page generator updated.
- mana-geocoding container no longer needs `extra_hosts:
  host.docker.internal:host-gateway` (was only there for the
  Pelias-on-host-network era).

113 tests passing. CLAUDE.md rewritten to reflect the post-Pelias
architecture.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

services/mana-geocoding/src/index.ts

@@ -1,9 +1,8 @@
 /**
- * mana-geocoding — Self-hosted geocoding proxy.
- *
- * Wraps a local Pelias instance with caching and OSM → PlaceCategory
- * mapping. All geocoding queries stay within our infrastructure —
- * no user location data leaves the network.
+ * mana-geocoding — geocoding proxy with provider chain (photon-self →
+ * public photon → public nominatim) and aggressive caching. Sensitive
+ * queries are blocked from public providers; all forwarded queries are
+ * coordinate-quantized.
  */
 
 import { createApp } from './app';
@@ -12,13 +11,17 @@ import { loadConfig } from './config';
 const config = loadConfig();
 
 console.log(`mana-geocoding starting on port ${config.port}...`);
-console.log(`Pelias API: ${config.pelias.apiUrl}`);
+console.log(`Providers: ${config.providers.enabled.join(', ')}`);
+if (config.photonSelf.apiUrl) {
+	console.log(`photon-self: ${config.photonSelf.apiUrl}`);
+}
 
 export default {
 	port: config.port,
-	// Bun's default idleTimeout is 10s — too tight for Pelias cold queries
-	// that need to hit Elasticsearch and libpostal. 60s is generous enough
-	// for the worst-case while still cutting off stuck connections.
+	// Bun's default idleTimeout is 10s — too tight for cold cross-LAN
+	// queries to photon-self that hit OpenSearch on a fresh shard. 60s is
+	// generous enough for the worst case while still cutting off stuck
+	// connections.
 	idleTimeout: 60,
 	fetch: createApp(config).fetch,
 };