
Prober: probe a curated allowlist only (not the harvested directory); default daily #27

@melvincarvalho

Description

Security posture: safe-then-expand. Today the prober dials every relay in the relays collection — but that set is attacker-influenceable (anyone can publish a kind-3/10002 relay list we harvest). So an attacker can make our host connect out to arbitrary external targets. The internal-IP SSRF screen mitigates the worst case but the target set itself shouldn't be attacker-controlled.

Fix

  • Prober dials only a curated allowlist — a small built-in set of well-known relays, expandable via PROBE_RELAYS (comma list). It no longer reads the harvested directory for targets.
  • Default interval → once a day (PROBE_INTERVAL default 86400000). A handful of trusted relays daily is negligible outbound.
  • Each allowlisted relay still gets health-upserted into the directory (real data for the ones we vouch for).

Changes

  • proberRelays(env) + DEFAULT_PROBE_RELAYS; sweepOnce uses it (drops the db.relays.find() target query). All entries still run through safeRelayUrl.
  • proberConfig default interval 1h → 24h.
  • USAGE + .env.example document PROBE_RELAYS.
  • Tests for proberRelays + updated interval default.

Out of scope (follow-ups)

  • Directory display still shows harvested relays with stale health (not re-probed) — decide whether to scope the page to probed relays.
  • Relay-URL harvesting now only grows the DB (prober ignores it) — decide whether to disable it.
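An added example (not the project's code) of the target-selection logic the issue describes: a built-in allowlist extended by `PROBE_RELAYS`, every entry screened by a URL check, and the harvested directory never consulted. The names `proberRelays`, `DEFAULT_PROBE_RELAYS`, `safeRelayUrl` and `proberConfig` follow the issue text; their bodies, the `example.org` relay entries, the wss-only policy and the fail-closed handling of a bad operator entry are all assumptions.

```javascript
// Added example, not the project's code: target selection for a relay prober
// that dials only a curated allowlist. The names proberRelays,
// DEFAULT_PROBE_RELAYS, safeRelayUrl and proberConfig follow the issue text;
// every body below, and the example.org relay entries, are assumptions.

// Built-in allowlist. Placeholder hosts; a real deployment lists the relays
// the operator actually vouches for.
const DEFAULT_PROBE_RELAYS = Object.freeze([
  'wss://relay.example.org',
  'wss://relay.example.net',
]);

// RFC 1918, loopback, link-local, CGNAT and "this network" ranges as
// [network, prefixLength]. An IPv4 literal in any of these is refused.
const BLOCKED_V4 = [
  ['10.0.0.0', 8], ['127.0.0.0', 8], ['169.254.0.0', 16],
  ['172.16.0.0', 12], ['192.168.0.0', 16], ['100.64.0.0', 10],
  ['0.0.0.0', 8],
];

function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedV4(ip) {
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Returns the canonical URL string, or null if the entry must not be dialed.
// Assumed policy: wss only, no embedded credentials, no IPv6 literals, no
// internal IPv4 literals, no local-only hostnames. The WHATWG URL parser
// normalises exotic IPv4 spellings (hex, octal, a single integer) to dotted
// decimal before the check sees them, so those bypasses are covered too.
function safeRelayUrl(raw) {
  let u;
  try { u = new URL(String(raw).trim()); } catch (e) { return null; }
  if (u.protocol !== 'wss:') return null;
  if (u.username || u.password) return null;
  const host = u.hostname;
  if (host.startsWith('[')) return null;                    // IPv6 literal
  if (/^(localhost|.*\.(localhost|local|internal))$/i.test(host)) return null;
  const v4 = ipv4ToInt(host);
  if (v4 !== null && isBlockedV4(v4)) return null;
  return u.href;
}

// Built-in set plus PROBE_RELAYS (comma list), deduplicated. Never reads the
// harvested directory. Misconfiguration fails closed: a refused operator
// entry throws at startup instead of being silently dropped.
function proberRelays(env = process.env) {
  const extra = (env.PROBE_RELAYS || '').split(',').map((s) => s.trim()).filter(Boolean);
  const out = [];
  for (const raw of [...DEFAULT_PROBE_RELAYS, ...extra]) {
    const url = safeRelayUrl(raw);
    if (url === null) throw new Error(`PROBE_RELAYS entry refused: ${raw}`);
    if (!out.includes(url)) out.push(url);
  }
  return out;
}

// Interval default is once a day (86400000 ms); the one-minute floor is an
// assumption to stop a typo turning the prober into a tight loop.
const DAY_MS = 86400000;
function proberConfig(env = process.env) {
  const ms = env.PROBE_INTERVAL === undefined ? DAY_MS : Number(env.PROBE_INTERVAL);
  if (!Number.isFinite(ms) || ms < 60000) throw new Error('PROBE_INTERVAL must be >= 60000 ms');
  return { intervalMs: ms, relays: proberRelays(env) };
}
```

One caveat the literal screen cannot cover: an allowlisted hostname can still resolve to an internal address (DNS rebinding, or a compromised zone), so the dial path should resolve the name once, apply the same address check to the result, and connect to that pinned address rather than letting the WebSocket client resolve it again.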
