feat: GEO_FORCE_OFFLINE flag to suppress runtime ipinfo.io egress

[NotYuSheng]

Description

GeoIpService attempts an outbound call to ipinfo.io at runtime — a connectivity probe (PROBE_URL) plus per-IP lookups (IPINFO_URL) — and falls back to the bundled DB-IP Lite MMDB when offline (GeoIpService.java:63,66). The fallback is graceful, but there is no way to suppress the egress attempt entirely. For strict air-gapped or egress-monitored deployments, the periodic outbound attempt (~every 60s while resolving new IPs) is undesirable.

Identified in the production readiness assessment (#366, docs/production-readiness.md, finding P2-4) and relevant to the project's offline requirement.

Acceptance Criteria

• Add a GEO_FORCE_OFFLINE (or equivalent) flag, default off, that:
  • skips the connectivity probe and ipinfo.io lookups entirely, and
  • resolves geo exclusively from the bundled MMDB (geo_source = mmdb).
• When set, no outbound ipinfo.io connections are attempted (verify via egress logs).
• Document the flag and the one intentional runtime egress in the offline verification checklist.

Affected Files

• backend/src/main/java/com/tracepcap/analysis/service/GeoIpService.java
• backend/src/main/resources/application.yml
• .env.example