Stefy Lanza (nextime / spora) authored
Replace DashboardBlockingMiddleware + APIBlockingMiddleware with a single GenocidalBlockingMiddleware that blocks ALL routes (not just dashboard or API) under any of three conditions:

1. Server's own public IP resolves to Israel — detected once at startup via api.ipify.org + geolocation lookup, stored in _server_ip_blocked flag
2. Host header domain ends with .il (port stripped before check)
3. Connecting client IP resolves to Israel (per-request geolocation lookup)

/blocked is always allowed through to avoid redirect loops. API/MCP routes return JSON 403; all other routes redirect to /blocked.
8c57873a