Summary

Why

Generated static sites need a lightweight publishing path that does not create a repository-backed deployment or start the sandbox build pipeline. This adds an authenticated builder boundary for raw HTML and multipart static bundles while keeping public aliases separate from private Worker identifiers and making ephemeral cleanup durable across partial external failures.

What was done

• Add authenticated POST /deploy-html support for raw HTML and multipart static bundles with a 10 MB body limit, static-path validation, a per-user Cloudflare rate limit, and friendly adjective-noun-xxxxxxxx aliases. This PR exposes infrastructure capability only; it does not add a Kilo app UI or in-repository caller.
• Persist quick-deploy lifecycle state in Postgres deployments_ephemeral: insert a pending row before provisioning, activate it after alias mapping, and use claim-safe five-minute cleanup sweeps for expired or failed resources.
• Deploy each site under a private qdpl-<uuid> Worker name, reject direct private-host routing, and map the friendly alias through the dispatcher KV API with guarded forward/reverse compensation.
• Best-effort enable the existing Made with Kilo App Builder banner for quick-deployed HTML, without failing site availability when banner setup fails.
• Scrub ephemeral ownership and schedule immediate cleanup during GDPR soft-delete, and share slug generation and validation through @kilocode/worker-utils/deployment-slug without changing persistent deployment URL formats.

High-level architecture

sequenceDiagram
  actor Client as Quick-deploy client
  participant Builder as Builder Worker
  participant DB as Hyperdrive / Postgres
  participant CF as Cloudflare API + private qdpl Worker
  participant Dispatcher as Dispatcher API / public router
  participant KV as DEPLOY_KV

  Client->>Builder: POST /deploy-html with bearer token and static assets
  Builder->>Builder: Authenticate, rate-limit, validate upload and TTL
  Builder->>DB: Lock retained owner and insert pending lifecycle row
  Builder->>CF: Deploy assets under private qdpl UUID
  Builder->>DB: Check stored and ephemeral slug conflicts
  Builder->>Dispatcher: PUT /api/slug-mapping/{worker}
  Dispatcher->>KV: Update reciprocal alias keys with compensation
  Builder->>Dispatcher: PUT /api/app-builder-banner/{worker} (best effort)
  Dispatcher->>KV: Enable banner key
  Builder->>DB: Activate row with alias and expiry
  Builder-->>Client: Return friendly URL and expiry

  Client->>Dispatcher: GET friendly public URL
  Dispatcher->>KV: Resolve slug2worker mapping
  KV-->>Dispatcher: Return private qdpl UUID
  Dispatcher->>CF: Dispatch request to private Worker
  CF-->>Dispatcher: Return static response
  Dispatcher-->>Client: Return response, injecting banner when enabled

  opt Five-minute scheduled cleanup
    Builder->>DB: Claim bounded due rows with SKIP LOCKED
    par Independent teardown attempts
      Builder->>Dispatcher: DELETE alias mapping
    and
      Builder->>Dispatcher: DELETE banner key
    and
      Builder->>CF: Delete private Worker and assets
    end
    alt All teardown targets succeed
      Builder->>DB: Delete claimed lifecycle row
    else Any teardown target fails
      Builder->>DB: Clear claim and retry after five minutes
    end
  end

Architecture decision

Decision: Store ephemeral deployment lifecycle state in Postgres while keeping dispatcher alias routing KV-only.

Context: Quick deployments need ownership-aware cleanup, GDPR handling, retry scheduling, and recoverable claims without holding database locks across Cloudflare or dispatcher I/O. Public requests still need the existing low-latency dispatcher routing model.

Rationale: A pending Postgres row is written before external provisioning, then transitioned with compare-and-swap semantics after mapping succeeds. Scheduled workers claim bounded due rows with FOR UPDATE SKIP LOCKED, tear down alias, banner, and Worker resources independently, and retain retry state after partial failure. Direct KV alias updates stay narrow and use guarded compensation for reciprocal keys.

Consequences: Cleanup work is observable and retryable in Postgres, but alias routing remains KV-backed and eventually consistent. Alias mutations are not globally serialized, so the guarded remap and deletion compensation paths deserve focused review.

Verification

• Submitted an authenticated Postgres-backed HTML quick deployment and opened the returned public URL.

Visual Changes

• No Kilo app UI changes.
• Quick-deployed HTML pages best-effort reuse the existing Made with Kilo App Builder banner; no new banner design is introduced.

Reviewer Notes

• Reconcile the generated Postgres migration before merge: this branch currently adds 0153_nosy_psynapse, while current main already contains migrations 0153 and 0154. Regenerate migration artifacts after rebasing; do not hand-edit them.
• Roll out in order after migration reconciliation: apply the Postgres migration, deploy dispatcher compatibility and routing changes, deploy web mapping integration, then deploy builder cleanup changes.
• Set dispatcher BACKEND_AUTH_TOKEN, builder DISPATCHER_AUTH_TOKEN, and web USER_DEPLOYMENTS_DISPATCHER_AUTH_KEY to the same dispatcher management API credential.
• Review shared dispatcher remap and deletion compensation carefully: ordinary persisted deployment create and rename flows use the same /api/slug-mapping/:worker seam.
• Postgres cleanup claims at most 25 due rows per five-minute sweep, retries failed teardown after five minutes, and recovers stale claims after 20 minutes.
• Admission is intentionally narrow: Cloudflare rate limiting remains, but this slice does not enforce an exact outstanding ephemeral-resource quota.