Lays groundwork for /try — shared types (Valibot), DB migration 0043
(system user sentinel + trial_waitlist table), wrangler TRIAL_COUNTER DO
binding (v7 migration) + trial env vars, trial services (HMAC-signed
cookies with constant-time compare, KV kill-switch with 30s cache +
fail-closed, discovery prompt), 501 route stubs under /api/trial/*,
TrialCounter DO with atomic transactionSync increment/decrement, frontend
Try/TryDiscovery stubs mounted at /try + /try/:trialId, operator docs
at docs/guides/trial-configuration.md, and 43 unit tests covering
cookie round-trip/tamper/expiry, kill-switch cache/TTL/fail-closed, and
TrialCounter cap enforcement.

Trials remain disabled by default (kill-switch fails closed) so this is
safe to deploy without setting TRIAL_CLAIM_TOKEN_SECRET. Wave 1 will wire
the live create/events/claim/waitlist handlers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

… kill-switch

Previously, self-hosters had to manually run `wrangler secret put
TRIAL_CLAIM_TOKEN_SECRET` and `wrangler kv key put trials:enabled true`
before the /try flow would work on staging. Wire both into the standard
deployment pipeline so staging trials are live out of the box.

Changes:
- infra/resources/secrets.ts: add `trial-claim-token-secret` RandomId
  resource (32 bytes base64) + export `trialClaimTokenSecret` Pulumi
  output, same persistence pattern as encryptionKey / jwtPrivateKey.
- infra/index.ts: re-export the new output.
- scripts/deploy/configure-secrets.sh: read trialClaimTokenSecret from
  Pulumi state and set it as a required Worker secret on every deploy.
- .github/workflows/deploy-reusable.yml: add a staging-only step that
  sets KV `trials:enabled=true` via wrangler after the worker deploys.
  Production stays opt-in per spec (operator flips the flag manually
  when ready to accept live trial traffic).
- docs/guides/trial-configuration.md: document the automation — no more
  manual secret-put or kv-put steps for staging.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

`wrangler kv key put` writes to remote by default; --remote is not a
valid flag for that subcommand and caused the staging deploy's trial
kill-switch step to fail.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…olve it

Track A (create.ts) inserted trial records into D1 only; Track B readers
(events.ts, claim.ts, trial-runner.ts) all look trials up via
trial-store.readTrial() which reads from KV. The result: every SSE
connection 404'd with "Trial not found or expired" seconds after the
trial was created.

Integration fix:
- create.ts calls writeTrial() after the D1 insert, with projectId=''
  (Track B's orchestrator rewrites the KV record once the project row
  exists). On KV failure, roll back the D1 row and release the
  TrialCounter slot so we don't burn a cap entry.
- writeTrial() skips the trial-by-project index when projectId is
  empty, preventing all pending trials from colliding on
  `trial-by-project:`.
- events.ts: use errors.notFound('Trial') — previous argument produced
  doubled "Trial not found or expired not found".

Added a regression test asserting writeTrial is invoked from the happy
path (captures the exact KV put) so this bug cannot silently recur.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…760)

* task: move trial-orchestrator-wire-up to active

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(shared): add trial orchestrator timing/retry constants

Introduce DEFAULT_TRIAL_ORCHESTRATOR_* and DEFAULT_TRIAL_KNOWLEDGE_*
constants used by the alarm-driven TrialOrchestrator DO and the fast-path
GitHub knowledge probes fired from POST /api/trial/create. Every value is
env-var overridable (Constitution Principle XI).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(trial): add TrialOrchestrator DO binding, env vars, sentinel installation

- Declare TRIAL_ORCHESTRATOR DO binding + v9 migration in wrangler.toml
- Extend Env interface with TrialOrchestrator/Knowledge tuning knobs and
  TRIAL_ANONYMOUS_INSTALLATION_ID override
- Migration 0045 seeds the system_anonymous_trials_installation sentinel
  row so anonymous trial projects can satisfy the NOT NULL + FK constraint
  on projects.installation_id without owning a real GitHub App install

The DO class itself is added in the next commit.

* feat(trial): add TrialOrchestrator DO state machine

Adds the alarm-driven TrialOrchestrator Durable Object (one per trialId)
that replaces the fire-and-forget `waitUntil(provisionTrial())` pattern
with a resumable state machine.

Module layout mirrors TaskRunner:
  - types.ts     — TrialOrchestratorStep union + persisted state shape
  - helpers.ts   — re-exports TaskRunner helpers; adds sentinel-user /
                   sentinel-installation resolvers + safeEmitTrialEvent.
  - steps.ts     — per-step handlers (project_creation, node_selection,
                   node_provisioning, node_agent_ready, workspace_creation,
                   workspace_ready, discovery_agent_start, running).
  - index.ts     — DO class: start(), alarm() dispatch, backoff retry,
                   overall-timeout guard, trial.error emission on failure.

Each step emits `trial.progress` at entry so the SSE stream reflects
where the orchestrator is. Terminal `running` step is idle — the ACP
bridge (wired separately) is responsible for emitting `trial.ready`
after the discovery agent produces its first assistant turn.

All timing/retry knobs read from env vars with DEFAULT_* fallbacks
(Constitution Principle XI). Adds two new optional env fields:
TRIAL_VM_SIZE and TRIAL_VM_LOCATION for trial-specific VM overrides.

Exports the class from apps/api/src/index.ts so the Workers runtime
can instantiate it via the TRIAL_ORCHESTRATOR binding (already declared
in wrangler.toml v9 migration).

Task: tasks/active/2026-04-19-trial-orchestrator-wire-up.md

* feat(trial): bridge ACP/MCP events into trial SSE stream

Adds a dedicated `services/trial/bridge.ts` module with three helpers that
hook into existing hot paths and fan qualifying events out as `trial.*` SSE
events:

  - bridgeAcpSessionTransition: `running` → trial.ready (with workspaceUrl
    derived from BASE_DOMAIN + workspaceId), `failed` → trial.error.
  - bridgeKnowledgeAdded:       fires trial.knowledge when the discovery
    agent adds a knowledge observation via MCP.
  - bridgeIdeaCreated:          fires trial.idea with a summary-clipped
    excerpt when the discovery agent creates an idea via MCP.

All three helpers short-circuit on non-trial projects after a single
`readTrialByProject(env, projectId)` KV lookup, so normal (non-trial)
project traffic only pays that one extra KV read on qualifying events.

Hook sites:
  - ProjectData DO `transitionAcpSession` — dynamic-imports the bridge
    and dispatches after the transition succeeds, guarded by `if (projectId)`
    and wrapped in try/catch so bridge errors never block the transition.
    Casts `this.env` through unknown to the worker-scope Env because the
    DO's local Env type is intentionally narrow.
  - `handleAddKnowledge` MCP handler — dispatches after addKnowledgeObservation.
  - `handleCreateIdea`   MCP handler — dispatches after the DB insert.

Every dispatch is fire-and-forget; bridge errors are already caught
inside each helper but the call sites add a second try/catch for defense.

Task: tasks/active/2026-04-19-trial-orchestrator-wire-up.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(trial): wire TrialOrchestrator + GitHub knowledge into POST /api/trial/create

Adds two fire-and-forget dispatches after the trial record is written and
before the HTTP response returns, via c.executionCtx.waitUntil:

1. TrialOrchestrator DO `start()` — kicks off the alarm-driven state machine
   that provisions a project, workspace, and discovery agent session. The
   DO is idempotent on `start()`, so accidental re-invocations no-op.

2. emitGithubKnowledgeEvents() — hits unauthenticated GitHub REST endpoints
   (`/repos/:o/:n`, `/repos/:o/:n/languages`, `/repos/:o/:n/readme`) in
   parallel and emits up to `TRIAL_KNOWLEDGE_MAX_EVENTS` `trial.knowledge`
   events within ~`TRIAL_KNOWLEDGE_GITHUB_TIMEOUT_MS` each. Surfaces
   description, primary language, stars, topics, license, language breakdown,
   and README first paragraph so the SSE stream shows activity within ~3s
   while the VM provisions in the background.

Both helpers fully swallow errors — an orchestrator dispatch failure or
GitHub rate-limit hit never blocks the response or crashes the Worker.

All knobs are env-configurable per Constitution Principle XI:
- TRIAL_KNOWLEDGE_GITHUB_TIMEOUT_MS (default 5000)
- TRIAL_KNOWLEDGE_MAX_EVENTS (default 10)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test(trial): cover orchestrator dispatch, bridge, and GitHub knowledge probe

Adds four categories of behavioral tests for the trial onboarding wiring:

1. trial-create.ts.test.ts (+2 cases)
   - Asserts TrialOrchestrator.start() is dispatched via waitUntil with
     trialId, repoOwner, repoName, and canonical repoUrl.
   - Asserts a rejecting start() does NOT propagate — the HTTP response
     still returns 201 (fire-and-forget contract).
   - Updates makeEnv() to stub TRIAL_ORCHESTRATOR + TRIAL_EVENT_BUS
     bindings and introduces makeExecutionCtx() helper.
   - Also adds a graceful-fallback in create.ts so routes that run without
     a Worker executionCtx (unit tests) still complete instead of 500-ing
     on Hono's "This context has no ExecutionContext" throw.

2. trial-github-knowledge.test.ts (new, 5 cases)
   - Happy path: verifies description, primary language, stars, topics,
     license, language breakdown, and README paragraph are all emitted.
   - TRIAL_KNOWLEDGE_MAX_EVENTS cap is enforced.
   - Total network failure → 0 events, no throw.
   - Non-2xx repo metadata response → 0 events, no throw.
   - emitTrialEvent rejection → no throw (last line of defense).

3. trial-orchestrator.test.ts (new, 4 cases)
   - start() persists initial state with currentStep='project_creation'
     and schedules an alarm.
   - start() is idempotent — second call with same input is a no-op and
     does not re-schedule the alarm.
   - alarm() on a completed state is a terminal no-op.
   - alarm() emits trial.error and marks completed when the overall
     timeout budget is exceeded.

4. trial-bridge.test.ts (new, 9 cases)
   - bridgeAcpSessionTransition: no-ops on non-trial projects, emits
     trial.ready on 'running' with ws-{id}.{BASE_DOMAIN} URL, emits
     trial.error on 'failed', no-ops on other transitions, swallows
     emitter errors.
   - bridgeKnowledgeAdded / bridgeIdeaCreated: no-op on non-trial,
     emit correct event shape when trial exists, swallow errors.

All 3,793 tests pass; typecheck clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs(trial): document TrialOrchestrator + GitHub knowledge fast-path

Adds an "Orchestrator and Fast-Path Knowledge" section to the trial
configuration guide covering the two fire-and-forget background tasks
dispatched from POST /api/trial/create (TrialOrchestrator DO and the
GitHub REST knowledge probe) plus the ACP/MCP event bridge, with
tunables tables for both.

Also records the change in CLAUDE.md "Recent Changes" and marks the
corresponding checklist items in the task file.

* style(trial): sort imports per eslint rules

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(trial): emit trial.started event from orchestrator start()

The SSE stream's first real event must be `trial.started` so the
frontend can transition out of the "Warming up..." empty state.
Without it, viewers sat on the placeholder until `trial.progress` or
`trial.knowledge` arrived — which could be 3-5s later.

Added unit test asserting `emitTrialEvent` is called exactly once with
type='trial.started' and the expected shape.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test(trial): capability test chaining start() + alarm() through event bus

Addresses task-completion-validator HIGH finding #2: no capability
test exercised the full orchestrator state machine through the event
bus seam. Existing per-method tests covered each transition in
isolation but did not chain them.

New test drives:
  start() → persist + setAlarm + emit trial.started
    → (simulate expired budget)
    → alarm() → mark failed + emit trial.error

The `emitTrialEvent` mock is the event-bus seam; its downstream is
already covered by tests/unit/routes/trial-events.test.ts which
verifies the bus → SSE stream path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore(trial): archive orchestrator wire-up task

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test(trial): cover alarm() retry/backoff + step handler invariants

Addresses test-engineer review HIGH findings #1 and #2 (partial).

Finding #1 — alarm() retry/backoff:
Added 4 tests driving the step-error catch branches via a `./steps`
vi.mock. Covers transient-error + retries-remaining (increments counter
and schedules backoff, no failTrial), permanent-error (immediate
failTrial regardless of budget), transient-error with retries exhausted
(promotes to failTrial), and the null-state guard (alarm fires before
start()).

Finding #2 — step handlers:
New `trial-orchestrator-steps.test.ts` covers the two highest-value
invariants that don't need D1/DO plumbing mocks:
  - handleRunning marks state.completed = true
  - handleDiscoveryAgentStart throws permanent on missing IDs
  - handleDiscoveryAgentStart is idempotent when session already linked

Broader per-handler coverage (project_creation / node_selection /
node_provisioning / node_agent_ready / workspace_creation /
workspace_ready) tracked in
tasks/backlog/2026-04-19-trial-orchestrator-step-handler-coverage.md —
those paths require mocks for drizzle + node-agent + project-data
services and are out of scope for this PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(trial): remove hardcoded BASE_DOMAIN fallback + extract heartbeat skew constant

Addresses constitution-validator findings:

HIGH — bridge.ts:41 had `env.BASE_DOMAIN || 'workspaces.example.com'` fallback.
BASE_DOMAIN is a non-optional binding; a misconfiguration that let it be empty
would silently generate workspace URLs pointing at workspaces.example.com
instead of failing loudly. Removed the fallback.

MEDIUM — steps.ts had a hardcoded `30_000` heartbeat-skew window. Extracted to
DEFAULT_TRIAL_ORCHESTRATOR_HEARTBEAT_SKEW_MS (shared), TRIAL_ORCHESTRATOR_HEARTBEAT_SKEW_MS
env override, getHeartbeatSkewMs() getter on the DO, threaded through
TrialOrchestratorContext.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(trial): per-IP rate limit on POST /api/trial/create + SSE injection guard

Addresses security-auditor HIGH findings:

1. Rate limit on POST /api/trial/create (was missing)
   - New rateLimitTrialCreate() factory (useIp=true, keyPrefix=trial-create)
   - Default 10 req/hr, configurable via RATE_LIMIT_TRIAL_CREATE env var
   - Tighter than the general anonymous bucket because each trial create
     allocates a Durable Object, fires ~4 GitHub API calls, and consumes
     a monthly trial slot
   - Mounted per-route in create.ts so the limiter sees request env
   - Regression test exercises 429 path with IP-scoped KV window

2. SSE event-name sanitization in formatSse()
   - Strips CR/LF to prevent SSE-frame injection if a future caller ever
     bypasses the TrialEvent discriminated union via `as never` casts or
     dynamic event names
   - Function now exported for direct testing
   - New trial-events-format.test.ts covers: happy path stable shape,
     CR/LF strip on hostile event name (single event frame survives),
     and JSON data escaping for embedded newlines

* fix(trial): switch TrialOrchestrator to new_sqlite_classes + drop premature status gate

Addresses cloudflare-specialist HIGH findings:

1. wrangler.toml v9 migration: new_classes -> new_sqlite_classes
   Cloudflare recommends SQLite-backed storage for new DO classes; the
   KV-style ctx.storage.put() API works identically on both backends but
   SQLite is the future-forward choice. TrialOrchestrator has not yet been
   deployed to any environment (introduced in this PR chain), so flipping
   the migration type is safe.

2. handleNodeProvisioning: remove synchronous status='running' gate
   After provisionNode() returns, async-IP providers (Scaleway, GCP) leave
   the node in 'creating' status — the IP and status='running' flip happens
   on the first heartbeat. Synchronously requiring status='running' here
   forced every async-IP trial through the retry/backoff cycle until the
   heartbeat landed, wasting retry budget and risking permanent failure on
   slow VM boots. The next step (node_agent_ready) polls heartbeat freshness
   with its own timeout, which correctly handles both sync (Hetzner) and
   async (Scaleway/GCP) provisioning paths.

Regression test: handleNodeProvisioning advances to node_agent_ready even
when provisionNode() leaves the node in 'creating' status.

* fix(trial): HMAC-verify fingerprint cookie before reusing UUID

Security-auditor HIGH: the old code extracted the fingerprint UUID from the
`sam_trial_fingerprint` cookie by splitting on the last `.` without verifying
the HMAC signature. An attacker who learned a victim's fingerprint UUID
(from logs, a captured cookie, or a prior trial row) could forge
`<victimUuid>.anything` to overwrite the `trial-by-fingerprint:<victimUuid>`
KV index to point at their own trial. The victim's subsequent OAuth hook
lookup would then redirect them to the attacker's trial project.

Fix: call verifyFingerprint(existingFp, secret) and only trust the returned
UUID. Fall back to crypto.randomUUID() on invalid / missing signature. The
secret is already resolved earlier in the same handler (line 195-203).

Added regression test in trial-create.ts.test.ts — a forged cookie MUST NOT
reuse the victim's UUID; a fresh UUID is minted instead. Updated the
"reuses existing fingerprint" test to use a validly-signed cookie.

---------

Co-authored-by: Raphaël Titsworth-Morin <raphael@raphaeltm.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

)

* task: move trial-events-debug to active

* task: instrument trial event bus path for staging triage

Add high-signal log.info points at every boundary in the trial event
flow so `wrangler tail` can show exactly where the pipeline drops:

- create.ts: log dispatch_begin, orchestrator_task.{enter,stub_ready,
  start_returned}, knowledge_task.{enter,done}, waitUntil_registered
- trial-runner.ts:emitTrialEvent — log emit_begin / emit_ok
- trial-orchestrator: start.enter, state_put, alarm_set,
  trial_started_emitted; alarm.enter
- trial-event-bus: handleAppend.enter / stored / rejected_closed

Pure instrumentation — no behavior change. Will be pared back or
removed once the failure mode is identified on staging.

* fix(trial): emit unnamed SSE frames so EventSource.onmessage fires

Root cause of the zero-events-on-staging incident (2026-04-19):
formatSse() wrote named SSE frames ('event: trial.knowledge\ndata: {...}')
but the frontend subscribes via source.onmessage, which only fires for the
default (unnamed) event. Bytes arrived on the wire — curl saw them — but no
frontend-visible event was ever dispatched.

Change the SSE serializer to emit unnamed frames ('data: {...}'). The
TrialEvent payload itself carries a 'type' discriminator so no information
is lost. Update the unit test to lock in the new contract (no 'event:' line)
and point at the post-mortem.

Also fix a latent eventsUrl contract mismatch: POST /api/trial/create
returned '/api/trial/events?trialId=X' while the real route is
'/api/trial/:trialId/events'. The frontend builds its own URL so end-users
weren't affected, but the response-field contract was wrong. The previous
unit test used toContain() on a substring, masking the drift.

See docs/notes/2026-04-19-trial-sse-named-events-postmortem.md.

* test(trial): add TrialEventBus → SSE capability test

Regression guard for the 2026-04-19 incident. Seeds a trial in KV, appends
events directly on the TrialEventBus DO (identical to emitTrialEvent()),
opens the SSE stream via SELF.fetch with a valid fingerprint cookie, reads
the raw stream bytes, and asserts:

  - HTTP 200 + correct content-type
  - At least one 'data: {...}' frame
  - No 'event:' line anywhere (the regression guard)
  - The parsed JSON payload round-trips through the bus intact

Also add TRIAL_EVENT_BUS DO binding and TRIAL_* env bindings to the workers
vitest config so this test (and future trial-related worker tests) can
construct stubs.

Note: the existing workers test pool is currently broken on this branch and
base (miniflare WebSocket exits unexpectedly on all 6 pre-existing worker
tests too — not caused by this change). Once the pool is unblocked this
test runs as-is.

* docs(trial): post-mortem + rule 13 ban curl-only SSE verification

Post-mortem covers what broke, the two-layer contract mismatch (named SSE
events + wrong eventsUrl shape), timeline, why it wasn't caught (no E2E
capability test, curl used instead of a real browser, frontend test path
not exercised), the class of bug, and the process fixes landing in this PR.

Update rule 13 (staging verification) to explicitly ban curl-only
verification for browser-consumed SSE/WebSocket streams — curl confirms the
byte stream, only a real browser confirms dispatch to onmessage.

* task: record root cause + fixes on trial SSE events task

* test(trial): update trial-events.test SSE assertion for unnamed frames

The integration test for GET /api/trial/:trialId/events was asserting the
old named-event contract ('event: trial.ready'). With the formatSse() fix
the frame is unnamed; update the assertion to lock in the new contract
(data: line present, no event: line).

* task: archive trial SSE events debugging task

* chore(trial): address review findings on SSE events fix

- Add TRIAL_ORCHESTRATOR + TRIAL_COUNTER DO bindings to
  apps/api/vitest.workers.config.ts (cloudflare-specialist MEDIUM)
- CLAUDE.md: prepend 'trial-sse-events-fix' entry to Recent Changes
  (doc-sync-validator MEDIUM)
- Fix broken link in postmortem (tasks/active -> docs/notes) and tick
  the completed rule-13 follow-up checkbox (doc-sync-validator LOW)
- Add cross-reference from .claude/rules/02-quality-gates.md to the
  rule-13 curl-only SSE-verification ban (doc-sync-validator LOW)
- File pre-existing HIGH (AbortController not propagated into
  busStub.fetch) and MEDIUM (nextCursor persistence) as backlog tasks
  so they're tracked but don't block this fix PR

---------

Co-authored-by: Raphaël Titsworth-Morin <raphael@raphaeltm.com>

…g-mvp

…into sam/trial-onboarding-mvp

Add AI usage section to the admin analytics dashboard, powered by
the AI Gateway Logs API. Shows token usage, estimated cost, trial
vs. authenticated breakdown, per-model metrics, and daily trends.

Backend:
- New admin endpoint GET /api/admin/analytics/ai-usage?period=7d
  queries AI Gateway logs with pagination and aggregates by model/day
- AI proxy now tags requests with projectId and trialId in
  cf-aig-metadata for trial usage attribution
- Configurable via AI_USAGE_PAGE_SIZE, AI_USAGE_MAX_PAGES env vars

Frontend:
- AIUsageChart component with KPI cards, stacked bar chart (tokens
  by model), daily usage area chart, and model breakdown table
- Integrated into admin analytics dashboard above DAU chart
- Graceful fallback if AI Gateway is not configured (catch + null)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…stics

The CF AI Gateway Logs API uses `order_by_direction` (not `direction`) for
sort order, and error responses now include the upstream body for easier
debugging.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The Cloudflare AI Gateway Logs API enforces a maximum per_page of 50.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(trial): address review findings from trial onboarding subagents

Security and correctness fixes from 7 specialist reviewers:

CRITICAL:
- Fix cookie domain mismatch: claim.ts clearClaimCookie and oauth-hook.ts
  buildClaimCookie now pass domain from BASE_DOMAIN (matching create.ts)

HIGH:
- TrialEventBus DO: persist `closed` flag to storage so it survives eviction
- AI proxy: sanitize error bodies — log raw errors server-side, return generic
  messages to clients (prevents internal URL/config leakage)
- Admin AI usage: sanitize CF API error responses the same way
- SSE events endpoint: add per-IP rate limiting (30 req/5min via KV)
- Deploy pipeline: forward ANTHROPIC_API_KEY_TRIAL as optional Worker secret
- sync-wrangler-config: inject ENVIRONMENT var into generated env sections
- Remove hardcoded DEFAULT_GATEWAY_ID; require AI_GATEWAY_ID from env

MEDIUM:
- Cron collision: move trial counter rollover from 03:00 to 05:00 UTC
  (avoids collision with daily analytics forward job at 03:00)
- Replace magic number in create.ts with DEFAULT_TRIAL_CLAIM_TTL_MS constant
- Add trial secrets to secrets-taxonomy.md and trial-configuration.md
- Add comprehensive trial + AI proxy env vars to .env.example
- Fix test mocks: add ctx.storage to TrialEventBus tests, add KV to SSE tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(trial): address CTO review — 6 quality improvements

1. Reject unknown IP: SSE rate limit now returns 400 when no client IP
   header is present, instead of sharing a single "unknown" bucket across
   all headerless clients. CF-Connecting-IP is always present on Workers.

2. Document KV rate limit trade-off: added inline comment explaining why
   KV's non-atomic read-modify-write is acceptable here (storm prevention,
   not exact enforcement) vs DO-based counters for credential rotation.

3. Clean up formatSse: removed unused _eventName parameter that gave the
   false impression the event name was being used. Updated all call sites
   and tests.

4. Cookie domain consistency test: new regression test suite asserting
   that buildClaimCookie, clearClaimCookie, and buildFingerprintCookie
   produce matching Domain= attributes. Explicitly demonstrates the bug
   where clearing without a domain fails to delete a domain-scoped cookie.

5. AI_GATEWAY_ID self-hoster safe: returns an empty summary (zero counts)
   when AI_GATEWAY_ID is not configured, instead of throwing. Self-hosters
   who don't use AI Gateway get a clean "no data" admin dashboard.

6. Fix .env.example cron default: TRIAL_CRON_ROLLOVER_CRON now shows
   "0 5 1 * *" matching the actual default after the collision fix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Raphaël Titsworth-Morin <raphael@raphaeltm.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>