Add workflows + second public R2 bucket

[Judyzc]

Addresses (fixes) #209. Tested on staging.

High-level explanation of changes:

• 1st Problem: AI content rating could time out after 30 seconds because Cloudflare Workers can only run a request for 30 seconds. This can leave a test in "IN_PROGRESS" state, never able to be accessed or re-uploaded.
  • Solution: added Cloudflare Workflow for AI content rating. Workflows can run up to 5 minutes, auto retry step(s) if configured.
• 2nd Problem: filmstrip and other assets from R2 respond intermittently with http 500 errors, because the D1/prisma lookup for the asset's content rating (we only want to serve safe assets so we need to ensure the content_rating for each asset is "SAFE") overwhelms the database pool connection.
  • Solution: make a 2nd and always public R2 bucket for "SAFE" content that will have a custom domain endpoint. This public endpoint will serve assets instead of D1/the Worker. I've already made and configured the custom domains for the public R2 buckets (staging and prod) using the production UI dashboard.
  • Solution should work because essentially "if someone has a testId, they could already read all the files. The public bucket doesn't open any new attack surface — it just serves the same already-public data without a Worker in the middle" (argument from AI)

New upload flows for different environments:

Dev, AI off (default)

• Upload → files written to local private R2, no workflow, test accessible immediately (AI disabled so no rating gate)
• Serving → All assets served through /api/tests/* → local Worker → local private R2

Dev, AI on (.dev.vars override)

• Upload → files written to local private R2, workflow runs locally, AI rates it, if SAFE copies to local public R2
• Serving → PUBLIC_ASSETS_URL absent → hasPublicBucket() false → resolveAssetBase returns '' → all assets still served through /api/tests/* → local Worker → local private R2 (public R2 is ignored for serving)

Staging

• Upload → files written to remote private R2, workflow triggers on Cloudflare, if SAFE copies to remote public R2
• Serving → For SAFE tests: resolveAssetBase finds config.json in public R2 → screenshot/filmstrip/video URLs built as https://assets-staging.telescopetest.io/... in page HTML → browser loads them directly from the edge, no Worker
• For pre-workflow tests (not yet in public R2): falls back to /api/tests/* → Worker → private R2

Production

• Same as staging, https://assets.telescopetest.io instead

Follow-up

We'll need some kind of one-time script or process to move all the current R2 files that are safe into the public bucket. Right now, the code has a fallback to use D1/the Worker if the asset isn't in the public bucket. This is so the PR doesn't break any existing results/functionality when merged.

But I think ideally we'd do this process: (1) merge this PR (with fallback code) -> (2) run one-time script to move files -> (3) clean up fallback code

[Judyzc]

./src/worker.ts is required to export AiContentRatingWorkflow as a named export alongside Astro's request handler — the standard @astrojs/cloudflare/entrypoints/server entrypoint doesn't support additional exports (https://docs.astro.build/en/guides/integrations-guide/cloudflare/#changed-custom-entrypoint-api).

[Judyzc]

Now get R2 assets from public bucket if safe (bypass Worker completely).

[Judyzc]

Now get R2 assets from public bucket if safe (bypass Worker completely).