Add optional Cloudflare Workers deploy for veriflier

[heydemoura]

Summary

• Adds an optional, additive Cloudflare Workers + Containers deploy path for the veriflier, alongside the existing Docker / TeamCity targets. No Go code or wire protocol changes — the same POST /check / GET /status contract is fronted by a three-line Worker (deploy/workers/worker/index.ts) that dispatches to a Cloudflare Container instance via a Durable Object binding.
• The Container pulls ghcr.io/automattic/veriflier:latest (published by .github/workflows/docker-publish.yml on every push to v2) instead of running a local docker build at deploy time. wrangler deploy resolves the GHCR image, copies it into CF's container registry, and ships the Worker.
• Wiring into Jetmon is a single entry in the VERIFIERS array in config/config.json; rollback is removing that entry and SIGHUP'ing jetmon.

Prerequisites before this can ship beyond staging

• The ghcr.io/automattic/veriflier GHCR package must be flipped from private to public (per docs/docker-images.md), so Cloudflare can pull without credentials. Until then wrangler deploy will fail with a pull-auth error.
• Vendor approval (Systems / Barry), CF account decision, and cost ceiling modeling — captured in deploy/workers/README.md "Open questions before promoting beyond staging".

Test plan

• npm install in deploy/workers/worker/ succeeds
• wrangler dev boots locally and curl http://localhost:8787/status returns the same shape as curl http://localhost:7803/status against the Docker-compose veriflier
• Once GHCR package is public: wrangler deploy --env staging succeeds and the deployed Worker's /status returns ok
• Add the staging Worker to VERIFIERS in a non-prod jetmon config, SIGHUP, and confirm the orchestrator includes it in quorum (visible in jetmon dashboard / logs)
• Remove the VERIFIERS entry and SIGHUP — confirm the remaining verifliers continue serving without disruption (rollback verification)

🤖 Generated with Claude Code