feat(kiloclaw): add image tag based version pinning

[St0rmz1]

Add admin-controlled per-user version pinning with image_tag as the unique deployable identity and image_digest for content integrity.

• New DB tables: kiloclaw_available_versions (catalog), kiloclaw_version_pins (per user pins)
• Admin versions router: CRUD for catalog entries, pin/unpin users, publish versions
• Cron sync: worker KV → Postgres catalog with atomic upserts and digest conflict rejection
• Provision flow: cloud reads pin from Postgres, passes tag+digest to worker
• Worker: accepts pinnedImageTag, skips KV lookup for pinned users, tracks isPinned
• Digest uniqueness enforced at every layer (Postgres, admin publish, sync, worker KV)
• Admin UI: pin management on instance detail, version stats cards, sync button
• Tests for all new functionality

[kiloconnect]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Notes

All previously flagged issues have been addressed in the latest commits:

• ✅ TOCTOU race in publishVersion — Now uses FOR UPDATE inside a transaction (lines 106–168 of admin-kiloclaw-versions-router.ts)
• ✅ KV list() pagination — New listAllKvKeys helper in kiloclaw/src/routes/platform.ts follows cursors until list_complete
• ✅ break in cron sync loop — Replaced with continue so remaining entries are still processed
• ✅ GDPR softDeleteUser — kiloclaw_version_pins deletion added to src/lib/user.ts with corresponding test

The implementation is well-structured:

• Version catalog (kiloclaw_available_versions) with proper unique indexes on image_tag, image_digest (partial), and is_latest per variant (partial)
• Pin system (kiloclaw_version_pins) with upsert semantics and graceful degradation in the provision path
• Cron sync with rate limiting (MAX_NEW_PER_SYNC = 5), deduplication, and digest conflict rejection
• Worker DO correctly handles pinned vs unpinned paths with isPinned state tracking

Files Reviewed (17 files)

• kiloclaw/scripts/push-dev.sh — digest fetch + .dev.vars update
• kiloclaw/src/durable-objects/kiloclaw-instance.ts — pinned/unpinned provision paths
• kiloclaw/src/durable-objects/kiloclaw-instance-pinning.test.ts — DO pinning tests
• kiloclaw/src/routes/platform.ts — provision pin passthrough, listAllKvKeys, versions/publish endpoints
• kiloclaw/src/schemas/image-version.ts — KV entry schema + key helpers
• kiloclaw/src/schemas/instance-config.ts — ProvisionRequestSchema with pin fields
• src/app/api/cron/sync-kiloclaw-versions/route.ts — cron sync with dedup + rate limit
• src/db/schema.ts — kiloclaw_available_versions + kiloclaw_version_pins tables
• src/db/schema.test.ts — enum check for KiloClawVersionStatus
• src/lib/kiloclaw/kiloclaw-internal-client.ts — publishImageVersion + listVersions methods
• src/lib/kiloclaw/types.ts — ProvisionInput pin fields
• src/lib/user.ts — GDPR soft-delete for kiloclaw_version_pins
• src/lib/user.test.ts — GDPR soft-delete test
• src/routers/admin-kiloclaw-versions-router.ts — full admin CRUD router
• src/routers/admin-kiloclaw-versions-router.test.ts — admin router tests
• src/routers/admin-router.ts — router registration
• src/routers/kiloclaw-router.ts — provision pin lookup
• src/routers/kiloclaw-router-pinning.test.ts — provision pinning tests
• vercel.json — cron schedule
• src/db/migrations/ — migration files (skipped)