@checkstack/automation-backend 0.2.0 → 0.3.0

package/src/entity/create-handle.ts

@@ -0,0 +1,344 @@
+/**
+ * Builds an `EntityHandle` for one validated kind — the Model B reactive
+ * wrapper (reactive automation engine §4, reshaped).
+ *
+ * `defineEntity` owns NO current-state storage. The plugin owns its state
+ * and exposes it through a `read` accessor; this handle makes that state
+ * REACTIVE by funneling every write through one driven entry point:
+ *
+ *   handle.mutate({ id, opts?, apply })
+ *
+ * The orchestration (`mutate` and `remove` share it):
+ *
+ *   1. Snapshot `prev` via `read([id])` BEFORE the write, so a change can
+ *      never be missed (we never re-read prev AFTER the plugin has written).
+ *   2. Run the plugin's `apply()` — the ACTUAL write against its OWN storage,
+ *      committed in the PLUGIN's own transaction. `apply` returns the
+ *      resulting current state (`next`); `remove`'s `apply` returns void and
+ *      `next` is `null` (tombstone). `apply` takes NO tx: a plugin-backed kind
+ *      lives behind a different drizzle client than `entity_transitions`, so
+ *      it cannot share the framework transaction.
+ *   3. AFTER the plugin write has committed: validate `next` (zod) and diff
+ *      prev → next. On a real diff, append the field-level transition rows to
+ *      `entity_transitions` in the FRAMEWORK's OWN transaction (a separate
+ *      db/client from the plugin's write).
+ *   4. Emit the internal `ENTITY_CHANGED` event carrying the mutating actor.
+ *      A rolled-back / throwing `apply` emits nothing and logs nothing — the
+ *      plugin write is the source of truth.
+ *
+ * Masking boundary: run-originated secret masking is confined to the EMITTED
+ * `ENTITY_CHANGED` payload and the `entity_transitions` rows. `mutate` returns
+ * the UNMASKED, zod-validated resulting state — the contract is "returns the
+ * resulting state", and masking is an emission/persistence concern, not part
+ * of the value the calling plugin gets back.
+ *
+ * Cross-plugin transaction boundary (the deliberate tradeoff): the plugin
+ * write (step 2) and the transition append (step 3) are NOT in one shared db
+ * transaction — they target different schemas behind different clients. The
+ * plugin write is authoritative; the transition append is a post-commit
+ * framework write. A failure between them leaves correct plugin state with a
+ * missing history row (a gap, never a corruption). A plugin platform must NOT
+ * couple plugin writes to framework-internal tables, so this decoupling is
+ * intentional. See `define-entity.ts` for the full rationale.
+ *
+ * A structurally-unchanged write (returns an equal state) is a no-op: the
+ * plugin write still happened, but no transition is appended and no event is
+ * emitted.
+ */
+import type { z } from "zod";
+import { SYSTEM_ACTOR, type Actor } from "@checkstack/common";
+
+import type {
+  EntityHandle,
+  EntityMutationOpts,
+  EntityRead,
+  MutateInput,
+  RemoveInput,
+} from "./define-entity";
+import type { EntityStore, TransitionAppend } from "./entity-store";
+import { serializeFieldValue } from "./entity-store";
+import { diffEntityState } from "./diff";
+import type { ChangeEmitter } from "./change-emitter";
+import type { RunSecretRegistry } from "../dispatch/run-secret-registry";
+
+export interface CreateHandleArgs<TState extends Record<string, unknown>> {
+  kind: string;
+  schema: z.ZodType<TState>;
+  store: EntityStore;
+  emitter: ChangeEmitter;
+  secretRegistry: RunSecretRegistry;
+  /** Plugin-owned current-state accessor (the single read path). */
+  read: EntityRead<TState>;
+}
+
+/** Resolve the effective actor for a mutation (defaults to the system actor). */
+function resolveActor(opts?: EntityMutationOpts): Actor {
+  return opts?.actor ?? SYSTEM_ACTOR;
+}
+
+/** Apply run-scoped secret masking to a payload when the write is run-originated. */
+function maskForRun(args: {
+  registry: RunSecretRegistry;
+  runId: string | undefined;
+  value: Record<string, unknown>;
+}): Record<string, unknown> {
+  const { registry, runId, value } = args;
+  if (!runId) return value;
+  // maskDeep returns the same JSON-shape with secret VALUES redacted.
+  const masked = registry.maskDeep(runId, value);
+  return masked as Record<string, unknown>;
+}
+
+export function createEntityHandle<TState extends Record<string, unknown>>(
+  args: CreateHandleArgs<TState>,
+): EntityHandle<TState> {
+  const { kind, schema, store, emitter, secretRegistry, read } = args;
+
+  /** Resolve the current state of one id via the plugin read accessor. */
+  async function readOne(id: string): Promise<TState | undefined> {
+    const map = await read([id]);
+    return map[id];
+  }
+
+  /** Build the transition rows for a changed-field set (prev/next views). */
+  function buildTransitions(args2: {
+    prev: Record<string, unknown> | null;
+    next: Record<string, unknown>;
+    changedFields: string[];
+  }): TransitionAppend[] {
+    const { prev, next, changedFields } = args2;
+    return changedFields.map((field) => ({
+      field,
+      fromValue: prev ? serializeFieldValue(prev[field]) : null,
+      toValue: serializeFieldValue(next[field]),
+    }));
+  }
+
+  /**
+   * Snapshot `prev` via the plugin `read` accessor STRICTLY BEFORE any write,
+   * masking run-originated reads. A change can never be missed because we
+   * never re-read prev after the write.
+   */
+  async function snapshotPrev(
+    id: string,
+    opts?: EntityMutationOpts,
+  ): Promise<Record<string, unknown> | null> {
+    const prevRaw = (await readOne(id)) ?? null;
+    return prevRaw === null
+      ? null
+      : maskForRun({
+          registry: secretRegistry,
+          runId: opts?.runId,
+          value: prevRaw as Record<string, unknown>,
+        });
+  }
+
+  /**
+   * Validate (zod) the post-write state WITHOUT masking. This is the state
+   * `mutate` returns to its caller — the contract is "returns the resulting
+   * state", and masking is purely an emission/persistence concern (it must
+   * not leak into the value the calling plugin gets back). A tombstone has no
+   * state.
+   */
+  function validateNext(applied: TState | null): Record<string, unknown> | null {
+    return applied === null
+      ? null
+      : (schema.parse(applied) as Record<string, unknown>);
+  }
+
+  /**
+   * Mask an already-validated state for the run-originated emit/transition
+   * path ONLY (a tombstone has none). Keeps secret VALUES out of the emitted
+   * `ENTITY_CHANGED` payload and the `entity_transitions` rows, while the
+   * unmasked validated state is what `mutate` returns.
+   */
+  function maskNext(
+    validated: Record<string, unknown> | null,
+    opts?: EntityMutationOpts,
+  ): Record<string, unknown> | null {
+    return validated === null
+      ? null
+      : maskForRun({
+          registry: secretRegistry,
+          runId: opts?.runId,
+          value: validated,
+        });
+  }
+
+  /**
+   * Diff prev → next, append transitions, and emit `ENTITY_CHANGED` when
+   * there is a real change. `appendTransitions` performs the durable
+   * transition write for a non-tombstone diff in a fresh framework tx AFTER
+   * the plugin write has committed.
+   *
+   * Masking boundary (reactive automation engine §3.5, §12): `prev` and
+   * `maskedNext` are the run-masked views — they feed the diff, the
+   * `entity_transitions` rows, and the emitted payload, so secret VALUES never
+   * leak into history or change events. `returnNext` is the UNMASKED, validated
+   * state echoed back to `mutate` (the caller gets the real resulting state;
+   * masking is purely an emission/persistence concern).
+   */
+  async function diffAppendEmit(args2: {
+    id: string;
+    opts?: EntityMutationOpts;
+    prev: Record<string, unknown> | null;
+    maskedNext: Record<string, unknown> | null;
+    returnNext: Record<string, unknown> | null;
+    appendTransitions: (rows: TransitionAppend[]) => Promise<void>;
+  }): Promise<Record<string, unknown> | null> {
+    const { id, opts, prev, maskedNext, returnNext, appendTransitions } = args2;
+
+    const { changedFields, delta } = diffEntityState({ prev, next: maskedNext });
+
+    // Structurally unchanged ⇒ no transition, no emit (the write itself may
+    // still have touched non-state columns; that is the plugin's concern).
+    if (changedFields.length === 0) return returnNext;
+
+    // Append transitions for a real write (a tombstone records none, like the
+    // old `remove`). Built from the MASKED next so secret values stay out of
+    // the durable history.
+    if (maskedNext !== null) {
+      await appendTransitions(
+        buildTransitions({ prev, next: maskedNext, changedFields }),
+      );
+    }
+
+    // Tombstone wire shape (§13.2): `delta` is `{}` because the tombstone
+    // signal is `next === null`, not a per-field null delta. A real write
+    // carries the changed-field delta. `changedFields` is still the set of
+    // prev fields (drives the change-event `changedFields` list).
+    await emitter.emit({
+      kind,
+      id,
+      prev,
+      next: maskedNext,
+      delta: maskedNext === null ? {} : delta,
+      changedFields,
+      actor: resolveActor(opts),
+      occurredAt: new Date().toISOString(),
+      // Per-change identity, generated ONCE here so it travels with every
+      // at-least-once redelivery of THIS change. Two distinct changes within
+      // one millisecond share an `occurredAt`; the changeId keeps them
+      // distinct in the Stage-2 trigger jobId (§13.2).
+      changeId: crypto.randomUUID(),
+    });
+
+    return returnNext;
+  }
+
+  /**
+   * PLUGIN-BACKED driven pipeline for `mutate` / `remove`. The plugin's
+   * `apply()` runs FIRST and commits in the PLUGIN's own transaction (no
+   * framework tx is handed in — a plugin-backed kind lives behind a different
+   * client). Only AFTER that commit does the framework open its OWN
+   * transaction to append the transition log, then emit. The plugin write is
+   * authoritative; a throwing `apply` appends nothing and emits nothing.
+   */
+  async function drivePluginBacked(input: {
+    id: string;
+    opts?: EntityMutationOpts;
+    apply: () => Promise<TState | null>;
+  }): Promise<Record<string, unknown> | null> {
+    const { id, opts, apply } = input;
+
+    // 1. Snapshot prev STRICTLY BEFORE the plugin write (masked view, for the
+    //    diff / transitions / emit).
+    const prev = await snapshotPrev(id, opts);
+
+    // 2. Run the plugin write, committed in the PLUGIN's own tx. A throw
+    //    propagates here, so nothing below runs (no append, no emit). Validate
+    //    once; `returnNext` is the UNMASKED state echoed to the caller and
+    //    `maskedNext` is the run-masked view used only for emit/transitions.
+    const returnNext = validateNext(await apply());
+    const maskedNext = maskNext(returnNext, opts);
+
+    // 3 + 4. AFTER the plugin commit, append transitions in the FRAMEWORK's
+    //    own tx, then emit. Not atomic with the plugin write (documented
+    //    cross-plugin tx boundary): a failure here leaves correct plugin state
+    //    with a missing history row, never a corrupted state.
+    return diffAppendEmit({
+      id,
+      opts,
+      prev,
+      maskedNext,
+      returnNext,
+      appendTransitions: (rows) =>
+        store.runInTransaction((tx) =>
+          store.appendTransitions({ tx, kind, entityId: id, transitions: rows }),
+        ),
+    });
+  }
+
+  /** Resolve "in this value since" for a field via the transition log. */
+  async function inStateSinceFor(
+    id: string,
+    field: string,
+  ): Promise<Date | null> {
+    const current = await readOne(id);
+    if (current === undefined) return null;
+    return store.inStateSince({
+      kind,
+      entityId: id,
+      field,
+      currentValue: current[field],
+    });
+  }
+
+  return {
+    kind,
+
+    async mutate(input: MutateInput<TState>): Promise<TState> {
+      const { id, opts, apply } = input;
+      // `apply` always returns a (non-null) state, so the pipeline resolves it
+      // regardless of whether the diff was a no-op.
+      const next = await drivePluginBacked({ id, opts, apply: () => apply() });
+      // Unreachable: `mutate`'s apply never yields null. Guarded for types.
+      if (next === null) {
+        throw new Error(
+          `EntityHandle.mutate: apply for kind "${kind}" id "${id}" resolved to no state`,
+        );
+      }
+      return next as TState;
+    },
+
+    async remove(input: RemoveInput): Promise<void> {
+      const { id, opts, apply } = input;
+      await drivePluginBacked({
+        id,
+        opts,
+        apply: async () => {
+          await apply();
+          return null;
+        },
+      });
+    },
+
+    async get(id) {
+      return readOne(id);
+    },
+
+    async getMany(ids) {
+      return read(ids);
+    },
+
+    async inStateSince(id, field) {
+      return inStateSinceFor(id, field);
+    },
+
+    async inStateForMs(id, field) {
+      const since = await inStateSinceFor(id, field);
+      if (since === null) return 0;
+      return Math.max(Date.now() - since.getTime(), 0);
+    },
+
+    async transitionCount({ id, field, windowMs }) {
+      return store.transitionCount({
+        kind,
+        entityId: id,
+        field,
+        windowMs,
+        now: new Date(),
+      });
+    },
+  };
+}

package/src/entity/cross-pod-read-consistency.it.test.ts

@@ -0,0 +1,281 @@
+/**
+ * Integration test (real Postgres): cross-pod reactive-entity read consistency.
+ *
+ * This is the DETERMINISTIC backstop for `.agent/rules/state-and-scale.md`
+ * that the single-process unit suite structurally cannot provide: "Does a read
+ * return the same answer on every pod?". The unit suite runs in one process, so
+ * a value written in that process is trivially visible to the same process —
+ * green typecheck/lint/tests do NOT prove scale-correctness. This test catches
+ * the class of bug where a reactive entity's CURRENT state is stored
+ * process-local (pod-local) memory instead of shared durable storage.
+ *
+ * ## Two-pod model (faithful proxy, justified)
+ *
+ * A full second platform boot per case is unnecessary to expose the bug: the
+ * bug is purely about WHERE the `read` accessor resolves state from. We model
+ * TWO independent "pods" as two independent entity registries, each with its
+ * OWN `EntityStore` over its OWN `pg.Pool` connection, BOTH pointed at the SAME
+ * Postgres database + schema:
+ *
+ *   - instance A — registry A + store A + pool A
+ *   - instance B — registry B + store B + pool B
+ *
+ * Separate pools/registries = separate processes for the property under test
+ * (no shared JS heap between A and B), while one DB + schema = the shared
+ * durable substrate N pods share in production. A mutation driven on A's handle
+ * (the pod that "claims the dispatch job") must be visible to B's `read` (the
+ * pod that later runs scope enrichment / `wait_until` re-eval).
+ *
+ * ## What it asserts
+ *
+ *   1. DURABLE kind (`it-shared`): `read` resolves from a shared table. A write
+ *      on A is visible to B's `get` AND B's `getMany` (scope-resolution shape).
+ *      This is the property a correct reactive entity MUST have.
+ *
+ *   2. POD-LOCAL kind (`it-pod-local`, NEGATIVE CONTROL): `read` resolves from a
+ *      per-instance in-memory Map. A write on A is INVISIBLE to B's read. We
+ *      ASSERT the inconsistency, so the test documents the bug shape and proves
+ *      it has teeth — a pod-local `read` for a real entity WOULD fail assertion
+ *      (1). If durable storage ever silently aliased the in-memory map (e.g. a
+ *      shared module singleton), this control would start failing.
+ *
+ * Gated behind `CHECKSTACK_IT=1` so the default `bun test` never runs it.
+ * Connection comes from `CHECKSTACK_IT_PG_URL`. Each run isolates itself in a
+ * freshly created Postgres schema and cleans up after itself.
+ */
+import { afterAll, beforeAll, describe, expect, it } from "bun:test";
+import { drizzle } from "drizzle-orm/node-postgres";
+import { z } from "zod";
+import { Pool } from "pg";
+
+import type { SafeDatabase } from "@checkstack/backend-api";
+
+import { entityTransitions } from "../schema";
+import type { EntityHandle, EntityRead } from "./define-entity";
+import { createEntityRegistry } from "./registry";
+import { createEntityStore } from "./entity-store";
+import { createChangeEmitter } from "./change-emitter";
+import { createRunSecretRegistry } from "../dispatch/run-secret-registry";
+
+const PG_URL =
+  process.env.CHECKSTACK_IT_PG_URL ??
+  "postgres://postgres:postgres@localhost:5432/postgres";
+
+const SCHEMA = `it_crosspod_${crypto.randomUUID().replace(/-/g, "")}`;
+
+/** The representative shared-table state shape. */
+const sharedStateSchema = z.object({ status: z.string() });
+type SharedState = z.infer<typeof sharedStateSchema>;
+
+const podLocalStateSchema = z.object({ status: z.string() });
+type PodLocalState = z.infer<typeof podLocalStateSchema>;
+
+const SHARED_KIND = "it-shared";
+const POD_LOCAL_KIND = "it-pod-local";
+
+/** A `SafeDatabase` over a pool (drizzle's NodePgDatabase, query-API omitted). */
+type StoreSchema = { entityTransitions: typeof entityTransitions };
+
+/**
+ * One simulated pod: an independent registry + store + emitter over its own
+ * pool, plus its own pod-local in-memory map (the negative control's backing
+ * store). The DURABLE kind reads the shared `it_entities` table; the POD-LOCAL
+ * kind reads THIS pod's map.
+ */
+interface Pod {
+  readonly pool: Pool;
+  readonly sharedHandle: EntityHandle<SharedState>;
+  readonly podLocalHandle: EntityHandle<PodLocalState>;
+  /** This pod's pod-local backing store (per-instance heap state). */
+  readonly localMap: Map<string, PodLocalState>;
+  end(): Promise<void>;
+}
+
+describe.skipIf(!process.env.CHECKSTACK_IT)(
+  "cross-pod reactive-entity read consistency (real Postgres)",
+  () => {
+    const pods: Pod[] = [];
+
+    /** Build one independent "pod" over its own connection to the shared DB. */
+    function makePod(): Pod {
+      const pool = new Pool({
+        connectionString: PG_URL,
+        options: `-c search_path=${SCHEMA}`,
+      });
+      const db = drizzle({
+        client: pool,
+        schema: { entityTransitions },
+      }) as unknown as SafeDatabase<StoreSchema>;
+
+      const emitter = createChangeEmitter();
+      const secretRegistry = createRunSecretRegistry();
+      const registry = createEntityRegistry({ secretRegistry, emitter });
+      registry.setStore({ store: createEntityStore(db) });
+
+      // DURABLE kind: `read` resolves from the SHARED `it_entities` table, so a
+      // write on any pod is visible to every pod. This is the correct shape.
+      const sharedRead: EntityRead<SharedState> = async (ids) => {
+        if (ids.length === 0) return {};
+        const { rows } = await pool.query<{ id: string; status: string }>(
+          `SELECT id, status FROM "${SCHEMA}".it_entities WHERE id = ANY($1)`,
+          [ids as string[]],
+        );
+        const out: Record<string, SharedState> = {};
+        for (const row of rows) out[row.id] = { status: row.status };
+        return out;
+      };
+      const sharedHandle = registry.defineEntity<SharedState>({
+        kind: SHARED_KIND,
+        state: sharedStateSchema,
+        read: sharedRead,
+      });
+
+      // POD-LOCAL kind (NEGATIVE CONTROL): `read` resolves from THIS pod's
+      // in-memory map. A write on pod A's map is invisible to pod B — the
+      // horizontal-scale bug this whole guard exists to forbid.
+      const localMap = new Map<string, PodLocalState>();
+      const podLocalRead: EntityRead<PodLocalState> = async (ids) => {
+        const out: Record<string, PodLocalState> = {};
+        for (const id of ids) {
+          const value = localMap.get(id);
+          if (value) out[id] = value;
+        }
+        return out;
+      };
+      const podLocalHandle = registry.defineEntity<PodLocalState>({
+        kind: POD_LOCAL_KIND,
+        state: podLocalStateSchema,
+        read: podLocalRead,
+      });
+
+      return {
+        pool,
+        sharedHandle,
+        podLocalHandle,
+        localMap,
+        end: () => pool.end(),
+      };
+    }
+
+    let podA: Pod;
+    let podB: Pod;
+
+    beforeAll(async () => {
+      const setupPool = new Pool({ connectionString: PG_URL });
+      try {
+        await setupPool.query(`CREATE SCHEMA IF NOT EXISTS "${SCHEMA}"`);
+        // The plugin-owned shared state table the DURABLE kind reads from.
+        await setupPool.query(`
+          CREATE TABLE "${SCHEMA}".it_entities (
+            id text PRIMARY KEY,
+            status text NOT NULL
+          )
+        `);
+        // The framework transition log every handle appends to (Model B).
+        await setupPool.query(`
+          CREATE TABLE "${SCHEMA}".entity_transitions (
+            id text PRIMARY KEY,
+            kind text NOT NULL,
+            entity_id text NOT NULL,
+            field text NOT NULL,
+            from_value text,
+            to_value text NOT NULL,
+            transitioned_at timestamp NOT NULL DEFAULT now()
+          )
+        `);
+      } finally {
+        await setupPool.end();
+      }
+
+      podA = makePod();
+      podB = makePod();
+      pods.push(podA, podB);
+    });
+
+    afterAll(async () => {
+      await Promise.all(pods.map((p) => p.end()));
+      const cleanupPool = new Pool({ connectionString: PG_URL });
+      try {
+        await cleanupPool.query(`DROP SCHEMA IF EXISTS "${SCHEMA}" CASCADE`);
+      } finally {
+        await cleanupPool.end();
+      }
+    });
+
+    /** The plugin write for the DURABLE kind: UPSERT the shared table row. */
+    function writeShared(pod: Pod, id: string, status: string) {
+      return async (): Promise<SharedState> => {
+        await pod.pool.query(
+          `INSERT INTO "${SCHEMA}".it_entities (id, status) VALUES ($1, $2)
+             ON CONFLICT (id) DO UPDATE SET status = EXCLUDED.status`,
+          [id, status],
+        );
+        return { status };
+      };
+    }
+
+    /** The plugin "write" for the POD-LOCAL kind: mutate THIS pod's map only. */
+    function writePodLocal(pod: Pod, id: string, status: string) {
+      return async (): Promise<PodLocalState> => {
+        pod.localMap.set(id, { status });
+        return { status };
+      };
+    }
+
+    it("durable kind: a write on pod A is visible to pod B's read + getMany", async () => {
+      const id = `ent-${crypto.randomUUID()}`;
+
+      // Mutate via pod A's handle (the pod that claimed the dispatch).
+      await podA.sharedHandle.mutate({ id, apply: writeShared(podA, id, "open") });
+
+      // Pod A sees its own write (sanity).
+      expect(await podA.sharedHandle.get(id)).toEqual({ status: "open" });
+
+      // The property under test: pod B — a DIFFERENT registry over a DIFFERENT
+      // connection, no shared heap — sees the SAME value.
+      expect(await podB.sharedHandle.get(id)).toEqual({ status: "open" });
+
+      // Scope-resolution shape (`getMany`) is consistent across pods too.
+      const manyB = await podB.sharedHandle.getMany([id]);
+      expect(manyB[id]).toEqual({ status: "open" });
+
+      // A follow-up write on A is likewise visible on B (not just first-write).
+      await podA.sharedHandle.mutate({
+        id,
+        apply: writeShared(podA, id, "resolved"),
+      });
+      expect(await podB.sharedHandle.get(id)).toEqual({ status: "resolved" });
+    });
+
+    it("NEGATIVE CONTROL: a pod-local read does NOT see another pod's write (proves teeth)", async () => {
+      const id = `ent-${crypto.randomUUID()}`;
+
+      // Mutate the POD-LOCAL kind on pod A: only pod A's in-memory map changes.
+      await podA.podLocalHandle.mutate({
+        id,
+        apply: writePodLocal(podA, id, "open"),
+      });
+
+      // Pod A sees its own pod-local write.
+      expect(await podA.podLocalHandle.get(id)).toEqual({ status: "open" });
+
+      // Pod B's read resolves from ITS OWN (empty) map — the write is invisible.
+      // This is exactly the horizontal-scale bug the guard forbids. We assert
+      // the inconsistency so the test documents the failure shape WITHOUT
+      // itself failing: were `it-pod-local` a real reactive entity, the durable
+      // assertion above would FAIL for it.
+      expect(await podB.podLocalHandle.get(id)).toBeUndefined();
+      const manyB = await podB.podLocalHandle.getMany([id]);
+      expect(manyB[id]).toBeUndefined();
+
+      // Cross-check: the DURABLE kind would have been visible here — so the
+      // difference is purely WHERE state lives, not a test artifact.
+      const durableId = `ent-${crypto.randomUUID()}`;
+      await podA.sharedHandle.mutate({
+        id: durableId,
+        apply: writeShared(podA, durableId, "open"),
+      });
+      expect(await podB.sharedHandle.get(durableId)).toEqual({ status: "open" });
+    });
+  },
+);