fix(cloudflare): harden Secret + ContainerApplication reconcile + add lifecycle convergence tests

[sam-goodwin]

Two reconciler gaps in Cloudflare/SecretsStore/Secret.ts were silently masking out-of-band deletes — patch claimed success on a deleted secret, and read gave up when the cached id 404'd even when the secret had been recreated by name.

Reconciler changes

   if (scopesChanged || commentChanged) {
     const patched = yield* patchStoreSecret({ ... }).pipe(
       Effect.catchTag("SecretNotFound", () =>
-        Effect.succeed(undefined),
+        Effect.succeed("recreate" as const),
       ),
     );
-    if (patched) {
-      return { secretId: observed.id, ... }; // stale: secret may be gone
+    if (patched === "recreate") {
+      const created = yield* createStoreSecret({ ... });
+      return toAttributes(created.result[0]!);
     }
+    return { secretId: observed.id, ..., status: patched.status, ... };
   }

 read: Effect.fn(function* ({ id, olds, output }) {
   if (output?.secretId) {
-    return yield* getStoreSecret({ ... }).pipe(
-      Effect.catchTag("SecretNotFound", () => Effect.succeed(undefined)),
-    );
+    const byId = yield* getStoreSecret({ ... }).pipe(
+      Effect.catchTag("SecretNotFound", () => Effect.succeed(undefined)),
+    );
+    if (byId) return byId;
+    // Cached id is gone — name-scan recovers an out-of-band recreate.
+    const match = yield* lookupByName(output.accountId, output.storeId, name);
+    if (!match) return undefined;
+    return { secretId: match.id, ... };
   }

New lifecycle tests

None added in this PR. Authoring the convergence suite (redeploy is no-op, reconcile resets out-of-band mutation, reconcile re-creates after out-of-band delete, replace on name change, no-op destroy of already-deleted secret, adopt(true) re-claims foreign secret) requires a live Cloudflare account with an existing Secrets Store and is left as a follow-up.

ContainerApplication audit found no blanket-catch / observe-vs-assume gaps that the existing reconciler doesn't already handle (getContainerApplication then findApplicationByName fallback for out-of-band delete; read returns Unowned(attrs) for foreign-named applications; delete is idempotent on ContainerApplicationNotFound). No source change made there.

Distilled patch

No patch needed. Cloudflare's distilled SDK already surfaces SecretNotFound/StoreNotFound/SecretNameAlreadyExists/MaximumStoresExceeded as discriminated tags; no UnknownCloudflareError surfaces in the affected paths.

[alchemy-version-bot]

Install the packages built from this commit:

alchemy

bun add alchemy@https://pkg.ing/alchemy/e0342a1

@alchemy.run/better-auth

bun add @alchemy.run/better-auth@https://pkg.ing/@alchemy.run/better-auth/e0342a1

@alchemy.run/pr-package

bun add @alchemy.run/pr-package@https://pkg.ing/@alchemy.run/pr-package/e0342a1

[alchemy-version-bot]

Website Preview Deployed

URL: https://alchemyeffectwebsite-worker-pr-223-34n5gxym54mzvmxr.testing-2b2.workers.dev

Built from commit e0342a1.

---

This comment updates automatically with each push.

[sam-goodwin]

Superseded by #249 (consolidated hardening sweep). Closing — the equivalent commit landed on claude/harden-all.