Summary
In process_pending_secret_requests(), if a single-task plan completes before the first tick loop iteration processes any secret requests, the secret bridging is never called. This affects plans where the only task completes instantly (e.g., cached responses, very fast sub-agents).
Reproduction
- Create a single-task plan where the sub-agent requests a secret and completes before the first
wait_event() fires the secret check.
- The secret request is never shown to the user.
Expected behavior
Secret requests are always processed before the scheduler terminates, even if the graph completes on the first tick.
Impact
Low — only affects single-task plans with instant completion AND a secret request.
Suggested fix
Move the secret drain loop to run BEFORE wait_event() AND AFTER tick() actions are processed (already done), but also add a final drain pass after the tick loop exits.
Identified as IC-CRIT-10 in validator review of PR for issue #1434.
Summary
In
process_pending_secret_requests(), if a single-task plan completes before the first tick loop iteration processes any secret requests, the secret bridging is never called. This affects plans where the only task completes instantly (e.g., cached responses, very fast sub-agents).Reproduction
wait_event()fires the secret check.Expected behavior
Secret requests are always processed before the scheduler terminates, even if the graph completes on the first tick.
Impact
Low — only affects single-task plans with instant completion AND a secret request.
Suggested fix
Move the secret drain loop to run BEFORE
wait_event()AND AFTERtick()actions are processed (already done), but also add a final drain pass after the tick loop exits.Identified as IC-CRIT-10 in validator review of PR for issue #1434.