Log cleanup failures in prepare_session_resources #31
Description
Summary
When fails partway through secret creation (e.g., secret #2 fails after secret #1 was created), runs but its error is discarded with . If the cleanup itself fails, previously-created credentials persist on the host with no indication to the operator.
This is the same gap that the current remediation patch addresses in 's two cleanup paths (create-failure and run-plus-cleanup-failure). The site was explicitly scoped out of that patch but has the identical pattern.
Constraints
- The fix must be consistent with however the current patch surfaces cleanup failures in (currently: log to stderr, return the primary error).
- No new error variants or public API changes.
- Predecessor: the in-flight remediation for attached-start reaping and cleanup-failure visibility.
Acceptance Criteria
- When fails and the subsequent also fails, the cleanup failure is observable in process stderr.
- The primary error (the secret creation failure) is still the returned error.
- The cleanup-log mechanism is the same one used by 's cleanup paths — no second logging pattern.