Background
Surfaced in PR #603 blind-round-2 security review (sec-M6). The PostToolUse emitter uses post-only transition detection (cycle 1 simplification): `_is_terminal_status_update` returns True only on `status=completed` or `status=deleted`.
Issue
If the lead transfers task ownership from a regular owner to a SELF_COMPLETE_EXEMPT_AGENT (e.g., `secretary`) WITHOUT changing status, the active-count drops 1→0 (the task no longer counts as lifecycle-relevant), but `_is_terminal_status_update` returns False (status unchanged). No Teardown directive emits. The Monitor keeps running with no active tasks remaining.
STATE_FILE references an orphaned monitor_task_id from the prior session.
Boundedness
- SessionEnd `cleanup_wake_registry` (session_end.py) catches it on session exit (path-validated unlink + best-effort TaskStop)
- In-session orphan Monitor doesn't break the wake mechanism — wake fires still deliver to the lead
- Owner-flip-to-exempt without status change is rare in practice (typically owner changes accompany status transitions)
Possible future paths
- Add "count drop" detection in the emitter that fires on any TaskUpdate where post < pre (independent of the status field). This means recomputing pre-state for non-status TaskUpdates, which adds complexity to the post-only detection model that was deliberately simplified in cycle 1.
- Detect carve-out membership flip explicitly: read pre-update task state, check if owner crossed SELF_COMPLETE_EXEMPT_AGENTS membership boundary. Narrow scope, avoids full pre-state recompute.
- Accept current behavior; SessionEnd cleanup is the safety net.
Source
Blind-round-2 security review (May 2026). Security-engineer flagged as MINOR; user directed to file as tracking issue.
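A sketch of the second future path (explicit carve-out membership flip), added here as an illustration and not taken from the project's code. Only `SELF_COMPLETE_EXEMPT_AGENTS`, `_is_terminal_status_update` and `secretary` come from this issue; the task dict shape, the other function names, and the agent name `backend-coder` are assumptions.

```python
# Added example. Only SELF_COMPLETE_EXEMPT_AGENTS, _is_terminal_status_update and
# "secretary" come from the issue; every other name and the dict shape are assumed.
SELF_COMPLETE_EXEMPT_AGENTS = frozenset({"secretary"})
TERMINAL_STATUSES = frozenset({"completed", "deleted"})


def _is_terminal_status_update(update):
    """Post-only check as the issue describes it: inspects the update alone."""
    return update.get("status") in TERMINAL_STATUSES


def is_lifecycle_relevant(task):
    """Counts toward the active count: non-terminal status, non-exempt owner."""
    return (task.get("status") not in TERMINAL_STATUSES
            and task.get("owner") not in SELF_COMPLETE_EXEMPT_AGENTS)


def crossed_exempt_boundary(pre_task, update):
    """True when a counted task is handed to an exempt owner."""
    return (is_lifecycle_relevant(pre_task)
            and update.get("owner") in SELF_COMPLETE_EXEMPT_AGENTS)


def should_emit_teardown(tasks, task_id, update, detect_owner_flip=True):
    """Decide whether this TaskUpdate should emit a Teardown directive.

    detect_owner_flip=False models the current post-only behaviour.
    """
    pre = tasks[task_id]  # the only pre-update state that is read
    triggered = _is_terminal_status_update(update) or (
        detect_owner_flip and crossed_exempt_boundary(pre, update))
    if not triggered:
        return False
    post = {**tasks, task_id: {**pre, **update}}
    return not any(is_lifecycle_relevant(t) for t in post.values())


# Constructed sample: one active task owned by a regular (non-exempt) agent.
SAMPLE_TASKS = {"t1": {"owner": "backend-coder", "status": "in_progress"}}
OWNER_FLIP = {"owner": "secretary"}  # status deliberately left unchanged

if __name__ == "__main__":
    print(should_emit_teardown(SAMPLE_TASKS, "t1", OWNER_FLIP, detect_owner_flip=False))
    print(should_emit_teardown(SAMPLE_TASKS, "t1", OWNER_FLIP))
```

The pre-update read is limited to the one task being updated, which is what keeps this narrower than a full "count drop" recompute.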