Description
When deploying an existing agent with a prebuilt image, secrets flags are accepted but never processed — no warning, no error. The deploy succeeds, so the omission is invisible until you notice the agent's env vars are stale.
    lk agent deploy \
      --secrets-file .env.production \
      --config livekit.toml \
      --image my-prebuilt-image
    # image deploys fine; .env.production is silently never pushed
Cause
In deployAgent (cmd/lk/agent.go, ~768 on main), the --image/--image-tar branch returns before requireSecrets is reached:
    if imageRef != "" || imageTar != "" {
        if err := deployPrebuiltImage(buildContext, agentId, imageRef, imageTar); err != nil {
            return fmt.Errorf("unable to deploy prebuilt image: %w", err)
        }
        fmt.Println("Deployed agent")
        return nil
    }
    secrets, err := requireSecrets(ctx, cmd, false, true) // never reached with --image
Notably, createAgent calls requireSecrets before its image branch (~577), so lk agent create --image does honor secrets — only deploy drops them, which suggests this is unintentional rather than by design.
Impact
We use --image because LiveKit Cloud's remote builder can't authenticate to our private package registry, so local builds are the only option. Our CI passed --secrets-file on every deploy for weeks; every deploy shipped new code while the agent's env vars stayed frozen at the last source-build deploy. Nothing in the output hinted secrets were being skipped.
Expected
Either of:
- Push the provided secrets on the prebuilt-image path too (matching create and the source-build path), or
- At minimum, fail or loudly warn when --secrets-file/--secrets is combined with --image/--image-tar.
Option 1 seems right given create already behaves that way.
Environment
- livekit-cli v2.16.3 (also verified against current main)
- Workaround: run lk agent update-secrets --secrets-file ... explicitly before lk agent deploy --image ...
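
The early-return ordering described under Cause, next to the two behaviours listed under Expected, as a self-contained Go model. This is an added example, not livekit-cli code: the `opts` and `backend` types, the error value and all three function names are hypothetical stand-ins.

```go
package main

import "fmt"

// opts holds the two flags from the issue; backend records what a deploy sent (both hypothetical).
type opts struct{ SecretsFile, Image string }
type backend struct {
	secretsPushed bool
	deployed      string
}

var errSecretsIgnored = fmt.Errorf("--secrets-file cannot be combined with --image")

// deployBuggy mirrors the reported ordering: the image branch returns first.
func deployBuggy(o opts, b *backend) error {
	if o.Image != "" {
		b.deployed = o.Image
		return nil // secrets handling below is never reached
	}
	b.secretsPushed = o.SecretsFile != ""
	b.deployed = "source-build"
	return nil
}

// deployFixed is option 1: handle secrets before branching on the image.
func deployFixed(o opts, b *backend) error {
	b.secretsPushed = o.SecretsFile != "" // runs on every path
	b.deployed = "source-build"
	if o.Image != "" {
		b.deployed = o.Image
	}
	return nil
}

// deployStrict is option 2: refuse the combination instead of dropping it.
func deployStrict(o opts, b *backend) error {
	if o.Image != "" && o.SecretsFile != "" {
		return errSecretsIgnored
	}
	return deployBuggy(o, b)
}

func main() {
	o := opts{SecretsFile: ".env.production", Image: "my-prebuilt-image"}
	var buggy, fixed backend
	fmt.Println(deployBuggy(o, &buggy), deployFixed(o, &fixed), deployStrict(o, &backend{}))
	fmt.Println(buggy.secretsPushed, fixed.secretsPushed)
}
```

A regression test of this shape, asserting that secrets are pushed (or an error is returned) whenever both flags are set, would have caught the silent drop.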