Fix: always load flat secret as primary regardless of labeled secrets

cdk/lib/agent-claw-stack.ts

@@ -230,6 +230,11 @@ export class AgentClawStack extends cdk.Stack {
       actions: ['secretsmanager:GetSecretValue'],
       resources: [`arn:aws:secretsmanager:${this.region}:${this.account}:secret:agent-claw/google-credentials/*`],
     }));
+    runtime1Role.addToPolicy(new iam.PolicyStatement({
+      sid: 'GoogleCredentialsListRuntime',
+      actions: ['secretsmanager:ListSecrets'],
+      resources: ['*'],
+    }));
 
     // Pass workspace_mcp MCP URL to agent-runner (informational)
     agentRunnerFn.addEnvironment('WORKSPACE_MCP_URL', workspaceMcpMcpUrl);