POST /_api/projects/<name>/promote returns the full project including its env dict with plaintext secrets (GITHUB_CLIENT_SECRET, GOOGLE_CLIENT_SECRET, etc.), while GET /_api/projects correctly redacts them. So an admin promote call spills secrets to the console/logs where the read path wouldn't.
Fix: apply the same env redaction to the promote (and any other project-returning mutation) response as GET /_api/projects uses. Admin API responses shouldn't echo raw secrets.
Observed live on pod.dstack promoting oauth3.
🤖 Generated with Claude Code
POST /_api/projects/<name>/promotereturns the full project including itsenvdict with plaintext secrets (GITHUB_CLIENT_SECRET, GOOGLE_CLIENT_SECRET, etc.), whileGET /_api/projectscorrectly redacts them. So an admin promote call spills secrets to the console/logs where the read path wouldn't.Fix: apply the same env redaction to the promote (and any other project-returning mutation) response as
GET /_api/projectsuses. Admin API responses shouldn't echo raw secrets.Observed live on pod.dstack promoting oauth3.
🤖 Generated with Claude Code