Below is the (secrets redacted) output I'm seeing. The default client-id and client-secret appear to be my actual secrets. This wouldn't be a problem in the before times, but now we have agents running shell commands and uploading the output into the cloud all day. Pulling all of the help output into context is just the kind of thing agents love to do, but if they do that here, it's a credentials leak. If nothing worse it triggers credential rotation policies, causing great annoyance.
$ pscale auth login --help
Authenticate with the PlanetScale API
Usage:
pscale auth login [flags]
Flags:
--api-url string The PlanetScale Auth API base URL. (default "https://auth.planetscale.com/")
--client-id string The client ID for the PlanetScale CLI application. (default "SECRET")
--client-secret string The client ID for the PlanetScale CLI application (default "SECRET")
-h, --help help for login
Global Flags:
--api-token string The API token to use for authenticating against the PlanetScale API.
--config string Config file (default is $HOME/.config/planetscale/pscale.yml)
--debug Enable debug mode
-f, --format string Show output in a specific format. Possible values: [human, json, csv] (default "human")
--no-color Disable color output
--service-token string Service Token for authenticating.
--service-token-id string The Service Token ID for authenticating.
Below is the (secrets redacted) output I'm seeing. The default client-id and client-secret appear to be my actual secrets. This wouldn't be a problem in the before times, but now we have agents running shell commands and uploading the output into the cloud all day. Pulling all of the help output into context is just the kind of thing agents love to do, but if they do that here, it's a credentials leak. If nothing worse it triggers credential rotation policies, causing great annoyance.