fix: address PR review feedback

- Change body logging from log to debug level (avoid leaking IAM data in prod)
- Roll back optimistic state on API failure in project picker
- Rename orgId → gcpOrgId to avoid shadowing app org ID
- Add defensive validation for servicesByProject JSON shape
- Add .catch() to prevent unhandled promise rejections in ServiceCard

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tofikwest

apps/api/src/cloud-security/gcp-command-executor.ts

@@ -217,7 +217,7 @@ async function executeOnce(
   logger.log(`${step.method} ${url} — ${step.purpose}`);
   if (effectiveBody && (step.method === 'POST' || step.method === 'PUT' || step.method === 'PATCH')) {
     const bodyStr = JSON.stringify(effectiveBody);
-    logger.log(`  Body (${bodyStr.length} chars): ${bodyStr.substring(0, 2000)}${bodyStr.length > 2000 ? '...' : ''}`);
+    logger.debug(`  Body (${bodyStr.length} chars): ${bodyStr.substring(0, 2000)}${bodyStr.length > 2000 ? '...' : ''}`);
   }
 
   const response = await fetch(url, {

apps/api/src/integration-platform/controllers/services.controller.ts

@@ -97,10 +97,15 @@ export class ServicesController {
 
     // Per-project service mapping (GCP only)
     const servicesByProject =
-      (variables.servicesByProject as Record<string, string[]>) ?? {};
+      variables.servicesByProject &&
+      typeof variables.servicesByProject === 'object' &&
+      !Array.isArray(variables.servicesByProject)
+        ? (variables.servicesByProject as Record<string, string[]>)
+        : {};
     // Invert: service → project IDs
     const projectsByService: Record<string, string[]> = {};
     for (const [projectId, serviceIds] of Object.entries(servicesByProject)) {
+      if (!Array.isArray(serviceIds)) continue;
       for (const svcId of serviceIds) {
         (projectsByService[svcId] ??= []).push(projectId);
       }

apps/app/src/app/(app)/[orgId]/cloud-tests/components/ServiceCard.tsx

@@ -163,7 +163,7 @@ export function ServiceCard({
             role="switch"
             aria-checked={isEnabled}
             disabled={toggling}
-            onClick={() => void Promise.resolve(onToggle?.(service.id, !isEnabled))}
+            onClick={() => void Promise.resolve(onToggle?.(service.id, !isEnabled)).catch(() => {})}
             className={`relative inline-flex h-5 w-9 shrink-0 cursor-pointer items-center rounded-full transition-colors disabled:opacity-50 ${
               isEnabled ? 'bg-primary' : 'bg-muted-foreground/30'
             }`}

apps/app/src/app/(app)/[orgId]/integrations/[slug]/components/ProviderDetailView.tsx

@@ -308,10 +308,11 @@ export function ProviderDetailView({
               <GcpProjectPicker
                 organizations={gcpOrgs}
                 selectedProjectIds={gcpSelectedProjectIds}
-                onToggleProject={(orgId, projectId) => {
-                  const next = gcpSelectedProjectIds.includes(projectId)
-                    ? gcpSelectedProjectIds.filter((id) => id !== projectId)
-                    : [...gcpSelectedProjectIds, projectId];
+                onToggleProject={(gcpOrgId, projectId) => {
+                  const prev = gcpSelectedProjectIds;
+                  const next = prev.includes(projectId)
+                    ? prev.filter((id) => id !== projectId)
+                    : [...prev, projectId];
                   setGcpSelectedProjectIds(next);
                   // Build name map keyed by both project ID and project number
                   const allProjects = gcpOrgs.flatMap((o) => o.projects);
@@ -328,10 +329,11 @@ export function ProviderDetailView({
                   void api
                     .post(
                       `/v1/cloud-security/select-gcp-projects/${selectedConnection.id}`,
-                      { projectIds: next, projectNames, gcpOrganizationId: orgId },
+                      { projectIds: next, projectNames, gcpOrganizationId: gcpOrgId },
                     )
                     .then(async (res) => {
                       if (res.error) {
+                        setGcpSelectedProjectIds(prev);
                         toast.error('Failed to update projects');
                         return;
                       }

apps/app/src/app/(app)/[orgId]/integrations/[slug]/components/ServiceCard.tsx

@@ -148,7 +148,7 @@ export function ServiceCard({
             role="switch"
             aria-checked={isEnabled}
             disabled={toggling}
-            onClick={() => void Promise.resolve(onToggle?.(service.id, !isEnabled))}
+            onClick={() => void Promise.resolve(onToggle?.(service.id, !isEnabled)).catch(() => {})}
             className={`relative inline-flex h-5 w-9 shrink-0 cursor-pointer items-center rounded-full transition-colors disabled:opacity-50 ${
               isEnabled ? 'bg-primary' : 'bg-muted-foreground/30'
             }`}