From 8dd952a8f75d6c40b59482661612ba2df7eb245f Mon Sep 17 00:00:00 2001
From: Brian Durand
Date: Wed, 18 Mar 2026 18:34:21 -0700
Subject: [PATCH 1/2] hide runtime settings on secret fields when they are not secure
---
 CHANGELOG.md | 6 ++++++
 VERSION | 2 +-
 lib/ultra_settings/configuration.rb | 11 ++++++++++-
 spec/ultra_settings/configuration_spec.rb | 15 +++++++++++++++
 4 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 633a459..d4ce9bb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## 2.9.1
+
+### Fixed
+
+- Fixed a bug where the web UI showed runtime settings as valid data sources for secret fields even when `UltraSettings.runtime_settings_secure` was set to `false`.
+
 ## 2.9.0
 ### Added
diff --git a/VERSION b/VERSION
index c8e38b6..dedcc7d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.9.0
+2.9.1
diff --git a/lib/ultra_settings/configuration.rb b/lib/ultra_settings/configuration.rb
index 4cc821e..32a0f1d 100644
--- a/lib/ultra_settings/configuration.rb
+++ b/lib/ultra_settings/configuration.rb
@@ -560,7 +560,7 @@ def __available_sources__(name)
 sources = []
 sources << :env if field.env_var
- sources << :settings if !field.static? && field.runtime_setting && UltraSettings.__runtime_settings__
+ sources << :settings if __runtime_setting_allowed?(field)
 sources << :yaml if field.yaml_key && self.class.configuration_file
 sources << :default unless field.default.nil?
 sources
@@ -646,5 +646,14 @@ def __use_default?(value, default_if)
 def __yaml_config__
 @ultra_settings_yaml_config ||= self.class.load_yaml_config || {}
 end
+
+ def __runtime_setting_allowed?(field)
+ return false unless UltraSettings.__runtime_settings__
+ return false if field.static?
+ return false unless field.runtime_setting
+ return false if field.secret? && !UltraSettings.runtime_settings_secure?
+
+ true
+ end
 end
 end
diff --git a/spec/ultra_settings/configuration_spec.rb b/spec/ultra_settings/configuration_spec.rb
index 9828b5e..8b6c881 100644
--- a/spec/ultra_settings/configuration_spec.rb
+++ b/spec/ultra_settings/configuration_spec.rb
@@ -326,6 +326,21 @@
 config = TestConfiguration.instance
 expect(config.__available_sources__(:static)).not_to include(:settings)
 end
+
+ it "does not include runtime settings for secret fields when runtime_settings_secure is false", settings: {"my_service.host" => "host"} do
+ config = MyServiceConfiguration.instance
+ expect(config.__available_sources__(:host)).to include(:settings)
+ UltraSettings.runtime_settings_secure = false
+ begin
+ # non-secret field still includes :settings
+ expect(config.__available_sources__(:host)).to include(:settings)
+ # secret field should exclude :settings when runtime_settings_secure is false
+ test_config = TestConfiguration.instance
+ expect(test_config.__available_sources__(:secret)).not_to include(:settings)
+ ensure
+ UltraSettings.runtime_settings_secure = true
+ end
+ end
 end
 describe "__value_from_source__" do
From 3cba2e1c3b49a77f27d3d1e8947f33164dc878ad Mon Sep 17 00:00:00 2001
From: Brian Durand
Date: Wed, 18 Mar 2026 18:39:03 -0700
Subject: [PATCH 2/2] test app runtime setting not secure by default
---
 config.ru | 1 +
 test_app/config/initializers/ultra_settings.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/config.ru b/config.ru
index 563d13d..a32d4bf 100644
--- a/config.ru
+++ b/config.ru
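Review bot: `__runtime_setting_allowed?` is undocumented, yet it now holds the whole policy for when a field may be backed by runtime settings, including the new rule that a secret field needs `UltraSettings.runtime_settings_secure?`; a reader of `__available_sources__` cannot tell from the call site why a secret field loses `:settings`. Suggest a comment above the `def`: `# True when the field may be served from runtime settings: runtime settings must be configured, the field must be non-static and opt in via runtime_setting, and a secret field additionally requires UltraSettings.runtime_settings_secure?.` The changelog describes this as a web-UI display fix, so if the value-resolution path (`__value_from_source__`, outside this hunk) applies the same secret/secure rule on its own, routing it through this helper would keep the two from drifting. The enclosing class continues outside the hunk.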
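Review bot: The `ensure` branch restores `UltraSettings.runtime_settings_secure = true` unconditionally rather than the value in effect before the example, so if the suite's configured default differs this example silently changes it for every later example. Capture it first, `original = UltraSettings.runtime_settings_secure?`, and restore with `UltraSettings.runtime_settings_secure = original` in the `ensure`. Moving the assignment to `false` inside the `begin` would also keep the `ensure` paired with the mutation it undoes. The surrounding `describe` block starts outside the hunk.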
@@ -28,6 +28,7 @@ else
 end
 UltraSettings.fields_secret_by_default = false
+UltraSettings.runtime_settings_secure = false
 UltraSettings.yaml_config_path = File.join(__dir__, "spec", "config")
 UltraSettings.runtime_settings_url = ENV.fetch("RUNTIME_SETTINGS_URL", "http://localhost:9494#edit=${name}&type=${type}&description=${description}")
diff --git a/test_app/config/initializers/ultra_settings.rb b/test_app/config/initializers/ultra_settings.rb
index c03a37d..4a03830 100644
--- a/test_app/config/initializers/ultra_settings.rb
+++ b/test_app/config/initializers/ultra_settings.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 UltraSettings.fields_secret_by_default = false
+UltraSettings.runtime_settings_secure = false
 UltraSettings.runtime_settings = {
 "app.service_timeout" => 2.0