`uv add` puts plaintext credentials in `pyproject.toml`

[charliermarsh]

Hey,

Sorry to chime in on a closed issue, but I did get owned by this issue recently, using uv==0.5.11.
Both UV_DEFAULT_INDEX and UV_EXTRA_INDEX_URL are defined as environment variables, but I did not set anything in pyproject.toml, so using uv add library leaked my private info.

I have read the docs on configuration and private indexes, but I don't get the point of defining a [[tool.uv.index]] entry in the pyproject.toml if you have environment variables or a proper global uv.toml file.

Originally posted by @gaspardc-met in #8483