feat(v3): migrate workspace to API, Tauri desktop, and v3 crates; remove legacy MCP stack

- Add apps/api, desktop Tauri shell, domain/application/crypto/device-auth/infrastructure-db
- Replace desktop-daemon vault integration; drop secrets-core and secrets-mcp*
- Ignore apps/desktop/dist and generated Tauri icons; document icon/dist steps in AGENTS.md
- Apply rustfmt; fix clippy (collapsible_if, HTTP method as str)

crates/application/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "secrets-application"
+version = "0.1.0"
+edition.workspace = true
+
+[lib]
+name = "secrets_application"
+path = "src/lib.rs"
+
+[dependencies]
+anyhow.workspace = true
+chrono.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+sqlx.workspace = true
+uuid.workspace = true
+
+secrets-domain = { path = "../domain" }

crates/application/src/conflict.rs

@@ -0,0 +1,9 @@
+use secrets_domain::VaultObjectEnvelope;
+use uuid::Uuid;
+
+#[derive(Debug, Clone)]
+pub struct RevisionConflict {
+    pub change_id: Uuid,
+    pub object_id: Uuid,
+    pub server_object: Option<VaultObjectEnvelope>,
+}

crates/application/src/lib.rs

@@ -0,0 +1,3 @@
+pub mod conflict;
+pub mod sync;
+pub mod vault_store;

crates/application/src/sync.rs

@@ -0,0 +1,252 @@
+use anyhow::Result;
+use sqlx::PgPool;
+use uuid::Uuid;
+
+use secrets_domain::{
+    SyncAcceptedChange, SyncConflict, SyncPullRequest, SyncPullResponse, SyncPushRequest,
+    SyncPushResponse, VaultObjectChange, VaultObjectEnvelope,
+};
+
+use crate::vault_store::{
+    get_object, list_objects_since, list_tombstones_since, max_server_revision,
+};
+
+fn detect_conflict(
+    change: &VaultObjectChange,
+    existing: Option<&VaultObjectEnvelope>,
+) -> Option<SyncConflict> {
+    match (change.base_revision, existing) {
+        (Some(base_revision), Some(server_object)) if server_object.revision != base_revision => {
+            Some(SyncConflict {
+                change_id: change.change_id,
+                object_id: change.object_id,
+                reason: "revision_conflict".to_string(),
+                server_object: Some(server_object.clone()),
+            })
+        }
+        _ if !matches!(change.operation.as_str(), "upsert" | "delete") => Some(SyncConflict {
+            change_id: change.change_id,
+            object_id: change.object_id,
+            reason: "unsupported_operation".to_string(),
+            server_object: existing.cloned(),
+        }),
+        _ => None,
+    }
+}
+
+pub async fn sync_pull(
+    pool: &PgPool,
+    user_id: Uuid,
+    request: SyncPullRequest,
+) -> Result<SyncPullResponse> {
+    let cursor = request.cursor.unwrap_or(0).max(0);
+    let limit = request.limit.unwrap_or(200).clamp(1, 500);
+    let objects = list_objects_since(pool, user_id, cursor, limit).await?;
+    let tombstones = if request.include_deleted {
+        list_tombstones_since(pool, user_id, cursor, limit).await?
+    } else {
+        Vec::new()
+    };
+    let server_revision = max_server_revision(pool, user_id).await?;
+    let next_cursor = objects
+        .last()
+        .map(|object| object.revision)
+        .unwrap_or(cursor);
+
+    Ok(SyncPullResponse {
+        server_revision,
+        next_cursor,
+        has_more: (objects.len() as i64) >= limit,
+        objects,
+        tombstones,
+    })
+}
+
+pub async fn sync_push(
+    pool: &PgPool,
+    user_id: Uuid,
+    request: SyncPushRequest,
+) -> Result<SyncPushResponse> {
+    let mut accepted = Vec::new();
+    let mut conflicts = Vec::new();
+
+    for change in request.changes {
+        let existing = get_object(pool, user_id, change.object_id).await?;
+        if let Some(conflict) = detect_conflict(&change, existing.as_ref()) {
+            conflicts.push(conflict);
+            continue;
+        }
+
+        let next_revision = existing
+            .as_ref()
+            .map(|object| object.revision + 1)
+            .unwrap_or(1);
+        let next_cipher_version = change.cipher_version.unwrap_or(1);
+        let next_ciphertext = change.ciphertext.clone().unwrap_or_default();
+        let next_content_hash = change.content_hash.clone().unwrap_or_default();
+        let next_deleted_at = if change.operation == "delete" {
+            Some(chrono::Utc::now())
+        } else {
+            None
+        };
+
+        match change.operation.as_str() {
+            "upsert" => {
+                sqlx::query(
+                    r#"
+                    INSERT INTO vault_objects (
+                        object_id, user_id, object_kind, revision, cipher_version, ciphertext, content_hash, deleted_at, updated_at, created_by_device
+                    )
+                    VALUES ($1, $2, $3, $4, $5, $6, $7, NULL, NOW(), NULL)
+                    ON CONFLICT (object_id)
+                    DO UPDATE SET
+                        revision = EXCLUDED.revision,
+                        cipher_version = EXCLUDED.cipher_version,
+                        ciphertext = EXCLUDED.ciphertext,
+                        content_hash = EXCLUDED.content_hash,
+                        deleted_at = NULL,
+                        updated_at = NOW()
+                    "#,
+                )
+                .bind(change.object_id)
+                .bind(user_id)
+                .bind(change.object_kind.as_str())
+                .bind(next_revision)
+                .bind(next_cipher_version)
+                .bind(next_ciphertext.clone())
+                .bind(next_content_hash.clone())
+                .execute(pool)
+                .await?;
+            }
+            "delete" => {
+                sqlx::query(
+                    r#"
+                    UPDATE vault_objects
+                    SET revision = $1, deleted_at = NOW(), updated_at = NOW()
+                    WHERE object_id = $2
+                      AND user_id = $3
+                    "#,
+                )
+                .bind(next_revision)
+                .bind(change.object_id)
+                .bind(user_id)
+                .execute(pool)
+                .await?;
+            }
+            _ => unreachable!("unsupported operations are filtered by detect_conflict"),
+        }
+
+        sqlx::query(
+            r#"
+            INSERT INTO vault_object_revisions (
+                object_id, user_id, revision, cipher_version, ciphertext, content_hash, deleted_at, created_at
+            )
+            VALUES ($1, $2, $3, $4, $5, $6, $7, NOW())
+            "#,
+        )
+        .bind(change.object_id)
+        .bind(user_id)
+        .bind(next_revision)
+        .bind(next_cipher_version)
+        .bind(next_ciphertext)
+        .bind(next_content_hash)
+        .bind(next_deleted_at)
+        .execute(pool)
+        .await?;
+
+        accepted.push(SyncAcceptedChange {
+            change_id: change.change_id,
+            object_id: change.object_id,
+            revision: next_revision,
+        });
+    }
+
+    let server_revision = max_server_revision(pool, user_id).await?;
+    Ok(SyncPushResponse {
+        server_revision,
+        accepted,
+        conflicts,
+    })
+}
+
+pub async fn fetch_object(
+    pool: &PgPool,
+    user_id: Uuid,
+    object_id: Uuid,
+) -> Result<Option<VaultObjectEnvelope>> {
+    get_object(pool, user_id, object_id).await
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use chrono::Utc;
+    use secrets_domain::{VaultObjectChange, VaultObjectKind};
+    use uuid::Uuid;
+
+    fn sample_change(operation: &str, base_revision: Option<i64>) -> VaultObjectChange {
+        VaultObjectChange {
+            change_id: Uuid::nil(),
+            object_id: Uuid::max(),
+            object_kind: VaultObjectKind::Cipher,
+            operation: operation.to_string(),
+            base_revision,
+            cipher_version: Some(1),
+            ciphertext: Some(vec![1, 2, 3]),
+            content_hash: Some("sha256:test".to_string()),
+        }
+    }
+
+    fn sample_object(revision: i64) -> VaultObjectEnvelope {
+        VaultObjectEnvelope {
+            object_id: Uuid::max(),
+            object_kind: VaultObjectKind::Cipher,
+            revision,
+            cipher_version: 1,
+            ciphertext: vec![9, 9, 9],
+            content_hash: "sha256:server".to_string(),
+            deleted_at: None,
+            updated_at: Utc::now(),
+        }
+    }
+
+    #[test]
+    fn conflict_when_base_revision_is_stale() {
+        let mut change = sample_change("upsert", Some(3));
+        let server = sample_object(5);
+        change.object_id = server.object_id;
+
+        let conflict = detect_conflict(&change, Some(&server)).expect("expected conflict");
+
+        assert_eq!(conflict.reason, "revision_conflict");
+        assert_eq!(conflict.object_id, server.object_id);
+        assert_eq!(
+            conflict
+                .server_object
+                .as_ref()
+                .map(|object| object.revision),
+            Some(5)
+        );
+    }
+
+    #[test]
+    fn no_conflict_when_revision_matches() {
+        let mut change = sample_change("upsert", Some(5));
+        let server = sample_object(5);
+        change.object_id = server.object_id;
+
+        let conflict = detect_conflict(&change, Some(&server));
+
+        assert!(conflict.is_none());
+    }
+
+    #[test]
+    fn unsupported_operation_is_conflict() {
+        let change = sample_change("merge", None);
+
+        let conflict = detect_conflict(&change, None).expect("expected unsupported operation");
+
+        assert_eq!(conflict.reason, "unsupported_operation");
+        assert!(conflict.server_object.is_none());
+    }
+}

crates/application/src/vault_store.rs

@@ -0,0 +1,147 @@
+use anyhow::{Context, Result};
+use chrono::{DateTime, Utc};
+use sqlx::PgPool;
+use uuid::Uuid;
+
+use secrets_domain::{VaultObjectEnvelope, VaultObjectKind, VaultTombstone};
+
+#[derive(Debug, sqlx::FromRow)]
+struct VaultObjectRow {
+    object_id: Uuid,
+    _object_kind: String,
+    revision: i64,
+    cipher_version: i32,
+    ciphertext: Vec<u8>,
+    content_hash: String,
+    deleted_at: Option<DateTime<Utc>>,
+    updated_at: DateTime<Utc>,
+}
+
+impl From<VaultObjectRow> for VaultObjectEnvelope {
+    fn from(row: VaultObjectRow) -> Self {
+        Self {
+            object_id: row.object_id,
+            object_kind: VaultObjectKind::Cipher,
+            revision: row.revision,
+            cipher_version: row.cipher_version,
+            ciphertext: row.ciphertext,
+            content_hash: row.content_hash,
+            deleted_at: row.deleted_at,
+            updated_at: row.updated_at,
+        }
+    }
+}
+
+pub async fn list_objects_since(
+    pool: &PgPool,
+    user_id: Uuid,
+    cursor: i64,
+    limit: i64,
+) -> Result<Vec<VaultObjectEnvelope>> {
+    let rows = sqlx::query_as::<_, VaultObjectRow>(
+        r#"
+        SELECT
+            object_id,
+            object_kind AS _object_kind,
+            revision,
+            cipher_version,
+            ciphertext,
+            content_hash,
+            deleted_at,
+            updated_at
+        FROM vault_objects
+        WHERE user_id = $1
+          AND revision > $2
+        ORDER BY revision ASC
+        LIMIT $3
+        "#,
+    )
+    .bind(user_id)
+    .bind(cursor)
+    .bind(limit.max(1))
+    .fetch_all(pool)
+    .await
+    .context("failed to list vault objects")?;
+
+    Ok(rows.into_iter().map(Into::into).collect())
+}
+
+pub async fn get_object(
+    pool: &PgPool,
+    user_id: Uuid,
+    object_id: Uuid,
+) -> Result<Option<VaultObjectEnvelope>> {
+    let row = sqlx::query_as::<_, VaultObjectRow>(
+        r#"
+        SELECT
+            object_id,
+            object_kind AS _object_kind,
+            revision,
+            cipher_version,
+            ciphertext,
+            content_hash,
+            deleted_at,
+            updated_at
+        FROM vault_objects
+        WHERE user_id = $1
+          AND object_id = $2
+        "#,
+    )
+    .bind(user_id)
+    .bind(object_id)
+    .fetch_optional(pool)
+    .await
+    .context("failed to load vault object")?;
+
+    Ok(row.map(Into::into))
+}
+
+pub async fn list_tombstones_since(
+    pool: &PgPool,
+    user_id: Uuid,
+    cursor: i64,
+    limit: i64,
+) -> Result<Vec<VaultTombstone>> {
+    let rows = sqlx::query_as::<_, (Uuid, i64, DateTime<Utc>)>(
+        r#"
+        SELECT object_id, revision, deleted_at
+        FROM vault_objects
+        WHERE user_id = $1
+          AND revision > $2
+          AND deleted_at IS NOT NULL
+        ORDER BY revision ASC
+        LIMIT $3
+        "#,
+    )
+    .bind(user_id)
+    .bind(cursor)
+    .bind(limit.max(1))
+    .fetch_all(pool)
+    .await
+    .context("failed to list tombstones")?;
+
+    Ok(rows
+        .into_iter()
+        .map(|(object_id, revision, deleted_at)| VaultTombstone {
+            object_id,
+            revision,
+            deleted_at,
+        })
+        .collect())
+}
+
+pub async fn max_server_revision(pool: &PgPool, user_id: Uuid) -> Result<i64> {
+    let revision = sqlx::query_scalar::<_, Option<i64>>(
+        r#"
+        SELECT MAX(revision)
+        FROM vault_objects
+        WHERE user_id = $1
+        "#,
+    )
+    .bind(user_id)
+    .fetch_one(pool)
+    .await
+    .context("failed to load max server revision")?;
+
+    Ok(revision.unwrap_or(0))
+}

crates/client-integrations/Cargo.toml

@@ -0,0 +1,13 @@
+[package]
+name = "secrets-client-integrations"
+version = "0.1.0"
+edition.workspace = true
+
+[lib]
+name = "secrets_client_integrations"
+path = "src/lib.rs"
+
+[dependencies]
+anyhow.workspace = true
+serde.workspace = true
+serde_json.workspace = true

crates/client-integrations/src/lib.rs

@@ -0,0 +1,162 @@
+use anyhow::{Context, Result};
+use serde_json::{Map, Value};
+use std::{
+    fs,
+    path::{Path, PathBuf},
+};
+
+pub trait ClientAdapter {
+    fn client_name(&self) -> &'static str;
+    fn config_path(&self) -> PathBuf;
+}
+
+pub struct CursorAdapter;
+
+impl ClientAdapter for CursorAdapter {
+    fn client_name(&self) -> &'static str {
+        "cursor"
+    }
+
+    fn config_path(&self) -> PathBuf {
+        default_home().join(".cursor").join("mcp.json")
+    }
+}
+
+pub struct ClaudeCodeAdapter;
+
+impl ClientAdapter for ClaudeCodeAdapter {
+    fn client_name(&self) -> &'static str {
+        "claude-code"
+    }
+
+    fn config_path(&self) -> PathBuf {
+        default_home().join(".claude").join("mcp.json")
+    }
+}
+
+fn default_home() -> PathBuf {
+    std::env::var_os("HOME")
+        .or_else(|| std::env::var_os("USERPROFILE"))
+        .map(PathBuf::from)
+        .unwrap_or_else(|| PathBuf::from("."))
+}
+
+pub fn has_managed_server(adapter: &dyn ClientAdapter, server_name: &str) -> Result<bool> {
+    let path = adapter.config_path();
+    let root = read_config_or_default(&path)?;
+    Ok(root
+        .get("mcpServers")
+        .and_then(Value::as_object)
+        .is_some_and(|servers| servers.contains_key(server_name)))
+}
+
+pub fn upsert_managed_server(
+    adapter: &dyn ClientAdapter,
+    server_name: &str,
+    server_config: Value,
+) -> Result<()> {
+    let path = adapter.config_path();
+    let mut root = read_config_or_default(&path)?;
+    let root_object = ensure_object(&mut root);
+    let mcp_servers = root_object
+        .entry("mcpServers".to_string())
+        .or_insert_with(|| Value::Object(Map::new()));
+    let servers_object = ensure_object(mcp_servers);
+    servers_object.insert(server_name.to_string(), server_config);
+    write_config_atomically(&path, &root)
+}
+
+fn read_config_or_default(path: &Path) -> Result<Value> {
+    if !path.exists() {
+        return Ok(Value::Object(Map::new()));
+    }
+    let raw =
+        fs::read_to_string(path).with_context(|| format!("failed to read {}", path.display()))?;
+    serde_json::from_str(&raw).with_context(|| format!("failed to parse {}", path.display()))
+}
+
+fn write_config_atomically(path: &Path, value: &Value) -> Result<()> {
+    if let Some(parent) = path.parent() {
+        fs::create_dir_all(parent)
+            .with_context(|| format!("failed to create {}", parent.display()))?;
+    }
+    let tmp_path = path.with_extension("json.tmp");
+    let body = serde_json::to_string_pretty(value).context("failed to serialize mcp config")?;
+    fs::write(&tmp_path, body)
+        .with_context(|| format!("failed to write {}", tmp_path.display()))?;
+    fs::rename(&tmp_path, path).with_context(|| format!("failed to replace {}", path.display()))?;
+    Ok(())
+}
+
+fn ensure_object(value: &mut Value) -> &mut Map<String, Value> {
+    if !value.is_object() {
+        *value = Value::Object(Map::new());
+    }
+    value.as_object_mut().expect("object just ensured")
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::time::{SystemTime, UNIX_EPOCH};
+
+    struct TestAdapter {
+        path: PathBuf,
+    }
+
+    impl ClientAdapter for TestAdapter {
+        fn client_name(&self) -> &'static str {
+            "test"
+        }
+
+        fn config_path(&self) -> PathBuf {
+            self.path.clone()
+        }
+    }
+
+    #[test]
+    fn upsert_preserves_other_servers() {
+        let unique = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .expect("clock")
+            .as_nanos();
+        let base = std::env::temp_dir().join(format!("secrets-client-integrations-{unique}"));
+        let adapter = TestAdapter {
+            path: base.join("mcp.json"),
+        };
+        fs::create_dir_all(adapter.path.parent().expect("parent")).expect("mkdir");
+        fs::write(
+            &adapter.path,
+            r#"{"mcpServers":{"postgres":{"command":"npx"},"secrets":{"url":"http://old"}}}"#,
+        )
+        .expect("seed config");
+
+        upsert_managed_server(
+            &adapter,
+            "secrets",
+            serde_json::json!({
+                "url": "http://127.0.0.1:9515/mcp"
+            }),
+        )
+        .expect("upsert config");
+
+        let root: Value =
+            serde_json::from_str(&fs::read_to_string(&adapter.path).expect("read back"))
+                .expect("parse back");
+        let servers = root
+            .get("mcpServers")
+            .and_then(Value::as_object)
+            .expect("mcpServers object");
+        assert!(servers.contains_key("postgres"));
+        assert_eq!(
+            servers
+                .get("secrets")
+                .and_then(Value::as_object)
+                .and_then(|value| value.get("url"))
+                .and_then(Value::as_str),
+            Some("http://127.0.0.1:9515/mcp")
+        );
+
+        let _ = fs::remove_dir_all(base);
+    }
+}

crates/crypto/Cargo.toml

@@ -0,0 +1,14 @@
+[package]
+name = "secrets-crypto"
+version = "0.1.0"
+edition.workspace = true
+
+[lib]
+name = "secrets_crypto"
+path = "src/lib.rs"
+
+[dependencies]
+aes-gcm.workspace = true
+anyhow.workspace = true
+hex.workspace = true
+rand.workspace = true

crates/crypto/src/lib.rs

@@ -0,0 +1,47 @@
+use aes_gcm::aead::{Aead, KeyInit};
+use aes_gcm::{Aes256Gcm, Nonce};
+use anyhow::{Context, Result};
+use rand::Rng;
+
+pub const KEY_CHECK_PLAINTEXT: &[u8] = b"secrets-v3-key-check";
+
+pub fn decode_hex(input: &str) -> Result<Vec<u8>> {
+    hex::decode(input.trim()).context("invalid hex")
+}
+
+pub fn encode_hex(input: &[u8]) -> String {
+    hex::encode(input)
+}
+
+pub fn extract_key_32(input: &str) -> Result<[u8; 32]> {
+    let bytes = decode_hex(input)?;
+    let key: [u8; 32] = bytes
+        .try_into()
+        .map_err(|_| anyhow::anyhow!("expected 32-byte key"))?;
+    Ok(key)
+}
+
+pub fn encrypt(key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>> {
+    let cipher = Aes256Gcm::new_from_slice(key).context("invalid AES-256 key")?;
+    let mut nonce_bytes = [0_u8; 12];
+    rand::rng().fill_bytes(&mut nonce_bytes);
+    let nonce = Nonce::from_slice(&nonce_bytes);
+    let mut out = nonce_bytes.to_vec();
+    out.extend(
+        cipher
+            .encrypt(nonce, plaintext)
+            .map_err(|_| anyhow::anyhow!("encryption failed"))?,
+    );
+    Ok(out)
+}
+
+pub fn decrypt(key: &[u8; 32], ciphertext: &[u8]) -> Result<Vec<u8>> {
+    if ciphertext.len() < 12 {
+        anyhow::bail!("ciphertext too short");
+    }
+    let cipher = Aes256Gcm::new_from_slice(key).context("invalid AES-256 key")?;
+    let (nonce, body) = ciphertext.split_at(12);
+    cipher
+        .decrypt(Nonce::from_slice(nonce), body)
+        .map_err(|_| anyhow::anyhow!("decryption failed"))
+}

crates/desktop-daemon/Cargo.toml

@@ -0,0 +1,26 @@
+[package]
+name = "secrets-desktop-daemon"
+version = "0.1.0"
+edition.workspace = true
+
+[lib]
+name = "secrets_desktop_daemon"
+path = "src/lib.rs"
+
+[[bin]]
+name = "secrets-desktop-daemon"
+path = "src/main.rs"
+
+[dependencies]
+anyhow.workspace = true
+axum.workspace = true
+dotenvy.workspace = true
+reqwest = { workspace = true, features = ["stream"] }
+rmcp.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+tokio.workspace = true
+tracing.workspace = true
+tracing-subscriber.workspace = true
+
+secrets-device-auth = { path = "../device-auth" }

crates/desktop-daemon/src/config.rs

@@ -0,0 +1,23 @@
+use anyhow::Result;
+
+#[derive(Debug, Clone)]
+pub struct DaemonConfig {
+    pub bind: String,
+}
+
+pub fn load_config() -> Result<DaemonConfig> {
+    let bind =
+        std::env::var("SECRETS_DAEMON_BIND").unwrap_or_else(|_| "127.0.0.1:9515".to_string());
+    if bind.trim().is_empty() {
+        anyhow::bail!("SECRETS_DAEMON_BIND must not be empty");
+    }
+    Ok(DaemonConfig { bind })
+}
+
+pub fn load_persisted_device_token() -> Result<Option<String>> {
+    let token = std::env::var("SECRETS_DEVICE_LOGIN_TOKEN")
+        .ok()
+        .map(|value| value.trim().to_string())
+        .filter(|value| !value.is_empty());
+    Ok(token)
+}

crates/desktop-daemon/src/exec.rs

@@ -13,7 +13,6 @@ const MAX_OUTPUT_CHARS: usize = 64 * 1024;
 #[derive(Clone, Debug, Deserialize)]
 pub struct TargetExecInput {
     pub target_ref: Option<String>,
-    pub target: Option<crate::target::TargetSnapshot>,
     pub command: String,
     pub timeout_secs: Option<u64>,
     pub working_dir: Option<String>,
@@ -138,63 +137,3 @@ pub async fn execute_command(
         stderr_truncated,
     })
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::target::ExecutionTarget;
-    use serde_json::json;
-
-    #[tokio::test]
-    async fn execute_command_injects_target_env() {
-        let target = ExecutionTarget {
-            resolved: ResolvedTarget {
-                id: "entry-1".to_string(),
-                folder: "refining".to_string(),
-                name: "api".to_string(),
-                entry_type: Some("service".to_string()),
-            },
-            env: BTreeMap::from([
-                ("TARGET_HOST".to_string(), "47.238.146.244".to_string()),
-                ("TARGET_API_KEY".to_string(), "sk_test_123".to_string()),
-            ]),
-        };
-        let input = TargetExecInput {
-            target_ref: Some("entry-1".to_string()),
-            target: None,
-            command: "printf '%s|%s' \"$TARGET_HOST\" \"$TARGET_API_KEY\"".to_string(),
-            timeout_secs: Some(5),
-            working_dir: None,
-            env_overrides: None,
-        };
-        let result = execute_command(&input, &target, 5).await.unwrap();
-        assert_eq!(result.exit_code, Some(0));
-        assert_eq!(result.stdout, "47.238.146.244|sk_test_123");
-    }
-
-    #[tokio::test]
-    async fn execute_command_rejects_reserved_target_override() {
-        let target = ExecutionTarget {
-            resolved: ResolvedTarget {
-                id: "entry-1".to_string(),
-                folder: "refining".to_string(),
-                name: "api".to_string(),
-                entry_type: Some("service".to_string()),
-            },
-            env: BTreeMap::from([("TARGET_HOST".to_string(), "47.238.146.244".to_string())]),
-        };
-        let input = TargetExecInput {
-            target_ref: Some("entry-1".to_string()),
-            target: None,
-            command: "echo test".to_string(),
-            timeout_secs: Some(5),
-            working_dir: None,
-            env_overrides: Some(serde_json::from_value(json!({"TARGET_HOST":"override"})).unwrap()),
-        };
-        let err = execute_command(&input, &target, 5).await.unwrap_err();
-        assert!(
-            err.to_string()
-                .contains("cannot override reserved TARGET_* variables")
-        );
-    }
-}

crates/desktop-daemon/src/lib.rs

@@ -0,0 +1,684 @@
+pub mod config;
+pub mod exec;
+pub mod target;
+pub mod vault_client;
+
+use std::collections::HashMap;
+
+use anyhow::{Context, Result, anyhow};
+use axum::{
+    Router,
+    body::Body,
+    extract::State,
+    http::{StatusCode, header},
+    response::Response,
+    routing::{any, get},
+};
+use serde::Deserialize;
+use serde_json::{Value, json};
+
+use crate::{
+    exec::{TargetExecInput, execute_command},
+    target::{TargetSnapshot, build_execution_target},
+    vault_client::{
+        EntryDetail, EntrySummary, SecretHistoryItem, SecretValueField, authorized_get,
+        authorized_patch, authorized_post, entry_detail_payload, fetch_entry_detail,
+        fetch_revealed_entry_secrets,
+    },
+};
+
+#[derive(Clone)]
+pub struct AppState {
+    session_base: String,
+    client: reqwest::Client,
+}
+
+#[derive(Deserialize)]
+struct JsonRpcRequest {
+    #[serde(default)]
+    id: Value,
+    method: String,
+    #[serde(default)]
+    params: Value,
+}
+
+fn json_response(status: StatusCode, value: Value) -> Response {
+    Response::builder()
+        .status(status)
+        .header(header::CONTENT_TYPE, "application/json; charset=utf-8")
+        .body(Body::from(value.to_string()))
+        .expect("build response")
+}
+
+fn jsonrpc_result_response(id: Value, result: Value) -> Response {
+    json_response(
+        StatusCode::OK,
+        json!({
+            "jsonrpc": "2.0",
+            "id": id,
+            "result": result,
+        }),
+    )
+}
+
+fn tool_success_response(id: Value, value: Value) -> Response {
+    let pretty = serde_json::to_string_pretty(&value).unwrap_or_else(|_| value.to_string());
+    jsonrpc_result_response(
+        id,
+        json!({
+            "content": [
+                {
+                    "type": "text",
+                    "text": pretty
+                }
+            ],
+            "isError": false
+        }),
+    )
+}
+
+fn tool_error_response(id: Value, message: impl Into<String>) -> Response {
+    jsonrpc_result_response(
+        id,
+        json!({
+            "content": [
+                {
+                    "type": "text",
+                    "text": message.into()
+                }
+            ],
+            "isError": true
+        }),
+    )
+}
+
+fn initialize_response(id: Value) -> Response {
+    let session_id = format!(
+        "desktop-daemon-{}",
+        std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .map(|duration| duration.as_nanos())
+            .unwrap_or(0)
+    );
+    let payload = json!({
+        "jsonrpc": "2.0",
+        "id": id,
+        "result": {
+            "protocolVersion": "2025-06-18",
+            "capabilities": {
+                "tools": {}
+            },
+            "serverInfo": {
+                "name": "secrets-desktop-daemon",
+                "version": env!("CARGO_PKG_VERSION"),
+                "title": "Secrets Desktop Daemon"
+            },
+            "instructions": "Preferred tools: secrets_entry_find, secrets_entry_get, secrets_entry_add, secrets_entry_update, secrets_entry_delete, secrets_entry_restore, secrets_secret_add, secrets_secret_update, secrets_secret_delete, secrets_secret_history, secrets_secret_rollback, and target_exec. All data is resolved from the desktop app's unlocked local vault session. Legacy aliases secrets_find, secrets_add, and secrets_update remain supported."
+        }
+    });
+    Response::builder()
+        .status(StatusCode::OK)
+        .header(header::CONTENT_TYPE, "application/json; charset=utf-8")
+        .header("mcp-session-id", session_id)
+        .body(Body::from(payload.to_string()))
+        .expect("build response")
+}
+
+fn tool_definitions() -> Vec<Value> {
+    vec![
+        json!({
+            "name": "secrets_entry_find",
+            "description": "Find entries from the user's secrets vault.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "query": { "type": ["string", "null"] },
+                    "folder": { "type": ["string", "null"] },
+                    "type": { "type": ["string", "null"] }
+                }
+            }
+        }),
+        json!({
+            "name": "secrets_entry_get",
+            "description": "Get one entry from the unlocked local vault by entry id.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" }
+                },
+                "required": ["id"]
+            }
+        }),
+        json!({
+            "name": "secrets_entry_add",
+            "description": "Create a new entry and optionally include initial secrets.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "folder": { "type": "string" },
+                    "name": { "type": "string" },
+                    "type": { "type": ["string", "null"] },
+                    "metadata": { "type": ["object", "null"] },
+                    "secrets": {
+                        "type": ["array", "null"],
+                        "items": {
+                            "type": "object",
+                            "properties": {
+                                "name": { "type": "string" },
+                                "secret_type": { "type": ["string", "null"] },
+                                "value": { "type": "string" }
+                            },
+                            "required": ["name", "value"]
+                        }
+                    }
+                },
+                "required": ["folder", "name"]
+            }
+        }),
+        json!({
+            "name": "secrets_entry_update",
+            "description": "Update an existing entry by id.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" },
+                    "folder": { "type": ["string", "null"] },
+                    "name": { "type": ["string", "null"] },
+                    "type": { "type": ["string", "null"] },
+                    "metadata": { "type": ["object", "null"] }
+                },
+                "required": ["id"]
+            }
+        }),
+        json!({
+            "name": "secrets_entry_delete",
+            "description": "Move an entry into recycle bin by id.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" }
+                },
+                "required": ["id"]
+            }
+        }),
+        json!({
+            "name": "secrets_entry_restore",
+            "description": "Restore a deleted entry from recycle bin by id.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" }
+                },
+                "required": ["id"]
+            }
+        }),
+        json!({
+            "name": "secrets_secret_add",
+            "description": "Create one secret under an existing entry.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "entry_id": { "type": "string" },
+                    "name": { "type": "string" },
+                    "secret_type": { "type": ["string", "null"] },
+                    "value": { "type": "string" }
+                },
+                "required": ["entry_id", "name", "value"]
+            }
+        }),
+        json!({
+            "name": "secrets_secret_update",
+            "description": "Update one secret by id.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" },
+                    "name": { "type": ["string", "null"] },
+                    "secret_type": { "type": ["string", "null"] },
+                    "value": { "type": ["string", "null"] }
+                },
+                "required": ["id"]
+            }
+        }),
+        json!({
+            "name": "secrets_secret_delete",
+            "description": "Delete one secret by id.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" }
+                },
+                "required": ["id"]
+            }
+        }),
+        json!({
+            "name": "secrets_secret_history",
+            "description": "List history snapshots for one secret by id.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" }
+                },
+                "required": ["id"]
+            }
+        }),
+        json!({
+            "name": "secrets_secret_rollback",
+            "description": "Rollback one secret by id to a previous version or history id.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" },
+                    "version": { "type": ["integer", "null"] },
+                    "history_id": { "type": ["integer", "null"] }
+                },
+                "required": ["id"]
+            }
+        }),
+        json!({
+            "name": "target_exec",
+            "description": "Execute a local shell command with resolved TARGET_* environment variables from one entry.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "target_ref": { "type": ["string", "null"] },
+                    "command": { "type": "string" },
+                    "timeout_secs": { "type": ["integer", "null"] },
+                    "working_dir": { "type": ["string", "null"] },
+                    "env_overrides": { "type": ["object", "null"] }
+                },
+                "required": ["target_ref", "command"]
+            }
+        }),
+        json!({
+            "name": "secrets_find",
+            "description": "Legacy alias for secrets_entry_find.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "query": { "type": ["string", "null"] },
+                    "folder": { "type": ["string", "null"] },
+                    "type": { "type": ["string", "null"] }
+                }
+            }
+        }),
+        json!({
+            "name": "secrets_add",
+            "description": "Legacy alias for secrets_entry_add.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "folder": { "type": "string" },
+                    "name": { "type": "string" },
+                    "type": { "type": ["string", "null"] },
+                    "metadata": { "type": ["object", "null"] },
+                    "secrets": { "type": ["array", "null"] }
+                },
+                "required": ["folder", "name"]
+            }
+        }),
+        json!({
+            "name": "secrets_update",
+            "description": "Legacy alias for secrets_entry_update.",
+            "inputSchema": {
+                "type": "object",
+                "properties": {
+                    "id": { "type": "string" },
+                    "folder": { "type": ["string", "null"] },
+                    "name": { "type": ["string", "null"] },
+                    "type": { "type": ["string", "null"] },
+                    "metadata": { "type": ["object", "null"] }
+                },
+                "required": ["id"]
+            }
+        }),
+    ]
+}
+
+fn entry_detail_to_snapshot(detail: &EntryDetail) -> TargetSnapshot {
+    let metadata = detail
+        .metadata
+        .iter()
+        .map(|field| (field.label.clone(), Value::String(field.value.clone())))
+        .collect();
+    let secret_fields = detail
+        .secrets
+        .iter()
+        .map(|secret| crate::target::SecretFieldRef {
+            name: secret.name.clone(),
+            secret_type: Some(secret.secret_type.clone()),
+        })
+        .collect();
+    TargetSnapshot {
+        id: detail.id.clone(),
+        folder: detail.folder.clone(),
+        name: detail.name.clone(),
+        entry_type: Some(detail.cipher_type.clone()),
+        metadata,
+        secret_fields,
+    }
+}
+
+fn revealed_secrets_to_env(secrets: &[SecretValueField]) -> HashMap<String, Value> {
+    secrets
+        .iter()
+        .map(|secret| (secret.name.clone(), Value::String(secret.value.clone())))
+        .collect()
+}
+
+async fn call_tool(state: &AppState, name: &str, arguments: Value) -> Result<Value> {
+    match name {
+        "secrets_find" | "secrets_entry_find" => {
+            let folder = arguments
+                .get("folder")
+                .and_then(Value::as_str)
+                .map(ToOwned::to_owned);
+            let query = arguments
+                .get("query")
+                .and_then(Value::as_str)
+                .map(ToOwned::to_owned);
+            let entry_type = arguments
+                .get("type")
+                .and_then(Value::as_str)
+                .map(ToOwned::to_owned);
+            let mut params = Vec::new();
+            if let Some(folder) = folder {
+                params.push(("folder", folder));
+            }
+            if let Some(query) = query {
+                params.push(("query", query));
+            }
+            if let Some(entry_type) = entry_type {
+                params.push(("entry_type", entry_type));
+            }
+            params.push(("deleted_only", "false".to_string()));
+            let entries = authorized_get(state, "/vault/entries", &params)
+                .await?
+                .json::<Vec<EntrySummary>>()
+                .await
+                .context("failed to decode entries list")?;
+            Ok(json!({
+                "entries": entries.into_iter().map(|entry| {
+                    json!({
+                        "id": entry.id,
+                        "folder": entry.folder,
+                        "name": entry.name,
+                        "type": entry.cipher_type
+                    })
+                }).collect::<Vec<_>>()
+            }))
+        }
+        "secrets_entry_get" => {
+            let id = arguments
+                .get("id")
+                .and_then(Value::as_str)
+                .context("id is required")?;
+            let detail = fetch_entry_detail(state, id).await?;
+            let secrets = fetch_revealed_entry_secrets(state, id).await?;
+            Ok(entry_detail_payload(&detail, Some(&secrets)))
+        }
+        "secrets_add" | "secrets_entry_add" => {
+            let folder = arguments
+                .get("folder")
+                .and_then(Value::as_str)
+                .context("folder is required")?;
+            let name = arguments
+                .get("name")
+                .and_then(Value::as_str)
+                .context("name is required")?;
+            let entry_type = arguments
+                .get("type")
+                .and_then(Value::as_str)
+                .unwrap_or("entry");
+            let metadata = arguments
+                .get("metadata")
+                .cloned()
+                .unwrap_or_else(|| json!({}));
+            let res = authorized_post(
+                state,
+                "/vault/entries",
+                &json!({
+                    "folder": folder,
+                    "name": name,
+                    "entry_type": entry_type,
+                    "metadata": metadata,
+                    "secrets": arguments.get("secrets").cloned().unwrap_or(Value::Null)
+                }),
+            )
+            .await?;
+            Ok(res
+                .json::<Value>()
+                .await
+                .context("failed to decode create result")?)
+        }
+        "secrets_update" | "secrets_entry_update" => {
+            let id = arguments
+                .get("id")
+                .and_then(Value::as_str)
+                .context("id is required")?;
+            let body = json!({
+                "folder": arguments.get("folder").cloned().unwrap_or(Value::Null),
+                "entry_type": arguments.get("type").cloned().unwrap_or(Value::Null),
+                "title": arguments.get("name").cloned().unwrap_or(Value::Null),
+                "metadata": arguments.get("metadata").cloned().unwrap_or(Value::Null)
+            });
+            let res = authorized_patch(state, &format!("/vault/entries/{id}"), &body).await?;
+            Ok(res
+                .json::<Value>()
+                .await
+                .context("failed to decode update result")?)
+        }
+        "secrets_entry_delete" => {
+            let id = arguments
+                .get("id")
+                .and_then(Value::as_str)
+                .context("id is required")?;
+            let res =
+                authorized_post(state, &format!("/vault/entries/{id}/delete"), &json!({})).await?;
+            Ok(res
+                .json::<Value>()
+                .await
+                .context("failed to decode delete result")?)
+        }
+        "secrets_entry_restore" => {
+            let id = arguments
+                .get("id")
+                .and_then(Value::as_str)
+                .context("id is required")?;
+            let res =
+                authorized_post(state, &format!("/vault/entries/{id}/restore"), &json!({})).await?;
+            Ok(res
+                .json::<Value>()
+                .await
+                .context("failed to decode restore result")?)
+        }
+        "secrets_secret_add" => {
+            let entry_id = arguments
+                .get("entry_id")
+                .and_then(Value::as_str)
+                .context("entry_id is required")?;
+            let name = arguments
+                .get("name")
+                .and_then(Value::as_str)
+                .context("name is required")?;
+            let value = arguments
+                .get("value")
+                .and_then(Value::as_str)
+                .context("value is required")?;
+            let res = authorized_post(
+                state,
+                &format!("/vault/entries/{entry_id}/secrets"),
+                &json!({
+                    "name": name,
+                    "secret_type": arguments.get("secret_type").cloned().unwrap_or(Value::Null),
+                    "value": value
+                }),
+            )
+            .await?;
+            Ok(res
+                .json::<Value>()
+                .await
+                .context("failed to decode secret create result")?)
+        }
+        "secrets_secret_update" => {
+            let id = arguments
+                .get("id")
+                .and_then(Value::as_str)
+                .context("id is required")?;
+            let res = authorized_patch(
+                state,
+                &format!("/vault/secrets/{id}"),
+                &json!({
+                    "name": arguments.get("name").cloned().unwrap_or(Value::Null),
+                    "secret_type": arguments.get("secret_type").cloned().unwrap_or(Value::Null),
+                    "value": arguments.get("value").cloned().unwrap_or(Value::Null)
+                }),
+            )
+            .await?;
+            Ok(res
+                .json::<Value>()
+                .await
+                .context("failed to decode secret update result")?)
+        }
+        "secrets_secret_delete" => {
+            let id = arguments
+                .get("id")
+                .and_then(Value::as_str)
+                .context("id is required")?;
+            let res =
+                authorized_post(state, &format!("/vault/secrets/{id}/delete"), &json!({})).await?;
+            Ok(res
+                .json::<Value>()
+                .await
+                .context("failed to decode secret delete result")?)
+        }
+        "secrets_secret_history" => {
+            let id = arguments
+                .get("id")
+                .and_then(Value::as_str)
+                .context("id is required")?;
+            let history = authorized_get(state, &format!("/vault/secrets/{id}/history"), &[])
+                .await?
+                .json::<Vec<SecretHistoryItem>>()
+                .await
+                .context("failed to decode secret history")?;
+            Ok(json!({
+                "history": history.into_iter().map(|item| {
+                    json!({
+                        "history_id": item.history_id,
+                        "secret_id": item.secret_id,
+                        "name": item.name,
+                        "type": item.secret_type,
+                        "masked_value": item.masked_value,
+                        "value": item.value,
+                        "version": item.version,
+                        "action": item.action,
+                        "created_at": item.created_at
+                    })
+                }).collect::<Vec<_>>()
+            }))
+        }
+        "secrets_secret_rollback" => {
+            let id = arguments
+                .get("id")
+                .and_then(Value::as_str)
+                .context("id is required")?;
+            let res = authorized_post(
+                state,
+                &format!("/vault/secrets/{id}/rollback"),
+                &json!({
+                    "version": arguments.get("version").cloned().unwrap_or(Value::Null),
+                    "history_id": arguments.get("history_id").cloned().unwrap_or(Value::Null)
+                }),
+            )
+            .await?;
+            Ok(res
+                .json::<Value>()
+                .await
+                .context("failed to decode secret rollback result")?)
+        }
+        "target_exec" => {
+            let input: TargetExecInput =
+                serde_json::from_value(arguments).context("invalid target_exec arguments")?;
+            let target_ref = input
+                .target_ref
+                .as_ref()
+                .context("target_ref is required")?;
+            let detail = fetch_entry_detail(state, target_ref).await?;
+            let secrets = fetch_revealed_entry_secrets(state, target_ref).await?;
+            let execution_target = build_execution_target(
+                &entry_detail_to_snapshot(&detail),
+                &revealed_secrets_to_env(&secrets),
+            )?;
+            let result =
+                execute_command(&input, &execution_target, input.timeout_secs.unwrap_or(30))
+                    .await?;
+            Ok(serde_json::to_value(result).context("failed to encode exec result")?)
+        }
+        other => Err(anyhow!("unsupported tool: {other}")),
+    }
+}
+
+pub async fn handle_mcp(State(state): State<AppState>, body: String) -> Response {
+    let request: JsonRpcRequest = match serde_json::from_str(&body) {
+        Ok(request) => request,
+        Err(err) => {
+            return json_response(
+                StatusCode::BAD_REQUEST,
+                json!({
+                    "jsonrpc": "2.0",
+                    "id": null,
+                    "error": {
+                        "code": -32600,
+                        "message": format!("invalid request: {err}")
+                    }
+                }),
+            );
+        }
+    };
+
+    match request.method.as_str() {
+        "initialize" => initialize_response(request.id),
+        "tools/list" => jsonrpc_result_response(request.id, json!({ "tools": tool_definitions() })),
+        "tools/call" => {
+            let name = request
+                .params
+                .get("name")
+                .and_then(Value::as_str)
+                .unwrap_or_default();
+            let arguments = request
+                .params
+                .get("arguments")
+                .cloned()
+                .unwrap_or_else(|| json!({}));
+            match call_tool(&state, name, arguments).await {
+                Ok(value) => tool_success_response(request.id, value),
+                Err(err) => tool_error_response(request.id, err.to_string()),
+            }
+        }
+        other => json_response(
+            StatusCode::OK,
+            json!({
+                "jsonrpc": "2.0",
+                "id": request.id,
+                "error": {
+                    "code": -32601,
+                    "message": format!("method `{other}` not supported by secrets-desktop-daemon")
+                }
+            }),
+        ),
+    }
+}
+
+pub async fn build_router() -> Result<Router> {
+    let session_base = std::env::var("SECRETS_DESKTOP_SESSION_URL")
+        .unwrap_or_else(|_| "http://127.0.0.1:9520".to_string());
+    let state = AppState {
+        session_base,
+        client: reqwest::Client::new(),
+    };
+    Ok(Router::new()
+        .route("/healthz", get(|| async { "ok" }))
+        .route("/mcp", any(handle_mcp))
+        .with_state(state))
+}

crates/desktop-daemon/src/main.rs

@@ -0,0 +1,26 @@
+use anyhow::{Context, Result};
+use tracing_subscriber::EnvFilter;
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    let _ = dotenvy::dotenv();
+
+    tracing_subscriber::fmt()
+        .with_env_filter(
+            EnvFilter::try_from_default_env()
+                .unwrap_or_else(|_| "secrets_desktop_daemon=info".into()),
+        )
+        .init();
+
+    let config = secrets_desktop_daemon::config::load_config()?;
+    let app = secrets_desktop_daemon::build_router().await?;
+    let listener = tokio::net::TcpListener::bind(&config.bind)
+        .await
+        .with_context(|| format!("failed to bind {}", config.bind))?;
+
+    tracing::info!(bind = %config.bind, "secrets-desktop-daemon listening");
+    axum::serve(listener, app)
+        .await
+        .context("daemon server error")?;
+    Ok(())
+}

crates/desktop-daemon/src/target.rs

@@ -19,8 +19,6 @@ pub struct TargetSnapshot {
     #[serde(rename = "type")]
     pub entry_type: Option<String>,
     #[serde(default)]
-    pub notes: Option<String>,
-    #[serde(default)]
     pub metadata: Map<String, Value>,
     #[serde(default)]
     pub secret_fields: Vec<SecretFieldRef>,
@@ -116,9 +114,6 @@ pub fn build_execution_target(
     if let Some(entry_type) = snapshot.entry_type.as_ref().filter(|v| !v.is_empty()) {
         env.insert("TARGET_TYPE".to_string(), entry_type.clone());
     }
-    if let Some(notes) = snapshot.notes.as_ref().filter(|v| !v.is_empty()) {
-        env.insert("TARGET_NOTES".to_string(), notes.clone());
-    }
 
     for (key, value) in &snapshot.metadata {
         if let Some(value) = stringify_value(value) {
@@ -212,52 +207,126 @@ pub fn build_execution_target(
 #[cfg(test)]
 mod tests {
     use super::*;
-    use serde_json::json;
 
-    #[test]
-    fn build_execution_target_maps_common_aliases() {
-        let snapshot = TargetSnapshot {
+    fn build_snapshot() -> TargetSnapshot {
+        let mut metadata = Map::new();
+        metadata.insert(
+            "host".to_string(),
+            Value::String("git.example.com".to_string()),
+        );
+        metadata.insert("port".to_string(), Value::String("22".to_string()));
+        metadata.insert("username".to_string(), Value::String("deploy".to_string()));
+        metadata.insert(
+            "base_url".to_string(),
+            Value::String("https://api.example.com".to_string()),
+        );
+        TargetSnapshot {
             id: "entry-1".to_string(),
-            folder: "refining".to_string(),
-            name: "hk_api_hub".to_string(),
-            entry_type: Some("server".to_string()),
-            notes: None,
-            metadata: serde_json::from_value(json!({
-                "public_ip": "47.238.146.244",
-                "username": "ecs-user",
-                "base_url": "https://api.refining.dev"
-            }))
-            .unwrap(),
+            folder: "infra".to_string(),
+            name: "production".to_string(),
+            entry_type: Some("ssh_key".to_string()),
+            metadata,
             secret_fields: vec![
                 SecretFieldRef {
                     name: "api_key".to_string(),
-                    secret_type: None,
+                    secret_type: Some("text".to_string()),
                 },
                 SecretFieldRef {
-                    name: "hk-20240726.pem".to_string(),
+                    name: "token".to_string(),
+                    secret_type: Some("text".to_string()),
+                },
+                SecretFieldRef {
+                    name: "ssh_key".to_string(),
                     secret_type: Some("ssh-key".to_string()),
                 },
             ],
-        };
+        }
+    }
+
+    #[test]
+    fn derives_standard_target_env_keys() {
+        let snapshot = build_snapshot();
         let secrets = HashMap::from([
-            ("api_key".to_string(), json!("sk_test_123")),
+            ("api_key".to_string(), Value::String("ak-123".to_string())),
+            ("token".to_string(), Value::String("tok-456".to_string())),
             (
-                "hk-20240726.pem".to_string(),
-                json!("-----BEGIN PRIVATE KEY-----"),
+                "ssh_key".to_string(),
+                Value::String("-----BEGIN KEY-----".to_string()),
             ),
         ]);
 
-        let target = build_execution_target(&snapshot, &secrets).unwrap();
-        assert_eq!(target.env.get("TARGET_HOST").unwrap(), "47.238.146.244");
-        assert_eq!(target.env.get("TARGET_USER").unwrap(), "ecs-user");
+        let target = build_execution_target(&snapshot, &secrets).expect("build execution target");
+
         assert_eq!(
-            target.env.get("TARGET_BASE_URL").unwrap(),
-            "https://api.refining.dev"
+            target.env.get("TARGET_ENTRY_ID").map(String::as_str),
+            Some("entry-1")
         );
-        assert_eq!(target.env.get("TARGET_API_KEY").unwrap(), "sk_test_123");
         assert_eq!(
-            target.env.get("TARGET_SSH_KEY").unwrap(),
-            "-----BEGIN PRIVATE KEY-----"
+            target.env.get("TARGET_NAME").map(String::as_str),
+            Some("production")
+        );
+        assert_eq!(
+            target.env.get("TARGET_FOLDER").map(String::as_str),
+            Some("infra")
+        );
+        assert_eq!(
+            target.env.get("TARGET_TYPE").map(String::as_str),
+            Some("ssh_key")
+        );
+        assert_eq!(
+            target.env.get("TARGET_HOST").map(String::as_str),
+            Some("git.example.com")
+        );
+        assert_eq!(
+            target.env.get("TARGET_PORT").map(String::as_str),
+            Some("22")
+        );
+        assert_eq!(
+            target.env.get("TARGET_USER").map(String::as_str),
+            Some("deploy")
+        );
+        assert_eq!(
+            target.env.get("TARGET_BASE_URL").map(String::as_str),
+            Some("https://api.example.com")
+        );
+        assert_eq!(
+            target.env.get("TARGET_API_KEY").map(String::as_str),
+            Some("ak-123")
+        );
+        assert_eq!(
+            target.env.get("TARGET_TOKEN").map(String::as_str),
+            Some("tok-456")
+        );
+        assert_eq!(
+            target.env.get("TARGET_SSH_KEY").map(String::as_str),
+            Some("-----BEGIN KEY-----")
+        );
+    }
+
+    #[test]
+    fn exports_sanitized_meta_and_secret_keys() {
+        let mut snapshot = build_snapshot();
+        snapshot.metadata.insert(
+            "private-ip".to_string(),
+            Value::String("10.0.0.8".to_string()),
+        );
+        let secrets = HashMap::from([(
+            "access key id".to_string(),
+            Value::String("access-1".to_string()),
+        )]);
+
+        let target = build_execution_target(&snapshot, &secrets).expect("build execution target");
+
+        assert_eq!(
+            target.env.get("TARGET_META_PRIVATE_IP").map(String::as_str),
+            Some("10.0.0.8")
+        );
+        assert_eq!(
+            target
+                .env
+                .get("TARGET_SECRET_ACCESS_KEY_ID")
+                .map(String::as_str),
+            Some("access-1")
         );
     }
 }

crates/desktop-daemon/src/vault_client.rs

@@ -0,0 +1,168 @@
+use std::collections::HashMap;
+
+use anyhow::{Context, Result};
+use serde::Deserialize;
+use serde_json::{Value, json};
+
+use crate::AppState;
+
+#[derive(Debug, Deserialize)]
+pub struct EntrySummary {
+    pub id: String,
+    pub folder: String,
+    #[serde(rename = "title")]
+    pub name: String,
+    #[serde(rename = "subtitle")]
+    pub cipher_type: String,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct EntryDetail {
+    pub id: String,
+    #[serde(rename = "title")]
+    pub name: String,
+    pub folder: String,
+    #[serde(rename = "entry_type")]
+    pub cipher_type: String,
+    pub metadata: Vec<DetailField>,
+    pub secrets: Vec<SecretField>,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct DetailField {
+    pub label: String,
+    pub value: String,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct SecretField {
+    pub id: String,
+    pub name: String,
+    pub secret_type: String,
+    pub masked_value: String,
+    pub version: i64,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct SecretValueField {
+    pub id: String,
+    pub name: String,
+    pub value: String,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct SecretHistoryItem {
+    pub history_id: i64,
+    pub secret_id: String,
+    pub name: String,
+    pub secret_type: String,
+    pub masked_value: String,
+    pub value: String,
+    pub version: i64,
+    pub action: String,
+    pub created_at: String,
+}
+
+pub async fn authorized_get(
+    state: &AppState,
+    path: &str,
+    query: &[(&str, String)],
+) -> Result<reqwest::Response> {
+    state
+        .client
+        .get(format!("{}{}", state.session_base, path))
+        .query(query)
+        .send()
+        .await
+        .with_context(|| format!("desktop local vault unavailable: {path}"))?
+        .error_for_status()
+        .with_context(|| format!("desktop local vault requires sign-in and unlock: {path}"))
+}
+
+pub async fn authorized_patch(
+    state: &AppState,
+    path: &str,
+    body: &Value,
+) -> Result<reqwest::Response> {
+    state
+        .client
+        .patch(format!("{}{}", state.session_base, path))
+        .json(body)
+        .send()
+        .await
+        .with_context(|| format!("desktop local vault unavailable: {path}"))?
+        .error_for_status()
+        .with_context(|| format!("desktop local vault requires sign-in and unlock: {path}"))
+}
+
+pub async fn authorized_post(
+    state: &AppState,
+    path: &str,
+    body: &Value,
+) -> Result<reqwest::Response> {
+    state
+        .client
+        .post(format!("{}{}", state.session_base, path))
+        .json(body)
+        .send()
+        .await
+        .with_context(|| format!("desktop local vault unavailable: {path}"))?
+        .error_for_status()
+        .with_context(|| format!("desktop local vault requires sign-in and unlock: {path}"))
+}
+
+pub async fn fetch_entry_detail(state: &AppState, entry_id: &str) -> Result<EntryDetail> {
+    authorized_get(state, &format!("/vault/entries/{entry_id}"), &[])
+        .await?
+        .json::<EntryDetail>()
+        .await
+        .context("failed to decode entry detail")
+}
+
+pub async fn fetch_revealed_entry_secrets(
+    state: &AppState,
+    entry_id: &str,
+) -> Result<Vec<SecretValueField>> {
+    let detail = fetch_entry_detail(state, entry_id).await?;
+    let mut secrets = Vec::new();
+    for secret in detail.secrets {
+        let item = authorized_get(state, &format!("/vault/secrets/{}/value", secret.id), &[])
+            .await?
+            .json::<SecretValueField>()
+            .await
+            .context("failed to decode revealed secret value")?;
+        secrets.push(item);
+    }
+    Ok(secrets)
+}
+
+pub fn entry_detail_payload(detail: &EntryDetail, revealed: Option<&[SecretValueField]>) -> Value {
+    let revealed_by_id: HashMap<&str, &SecretValueField> = revealed
+        .unwrap_or(&[])
+        .iter()
+        .map(|secret| (secret.id.as_str(), secret))
+        .collect();
+    json!({
+        "id": detail.id,
+        "folder": detail.folder,
+        "name": detail.name,
+        "type": detail.cipher_type,
+        "metadata": detail.metadata.iter().map(|field| {
+            json!({
+                "label": field.label,
+                "value": field.value
+            })
+        }).collect::<Vec<_>>(),
+        "secrets": detail.secrets.iter().map(|secret| {
+            let revealed = revealed_by_id.get(secret.id.as_str());
+            json!({
+                "id": secret.id,
+                "name": secret.name,
+                "type": secret.secret_type,
+                "masked_value": secret.masked_value,
+                "value": revealed.map(|item| item.value.clone()),
+                "version": secret.version
+            })
+        }).collect::<Vec<_>>()
+    })
+}

crates/device-auth/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "secrets-device-auth"
+version = "0.1.0"
+edition.workspace = true
+
+[lib]
+name = "secrets_device_auth"
+path = "src/lib.rs"
+
+[dependencies]
+anyhow.workspace = true
+hex.workspace = true
+rand.workspace = true
+sha2.workspace = true
+url.workspace = true
+uuid.workspace = true

crates/device-auth/src/lib.rs

@@ -0,0 +1,27 @@
+use anyhow::{Context, Result};
+use rand::{Rng, RngExt};
+use sha2::{Digest, Sha256};
+use url::Url;
+
+pub fn loopback_redirect_uri(port: u16) -> Result<Url> {
+    Url::parse(&format!("http://127.0.0.1:{port}/oauth/callback"))
+        .context("failed to build loopback redirect URI")
+}
+
+pub fn new_device_fingerprint() -> String {
+    let mut bytes = [0_u8; 16];
+    rand::rng().fill(&mut bytes);
+    hex::encode(bytes)
+}
+
+pub fn new_device_login_token() -> String {
+    let mut bytes = [0_u8; 32];
+    rand::rng().fill_bytes(&mut bytes);
+    hex::encode(bytes)
+}
+
+pub fn hash_device_login_token(token: &str) -> String {
+    let mut hasher = Sha256::new();
+    hasher.update(token.as_bytes());
+    hex::encode(hasher.finalize())
+}

crates/domain/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "secrets-domain"
+version = "0.1.0"
+edition.workspace = true
+
+[lib]
+name = "secrets_domain"
+path = "src/lib.rs"
+
+[dependencies]
+argon2 = "0.5.3"
+chrono.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+thiserror.workspace = true
+uuid.workspace = true

crates/domain/src/auth.rs

@@ -0,0 +1,68 @@
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+use uuid::Uuid;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct User {
+    pub id: Uuid,
+    pub email: Option<String>,
+    pub name: String,
+    pub avatar_url: Option<String>,
+    pub key_salt: Option<Vec<u8>>,
+    pub key_check: Option<Vec<u8>>,
+    pub key_params: Option<Value>,
+    pub key_version: i64,
+    pub created_at: DateTime<Utc>,
+    pub updated_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Device {
+    pub id: Uuid,
+    pub user_id: Uuid,
+    pub display_name: String,
+    pub platform: String,
+    pub client_version: String,
+    pub device_fingerprint: String,
+    pub created_at: DateTime<Utc>,
+    pub last_seen_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DeviceLoginToken {
+    pub id: Uuid,
+    pub device_id: Uuid,
+    pub token_hash: String,
+    pub created_at: DateTime<Utc>,
+    pub last_seen_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum LoginMethod {
+    GoogleOauth,
+    DeviceToken,
+}
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum LoginResult {
+    Success,
+    Failed,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ClientLoginEvent {
+    pub id: i64,
+    pub user_id: Uuid,
+    pub device_id: Uuid,
+    pub device_name: String,
+    pub platform: String,
+    pub client_version: String,
+    pub ip_addr: Option<String>,
+    pub forwarded_ip: Option<String>,
+    pub login_method: LoginMethod,
+    pub login_result: LoginResult,
+    pub created_at: DateTime<Utc>,
+}

crates/domain/src/cipher.rs

@@ -0,0 +1,138 @@
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+use uuid::Uuid;
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum CipherType {
+    Login,
+    ApiKey,
+    SecureNote,
+    SshKey,
+    Identity,
+    Card,
+}
+
+impl CipherType {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            Self::Login => "login",
+            Self::ApiKey => "api_key",
+            Self::SecureNote => "secure_note",
+            Self::SshKey => "ssh_key",
+            Self::Identity => "identity",
+            Self::Card => "card",
+        }
+    }
+
+    pub fn parse(input: &str) -> Self {
+        match input {
+            "login" => Self::Login,
+            "api_key" => Self::ApiKey,
+            "secure_note" => Self::SecureNote,
+            "ssh_key" => Self::SshKey,
+            "identity" => Self::Identity,
+            "card" => Self::Card,
+            _ => Self::SecureNote,
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct CustomField {
+    pub name: String,
+    pub value: Value,
+    #[serde(default)]
+    pub sensitive: bool,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct LoginPayload {
+    #[serde(default)]
+    pub username: Option<String>,
+    #[serde(default)]
+    pub uris: Vec<String>,
+    #[serde(default)]
+    pub password: Option<String>,
+    #[serde(default)]
+    pub totp: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct ApiKeyPayload {
+    #[serde(default)]
+    pub client_id: Option<String>,
+    #[serde(default)]
+    pub secret: Option<String>,
+    #[serde(default)]
+    pub base_url: Option<String>,
+    #[serde(default)]
+    pub host: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct SecureNotePayload {
+    #[serde(default)]
+    pub text: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct SshKeyPayload {
+    #[serde(default)]
+    pub username: Option<String>,
+    #[serde(default)]
+    pub host: Option<String>,
+    #[serde(default)]
+    pub port: Option<u16>,
+    #[serde(default)]
+    pub private_key: Option<String>,
+    #[serde(default)]
+    pub passphrase: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+#[serde(tag = "kind", rename_all = "snake_case")]
+pub enum ItemPayload {
+    Login(LoginPayload),
+    ApiKey(ApiKeyPayload),
+    SecureNote(SecureNotePayload),
+    SshKey(SshKeyPayload),
+}
+
+impl Default for ItemPayload {
+    fn default() -> Self {
+        Self::SecureNote(SecureNotePayload::default())
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct CipherView {
+    pub id: Uuid,
+    pub cipher_type: CipherType,
+    pub name: String,
+    pub folder: String,
+    #[serde(default)]
+    pub notes: Option<String>,
+    #[serde(default)]
+    pub custom_fields: Vec<CustomField>,
+    #[serde(default)]
+    pub deleted_at: Option<DateTime<Utc>>,
+    pub revision_date: DateTime<Utc>,
+    pub payload: ItemPayload,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct Cipher {
+    pub id: Uuid,
+    pub user_id: Uuid,
+    pub object_kind: String,
+    pub cipher_type: CipherType,
+    pub revision: i64,
+    pub cipher_version: i32,
+    pub ciphertext: Vec<u8>,
+    pub content_hash: String,
+    pub deleted_at: Option<DateTime<Utc>>,
+    pub created_at: DateTime<Utc>,
+    pub updated_at: DateTime<Utc>,
+}

crates/domain/src/error.rs

@@ -0,0 +1,15 @@
+use thiserror::Error;
+
+#[derive(Debug, Error)]
+pub enum DomainError {
+    #[error("resource not found")]
+    NotFound,
+    #[error("resource already exists")]
+    Conflict,
+    #[error("validation failed: {0}")]
+    Validation(String),
+    #[error("authentication failed")]
+    AuthenticationFailed,
+    #[error("decryption failed")]
+    DecryptionFailed,
+}

crates/domain/src/kdf.rs

@@ -0,0 +1,37 @@
+use argon2::{Algorithm, Argon2, Params, Version};
+use serde::{Deserialize, Serialize};
+
+use crate::DomainError;
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum KdfType {
+    Argon2id,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct KdfConfig {
+    pub kdf_type: KdfType,
+    pub memory_kib: u32,
+    pub iterations: u32,
+    pub parallelism: u32,
+}
+
+impl Default for KdfConfig {
+    fn default() -> Self {
+        Self {
+            kdf_type: KdfType::Argon2id,
+            memory_kib: 64 * 1024,
+            iterations: 3,
+            parallelism: 4,
+        }
+    }
+}
+
+impl KdfConfig {
+    pub fn build_argon2(&self) -> Result<Argon2<'static>, DomainError> {
+        let params = Params::new(self.memory_kib, self.iterations, self.parallelism, Some(32))
+            .map_err(|err| DomainError::Validation(err.to_string()))?;
+        Ok(Argon2::new(Algorithm::Argon2id, Version::V0x13, params))
+    }
+}

crates/domain/src/lib.rs

@@ -0,0 +1,19 @@
+pub mod auth;
+pub mod cipher;
+pub mod error;
+pub mod kdf;
+pub mod sync;
+pub mod vault_object;
+
+pub use auth::{ClientLoginEvent, Device, DeviceLoginToken, LoginMethod, LoginResult, User};
+pub use cipher::{
+    ApiKeyPayload, Cipher, CipherType, CipherView, CustomField, ItemPayload, LoginPayload,
+    SecureNotePayload, SshKeyPayload,
+};
+pub use error::DomainError;
+pub use kdf::{KdfConfig, KdfType};
+pub use sync::{
+    SyncAcceptedChange, SyncConflict, SyncPullRequest, SyncPullResponse, SyncPushRequest,
+    SyncPushResponse,
+};
+pub use vault_object::{VaultObjectChange, VaultObjectEnvelope, VaultObjectKind, VaultTombstone};

crates/domain/src/sync.rs

@@ -0,0 +1,47 @@
+use serde::{Deserialize, Serialize};
+
+use crate::vault_object::{VaultObjectChange, VaultObjectEnvelope, VaultTombstone};
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct SyncPullRequest {
+    pub cursor: Option<i64>,
+    pub limit: Option<i64>,
+    #[serde(default)]
+    pub include_deleted: bool,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct SyncPullResponse {
+    pub server_revision: i64,
+    pub next_cursor: i64,
+    pub has_more: bool,
+    pub objects: Vec<VaultObjectEnvelope>,
+    pub tombstones: Vec<VaultTombstone>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct SyncPushRequest {
+    pub changes: Vec<VaultObjectChange>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct SyncAcceptedChange {
+    pub change_id: uuid::Uuid,
+    pub object_id: uuid::Uuid,
+    pub revision: i64,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct SyncConflict {
+    pub change_id: uuid::Uuid,
+    pub object_id: uuid::Uuid,
+    pub reason: String,
+    pub server_object: Option<VaultObjectEnvelope>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct SyncPushResponse {
+    pub server_revision: i64,
+    pub accepted: Vec<SyncAcceptedChange>,
+    pub conflicts: Vec<SyncConflict>,
+}

crates/domain/src/vault_object.rs

@@ -0,0 +1,48 @@
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum VaultObjectKind {
+    Cipher,
+}
+
+impl VaultObjectKind {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            Self::Cipher => "cipher",
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct VaultObjectEnvelope {
+    pub object_id: Uuid,
+    pub object_kind: VaultObjectKind,
+    pub revision: i64,
+    pub cipher_version: i32,
+    pub ciphertext: Vec<u8>,
+    pub content_hash: String,
+    pub deleted_at: Option<DateTime<Utc>>,
+    pub updated_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct VaultObjectChange {
+    pub change_id: Uuid,
+    pub object_id: Uuid,
+    pub object_kind: VaultObjectKind,
+    pub operation: String,
+    pub base_revision: Option<i64>,
+    pub cipher_version: Option<i32>,
+    pub ciphertext: Option<Vec<u8>>,
+    pub content_hash: Option<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct VaultTombstone {
+    pub object_id: Uuid,
+    pub revision: i64,
+    pub deleted_at: DateTime<Utc>,
+}

crates/infrastructure-db/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "secrets-infrastructure-db"
+version = "0.1.0"
+edition.workspace = true
+
+[lib]
+name = "secrets_infrastructure_db"
+path = "src/lib.rs"
+
+[dependencies]
+anyhow.workspace = true
+dotenvy.workspace = true
+sqlx.workspace = true
+tracing.workspace = true
+uuid.workspace = true

crates/infrastructure-db/src/lib.rs

@@ -0,0 +1,29 @@
+mod migrate;
+
+use anyhow::{Context, Result};
+use sqlx::PgPool;
+use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
+use std::str::FromStr;
+
+pub use migrate::migrate_current_schema;
+
+pub fn load_database_url() -> Result<String> {
+    std::env::var("SECRETS_DATABASE_URL")
+        .context("SECRETS_DATABASE_URL is required for current services")
+}
+
+pub async fn create_pool(database_url: &str) -> Result<PgPool> {
+    let options =
+        PgConnectOptions::from_str(database_url).context("failed to parse SECRETS_DATABASE_URL")?;
+    let pool = PgPoolOptions::new()
+        .max_connections(
+            std::env::var("SECRETS_DATABASE_POOL_SIZE")
+                .ok()
+                .and_then(|v| v.parse::<u32>().ok())
+                .unwrap_or(10),
+        )
+        .connect_with(options)
+        .await
+        .context("failed to connect to PostgreSQL")?;
+    Ok(pool)
+}

crates/infrastructure-db/src/migrate.rs

@@ -0,0 +1,108 @@
+use anyhow::Result;
+use sqlx::PgPool;
+
+pub async fn migrate_current_schema(pool: &PgPool) -> Result<()> {
+    sqlx::raw_sql(
+        r#"
+        CREATE TABLE IF NOT EXISTS users (
+            id          UUID PRIMARY KEY DEFAULT uuidv7(),
+            email       VARCHAR(256),
+            name        VARCHAR(256) NOT NULL DEFAULT '',
+            avatar_url  TEXT,
+            key_salt    BYTEA,
+            key_check   BYTEA,
+            key_params  JSONB,
+            key_version BIGINT NOT NULL DEFAULT 0,
+            created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+            updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
+        );
+
+        CREATE TABLE IF NOT EXISTS oauth_accounts (
+            id           UUID PRIMARY KEY DEFAULT uuidv7(),
+            user_id      UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+            provider     VARCHAR(32) NOT NULL,
+            provider_id  VARCHAR(256) NOT NULL,
+            email        VARCHAR(256),
+            name         VARCHAR(256),
+            avatar_url   TEXT,
+            created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+            UNIQUE(provider, provider_id),
+            UNIQUE(user_id, provider)
+        );
+
+        CREATE TABLE IF NOT EXISTS devices (
+            id                 UUID PRIMARY KEY DEFAULT uuidv7(),
+            user_id            UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+            display_name       VARCHAR(256) NOT NULL,
+            platform           VARCHAR(64) NOT NULL,
+            client_version     VARCHAR(64) NOT NULL,
+            device_fingerprint TEXT NOT NULL,
+            created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+            last_seen_at       TIMESTAMPTZ NOT NULL DEFAULT NOW()
+        );
+        CREATE INDEX IF NOT EXISTS idx_devices_user_id ON devices(user_id);
+
+        CREATE TABLE IF NOT EXISTS device_login_tokens (
+            id           UUID PRIMARY KEY DEFAULT uuidv7(),
+            device_id    UUID NOT NULL REFERENCES devices(id) ON DELETE CASCADE,
+            token_hash   TEXT NOT NULL UNIQUE,
+            created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+            last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+        );
+        CREATE INDEX IF NOT EXISTS idx_device_login_tokens_device_id ON device_login_tokens(device_id);
+
+        CREATE TABLE IF NOT EXISTS auth_events (
+            id             BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+            user_id        UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+            device_id      UUID NOT NULL REFERENCES devices(id) ON DELETE CASCADE,
+            device_name    VARCHAR(256) NOT NULL,
+            platform       VARCHAR(64) NOT NULL,
+            client_version VARCHAR(64) NOT NULL,
+            ip_addr        TEXT,
+            forwarded_ip   TEXT,
+            login_method   VARCHAR(32) NOT NULL,
+            login_result   VARCHAR(32) NOT NULL,
+            created_at     TIMESTAMPTZ NOT NULL DEFAULT NOW()
+        );
+        CREATE INDEX IF NOT EXISTS idx_auth_events_user_id_created_at
+            ON auth_events(user_id, created_at DESC);
+        CREATE INDEX IF NOT EXISTS idx_auth_events_device_id_created_at
+            ON auth_events(device_id, created_at DESC);
+
+        CREATE TABLE IF NOT EXISTS vault_objects (
+            object_id         UUID PRIMARY KEY,
+            user_id           UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+            object_kind       VARCHAR(32) NOT NULL,
+            revision          BIGINT NOT NULL,
+            cipher_version    INTEGER NOT NULL DEFAULT 1,
+            ciphertext        BYTEA NOT NULL DEFAULT '\x',
+            content_hash      TEXT NOT NULL DEFAULT '',
+            deleted_at        TIMESTAMPTZ,
+            updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+            created_by_device UUID REFERENCES devices(id) ON DELETE SET NULL
+        );
+        CREATE INDEX IF NOT EXISTS idx_vault_objects_user_revision
+            ON vault_objects(user_id, revision ASC);
+        CREATE INDEX IF NOT EXISTS idx_vault_objects_user_deleted
+            ON vault_objects(user_id, deleted_at);
+
+        CREATE TABLE IF NOT EXISTS vault_object_revisions (
+            object_id      UUID NOT NULL,
+            user_id        UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+            revision       BIGINT NOT NULL,
+            cipher_version INTEGER NOT NULL DEFAULT 1,
+            ciphertext     BYTEA NOT NULL DEFAULT '\x',
+            content_hash   TEXT NOT NULL DEFAULT '',
+            deleted_at     TIMESTAMPTZ,
+            created_at     TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+            PRIMARY KEY (object_id, revision)
+        );
+        CREATE INDEX IF NOT EXISTS idx_vault_object_revisions_user_revision
+            ON vault_object_revisions(user_id, revision ASC);
+        "#,
+    )
+    .execute(pool)
+    .await?;
+
+    Ok(())
+}

crates/secrets-core/Cargo.toml

@@ -1,27 +0,0 @@
-[package]
-name = "secrets-core"
-version = "0.1.0"
-edition.workspace = true
-
-[lib]
-name = "secrets_core"
-path = "src/lib.rs"
-
-[dependencies]
-aes-gcm.workspace = true
-anyhow.workspace = true
-thiserror.workspace = true
-chrono.workspace = true
-hex = "0.4"
-rand.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-serde_yaml.workspace = true
-sqlx.workspace = true
-toml.workspace = true
-tokio.workspace = true
-tracing.workspace = true
-uuid.workspace = true
-
-[dev-dependencies]
-tempfile = "3"

crates/secrets-core/src/audit.rs

@@ -1,88 +0,0 @@
-use serde_json::{Value, json};
-use sqlx::{PgPool, Postgres, Transaction};
-use uuid::Uuid;
-
-pub const ACTION_LOGIN: &str = "login";
-pub const FOLDER_AUTH: &str = "auth";
-
-fn login_detail(provider: &str, client_ip: Option<&str>, user_agent: Option<&str>) -> Value {
-    json!({
-        "provider": provider,
-        "client_ip": client_ip,
-        "user_agent": user_agent,
-    })
-}
-
-/// Write a login audit entry without requiring an explicit transaction.
-pub async fn log_login(
-    pool: &PgPool,
-    entry_type: &str,
-    provider: &str,
-    user_id: Uuid,
-    client_ip: Option<&str>,
-    user_agent: Option<&str>,
-) {
-    let detail = login_detail(provider, client_ip, user_agent);
-    let result: Result<_, sqlx::Error> = sqlx::query(
-        "INSERT INTO audit_log (user_id, action, folder, type, name, detail) \
-         VALUES ($1, $2, $3, $4, $5, $6)",
-    )
-    .bind(user_id)
-    .bind(ACTION_LOGIN)
-    .bind(FOLDER_AUTH)
-    .bind(entry_type)
-    .bind(provider)
-    .bind(&detail)
-    .execute(pool)
-    .await;
-
-    if let Err(e) = result {
-        tracing::warn!(error = %e, entry_type, provider, "failed to write login audit log");
-    } else {
-        tracing::debug!(entry_type, provider, ?user_id, "login audit logged");
-    }
-}
-
-/// Write an audit entry within an existing transaction.
-pub async fn log_tx(
-    tx: &mut Transaction<'_, Postgres>,
-    user_id: Option<Uuid>,
-    action: &str,
-    folder: &str,
-    entry_type: &str,
-    name: &str,
-    detail: Value,
-) {
-    let result: Result<_, sqlx::Error> = sqlx::query(
-        "INSERT INTO audit_log (user_id, action, folder, type, name, detail) \
-         VALUES ($1, $2, $3, $4, $5, $6)",
-    )
-    .bind(user_id)
-    .bind(action)
-    .bind(folder)
-    .bind(entry_type)
-    .bind(name)
-    .bind(&detail)
-    .execute(&mut **tx)
-    .await;
-
-    if let Err(e) = result {
-        tracing::warn!(error = %e, "failed to write audit log");
-    } else {
-        tracing::debug!(action, folder, entry_type, name, "audit logged");
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn login_detail_includes_expected_fields() {
-        let detail = login_detail("google", Some("127.0.0.1"), Some("Mozilla/5.0"));
-
-        assert_eq!(detail["provider"], "google");
-        assert_eq!(detail["client_ip"], "127.0.0.1");
-        assert_eq!(detail["user_agent"], "Mozilla/5.0");
-    }
-}

crates/secrets-core/src/config.rs

@@ -1,71 +0,0 @@
-use std::path::PathBuf;
-
-use anyhow::{Context, Result};
-use sqlx::postgres::PgSslMode;
-
-#[derive(Debug, Clone)]
-pub struct DatabaseConfig {
-    pub url: String,
-    pub ssl_mode: Option<PgSslMode>,
-    pub ssl_root_cert: Option<PathBuf>,
-}
-
-/// Resolve database URL from environment.
-/// Priority: `SECRETS_DATABASE_URL` env var → error.
-pub fn resolve_db_url(override_url: &str) -> Result<String> {
-    if !override_url.is_empty() {
-        return Ok(override_url.to_string());
-    }
-
-    if let Ok(url) = std::env::var("SECRETS_DATABASE_URL")
-        && !url.is_empty()
-    {
-        return Ok(url);
-    }
-
-    anyhow::bail!(
-        "Database not configured. Set the SECRETS_DATABASE_URL environment variable.\n\
-         Example: SECRETS_DATABASE_URL=postgres://user:pass@host:port/dbname"
-    )
-}
-
-fn env_var_non_empty(name: &str) -> Option<String> {
-    std::env::var(name)
-        .ok()
-        .filter(|value| !value.trim().is_empty())
-}
-
-fn parse_ssl_mode_from_env() -> Result<Option<PgSslMode>> {
-    let Some(mode) = env_var_non_empty("SECRETS_DATABASE_SSL_MODE") else {
-        return Ok(None);
-    };
-
-    let parsed = mode.parse::<PgSslMode>().with_context(|| {
-        format!(
-            "Invalid SECRETS_DATABASE_SSL_MODE='{mode}'. Use one of: disable, allow, prefer, require, verify-ca, verify-full."
-        )
-    })?;
-    Ok(Some(parsed))
-}
-
-fn resolve_ssl_root_cert_from_env() -> Result<Option<PathBuf>> {
-    let Some(path) = env_var_non_empty("SECRETS_DATABASE_SSL_ROOT_CERT") else {
-        return Ok(None);
-    };
-    let path = PathBuf::from(path);
-    if !path.exists() {
-        anyhow::bail!(
-            "SECRETS_DATABASE_SSL_ROOT_CERT points to a missing file: {}",
-            path.display()
-        );
-    }
-    Ok(Some(path))
-}
-
-pub fn resolve_db_config(override_url: &str) -> Result<DatabaseConfig> {
-    Ok(DatabaseConfig {
-        url: resolve_db_url(override_url)?,
-        ssl_mode: parse_ssl_mode_from_env()?,
-        ssl_root_cert: resolve_ssl_root_cert_from_env()?,
-    })
-}

crates/secrets-core/src/crypto.rs

@@ -1,128 +0,0 @@
-use aes_gcm::{
-    Aes256Gcm, Key, Nonce,
-    aead::{Aead, AeadCore, KeyInit, OsRng},
-};
-use anyhow::{Context, Result, bail};
-use serde_json::Value;
-
-use crate::error::AppError;
-
-const NONCE_LEN: usize = 12;
-
-// ─── AES-256-GCM encrypt / decrypt ───────────────────────────────────────────
-
-/// Encrypt plaintext bytes with AES-256-GCM.
-/// Returns `nonce (12 B) || ciphertext+tag`.
-pub fn encrypt(master_key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>> {
-    let key = Key::<Aes256Gcm>::from_slice(master_key);
-    let cipher = Aes256Gcm::new(key);
-    let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
-    let ciphertext = cipher
-        .encrypt(&nonce, plaintext)
-        .map_err(|e| anyhow::anyhow!("AES-256-GCM encryption failed: {}", e))?;
-    let mut out = Vec::with_capacity(NONCE_LEN + ciphertext.len());
-    out.extend_from_slice(&nonce);
-    out.extend_from_slice(&ciphertext);
-    Ok(out)
-}
-
-/// Decrypt `nonce (12 B) || ciphertext+tag` with AES-256-GCM.
-pub fn decrypt(master_key: &[u8; 32], data: &[u8]) -> Result<Vec<u8>> {
-    if data.len() < NONCE_LEN {
-        bail!(
-            "encrypted data too short ({}B); possibly corrupted",
-            data.len()
-        );
-    }
-    let (nonce_bytes, ciphertext) = data.split_at(NONCE_LEN);
-    let key = Key::<Aes256Gcm>::from_slice(master_key);
-    let cipher = Aes256Gcm::new(key);
-    let nonce = Nonce::from_slice(nonce_bytes);
-    cipher
-        .decrypt(nonce, ciphertext)
-        .map_err(|_| AppError::DecryptionFailed.into())
-}
-
-// ─── JSON helpers ─────────────────────────────────────────────────────────────
-
-/// Serialize a JSON Value and encrypt it. Returns the encrypted blob.
-pub fn encrypt_json(master_key: &[u8; 32], value: &Value) -> Result<Vec<u8>> {
-    let bytes = serde_json::to_vec(value).context("serialize JSON for encryption")?;
-    encrypt(master_key, &bytes)
-}
-
-/// Decrypt an encrypted blob and deserialize it as a JSON Value.
-pub fn decrypt_json(master_key: &[u8; 32], data: &[u8]) -> Result<Value> {
-    let bytes = decrypt(master_key, data)?;
-    serde_json::from_slice(&bytes).context("deserialize decrypted JSON")
-}
-
-// ─── Client-supplied key extraction ──────────────────────────────────────────
-
-/// Parse a 64-char hex string (from X-Encryption-Key header) into a 32-byte key.
-pub fn extract_key_from_hex(hex_str: &str) -> Result<[u8; 32]> {
-    let bytes = ::hex::decode(hex_str.trim())?;
-    if bytes.len() != 32 {
-        bail!(
-            "X-Encryption-Key must be 64 hex chars (32 bytes), got {} bytes",
-            bytes.len()
-        );
-    }
-    let mut key = [0u8; 32];
-    key.copy_from_slice(&bytes);
-    Ok(key)
-}
-
-// ─── Public hex helpers ───────────────────────────────────────────────────────
-
-pub mod hex {
-    use anyhow::Result;
-
-    pub fn encode_hex(bytes: &[u8]) -> String {
-        ::hex::encode(bytes)
-    }
-
-    pub fn decode_hex(s: &str) -> Result<Vec<u8>> {
-        Ok(::hex::decode(s.trim())?)
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn roundtrip_encrypt_decrypt() {
-        let key = [0x42u8; 32];
-        let plaintext = b"hello world";
-        let enc = encrypt(&key, plaintext).unwrap();
-        let dec = decrypt(&key, &enc).unwrap();
-        assert_eq!(dec, plaintext);
-    }
-
-    #[test]
-    fn encrypt_produces_different_ciphertexts() {
-        let key = [0x42u8; 32];
-        let plaintext = b"hello world";
-        let enc1 = encrypt(&key, plaintext).unwrap();
-        let enc2 = encrypt(&key, plaintext).unwrap();
-        assert_ne!(enc1, enc2);
-    }
-
-    #[test]
-    fn wrong_key_fails_decryption() {
-        let key1 = [0x42u8; 32];
-        let key2 = [0x43u8; 32];
-        let enc = encrypt(&key1, b"secret").unwrap();
-        assert!(decrypt(&key2, &enc).is_err());
-    }
-
-    #[test]
-    fn json_roundtrip() {
-        let key = [0x42u8; 32];
-        let value = serde_json::json!({"token": "abc123", "password": "hunter2"});
-        let enc = encrypt_json(&key, &value).unwrap();
-        let dec = decrypt_json(&key, &enc).unwrap();
-        assert_eq!(dec, value);
-    }
-}

crates/secrets-core/src/db.rs

@@ -1,657 +0,0 @@
-use std::str::FromStr;
-
-use anyhow::{Context, Result};
-use serde_json::{Map, Value};
-use sqlx::PgPool;
-use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
-
-use crate::config::DatabaseConfig;
-
-fn build_connect_options(config: &DatabaseConfig) -> Result<PgConnectOptions> {
-    let mut options = PgConnectOptions::from_str(&config.url)
-        .with_context(|| "failed to parse SECRETS_DATABASE_URL".to_string())?;
-
-    if let Some(mode) = config.ssl_mode {
-        options = options.ssl_mode(mode);
-    }
-    if let Some(path) = &config.ssl_root_cert {
-        options = options.ssl_root_cert(path);
-    }
-
-    Ok(options)
-}
-
-pub async fn create_pool(config: &DatabaseConfig) -> Result<PgPool> {
-    tracing::debug!("connecting to database");
-    let connect_options = build_connect_options(config)?;
-
-    // Connection pool configuration from environment
-    let max_connections = std::env::var("SECRETS_DATABASE_POOL_SIZE")
-        .ok()
-        .and_then(|v| v.parse::<u32>().ok())
-        .unwrap_or(10);
-
-    let acquire_timeout_secs = std::env::var("SECRETS_DATABASE_ACQUIRE_TIMEOUT")
-        .ok()
-        .and_then(|v| v.parse::<u64>().ok())
-        .unwrap_or(5);
-
-    let pool = PgPoolOptions::new()
-        .max_connections(max_connections)
-        .acquire_timeout(std::time::Duration::from_secs(acquire_timeout_secs))
-        .max_lifetime(std::time::Duration::from_secs(1800)) // 30 minutes
-        .idle_timeout(std::time::Duration::from_secs(600)) // 10 minutes
-        .connect_with(connect_options)
-        .await?;
-
-    tracing::debug!(
-        max_connections,
-        acquire_timeout_secs,
-        "database connection established"
-    );
-    Ok(pool)
-}
-
-pub async fn migrate(pool: &PgPool) -> Result<()> {
-    tracing::debug!("running migrations");
-    sqlx::raw_sql(
-        r#"
-        -- ── entries: top-level entities ─────────────────────────────────────────
-        CREATE TABLE IF NOT EXISTS entries (
-            id          UUID PRIMARY KEY DEFAULT uuidv7(),
-            user_id     UUID,
-            folder      VARCHAR(128) NOT NULL DEFAULT '',
-            type        VARCHAR(64)  NOT NULL DEFAULT '',
-            name        VARCHAR(256) NOT NULL,
-            notes       TEXT         NOT NULL DEFAULT '',
-            tags        TEXT[]       NOT NULL DEFAULT '{}',
-            metadata    JSONB        NOT NULL DEFAULT '{}',
-            version     BIGINT       NOT NULL DEFAULT 1,
-            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-            updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-            deleted_at  TIMESTAMPTZ
-        );
-
-        -- Legacy unique constraint without user_id (single-user mode)
-        -- NOTE: These are rebuilt below with `deleted_at IS NULL` for soft-delete support.
-        CREATE UNIQUE INDEX IF NOT EXISTS idx_entries_unique_legacy
-            ON entries(folder, name)
-            WHERE user_id IS NULL;
-
-        -- Multi-user unique constraint
-        CREATE UNIQUE INDEX IF NOT EXISTS idx_entries_unique_user
-            ON entries(user_id, folder, name)
-            WHERE user_id IS NOT NULL;
-
-        CREATE INDEX IF NOT EXISTS idx_entries_folder   ON entries(folder) WHERE folder <> '';
-        CREATE INDEX IF NOT EXISTS idx_entries_type     ON entries(type) WHERE type <> '';
-        CREATE INDEX IF NOT EXISTS idx_entries_user_id  ON entries(user_id) WHERE user_id IS NOT NULL;
-        CREATE INDEX IF NOT EXISTS idx_entries_tags     ON entries USING GIN(tags);
-        CREATE INDEX IF NOT EXISTS idx_entries_metadata ON entries USING GIN(metadata jsonb_path_ops);
-
-        -- ── secrets: one row per encrypted field ─────────────────────────────────
-        CREATE TABLE IF NOT EXISTS secrets (
-            id          UUID PRIMARY KEY DEFAULT uuidv7(),
-            user_id     UUID,
-            name        VARCHAR(256) NOT NULL,
-            type        VARCHAR(64)  NOT NULL DEFAULT 'text',
-            encrypted   BYTEA        NOT NULL DEFAULT '\x',
-            version     BIGINT       NOT NULL DEFAULT 1,
-            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-            updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_secrets_user_id  ON secrets(user_id) WHERE user_id IS NOT NULL;
-        CREATE UNIQUE INDEX IF NOT EXISTS idx_secrets_unique_user_name
-            ON secrets(user_id, name) WHERE user_id IS NOT NULL;
-        CREATE INDEX IF NOT EXISTS idx_secrets_name     ON secrets(name);
-        CREATE INDEX IF NOT EXISTS idx_secrets_type     ON secrets(type);
-
-        -- ── entry_secrets: N:N relation ────────────────────────────────────────────
-        CREATE TABLE IF NOT EXISTS entry_secrets (
-            entry_id    UUID NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
-            secret_id   UUID NOT NULL REFERENCES secrets(id) ON DELETE CASCADE,
-            sort_order  INT NOT NULL DEFAULT 0,
-            created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-            PRIMARY KEY(entry_id, secret_id)
-        );
-        CREATE INDEX IF NOT EXISTS idx_entry_secrets_secret_id ON entry_secrets(secret_id);
-
-        -- ── entry_relations: parent-child links between entries ──────────────────
-        CREATE TABLE IF NOT EXISTS entry_relations (
-            parent_entry_id UUID NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
-            child_entry_id  UUID NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
-            created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-            PRIMARY KEY(parent_entry_id, child_entry_id),
-            CHECK (parent_entry_id <> child_entry_id)
-        );
-        CREATE INDEX IF NOT EXISTS idx_entry_relations_parent ON entry_relations(parent_entry_id);
-        CREATE INDEX IF NOT EXISTS idx_entry_relations_child ON entry_relations(child_entry_id);
-
-        -- ── audit_log: append-only operation log ─────────────────────────────────
-        CREATE TABLE IF NOT EXISTS audit_log (
-            id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-            user_id     UUID,
-            action      VARCHAR(32)  NOT NULL,
-            folder      VARCHAR(128) NOT NULL DEFAULT '',
-            type        VARCHAR(64)  NOT NULL DEFAULT '',
-            name        VARCHAR(256) NOT NULL,
-            detail      JSONB        NOT NULL DEFAULT '{}',
-            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_audit_log_created      ON audit_log(created_at DESC);
-        CREATE INDEX IF NOT EXISTS idx_audit_log_folder_type  ON audit_log(folder, type);
-        CREATE INDEX IF NOT EXISTS idx_audit_log_user_id      ON audit_log(user_id) WHERE user_id IS NOT NULL;
-
-        -- ── entries_history ───────────────────────────────────────────────────────
-        CREATE TABLE IF NOT EXISTS entries_history (
-            id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-            entry_id    UUID         NOT NULL,
-            folder      VARCHAR(128) NOT NULL DEFAULT '',
-            type        VARCHAR(64)  NOT NULL DEFAULT '',
-            name        VARCHAR(256) NOT NULL,
-            version     BIGINT       NOT NULL,
-            action      VARCHAR(16)  NOT NULL,
-            tags        TEXT[]       NOT NULL DEFAULT '{}',
-            metadata    JSONB        NOT NULL DEFAULT '{}',
-            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_entries_history_entry_id
-            ON entries_history(entry_id, version DESC);
-        CREATE INDEX IF NOT EXISTS idx_entries_history_folder_type_name
-            ON entries_history(folder, type, name, version DESC);
-
-        -- Backfill: add user_id to entries_history for multi-tenant isolation
-        ALTER TABLE entries_history ADD COLUMN IF NOT EXISTS user_id UUID;
-        CREATE INDEX IF NOT EXISTS idx_entries_history_user_id
-            ON entries_history(user_id) WHERE user_id IS NOT NULL;
-        ALTER TABLE entries_history DROP COLUMN IF EXISTS actor;
-
-        -- Backfill: add notes to entries if not present (fresh installs already have it)
-        ALTER TABLE entries ADD COLUMN IF NOT EXISTS notes TEXT NOT NULL DEFAULT '';
-        ALTER TABLE entries ADD COLUMN IF NOT EXISTS deleted_at TIMESTAMPTZ;
-
-        -- ── secrets_history: field-level snapshot ────────────────────────────────
-        CREATE TABLE IF NOT EXISTS secrets_history (
-            id              BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-            secret_id       UUID         NOT NULL,
-            name            VARCHAR(256) NOT NULL,
-            encrypted       BYTEA        NOT NULL DEFAULT '\x',
-            action          VARCHAR(16)  NOT NULL,
-            created_at      TIMESTAMPTZ  NOT NULL DEFAULT NOW()
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_secrets_history_secret_id
-            ON secrets_history(secret_id);
-
-        -- Drop redundant actor column (derivable via entries_history JOIN)
-        ALTER TABLE secrets_history DROP COLUMN IF EXISTS actor;
-
-        -- ── users ─────────────────────────────────────────────────────────────────
-        CREATE TABLE IF NOT EXISTS users (
-            id          UUID PRIMARY KEY DEFAULT uuidv7(),
-            email       VARCHAR(256),
-            name        VARCHAR(256) NOT NULL DEFAULT '',
-            avatar_url  TEXT,
-            key_salt    BYTEA,
-            key_check   BYTEA,
-            key_params  JSONB,
-            api_key     TEXT UNIQUE,
-            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-            updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
-        );
-
-        -- ── oauth_accounts: per-provider identity links ───────────────────────────
-        CREATE TABLE IF NOT EXISTS oauth_accounts (
-            id          UUID PRIMARY KEY DEFAULT uuidv7(),
-            user_id     UUID         NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-            provider    VARCHAR(32)  NOT NULL,
-            provider_id VARCHAR(256) NOT NULL,
-            email       VARCHAR(256),
-            name        VARCHAR(256),
-            avatar_url  TEXT,
-            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-            UNIQUE(provider, provider_id)
-        );
-
-        CREATE INDEX IF NOT EXISTS idx_oauth_accounts_user ON oauth_accounts(user_id);
-        CREATE UNIQUE INDEX IF NOT EXISTS idx_oauth_accounts_user_provider
-            ON oauth_accounts(user_id, provider);
-
-        -- ── local_mcp_bind_sessions: short-lived browser approval state ──────────
-        CREATE TABLE IF NOT EXISTS local_mcp_bind_sessions (
-            bind_id      TEXT PRIMARY KEY,
-            device_code  TEXT NOT NULL,
-            user_id      UUID,
-            approved     BOOLEAN NOT NULL DEFAULT FALSE,
-            expires_at   TIMESTAMPTZ NOT NULL,
-            created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW()
-        );
-        CREATE INDEX IF NOT EXISTS idx_local_mcp_bind_sessions_expires_at
-            ON local_mcp_bind_sessions(expires_at);
-        CREATE INDEX IF NOT EXISTS idx_local_mcp_bind_sessions_user_id
-            ON local_mcp_bind_sessions(user_id) WHERE user_id IS NOT NULL;
-
-        -- FK: user_id columns -> users(id) (nullable = legacy rows; ON DELETE SET NULL)
-        DO $$ BEGIN
-            IF NOT EXISTS (
-                SELECT 1 FROM pg_constraint WHERE conname = 'fk_entries_user_id'
-            ) THEN
-                ALTER TABLE entries
-                    ADD CONSTRAINT fk_entries_user_id
-                    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE SET NULL;
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF NOT EXISTS (
-                SELECT 1 FROM pg_constraint WHERE conname = 'fk_entries_history_user_id'
-            ) THEN
-                ALTER TABLE entries_history
-                    ADD CONSTRAINT fk_entries_history_user_id
-                    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE SET NULL;
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF NOT EXISTS (
-                SELECT 1 FROM pg_constraint WHERE conname = 'fk_secrets_user_id'
-            ) THEN
-                ALTER TABLE secrets
-                    ADD CONSTRAINT fk_secrets_user_id
-                    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE SET NULL;
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF NOT EXISTS (
-                SELECT 1 FROM pg_constraint WHERE conname = 'fk_audit_log_user_id'
-            ) THEN
-                ALTER TABLE audit_log
-                    ADD CONSTRAINT fk_audit_log_user_id
-                    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE SET NULL;
-            END IF;
-        END $$;
-        "#,
-    )
-    .execute(pool)
-    .await?;
-    migrate_schema(pool).await?;
-    restore_plaintext_api_keys(pool).await?;
-
-    tracing::debug!("migrations complete");
-    Ok(())
-}
-
-/// Idempotent schema migration: rename namespace→folder, kind→type in existing databases.
-async fn migrate_schema(pool: &PgPool) -> Result<()> {
-    sqlx::raw_sql(
-        r#"
-        -- ── entries: rename namespace→folder, kind→type ──────────────────────────
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'entries' AND column_name = 'namespace'
-            ) THEN
-                ALTER TABLE entries RENAME COLUMN namespace TO folder;
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'entries' AND column_name = 'kind'
-            ) THEN
-                ALTER TABLE entries RENAME COLUMN kind TO type;
-            END IF;
-        END $$;
-
-        -- ── audit_log: rename namespace→folder, kind→type ────────────────────────
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'audit_log' AND column_name = 'namespace'
-            ) THEN
-                ALTER TABLE audit_log RENAME COLUMN namespace TO folder;
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'audit_log' AND column_name = 'kind'
-            ) THEN
-                ALTER TABLE audit_log RENAME COLUMN kind TO type;
-            END IF;
-        END $$;
-
-        -- ── entries_history: rename namespace→folder, kind→type ──────────────────
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'entries_history' AND column_name = 'namespace'
-            ) THEN
-                ALTER TABLE entries_history RENAME COLUMN namespace TO folder;
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'entries_history' AND column_name = 'kind'
-            ) THEN
-                ALTER TABLE entries_history RENAME COLUMN kind TO type;
-            END IF;
-        END $$;
-
-        -- ── Set empty defaults for new folder/type columns ────────────────────────
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'entries' AND column_name = 'folder'
-            ) THEN
-                UPDATE entries SET folder = '' WHERE folder IS NULL;
-                ALTER TABLE entries ALTER COLUMN folder SET NOT NULL;
-                ALTER TABLE entries ALTER COLUMN folder SET DEFAULT '';
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'entries' AND column_name = 'type'
-            ) THEN
-                UPDATE entries SET type = '' WHERE type IS NULL;
-                ALTER TABLE entries ALTER COLUMN type SET NOT NULL;
-                ALTER TABLE entries ALTER COLUMN type SET DEFAULT '';
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'audit_log' AND column_name = 'folder'
-            ) THEN
-                UPDATE audit_log SET folder = '' WHERE folder IS NULL;
-                ALTER TABLE audit_log ALTER COLUMN folder SET NOT NULL;
-                ALTER TABLE audit_log ALTER COLUMN folder SET DEFAULT '';
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'audit_log' AND column_name = 'type'
-            ) THEN
-                UPDATE audit_log SET type = '' WHERE type IS NULL;
-                ALTER TABLE audit_log ALTER COLUMN type SET NOT NULL;
-                ALTER TABLE audit_log ALTER COLUMN type SET DEFAULT '';
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'entries_history' AND column_name = 'folder'
-            ) THEN
-                UPDATE entries_history SET folder = '' WHERE folder IS NULL;
-                ALTER TABLE entries_history ALTER COLUMN folder SET NOT NULL;
-                ALTER TABLE entries_history ALTER COLUMN folder SET DEFAULT '';
-            END IF;
-        END $$;
-
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'entries_history' AND column_name = 'type'
-            ) THEN
-                UPDATE entries_history SET type = '' WHERE type IS NULL;
-                ALTER TABLE entries_history ALTER COLUMN type SET NOT NULL;
-                ALTER TABLE entries_history ALTER COLUMN type SET DEFAULT '';
-            END IF;
-        END $$;
-
-        -- ── Rebuild unique indexes on entries: folder is now part of the key ────────
-        -- (user_id, folder, name) allows same name in different folders.
-        DROP INDEX IF EXISTS idx_entries_unique_legacy;
-        DROP INDEX IF EXISTS idx_entries_unique_user;
-
-        CREATE UNIQUE INDEX IF NOT EXISTS idx_entries_unique_legacy
-            ON entries(folder, name)
-            WHERE user_id IS NULL AND deleted_at IS NULL;
-
-        CREATE UNIQUE INDEX IF NOT EXISTS idx_entries_unique_user
-            ON entries(user_id, folder, name)
-            WHERE user_id IS NOT NULL AND deleted_at IS NULL;
-
-        -- ── Replace old namespace/kind indexes ────────────────────────────────────
-        DROP INDEX IF EXISTS idx_entries_namespace;
-        DROP INDEX IF EXISTS idx_entries_kind;
-        DROP INDEX IF EXISTS idx_audit_log_ns_kind;
-        DROP INDEX IF EXISTS idx_entries_history_ns_kind_name;
-
-        CREATE INDEX IF NOT EXISTS idx_entries_folder
-            ON entries(folder) WHERE folder <> '';
-        CREATE INDEX IF NOT EXISTS idx_entries_type
-            ON entries(type) WHERE type <> '';
-        CREATE INDEX IF NOT EXISTS idx_entries_deleted_at
-            ON entries(deleted_at) WHERE deleted_at IS NOT NULL;
-        CREATE INDEX IF NOT EXISTS idx_audit_log_folder_type
-            ON audit_log(folder, type);
-        CREATE INDEX IF NOT EXISTS idx_entries_history_folder_type_name
-            ON entries_history(folder, type, name, version DESC);
-
-        -- ── Drop legacy actor columns ─────────────────────────────────────────────
-        ALTER TABLE secrets_history DROP COLUMN IF EXISTS actor;
-        ALTER TABLE audit_log DROP COLUMN IF EXISTS actor;
-
-        -- ── key_version: incremented on passphrase change to invalidate other sessions ──
-        ALTER TABLE users ADD COLUMN IF NOT EXISTS key_version BIGINT NOT NULL DEFAULT 0;
-        "#,
-    )
-    .execute(pool)
-    .await?;
-    Ok(())
-}
-
-async fn restore_plaintext_api_keys(pool: &PgPool) -> Result<()> {
-    let has_users_api_key: bool = sqlx::query_scalar(
-        "SELECT EXISTS (
-            SELECT 1
-            FROM information_schema.columns
-            WHERE table_schema = 'public'
-              AND table_name = 'users'
-              AND column_name = 'api_key'
-        )",
-    )
-    .fetch_one(pool)
-    .await?;
-
-    if !has_users_api_key {
-        sqlx::query("ALTER TABLE users ADD COLUMN api_key TEXT")
-            .execute(pool)
-            .await?;
-        sqlx::query("CREATE UNIQUE INDEX IF NOT EXISTS idx_users_api_key ON users(api_key) WHERE api_key IS NOT NULL")
-            .execute(pool)
-            .await?;
-    }
-
-    let has_api_keys_table: bool = sqlx::query_scalar(
-        "SELECT EXISTS (
-            SELECT 1
-            FROM information_schema.tables
-            WHERE table_schema = 'public'
-              AND table_name = 'api_keys'
-        )",
-    )
-    .fetch_one(pool)
-    .await?;
-
-    if !has_api_keys_table {
-        return Ok(());
-    }
-
-    #[derive(sqlx::FromRow)]
-    struct UserWithoutKey {
-        id: uuid::Uuid,
-    }
-
-    let users_without_key: Vec<UserWithoutKey> =
-        sqlx::query_as("SELECT DISTINCT user_id AS id FROM api_keys WHERE user_id NOT IN (SELECT id FROM users WHERE api_key IS NOT NULL)")
-            .fetch_all(pool)
-            .await?;
-
-    for user in users_without_key {
-        let new_key = crate::service::api_key::generate_api_key();
-        sqlx::query("UPDATE users SET api_key = $1 WHERE id = $2")
-            .bind(&new_key)
-            .bind(user.id)
-            .execute(pool)
-            .await?;
-    }
-
-    sqlx::query("DROP TABLE IF EXISTS api_keys")
-        .execute(pool)
-        .await?;
-
-    Ok(())
-}
-
-// ── Entry-level history snapshot ─────────────────────────────────────────────
-
-pub struct EntrySnapshotParams<'a> {
-    pub entry_id: uuid::Uuid,
-    pub user_id: Option<uuid::Uuid>,
-    pub folder: &'a str,
-    pub entry_type: &'a str,
-    pub name: &'a str,
-    pub version: i64,
-    pub action: &'a str,
-    pub tags: &'a [String],
-    pub metadata: &'a Value,
-}
-
-pub async fn snapshot_entry_history(
-    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
-    p: EntrySnapshotParams<'_>,
-) -> Result<()> {
-    sqlx::query(
-        "INSERT INTO entries_history \
-         (entry_id, folder, type, name, version, action, tags, metadata, user_id) \
-         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
-    )
-    .bind(p.entry_id)
-    .bind(p.folder)
-    .bind(p.entry_type)
-    .bind(p.name)
-    .bind(p.version)
-    .bind(p.action)
-    .bind(p.tags)
-    .bind(p.metadata)
-    .bind(p.user_id)
-    .execute(&mut **tx)
-    .await?;
-    Ok(())
-}
-
-// ── Secret field-level history snapshot ──────────────────────────────────────
-
-pub struct SecretSnapshotParams<'a> {
-    pub secret_id: uuid::Uuid,
-    pub name: &'a str,
-    pub encrypted: &'a [u8],
-    pub action: &'a str,
-}
-
-pub async fn snapshot_secret_history(
-    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
-    p: SecretSnapshotParams<'_>,
-) -> Result<()> {
-    sqlx::query(
-        "INSERT INTO secrets_history \
-         (secret_id, name, encrypted, action) \
-         VALUES ($1, $2, $3, $4)",
-    )
-    .bind(p.secret_id)
-    .bind(p.name)
-    .bind(p.encrypted)
-    .bind(p.action)
-    .execute(&mut **tx)
-    .await?;
-    Ok(())
-}
-
-pub const ENTRY_HISTORY_SECRETS_KEY: &str = "__secrets_snapshot_v1";
-
-#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
-pub struct EntrySecretSnapshot {
-    pub name: String,
-    #[serde(rename = "type")]
-    pub secret_type: String,
-    pub encrypted_hex: String,
-}
-
-pub async fn metadata_with_secret_snapshot(
-    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
-    entry_id: uuid::Uuid,
-    metadata: &Value,
-) -> Result<Value> {
-    #[derive(sqlx::FromRow)]
-    struct Row {
-        name: String,
-        #[sqlx(rename = "type")]
-        secret_type: String,
-        encrypted: Vec<u8>,
-    }
-
-    let rows: Vec<Row> = sqlx::query_as(
-        "SELECT s.name, s.type, s.encrypted \
-         FROM entry_secrets es \
-         JOIN secrets s ON s.id = es.secret_id \
-         WHERE es.entry_id = $1 \
-         ORDER BY s.name ASC",
-    )
-    .bind(entry_id)
-    .fetch_all(&mut **tx)
-    .await?;
-
-    let snapshots: Vec<EntrySecretSnapshot> = rows
-        .into_iter()
-        .map(|r| EntrySecretSnapshot {
-            name: r.name,
-            secret_type: r.secret_type,
-            encrypted_hex: ::hex::encode(r.encrypted),
-        })
-        .collect();
-
-    let mut merged = match metadata.clone() {
-        Value::Object(obj) => obj,
-        _ => Map::new(),
-    };
-    merged.insert(
-        ENTRY_HISTORY_SECRETS_KEY.to_string(),
-        serde_json::to_value(snapshots)?,
-    );
-    Ok(Value::Object(merged))
-}
-
-pub fn strip_secret_snapshot_from_metadata(metadata: &Value) -> Value {
-    let mut m = match metadata.clone() {
-        Value::Object(obj) => obj,
-        _ => return metadata.clone(),
-    };
-    m.remove(ENTRY_HISTORY_SECRETS_KEY);
-    Value::Object(m)
-}
-
-pub fn entry_secret_snapshot_from_metadata(metadata: &Value) -> Option<Vec<EntrySecretSnapshot>> {
-    let Value::Object(map) = metadata else {
-        return None;
-    };
-    let raw = map.get(ENTRY_HISTORY_SECRETS_KEY)?;
-    serde_json::from_value(raw.clone()).ok()
-}
-
-// ── DB helpers ────────────────────────────────────────────────────────────────

crates/secrets-core/src/error.rs

@@ -1,172 +0,0 @@
-use sqlx::error::DatabaseError;
-
-/// Structured business errors for the secrets service.
-///
-/// These replace ad-hoc `anyhow` strings for expected failure modes,
-/// allowing MCP and Web layers to map to appropriate protocol-level errors.
-#[derive(Debug, thiserror::Error)]
-pub enum AppError {
-    #[error("A secret with the name '{secret_name}' already exists for this user")]
-    ConflictSecretName { secret_name: String },
-
-    #[error("An entry with folder='{folder}' and name='{name}' already exists")]
-    ConflictEntryName { folder: String, name: String },
-
-    #[error("Entry not found")]
-    NotFoundEntry,
-
-    #[error("User not found")]
-    NotFoundUser,
-
-    #[error("Secret not found")]
-    NotFoundSecret,
-
-    #[error("Authentication failed")]
-    AuthenticationFailed,
-
-    #[error("Unauthorized: insufficient permissions")]
-    Unauthorized,
-
-    #[error("Validation failed: {message}")]
-    Validation { message: String },
-
-    #[error("Concurrent modification detected")]
-    ConcurrentModification,
-
-    #[error("Decryption failed — the encryption key may be incorrect")]
-    DecryptionFailed,
-
-    #[error("Encryption key not set — user must set passphrase first")]
-    EncryptionKeyNotSet,
-
-    #[error(transparent)]
-    Internal(#[from] anyhow::Error),
-}
-
-impl AppError {
-    /// Try to convert a sqlx database error into a structured `AppError`.
-    ///
-    /// The caller should provide the context (which table was being written,
-    /// what values were being inserted) so we can produce a meaningful error.
-    pub fn from_db_error(err: sqlx::Error, ctx: DbErrorContext<'_>) -> Self {
-        if let sqlx::Error::Database(ref db_err) = err
-            && db_err.code().as_deref() == Some("23505")
-        {
-            return Self::from_unique_violation(db_err.as_ref(), ctx);
-        }
-        AppError::Internal(err.into())
-    }
-
-    fn from_unique_violation(db_err: &dyn DatabaseError, ctx: DbErrorContext<'_>) -> Self {
-        let constraint = db_err.constraint();
-
-        match constraint {
-            Some("idx_secrets_unique_user_name") => AppError::ConflictSecretName {
-                secret_name: ctx.secret_name.unwrap_or("unknown").to_string(),
-            },
-            Some("idx_entries_unique_user") | Some("idx_entries_unique_legacy") => {
-                AppError::ConflictEntryName {
-                    folder: ctx.folder.unwrap_or("").to_string(),
-                    name: ctx.name.unwrap_or("unknown").to_string(),
-                }
-            }
-            _ => {
-                // Fall back to message-based detection for unnamed constraints
-                let msg = db_err.message();
-                if msg.contains("secrets") {
-                    AppError::ConflictSecretName {
-                        secret_name: ctx.secret_name.unwrap_or("unknown").to_string(),
-                    }
-                } else {
-                    AppError::ConflictEntryName {
-                        folder: ctx.folder.unwrap_or("").to_string(),
-                        name: ctx.name.unwrap_or("unknown").to_string(),
-                    }
-                }
-            }
-        }
-    }
-}
-
-/// Context hints used when converting a database error to `AppError`.
-#[derive(Debug, Default, Clone, Copy)]
-pub struct DbErrorContext<'a> {
-    pub secret_name: Option<&'a str>,
-    pub folder: Option<&'a str>,
-    pub name: Option<&'a str>,
-}
-
-impl<'a> DbErrorContext<'a> {
-    pub fn secret_name(name: &'a str) -> Self {
-        Self {
-            secret_name: Some(name),
-            ..Default::default()
-        }
-    }
-
-    pub fn entry(folder: &'a str, name: &'a str) -> Self {
-        Self {
-            folder: Some(folder),
-            name: Some(name),
-            ..Default::default()
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn app_error_display_messages() {
-        let err = AppError::ConflictSecretName {
-            secret_name: "token".to_string(),
-        };
-        assert!(err.to_string().contains("token"));
-
-        let err = AppError::ConflictEntryName {
-            folder: "refining".to_string(),
-            name: "gitea".to_string(),
-        };
-        assert!(err.to_string().contains("refining"));
-        assert!(err.to_string().contains("gitea"));
-
-        let err = AppError::NotFoundEntry;
-        assert_eq!(err.to_string(), "Entry not found");
-
-        let err = AppError::NotFoundUser;
-        assert_eq!(err.to_string(), "User not found");
-
-        let err = AppError::NotFoundSecret;
-        assert_eq!(err.to_string(), "Secret not found");
-
-        let err = AppError::AuthenticationFailed;
-        assert_eq!(err.to_string(), "Authentication failed");
-
-        let err = AppError::Unauthorized;
-        assert!(err.to_string().contains("Unauthorized"));
-
-        let err = AppError::Validation {
-            message: "too long".to_string(),
-        };
-        assert!(err.to_string().contains("too long"));
-
-        let err = AppError::ConcurrentModification;
-        assert!(err.to_string().contains("Concurrent modification"));
-
-        let err = AppError::EncryptionKeyNotSet;
-        assert!(err.to_string().contains("Encryption key not set"));
-    }
-
-    #[test]
-    fn db_error_context_helpers() {
-        let ctx = DbErrorContext::secret_name("my_key");
-        assert_eq!(ctx.secret_name, Some("my_key"));
-        assert!(ctx.folder.is_none());
-
-        let ctx = DbErrorContext::entry("prod", "db-creds");
-        assert_eq!(ctx.folder, Some("prod"));
-        assert_eq!(ctx.name, Some("db-creds"));
-        assert!(ctx.secret_name.is_none());
-    }
-}

crates/secrets-core/src/lib.rs

@@ -1,8 +0,0 @@
-pub mod audit;
-pub mod config;
-pub mod crypto;
-pub mod db;
-pub mod error;
-pub mod models;
-pub mod service;
-pub mod taxonomy;

crates/secrets-core/src/models.rs

@@ -1,357 +0,0 @@
-use chrono::{DateTime, Utc};
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
-use std::collections::BTreeMap;
-use uuid::Uuid;
-
-/// A top-level entry (server, service, account, person, …).
-/// Sensitive fields are stored separately in `secrets`.
-#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
-pub struct Entry {
-    pub id: Uuid,
-    pub user_id: Option<Uuid>,
-    pub folder: String,
-    #[serde(rename = "type")]
-    #[sqlx(rename = "type")]
-    pub entry_type: String,
-    pub name: String,
-    pub notes: String,
-    pub tags: Vec<String>,
-    pub metadata: Value,
-    pub version: i64,
-    pub created_at: DateTime<Utc>,
-    pub updated_at: DateTime<Utc>,
-    pub deleted_at: Option<DateTime<Utc>>,
-}
-
-/// A single encrypted field belonging to an Entry.
-#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
-pub struct SecretField {
-    pub id: Uuid,
-    pub user_id: Option<Uuid>,
-    pub name: String,
-    #[serde(rename = "type")]
-    #[sqlx(rename = "type")]
-    pub secret_type: String,
-    /// AES-256-GCM ciphertext: nonce(12B) || ciphertext+tag
-    pub encrypted: Vec<u8>,
-    pub version: i64,
-    pub created_at: DateTime<Utc>,
-    pub updated_at: DateTime<Utc>,
-}
-
-// ── Internal query row types (shared across commands) ─────────────────────────
-
-/// Minimal entry row fetched for write operations (add / update / delete / rollback).
-#[derive(Debug, sqlx::FromRow)]
-pub struct EntryRow {
-    pub id: Uuid,
-    pub version: i64,
-    pub folder: String,
-    #[sqlx(rename = "type")]
-    pub entry_type: String,
-    pub tags: Vec<String>,
-    pub metadata: Value,
-    pub notes: String,
-    pub name: String,
-}
-
-/// Entry row including `name` (used for id-scoped web / service updates).
-#[derive(Debug, sqlx::FromRow)]
-pub struct EntryWriteRow {
-    pub id: Uuid,
-    pub version: i64,
-    pub folder: String,
-    #[sqlx(rename = "type")]
-    pub entry_type: String,
-    pub name: String,
-    pub tags: Vec<String>,
-    pub metadata: Value,
-    pub notes: String,
-    pub deleted_at: Option<DateTime<Utc>>,
-}
-
-impl From<&EntryWriteRow> for EntryRow {
-    fn from(r: &EntryWriteRow) -> Self {
-        EntryRow {
-            id: r.id,
-            version: r.version,
-            folder: r.folder.clone(),
-            entry_type: r.entry_type.clone(),
-            tags: r.tags.clone(),
-            metadata: r.metadata.clone(),
-            notes: r.notes.clone(),
-            name: r.name.clone(),
-        }
-    }
-}
-
-/// Minimal secret field row fetched before snapshots or cascade deletes.
-#[derive(Debug, sqlx::FromRow)]
-pub struct SecretFieldRow {
-    pub id: Uuid,
-    pub name: String,
-    pub encrypted: Vec<u8>,
-}
-
-// ── Export / Import types ──────────────────────────────────────────────────────
-
-/// Supported file formats for export/import.
-#[derive(Debug, Clone, Copy, PartialEq)]
-pub enum ExportFormat {
-    Json,
-    Toml,
-    Yaml,
-}
-
-impl std::str::FromStr for ExportFormat {
-    type Err = anyhow::Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        match s.to_lowercase().as_str() {
-            "json" => Ok(Self::Json),
-            "toml" => Ok(Self::Toml),
-            "yaml" | "yml" => Ok(Self::Yaml),
-            other => anyhow::bail!("Unknown format '{}'. Expected: json, toml, or yaml", other),
-        }
-    }
-}
-
-impl ExportFormat {
-    /// Infer format from file extension (.json / .toml / .yaml / .yml).
-    pub fn from_extension(path: &str) -> anyhow::Result<Self> {
-        let ext = path.rsplit('.').next().unwrap_or("").to_lowercase();
-        ext.parse().map_err(|_| {
-            anyhow::anyhow!(
-                "Cannot infer format from extension '.{}'. Use --format json|toml|yaml",
-                ext
-            )
-        })
-    }
-
-    /// Serialize ExportData to a string in this format.
-    pub fn serialize(&self, data: &ExportData) -> anyhow::Result<String> {
-        match self {
-            Self::Json => Ok(serde_json::to_string_pretty(data)?),
-            Self::Toml => {
-                let toml_val = json_to_toml_value(&serde_json::to_value(data)?)?;
-                toml::to_string_pretty(&toml_val)
-                    .map_err(|e| anyhow::anyhow!("TOML serialization failed: {}", e))
-            }
-            Self::Yaml => serde_yaml::to_string(data)
-                .map_err(|e| anyhow::anyhow!("YAML serialization failed: {}", e)),
-        }
-    }
-
-    /// Deserialize ExportData from a string in this format.
-    pub fn deserialize(&self, content: &str) -> anyhow::Result<ExportData> {
-        match self {
-            Self::Json => Ok(serde_json::from_str(content)?),
-            Self::Toml => {
-                let toml_val: toml::Value = toml::from_str(content)
-                    .map_err(|e| anyhow::anyhow!("TOML parse error: {}", e))?;
-                let json_val = toml_to_json_value(&toml_val);
-                Ok(serde_json::from_value(json_val)?)
-            }
-            Self::Yaml => serde_yaml::from_str(content)
-                .map_err(|e| anyhow::anyhow!("YAML parse error: {}", e)),
-        }
-    }
-}
-
-/// Top-level structure for export/import files.
-#[derive(Debug, Serialize, Deserialize)]
-pub struct ExportData {
-    pub version: u32,
-    pub exported_at: String,
-    pub entries: Vec<ExportEntry>,
-}
-
-/// A single entry with decrypted secrets for export/import.
-#[derive(Debug, Serialize, Deserialize)]
-pub struct ExportEntry {
-    pub name: String,
-    #[serde(default)]
-    pub folder: String,
-    #[serde(default, rename = "type")]
-    pub entry_type: String,
-    #[serde(default)]
-    pub notes: String,
-    #[serde(default)]
-    pub tags: Vec<String>,
-    #[serde(default)]
-    pub metadata: Value,
-    /// Decrypted secret fields. None means no secrets in this export (--no-secrets).
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub secrets: Option<BTreeMap<String, Value>>,
-    /// Per-secret types (`text`, `password`, `key`, …). Omitted in legacy exports; importers default to `"text"`.
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub secret_types: Option<BTreeMap<String, String>>,
-}
-
-// ── Multi-user models ──────────────────────────────────────────────────────────
-
-/// A registered user (created on first OAuth login).
-#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
-pub struct User {
-    pub id: Uuid,
-    pub email: Option<String>,
-    pub name: String,
-    pub avatar_url: Option<String>,
-    /// PBKDF2 salt (32 B). NULL until user sets up passphrase.
-    pub key_salt: Option<Vec<u8>>,
-    /// AES-256-GCM encryption of the known constant "secrets-mcp-key-check".
-    /// Used to verify the passphrase without storing the key itself.
-    pub key_check: Option<Vec<u8>>,
-    /// Key derivation parameters, e.g. {"alg":"pbkdf2-sha256","iterations":600000}.
-    pub key_params: Option<serde_json::Value>,
-    /// Plaintext API key for MCP Bearer authentication. Auto-created on first login.
-    pub api_key: Option<String>,
-    /// Incremented each time the passphrase is changed; used to invalidate sessions on other devices.
-    pub key_version: i64,
-    pub created_at: DateTime<Utc>,
-    pub updated_at: DateTime<Utc>,
-}
-
-/// An OAuth account linked to a user.
-#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
-pub struct OauthAccount {
-    pub id: Uuid,
-    pub user_id: Uuid,
-    pub provider: String,
-    pub provider_id: String,
-    pub email: Option<String>,
-    pub name: Option<String>,
-    pub avatar_url: Option<String>,
-    pub created_at: DateTime<Utc>,
-}
-
-/// A single audit log row, optionally scoped to a business user.
-#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
-pub struct AuditLogEntry {
-    pub id: i64,
-    pub user_id: Option<Uuid>,
-    pub action: String,
-    pub folder: String,
-    #[serde(rename = "type")]
-    #[sqlx(rename = "type")]
-    pub entry_type: String,
-    pub name: String,
-    pub detail: Value,
-    pub created_at: DateTime<Utc>,
-}
-
-// ── TOML ↔ JSON value conversion ──────────────────────────────────────────────
-
-/// Convert a serde_json Value to a toml Value.
-/// `null` values are filtered out (TOML does not support null).
-/// Mixed-type arrays are serialised as JSON strings.
-pub fn json_to_toml_value(v: &Value) -> anyhow::Result<toml::Value> {
-    match v {
-        Value::Null => anyhow::bail!("TOML does not support null values"),
-        Value::Bool(b) => Ok(toml::Value::Boolean(*b)),
-        Value::Number(n) => {
-            if let Some(i) = n.as_i64() {
-                Ok(toml::Value::Integer(i))
-            } else if let Some(f) = n.as_f64() {
-                Ok(toml::Value::Float(f))
-            } else {
-                anyhow::bail!("unsupported number: {}", n)
-            }
-        }
-        Value::String(s) => Ok(toml::Value::String(s.clone())),
-        Value::Array(arr) => {
-            let items: anyhow::Result<Vec<toml::Value>> =
-                arr.iter().map(json_to_toml_value).collect();
-            match items {
-                Ok(vals) => Ok(toml::Value::Array(vals)),
-                Err(e) => {
-                    tracing::debug!(error = %e, "mixed-type array; falling back to JSON string");
-                    Ok(toml::Value::String(serde_json::to_string(v)?))
-                }
-            }
-        }
-        Value::Object(map) => {
-            let mut toml_map = toml::map::Map::new();
-            for (k, val) in map {
-                if val.is_null() {
-                    // Skip null entries
-                    continue;
-                }
-                match json_to_toml_value(val) {
-                    Ok(tv) => {
-                        toml_map.insert(k.clone(), tv);
-                    }
-                    Err(e) => {
-                        tracing::debug!(key = %k, error = %e, "field not representable in TOML; falling back to JSON string");
-                        toml_map
-                            .insert(k.clone(), toml::Value::String(serde_json::to_string(val)?));
-                    }
-                }
-            }
-            Ok(toml::Value::Table(toml_map))
-        }
-    }
-}
-
-/// Convert a toml Value back to a serde_json Value.
-pub fn toml_to_json_value(v: &toml::Value) -> Value {
-    match v {
-        toml::Value::Boolean(b) => Value::Bool(*b),
-        toml::Value::Integer(i) => Value::Number((*i).into()),
-        toml::Value::Float(f) => serde_json::Number::from_f64(*f)
-            .map(Value::Number)
-            .unwrap_or(Value::Null),
-        toml::Value::String(s) => Value::String(s.clone()),
-        toml::Value::Datetime(dt) => Value::String(dt.to_string()),
-        toml::Value::Array(arr) => Value::Array(arr.iter().map(toml_to_json_value).collect()),
-        toml::Value::Table(map) => {
-            let obj: serde_json::Map<String, Value> = map
-                .iter()
-                .map(|(k, v)| (k.clone(), toml_to_json_value(v)))
-                .collect();
-            Value::Object(obj)
-        }
-    }
-}
-
-#[cfg(test)]
-mod export_entry_tests {
-    use super::*;
-    use std::collections::BTreeMap;
-
-    #[test]
-    fn export_entry_roundtrip_includes_secret_types() {
-        let mut secrets = BTreeMap::new();
-        secrets.insert("k".to_string(), serde_json::json!("v"));
-        let mut types = BTreeMap::new();
-        types.insert("k".to_string(), "password".to_string());
-        let e = ExportEntry {
-            name: "n".to_string(),
-            folder: "f".to_string(),
-            entry_type: "t".to_string(),
-            notes: "".to_string(),
-            tags: vec![],
-            metadata: serde_json::json!({}),
-            secrets: Some(secrets),
-            secret_types: Some(types),
-        };
-        let json = serde_json::to_string(&e).unwrap();
-        let back: ExportEntry = serde_json::from_str(&json).unwrap();
-        assert_eq!(
-            back.secret_types
-                .as_ref()
-                .unwrap()
-                .get("k")
-                .map(String::as_str),
-            Some("password")
-        );
-    }
-
-    #[test]
-    fn export_entry_legacy_json_without_secret_types_deserializes() {
-        let json = r#"{"name":"a","folder":"","type":"","notes":"","tags":[],"metadata":{},"secrets":{"x":"y"}}"#;
-        let e: ExportEntry = serde_json::from_str(json).unwrap();
-        assert!(e.secret_types.is_none());
-    }
-}

crates/secrets-core/src/service/add.rs

@@ -1,813 +0,0 @@
-use anyhow::Result;
-use serde_json::{Map, Value};
-use sqlx::PgPool;
-use std::collections::{BTreeSet, HashSet};
-use std::fs;
-use uuid::Uuid;
-
-use crate::crypto;
-use crate::db;
-use crate::error::{AppError, DbErrorContext};
-use crate::models::EntryRow;
-
-// ── Key/value parsing helpers ─────────────────────────────────────────────────
-
-pub fn parse_kv(entry: &str) -> Result<(Vec<String>, Value)> {
-    if let Some((key, json_str)) = entry.split_once(":=") {
-        let val: Value = serde_json::from_str(json_str).map_err(|e| {
-            anyhow::anyhow!(
-                "Invalid JSON value for key '{}': {} (use key=value for plain strings)",
-                key,
-                e
-            )
-        })?;
-        return Ok((parse_key_path(key)?, val));
-    }
-
-    if let Some((key, raw_val)) = entry.split_once('=') {
-        let value = if let Some(path) = raw_val.strip_prefix('@') {
-            fs::read_to_string(path)
-                .map_err(|e| anyhow::anyhow!("Failed to read file '{}': {}", path, e))?
-        } else {
-            raw_val.to_string()
-        };
-        return Ok((parse_key_path(key)?, Value::String(value)));
-    }
-
-    if let Some((key, path)) = entry.split_once('@') {
-        let value = fs::read_to_string(path)
-            .map_err(|e| anyhow::anyhow!("Failed to read file '{}': {}", path, e))?;
-        return Ok((parse_key_path(key)?, Value::String(value)));
-    }
-
-    anyhow::bail!(
-        "Invalid format '{}'. Expected: key=value, key=@file, nested:key@file, or key:=<json>",
-        entry
-    )
-}
-
-pub fn build_json(entries: &[String]) -> Result<Value> {
-    let mut map = Map::new();
-    for entry in entries {
-        let (path, value) = parse_kv(entry)?;
-        insert_path(&mut map, &path, value)?;
-    }
-    Ok(Value::Object(map))
-}
-
-pub fn key_path_to_string(path: &[String]) -> String {
-    path.join(":")
-}
-
-pub fn collect_key_paths(entries: &[String]) -> Result<Vec<String>> {
-    entries
-        .iter()
-        .map(|entry| parse_kv(entry).map(|(path, _)| key_path_to_string(&path)))
-        .collect()
-}
-
-pub fn collect_field_paths(entries: &[String]) -> Result<Vec<String>> {
-    entries
-        .iter()
-        .map(|entry| parse_key_path(entry).map(|path| key_path_to_string(&path)))
-        .collect()
-}
-
-pub fn parse_key_path(key: &str) -> Result<Vec<String>> {
-    let path: Vec<String> = key
-        .split(':')
-        .map(str::trim)
-        .map(ToOwned::to_owned)
-        .collect();
-
-    if path.is_empty() || path.iter().any(|part| part.is_empty()) {
-        anyhow::bail!(
-            "Invalid key path '{}'. Use non-empty segments like 'credentials:content'.",
-            key
-        );
-    }
-    Ok(path)
-}
-
-pub fn insert_path(map: &mut Map<String, Value>, path: &[String], value: Value) -> Result<()> {
-    if path.is_empty() {
-        anyhow::bail!("Key path cannot be empty");
-    }
-    if path.len() == 1 {
-        map.insert(path[0].clone(), value);
-        return Ok(());
-    }
-    let head = path[0].clone();
-    let tail = &path[1..];
-    match map.entry(head.clone()) {
-        serde_json::map::Entry::Vacant(entry) => {
-            let mut child = Map::new();
-            insert_path(&mut child, tail, value)?;
-            entry.insert(Value::Object(child));
-        }
-        serde_json::map::Entry::Occupied(mut entry) => match entry.get_mut() {
-            Value::Object(child) => insert_path(child, tail, value)?,
-            _ => {
-                anyhow::bail!(
-                    "Cannot set nested key '{}' because '{}' is already a non-object value",
-                    key_path_to_string(path),
-                    head
-                );
-            }
-        },
-    }
-    Ok(())
-}
-
-pub fn remove_path(map: &mut Map<String, Value>, path: &[String]) -> Result<bool> {
-    if path.is_empty() {
-        anyhow::bail!("Key path cannot be empty");
-    }
-    if path.len() == 1 {
-        return Ok(map.remove(&path[0]).is_some());
-    }
-    let Some(value) = map.get_mut(&path[0]) else {
-        return Ok(false);
-    };
-    let Value::Object(child) = value else {
-        return Ok(false);
-    };
-    let removed = remove_path(child, &path[1..])?;
-    if child.is_empty() {
-        map.remove(&path[0]);
-    }
-    Ok(removed)
-}
-
-pub fn flatten_json_fields(prefix: &str, value: &Value) -> Vec<(String, Value)> {
-    match value {
-        Value::Object(map) => {
-            let mut out = Vec::new();
-            for (k, v) in map {
-                let full_key = if prefix.is_empty() {
-                    k.clone()
-                } else {
-                    format!("{}.{}", prefix, k)
-                };
-                out.extend(flatten_json_fields(&full_key, v));
-            }
-            out
-        }
-        other => vec![(prefix.to_string(), other.clone())],
-    }
-}
-
-// ── AddResult ─────────────────────────────────────────────────────────────────
-
-#[derive(Debug, serde::Serialize)]
-pub struct AddResult {
-    pub entry_id: Uuid,
-    pub name: String,
-    pub folder: String,
-    #[serde(rename = "type")]
-    pub entry_type: String,
-    pub tags: Vec<String>,
-    pub meta_keys: Vec<String>,
-    pub secret_keys: Vec<String>,
-}
-
-pub struct AddParams<'a> {
-    pub name: &'a str,
-    pub folder: &'a str,
-    pub entry_type: &'a str,
-    pub notes: &'a str,
-    pub tags: &'a [String],
-    pub meta_entries: &'a [String],
-    pub secret_entries: &'a [String],
-    pub secret_types: &'a std::collections::HashMap<String, String>,
-    pub link_secret_names: &'a [String],
-    /// Optional user_id for multi-user isolation (None = single-user CLI mode)
-    pub user_id: Option<Uuid>,
-}
-
-pub async fn run(pool: &PgPool, params: AddParams<'_>, master_key: &[u8; 32]) -> Result<AddResult> {
-    if params.folder.chars().count() > 128 {
-        anyhow::bail!("folder must be at most 128 characters");
-    }
-    if params.name.chars().count() > 256 {
-        anyhow::bail!("name must be at most 256 characters");
-    }
-    if params.entry_type.trim().chars().count() > 64 {
-        anyhow::bail!("type must be at most 64 characters");
-    }
-    let Value::Object(metadata_map) = build_json(params.meta_entries)? else {
-        unreachable!("build_json always returns a JSON object");
-    };
-    let entry_type = params.entry_type.trim();
-    let metadata = Value::Object(metadata_map);
-    let secret_json = build_json(params.secret_entries)?;
-    let meta_keys = collect_key_paths(params.meta_entries)?;
-    let secret_keys = collect_key_paths(params.secret_entries)?;
-    let flat_fields = flatten_json_fields("", &secret_json);
-    let new_secret_names: BTreeSet<String> =
-        flat_fields.iter().map(|(name, _)| name.clone()).collect();
-    let link_secret_names =
-        validate_link_secret_names(params.link_secret_names, &new_secret_names)?;
-
-    let mut tx = pool.begin().await?;
-
-    // Fetch existing entry by (user_id, folder, name) — the natural unique key
-    let existing: Option<EntryRow> = if let Some(uid) = params.user_id {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, tags, metadata, notes, name FROM entries \
-             WHERE user_id = $1 AND folder = $2 AND name = $3 AND deleted_at IS NULL",
-        )
-        .bind(uid)
-        .bind(params.folder)
-        .bind(params.name)
-        .fetch_optional(&mut *tx)
-        .await?
-    } else {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, tags, metadata, notes, name FROM entries \
-             WHERE user_id IS NULL AND folder = $1 AND name = $2 AND deleted_at IS NULL",
-        )
-        .bind(params.folder)
-        .bind(params.name)
-        .fetch_optional(&mut *tx)
-        .await?
-    };
-
-    if let Some(ref ex) = existing {
-        let history_metadata =
-            match db::metadata_with_secret_snapshot(&mut tx, ex.id, &ex.metadata).await {
-                Ok(v) => v,
-                Err(e) => {
-                    tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
-                    ex.metadata.clone()
-                }
-            };
-        if let Err(e) = db::snapshot_entry_history(
-            &mut tx,
-            db::EntrySnapshotParams {
-                entry_id: ex.id,
-                user_id: params.user_id,
-                folder: params.folder,
-                entry_type,
-                name: params.name,
-                version: ex.version,
-                action: "add",
-                tags: &ex.tags,
-                metadata: &history_metadata,
-            },
-        )
-        .await
-        {
-            tracing::warn!(error = %e, "failed to snapshot entry history before upsert");
-        }
-    }
-
-    // Upsert the entry row. On conflict (existing entry with same user_id+folder+name),
-    // the entry columns are replaced wholesale. The old secret associations are torn down
-    // below within the same transaction, so the whole operation is atomic: if any step
-    // after this point fails, the transaction rolls back and the entry reverts to its
-    // pre-upsert state (including the version bump that happened in the DO UPDATE clause).
-    let entry_id: Uuid = if let Some(uid) = params.user_id {
-        sqlx::query_scalar(
-            r#"INSERT INTO entries (user_id, folder, type, name, notes, tags, metadata, version, updated_at)
-               VALUES ($1, $2, $3, $4, $5, $6, $7, 1, NOW())
-               ON CONFLICT (user_id, folder, name) WHERE user_id IS NOT NULL
-               DO UPDATE SET
-                   folder     = EXCLUDED.folder,
-                   type       = EXCLUDED.type,
-                   notes      = EXCLUDED.notes,
-                   tags       = EXCLUDED.tags,
-                   metadata   = EXCLUDED.metadata,
-                   version    = entries.version + 1,
-                   updated_at = NOW()
-               RETURNING id"#,
-        )
-        .bind(uid)
-        .bind(params.folder)
-        .bind(entry_type)
-        .bind(params.name)
-        .bind(params.notes)
-        .bind(params.tags)
-        .bind(&metadata)
-        .fetch_one(&mut *tx)
-        .await?
-    } else {
-        sqlx::query_scalar(
-            r#"INSERT INTO entries (folder, type, name, notes, tags, metadata, version, updated_at)
-               VALUES ($1, $2, $3, $4, $5, $6, 1, NOW())
-               ON CONFLICT (folder, name) WHERE user_id IS NULL
-               DO UPDATE SET
-                   folder     = EXCLUDED.folder,
-                   type       = EXCLUDED.type,
-                   notes      = EXCLUDED.notes,
-                   tags       = EXCLUDED.tags,
-                   metadata   = EXCLUDED.metadata,
-                   version    = entries.version + 1,
-                   updated_at = NOW()
-               RETURNING id"#,
-        )
-        .bind(params.folder)
-        .bind(entry_type)
-        .bind(params.name)
-        .bind(params.notes)
-        .bind(params.tags)
-        .bind(&metadata)
-        .fetch_one(&mut *tx)
-        .await?
-    };
-
-    let current_entry_version: i64 =
-        sqlx::query_scalar("SELECT version FROM entries WHERE id = $1")
-            .bind(entry_id)
-            .fetch_one(&mut *tx)
-            .await?;
-
-    if existing.is_some() {
-        #[derive(sqlx::FromRow)]
-        struct ExistingField {
-            id: Uuid,
-            name: String,
-            encrypted: Vec<u8>,
-        }
-        let existing_fields: Vec<ExistingField> = sqlx::query_as(
-            "SELECT s.id, s.name, s.encrypted \
-             FROM entry_secrets es \
-             JOIN secrets s ON s.id = es.secret_id \
-             WHERE es.entry_id = $1",
-        )
-        .bind(entry_id)
-        .fetch_all(&mut *tx)
-        .await?;
-
-        for f in &existing_fields {
-            if let Err(e) = db::snapshot_secret_history(
-                &mut tx,
-                db::SecretSnapshotParams {
-                    secret_id: f.id,
-                    name: &f.name,
-                    encrypted: &f.encrypted,
-                    action: "add",
-                },
-            )
-            .await
-            {
-                tracing::warn!(error = %e, "failed to snapshot secret field history");
-            }
-        }
-
-        let orphan_candidates: Vec<Uuid> = existing_fields.iter().map(|f| f.id).collect();
-
-        sqlx::query("DELETE FROM entry_secrets WHERE entry_id = $1")
-            .bind(entry_id)
-            .execute(&mut *tx)
-            .await?;
-
-        if !orphan_candidates.is_empty() {
-            sqlx::query(
-                "DELETE FROM secrets s \
-                 WHERE s.id = ANY($1) \
-                   AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = s.id)",
-            )
-            .bind(&orphan_candidates)
-            .execute(&mut *tx)
-            .await?;
-        }
-    }
-
-    for (field_name, field_value) in &flat_fields {
-        let encrypted = crypto::encrypt_json(master_key, field_value)?;
-        let secret_type = params
-            .secret_types
-            .get(field_name)
-            .map(|s| s.as_str())
-            .unwrap_or("text");
-        let secret_id: Uuid = sqlx::query_scalar(
-            "INSERT INTO secrets (user_id, name, type, encrypted) VALUES ($1, $2, $3, $4) RETURNING id",
-        )
-            .bind(params.user_id)
-            .bind(field_name)
-            .bind(secret_type)
-            .bind(&encrypted)
-            .fetch_one(&mut *tx)
-            .await
-            .map_err(|e| AppError::from_db_error(e, DbErrorContext::secret_name(field_name)))?;
-        sqlx::query("INSERT INTO entry_secrets (entry_id, secret_id) VALUES ($1, $2)")
-            .bind(entry_id)
-            .bind(secret_id)
-            .execute(&mut *tx)
-            .await?;
-    }
-
-    for link_name in &link_secret_names {
-        let secret_ids: Vec<Uuid> = if let Some(uid) = params.user_id {
-            sqlx::query_scalar("SELECT id FROM secrets WHERE user_id = $1 AND name = $2")
-                .bind(uid)
-                .bind(link_name)
-                .fetch_all(&mut *tx)
-                .await?
-        } else {
-            sqlx::query_scalar("SELECT id FROM secrets WHERE user_id IS NULL AND name = $1")
-                .bind(link_name)
-                .fetch_all(&mut *tx)
-                .await?
-        };
-
-        match secret_ids.len() {
-            0 => anyhow::bail!("Not found: secret named '{}'", link_name),
-            1 => {
-                sqlx::query(
-                    "INSERT INTO entry_secrets (entry_id, secret_id) VALUES ($1, $2) ON CONFLICT DO NOTHING",
-                )
-                .bind(entry_id)
-                .bind(secret_ids[0])
-                .execute(&mut *tx)
-                .await?;
-            }
-            n => anyhow::bail!(
-                "Ambiguous: {} secrets named '{}' found. Please deduplicate names first.",
-                n,
-                link_name
-            ),
-        }
-    }
-
-    if existing.is_none() {
-        let history_metadata =
-            match db::metadata_with_secret_snapshot(&mut tx, entry_id, &metadata).await {
-                Ok(v) => v,
-                Err(e) => {
-                    tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
-                    metadata.clone()
-                }
-            };
-        if let Err(e) = db::snapshot_entry_history(
-            &mut tx,
-            db::EntrySnapshotParams {
-                entry_id,
-                user_id: params.user_id,
-                folder: params.folder,
-                entry_type,
-                name: params.name,
-                version: current_entry_version,
-                action: "create",
-                tags: params.tags,
-                metadata: &history_metadata,
-            },
-        )
-        .await
-        {
-            tracing::warn!(error = %e, "failed to snapshot entry history on create");
-        }
-    }
-
-    crate::audit::log_tx(
-        &mut tx,
-        params.user_id,
-        "add",
-        params.folder,
-        entry_type,
-        params.name,
-        serde_json::json!({
-            "tags": params.tags,
-            "meta_keys": meta_keys,
-            "secret_keys": secret_keys,
-        }),
-    )
-    .await;
-
-    tx.commit().await?;
-
-    Ok(AddResult {
-        entry_id,
-        name: params.name.to_string(),
-        folder: params.folder.to_string(),
-        entry_type: entry_type.to_string(),
-        tags: params.tags.to_vec(),
-        meta_keys,
-        secret_keys,
-    })
-}
-
-fn validate_link_secret_names(
-    link_secret_names: &[String],
-    new_secret_names: &BTreeSet<String>,
-) -> Result<Vec<String>> {
-    let mut deduped = Vec::new();
-    let mut seen = HashSet::new();
-
-    for raw in link_secret_names {
-        let trimmed = raw.trim();
-        if trimmed.is_empty() {
-            anyhow::bail!("link_secret_names contains an empty name");
-        }
-        if new_secret_names.contains(trimmed) {
-            anyhow::bail!(
-                "Conflict: secret '{}' is provided both in secrets/secrets_obj and link_secret_names",
-                trimmed
-            );
-        }
-        if seen.insert(trimmed.to_string()) {
-            deduped.push(trimmed.to_string());
-        }
-    }
-
-    Ok(deduped)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use sqlx::PgPool;
-    use std::collections::BTreeSet;
-
-    #[test]
-    fn parse_nested_file_shorthand() {
-        use std::io::Write;
-        let mut f = tempfile::NamedTempFile::new().unwrap();
-        writeln!(f, "line1\nline2").unwrap();
-        let path = f.path().to_str().unwrap().to_string();
-        let entry = format!("credentials:content@{}", path);
-        let (path_parts, value) = parse_kv(&entry).unwrap();
-        assert_eq!(key_path_to_string(&path_parts), "credentials:content");
-        assert!(matches!(value, Value::String(_)));
-    }
-
-    #[test]
-    fn flatten_json_fields_nested() {
-        let v = serde_json::json!({
-            "username": "root",
-            "credentials": {
-                "type": "ssh",
-                "content": "pem"
-            }
-        });
-        let mut fields = flatten_json_fields("", &v);
-        fields.sort_by(|a, b| a.0.cmp(&b.0));
-        assert_eq!(fields[0].0, "credentials.content");
-        assert_eq!(fields[1].0, "credentials.type");
-        assert_eq!(fields[2].0, "username");
-    }
-
-    #[test]
-    fn validate_link_secret_names_conflict_with_new_secret() {
-        let mut new_names = BTreeSet::new();
-        new_names.insert("password".to_string());
-        let err = validate_link_secret_names(&[String::from("password")], &new_names)
-            .expect_err("must fail on overlap");
-        assert!(
-            err.to_string()
-                .contains("provided both in secrets/secrets_obj and link_secret_names")
-        );
-    }
-
-    #[test]
-    fn validate_link_secret_names_dedup_and_trim() {
-        let names = vec![
-            " shared_key ".to_string(),
-            "shared_key".to_string(),
-            "runner_token".to_string(),
-        ];
-        let deduped = validate_link_secret_names(&names, &BTreeSet::new()).unwrap();
-        assert_eq!(deduped, vec!["shared_key", "runner_token"]);
-    }
-
-    async fn maybe_test_pool() -> Option<PgPool> {
-        let Ok(url) = std::env::var("SECRETS_DATABASE_URL") else {
-            eprintln!("skip add linkage tests: SECRETS_DATABASE_URL is not set");
-            return None;
-        };
-        let Ok(pool) = PgPool::connect(&url).await else {
-            eprintln!("skip add linkage tests: cannot connect to database");
-            return None;
-        };
-        if let Err(e) = crate::db::migrate(&pool).await {
-            eprintln!("skip add linkage tests: migrate failed: {e}");
-            return None;
-        }
-        Some(pool)
-    }
-
-    async fn cleanup_test_rows(pool: &PgPool, marker: &str) -> Result<()> {
-        sqlx::query(
-            "DELETE FROM entries WHERE user_id IS NULL AND (name LIKE $1 OR folder LIKE $1)",
-        )
-        .bind(format!("%{marker}%"))
-        .execute(pool)
-        .await?;
-        sqlx::query(
-            "DELETE FROM secrets WHERE user_id IS NULL AND name LIKE $1 \
-             AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = secrets.id)",
-        )
-        .bind(format!("%{marker}%"))
-        .execute(pool)
-        .await?;
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn add_links_existing_secret_by_unique_name() -> Result<()> {
-        let Some(pool) = maybe_test_pool().await else {
-            return Ok(());
-        };
-        let suffix = Uuid::from_u128(rand::random()).to_string();
-        let marker = format!("link_unique_{}", &suffix[..8]);
-        let secret_name = format!("{}_secret", marker);
-        let entry_name = format!("{}_entry", marker);
-
-        cleanup_test_rows(&pool, &marker).await?;
-
-        let secret_id: Uuid = sqlx::query_scalar(
-            "INSERT INTO secrets (user_id, name, type, encrypted) VALUES (NULL, $1, 'text', $2) RETURNING id",
-        )
-        .bind(&secret_name)
-        .bind(vec![1_u8, 2, 3])
-        .fetch_one(&pool)
-        .await?;
-
-        run(
-            &pool,
-            AddParams {
-                name: &entry_name,
-                folder: &marker,
-                entry_type: "service",
-                notes: "",
-                tags: &[],
-                meta_entries: &[],
-                secret_entries: &[],
-                secret_types: &Default::default(),
-                link_secret_names: std::slice::from_ref(&secret_name),
-                user_id: None,
-            },
-            &[0_u8; 32],
-        )
-        .await?;
-
-        let linked: bool = sqlx::query_scalar(
-            "SELECT EXISTS( \
-               SELECT 1 FROM entry_secrets es \
-               JOIN entries e ON e.id = es.entry_id \
-               WHERE e.user_id IS NULL AND e.name = $1 AND es.secret_id = $2 \
-             )",
-        )
-        .bind(&entry_name)
-        .bind(secret_id)
-        .fetch_one(&pool)
-        .await?;
-        assert!(linked);
-
-        cleanup_test_rows(&pool, &marker).await?;
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn add_link_secret_name_not_found_fails() -> Result<()> {
-        let Some(pool) = maybe_test_pool().await else {
-            return Ok(());
-        };
-        let suffix = Uuid::from_u128(rand::random()).to_string();
-        let marker = format!("link_missing_{}", &suffix[..8]);
-        let secret_name = format!("{}_secret", marker);
-        let entry_name = format!("{}_entry", marker);
-
-        cleanup_test_rows(&pool, &marker).await?;
-
-        let err = run(
-            &pool,
-            AddParams {
-                name: &entry_name,
-                folder: &marker,
-                entry_type: "service",
-                notes: "",
-                tags: &[],
-                meta_entries: &[],
-                secret_entries: &[],
-                secret_types: &Default::default(),
-                link_secret_names: std::slice::from_ref(&secret_name),
-                user_id: None,
-            },
-            &[0_u8; 32],
-        )
-        .await
-        .expect_err("must fail when linked secret is not found");
-        assert!(err.to_string().contains("Not found: secret named"));
-
-        cleanup_test_rows(&pool, &marker).await?;
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn add_link_secret_name_ambiguous_fails() -> Result<()> {
-        let Some(pool) = maybe_test_pool().await else {
-            return Ok(());
-        };
-        let suffix = Uuid::from_u128(rand::random()).to_string();
-        let marker = format!("link_amb_{}", &suffix[..8]);
-        let secret_name = format!("{}_dup_secret", marker);
-        let entry_name = format!("{}_entry", marker);
-
-        cleanup_test_rows(&pool, &marker).await?;
-
-        sqlx::query(
-            "INSERT INTO secrets (user_id, name, type, encrypted) VALUES (NULL, $1, 'text', $2)",
-        )
-        .bind(&secret_name)
-        .bind(vec![1_u8])
-        .execute(&pool)
-        .await?;
-        sqlx::query(
-            "INSERT INTO secrets (user_id, name, type, encrypted) VALUES (NULL, $1, 'text', $2)",
-        )
-        .bind(&secret_name)
-        .bind(vec![2_u8])
-        .execute(&pool)
-        .await?;
-
-        let err = run(
-            &pool,
-            AddParams {
-                name: &entry_name,
-                folder: &marker,
-                entry_type: "service",
-                notes: "",
-                tags: &[],
-                meta_entries: &[],
-                secret_entries: &[],
-                secret_types: &Default::default(),
-                link_secret_names: std::slice::from_ref(&secret_name),
-                user_id: None,
-            },
-            &[0_u8; 32],
-        )
-        .await
-        .expect_err("must fail on ambiguous linked secret name");
-        assert!(err.to_string().contains("Ambiguous:"));
-
-        cleanup_test_rows(&pool, &marker).await?;
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn add_duplicate_secret_name_returns_conflict_error() -> Result<()> {
-        let Some(pool) = maybe_test_pool().await else {
-            return Ok(());
-        };
-        let suffix = Uuid::from_u128(rand::random()).to_string();
-        let marker = format!("dup_secret_{}", &suffix[..8]);
-        let entry_name = format!("{}_entry", marker);
-        let secret_name = "shared_token";
-
-        cleanup_test_rows(&pool, &marker).await?;
-
-        // First add succeeds
-        run(
-            &pool,
-            AddParams {
-                name: &entry_name,
-                folder: &marker,
-                entry_type: "service",
-                notes: "",
-                tags: &[],
-                meta_entries: &[],
-                secret_entries: &[format!("{}=value1", secret_name)],
-                secret_types: &Default::default(),
-                link_secret_names: &[],
-                user_id: None,
-            },
-            &[0_u8; 32],
-        )
-        .await?;
-
-        // Second add with same secret name under same user_id should fail with ConflictSecretName
-        let entry_name2 = format!("{}_entry2", marker);
-        let err = run(
-            &pool,
-            AddParams {
-                name: &entry_name2,
-                folder: &marker,
-                entry_type: "service",
-                notes: "",
-                tags: &[],
-                meta_entries: &[],
-                secret_entries: &[format!("{}=value2", secret_name)],
-                secret_types: &Default::default(),
-                link_secret_names: &[],
-                user_id: None,
-            },
-            &[0_u8; 32],
-        )
-        .await
-        .expect_err("must fail on duplicate secret name");
-
-        let app_err = err
-            .downcast_ref::<crate::error::AppError>()
-            .expect("error should be AppError");
-        assert!(
-            matches!(app_err, crate::error::AppError::ConflictSecretName { .. }),
-            "expected ConflictSecretName, got: {}",
-            app_err
-        );
-
-        cleanup_test_rows(&pool, &marker).await?;
-        Ok(())
-    }
-}

crates/secrets-core/src/service/api_key.rs

@@ -1,95 +0,0 @@
-use anyhow::Result;
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::error::AppError;
-
-const KEY_PREFIX: &str = "sk_";
-
-/// Generate a new API key: `sk_<64 hex chars>` = 67 characters total.
-pub fn generate_api_key() -> String {
-    use rand::RngExt;
-    let mut bytes = [0u8; 32];
-    rand::rng().fill(&mut bytes);
-    format!("{}{}", KEY_PREFIX, ::hex::encode(bytes))
-}
-
-/// Return the user's existing API key, or generate and store a new one if NULL.
-/// Uses a transaction with atomic update to prevent TOCTOU race conditions.
-pub async fn ensure_api_key(pool: &PgPool, user_id: Uuid) -> Result<String> {
-    let mut tx = pool.begin().await?;
-
-    // Lock the row and check existing key
-    let existing: (Option<String>,) =
-        sqlx::query_as("SELECT api_key FROM users WHERE id = $1 FOR UPDATE")
-            .bind(user_id)
-            .fetch_optional(&mut *tx)
-            .await?
-            .ok_or(AppError::NotFoundUser)?;
-
-    if let Some(key) = existing.0 {
-        tx.commit().await?;
-        return Ok(key);
-    }
-
-    // Generate and store new key atomically
-    let new_key = generate_api_key();
-    sqlx::query("UPDATE users SET api_key = $1 WHERE id = $2")
-        .bind(&new_key)
-        .bind(user_id)
-        .execute(&mut *tx)
-        .await?;
-
-    tx.commit().await?;
-    Ok(new_key)
-}
-
-/// Generate a fresh API key for the user, replacing the old one.
-pub async fn regenerate_api_key(pool: &PgPool, user_id: Uuid) -> Result<String> {
-    let new_key = generate_api_key();
-    let res = sqlx::query("UPDATE users SET api_key = $1 WHERE id = $2")
-        .bind(&new_key)
-        .bind(user_id)
-        .execute(pool)
-        .await?;
-    if res.rows_affected() == 0 {
-        return Err(AppError::NotFoundUser.into());
-    }
-    Ok(new_key)
-}
-
-/// Validate a Bearer token. Returns the `user_id` if the key matches.
-pub async fn validate_api_key(pool: &PgPool, raw_key: &str) -> Result<Option<Uuid>> {
-    let row: Option<(Uuid,)> = sqlx::query_as("SELECT id FROM users WHERE api_key = $1")
-        .bind(raw_key)
-        .fetch_optional(pool)
-        .await?;
-    Ok(row.map(|(id,)| id))
-}
-
-#[cfg(test)]
-mod tests {
-    use sqlx::PgPool;
-
-    use super::regenerate_api_key;
-    use crate::error::AppError;
-
-    #[tokio::test]
-    async fn regenerate_api_key_unknown_user_returns_not_found() {
-        let Ok(url) = std::env::var("SECRETS_DATABASE_URL") else {
-            return;
-        };
-        let Ok(pool) = PgPool::connect(&url).await else {
-            return;
-        };
-        let id = uuid::Uuid::new_v4();
-        let err = regenerate_api_key(&pool, id)
-            .await
-            .err()
-            .expect("expected error");
-        assert!(matches!(
-            err.downcast_ref::<AppError>(),
-            Some(AppError::NotFoundUser)
-        ));
-    }
-}

crates/secrets-core/src/service/audit_log.rs

@@ -1,39 +0,0 @@
-use anyhow::Result;
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::models::AuditLogEntry;
-
-pub async fn list_for_user(
-    pool: &PgPool,
-    user_id: Uuid,
-    limit: i64,
-    offset: i64,
-) -> Result<Vec<AuditLogEntry>> {
-    let limit = limit.clamp(1, 200);
-    let offset = offset.max(0);
-
-    let rows = sqlx::query_as(
-        "SELECT id, user_id, action, folder, type, name, detail, created_at \
-         FROM audit_log \
-         WHERE user_id = $1 \
-         ORDER BY created_at DESC, id DESC \
-         LIMIT $2 OFFSET $3",
-    )
-    .bind(user_id)
-    .bind(limit)
-    .bind(offset)
-    .fetch_all(pool)
-    .await?;
-
-    Ok(rows)
-}
-
-pub async fn count_for_user(pool: &PgPool, user_id: Uuid) -> Result<i64> {
-    let count: i64 =
-        sqlx::query_scalar("SELECT COUNT(*)::bigint FROM audit_log WHERE user_id = $1")
-            .bind(user_id)
-            .fetch_one(pool)
-            .await?;
-    Ok(count)
-}

crates/secrets-core/src/service/delete.rs

@@ -1,823 +0,0 @@
-use anyhow::Result;
-use serde_json::json;
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::db;
-use crate::error::AppError;
-use crate::models::{EntryRow, EntryWriteRow, SecretFieldRow};
-use crate::service::util::user_scope_condition;
-
-#[derive(Debug, serde::Serialize)]
-pub struct DeletedEntry {
-    pub name: String,
-    pub folder: String,
-    #[serde(rename = "type")]
-    pub entry_type: String,
-}
-
-#[derive(Debug, serde::Serialize)]
-pub struct DeleteResult {
-    pub deleted: Vec<DeletedEntry>,
-    pub dry_run: bool,
-}
-
-#[derive(Debug, serde::Serialize, sqlx::FromRow)]
-pub struct TrashEntry {
-    pub id: Uuid,
-    pub name: String,
-    pub folder: String,
-    #[serde(rename = "type")]
-    #[sqlx(rename = "type")]
-    pub entry_type: String,
-    pub deleted_at: chrono::DateTime<chrono::Utc>,
-}
-
-pub struct DeleteParams<'a> {
-    /// If set, delete a single entry by name.
-    pub name: Option<&'a str>,
-    /// Folder filter for bulk delete.
-    pub folder: Option<&'a str>,
-    /// Type filter for bulk delete.
-    pub entry_type: Option<&'a str>,
-    pub dry_run: bool,
-    pub user_id: Option<Uuid>,
-}
-
-/// Maximum number of entries that can be deleted in a single bulk operation.
-/// Prevents accidental mass deletion when filters are too broad.
-pub const MAX_BULK_DELETE: usize = 1000;
-
-pub async fn list_deleted_entries(
-    pool: &PgPool,
-    user_id: Uuid,
-    limit: u32,
-    offset: u32,
-) -> Result<Vec<TrashEntry>> {
-    sqlx::query_as(
-        "SELECT id, name, folder, type, deleted_at FROM entries \
-         WHERE user_id = $1 AND deleted_at IS NOT NULL \
-         ORDER BY deleted_at DESC, name ASC LIMIT $2 OFFSET $3",
-    )
-    .bind(user_id)
-    .bind(limit as i64)
-    .bind(offset as i64)
-    .fetch_all(pool)
-    .await
-    .map_err(Into::into)
-}
-
-pub async fn count_deleted_entries(pool: &PgPool, user_id: Uuid) -> Result<i64> {
-    sqlx::query_scalar::<_, i64>(
-        "SELECT COUNT(*)::bigint FROM entries WHERE user_id = $1 AND deleted_at IS NOT NULL",
-    )
-    .bind(user_id)
-    .fetch_one(pool)
-    .await
-    .map_err(Into::into)
-}
-
-pub async fn restore_deleted_by_id(pool: &PgPool, entry_id: Uuid, user_id: Uuid) -> Result<()> {
-    let mut tx = pool.begin().await?;
-    let row: Option<EntryWriteRow> = sqlx::query_as(
-        "SELECT id, version, folder, type, name, tags, metadata, notes, deleted_at FROM entries \
-         WHERE id = $1 AND user_id = $2 AND deleted_at IS NOT NULL FOR UPDATE",
-    )
-    .bind(entry_id)
-    .bind(user_id)
-    .fetch_optional(&mut *tx)
-    .await?;
-
-    let row = match row {
-        Some(r) => r,
-        None => {
-            tx.rollback().await?;
-            return Err(AppError::NotFoundEntry.into());
-        }
-    };
-
-    let conflict_exists: bool = sqlx::query_scalar(
-        "SELECT EXISTS(SELECT 1 FROM entries \
-         WHERE user_id = $1 AND folder = $2 AND name = $3 AND deleted_at IS NULL AND id <> $4)",
-    )
-    .bind(user_id)
-    .bind(&row.folder)
-    .bind(&row.name)
-    .bind(row.id)
-    .fetch_one(&mut *tx)
-    .await?;
-    if conflict_exists {
-        tx.rollback().await?;
-        return Err(AppError::ConflictEntryName {
-            folder: row.folder,
-            name: row.name,
-        }
-        .into());
-    }
-
-    sqlx::query("UPDATE entries SET deleted_at = NULL, updated_at = NOW() WHERE id = $1")
-        .bind(row.id)
-        .execute(&mut *tx)
-        .await?;
-
-    crate::audit::log_tx(
-        &mut tx,
-        Some(user_id),
-        "restore",
-        &row.folder,
-        &row.entry_type,
-        &row.name,
-        json!({ "entry_id": row.id }),
-    )
-    .await;
-    tx.commit().await?;
-    Ok(())
-}
-
-pub async fn purge_deleted_by_id(pool: &PgPool, entry_id: Uuid, user_id: Uuid) -> Result<()> {
-    let mut tx = pool.begin().await?;
-    let row: Option<EntryWriteRow> = sqlx::query_as(
-        "SELECT id, version, folder, type, name, tags, metadata, notes, deleted_at FROM entries \
-         WHERE id = $1 AND user_id = $2 AND deleted_at IS NOT NULL FOR UPDATE",
-    )
-    .bind(entry_id)
-    .bind(user_id)
-    .fetch_optional(&mut *tx)
-    .await?;
-
-    let row = match row {
-        Some(r) => r,
-        None => {
-            tx.rollback().await?;
-            return Err(AppError::NotFoundEntry.into());
-        }
-    };
-
-    purge_entry_record(&mut tx, row.id).await?;
-    crate::audit::log_tx(
-        &mut tx,
-        Some(user_id),
-        "purge",
-        &row.folder,
-        &row.entry_type,
-        &row.name,
-        json!({ "entry_id": row.id }),
-    )
-    .await;
-    tx.commit().await?;
-    Ok(())
-}
-
-pub async fn purge_expired_deleted_entries(pool: &PgPool) -> Result<u64> {
-    #[derive(sqlx::FromRow)]
-    struct ExpiredRow {
-        id: Uuid,
-    }
-
-    let mut tx = pool.begin().await?;
-    let rows: Vec<ExpiredRow> = sqlx::query_as(
-        "SELECT id FROM entries \
-         WHERE deleted_at IS NOT NULL \
-           AND deleted_at < NOW() - INTERVAL '3 months' \
-         FOR UPDATE",
-    )
-    .fetch_all(&mut *tx)
-    .await?;
-
-    for row in &rows {
-        purge_entry_record(&mut tx, row.id).await?;
-    }
-
-    tx.commit().await?;
-    Ok(rows.len() as u64)
-}
-
-/// Delete a single entry by id (multi-tenant: `user_id` must match).
-pub async fn delete_by_id(pool: &PgPool, entry_id: Uuid, user_id: Uuid) -> Result<DeleteResult> {
-    let mut tx = pool.begin().await?;
-    let row: Option<EntryWriteRow> = sqlx::query_as(
-        "SELECT id, version, folder, type, name, tags, metadata, notes, deleted_at FROM entries \
-         WHERE id = $1 AND user_id = $2 AND deleted_at IS NULL FOR UPDATE",
-    )
-    .bind(entry_id)
-    .bind(user_id)
-    .fetch_optional(&mut *tx)
-    .await?;
-
-    let row = match row {
-        Some(r) => r,
-        None => {
-            tx.rollback().await?;
-            anyhow::bail!("Entry not found");
-        }
-    };
-
-    let folder = row.folder.clone();
-    let entry_type = row.entry_type.clone();
-    let name = row.name.clone();
-    let entry_row: EntryRow = (&row).into();
-
-    snapshot_and_soft_delete(
-        &mut tx,
-        &folder,
-        &entry_type,
-        &name,
-        &entry_row,
-        Some(user_id),
-    )
-    .await?;
-    crate::audit::log_tx(
-        &mut tx,
-        Some(user_id),
-        "delete",
-        &folder,
-        &entry_type,
-        &name,
-        json!({ "source": "web", "entry_id": entry_id }),
-    )
-    .await;
-    tx.commit().await?;
-
-    Ok(DeleteResult {
-        deleted: vec![DeletedEntry {
-            name,
-            folder,
-            entry_type,
-        }],
-        dry_run: false,
-    })
-}
-
-pub async fn run(pool: &PgPool, params: DeleteParams<'_>) -> Result<DeleteResult> {
-    match params.name {
-        Some(name) => delete_one(pool, name, params.folder, params.dry_run, params.user_id).await,
-        None => {
-            if params.folder.is_none() && params.entry_type.is_none() {
-                anyhow::bail!(
-                    "Bulk delete requires at least one of: name, folder, or type filter."
-                );
-            }
-            delete_bulk(
-                pool,
-                params.folder,
-                params.entry_type,
-                params.dry_run,
-                params.user_id,
-            )
-            .await
-        }
-    }
-}
-
-async fn delete_one(
-    pool: &PgPool,
-    name: &str,
-    folder: Option<&str>,
-    dry_run: bool,
-    user_id: Option<Uuid>,
-) -> Result<DeleteResult> {
-    if dry_run {
-        // Dry-run uses the same disambiguation logic as actual delete:
-        // - 0 matches  → nothing to delete
-        // - 1 match    → show what would be deleted (with correct folder/type)
-        // - 2+ matches → disambiguation error (same as non-dry-run)
-        #[derive(sqlx::FromRow)]
-        struct DryRunRow {
-            folder: String,
-            #[sqlx(rename = "type")]
-            entry_type: String,
-        }
-
-        let mut idx = 1i32;
-        let user_cond = user_scope_condition(user_id, &mut idx);
-        let mut conditions = vec![user_cond];
-        if folder.is_some() {
-            conditions.push(format!("folder = ${}", idx));
-            idx += 1;
-        }
-        conditions.push(format!("name = ${}", idx));
-        let sql = format!(
-            "SELECT folder, type FROM entries WHERE {} AND deleted_at IS NULL",
-            conditions.join(" AND ")
-        );
-        let mut q = sqlx::query_as::<_, DryRunRow>(&sql);
-        if let Some(uid) = user_id {
-            q = q.bind(uid);
-        }
-        if let Some(f) = folder {
-            q = q.bind(f);
-        }
-        q = q.bind(name);
-        let rows = q.fetch_all(pool).await?;
-
-        return match rows.len() {
-            0 => Ok(DeleteResult {
-                deleted: vec![],
-                dry_run: true,
-            }),
-            1 => {
-                let row = rows
-                    .into_iter()
-                    .next()
-                    .ok_or_else(|| anyhow::anyhow!("internal: matched row vanished"))?;
-                Ok(DeleteResult {
-                    deleted: vec![DeletedEntry {
-                        name: name.to_string(),
-                        folder: row.folder,
-                        entry_type: row.entry_type,
-                    }],
-                    dry_run: true,
-                })
-            }
-            _ => {
-                let folders: Vec<&str> = rows.iter().map(|r| r.folder.as_str()).collect();
-                anyhow::bail!(
-                    "Ambiguous: {} entries named '{}' found in folders: [{}]. \
-                     Specify 'folder' to disambiguate.",
-                    rows.len(),
-                    name,
-                    folders.join(", ")
-                )
-            }
-        };
-    }
-
-    let mut tx = pool.begin().await?;
-
-    // Fetch matching rows with FOR UPDATE; use folder when provided to resolve ambiguity.
-    let mut idx = 1i32;
-    let user_cond = user_scope_condition(user_id, &mut idx);
-    let mut conditions = vec![user_cond];
-    if folder.is_some() {
-        conditions.push(format!("folder = ${}", idx));
-        idx += 1;
-    }
-    conditions.push(format!("name = ${}", idx));
-    let sql = format!(
-        "SELECT id, version, folder, type, tags, metadata, notes, name FROM entries \
-         WHERE {} AND deleted_at IS NULL FOR UPDATE",
-        conditions.join(" AND ")
-    );
-    let mut q = sqlx::query_as::<_, EntryRow>(&sql);
-    if let Some(uid) = user_id {
-        q = q.bind(uid);
-    }
-    if let Some(f) = folder {
-        q = q.bind(f);
-    }
-    q = q.bind(name);
-    let rows = q.fetch_all(&mut *tx).await?;
-
-    let row = match rows.len() {
-        0 => {
-            tx.rollback().await?;
-            return Ok(DeleteResult {
-                deleted: vec![],
-                dry_run: false,
-            });
-        }
-        1 => rows
-            .into_iter()
-            .next()
-            .ok_or_else(|| anyhow::anyhow!("internal: matched row vanished"))?,
-        _ => {
-            tx.rollback().await?;
-            let folders: Vec<&str> = rows.iter().map(|r| r.folder.as_str()).collect();
-            anyhow::bail!(
-                "Ambiguous: {} entries named '{}' found in folders: [{}]. \
-                 Specify 'folder' to disambiguate.",
-                rows.len(),
-                name,
-                folders.join(", ")
-            )
-        }
-    };
-
-    let folder = row.folder.clone();
-    let entry_type = row.entry_type.clone();
-    snapshot_and_soft_delete(&mut tx, &folder, &entry_type, name, &row, user_id).await?;
-    crate::audit::log_tx(
-        &mut tx,
-        user_id,
-        "delete",
-        &folder,
-        &entry_type,
-        name,
-        json!({}),
-    )
-    .await;
-    tx.commit().await?;
-
-    Ok(DeleteResult {
-        deleted: vec![DeletedEntry {
-            name: name.to_string(),
-            folder,
-            entry_type,
-        }],
-        dry_run: false,
-    })
-}
-
-async fn delete_bulk(
-    pool: &PgPool,
-    folder: Option<&str>,
-    entry_type: Option<&str>,
-    dry_run: bool,
-    user_id: Option<Uuid>,
-) -> Result<DeleteResult> {
-    #[derive(Debug, sqlx::FromRow)]
-    struct FullEntryRow {
-        id: Uuid,
-        version: i64,
-        folder: String,
-        #[sqlx(rename = "type")]
-        entry_type: String,
-        name: String,
-        metadata: serde_json::Value,
-        tags: Vec<String>,
-        notes: String,
-    }
-
-    let mut conditions: Vec<String> = Vec::new();
-    let mut idx: i32 = 1;
-
-    if user_id.is_some() {
-        conditions.push(format!("user_id = ${}", idx));
-        idx += 1;
-    } else {
-        conditions.push("user_id IS NULL".to_string());
-    }
-    if folder.is_some() {
-        conditions.push(format!("folder = ${}", idx));
-        idx += 1;
-    }
-    if entry_type.is_some() {
-        conditions.push(format!("type = ${}", idx));
-        idx += 1;
-    }
-
-    let where_clause = format!("WHERE {}", conditions.join(" AND "));
-    let _ = idx; // used only for placeholder numbering in conditions
-
-    if dry_run {
-        let sql = format!(
-            "SELECT id, version, folder, type, name, metadata, tags, notes \
-             FROM entries {where_clause} AND deleted_at IS NULL ORDER BY type, name"
-        );
-        let mut q = sqlx::query_as::<_, FullEntryRow>(&sql);
-        if let Some(uid) = user_id {
-            q = q.bind(uid);
-        }
-        if let Some(f) = folder {
-            q = q.bind(f);
-        }
-        if let Some(t) = entry_type {
-            q = q.bind(t);
-        }
-        let rows = q.fetch_all(pool).await?;
-
-        let deleted = rows
-            .iter()
-            .map(|r| DeletedEntry {
-                name: r.name.clone(),
-                folder: r.folder.clone(),
-                entry_type: r.entry_type.clone(),
-            })
-            .collect();
-        return Ok(DeleteResult {
-            deleted,
-            dry_run: true,
-        });
-    }
-
-    let mut tx = pool.begin().await?;
-
-    let sql = format!(
-        "SELECT id, version, folder, type, name, metadata, tags, notes \
-         FROM entries {where_clause} AND deleted_at IS NULL ORDER BY type, name FOR UPDATE"
-    );
-    let mut q = sqlx::query_as::<_, FullEntryRow>(&sql);
-    if let Some(uid) = user_id {
-        q = q.bind(uid);
-    }
-    if let Some(f) = folder {
-        q = q.bind(f);
-    }
-    if let Some(t) = entry_type {
-        q = q.bind(t);
-    }
-    let rows = q.fetch_all(&mut *tx).await?;
-
-    if rows.len() > MAX_BULK_DELETE {
-        tx.rollback().await?;
-        anyhow::bail!(
-            "Bulk delete would affect {} entries (limit: {}). \
-             Narrow your filters or delete entries individually.",
-            rows.len(),
-            MAX_BULK_DELETE,
-        );
-    }
-
-    let mut deleted = Vec::with_capacity(rows.len());
-    for row in &rows {
-        let entry_row: EntryRow = EntryRow {
-            id: row.id,
-            version: row.version,
-            folder: row.folder.clone(),
-            entry_type: row.entry_type.clone(),
-            tags: row.tags.clone(),
-            metadata: row.metadata.clone(),
-            notes: row.notes.clone(),
-            name: row.name.clone(),
-        };
-        snapshot_and_soft_delete(
-            &mut tx,
-            &row.folder,
-            &row.entry_type,
-            &row.name,
-            &entry_row,
-            user_id,
-        )
-        .await?;
-        crate::audit::log_tx(
-            &mut tx,
-            user_id,
-            "delete",
-            &row.folder,
-            &row.entry_type,
-            &row.name,
-            json!({"bulk": true}),
-        )
-        .await;
-        deleted.push(DeletedEntry {
-            name: row.name.clone(),
-            folder: row.folder.clone(),
-            entry_type: row.entry_type.clone(),
-        });
-    }
-
-    tx.commit().await?;
-
-    Ok(DeleteResult {
-        deleted,
-        dry_run: false,
-    })
-}
-
-async fn snapshot_and_soft_delete(
-    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
-    folder: &str,
-    entry_type: &str,
-    name: &str,
-    row: &EntryRow,
-    user_id: Option<Uuid>,
-) -> Result<()> {
-    let history_metadata = match db::metadata_with_secret_snapshot(tx, row.id, &row.metadata).await
-    {
-        Ok(v) => v,
-        Err(e) => {
-            tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
-            row.metadata.clone()
-        }
-    };
-
-    if let Err(e) = db::snapshot_entry_history(
-        tx,
-        db::EntrySnapshotParams {
-            entry_id: row.id,
-            user_id,
-            folder,
-            entry_type,
-            name,
-            version: row.version,
-            action: "delete",
-            tags: &row.tags,
-            metadata: &history_metadata,
-        },
-    )
-    .await
-    {
-        tracing::warn!(error = %e, "failed to snapshot entry history before delete");
-    }
-
-    let fields: Vec<SecretFieldRow> = sqlx::query_as(
-        "SELECT s.id, s.name, s.encrypted \
-         FROM entry_secrets es \
-         JOIN secrets s ON s.id = es.secret_id \
-         WHERE es.entry_id = $1",
-    )
-    .bind(row.id)
-    .fetch_all(&mut **tx)
-    .await?;
-
-    for f in &fields {
-        if let Err(e) = db::snapshot_secret_history(
-            tx,
-            db::SecretSnapshotParams {
-                secret_id: f.id,
-                name: &f.name,
-                encrypted: &f.encrypted,
-                action: "delete",
-            },
-        )
-        .await
-        {
-            tracing::warn!(error = %e, "failed to snapshot secret history before delete");
-        }
-    }
-
-    sqlx::query("UPDATE entries SET deleted_at = NOW(), updated_at = NOW() WHERE id = $1")
-        .bind(row.id)
-        .execute(&mut **tx)
-        .await?;
-
-    Ok(())
-}
-
-async fn purge_entry_record(
-    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
-    entry_id: Uuid,
-) -> Result<()> {
-    let fields: Vec<SecretFieldRow> = sqlx::query_as(
-        "SELECT s.id, s.name, s.encrypted \
-         FROM entry_secrets es \
-         JOIN secrets s ON s.id = es.secret_id \
-         WHERE es.entry_id = $1",
-    )
-    .bind(entry_id)
-    .fetch_all(&mut **tx)
-    .await?;
-
-    sqlx::query("DELETE FROM entries WHERE id = $1")
-        .bind(entry_id)
-        .execute(&mut **tx)
-        .await?;
-
-    let secret_ids: Vec<Uuid> = fields.iter().map(|f| f.id).collect();
-    if !secret_ids.is_empty() {
-        sqlx::query(
-            "DELETE FROM secrets s \
-             WHERE s.id = ANY($1) \
-               AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = s.id)",
-        )
-        .bind(&secret_ids)
-        .execute(&mut **tx)
-        .await?;
-    }
-
-    Ok(())
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use sqlx::PgPool;
-
-    async fn maybe_test_pool() -> Option<PgPool> {
-        let Ok(url) = std::env::var("SECRETS_DATABASE_URL") else {
-            eprintln!("skip delete tests: SECRETS_DATABASE_URL is not set");
-            return None;
-        };
-        let Ok(pool) = PgPool::connect(&url).await else {
-            eprintln!("skip delete tests: cannot connect to database");
-            return None;
-        };
-        if let Err(e) = crate::db::migrate(&pool).await {
-            eprintln!("skip delete tests: migrate failed: {e}");
-            return None;
-        }
-        Some(pool)
-    }
-
-    async fn cleanup_single_user_rows(pool: &PgPool, marker: &str) -> Result<()> {
-        sqlx::query(
-            "DELETE FROM entries WHERE user_id IS NULL AND (name LIKE $1 OR folder LIKE $1)",
-        )
-        .bind(format!("%{marker}%"))
-        .execute(pool)
-        .await?;
-        sqlx::query(
-            "DELETE FROM secrets WHERE user_id IS NULL AND name LIKE $1 \
-             AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = secrets.id)",
-        )
-        .bind(format!("%{marker}%"))
-        .execute(pool)
-        .await?;
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn delete_dry_run_reports_matching_entry_without_writes() -> Result<()> {
-        let Some(pool) = maybe_test_pool().await else {
-            return Ok(());
-        };
-        let suffix = Uuid::from_u128(rand::random()).to_string();
-        let marker = format!("delete_dry_{}", &suffix[..8]);
-        let entry_name = format!("{}_entry", marker);
-
-        cleanup_single_user_rows(&pool, &marker).await?;
-
-        sqlx::query(
-            "INSERT INTO entries (user_id, folder, type, name, notes, tags, metadata) \
-             VALUES (NULL, $1, 'service', $2, '', '{}', '{}')",
-        )
-        .bind(&marker)
-        .bind(&entry_name)
-        .execute(&pool)
-        .await?;
-
-        let result = run(
-            &pool,
-            DeleteParams {
-                name: Some(&entry_name),
-                folder: Some(&marker),
-                entry_type: None,
-                dry_run: true,
-                user_id: None,
-            },
-        )
-        .await?;
-
-        assert!(result.dry_run);
-        assert_eq!(result.deleted.len(), 1);
-        assert_eq!(result.deleted[0].name, entry_name);
-
-        let still_exists: bool = sqlx::query_scalar(
-            "SELECT EXISTS(SELECT 1 FROM entries WHERE user_id IS NULL AND folder = $1 AND name = $2)",
-        )
-        .bind(&marker)
-        .bind(&entry_name)
-        .fetch_one(&pool)
-        .await?;
-        assert!(still_exists);
-
-        cleanup_single_user_rows(&pool, &marker).await?;
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn delete_by_id_removes_entry_and_orphan_secret() -> Result<()> {
-        let Some(pool) = maybe_test_pool().await else {
-            return Ok(());
-        };
-        let suffix = Uuid::from_u128(rand::random()).to_string();
-        let marker = format!("delete_id_{}", &suffix[..8]);
-        let user_id = Uuid::from_u128(rand::random());
-        let entry_name = format!("{}_entry", marker);
-        let secret_name = format!("{}_secret", marker);
-
-        sqlx::query("DELETE FROM entries WHERE user_id = $1 AND folder = $2")
-            .bind(user_id)
-            .bind(&marker)
-            .execute(&pool)
-            .await?;
-        sqlx::query("DELETE FROM secrets WHERE user_id = $1 AND name = $2")
-            .bind(user_id)
-            .bind(&secret_name)
-            .execute(&pool)
-            .await?;
-
-        let entry_id: Uuid = sqlx::query_scalar(
-            "INSERT INTO entries (user_id, folder, type, name, notes, tags, metadata) \
-             VALUES ($1, $2, 'service', $3, '', '{}', '{}') RETURNING id",
-        )
-        .bind(user_id)
-        .bind(&marker)
-        .bind(&entry_name)
-        .fetch_one(&pool)
-        .await?;
-        let secret_id: Uuid = sqlx::query_scalar(
-            "INSERT INTO secrets (user_id, name, type, encrypted) VALUES ($1, $2, 'text', $3) RETURNING id",
-        )
-        .bind(user_id)
-        .bind(&secret_name)
-        .bind(vec![1_u8, 2, 3])
-        .fetch_one(&pool)
-        .await?;
-        sqlx::query("INSERT INTO entry_secrets (entry_id, secret_id) VALUES ($1, $2)")
-            .bind(entry_id)
-            .bind(secret_id)
-            .execute(&pool)
-            .await?;
-
-        let result = delete_by_id(&pool, entry_id, user_id).await?;
-        assert!(!result.dry_run);
-        assert_eq!(result.deleted.len(), 1);
-        assert_eq!(result.deleted[0].name, entry_name);
-
-        let entry_exists: bool =
-            sqlx::query_scalar("SELECT EXISTS(SELECT 1 FROM entries WHERE id = $1)")
-                .bind(entry_id)
-                .fetch_one(&pool)
-                .await?;
-        let secret_exists: bool =
-            sqlx::query_scalar("SELECT EXISTS(SELECT 1 FROM secrets WHERE id = $1)")
-                .bind(secret_id)
-                .fetch_one(&pool)
-                .await?;
-        assert!(!entry_exists);
-        assert!(!secret_exists);
-
-        Ok(())
-    }
-}

crates/secrets-core/src/service/env_map.rs

@@ -1,122 +0,0 @@
-use anyhow::Result;
-use serde_json::Value;
-use sqlx::PgPool;
-use std::collections::HashMap;
-use uuid::Uuid;
-
-use crate::crypto;
-use crate::service::search::{fetch_entries, fetch_secrets_for_entries};
-
-/// Build an env variable map from entry secrets (for dry-run preview or injection).
-#[allow(clippy::too_many_arguments)]
-pub async fn build_env_map(
-    pool: &PgPool,
-    folder: Option<&str>,
-    entry_type: Option<&str>,
-    name: Option<&str>,
-    tags: &[String],
-    only_fields: &[String],
-    prefix: &str,
-    master_key: &[u8; 32],
-    user_id: Option<Uuid>,
-) -> Result<HashMap<String, String>> {
-    let entries = fetch_entries(pool, folder, entry_type, name, tags, None, None, user_id).await?;
-    if entries.is_empty() {
-        return Ok(HashMap::new());
-    }
-
-    let entry_ids: Vec<Uuid> = entries.iter().map(|e| e.id).collect();
-    let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
-
-    let mut combined: HashMap<String, String> = HashMap::new();
-
-    for entry in &entries {
-        let all_fields = secrets_map.get(&entry.id).map(Vec::as_slice).unwrap_or(&[]);
-        let effective_prefix = env_prefix(entry, prefix);
-
-        let fields: Vec<_> = if only_fields.is_empty() {
-            all_fields.iter().collect()
-        } else {
-            all_fields
-                .iter()
-                .filter(|f| only_fields.contains(&f.name))
-                .collect()
-        };
-
-        for f in fields {
-            let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
-            let seg = secret_name_to_env_segment(&f.name);
-            let key = format!("{}_{}", effective_prefix, seg);
-            if let Some(_old) = combined.insert(key.clone(), json_to_env_string(&decrypted)) {
-                anyhow::bail!(
-                    "environment variable name collision after normalization: '{}' (secret '{}')",
-                    key,
-                    f.name
-                );
-            }
-        }
-    }
-
-    Ok(combined)
-}
-
-/// Map a secret field name to an env key segment: `.` → `__`, `-` → `_`, then uppercase.
-/// Avoids collisions between e.g. `db.password` and `db_password`.
-fn secret_name_to_env_segment(name: &str) -> String {
-    name.replace('.', "__").replace('-', "_").to_uppercase()
-}
-
-fn env_prefix(entry: &crate::models::Entry, prefix: &str) -> String {
-    let name_part = entry.name.to_uppercase().replace(['-', '.', ' '], "_");
-    if prefix.is_empty() {
-        name_part
-    } else {
-        let normalized = prefix.to_uppercase().replace(['-', '.', ' '], "_");
-        let normalized = normalized.trim_end_matches('_');
-        format!("{}_{}", normalized, name_part)
-    }
-}
-
-fn json_to_env_string(v: &Value) -> String {
-    match v {
-        Value::String(s) => s.clone(),
-        Value::Null => String::new(),
-        other => other.to_string(),
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use serde_json::Value;
-
-    use super::{env_prefix, secret_name_to_env_segment};
-    use crate::models::Entry;
-
-    #[test]
-    fn secret_name_env_segment_disambiguates_dot_from_underscore() {
-        assert_eq!(secret_name_to_env_segment("db.password"), "DB__PASSWORD");
-        assert_eq!(secret_name_to_env_segment("db_password"), "DB_PASSWORD");
-        assert_eq!(secret_name_to_env_segment("api-key"), "API_KEY");
-    }
-
-    #[test]
-    fn env_prefix_with_and_without_prefix() {
-        let entry = Entry {
-            id: uuid::Uuid::new_v4(),
-            user_id: None,
-            folder: "test".into(),
-            entry_type: "server".into(),
-            name: "my-server".into(),
-            notes: String::new(),
-            tags: vec![],
-            metadata: Value::Null,
-            version: 1,
-            created_at: chrono::Utc::now(),
-            updated_at: chrono::Utc::now(),
-            deleted_at: None,
-        };
-        assert_eq!(env_prefix(&entry, ""), "MY_SERVER");
-        assert_eq!(env_prefix(&entry, "ALIYUN"), "ALIYUN_MY_SERVER");
-        assert_eq!(env_prefix(&entry, "aliyun_"), "ALIYUN_MY_SERVER");
-    }
-}

crates/secrets-core/src/service/export.rs

@@ -1,144 +0,0 @@
-use anyhow::Result;
-use serde_json::Value;
-use sqlx::PgPool;
-use std::collections::{BTreeMap, HashMap};
-use uuid::Uuid;
-
-use crate::crypto;
-use crate::models::{ExportData, ExportEntry, ExportFormat};
-use crate::service::search::{fetch_entries, fetch_secrets_for_entries};
-
-pub struct ExportParams<'a> {
-    pub folder: Option<&'a str>,
-    pub entry_type: Option<&'a str>,
-    pub name: Option<&'a str>,
-    pub tags: &'a [String],
-    pub query: Option<&'a str>,
-    pub no_secrets: bool,
-    pub user_id: Option<Uuid>,
-}
-
-pub async fn export(
-    pool: &PgPool,
-    params: ExportParams<'_>,
-    master_key: Option<&[u8; 32]>,
-) -> Result<ExportData> {
-    let entries = fetch_entries(
-        pool,
-        params.folder,
-        params.entry_type,
-        params.name,
-        params.tags,
-        params.query,
-        None,
-        params.user_id,
-    )
-    .await?;
-
-    let entry_ids: Vec<Uuid> = entries.iter().map(|e| e.id).collect();
-    let secrets_map: HashMap<Uuid, Vec<_>> = if !params.no_secrets && !entry_ids.is_empty() {
-        fetch_secrets_for_entries(pool, &entry_ids).await?
-    } else {
-        HashMap::new()
-    };
-
-    let mut export_entries: Vec<ExportEntry> = Vec::with_capacity(entries.len());
-    for entry in &entries {
-        let (secrets, secret_types) = if params.no_secrets {
-            (None, None)
-        } else {
-            let fields = secrets_map.get(&entry.id).map(Vec::as_slice).unwrap_or(&[]);
-            if fields.is_empty() {
-                (Some(BTreeMap::new()), Some(BTreeMap::new()))
-            } else {
-                let mk = master_key
-                    .ok_or_else(|| anyhow::anyhow!("master key required to decrypt secrets"))?;
-                let mut map = BTreeMap::new();
-                let mut type_map = BTreeMap::new();
-                for f in fields {
-                    let decrypted = crypto::decrypt_json(mk, &f.encrypted)?;
-                    map.insert(f.name.clone(), decrypted);
-                    type_map.insert(f.name.clone(), f.secret_type.clone());
-                }
-                (Some(map), Some(type_map))
-            }
-        };
-
-        export_entries.push(ExportEntry {
-            name: entry.name.clone(),
-            folder: entry.folder.clone(),
-            entry_type: entry.entry_type.clone(),
-            notes: entry.notes.clone(),
-            tags: entry.tags.clone(),
-            metadata: entry.metadata.clone(),
-            secrets,
-            secret_types,
-        });
-    }
-
-    Ok(ExportData {
-        version: 1,
-        exported_at: chrono::Utc::now().format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-        entries: export_entries,
-    })
-}
-
-pub async fn export_to_file(
-    pool: &PgPool,
-    params: ExportParams<'_>,
-    master_key: Option<&[u8; 32]>,
-    file_path: &str,
-    format_override: Option<&str>,
-) -> Result<usize> {
-    let format = if let Some(f) = format_override {
-        f.parse::<ExportFormat>()?
-    } else {
-        ExportFormat::from_extension(file_path).unwrap_or(ExportFormat::Json)
-    };
-
-    let data = export(pool, params, master_key).await?;
-    let count = data.entries.len();
-    let serialized = format.serialize(&data)?;
-    std::fs::write(file_path, &serialized)?;
-    Ok(count)
-}
-
-pub async fn export_to_string(
-    pool: &PgPool,
-    params: ExportParams<'_>,
-    master_key: Option<&[u8; 32]>,
-    format: &str,
-) -> Result<String> {
-    let fmt = format.parse::<ExportFormat>()?;
-    let data = export(pool, params, master_key).await?;
-    fmt.serialize(&data)
-}
-
-// ── Build helpers for re-encoding values as CLI-style entries ─────────────────
-
-pub fn build_meta_entries(metadata: &Value) -> Vec<String> {
-    let mut entries = Vec::new();
-    if let Some(obj) = metadata.as_object() {
-        for (k, v) in obj {
-            entries.push(value_to_kv_entry(k, v));
-        }
-    }
-    entries
-}
-
-pub fn build_secret_entries(secrets: Option<&BTreeMap<String, Value>>) -> Vec<String> {
-    let mut entries = Vec::new();
-    if let Some(map) = secrets {
-        for (k, v) in map {
-            entries.push(value_to_kv_entry(k, v));
-        }
-    }
-    entries
-}
-
-pub fn value_to_kv_entry(key: &str, value: &Value) -> String {
-    match value {
-        Value::String(s) => format!("{}={}", key, s),
-        other => format!("{}:={}", key, other),
-    }
-}

crates/secrets-core/src/service/get_secret.rs

@@ -1,105 +0,0 @@
-use anyhow::Result;
-use serde_json::Value;
-use sqlx::PgPool;
-use std::collections::HashMap;
-use uuid::Uuid;
-
-use crate::crypto;
-use crate::error::AppError;
-use crate::service::search::{fetch_secrets_for_entries, resolve_entry, resolve_entry_by_id};
-
-/// Decrypt a single named field from an entry.
-/// `folder` is optional; if omitted and multiple entries share the name, an error is returned.
-pub async fn get_secret_field(
-    pool: &PgPool,
-    name: &str,
-    folder: Option<&str>,
-    field_name: &str,
-    master_key: &[u8; 32],
-    user_id: Option<Uuid>,
-) -> Result<Value> {
-    let entry = resolve_entry(pool, name, folder, user_id).await?;
-
-    let entry_ids = vec![entry.id];
-    let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
-    let fields = secrets_map.get(&entry.id).map(Vec::as_slice).unwrap_or(&[]);
-
-    let field = fields
-        .iter()
-        .find(|f| f.name == field_name)
-        .ok_or_else(|| anyhow::anyhow!("Secret field '{}' not found", field_name))?;
-
-    crypto::decrypt_json(master_key, &field.encrypted)
-}
-
-/// Decrypt all secret fields from an entry. Returns a map field_name → decrypted Value.
-/// `folder` is optional; if omitted and multiple entries share the name, an error is returned.
-pub async fn get_all_secrets(
-    pool: &PgPool,
-    name: &str,
-    folder: Option<&str>,
-    master_key: &[u8; 32],
-    user_id: Option<Uuid>,
-) -> Result<HashMap<String, Value>> {
-    let entry = resolve_entry(pool, name, folder, user_id).await?;
-
-    let entry_ids = vec![entry.id];
-    let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
-    let fields = secrets_map.get(&entry.id).map(Vec::as_slice).unwrap_or(&[]);
-
-    let mut map = HashMap::new();
-    for f in fields {
-        let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
-        map.insert(f.name.clone(), decrypted);
-    }
-    Ok(map)
-}
-
-/// Decrypt a single named field from an entry, located by its UUID.
-pub async fn get_secret_field_by_id(
-    pool: &PgPool,
-    entry_id: Uuid,
-    field_name: &str,
-    master_key: &[u8; 32],
-    user_id: Option<Uuid>,
-) -> Result<Value> {
-    resolve_entry_by_id(pool, entry_id, user_id)
-        .await
-        .map_err(|_| anyhow::Error::from(AppError::NotFoundEntry))?;
-
-    let entry_ids = vec![entry_id];
-    let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
-    let fields = secrets_map.get(&entry_id).map(Vec::as_slice).unwrap_or(&[]);
-
-    let field = fields
-        .iter()
-        .find(|f| f.name == field_name)
-        .ok_or_else(|| anyhow::anyhow!("Secret field '{}' not found", field_name))?;
-
-    crypto::decrypt_json(master_key, &field.encrypted)
-}
-
-/// Decrypt all secret fields from an entry, located by its UUID.
-/// Returns a map field_name → decrypted Value.
-pub async fn get_all_secrets_by_id(
-    pool: &PgPool,
-    entry_id: Uuid,
-    master_key: &[u8; 32],
-    user_id: Option<Uuid>,
-) -> Result<HashMap<String, Value>> {
-    // Validate entry exists (and that it belongs to the requesting user)
-    resolve_entry_by_id(pool, entry_id, user_id)
-        .await
-        .map_err(|_| anyhow::Error::from(AppError::NotFoundEntry))?;
-
-    let entry_ids = vec![entry_id];
-    let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
-    let fields = secrets_map.get(&entry_id).map(Vec::as_slice).unwrap_or(&[]);
-
-    let mut map = HashMap::new();
-    for f in fields {
-        let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
-        map.insert(f.name.clone(), decrypted);
-    }
-    Ok(map)
-}

crates/secrets-core/src/service/history.rs

@@ -1,64 +0,0 @@
-use anyhow::Result;
-use serde_json::Value;
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::service::search::resolve_entry;
-
-#[derive(Debug, serde::Serialize)]
-pub struct HistoryEntry {
-    pub version: i64,
-    pub action: String,
-    pub created_at: String,
-}
-
-/// Return version history for the entry identified by `name`.
-/// `folder` is optional; if omitted and multiple entries share the name, an error is returned.
-pub async fn run(
-    pool: &PgPool,
-    name: &str,
-    folder: Option<&str>,
-    limit: u32,
-    user_id: Option<Uuid>,
-) -> Result<Vec<HistoryEntry>> {
-    #[derive(sqlx::FromRow)]
-    struct Row {
-        version: i64,
-        action: String,
-        created_at: chrono::DateTime<chrono::Utc>,
-    }
-
-    let entry = resolve_entry(pool, name, folder, user_id).await?;
-
-    let rows: Vec<Row> = sqlx::query_as(
-        "SELECT DISTINCT ON (version) version, action, created_at \
-         FROM entries_history \
-         WHERE entry_id = $1 \
-         ORDER BY version DESC, id DESC \
-         LIMIT $2",
-    )
-    .bind(entry.id)
-    .bind(limit as i64)
-    .fetch_all(pool)
-    .await?;
-
-    Ok(rows
-        .into_iter()
-        .map(|r| HistoryEntry {
-            version: r.version,
-            action: r.action,
-            created_at: r.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-        })
-        .collect())
-}
-
-pub async fn run_json(
-    pool: &PgPool,
-    name: &str,
-    folder: Option<&str>,
-    limit: u32,
-    user_id: Option<Uuid>,
-) -> Result<Value> {
-    let entries = run(pool, name, folder, limit, user_id).await?;
-    Ok(serde_json::to_value(entries)?)
-}

crates/secrets-core/src/service/import.rs

@@ -1,180 +0,0 @@
-use anyhow::Result;
-use sqlx::PgPool;
-use std::collections::HashMap;
-use uuid::Uuid;
-
-use crate::models::ExportFormat;
-use crate::service::add::{AddParams, run as add_run};
-use crate::service::export::{build_meta_entries, build_secret_entries};
-
-#[derive(Debug, serde::Serialize)]
-pub struct ImportSummary {
-    pub total: usize,
-    pub inserted: usize,
-    pub skipped: usize,
-    pub failed: usize,
-    pub dry_run: bool,
-}
-
-pub struct ImportParams<'a> {
-    pub file: &'a str,
-    pub force: bool,
-    pub dry_run: bool,
-    pub user_id: Option<Uuid>,
-}
-
-pub async fn run(
-    pool: &PgPool,
-    params: ImportParams<'_>,
-    master_key: &[u8; 32],
-) -> Result<ImportSummary> {
-    let format = ExportFormat::from_extension(params.file)?;
-    let content = std::fs::read_to_string(params.file)
-        .map_err(|e| anyhow::anyhow!("Cannot read file '{}': {}", params.file, e))?;
-    let data = format.deserialize(&content)?;
-
-    if data.version != 1 {
-        anyhow::bail!(
-            "Unsupported export version {}. Only version 1 is supported.",
-            data.version
-        );
-    }
-
-    let total = data.entries.len();
-    let mut inserted = 0usize;
-    let mut skipped = 0usize;
-    let mut failed = 0usize;
-
-    for entry in &data.entries {
-        let exists: bool = sqlx::query_scalar(
-            "SELECT EXISTS(SELECT 1 FROM entries \
-             WHERE folder = $1 AND name = $2 AND user_id IS NOT DISTINCT FROM $3)",
-        )
-        .bind(&entry.folder)
-        .bind(&entry.name)
-        .bind(params.user_id)
-        .fetch_one(pool)
-        .await
-        .map_err(|e| {
-            anyhow::anyhow!(
-                "Failed to check entry existence for '{}': {}",
-                entry.name,
-                e
-            )
-        })?;
-
-        if exists && !params.force {
-            return Err(anyhow::anyhow!(
-                "Import aborted: conflict on '{}'",
-                entry.name
-            ));
-        }
-
-        if params.dry_run {
-            if exists {
-                skipped += 1;
-            } else {
-                inserted += 1;
-            }
-            continue;
-        }
-
-        let secret_entries = build_secret_entries(entry.secrets.as_ref());
-        let meta_entries = build_meta_entries(&entry.metadata);
-        let secret_types_map: HashMap<String, String> = entry
-            .secret_types
-            .as_ref()
-            .map(|m| m.iter().map(|(k, v)| (k.clone(), v.clone())).collect())
-            .unwrap_or_default();
-
-        match add_run(
-            pool,
-            AddParams {
-                name: &entry.name,
-                folder: &entry.folder,
-                entry_type: &entry.entry_type,
-                notes: &entry.notes,
-                tags: &entry.tags,
-                meta_entries: &meta_entries,
-                secret_entries: &secret_entries,
-                secret_types: &secret_types_map,
-                link_secret_names: &[],
-                user_id: params.user_id,
-            },
-            master_key,
-        )
-        .await
-        {
-            Ok(_) => {
-                inserted += 1;
-            }
-            Err(e) => {
-                tracing::error!(
-                    name = entry.name,
-                    error = %e,
-                    "failed to import entry"
-                );
-                failed += 1;
-            }
-        }
-    }
-
-    if failed > 0 {
-        return Err(anyhow::anyhow!("{} record(s) failed to import", failed));
-    }
-
-    Ok(ImportSummary {
-        total,
-        inserted,
-        skipped,
-        failed,
-        dry_run: params.dry_run,
-    })
-}
-
-#[cfg(test)]
-mod tests {
-    use std::collections::{BTreeMap, HashMap};
-
-    use crate::models::ExportEntry;
-
-    /// Mirrors the map built in `run` before `AddParams` (legacy files omit `secret_types`).
-    fn secret_types_for_add(entry: &ExportEntry) -> HashMap<String, String> {
-        entry
-            .secret_types
-            .as_ref()
-            .map(|m| m.iter().map(|(k, v)| (k.clone(), v.clone())).collect())
-            .unwrap_or_default()
-    }
-
-    #[test]
-    fn secret_types_three_kinds_round_trip_for_add_params() {
-        let mut types = BTreeMap::new();
-        types.insert("p".into(), "password".into());
-        types.insert("k".into(), "key".into());
-        types.insert("t".into(), "text".into());
-        let entry = ExportEntry {
-            name: "n".into(),
-            folder: "f".into(),
-            entry_type: "ty".into(),
-            notes: "".into(),
-            tags: vec![],
-            metadata: serde_json::json!({}),
-            secrets: Some(BTreeMap::new()),
-            secret_types: Some(types),
-        };
-        let m = secret_types_for_add(&entry);
-        assert_eq!(m.get("p").map(String::as_str), Some("password"));
-        assert_eq!(m.get("k").map(String::as_str), Some("key"));
-        assert_eq!(m.get("t").map(String::as_str), Some("text"));
-    }
-
-    #[test]
-    fn secret_types_absent_defaults_to_empty_map_like_legacy_export() {
-        let json =
-            r#"{"name":"a","folder":"","type":"","notes":"","tags":[],"metadata":{},"secrets":{}}"#;
-        let entry: ExportEntry = serde_json::from_str(json).unwrap();
-        assert!(entry.secret_types.is_none());
-        assert!(secret_types_for_add(&entry).is_empty());
-    }
-}

crates/secrets-core/src/service/mod.rs

@@ -1,15 +0,0 @@
-pub mod add;
-pub mod api_key;
-pub mod audit_log;
-pub mod delete;
-pub mod env_map;
-pub mod export;
-pub mod get_secret;
-pub mod history;
-pub mod import;
-pub mod relations;
-pub mod rollback;
-pub mod search;
-pub mod update;
-pub mod user;
-pub mod util;

crates/secrets-core/src/service/relations.rs

@@ -1,324 +0,0 @@
-use std::collections::{BTreeSet, HashMap};
-
-use anyhow::Result;
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::error::AppError;
-
-#[derive(Debug, Clone, serde::Serialize, sqlx::FromRow)]
-pub struct RelationEntrySummary {
-    pub id: Uuid,
-    pub folder: String,
-    #[serde(rename = "type")]
-    #[sqlx(rename = "type")]
-    pub entry_type: String,
-    pub name: String,
-}
-
-#[derive(Debug, Clone, Default, serde::Serialize)]
-pub struct EntryRelations {
-    pub parents: Vec<RelationEntrySummary>,
-    pub children: Vec<RelationEntrySummary>,
-}
-
-pub async fn add_parent_relation(
-    pool: &PgPool,
-    parent_entry_id: Uuid,
-    child_entry_id: Uuid,
-    user_id: Option<Uuid>,
-) -> Result<()> {
-    if parent_entry_id == child_entry_id {
-        return Err(AppError::Validation {
-            message: "entry cannot reference itself".to_string(),
-        }
-        .into());
-    }
-
-    let mut tx = pool.begin().await?;
-    validate_live_entries(&mut tx, &[parent_entry_id, child_entry_id], user_id).await?;
-
-    let cycle_exists: bool = sqlx::query_scalar(
-        "WITH RECURSIVE descendants AS ( \
-           SELECT child_entry_id FROM entry_relations WHERE parent_entry_id = $1 \
-           UNION \
-           SELECT er.child_entry_id \
-           FROM entry_relations er \
-           JOIN descendants d ON d.child_entry_id = er.parent_entry_id \
-         ) \
-         SELECT EXISTS(SELECT 1 FROM descendants WHERE child_entry_id = $2)",
-    )
-    .bind(child_entry_id)
-    .bind(parent_entry_id)
-    .fetch_one(&mut *tx)
-    .await?;
-    if cycle_exists {
-        tx.rollback().await?;
-        return Err(AppError::Validation {
-            message: "adding this relation would create a cycle".to_string(),
-        }
-        .into());
-    }
-
-    sqlx::query(
-        "INSERT INTO entry_relations (parent_entry_id, child_entry_id) \
-         VALUES ($1, $2) ON CONFLICT DO NOTHING",
-    )
-    .bind(parent_entry_id)
-    .bind(child_entry_id)
-    .execute(&mut *tx)
-    .await?;
-    tx.commit().await?;
-    Ok(())
-}
-
-pub async fn remove_parent_relation(
-    pool: &PgPool,
-    parent_entry_id: Uuid,
-    child_entry_id: Uuid,
-    user_id: Option<Uuid>,
-) -> Result<()> {
-    let mut tx = pool.begin().await?;
-    validate_live_entries(&mut tx, &[parent_entry_id, child_entry_id], user_id).await?;
-    sqlx::query("DELETE FROM entry_relations WHERE parent_entry_id = $1 AND child_entry_id = $2")
-        .bind(parent_entry_id)
-        .bind(child_entry_id)
-        .execute(&mut *tx)
-        .await?;
-    tx.commit().await?;
-    Ok(())
-}
-
-pub async fn set_parent_relations(
-    pool: &PgPool,
-    child_entry_id: Uuid,
-    parent_entry_ids: &[Uuid],
-    user_id: Option<Uuid>,
-) -> Result<()> {
-    let deduped: Vec<Uuid> = parent_entry_ids
-        .iter()
-        .copied()
-        .collect::<BTreeSet<_>>()
-        .into_iter()
-        .collect();
-    if deduped.contains(&child_entry_id) {
-        return Err(AppError::Validation {
-            message: "entry cannot reference itself".to_string(),
-        }
-        .into());
-    }
-
-    let mut tx = pool.begin().await?;
-    let mut validate_ids = Vec::with_capacity(deduped.len() + 1);
-    validate_ids.push(child_entry_id);
-    validate_ids.extend(deduped.iter().copied());
-    validate_live_entries(&mut tx, &validate_ids, user_id).await?;
-
-    let current_parent_ids: Vec<Uuid> =
-        sqlx::query_scalar("SELECT parent_entry_id FROM entry_relations WHERE child_entry_id = $1")
-            .bind(child_entry_id)
-            .fetch_all(&mut *tx)
-            .await?;
-    let current: BTreeSet<Uuid> = current_parent_ids.into_iter().collect();
-    let target: BTreeSet<Uuid> = deduped.iter().copied().collect();
-
-    for parent_id in current.difference(&target) {
-        sqlx::query(
-            "DELETE FROM entry_relations WHERE parent_entry_id = $1 AND child_entry_id = $2",
-        )
-        .bind(*parent_id)
-        .bind(child_entry_id)
-        .execute(&mut *tx)
-        .await?;
-    }
-
-    for parent_id in target.difference(&current) {
-        let cycle_exists: bool = sqlx::query_scalar(
-            "WITH RECURSIVE descendants AS ( \
-               SELECT child_entry_id FROM entry_relations WHERE parent_entry_id = $1 \
-               UNION \
-               SELECT er.child_entry_id \
-               FROM entry_relations er \
-               JOIN descendants d ON d.child_entry_id = er.parent_entry_id \
-             ) \
-             SELECT EXISTS(SELECT 1 FROM descendants WHERE child_entry_id = $2)",
-        )
-        .bind(child_entry_id)
-        .bind(*parent_id)
-        .fetch_one(&mut *tx)
-        .await?;
-        if cycle_exists {
-            tx.rollback().await?;
-            return Err(AppError::Validation {
-                message: "adding this relation would create a cycle".to_string(),
-            }
-            .into());
-        }
-
-        sqlx::query(
-            "INSERT INTO entry_relations (parent_entry_id, child_entry_id) VALUES ($1, $2) \
-             ON CONFLICT DO NOTHING",
-        )
-        .bind(*parent_id)
-        .bind(child_entry_id)
-        .execute(&mut *tx)
-        .await?;
-    }
-
-    tx.commit().await?;
-    Ok(())
-}
-
-pub async fn get_relations_for_entries(
-    pool: &PgPool,
-    entry_ids: &[Uuid],
-    user_id: Option<Uuid>,
-) -> Result<HashMap<Uuid, EntryRelations>> {
-    if entry_ids.is_empty() {
-        return Ok(HashMap::new());
-    }
-
-    #[derive(sqlx::FromRow)]
-    struct ParentRow {
-        owner_entry_id: Uuid,
-        id: Uuid,
-        folder: String,
-        #[sqlx(rename = "type")]
-        entry_type: String,
-        name: String,
-    }
-
-    #[derive(sqlx::FromRow)]
-    struct ChildRow {
-        owner_entry_id: Uuid,
-        id: Uuid,
-        folder: String,
-        #[sqlx(rename = "type")]
-        entry_type: String,
-        name: String,
-    }
-
-    let (parents, children): (Vec<ParentRow>, Vec<ChildRow>) = if let Some(uid) = user_id {
-        let parents = sqlx::query_as(
-            "SELECT er.child_entry_id AS owner_entry_id, p.id, p.folder, p.type, p.name \
-             FROM entry_relations er \
-             JOIN entries p ON p.id = er.parent_entry_id \
-             JOIN entries c ON c.id = er.child_entry_id \
-             WHERE er.child_entry_id = ANY($1) \
-               AND p.user_id = $2 AND c.user_id = $2 \
-               AND p.deleted_at IS NULL AND c.deleted_at IS NULL \
-             ORDER BY er.child_entry_id, p.name ASC",
-        )
-        .bind(entry_ids)
-        .bind(uid)
-        .fetch_all(pool);
-        let children = sqlx::query_as(
-            "SELECT er.parent_entry_id AS owner_entry_id, c.id, c.folder, c.type, c.name \
-             FROM entry_relations er \
-             JOIN entries c ON c.id = er.child_entry_id \
-             JOIN entries p ON p.id = er.parent_entry_id \
-             WHERE er.parent_entry_id = ANY($1) \
-               AND p.user_id = $2 AND c.user_id = $2 \
-               AND p.deleted_at IS NULL AND c.deleted_at IS NULL \
-             ORDER BY er.parent_entry_id, c.name ASC",
-        )
-        .bind(entry_ids)
-        .bind(uid)
-        .fetch_all(pool);
-        (parents.await?, children.await?)
-    } else {
-        let parents = sqlx::query_as(
-            "SELECT er.child_entry_id AS owner_entry_id, p.id, p.folder, p.type, p.name \
-             FROM entry_relations er \
-             JOIN entries p ON p.id = er.parent_entry_id \
-             JOIN entries c ON c.id = er.child_entry_id \
-             WHERE er.child_entry_id = ANY($1) \
-               AND p.user_id IS NULL AND c.user_id IS NULL \
-               AND p.deleted_at IS NULL AND c.deleted_at IS NULL \
-             ORDER BY er.child_entry_id, p.name ASC",
-        )
-        .bind(entry_ids)
-        .fetch_all(pool);
-        let children = sqlx::query_as(
-            "SELECT er.parent_entry_id AS owner_entry_id, c.id, c.folder, c.type, c.name \
-             FROM entry_relations er \
-             JOIN entries c ON c.id = er.child_entry_id \
-             JOIN entries p ON p.id = er.parent_entry_id \
-             WHERE er.parent_entry_id = ANY($1) \
-               AND p.user_id IS NULL AND c.user_id IS NULL \
-               AND p.deleted_at IS NULL AND c.deleted_at IS NULL \
-             ORDER BY er.parent_entry_id, c.name ASC",
-        )
-        .bind(entry_ids)
-        .fetch_all(pool);
-        (parents.await?, children.await?)
-    };
-
-    let mut map: HashMap<Uuid, EntryRelations> = entry_ids
-        .iter()
-        .copied()
-        .map(|id| (id, EntryRelations::default()))
-        .collect();
-
-    for row in parents {
-        map.entry(row.owner_entry_id)
-            .or_default()
-            .parents
-            .push(RelationEntrySummary {
-                id: row.id,
-                folder: row.folder,
-                entry_type: row.entry_type,
-                name: row.name,
-            });
-    }
-
-    for row in children {
-        map.entry(row.owner_entry_id)
-            .or_default()
-            .children
-            .push(RelationEntrySummary {
-                id: row.id,
-                folder: row.folder,
-                entry_type: row.entry_type,
-                name: row.name,
-            });
-    }
-
-    Ok(map)
-}
-
-async fn validate_live_entries(
-    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
-    entry_ids: &[Uuid],
-    user_id: Option<Uuid>,
-) -> Result<()> {
-    let unique_ids: Vec<Uuid> = entry_ids
-        .iter()
-        .copied()
-        .collect::<BTreeSet<_>>()
-        .into_iter()
-        .collect();
-    let live_count: i64 = if let Some(uid) = user_id {
-        sqlx::query_scalar(
-            "SELECT COUNT(*)::bigint FROM entries \
-             WHERE id = ANY($1) AND user_id = $2 AND deleted_at IS NULL",
-        )
-        .bind(&unique_ids)
-        .bind(uid)
-        .fetch_one(&mut **tx)
-        .await?
-    } else {
-        sqlx::query_scalar(
-            "SELECT COUNT(*)::bigint FROM entries \
-             WHERE id = ANY($1) AND user_id IS NULL AND deleted_at IS NULL",
-        )
-        .bind(&unique_ids)
-        .fetch_one(&mut **tx)
-        .await?
-    };
-
-    if live_count != unique_ids.len() as i64 {
-        return Err(AppError::NotFoundEntry.into());
-    }
-    Ok(())
-}

crates/secrets-core/src/service/rollback.rs

@@ -1,343 +0,0 @@
-use std::collections::HashSet;
-
-use anyhow::Result;
-use serde_json::Value;
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::db;
-use crate::error::AppError;
-use crate::models::EntryWriteRow;
-
-#[derive(Debug, serde::Serialize)]
-pub struct RollbackResult {
-    pub name: String,
-    pub folder: String,
-    #[serde(rename = "type")]
-    pub entry_type: String,
-    pub restored_version: i64,
-}
-
-/// Roll back entry `name` to `to_version` (or the most recent snapshot if None).
-pub async fn run(
-    pool: &PgPool,
-    entry_id: Uuid,
-    to_version: Option<i64>,
-    user_id: Option<Uuid>,
-) -> Result<RollbackResult> {
-    #[derive(sqlx::FromRow)]
-    struct EntryHistoryRow {
-        folder: String,
-        #[sqlx(rename = "type")]
-        entry_type: String,
-        name: String,
-        version: i64,
-        action: String,
-        tags: Vec<String>,
-        metadata: Value,
-    }
-
-    let mut tx = pool.begin().await?;
-
-    let live: Option<EntryWriteRow> = if let Some(uid) = user_id {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, name, tags, metadata, notes, deleted_at FROM entries \
-             WHERE id = $1 AND user_id = $2 AND deleted_at IS NULL FOR UPDATE",
-        )
-        .bind(entry_id)
-        .bind(uid)
-        .fetch_optional(&mut *tx)
-        .await?
-    } else {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, name, tags, metadata, notes, deleted_at FROM entries \
-             WHERE id = $1 AND user_id IS NULL AND deleted_at IS NULL FOR UPDATE",
-        )
-        .bind(entry_id)
-        .fetch_optional(&mut *tx)
-        .await?
-    };
-
-    let lr = live.ok_or(AppError::NotFoundEntry)?;
-
-    let snap: Option<EntryHistoryRow> = if let Some(ver) = to_version {
-        sqlx::query_as(
-            "SELECT folder, type, name, version, action, tags, metadata \
-             FROM entries_history \
-             WHERE entry_id = $1 AND version = $2 ORDER BY id ASC LIMIT 1",
-        )
-        .bind(entry_id)
-        .bind(ver)
-        .fetch_optional(&mut *tx)
-        .await?
-    } else {
-        sqlx::query_as(
-            "SELECT folder, type, name, version, action, tags, metadata \
-             FROM entries_history \
-             WHERE entry_id = $1 ORDER BY id DESC LIMIT 1",
-        )
-        .bind(entry_id)
-        .fetch_optional(&mut *tx)
-        .await?
-    };
-
-    let snap = snap.ok_or_else(|| {
-        anyhow::anyhow!(
-            "No history found for entry '{}'{}.",
-            lr.name,
-            to_version
-                .map(|v| format!(" at version {}", v))
-                .unwrap_or_default()
-        )
-    })?;
-
-    let snap_secret_snapshot = db::entry_secret_snapshot_from_metadata(&snap.metadata);
-    let snap_metadata = db::strip_secret_snapshot_from_metadata(&snap.metadata);
-
-    let live_entry_id = {
-        let history_metadata =
-            match db::metadata_with_secret_snapshot(&mut tx, lr.id, &lr.metadata).await {
-                Ok(v) => v,
-                Err(e) => {
-                    tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
-                    lr.metadata.clone()
-                }
-            };
-
-        if let Err(e) = db::snapshot_entry_history(
-            &mut tx,
-            db::EntrySnapshotParams {
-                entry_id: lr.id,
-                user_id,
-                folder: &lr.folder,
-                entry_type: &lr.entry_type,
-                name: &lr.name,
-                version: lr.version,
-                action: "rollback",
-                tags: &lr.tags,
-                metadata: &history_metadata,
-            },
-        )
-        .await
-        {
-            tracing::warn!(error = %e, "failed to snapshot entry before rollback");
-        }
-
-        #[derive(sqlx::FromRow)]
-        struct LiveField {
-            id: Uuid,
-            name: String,
-            encrypted: Vec<u8>,
-        }
-        let live_fields: Vec<LiveField> = sqlx::query_as(
-            "SELECT s.id, s.name, s.encrypted \
-             FROM entry_secrets es \
-             JOIN secrets s ON s.id = es.secret_id \
-             WHERE es.entry_id = $1",
-        )
-        .bind(lr.id)
-        .fetch_all(&mut *tx)
-        .await?;
-
-        for f in &live_fields {
-            if let Err(e) = db::snapshot_secret_history(
-                &mut tx,
-                db::SecretSnapshotParams {
-                    secret_id: f.id,
-                    name: &f.name,
-                    encrypted: &f.encrypted,
-                    action: "rollback",
-                },
-            )
-            .await
-            {
-                tracing::warn!(error = %e, "failed to snapshot secret field before rollback");
-            }
-        }
-
-        sqlx::query(
-            "UPDATE entries SET folder = $1, type = $2, name = $3, notes = $4, tags = $5, metadata = $6, \
-             version = version + 1, updated_at = NOW() WHERE id = $7",
-        )
-        .bind(&snap.folder)
-        .bind(&snap.entry_type)
-        .bind(&snap.name)
-        .bind(&lr.notes)
-        .bind(&snap.tags)
-        .bind(&snap_metadata)
-        .bind(lr.id)
-        .execute(&mut *tx)
-        .await?;
-
-        lr.id
-    };
-
-    if let Some(secret_snapshot) = snap_secret_snapshot {
-        restore_entry_secrets(&mut tx, live_entry_id, user_id, &secret_snapshot).await?;
-    }
-
-    crate::audit::log_tx(
-        &mut tx,
-        user_id,
-        "rollback",
-        &snap.folder,
-        &snap.entry_type,
-        &snap.name,
-        serde_json::json!({
-            "entry_id": entry_id,
-            "restored_version": snap.version,
-            "original_action": snap.action,
-        }),
-    )
-    .await;
-
-    tx.commit().await?;
-
-    Ok(RollbackResult {
-        name: snap.name,
-        folder: snap.folder,
-        entry_type: snap.entry_type,
-        restored_version: snap.version,
-    })
-}
-
-async fn restore_entry_secrets(
-    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
-    entry_id: Uuid,
-    user_id: Option<Uuid>,
-    snapshot: &[db::EntrySecretSnapshot],
-) -> Result<()> {
-    #[derive(sqlx::FromRow)]
-    struct LinkedSecret {
-        id: Uuid,
-        name: String,
-        encrypted: Vec<u8>,
-    }
-
-    let linked: Vec<LinkedSecret> = sqlx::query_as(
-        "SELECT s.id, s.name, s.encrypted \
-         FROM entry_secrets es \
-         JOIN secrets s ON s.id = es.secret_id \
-         WHERE es.entry_id = $1",
-    )
-    .bind(entry_id)
-    .fetch_all(&mut **tx)
-    .await?;
-
-    let target_names: HashSet<&str> = snapshot.iter().map(|s| s.name.as_str()).collect();
-
-    for s in &linked {
-        if target_names.contains(s.name.as_str()) {
-            continue;
-        }
-        if let Err(e) = db::snapshot_secret_history(
-            tx,
-            db::SecretSnapshotParams {
-                secret_id: s.id,
-                name: &s.name,
-                encrypted: &s.encrypted,
-                action: "rollback",
-            },
-        )
-        .await
-        {
-            tracing::warn!(error = %e, "failed to snapshot secret before rollback unlink");
-        }
-
-        sqlx::query("DELETE FROM entry_secrets WHERE entry_id = $1 AND secret_id = $2")
-            .bind(entry_id)
-            .bind(s.id)
-            .execute(&mut **tx)
-            .await?;
-
-        sqlx::query(
-            "DELETE FROM secrets s \
-             WHERE s.id = $1 \
-               AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = s.id)",
-        )
-        .bind(s.id)
-        .execute(&mut **tx)
-        .await?;
-    }
-
-    for snap in snapshot {
-        let encrypted = ::hex::decode(&snap.encrypted_hex).map_err(|e| {
-            anyhow::anyhow!("invalid secret snapshot data for '{}': {}", snap.name, e)
-        })?;
-
-        #[derive(sqlx::FromRow)]
-        struct ExistingSecret {
-            id: Uuid,
-            encrypted: Vec<u8>,
-        }
-
-        let existing: Option<ExistingSecret> = if let Some(uid) = user_id {
-            sqlx::query_as("SELECT id, encrypted FROM secrets WHERE user_id = $1 AND name = $2")
-                .bind(uid)
-                .bind(&snap.name)
-                .fetch_optional(&mut **tx)
-                .await?
-        } else {
-            sqlx::query_as("SELECT id, encrypted FROM secrets WHERE user_id IS NULL AND name = $1")
-                .bind(&snap.name)
-                .fetch_optional(&mut **tx)
-                .await?
-        };
-
-        let secret_id = if let Some(ex) = existing {
-            if ex.encrypted != encrypted
-                && let Err(e) = db::snapshot_secret_history(
-                    tx,
-                    db::SecretSnapshotParams {
-                        secret_id: ex.id,
-                        name: &snap.name,
-                        encrypted: &ex.encrypted,
-                        action: "rollback",
-                    },
-                )
-                .await
-            {
-                tracing::warn!(error = %e, "failed to snapshot secret before rollback restore");
-            }
-            sqlx::query(
-                "UPDATE secrets SET type = $1, encrypted = $2, version = version + 1, updated_at = NOW() \
-                 WHERE id = $3",
-            )
-            .bind(&snap.secret_type)
-            .bind(&encrypted)
-            .bind(ex.id)
-            .execute(&mut **tx)
-            .await?;
-            ex.id
-        } else if let Some(uid) = user_id {
-            sqlx::query_scalar(
-                "INSERT INTO secrets (user_id, name, type, encrypted) VALUES ($1, $2, $3, $4) RETURNING id",
-            )
-            .bind(uid)
-            .bind(&snap.name)
-            .bind(&snap.secret_type)
-            .bind(&encrypted)
-            .fetch_one(&mut **tx)
-            .await?
-        } else {
-            sqlx::query_scalar(
-                "INSERT INTO secrets (user_id, name, type, encrypted) VALUES (NULL, $1, $2, $3) RETURNING id",
-            )
-            .bind(&snap.name)
-            .bind(&snap.secret_type)
-            .bind(&encrypted)
-            .fetch_one(&mut **tx)
-            .await?
-        };
-
-        sqlx::query(
-            "INSERT INTO entry_secrets (entry_id, secret_id) VALUES ($1, $2) ON CONFLICT DO NOTHING",
-        )
-        .bind(entry_id)
-        .bind(secret_id)
-        .execute(&mut **tx)
-        .await?;
-    }
-
-    Ok(())
-}

crates/secrets-core/src/service/search.rs

@@ -1,421 +0,0 @@
-use anyhow::Result;
-use serde_json::Value;
-use sqlx::PgPool;
-use std::collections::HashMap;
-use uuid::Uuid;
-
-use crate::models::{Entry, SecretField};
-
-pub const FETCH_ALL_LIMIT: u32 = 10_000;
-
-/// Build an ILIKE pattern for fuzzy matching, escaping `%` and `_` literals.
-pub fn ilike_pattern(value: &str) -> String {
-    format!(
-        "%{}%",
-        value
-            .replace('\\', "\\\\")
-            .replace('%', "\\%")
-            .replace('_', "\\_")
-    )
-}
-
-pub struct SearchParams<'a> {
-    pub folder: Option<&'a str>,
-    pub entry_type: Option<&'a str>,
-    pub name: Option<&'a str>,
-    /// Fuzzy match on `entries.name` only (ILIKE with escaped `%`/`_`).
-    pub name_query: Option<&'a str>,
-    pub tags: &'a [String],
-    pub query: Option<&'a str>,
-    pub metadata_query: Option<&'a str>,
-    pub sort: &'a str,
-    pub limit: u32,
-    pub offset: u32,
-    /// Multi-user: filter by this user_id. None = single-user / no filter.
-    pub user_id: Option<Uuid>,
-}
-
-#[derive(Debug, serde::Serialize)]
-pub struct SearchResult {
-    pub entries: Vec<Entry>,
-    pub secret_schemas: HashMap<Uuid, Vec<SecretField>>,
-}
-
-/// List `entries` rows matching params (paged, ordered per `params.sort`).
-/// Does not read the `secrets` table.
-pub async fn list_entries(pool: &PgPool, params: SearchParams<'_>) -> Result<Vec<Entry>> {
-    fetch_entries_paged(pool, &params).await
-}
-
-/// Count `entries` rows matching the same filters as [`list_entries`] (ignores `sort` / `limit` / `offset`).
-/// Does not read the `secrets` table.
-pub async fn count_entries(pool: &PgPool, a: &SearchParams<'_>) -> Result<i64> {
-    let (where_clause, _) = entry_where_clause_and_next_idx(a);
-    let sql = format!("SELECT COUNT(*)::bigint FROM entries {where_clause}");
-    let mut q = sqlx::query_scalar::<_, i64>(&sql);
-    if let Some(uid) = a.user_id {
-        q = q.bind(uid);
-    }
-    if let Some(v) = a.folder {
-        q = q.bind(v);
-    }
-    if let Some(v) = a.entry_type {
-        q = q.bind(v);
-    }
-    if let Some(v) = a.name {
-        q = q.bind(v);
-    }
-    if let Some(v) = a.name_query {
-        let pattern = ilike_pattern(v);
-        q = q.bind(pattern);
-    }
-    for tag in a.tags {
-        q = q.bind(tag);
-    }
-    if let Some(v) = a.query {
-        let pattern = ilike_pattern(v);
-        q = q.bind(pattern);
-    }
-    if let Some(v) = a.metadata_query {
-        let pattern = ilike_pattern(v);
-        q = q.bind(pattern);
-    }
-    let n = q.fetch_one(pool).await?;
-    Ok(n)
-}
-
-/// Shared WHERE clause and the next `$n` index (for LIMIT/OFFSET in paged queries).
-fn entry_where_clause_and_next_idx(a: &SearchParams<'_>) -> (String, i32) {
-    let mut conditions: Vec<String> = Vec::new();
-    let mut idx: i32 = 1;
-
-    if a.user_id.is_some() {
-        conditions.push(format!("user_id = ${}", idx));
-        idx += 1;
-    } else {
-        conditions.push("user_id IS NULL".to_string());
-    }
-    conditions.push("deleted_at IS NULL".to_string());
-
-    if a.folder.is_some() {
-        conditions.push(format!("folder = ${}", idx));
-        idx += 1;
-    }
-    if a.entry_type.is_some() {
-        conditions.push(format!("type = ${}", idx));
-        idx += 1;
-    }
-    if a.name.is_some() {
-        conditions.push(format!("name = ${}", idx));
-        idx += 1;
-    }
-    if a.name_query.is_some() {
-        conditions.push(format!("name ILIKE ${} ESCAPE '\\'", idx));
-        idx += 1;
-    }
-    if !a.tags.is_empty() {
-        let placeholders: Vec<String> = a
-            .tags
-            .iter()
-            .map(|_| {
-                let p = format!("${}", idx);
-                idx += 1;
-                p
-            })
-            .collect();
-        conditions.push(format!(
-            "tags @> ARRAY[{}]::text[]",
-            placeholders.join(", ")
-        ));
-    }
-    if a.query.is_some() {
-        conditions.push(format!(
-            "(name ILIKE ${i} ESCAPE '\\' OR folder ILIKE ${i} ESCAPE '\\' \
-             OR type ILIKE ${i} ESCAPE '\\' OR notes ILIKE ${i} ESCAPE '\\' \
-             OR metadata::text ILIKE ${i} ESCAPE '\\' \
-             OR EXISTS (SELECT 1 FROM unnest(tags) t WHERE t ILIKE ${i} ESCAPE '\\'))",
-            i = idx
-        ));
-        idx += 1;
-    }
-    if a.metadata_query.is_some() {
-        conditions.push(format!(
-            "EXISTS (SELECT 1 FROM jsonb_path_query(metadata, 'strict $.** ? (@.type() != \"object\" && @.type() != \"array\")') AS val \
-             WHERE (val #>> '{{}}') ILIKE ${} ESCAPE '\\')",
-            idx
-        ));
-        idx += 1;
-    }
-
-    let where_clause = if conditions.is_empty() {
-        String::new()
-    } else {
-        format!("WHERE {}", conditions.join(" AND "))
-    };
-    (where_clause, idx)
-}
-
-pub async fn run(pool: &PgPool, params: SearchParams<'_>) -> Result<SearchResult> {
-    let entries = fetch_entries_paged(pool, &params).await?;
-    let entry_ids: Vec<Uuid> = entries.iter().map(|e| e.id).collect();
-    let secret_schemas = if !entry_ids.is_empty() {
-        fetch_secrets_for_entries(pool, &entry_ids).await?
-    } else {
-        HashMap::new()
-    };
-    Ok(SearchResult {
-        entries,
-        secret_schemas,
-    })
-}
-
-/// Fetch entries matching the given filters — returns all matching entries up to FETCH_ALL_LIMIT.
-#[allow(clippy::too_many_arguments)]
-pub async fn fetch_entries(
-    pool: &PgPool,
-    folder: Option<&str>,
-    entry_type: Option<&str>,
-    name: Option<&str>,
-    tags: &[String],
-    query: Option<&str>,
-    metadata_query: Option<&str>,
-    user_id: Option<Uuid>,
-) -> Result<Vec<Entry>> {
-    let params = SearchParams {
-        folder,
-        entry_type,
-        name,
-        name_query: None,
-        tags,
-        query,
-        metadata_query,
-        sort: "name",
-        limit: FETCH_ALL_LIMIT,
-        offset: 0,
-        user_id,
-    };
-    list_entries(pool, params).await
-}
-
-async fn fetch_entries_paged(pool: &PgPool, a: &SearchParams<'_>) -> Result<Vec<Entry>> {
-    let (where_clause, idx) = entry_where_clause_and_next_idx(a);
-
-    let order = match a.sort {
-        "updated" => "updated_at DESC",
-        "created" => "created_at DESC",
-        _ => "name ASC",
-    };
-
-    let limit_idx = idx;
-    let offset_idx = idx + 1;
-
-    let sql = format!(
-        "SELECT id, user_id, folder, type, name, notes, tags, metadata, version, \
-         created_at, updated_at, deleted_at \
-         FROM entries {where_clause} ORDER BY {order} LIMIT ${limit_idx} OFFSET ${offset_idx}"
-    );
-
-    let mut q = sqlx::query_as::<_, EntryRaw>(&sql);
-    if let Some(uid) = a.user_id {
-        q = q.bind(uid);
-    }
-    if let Some(v) = a.folder {
-        q = q.bind(v);
-    }
-    if let Some(v) = a.entry_type {
-        q = q.bind(v);
-    }
-    if let Some(v) = a.name {
-        q = q.bind(v);
-    }
-    if let Some(v) = a.name_query {
-        let pattern = ilike_pattern(v);
-        q = q.bind(pattern);
-    }
-    for tag in a.tags {
-        q = q.bind(tag);
-    }
-    if let Some(v) = a.query {
-        let pattern = ilike_pattern(v);
-        q = q.bind(pattern);
-    }
-    if let Some(v) = a.metadata_query {
-        let pattern = ilike_pattern(v);
-        q = q.bind(pattern);
-    }
-    q = q.bind(a.limit as i64).bind(a.offset as i64);
-
-    let rows = q.fetch_all(pool).await?;
-    Ok(rows.into_iter().map(Entry::from).collect())
-}
-
-/// Fetch all secret fields (including encrypted bytes) for a set of entry ids.
-pub async fn fetch_secrets_for_entries(
-    pool: &PgPool,
-    entry_ids: &[Uuid],
-) -> Result<HashMap<Uuid, Vec<SecretField>>> {
-    if entry_ids.is_empty() {
-        return Ok(HashMap::new());
-    }
-    let fields: Vec<EntrySecretRow> = sqlx::query_as(
-        "SELECT es.entry_id, s.id, s.user_id, s.name, s.type, s.encrypted, s.version, s.created_at, s.updated_at \
-         FROM entry_secrets es \
-         JOIN secrets s ON s.id = es.secret_id \
-         WHERE es.entry_id = ANY($1) \
-         ORDER BY es.entry_id, es.sort_order, s.name",
-    )
-    .bind(entry_ids)
-    .fetch_all(pool)
-    .await?;
-
-    let mut map: HashMap<Uuid, Vec<SecretField>> = HashMap::new();
-    for f in fields {
-        let entry_id = f.entry_id;
-        map.entry(entry_id).or_default().push(f.secret());
-    }
-    Ok(map)
-}
-
-/// Resolve exactly one entry by its UUID primary key.
-///
-/// Returns an error if the entry does not exist or does not belong to the given user.
-pub async fn resolve_entry_by_id(
-    pool: &PgPool,
-    id: Uuid,
-    user_id: Option<Uuid>,
-) -> Result<crate::models::Entry> {
-    let row: Option<EntryRaw> = if let Some(uid) = user_id {
-        sqlx::query_as(
-            "SELECT id, user_id, folder, type, name, notes, tags, metadata, version, \
-             created_at, updated_at, deleted_at FROM entries WHERE id = $1 AND user_id = $2 AND deleted_at IS NULL",
-        )
-        .bind(id)
-        .bind(uid)
-        .fetch_optional(pool)
-        .await?
-    } else {
-        sqlx::query_as(
-            "SELECT id, user_id, folder, type, name, notes, tags, metadata, version, \
-             created_at, updated_at, deleted_at FROM entries WHERE id = $1 AND user_id IS NULL AND deleted_at IS NULL",
-        )
-        .bind(id)
-        .fetch_optional(pool)
-        .await?
-    };
-    row.map(Entry::from)
-        .ok_or_else(|| anyhow::anyhow!("Entry with id '{}' not found", id))
-}
-
-/// Resolve exactly one entry by name, with optional folder for disambiguation.
-///
-/// - If `folder` is provided: exact `(folder, name)` match.
-/// - If `folder` is None and exactly one entry matches: returns it.
-/// - If `folder` is None and multiple entries match: returns an error listing
-///   the folders and asking the caller to specify one.
-pub async fn resolve_entry(
-    pool: &PgPool,
-    name: &str,
-    folder: Option<&str>,
-    user_id: Option<Uuid>,
-) -> Result<crate::models::Entry> {
-    let entries = fetch_entries(pool, folder, None, Some(name), &[], None, None, user_id).await?;
-    match entries.len() {
-        0 => {
-            if let Some(f) = folder {
-                anyhow::bail!("Not found: '{}' in folder '{}'", name, f)
-            } else {
-                anyhow::bail!("Not found: '{}'", name)
-            }
-        }
-        1 => entries
-            .into_iter()
-            .next()
-            .ok_or_else(|| anyhow::anyhow!("internal: resolve_entry result vanished")),
-        _ => {
-            let folders: Vec<&str> = entries.iter().map(|e| e.folder.as_str()).collect();
-            anyhow::bail!(
-                "Ambiguous: {} entries named '{}' found in folders: [{}]. \
-                 Specify 'folder' to disambiguate.",
-                entries.len(),
-                name,
-                folders.join(", ")
-            )
-        }
-    }
-}
-
-// ── Internal raw row (because user_id is nullable in DB) ─────────────────────
-#[derive(sqlx::FromRow)]
-struct EntryRaw {
-    id: Uuid,
-    user_id: Option<Uuid>,
-    folder: String,
-    #[sqlx(rename = "type")]
-    entry_type: String,
-    name: String,
-    notes: String,
-    tags: Vec<String>,
-    metadata: Value,
-    version: i64,
-    created_at: chrono::DateTime<chrono::Utc>,
-    updated_at: chrono::DateTime<chrono::Utc>,
-    deleted_at: Option<chrono::DateTime<chrono::Utc>>,
-}
-
-impl From<EntryRaw> for Entry {
-    fn from(r: EntryRaw) -> Self {
-        Entry {
-            id: r.id,
-            user_id: r.user_id,
-            folder: r.folder,
-            entry_type: r.entry_type,
-            name: r.name,
-            notes: r.notes,
-            tags: r.tags,
-            metadata: r.metadata,
-            version: r.version,
-            created_at: r.created_at,
-            updated_at: r.updated_at,
-            deleted_at: r.deleted_at,
-        }
-    }
-}
-
-#[derive(sqlx::FromRow)]
-struct EntrySecretRow {
-    entry_id: Uuid,
-    id: Uuid,
-    user_id: Option<Uuid>,
-    name: String,
-    #[sqlx(rename = "type")]
-    secret_type: String,
-    encrypted: Vec<u8>,
-    version: i64,
-    created_at: chrono::DateTime<chrono::Utc>,
-    updated_at: chrono::DateTime<chrono::Utc>,
-}
-
-impl EntrySecretRow {
-    fn secret(self) -> SecretField {
-        SecretField {
-            id: self.id,
-            user_id: self.user_id,
-            name: self.name,
-            secret_type: self.secret_type,
-            encrypted: self.encrypted,
-            version: self.version,
-            created_at: self.created_at,
-            updated_at: self.updated_at,
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn ilike_pattern_escapes_backslash_percent_and_underscore() {
-        assert_eq!(ilike_pattern(r"hello\_100%"), r"%hello\\\_100\%%");
-    }
-}

crates/secrets-core/src/service/update.rs

@@ -1,562 +0,0 @@
-use anyhow::Result;
-use serde_json::{Map, Value};
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::crypto;
-use crate::db;
-use crate::error::{AppError, DbErrorContext};
-use crate::models::{EntryRow, EntryWriteRow};
-use crate::service::add::{
-    collect_field_paths, collect_key_paths, flatten_json_fields, insert_path, parse_key_path,
-    parse_kv, remove_path,
-};
-use crate::service::util::user_scope_condition;
-
-#[derive(Debug, serde::Serialize)]
-pub struct UpdateResult {
-    pub name: String,
-    pub folder: String,
-    #[serde(rename = "type")]
-    pub entry_type: String,
-    pub add_tags: Vec<String>,
-    pub remove_tags: Vec<String>,
-    pub meta_keys: Vec<String>,
-    pub remove_meta: Vec<String>,
-    pub secret_keys: Vec<String>,
-    pub remove_secrets: Vec<String>,
-    pub linked_secrets: Vec<String>,
-    pub unlinked_secrets: Vec<String>,
-}
-
-pub struct UpdateParams<'a> {
-    pub name: &'a str,
-    /// Optional folder for disambiguation when multiple entries share the same name.
-    pub folder: Option<&'a str>,
-    pub notes: Option<&'a str>,
-    pub add_tags: &'a [String],
-    pub remove_tags: &'a [String],
-    pub meta_entries: &'a [String],
-    pub remove_meta: &'a [String],
-    pub secret_entries: &'a [String],
-    pub secret_types: &'a std::collections::HashMap<String, String>,
-    pub remove_secrets: &'a [String],
-    pub link_secret_names: &'a [String],
-    pub unlink_secret_names: &'a [String],
-    pub user_id: Option<Uuid>,
-}
-
-pub async fn run(
-    pool: &PgPool,
-    params: UpdateParams<'_>,
-    master_key: &[u8; 32],
-) -> Result<UpdateResult> {
-    if params.name.chars().count() > 256 {
-        anyhow::bail!("name must be at most 256 characters");
-    }
-    let mut tx = pool.begin().await?;
-
-    // Fetch matching rows with FOR UPDATE; use folder when provided to resolve ambiguity.
-    let mut idx = 1i32;
-    let user_cond = user_scope_condition(params.user_id, &mut idx);
-    let mut conditions = vec![user_cond];
-    if params.folder.is_some() {
-        conditions.push(format!("folder = ${}", idx));
-        idx += 1;
-    }
-    conditions.push(format!("name = ${}", idx));
-    let sql = format!(
-        "SELECT id, version, folder, type, tags, metadata, notes, name FROM entries \
-         WHERE {} AND deleted_at IS NULL FOR UPDATE",
-        conditions.join(" AND ")
-    );
-    let mut q = sqlx::query_as::<_, EntryRow>(&sql);
-    if let Some(uid) = params.user_id {
-        q = q.bind(uid);
-    }
-    if let Some(folder) = params.folder {
-        q = q.bind(folder);
-    }
-    q = q.bind(params.name);
-    let rows = q.fetch_all(&mut *tx).await?;
-
-    let row = match rows.len() {
-        0 => {
-            tx.rollback().await?;
-            return Err(AppError::NotFoundEntry.into());
-        }
-        1 => rows
-            .into_iter()
-            .next()
-            .ok_or_else(|| anyhow::anyhow!("internal: matched row vanished"))?,
-        _ => {
-            tx.rollback().await?;
-            let folders: Vec<&str> = rows.iter().map(|r| r.folder.as_str()).collect();
-            anyhow::bail!(
-                "Ambiguous: {} entries named '{}' found in folders: [{}]. \
-                 Specify 'folder' to disambiguate.",
-                rows.len(),
-                params.name,
-                folders.join(", ")
-            )
-        }
-    };
-
-    let history_metadata =
-        match db::metadata_with_secret_snapshot(&mut tx, row.id, &row.metadata).await {
-            Ok(v) => v,
-            Err(e) => {
-                tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
-                row.metadata.clone()
-            }
-        };
-
-    if let Err(e) = db::snapshot_entry_history(
-        &mut tx,
-        db::EntrySnapshotParams {
-            entry_id: row.id,
-            user_id: params.user_id,
-            folder: &row.folder,
-            entry_type: &row.entry_type,
-            name: params.name,
-            version: row.version,
-            action: "update",
-            tags: &row.tags,
-            metadata: &history_metadata,
-        },
-    )
-    .await
-    {
-        tracing::warn!(error = %e, "failed to snapshot entry history before update");
-    }
-
-    let mut tags: Vec<String> = row.tags.clone();
-    for t in params.add_tags {
-        if !tags.contains(t) {
-            tags.push(t.clone());
-        }
-    }
-    tags.retain(|t| !params.remove_tags.contains(t));
-
-    let mut meta_map: Map<String, Value> = match row.metadata.clone() {
-        Value::Object(m) => m,
-        _ => Map::new(),
-    };
-    for entry in params.meta_entries {
-        let (path, value) = parse_kv(entry)?;
-        insert_path(&mut meta_map, &path, value)?;
-    }
-    for key in params.remove_meta {
-        let path = parse_key_path(key)?;
-        remove_path(&mut meta_map, &path)?;
-    }
-    let metadata = Value::Object(meta_map);
-
-    let new_notes = params.notes.unwrap_or(&row.notes);
-
-    let result = sqlx::query(
-        "UPDATE entries SET tags = $1, metadata = $2, notes = $3, \
-         version = version + 1, updated_at = NOW() \
-         WHERE id = $4 AND version = $5",
-    )
-    .bind(&tags)
-    .bind(&metadata)
-    .bind(new_notes)
-    .bind(row.id)
-    .bind(row.version)
-    .execute(&mut *tx)
-    .await?;
-
-    if result.rows_affected() == 0 {
-        tx.rollback().await?;
-        return Err(AppError::ConcurrentModification.into());
-    }
-
-    for entry in params.secret_entries {
-        let (path, field_value) = parse_kv(entry)?;
-        let flat = flatten_json_fields("", &{
-            let mut m = Map::new();
-            insert_path(&mut m, &path, field_value)?;
-            Value::Object(m)
-        });
-
-        for (field_name, fv) in &flat {
-            let encrypted = crypto::encrypt_json(master_key, fv)?;
-
-            #[derive(sqlx::FromRow)]
-            struct ExistingField {
-                id: Uuid,
-                encrypted: Vec<u8>,
-            }
-            let ef: Option<ExistingField> = sqlx::query_as(
-                "SELECT s.id, s.encrypted \
-                 FROM entry_secrets es \
-                 JOIN secrets s ON s.id = es.secret_id \
-                 WHERE es.entry_id = $1 AND s.name = $2",
-            )
-            .bind(row.id)
-            .bind(field_name)
-            .fetch_optional(&mut *tx)
-            .await?;
-
-            if let Some(ef) = &ef
-                && let Err(e) = db::snapshot_secret_history(
-                    &mut tx,
-                    db::SecretSnapshotParams {
-                        secret_id: ef.id,
-                        name: field_name,
-                        encrypted: &ef.encrypted,
-                        action: "update",
-                    },
-                )
-                .await
-            {
-                tracing::warn!(error = %e, "failed to snapshot secret field history");
-            }
-
-            if let Some(ef) = ef {
-                sqlx::query(
-                    "UPDATE secrets SET encrypted = $1, version = version + 1, updated_at = NOW() WHERE id = $2",
-                )
-                .bind(&encrypted)
-                .bind(ef.id)
-                .execute(&mut *tx)
-                .await?;
-            } else {
-                let secret_type = params
-                    .secret_types
-                    .get(field_name)
-                    .map(|s| s.as_str())
-                    .unwrap_or("text");
-                let secret_id: Uuid = sqlx::query_scalar(
-                    "INSERT INTO secrets (user_id, name, type, encrypted) VALUES ($1, $2, $3, $4) RETURNING id",
-                )
-                .bind(params.user_id)
-                .bind(field_name.to_string())
-                .bind(secret_type)
-                .bind(&encrypted)
-                .fetch_one(&mut *tx)
-                .await
-                .map_err(|e| AppError::from_db_error(e, DbErrorContext::secret_name(field_name)))?;
-                sqlx::query("INSERT INTO entry_secrets (entry_id, secret_id) VALUES ($1, $2)")
-                    .bind(row.id)
-                    .bind(secret_id)
-                    .execute(&mut *tx)
-                    .await?;
-            }
-        }
-    }
-
-    for key in params.remove_secrets {
-        let path = parse_key_path(key)?;
-        let field_name = path.join(".");
-
-        #[derive(sqlx::FromRow)]
-        struct FieldToDelete {
-            id: Uuid,
-            encrypted: Vec<u8>,
-        }
-        let field: Option<FieldToDelete> = sqlx::query_as(
-            "SELECT s.id, s.encrypted \
-             FROM entry_secrets es \
-             JOIN secrets s ON s.id = es.secret_id \
-             WHERE es.entry_id = $1 AND s.name = $2",
-        )
-        .bind(row.id)
-        .bind(&field_name)
-        .fetch_optional(&mut *tx)
-        .await?;
-
-        if let Some(f) = field {
-            if let Err(e) = db::snapshot_secret_history(
-                &mut tx,
-                db::SecretSnapshotParams {
-                    secret_id: f.id,
-                    name: &field_name,
-                    encrypted: &f.encrypted,
-                    action: "delete",
-                },
-            )
-            .await
-            {
-                tracing::warn!(error = %e, "failed to snapshot secret field history before delete");
-            }
-            sqlx::query("DELETE FROM entry_secrets WHERE entry_id = $1 AND secret_id = $2")
-                .bind(row.id)
-                .bind(f.id)
-                .execute(&mut *tx)
-                .await?;
-            sqlx::query(
-                "DELETE FROM secrets s \
-                 WHERE s.id = $1 \
-                   AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = s.id)",
-            )
-            .bind(f.id)
-            .execute(&mut *tx)
-            .await?;
-        }
-    }
-
-    // Link existing secrets by name
-    let mut linked_secrets = Vec::new();
-    for link_name in params.link_secret_names {
-        let link_name = link_name.trim();
-        if link_name.is_empty() {
-            anyhow::bail!("link_secret_names contains an empty name");
-        }
-        let secret_ids: Vec<Uuid> = if let Some(uid) = params.user_id {
-            sqlx::query_scalar("SELECT id FROM secrets WHERE user_id = $1 AND name = $2")
-                .bind(uid)
-                .bind(link_name)
-                .fetch_all(&mut *tx)
-                .await?
-        } else {
-            sqlx::query_scalar("SELECT id FROM secrets WHERE user_id IS NULL AND name = $1")
-                .bind(link_name)
-                .fetch_all(&mut *tx)
-                .await?
-        };
-
-        match secret_ids.len() {
-            0 => anyhow::bail!("Not found: secret named '{}'", link_name),
-            1 => {
-                sqlx::query(
-                    "INSERT INTO entry_secrets (entry_id, secret_id) VALUES ($1, $2) ON CONFLICT DO NOTHING",
-                )
-                .bind(row.id)
-                .bind(secret_ids[0])
-                .execute(&mut *tx)
-                .await?;
-                linked_secrets.push(link_name.to_string());
-            }
-            n => anyhow::bail!(
-                "Ambiguous: {} secrets named '{}' found. Please deduplicate names first.",
-                n,
-                link_name
-            ),
-        }
-    }
-
-    // Unlink secrets by name
-    let mut unlinked_secrets = Vec::new();
-    for unlink_name in params.unlink_secret_names {
-        let unlink_name = unlink_name.trim();
-        if unlink_name.is_empty() {
-            continue;
-        }
-
-        #[derive(sqlx::FromRow)]
-        struct SecretToUnlink {
-            id: Uuid,
-            encrypted: Vec<u8>,
-        }
-        let secret: Option<SecretToUnlink> = sqlx::query_as(
-            "SELECT s.id, s.encrypted \
-             FROM entry_secrets es \
-             JOIN secrets s ON s.id = es.secret_id \
-             WHERE es.entry_id = $1 AND s.name = $2",
-        )
-        .bind(row.id)
-        .bind(unlink_name)
-        .fetch_optional(&mut *tx)
-        .await?;
-
-        if let Some(s) = secret {
-            if let Err(e) = db::snapshot_secret_history(
-                &mut tx,
-                db::SecretSnapshotParams {
-                    secret_id: s.id,
-                    name: unlink_name,
-                    encrypted: &s.encrypted,
-                    action: "delete",
-                },
-            )
-            .await
-            {
-                tracing::warn!(error = %e, "failed to snapshot secret field history before unlink");
-            }
-            sqlx::query("DELETE FROM entry_secrets WHERE entry_id = $1 AND secret_id = $2")
-                .bind(row.id)
-                .bind(s.id)
-                .execute(&mut *tx)
-                .await?;
-            sqlx::query(
-                "DELETE FROM secrets s \
-                 WHERE s.id = $1 \
-                   AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = s.id)",
-            )
-            .bind(s.id)
-            .execute(&mut *tx)
-            .await?;
-            unlinked_secrets.push(unlink_name.to_string());
-        }
-    }
-
-    let meta_keys = collect_key_paths(params.meta_entries)?;
-    let remove_meta_keys = collect_field_paths(params.remove_meta)?;
-    let secret_keys = collect_key_paths(params.secret_entries)?;
-    let remove_secret_keys = collect_field_paths(params.remove_secrets)?;
-
-    crate::audit::log_tx(
-        &mut tx,
-        params.user_id,
-        "update",
-        &row.folder,
-        &row.entry_type,
-        params.name,
-        serde_json::json!({
-            "add_tags": params.add_tags,
-            "remove_tags": params.remove_tags,
-            "meta_keys": meta_keys,
-            "remove_meta": remove_meta_keys,
-            "secret_keys": secret_keys,
-            "remove_secrets": remove_secret_keys,
-            "linked_secrets": linked_secrets,
-            "unlinked_secrets": unlinked_secrets,
-        }),
-    )
-    .await;
-
-    tx.commit().await?;
-
-    Ok(UpdateResult {
-        name: params.name.to_string(),
-        folder: row.folder.clone(),
-        entry_type: row.entry_type.clone(),
-        add_tags: params.add_tags.to_vec(),
-        remove_tags: params.remove_tags.to_vec(),
-        meta_keys,
-        remove_meta: remove_meta_keys,
-        secret_keys,
-        remove_secrets: remove_secret_keys,
-        linked_secrets,
-        unlinked_secrets,
-    })
-}
-
-/// Update non-sensitive entry columns by primary key (multi-tenant: `user_id` must match).
-/// Does not read or modify `secrets` rows.
-pub struct UpdateEntryFieldsByIdParams<'a> {
-    pub folder: &'a str,
-    pub entry_type: &'a str,
-    pub name: &'a str,
-    pub notes: &'a str,
-    pub tags: &'a [String],
-    pub metadata: &'a serde_json::Value,
-}
-
-pub async fn update_fields_by_id(
-    pool: &PgPool,
-    entry_id: Uuid,
-    user_id: Uuid,
-    params: UpdateEntryFieldsByIdParams<'_>,
-) -> Result<()> {
-    if params.folder.chars().count() > 128 {
-        anyhow::bail!("folder must be at most 128 characters");
-    }
-    if params.entry_type.chars().count() > 64 {
-        anyhow::bail!("type must be at most 64 characters");
-    }
-    if params.name.chars().count() > 256 {
-        anyhow::bail!("name must be at most 256 characters");
-    }
-
-    let mut tx = pool.begin().await?;
-
-    let row: Option<EntryWriteRow> = sqlx::query_as(
-        "SELECT id, version, folder, type, name, tags, metadata, notes, deleted_at FROM entries \
-         WHERE id = $1 AND user_id = $2 AND deleted_at IS NULL FOR UPDATE",
-    )
-    .bind(entry_id)
-    .bind(user_id)
-    .fetch_optional(&mut *tx)
-    .await?;
-
-    let row = match row {
-        Some(r) => r,
-        None => {
-            tx.rollback().await?;
-            return Err(AppError::NotFoundEntry.into());
-        }
-    };
-
-    let history_metadata =
-        match db::metadata_with_secret_snapshot(&mut tx, row.id, &row.metadata).await {
-            Ok(v) => v,
-            Err(e) => {
-                tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
-                row.metadata.clone()
-            }
-        };
-
-    if let Err(e) = db::snapshot_entry_history(
-        &mut tx,
-        db::EntrySnapshotParams {
-            entry_id: row.id,
-            user_id: Some(user_id),
-            folder: &row.folder,
-            entry_type: &row.entry_type,
-            name: &row.name,
-            version: row.version,
-            action: "update",
-            tags: &row.tags,
-            metadata: &history_metadata,
-        },
-    )
-    .await
-    {
-        tracing::warn!(error = %e, "failed to snapshot entry history before web update");
-    }
-
-    let entry_type = params.entry_type.trim();
-
-    let res = sqlx::query(
-        "UPDATE entries SET folder = $1, type = $2, name = $3, notes = $4, tags = $5, metadata = $6, \
-         version = version + 1, updated_at = NOW() \
-         WHERE id = $7 AND version = $8",
-    )
-    .bind(params.folder)
-    .bind(entry_type)
-    .bind(params.name)
-    .bind(params.notes)
-    .bind(params.tags)
-    .bind(params.metadata)
-    .bind(row.id)
-    .bind(row.version)
-    .execute(&mut *tx)
-    .await
-    .map_err(|e| {
-        if let sqlx::Error::Database(ref d) = e
-            && d.code().as_deref() == Some("23505")
-        {
-            return AppError::ConflictEntryName {
-                folder: params.folder.to_string(),
-                name: params.name.to_string(),
-            };
-        }
-        AppError::Internal(e.into())
-    })?;
-
-    if res.rows_affected() == 0 {
-        tx.rollback().await?;
-        return Err(AppError::ConcurrentModification.into());
-    }
-
-    crate::audit::log_tx(
-        &mut tx,
-        Some(user_id),
-        "update",
-        params.folder,
-        entry_type,
-        params.name,
-        serde_json::json!({
-            "source": "web",
-            "entry_id": entry_id,
-            "fields": ["folder", "type", "name", "notes", "tags", "metadata"],
-        }),
-    )
-    .await;
-
-    tx.commit().await?;
-    Ok(())
-}

crates/secrets-core/src/service/user.rs

@@ -1,349 +0,0 @@
-use anyhow::Result;
-use serde_json::Value;
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use crate::models::{OauthAccount, User};
-
-pub struct OAuthProfile {
-    pub provider: String,
-    pub provider_id: String,
-    pub email: Option<String>,
-    pub name: Option<String>,
-    pub avatar_url: Option<String>,
-}
-
-/// Find or create a user from an OAuth profile.
-/// Returns (user, is_new) where is_new indicates first-time registration.
-pub async fn find_or_create_user(pool: &PgPool, profile: OAuthProfile) -> Result<(User, bool)> {
-    // Use a transaction with FOR UPDATE to prevent TOCTOU race conditions
-    let mut tx = pool.begin().await?;
-
-    // Check if this OAuth account already exists (with row lock)
-    let existing: Option<OauthAccount> = sqlx::query_as(
-        "SELECT id, user_id, provider, provider_id, email, name, avatar_url, created_at \
-         FROM oauth_accounts WHERE provider = $1 AND provider_id = $2 FOR UPDATE",
-    )
-    .bind(&profile.provider)
-    .bind(&profile.provider_id)
-    .fetch_optional(&mut *tx)
-    .await?;
-
-    if let Some(oa) = existing {
-        let user: User = sqlx::query_as(
-            "SELECT id, email, name, avatar_url, key_salt, key_check, key_params, api_key, key_version, created_at, updated_at \
-             FROM users WHERE id = $1",
-        )
-        .bind(oa.user_id)
-        .fetch_one(&mut *tx)
-        .await?;
-        tx.commit().await?;
-        return Ok((user, false));
-    }
-
-    // New user — create records (no key yet; user sets passphrase on dashboard)
-    let display_name = profile
-        .name
-        .clone()
-        .unwrap_or_else(|| profile.email.clone().unwrap_or_else(|| "User".to_string()));
-
-    let user: User = sqlx::query_as(
-        "INSERT INTO users (email, name, avatar_url) \
-         VALUES ($1, $2, $3) \
-         RETURNING id, email, name, avatar_url, key_salt, key_check, key_params, api_key, key_version, created_at, updated_at",
-    )
-    .bind(&profile.email)
-    .bind(&display_name)
-    .bind(&profile.avatar_url)
-    .fetch_one(&mut *tx)
-    .await?;
-
-    sqlx::query(
-        "INSERT INTO oauth_accounts (user_id, provider, provider_id, email, name, avatar_url) \
-         VALUES ($1, $2, $3, $4, $5, $6)",
-    )
-    .bind(user.id)
-    .bind(&profile.provider)
-    .bind(&profile.provider_id)
-    .bind(&profile.email)
-    .bind(&profile.name)
-    .bind(&profile.avatar_url)
-    .execute(&mut *tx)
-    .await?;
-
-    tx.commit().await?;
-
-    Ok((user, true))
-}
-
-/// Re-encrypt all of a user's secrets from `old_key` to `new_key` and update the key metadata.
-///
-/// Runs entirely inside a single database transaction: if any secret fails to re-encrypt
-/// the whole operation is rolled back, leaving the database unchanged.
-pub async fn change_user_key(
-    pool: &PgPool,
-    user_id: Uuid,
-    old_key: &[u8; 32],
-    new_key: &[u8; 32],
-    new_salt: &[u8],
-    new_key_check: &[u8],
-    new_key_params: &Value,
-) -> Result<()> {
-    let mut tx = pool.begin().await?;
-
-    let secrets: Vec<(uuid::Uuid, Vec<u8>)> =
-        sqlx::query_as("SELECT id, encrypted FROM secrets WHERE user_id = $1 FOR UPDATE")
-            .bind(user_id)
-            .fetch_all(&mut *tx)
-            .await?;
-
-    for (id, encrypted) in &secrets {
-        let plaintext = crate::crypto::decrypt(old_key, encrypted)?;
-        let new_encrypted = crate::crypto::encrypt(new_key, &plaintext)?;
-        sqlx::query("UPDATE secrets SET encrypted = $1, updated_at = NOW() WHERE id = $2")
-            .bind(&new_encrypted)
-            .bind(id)
-            .execute(&mut *tx)
-            .await?;
-    }
-
-    sqlx::query(
-        "UPDATE users SET key_salt = $1, key_check = $2, key_params = $3, \
-         key_version = key_version + 1, updated_at = NOW() \
-         WHERE id = $4",
-    )
-    .bind(new_salt)
-    .bind(new_key_check)
-    .bind(new_key_params)
-    .bind(user_id)
-    .execute(&mut *tx)
-    .await?;
-
-    tx.commit().await?;
-    Ok(())
-}
-
-/// Store the PBKDF2 salt, key_check, and params for a user's passphrase setup.
-pub async fn update_user_key_setup(
-    pool: &PgPool,
-    user_id: Uuid,
-    key_salt: &[u8],
-    key_check: &[u8],
-    key_params: &Value,
-) -> Result<()> {
-    sqlx::query(
-        "UPDATE users SET key_salt = $1, key_check = $2, key_params = $3, updated_at = NOW() \
-         WHERE id = $4",
-    )
-    .bind(key_salt)
-    .bind(key_check)
-    .bind(key_params)
-    .bind(user_id)
-    .execute(pool)
-    .await?;
-    Ok(())
-}
-
-/// Fetch a user by ID.
-pub async fn get_user_by_id(pool: &PgPool, user_id: Uuid) -> Result<Option<User>> {
-    let user = sqlx::query_as(
-        "SELECT id, email, name, avatar_url, key_salt, key_check, key_params, api_key, key_version, created_at, updated_at \
-         FROM users WHERE id = $1",
-    )
-    .bind(user_id)
-    .fetch_optional(pool)
-    .await?;
-    Ok(user)
-}
-
-/// List all OAuth accounts linked to a user.
-pub async fn list_oauth_accounts(pool: &PgPool, user_id: Uuid) -> Result<Vec<OauthAccount>> {
-    let accounts = sqlx::query_as(
-        "SELECT id, user_id, provider, provider_id, email, name, avatar_url, created_at \
-         FROM oauth_accounts WHERE user_id = $1 ORDER BY created_at",
-    )
-    .bind(user_id)
-    .fetch_all(pool)
-    .await?;
-    Ok(accounts)
-}
-
-/// Bind an additional OAuth account to an existing user.
-pub async fn bind_oauth_account(
-    pool: &PgPool,
-    user_id: Uuid,
-    profile: OAuthProfile,
-) -> Result<OauthAccount> {
-    // Use a transaction with FOR UPDATE to prevent TOCTOU race conditions
-    let mut tx = pool.begin().await?;
-
-    // Check if this provider_id is already linked to someone else (with row lock)
-    let conflict: Option<(Uuid,)> = sqlx::query_as(
-        "SELECT user_id FROM oauth_accounts WHERE provider = $1 AND provider_id = $2 FOR UPDATE",
-    )
-    .bind(&profile.provider)
-    .bind(&profile.provider_id)
-    .fetch_optional(&mut *tx)
-    .await?;
-
-    if let Some((existing_user_id,)) = conflict {
-        if existing_user_id != user_id {
-            anyhow::bail!(
-                "This {} account is already linked to a different user",
-                profile.provider
-            );
-        }
-        anyhow::bail!(
-            "This {} account is already linked to your account",
-            profile.provider
-        );
-    }
-
-    let existing_provider_for_user: Option<(String,)> = sqlx::query_as(
-        "SELECT provider_id FROM oauth_accounts WHERE user_id = $1 AND provider = $2 FOR UPDATE",
-    )
-    .bind(user_id)
-    .bind(&profile.provider)
-    .fetch_optional(&mut *tx)
-    .await?;
-
-    if existing_provider_for_user.is_some() {
-        anyhow::bail!(
-            "You already linked a {} account. Unlink the other provider instead of binding multiple {} accounts.",
-            profile.provider,
-            profile.provider
-        );
-    }
-
-    let account: OauthAccount = sqlx::query_as(
-        "INSERT INTO oauth_accounts (user_id, provider, provider_id, email, name, avatar_url) \
-         VALUES ($1, $2, $3, $4, $5, $6) \
-         RETURNING id, user_id, provider, provider_id, email, name, avatar_url, created_at",
-    )
-    .bind(user_id)
-    .bind(&profile.provider)
-    .bind(&profile.provider_id)
-    .bind(&profile.email)
-    .bind(&profile.name)
-    .bind(&profile.avatar_url)
-    .fetch_one(&mut *tx)
-    .await?;
-
-    tx.commit().await?;
-    Ok(account)
-}
-
-/// Unbind an OAuth account. Ensures at least one remains and blocks unlinking the current login provider.
-pub async fn unbind_oauth_account(
-    pool: &PgPool,
-    user_id: Uuid,
-    provider: &str,
-    current_login_provider: Option<&str>,
-) -> Result<()> {
-    if current_login_provider == Some(provider) {
-        anyhow::bail!(
-            "Cannot unlink the {} account you are currently using to sign in",
-            provider
-        );
-    }
-
-    let mut tx = pool.begin().await?;
-
-    let locked_accounts: Vec<(String,)> =
-        sqlx::query_as("SELECT provider FROM oauth_accounts WHERE user_id = $1 FOR UPDATE")
-            .bind(user_id)
-            .fetch_all(&mut *tx)
-            .await?;
-    let count = locked_accounts.len();
-
-    if count <= 1 {
-        anyhow::bail!("Cannot unbind the last OAuth account. Please link another account first.");
-    }
-
-    sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1 AND provider = $2")
-        .bind(user_id)
-        .bind(provider)
-        .execute(&mut *tx)
-        .await?;
-
-    tx.commit().await?;
-
-    Ok(())
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    async fn maybe_test_pool() -> Option<PgPool> {
-        let database_url = match std::env::var("SECRETS_DATABASE_URL") {
-            Ok(v) => v,
-            Err(_) => {
-                eprintln!("skip user service tests: SECRETS_DATABASE_URL not set");
-                return None;
-            }
-        };
-        let pool = match sqlx::PgPool::connect(&database_url).await {
-            Ok(pool) => pool,
-            Err(e) => {
-                eprintln!("skip user service tests: cannot connect to database: {e}");
-                return None;
-            }
-        };
-        if let Err(e) = crate::db::migrate(&pool).await {
-            eprintln!("skip user service tests: migrate failed: {e}");
-            return None;
-        }
-        Some(pool)
-    }
-
-    async fn cleanup_user_rows(pool: &PgPool, user_id: Uuid) -> Result<()> {
-        sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1")
-            .bind(user_id)
-            .execute(pool)
-            .await?;
-        sqlx::query("DELETE FROM users WHERE id = $1")
-            .bind(user_id)
-            .execute(pool)
-            .await?;
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn unbind_oauth_account_removes_only_requested_provider() -> Result<()> {
-        let Some(pool) = maybe_test_pool().await else {
-            return Ok(());
-        };
-        let user_id = Uuid::from_u128(rand::random());
-
-        cleanup_user_rows(&pool, user_id).await?;
-
-        sqlx::query("INSERT INTO users (id, name) VALUES ($1, '')")
-            .bind(user_id)
-            .execute(&pool)
-            .await?;
-        sqlx::query(
-            "INSERT INTO oauth_accounts (user_id, provider, provider_id, email, name, avatar_url) \
-             VALUES ($1, 'google', $2, NULL, NULL, NULL), \
-                    ($1, 'github', $3, NULL, NULL, NULL)",
-        )
-        .bind(user_id)
-        .bind(format!("google-{user_id}"))
-        .bind(format!("github-{user_id}"))
-        .execute(&pool)
-        .await?;
-
-        unbind_oauth_account(&pool, user_id, "github", Some("google")).await?;
-
-        let remaining: Vec<(String,)> = sqlx::query_as(
-            "SELECT provider FROM oauth_accounts WHERE user_id = $1 ORDER BY provider",
-        )
-        .bind(user_id)
-        .fetch_all(&pool)
-        .await?;
-        assert_eq!(remaining, vec![("google".to_string(),)]);
-
-        cleanup_user_rows(&pool, user_id).await?;
-        Ok(())
-    }
-}

crates/secrets-core/src/service/util.rs

@@ -1,27 +0,0 @@
-use uuid::Uuid;
-
-/// Returns a WHERE condition fragment for user scope and advances `idx` if `user_id` is Some.
-///
-/// - `Some(uid)` → `"user_id = $N"` with idx incremented.
-/// - `None`      → `"user_id IS NULL"` with idx unchanged.
-///
-/// # Usage
-///
-/// ```rust,ignore
-/// let mut idx = 1i32;
-/// let user_cond = user_scope_condition(user_id, &mut idx);
-/// // idx is now 2 if user_id is Some, still 1 if None
-/// let sql = format!("SELECT ... FROM entries WHERE {user_cond} AND name = ${idx}");
-/// let mut q = sqlx::query_as::<_, Row>(&sql);
-/// if let Some(uid) = user_id { q = q.bind(uid); }
-/// q = q.bind(name);
-/// ```
-pub fn user_scope_condition(user_id: Option<Uuid>, idx: &mut i32) -> String {
-    if user_id.is_some() {
-        let s = format!("user_id = ${}", *idx);
-        *idx += 1;
-        s
-    } else {
-        "user_id IS NULL".to_string()
-    }
-}

crates/secrets-core/src/taxonomy.rs

@@ -1,4 +0,0 @@
-/// Canonical secret type options for UI dropdowns.
-pub const SECRET_TYPE_OPTIONS: &[&str] = &[
-    "text", "password", "token", "api-key", "ssh-key", "url", "phone", "id-card",
-];

crates/secrets-mcp-local/Cargo.toml

@@ -1,24 +0,0 @@
-[package]
-name = "secrets-mcp-local"
-version = "0.1.0"
-edition.workspace = true
-description = "Local MCP gateway for onboarding, unlock caching, and delegated target execution"
-license = "MIT OR Apache-2.0"
-
-[[bin]]
-name = "secrets-mcp-local"
-path = "src/main.rs"
-
-[dependencies]
-anyhow.workspace = true
-axum = "0.8"
-dotenvy.workspace = true
-reqwest = { workspace = true, features = ["stream"] }
-secrets-core = { path = "../secrets-core" }
-serde.workspace = true
-serde_json.workspace = true
-tokio.workspace = true
-tracing.workspace = true
-tracing-subscriber = { workspace = true, features = ["env-filter"] }
-url = "2"
-uuid.workspace = true

crates/secrets-mcp-local/src/bind.rs

@@ -1,212 +0,0 @@
-use axum::extract::State;
-use axum::http::StatusCode;
-use axum::response::IntoResponse;
-use serde::Deserialize;
-use serde_json::{Value, json};
-
-use crate::cache::{BoundState, PendingBindState};
-use crate::server::AppState;
-
-#[derive(Deserialize)]
-pub struct BindExchangeBody {
-    bind_id: Option<String>,
-    device_code: Option<String>,
-}
-
-fn bind_exchange_error_message(value: &Value) -> String {
-    value
-        .get("error")
-        .and_then(|v| v.as_str())
-        .map(ToOwned::to_owned)
-        .or_else(|| {
-            value
-                .get("message")
-                .and_then(|v| v.as_str())
-                .map(ToOwned::to_owned)
-        })
-        .unwrap_or_else(|| value.to_string())
-}
-
-pub async fn refresh_bound_state(state: &AppState) {
-    let api_key = {
-        let guard = state.cache.read().await;
-        guard.bound.as_ref().map(|bound| bound.api_key.clone())
-    };
-    let Some(api_key) = api_key else {
-        return;
-    };
-    if let Ok(refreshed) = state.remote.bind_refresh(&api_key).await {
-        let mut guard = state.cache.write().await;
-        if matches!(refreshed.status, 401 | 404) {
-            guard.clear_bound_and_unlock();
-            return;
-        }
-        if let Some(refreshed) = refreshed.body {
-            let clear_unlock = if let Some(bound) = guard.bound.as_mut() {
-                let changed = bound.key_version != refreshed.key_version;
-                bound.key_version = refreshed.key_version;
-                bound.key_salt_hex = refreshed.key_salt_hex.clone();
-                bound.key_check_hex = refreshed.key_check_hex.clone();
-                bound.key_params = refreshed.key_params.clone();
-                changed
-            } else {
-                false
-            };
-            if clear_unlock {
-                guard.clear_unlock_and_exec();
-            }
-        }
-    }
-}
-
-pub async fn start_bind(state: &AppState) -> Result<serde_json::Value, (StatusCode, String)> {
-    let res = state
-        .remote
-        .bind_start()
-        .await
-        .map_err(|e| (StatusCode::BAD_GATEWAY, format!("bind/start failed: {e}")))?;
-    let started_at = std::time::Instant::now();
-    let expires_at = started_at + std::time::Duration::from_secs(res.expires_in_secs);
-    let mut guard = state.cache.write().await;
-    guard.clear_bound_and_unlock();
-    guard.pending_bind = Some(PendingBindState {
-        bind_id: res.bind_id.clone(),
-        device_code: res.device_code.clone(),
-        approve_url: res.approve_url.clone(),
-        expires_at,
-        started_at,
-    });
-    Ok(json!({
-        "ok": true,
-        "bind_id": res.bind_id,
-        "device_code": res.device_code,
-        "approve_url": res.approve_url,
-        "expires_in_secs": res.expires_in_secs,
-        "onboarding_url": format!("http://{}/", state.config.bind),
-        "next_action": "在浏览器打开 approve_url 完成授权，然后继续轮询 local_bind_exchange",
-    }))
-}
-
-pub async fn exchange_bind(
-    state: &AppState,
-    bind_id: Option<String>,
-    device_code: Option<String>,
-) -> Result<(StatusCode, serde_json::Value), (StatusCode, String)> {
-    let (bind_id, device_code) = if let (Some(bind_id), Some(device_code)) = (bind_id, device_code)
-    {
-        (bind_id, device_code)
-    } else {
-        let guard = state.cache.read().await;
-        let pending = guard.pending_bind.as_ref().ok_or_else(|| {
-            (
-                StatusCode::BAD_REQUEST,
-                "missing bind session; call /local/bind/start first".to_string(),
-            )
-        })?;
-        (pending.bind_id.clone(), pending.device_code.clone())
-    };
-
-    let result = state
-        .remote
-        .bind_exchange(&bind_id, &device_code)
-        .await
-        .map_err(|e| {
-            (
-                StatusCode::BAD_GATEWAY,
-                format!("bind/exchange failed: {e}"),
-            )
-        })?;
-    let status = result.status;
-    let payload = result.body;
-
-    if status == 202 || payload.get("status").and_then(|v| v.as_str()) == Some("pending") {
-        let approve_url = {
-            let guard = state.cache.read().await;
-            guard
-                .pending_bind
-                .as_ref()
-                .filter(|pending| pending.bind_id == bind_id && pending.device_code == device_code)
-                .map(|pending| pending.approve_url.clone())
-        };
-        return Ok((
-            StatusCode::ACCEPTED,
-            json!({
-                "ok": false,
-                "status": "pending",
-                "bind_id": bind_id,
-                "device_code": device_code,
-                "approve_url": approve_url,
-                "next_action": "继续等待远端授权完成，或重新打开 approve_url",
-            }),
-        ));
-    }
-    if !(200..300).contains(&status) {
-        return Err((
-            StatusCode::from_u16(status).unwrap_or(StatusCode::BAD_GATEWAY),
-            bind_exchange_error_message(&payload),
-        ));
-    }
-    let payload: crate::remote::BindExchangeResponse =
-        serde_json::from_value(payload).map_err(|e| {
-            (
-                StatusCode::BAD_GATEWAY,
-                format!("invalid bind/exchange response: {e}"),
-            )
-        })?;
-    let api_key = payload.api_key.ok_or_else(|| {
-        (
-            StatusCode::BAD_GATEWAY,
-            "bind/exchange missing api_key".to_string(),
-        )
-    })?;
-    let user_id = payload.user_id.ok_or_else(|| {
-        (
-            StatusCode::BAD_GATEWAY,
-            "bind/exchange missing user_id".to_string(),
-        )
-    })?;
-    let mut guard = state.cache.write().await;
-    guard.clear_pending_bind();
-    guard.bound = Some(BoundState {
-        user_id,
-        api_key,
-        key_salt_hex: payload.key_salt_hex,
-        key_check_hex: payload.key_check_hex,
-        key_params: payload.key_params,
-        key_version: payload.key_version.unwrap_or(0),
-        bound_at: std::time::Instant::now(),
-    });
-    guard.clear_unlock_and_exec();
-
-    Ok((
-        StatusCode::OK,
-        json!({
-            "ok": true,
-            "status": "bound",
-            "unlock_url": format!("http://{}/unlock", state.config.bind),
-            "onboarding_url": format!("http://{}/", state.config.bind),
-            "next_action": "打开本地 unlock 页面完成 passphrase 解锁",
-        }),
-    ))
-}
-
-pub async fn bind_start(
-    State(state): State<AppState>,
-) -> Result<impl IntoResponse, (StatusCode, String)> {
-    let payload = start_bind(&state).await?;
-    Ok((StatusCode::OK, axum::Json(payload)))
-}
-
-pub async fn bind_exchange(
-    State(state): State<AppState>,
-    axum::Json(input): axum::Json<BindExchangeBody>,
-) -> Result<impl IntoResponse, (StatusCode, String)> {
-    let (status, payload) = exchange_bind(&state, input.bind_id, input.device_code).await?;
-    Ok((status, axum::Json(payload)))
-}
-
-pub async fn unbind(State(state): State<AppState>) -> impl IntoResponse {
-    let mut guard = state.cache.write().await;
-    guard.clear_bound_and_unlock();
-    (StatusCode::OK, axum::Json(json!({ "ok": true })))
-}

crates/secrets-mcp-local/src/cache.rs

@@ -1,234 +0,0 @@
-use std::collections::HashMap;
-use std::sync::Arc;
-use std::time::{Duration, Instant};
-
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
-use tokio::sync::RwLock;
-use uuid::Uuid;
-
-use crate::target::ExecutionTarget;
-
-#[derive(Clone)]
-pub struct BoundState {
-    pub user_id: Uuid,
-    pub api_key: String,
-    pub key_salt_hex: Option<String>,
-    pub key_check_hex: Option<String>,
-    pub key_params: Option<Value>,
-    pub key_version: i64,
-    pub bound_at: Instant,
-}
-
-#[derive(Clone)]
-pub struct UnlockState {
-    pub encryption_key_hex: String,
-    pub expires_at: Instant,
-    pub last_used_at: Instant,
-}
-
-#[derive(Clone)]
-pub struct ExecContext {
-    pub target: ExecutionTarget,
-    pub expires_at: Instant,
-    pub last_used_at: Instant,
-}
-
-#[derive(Clone)]
-pub struct PendingBindState {
-    pub bind_id: String,
-    pub device_code: String,
-    pub approve_url: String,
-    pub expires_at: Instant,
-    pub started_at: Instant,
-}
-
-#[derive(Clone, Copy, Debug, Eq, PartialEq, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub enum GatewayPhase {
-    Bootstrap,
-    PendingUnlock,
-    Ready,
-}
-
-#[derive(Default)]
-pub struct GatewayCache {
-    pub pending_bind: Option<PendingBindState>,
-    pub bound: Option<BoundState>,
-    pub unlock: Option<UnlockState>,
-    pub exec_contexts: HashMap<String, ExecContext>,
-}
-
-impl GatewayCache {
-    pub fn clear_bound_and_unlock(&mut self) {
-        self.pending_bind = None;
-        self.bound = None;
-        self.unlock = None;
-        self.exec_contexts.clear();
-    }
-
-    pub fn clear_pending_bind(&mut self) {
-        self.pending_bind = None;
-    }
-
-    pub fn clear_unlock_and_exec(&mut self) {
-        self.unlock = None;
-        self.exec_contexts.clear();
-    }
-
-    pub fn phase(&self, now: Instant) -> GatewayPhase {
-        if self.bound.is_none() {
-            return GatewayPhase::Bootstrap;
-        }
-        if self
-            .unlock
-            .as_ref()
-            .is_some_and(|unlock| unlock.expires_at > now && !unlock.encryption_key_hex.is_empty())
-        {
-            GatewayPhase::Ready
-        } else {
-            GatewayPhase::PendingUnlock
-        }
-    }
-}
-
-pub type SharedCache = Arc<RwLock<GatewayCache>>;
-
-pub fn new_cache() -> SharedCache {
-    Arc::new(RwLock::new(GatewayCache::default()))
-}
-
-fn cleanup_expired(cache: &mut GatewayCache, now: Instant) {
-    if cache
-        .pending_bind
-        .as_ref()
-        .is_some_and(|bind| bind.expires_at <= now)
-    {
-        cache.pending_bind = None;
-    }
-    if let Some(unlock) = cache.unlock.as_ref()
-        && unlock.expires_at <= now
-    {
-        cache.clear_unlock_and_exec();
-    }
-    cache.exec_contexts.retain(|_, ctx| ctx.expires_at > now);
-    if cache.unlock.is_none() {
-        cache.exec_contexts.clear();
-    }
-}
-
-pub fn spawn_cleanup_task(cache: SharedCache) -> tokio::task::JoinHandle<()> {
-    tokio::spawn(async move {
-        let mut interval = tokio::time::interval(Duration::from_secs(30));
-        interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Delay);
-        loop {
-            interval.tick().await;
-            let now = Instant::now();
-            let mut guard = cache.write().await;
-            cleanup_expired(&mut guard, now);
-        }
-    })
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::collections::BTreeMap;
-
-    use crate::target::ResolvedTarget;
-
-    #[tokio::test]
-    async fn cleanup_task_clears_expired_unlock() {
-        let mut cache = GatewayCache {
-            pending_bind: None,
-            bound: None,
-            unlock: Some(UnlockState {
-                encryption_key_hex: "11".repeat(32),
-                expires_at: Instant::now() - Duration::from_secs(1),
-                last_used_at: Instant::now(),
-            }),
-            exec_contexts: HashMap::new(),
-        };
-        cleanup_expired(&mut cache, Instant::now());
-        assert!(cache.unlock.is_none());
-        assert!(cache.exec_contexts.is_empty());
-    }
-
-    #[test]
-    fn clear_unlock_and_exec_drops_entry_contexts() {
-        let mut cache = GatewayCache {
-            pending_bind: None,
-            bound: None,
-            unlock: Some(UnlockState {
-                encryption_key_hex: "11".repeat(32),
-                expires_at: Instant::now() + Duration::from_secs(30),
-                last_used_at: Instant::now(),
-            }),
-            exec_contexts: HashMap::from([(
-                "entry-1".to_string(),
-                ExecContext {
-                    target: ExecutionTarget {
-                        resolved: ResolvedTarget {
-                            id: "entry-1".to_string(),
-                            folder: "refining".to_string(),
-                            name: "api".to_string(),
-                            entry_type: Some("service".to_string()),
-                        },
-                        env: BTreeMap::from([(
-                            "TARGET_API_KEY".to_string(),
-                            "sk_test".to_string(),
-                        )]),
-                    },
-                    expires_at: Instant::now() + Duration::from_secs(30),
-                    last_used_at: Instant::now(),
-                },
-            )]),
-        };
-        cache.clear_unlock_and_exec();
-        assert!(cache.unlock.is_none());
-        assert!(cache.exec_contexts.is_empty());
-    }
-
-    #[test]
-    fn cleanup_drops_expired_pending_bind() {
-        let mut cache = GatewayCache {
-            pending_bind: Some(PendingBindState {
-                bind_id: "bind-1".to_string(),
-                device_code: "device-1".to_string(),
-                approve_url: "http://example.com/approve".to_string(),
-                expires_at: Instant::now() - Duration::from_secs(1),
-                started_at: Instant::now() - Duration::from_secs(30),
-            }),
-            bound: None,
-            unlock: None,
-            exec_contexts: HashMap::new(),
-        };
-        cleanup_expired(&mut cache, Instant::now());
-        assert!(cache.pending_bind.is_none());
-    }
-
-    #[test]
-    fn phase_transitions_match_bound_and_unlock() {
-        let now = Instant::now();
-        let mut cache = GatewayCache::default();
-        assert_eq!(cache.phase(now), GatewayPhase::Bootstrap);
-
-        cache.bound = Some(BoundState {
-            user_id: Uuid::nil(),
-            api_key: "api-key".to_string(),
-            key_salt_hex: None,
-            key_check_hex: None,
-            key_params: None,
-            key_version: 0,
-            bound_at: now,
-        });
-        assert_eq!(cache.phase(now), GatewayPhase::PendingUnlock);
-
-        cache.unlock = Some(UnlockState {
-            encryption_key_hex: "11".repeat(32),
-            expires_at: now + Duration::from_secs(60),
-            last_used_at: now,
-        });
-        assert_eq!(cache.phase(now), GatewayPhase::Ready);
-    }
-}

crates/secrets-mcp-local/src/config.rs

@@ -1,46 +0,0 @@
-use anyhow::{Context, Result};
-use std::net::SocketAddr;
-use std::time::Duration;
-use url::Url;
-
-const DEFAULT_BIND: &str = "127.0.0.1:9316";
-const DEFAULT_UNLOCK_TTL_SECS: u64 = 3600;
-const DEFAULT_EXEC_CONTEXT_TTL_SECS: u64 = 3600;
-
-#[derive(Clone)]
-pub struct LocalConfig {
-    pub bind: SocketAddr,
-    pub remote_base_url: Url,
-    pub default_unlock_ttl: Duration,
-    pub default_exec_context_ttl: Duration,
-}
-
-fn load_env(name: &str) -> Option<String> {
-    std::env::var(name).ok().filter(|s| !s.is_empty())
-}
-
-pub fn load_config() -> Result<LocalConfig> {
-    let bind = load_env("SECRETS_MCP_LOCAL_BIND").unwrap_or_else(|| DEFAULT_BIND.to_string());
-    let bind: SocketAddr = bind
-        .parse()
-        .with_context(|| format!("invalid SECRETS_MCP_LOCAL_BIND: {bind}"))?;
-
-    let remote_base_url: Url = load_env("SECRETS_REMOTE_BASE_URL")
-        .context("SECRETS_REMOTE_BASE_URL is required")?
-        .parse()
-        .context("invalid SECRETS_REMOTE_BASE_URL")?;
-
-    let unlock_ttl_secs: u64 = load_env("SECRETS_LOCAL_UNLOCK_TTL_SECS")
-        .and_then(|s| s.parse().ok())
-        .unwrap_or(DEFAULT_UNLOCK_TTL_SECS);
-    let exec_context_ttl_secs: u64 = load_env("SECRETS_LOCAL_EXEC_CONTEXT_TTL_SECS")
-        .and_then(|s| s.parse().ok())
-        .unwrap_or(DEFAULT_EXEC_CONTEXT_TTL_SECS);
-
-    Ok(LocalConfig {
-        bind,
-        remote_base_url,
-        default_unlock_ttl: Duration::from_secs(unlock_ttl_secs.clamp(60, 86400 * 7)),
-        default_exec_context_ttl: Duration::from_secs(exec_context_ttl_secs.clamp(60, 86400 * 7)),
-    })
-}

crates/secrets-mcp-local/src/main.rs

@@ -1,55 +0,0 @@
-mod bind;
-mod cache;
-mod config;
-mod exec;
-mod mcp;
-mod remote;
-mod server;
-mod target;
-mod unlock;
-
-use anyhow::{Context, Result};
-use tracing_subscriber::EnvFilter;
-
-#[tokio::main]
-async fn main() -> Result<()> {
-    let _ = dotenvy::dotenv();
-
-    tracing_subscriber::fmt()
-        .with_env_filter(
-            EnvFilter::try_from_default_env()
-                .unwrap_or_else(|_| "secrets_mcp_local=info,tower_http=info".into()),
-        )
-        .init();
-
-    let config = config::load_config()?;
-    let remote = std::sync::Arc::new(remote::RemoteClient::new(config.remote_base_url.clone())?);
-    let cache = cache::new_cache();
-    let cleanup = cache::spawn_cleanup_task(cache.clone());
-
-    let app_state = server::AppState {
-        config: config.clone(),
-        cache,
-        remote,
-    };
-    let app = server::router(app_state);
-
-    tracing::info!(
-        bind = %config.bind,
-        remote = %config.remote_base_url,
-        "secrets-mcp-local service started"
-    );
-
-    let listener = tokio::net::TcpListener::bind(config.bind)
-        .await
-        .with_context(|| format!("failed to bind {}", config.bind))?;
-
-    let result = axum::serve(
-        listener,
-        app.into_make_service_with_connect_info::<std::net::SocketAddr>(),
-    )
-    .await
-    .context("server error");
-    cleanup.abort();
-    result
-}

crates/secrets-mcp-local/src/mcp.rs

@@ -1,828 +0,0 @@
-use std::convert::Infallible;
-use std::time::Instant;
-
-use axum::body::Body;
-use axum::extract::State;
-use axum::http::{StatusCode, header};
-use axum::response::Response;
-use serde::Deserialize;
-use serde_json::{Value, json};
-
-use crate::bind::{exchange_bind, start_bind};
-use crate::cache::{ExecContext, GatewayPhase};
-use crate::exec::{TargetExecInput, execute_command};
-use crate::server::AppState;
-use crate::target::{TargetSnapshot, build_execution_target};
-use crate::unlock::status_payload;
-
-const LOCAL_EXEC_TOOL: &str = "target_exec";
-
-#[derive(Deserialize, Default)]
-struct BindExchangeArgs {
-    bind_id: Option<String>,
-    device_code: Option<String>,
-}
-
-fn json_response(status: StatusCode, value: Value) -> Response {
-    Response::builder()
-        .status(status)
-        .header(header::CONTENT_TYPE, "application/json; charset=utf-8")
-        .body(Body::from(value.to_string()))
-        .unwrap()
-}
-
-fn jsonrpc_result_response(id: Value, result: Value) -> Response {
-    json_response(
-        StatusCode::OK,
-        json!({
-            "jsonrpc": "2.0",
-            "id": id,
-            "result": result,
-        }),
-    )
-}
-
-fn tool_success_response(id: Value, value: Value) -> Response {
-    let pretty = serde_json::to_string_pretty(&value).unwrap_or_else(|_| value.to_string());
-    jsonrpc_result_response(
-        id,
-        json!({
-            "content": [
-                {
-                    "type": "text",
-                    "text": pretty,
-                }
-            ],
-            "isError": false
-        }),
-    )
-}
-
-fn tool_error_response(id: Value, message: impl Into<String>) -> Response {
-    jsonrpc_result_response(
-        id,
-        json!({
-            "content": [
-                {
-                    "type": "text",
-                    "text": message.into(),
-                }
-            ],
-            "isError": true
-        }),
-    )
-}
-
-fn empty_notification_response() -> Response {
-    Response::builder()
-        .status(StatusCode::ACCEPTED)
-        .body(Body::empty())
-        .unwrap()
-}
-
-fn method_not_found(id: Value, method: &str) -> Response {
-    json_response(
-        StatusCode::OK,
-        json!({
-            "jsonrpc": "2.0",
-            "id": id,
-            "error": {
-                "code": -32601,
-                "message": format!("method `{method}` not supported by secrets-mcp-local"),
-            }
-        }),
-    )
-}
-
-fn invalid_request_response(message: impl Into<String>) -> Response {
-    json_response(
-        StatusCode::BAD_REQUEST,
-        json!({
-            "jsonrpc": "2.0",
-            "id": null,
-            "error": {
-                "code": -32600,
-                "message": message.into(),
-            }
-        }),
-    )
-}
-
-fn status_tool_definitions() -> Vec<Value> {
-    vec![
-        json!({
-            "name": "local_status",
-            "description": "Read the local gateway readiness state, onboarding URL, unlock URL, and any pending approval session.",
-            "inputSchema": { "type": "object", "properties": {} },
-            "annotations": { "title": "Local MCP Status" }
-        }),
-        json!({
-            "name": "local_unlock_status",
-            "description": "Return whether the local gateway is waiting for passphrase unlock or already ready.",
-            "inputSchema": { "type": "object", "properties": {} },
-            "annotations": { "title": "Local Unlock Status" }
-        }),
-        json!({
-            "name": "local_onboarding_info",
-            "description": "Return the local onboarding page URL, MCP URL, and current next-step guidance for the user.",
-            "inputSchema": { "type": "object", "properties": {} },
-            "annotations": { "title": "Local Onboarding Info" }
-        }),
-    ]
-}
-
-fn bind_tool_definitions() -> Vec<Value> {
-    vec![
-        json!({
-            "name": "local_bind_start",
-            "description": "Start a new remote authorization session and return the approve_url that the user should open in a browser.",
-            "inputSchema": { "type": "object", "properties": {} },
-            "annotations": { "title": "Start Local MCP Binding" }
-        }),
-        json!({
-            "name": "local_bind_exchange",
-            "description": "Poll the current bind session. When the user has approved in the browser, this moves the gateway into pendingUnlock and returns the local unlock URL.",
-            "inputSchema": {
-                "type": "object",
-                "properties": {
-                    "bind_id": { "type": ["string", "null"] },
-                    "device_code": { "type": ["string", "null"] }
-                }
-            },
-            "annotations": { "title": "Poll Binding State" }
-        }),
-    ]
-}
-
-fn ready_tool_definitions() -> Vec<Value> {
-    vec![
-        json!({
-            "name": "secrets_find",
-            "description": "Find entries in the secrets store and return target snapshots suitable for target_exec.",
-            "inputSchema": {
-                "type": "object",
-                "properties": {
-                    "query": { "type": ["string", "null"] },
-                    "metadata_query": { "type": ["string", "null"] },
-                    "folder": { "type": ["string", "null"] },
-                    "type": { "type": ["string", "null"] },
-                    "name": { "type": ["string", "null"] },
-                    "name_query": { "type": ["string", "null"] },
-                    "tags": { "type": ["array", "null"], "items": { "type": "string" } },
-                    "limit": { "type": ["integer", "null"] },
-                    "offset": { "type": ["integer", "null"] }
-                }
-            },
-            "annotations": { "title": "Find Secrets" }
-        }),
-        json!({
-            "name": "secrets_search",
-            "description": "Search entries with optional summary mode. Returns metadata and secret field names, not secret values.",
-            "inputSchema": {
-                "type": "object",
-                "properties": {
-                    "query": { "type": ["string", "null"] },
-                    "metadata_query": { "type": ["string", "null"] },
-                    "folder": { "type": ["string", "null"] },
-                    "type": { "type": ["string", "null"] },
-                    "name": { "type": ["string", "null"] },
-                    "name_query": { "type": ["string", "null"] },
-                    "tags": { "type": ["array", "null"], "items": { "type": "string" } },
-                    "summary": { "type": ["boolean", "null"] },
-                    "sort": { "type": ["string", "null"] },
-                    "limit": { "type": ["integer", "null"] },
-                    "offset": { "type": ["integer", "null"] }
-                }
-            },
-            "annotations": { "title": "Search Secrets" }
-        }),
-        json!({
-            "name": "secrets_history",
-            "description": "View change history for an entry by id or by name/folder.",
-            "inputSchema": {
-                "type": "object",
-                "properties": {
-                    "id": { "type": ["string", "null"] },
-                    "name": { "type": ["string", "null"] },
-                    "folder": { "type": ["string", "null"] },
-                    "limit": { "type": ["integer", "null"] }
-                }
-            },
-            "annotations": { "title": "View Secret History" }
-        }),
-        json!({
-            "name": "secrets_overview",
-            "description": "Get counts of entries per folder and per type.",
-            "inputSchema": { "type": "object", "properties": {} },
-            "annotations": { "title": "Secrets Overview" }
-        }),
-        json!({
-            "name": "secrets_delete",
-            "description": "Preview deletions only. dry_run must be true.",
-            "inputSchema": {
-                "type": "object",
-                "properties": {
-                    "id": { "type": ["string", "null"] },
-                    "name": { "type": ["string", "null"] },
-                    "folder": { "type": ["string", "null"] },
-                    "type": { "type": ["string", "null"] },
-                    "dry_run": { "type": ["boolean", "null"] }
-                }
-            },
-            "annotations": { "title": "Delete Secret Entry Preview", "destructiveHint": true }
-        }),
-        json!({
-            "name": LOCAL_EXEC_TOOL,
-            "description": "Execute a standard local command against a resolved secrets target. The local gateway injects target metadata and secret values as environment variables without exposing raw secret values to the AI.",
-            "inputSchema": {
-                "type": "object",
-                "properties": {
-                    "target_ref": {
-                        "type": ["string", "null"],
-                        "description": "Target entry id from secrets_find/secrets_search. Required on first use; later calls may reuse the cached execution context for the same entry id."
-                    },
-                    "target": {
-                        "type": ["object", "null"],
-                        "description": "Optional target snapshot copied from secrets_find/secrets_search. Required on first use when the local gateway has not cached this entry id yet."
-                    },
-                    "command": {
-                        "type": "string",
-                        "description": "Standard shell command to execute locally, such as ssh/curl/docker/http."
-                    },
-                    "timeout_secs": {
-                        "type": ["integer", "null"],
-                        "description": "Execution timeout in seconds."
-                    },
-                    "working_dir": {
-                        "type": ["string", "null"],
-                        "description": "Optional working directory for the command."
-                    },
-                    "env_overrides": {
-                        "type": ["object", "null"],
-                        "description": "Optional extra environment variables. Reserved TARGET_* names cannot be overridden."
-                    }
-                },
-                "required": ["command"]
-            },
-            "annotations": { "title": "Execute Against Target" }
-        }),
-    ]
-}
-
-fn tools_for_phase(phase: GatewayPhase) -> Vec<Value> {
-    let mut tools = status_tool_definitions();
-    if phase != GatewayPhase::Ready {
-        tools.extend(bind_tool_definitions());
-    }
-    if phase == GatewayPhase::Ready {
-        tools.extend(ready_tool_definitions());
-    }
-    tools
-}
-
-async fn current_phase_and_status(state: &AppState) -> (GatewayPhase, Value) {
-    let payload = status_payload(state).await;
-    let phase = payload
-        .get("state")
-        .cloned()
-        .and_then(|value| serde_json::from_value(value).ok())
-        .unwrap_or(GatewayPhase::Bootstrap);
-    (phase, payload)
-}
-
-fn instructions_for_phase(phase: GatewayPhase) -> &'static str {
-    match phase {
-        GatewayPhase::Bootstrap => {
-            "Use local_status and local_bind_start first. The user must open the approve_url in a browser before the local gateway can continue."
-        }
-        GatewayPhase::PendingUnlock => {
-            "Remote authorization is complete. Ask the user to open the local unlock page and finish passphrase unlock before calling business tools."
-        }
-        GatewayPhase::Ready => {
-            "The local gateway is ready. Use secrets_find/secrets_search for discovery and target_exec for delegated command execution against decrypted targets."
-        }
-    }
-}
-
-fn initialize_response(id: Value, phase: GatewayPhase) -> Response {
-    let session_id = format!(
-        "local-{}",
-        std::time::SystemTime::now()
-            .duration_since(std::time::UNIX_EPOCH)
-            .map(|duration| duration.as_nanos())
-            .unwrap_or(0)
-    );
-    let response = json!({
-        "jsonrpc": "2.0",
-        "id": id,
-        "result": {
-            "protocolVersion": "2025-06-18",
-            "capabilities": {
-                "tools": {}
-            },
-            "serverInfo": {
-                "name": "secrets-mcp-local",
-                "version": env!("CARGO_PKG_VERSION"),
-                "title": "Secrets MCP Local"
-            },
-            "instructions": instructions_for_phase(phase),
-        }
-    });
-    Response::builder()
-        .status(StatusCode::OK)
-        .header(header::CONTENT_TYPE, "application/json; charset=utf-8")
-        .header("mcp-session-id", session_id)
-        .body(Body::from(response.to_string()))
-        .unwrap()
-}
-
-async fn resolve_target_context(
-    state: &AppState,
-    api_key: &str,
-    unlock_key: &str,
-    unlock_expires_at: Instant,
-    input: &TargetExecInput,
-) -> anyhow::Result<crate::target::ExecutionTarget> {
-    let target_ref = input
-        .target_ref
-        .clone()
-        .or_else(|| input.target.as_ref().map(|t| t.id.clone()))
-        .ok_or_else(|| anyhow::anyhow!("target_ref is required"))?;
-
-    {
-        let mut guard = state.cache.write().await;
-        if let Some(ctx) = guard.exec_contexts.get_mut(&target_ref)
-            && ctx.expires_at > Instant::now()
-        {
-            ctx.last_used_at = Instant::now();
-            return Ok(ctx.target.clone());
-        }
-    }
-
-    let snapshot: TargetSnapshot = input.target.clone().ok_or_else(|| {
-        anyhow::anyhow!(
-            "target details required on first use for entry `{target_ref}`; pass the matching secrets_find/search result as `target`"
-        )
-    })?;
-    if snapshot.id != target_ref {
-        return Err(anyhow::anyhow!(
-            "target_ref `{target_ref}` does not match target.id `{}`",
-            snapshot.id
-        ));
-    }
-
-    let secrets = state
-        .remote
-        .get_entry_secrets_by_id(api_key, unlock_key, &target_ref)
-        .await?;
-    let target = build_execution_target(&snapshot, &secrets)?;
-    let expires_at = std::cmp::min(
-        Instant::now() + state.config.default_exec_context_ttl,
-        unlock_expires_at,
-    );
-    let mut guard = state.cache.write().await;
-    guard.exec_contexts.insert(
-        target_ref,
-        ExecContext {
-            target: target.clone(),
-            expires_at,
-            last_used_at: Instant::now(),
-        },
-    );
-    Ok(target)
-}
-
-async fn handle_target_exec(state: &AppState, id: Value, args: Option<Value>) -> Response {
-    let input: TargetExecInput = match args {
-        Some(value) => match serde_json::from_value(value) {
-            Ok(input) => input,
-            Err(err) => {
-                return tool_error_response(id, format!("invalid `{LOCAL_EXEC_TOOL}` args: {err}"));
-            }
-        },
-        None => {
-            return tool_error_response(id, format!("`{LOCAL_EXEC_TOOL}` arguments are required"));
-        }
-    };
-    if input.command.trim().is_empty() {
-        return tool_error_response(id, "command is required");
-    }
-
-    let api_key = {
-        let guard = state.cache.read().await;
-        match guard.bound.as_ref() {
-            Some(bound) => bound.api_key.clone(),
-            None => {
-                return tool_error_response(
-                    id,
-                    "local MCP is not bound; call local_bind_start first",
-                );
-            }
-        }
-    };
-    let (unlock_key, unlock_expires_at) = {
-        let mut guard = state.cache.write().await;
-        match guard.unlock.as_mut() {
-            Some(unlock) if unlock.expires_at > Instant::now() => {
-                unlock.last_used_at = Instant::now();
-                (unlock.encryption_key_hex.clone(), unlock.expires_at)
-            }
-            _ => {
-                guard.clear_unlock_and_exec();
-                return tool_error_response(
-                    id,
-                    "local MCP is not unlocked; ask the user to open the local unlock page first",
-                );
-            }
-        }
-    };
-    let target =
-        match resolve_target_context(state, &api_key, &unlock_key, unlock_expires_at, &input).await
-        {
-            Ok(target) => target,
-            Err(err) => return tool_error_response(id, format!("failed resolving target: {err}")),
-        };
-    let timeout_secs = input.timeout_secs.unwrap_or(120).clamp(1, 3600);
-    let result = match execute_command(&input, &target, timeout_secs).await {
-        Ok(result) => result,
-        Err(err) => return tool_error_response(id, format!("execution failed: {err}")),
-    };
-    tool_success_response(
-        id,
-        serde_json::to_value(result).unwrap_or_else(|_| json!({})),
-    )
-}
-
-async fn handle_bootstrap_tool(
-    state: &AppState,
-    tool_name: &str,
-    id: Value,
-    args: Option<Value>,
-) -> Response {
-    match tool_name {
-        "local_status" | "local_unlock_status" | "local_onboarding_info" => {
-            tool_success_response(id, status_payload(state).await)
-        }
-        "local_bind_start" => match start_bind(state).await {
-            Ok(payload) => tool_success_response(id, payload),
-            Err((_status, message)) => tool_error_response(id, message),
-        },
-        "local_bind_exchange" => {
-            let parsed = match args {
-                Some(value) => match serde_json::from_value::<BindExchangeArgs>(value) {
-                    Ok(parsed) => parsed,
-                    Err(err) => {
-                        return tool_error_response(
-                            id,
-                            format!("invalid local_bind_exchange args: {err}"),
-                        );
-                    }
-                },
-                None => BindExchangeArgs::default(),
-            };
-            match exchange_bind(state, parsed.bind_id, parsed.device_code).await {
-                Ok((_status, payload)) => tool_success_response(id, payload),
-                Err((_status, message)) => tool_error_response(id, message),
-            }
-        }
-        _ => tool_error_response(id, format!("unknown bootstrap tool `{tool_name}`")),
-    }
-}
-
-fn bootstrap_tool_allowed_in_phase(tool_name: &str, phase: GatewayPhase) -> bool {
-    is_status_tool(tool_name) || (phase != GatewayPhase::Ready && is_bind_tool(tool_name))
-}
-
-fn is_status_tool(tool_name: &str) -> bool {
-    matches!(
-        tool_name,
-        "local_status" | "local_unlock_status" | "local_onboarding_info"
-    )
-}
-
-fn is_bind_tool(tool_name: &str) -> bool {
-    matches!(tool_name, "local_bind_start" | "local_bind_exchange")
-}
-
-fn is_bootstrap_tool(tool_name: &str) -> bool {
-    is_status_tool(tool_name) || is_bind_tool(tool_name)
-}
-
-fn is_ready_tool(tool_name: &str) -> bool {
-    matches!(
-        tool_name,
-        "secrets_find"
-            | "secrets_search"
-            | "secrets_history"
-            | "secrets_overview"
-            | "secrets_delete"
-            | LOCAL_EXEC_TOOL
-    )
-}
-
-fn not_ready_message(status: &Value) -> String {
-    let onboarding_url = status
-        .get("onboarding_url")
-        .and_then(|v| v.as_str())
-        .unwrap_or("/");
-    let state_name = status
-        .get("state")
-        .and_then(|v| v.as_str())
-        .unwrap_or("bootstrap");
-    format!(
-        "local MCP is not ready (state: {state_name}). Use local_status/local_bind_start first and ask the user to complete onboarding at {onboarding_url}"
-    )
-}
-
-async fn handle_ready_tool(
-    state: &AppState,
-    tool_name: &str,
-    id: Value,
-    args: Option<Value>,
-) -> Response {
-    let api_key = {
-        let guard = state.cache.read().await;
-        match guard.bound.as_ref() {
-            Some(bound) => bound.api_key.clone(),
-            None => return tool_error_response(id, "local MCP is not bound"),
-        }
-    };
-    let args_value = args.unwrap_or_else(|| json!({}));
-    let result = match tool_name {
-        "secrets_find" => state.remote.entries_find(&api_key, &args_value).await,
-        "secrets_search" => state.remote.entries_search(&api_key, &args_value).await,
-        "secrets_history" => state.remote.entry_history(&api_key, &args_value).await,
-        "secrets_overview" => state.remote.entries_overview(&api_key).await,
-        "secrets_delete" => {
-            if args_value.get("dry_run").and_then(|value| value.as_bool()) != Some(true) {
-                return tool_error_response(
-                    id,
-                    "secrets_delete is exposed in local mode only for dry_run=true previews",
-                );
-            }
-            state.remote.delete_preview(&api_key, &args_value).await
-        }
-        LOCAL_EXEC_TOOL => return handle_target_exec(state, id, Some(args_value)).await,
-        _ => return tool_error_response(id, format!("unknown ready tool `{tool_name}`")),
-    };
-    match result {
-        Ok(value) => tool_success_response(id, value),
-        Err(err) => tool_error_response(id, err.to_string()),
-    }
-}
-
-pub async fn handle_mcp(State(state): State<AppState>, body: Body) -> Result<Response, Infallible> {
-    let body_bytes = match axum::body::to_bytes(body, 10 * 1024 * 1024).await {
-        Ok(bytes) => bytes,
-        Err(_) => return Ok(invalid_request_response("invalid request body")),
-    };
-    let request: Value = match serde_json::from_slice(&body_bytes) {
-        Ok(request) => request,
-        Err(err) => {
-            return Ok(invalid_request_response(format!(
-                "invalid json body: {err}"
-            )));
-        }
-    };
-    let method = request
-        .get("method")
-        .and_then(|value| value.as_str())
-        .unwrap_or_default();
-    let id = request.get("id").cloned().unwrap_or(json!(null));
-    let (phase, status) = current_phase_and_status(&state).await;
-
-    let response = match method {
-        "initialize" => initialize_response(id, phase),
-        "notifications/initialized" => empty_notification_response(),
-        "tools/list" => jsonrpc_result_response(id, json!({ "tools": tools_for_phase(phase) })),
-        "tools/call" => {
-            let params = request.get("params").cloned().unwrap_or_else(|| json!({}));
-            let tool_name = params
-                .get("name")
-                .and_then(|value| value.as_str())
-                .unwrap_or_default();
-            let args = params.get("arguments").cloned();
-            if is_bootstrap_tool(tool_name) {
-                if !bootstrap_tool_allowed_in_phase(tool_name, phase) {
-                    tool_error_response(
-                        id,
-                        "local MCP is already ready; binding tools are disabled until you explicitly unbind",
-                    )
-                } else {
-                    handle_bootstrap_tool(&state, tool_name, id, args).await
-                }
-            } else if phase != GatewayPhase::Ready {
-                tool_error_response(id, not_ready_message(&status))
-            } else if is_ready_tool(tool_name) {
-                handle_ready_tool(&state, tool_name, id, args).await
-            } else {
-                tool_error_response(
-                    id,
-                    format!("tool `{tool_name}` is not exposed by local policy"),
-                )
-            }
-        }
-        "ping" => jsonrpc_result_response(id, json!({})),
-        _ => method_not_found(id, method),
-    };
-    Ok(response)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::cache::{BoundState, UnlockState, new_cache};
-    use crate::config::LocalConfig;
-    use crate::remote::RemoteClient;
-    use crate::server::AppState;
-    use std::sync::Arc;
-    use std::time::Duration;
-    use url::Url;
-    use uuid::Uuid;
-
-    fn test_state() -> AppState {
-        AppState {
-            config: LocalConfig {
-                bind: "127.0.0.1:9316".parse().unwrap(),
-                remote_base_url: Url::parse("https://example.com").unwrap(),
-                default_unlock_ttl: Duration::from_secs(3600),
-                default_exec_context_ttl: Duration::from_secs(3600),
-            },
-            cache: new_cache(),
-            remote: Arc::new(
-                RemoteClient::new(Url::parse("https://example.com").unwrap()).unwrap(),
-            ),
-        }
-    }
-
-    #[test]
-    fn bootstrap_phase_hides_ready_tools() {
-        let tools = tools_for_phase(GatewayPhase::Bootstrap);
-        let names: Vec<_> = tools
-            .iter()
-            .filter_map(|tool| tool.get("name").and_then(|value| value.as_str()))
-            .collect();
-        assert!(names.contains(&"local_status"));
-        assert!(names.contains(&"local_bind_start"));
-        assert!(!names.contains(&"secrets_find"));
-        assert!(!names.contains(&LOCAL_EXEC_TOOL));
-    }
-
-    #[tokio::test]
-    async fn initialize_succeeds_when_unbound() {
-        let response = handle_mcp(
-            State(test_state()),
-            Body::from(
-                json!({
-                    "jsonrpc": "2.0",
-                    "id": 1,
-                    "method": "initialize",
-                    "params": {}
-                })
-                .to_string(),
-            ),
-        )
-        .await
-        .unwrap();
-        assert_eq!(response.status(), StatusCode::OK);
-    }
-
-    #[tokio::test]
-    async fn tools_list_returns_bootstrap_tools_when_unbound() {
-        let response = handle_mcp(
-            State(test_state()),
-            Body::from(
-                json!({
-                    "jsonrpc": "2.0",
-                    "id": 2,
-                    "method": "tools/list",
-                    "params": {}
-                })
-                .to_string(),
-            ),
-        )
-        .await
-        .unwrap();
-        let bytes = axum::body::to_bytes(response.into_body(), 1024 * 1024)
-            .await
-            .unwrap();
-        let value: Value = serde_json::from_slice(&bytes).unwrap();
-        let names: Vec<_> = value["result"]["tools"]
-            .as_array()
-            .unwrap()
-            .iter()
-            .filter_map(|tool| tool.get("name").and_then(|name| name.as_str()))
-            .collect();
-        assert!(names.contains(&"local_status"));
-        assert!(names.contains(&"local_bind_exchange"));
-        assert!(!names.contains(&"secrets_find"));
-    }
-
-    #[tokio::test]
-    async fn tools_list_in_ready_phase_exposes_business_tools() {
-        let state = test_state();
-        {
-            let mut guard = state.cache.write().await;
-            guard.bound = Some(BoundState {
-                user_id: Uuid::nil(),
-                api_key: "api-key".to_string(),
-                key_salt_hex: None,
-                key_check_hex: None,
-                key_params: None,
-                key_version: 0,
-                bound_at: Instant::now(),
-            });
-            guard.unlock = Some(UnlockState {
-                encryption_key_hex: "11".repeat(32),
-                expires_at: Instant::now() + Duration::from_secs(600),
-                last_used_at: Instant::now(),
-            });
-        }
-        let response = handle_mcp(
-            State(state),
-            Body::from(
-                json!({
-                    "jsonrpc": "2.0",
-                    "id": 3,
-                    "method": "tools/list",
-                    "params": {}
-                })
-                .to_string(),
-            ),
-        )
-        .await
-        .unwrap();
-        let bytes = axum::body::to_bytes(response.into_body(), 1024 * 1024)
-            .await
-            .unwrap();
-        let value: Value = serde_json::from_slice(&bytes).unwrap();
-        let names: Vec<_> = value["result"]["tools"]
-            .as_array()
-            .unwrap()
-            .iter()
-            .filter_map(|tool| tool.get("name").and_then(|name| name.as_str()))
-            .collect();
-        assert!(names.contains(&"local_status"));
-        assert!(names.contains(&"secrets_find"));
-        assert!(names.contains(&LOCAL_EXEC_TOOL));
-        assert!(!names.contains(&"local_bind_start"));
-    }
-
-    #[tokio::test]
-    async fn tools_call_rejects_bind_start_when_ready() {
-        let state = test_state();
-        {
-            let mut guard = state.cache.write().await;
-            guard.bound = Some(BoundState {
-                user_id: Uuid::nil(),
-                api_key: "api-key".to_string(),
-                key_salt_hex: None,
-                key_check_hex: None,
-                key_params: None,
-                key_version: 0,
-                bound_at: Instant::now(),
-            });
-            guard.unlock = Some(UnlockState {
-                encryption_key_hex: "11".repeat(32),
-                expires_at: Instant::now() + Duration::from_secs(600),
-                last_used_at: Instant::now(),
-            });
-        }
-        let response = handle_mcp(
-            State(state),
-            Body::from(
-                json!({
-                    "jsonrpc": "2.0",
-                    "id": 4,
-                    "method": "tools/call",
-                    "params": {
-                        "name": "local_bind_start",
-                        "arguments": {}
-                    }
-                })
-                .to_string(),
-            ),
-        )
-        .await
-        .unwrap();
-        let bytes = axum::body::to_bytes(response.into_body(), 1024 * 1024)
-            .await
-            .unwrap();
-        let value: Value = serde_json::from_slice(&bytes).unwrap();
-        assert_eq!(value["result"]["isError"], Value::Bool(true));
-        assert!(value.get("error").is_none());
-    }
-
-    #[tokio::test]
-    async fn tool_error_response_uses_mcp_tool_result_shape() {
-        let response = tool_error_response(json!(9), "boom");
-        let bytes = axum::body::to_bytes(response.into_body(), 1024 * 1024)
-            .await
-            .unwrap();
-        let value: Value = serde_json::from_slice(&bytes).unwrap();
-        assert_eq!(value["id"], json!(9));
-        assert_eq!(value["result"]["isError"], Value::Bool(true));
-        assert_eq!(value["result"]["content"][0]["text"], json!("boom"));
-        assert!(value.get("error").is_none());
-    }
-}

crates/secrets-mcp-local/src/remote.rs

@@ -1,263 +0,0 @@
-use std::collections::HashMap;
-
-use anyhow::{Context, Result, anyhow};
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
-use url::Url;
-use uuid::Uuid;
-
-#[derive(Clone)]
-pub struct RemoteClient {
-    pub http_client: reqwest::Client,
-    pub remote_base_url: Url,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct BindStartResponse {
-    pub bind_id: String,
-    pub device_code: String,
-    pub approve_url: String,
-    pub expires_in_secs: u64,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct BindExchangeResponse {
-    pub status: Option<String>,
-    pub user_id: Option<Uuid>,
-    pub api_key: Option<String>,
-    pub key_salt_hex: Option<String>,
-    pub key_check_hex: Option<String>,
-    pub key_params: Option<Value>,
-    pub key_version: Option<i64>,
-}
-
-#[derive(Debug)]
-pub struct BindExchangeResult {
-    pub status: u16,
-    pub body: Value,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct BindRefreshResponse {
-    pub user_id: Uuid,
-    pub key_salt_hex: Option<String>,
-    pub key_check_hex: Option<String>,
-    pub key_params: Option<Value>,
-    pub key_version: i64,
-}
-
-#[derive(Debug)]
-pub struct BindRefreshResult {
-    pub status: u16,
-    pub body: Option<BindRefreshResponse>,
-}
-
-impl RemoteClient {
-    pub fn new(remote_base_url: Url) -> Result<Self> {
-        let http_client = reqwest::Client::builder()
-            .timeout(std::time::Duration::from_secs(120))
-            .build()
-            .context("failed to build HTTP client")?;
-        Ok(Self {
-            http_client,
-            remote_base_url,
-        })
-    }
-
-    fn authed_request(
-        &self,
-        method: reqwest::Method,
-        path: &str,
-        api_key: &str,
-        encryption_key_hex: Option<&str>,
-    ) -> reqwest::RequestBuilder {
-        let mut url = self.remote_base_url.clone();
-        url.set_path(path);
-        let mut req = self
-            .http_client
-            .request(method, url.as_str())
-            .bearer_auth(api_key)
-            .header(reqwest::header::ACCEPT, "application/json");
-        if let Some(key) = encryption_key_hex {
-            req = req.header("X-Encryption-Key", key);
-        }
-        req
-    }
-
-    async fn parse_json_response(
-        &self,
-        res: reqwest::Response,
-        label: &str,
-    ) -> Result<serde_json::Value> {
-        let status = res.status();
-        let bytes = res
-            .bytes()
-            .await
-            .with_context(|| format!("{label} body read failed"))?;
-        let value = if bytes.is_empty() {
-            Value::Null
-        } else {
-            serde_json::from_slice::<Value>(&bytes).unwrap_or_else(|_| {
-                Value::String(String::from_utf8_lossy(&bytes).trim().to_string())
-            })
-        };
-        if !status.is_success() {
-            let message = value
-                .get("error")
-                .and_then(|v| v.as_str())
-                .map(ToOwned::to_owned)
-                .unwrap_or_else(|| value.to_string());
-            return Err(anyhow!("{label} failed ({}): {message}", status));
-        }
-        Ok(value)
-    }
-
-    pub async fn bind_start(&self) -> Result<BindStartResponse> {
-        let mut url = self.remote_base_url.clone();
-        url.set_path("/api/local-mcp/bind/start");
-        let res = self
-            .http_client
-            .post(url.as_str())
-            .send()
-            .await
-            .context("bind/start request failed")?;
-        if !res.status().is_success() {
-            return Err(anyhow!("bind/start failed: {}", res.status()));
-        }
-        res.json::<BindStartResponse>()
-            .await
-            .context("invalid bind/start response")
-    }
-
-    pub async fn bind_exchange(
-        &self,
-        bind_id: &str,
-        device_code: &str,
-    ) -> Result<BindExchangeResult> {
-        let mut url = self.remote_base_url.clone();
-        url.set_path("/api/local-mcp/bind/exchange");
-        let res = self
-            .http_client
-            .post(url.as_str())
-            .json(&serde_json::json!({
-                "bind_id": bind_id,
-                "device_code": device_code,
-            }))
-            .send()
-            .await
-            .context("bind/exchange request failed")?;
-        let status = res.status().as_u16();
-        let bytes = res
-            .bytes()
-            .await
-            .context("bind/exchange body read failed")?;
-        let body = if bytes.is_empty() {
-            Value::Null
-        } else {
-            serde_json::from_slice::<Value>(&bytes).unwrap_or_else(|_| {
-                Value::String(String::from_utf8_lossy(&bytes).trim().to_string())
-            })
-        };
-        Ok(BindExchangeResult { status, body })
-    }
-
-    pub async fn bind_refresh(&self, api_key: &str) -> Result<BindRefreshResult> {
-        let mut url = self.remote_base_url.clone();
-        url.set_path("/api/local-mcp/bind/refresh");
-        let res = self
-            .http_client
-            .post(url.as_str())
-            .header(
-                axum::http::header::AUTHORIZATION,
-                format!("Bearer {api_key}"),
-            )
-            .send()
-            .await
-            .context("bind/refresh request failed")?;
-        let status = res.status().as_u16();
-        if !res.status().is_success() {
-            return Ok(BindRefreshResult { status, body: None });
-        }
-        let body = res
-            .json::<BindRefreshResponse>()
-            .await
-            .context("invalid bind/refresh response")?;
-        Ok(BindRefreshResult {
-            status,
-            body: Some(body),
-        })
-    }
-
-    async fn post_api_json(
-        &self,
-        api_key: &str,
-        encryption_key_hex: Option<&str>,
-        path: &str,
-        body: &Value,
-    ) -> Result<Value> {
-        let res = self
-            .authed_request(reqwest::Method::POST, path, api_key, encryption_key_hex)
-            .json(body)
-            .send()
-            .await
-            .with_context(|| format!("{path} request failed"))?;
-        self.parse_json_response(res, path).await
-    }
-
-    async fn get_api_json(
-        &self,
-        api_key: &str,
-        encryption_key_hex: Option<&str>,
-        path: &str,
-    ) -> Result<reqwest::Response> {
-        let req = self.authed_request(reqwest::Method::GET, path, api_key, encryption_key_hex);
-        let res = req
-            .send()
-            .await
-            .with_context(|| format!("{path} request failed"))?;
-        Ok(res)
-    }
-
-    pub async fn entries_find(&self, api_key: &str, args: &Value) -> Result<Value> {
-        self.post_api_json(api_key, None, "/api/local-mcp/entries/find", args)
-            .await
-    }
-
-    pub async fn entries_search(&self, api_key: &str, args: &Value) -> Result<Value> {
-        self.post_api_json(api_key, None, "/api/local-mcp/entries/search", args)
-            .await
-    }
-
-    pub async fn entry_history(&self, api_key: &str, args: &Value) -> Result<Value> {
-        self.post_api_json(api_key, None, "/api/local-mcp/entries/history", args)
-            .await
-    }
-
-    pub async fn entries_overview(&self, api_key: &str) -> Result<Value> {
-        let res = self
-            .get_api_json(api_key, None, "/api/local-mcp/entries/overview")
-            .await?;
-        self.parse_json_response(res, "/api/local-mcp/entries/overview")
-            .await
-    }
-
-    pub async fn delete_preview(&self, api_key: &str, args: &Value) -> Result<Value> {
-        self.post_api_json(api_key, None, "/api/local-mcp/entries/delete-preview", args)
-            .await
-    }
-
-    pub async fn get_entry_secrets_by_id(
-        &self,
-        api_key: &str,
-        encryption_key_hex: &str,
-        entry_id: &str,
-    ) -> Result<HashMap<String, Value>> {
-        let path = format!("/api/local-mcp/entries/{entry_id}/secrets");
-        let res = self
-            .get_api_json(api_key, Some(encryption_key_hex), &path)
-            .await?;
-        let value = self.parse_json_response(res, &path).await?;
-        serde_json::from_value::<HashMap<String, Value>>(value)
-            .context("invalid decrypt payload from remote HTTP API")
-    }
-}

crates/secrets-mcp-local/src/server.rs

@@ -1,157 +0,0 @@
-use std::sync::Arc;
-
-use axum::Router;
-use axum::extract::State;
-use axum::response::{Html, IntoResponse};
-use axum::routing::{get, post};
-
-use crate::cache::SharedCache;
-use crate::config::LocalConfig;
-use crate::remote::RemoteClient;
-
-#[derive(Clone)]
-pub struct AppState {
-    pub config: LocalConfig,
-    pub cache: SharedCache,
-    pub remote: Arc<RemoteClient>,
-}
-
-async fn index(State(state): State<AppState>) -> impl IntoResponse {
-    Html(format!(
-        r#"<!DOCTYPE html>
-<html lang="zh-CN">
-<head>
-  <meta charset="utf-8">
-  <title>secrets-mcp-local onboarding</title>
-  <style>
-    body {{ font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; max-width: 920px; margin: 24px auto; padding: 0 16px; line-height: 1.5; }}
-    code, pre {{ background: #f6f8fa; border-radius: 6px; }}
-    code {{ padding: 2px 6px; }}
-    pre {{ padding: 12px; overflow-x: auto; }}
-    .card {{ border: 1px solid #d0d7de; border-radius: 12px; padding: 16px; margin: 16px 0; }}
-    .row {{ display: flex; gap: 12px; flex-wrap: wrap; align-items: center; }}
-    button, a.button {{ border: 1px solid #1f2328; background: #1f2328; color: white; padding: 8px 14px; border-radius: 8px; text-decoration: none; cursor: pointer; }}
-    a.secondary, button.secondary {{ background: white; color: #1f2328; }}
-    iframe {{ width: 100%; min-height: 420px; border: 1px solid #d0d7de; border-radius: 12px; }}
-    .muted {{ color: #57606a; }}
-  </style>
-</head>
-<body>
-  <h1>secrets-mcp-local</h1>
-  <p class="muted">本地 MCP 地址：<code>http://{bind}/mcp</code></p>
-  <p class="muted">远端服务地址：<code>{remote}</code></p>
-
-  <div class="card">
-    <h2>当前状态</h2>
-    <pre id="status">loading...</pre>
-    <div class="row">
-      <button id="start-bind">开始绑定</button>
-      <button id="poll-bind" class="secondary">检查授权结果</button>
-      <a class="button secondary" href="/unlock" target="_blank" rel="noreferrer">打开解锁页</a>
-      <button id="refresh" class="secondary">刷新状态</button>
-    </div>
-  </div>
-
-  <div class="card">
-    <h2>步骤 1：远端授权</h2>
-    <p id="approve-hint" class="muted">点击“开始绑定”后，这里会显示授权地址。</p>
-    <div id="approve-actions" class="row"></div>
-  </div>
-
-  <div class="card">
-    <h2>步骤 2：本地解锁</h2>
-    <p class="muted">授权完成后，本页会自动切换到解锁阶段。你也可以直接在下方完成解锁。</p>
-    <iframe id="unlock-frame" src="/unlock"></iframe>
-  </div>
-
-  <div class="card">
-    <h2>接入 Cursor</h2>
-    <p>把 MCP 地址配置为 <code>http://{bind}/mcp</code>。在未就绪时，AI 只会看到 bootstrap 工具；完成授权和解锁后会自动暴露业务工具。</p>
-  </div>
-
-<script>
-const statusEl = document.getElementById('status');
-const approveHint = document.getElementById('approve-hint');
-const approveActions = document.getElementById('approve-actions');
-const unlockFrame = document.getElementById('unlock-frame');
-
-function renderApprove(info) {{
-  approveActions.innerHTML = '';
-  if (!info?.approve_url) return;
-  approveHint.textContent = '请先在浏览器完成远端授权，然后回到这里等待自动进入解锁状态。';
-  const link = document.createElement('a');
-  link.href = info.approve_url;
-  link.target = '_blank';
-  link.rel = 'noreferrer';
-  link.className = 'button';
-  link.textContent = '打开远端授权页';
-  approveActions.appendChild(link);
-}}
-
-async function refreshStatus() {{
-  const res = await fetch('/local/status');
-  const data = await res.json();
-  statusEl.textContent = JSON.stringify(data, null, 2);
-  if (data.pending_bind) renderApprove(data.pending_bind);
-  if (data.state === 'ready') {{
-    approveHint.textContent = '本地 MCP 已 ready，可以返回 Cursor 正常使用。';
-  }} else if (data.state === 'pendingUnlock') {{
-    approveHint.textContent = '远端授权已完成，继续在下方完成本地解锁。';
-  }}
-  return data;
-}}
-
-async function startBind() {{
-  const res = await fetch('/local/bind/start', {{ method: 'POST' }});
-  const data = await res.json();
-  statusEl.textContent = JSON.stringify(data, null, 2);
-  renderApprove(data);
-}}
-
-async function pollBind() {{
-  const res = await fetch('/local/bind/exchange', {{
-    method: 'POST',
-    headers: {{ 'content-type': 'application/json' }},
-    body: JSON.stringify({{}})
-  }});
-  const data = await res.json();
-  statusEl.textContent = JSON.stringify(data, null, 2);
-  await refreshStatus();
-  if (res.ok && data.status === 'bound') {{
-    unlockFrame.src = '/unlock';
-  }}
-}}
-
-document.getElementById('start-bind').onclick = startBind;
-document.getElementById('poll-bind').onclick = pollBind;
-document.getElementById('refresh').onclick = refreshStatus;
-window.addEventListener('message', (event) => {{
-  if (event?.data?.type === 'secrets-mcp-local-ready') refreshStatus();
-}});
-refreshStatus();
-setInterval(refreshStatus, 3000);
-</script>
-</body>
-</html>"#,
-        bind = state.config.bind,
-        remote = state.config.remote_base_url,
-    ))
-}
-
-pub fn router(state: AppState) -> Router {
-    Router::new()
-        .route("/", get(index))
-        .route("/mcp", axum::routing::any(crate::mcp::handle_mcp))
-        .route("/local/bind/start", post(crate::bind::bind_start))
-        .route("/local/bind/exchange", post(crate::bind::bind_exchange))
-        .route("/local/unbind", post(crate::bind::unbind))
-        .route("/unlock", get(crate::unlock::unlock_page))
-        .route(
-            "/local/unlock/complete",
-            post(crate::unlock::unlock_complete),
-        )
-        .route("/local/lock", post(crate::unlock::lock))
-        .route("/local/status", get(crate::unlock::status))
-        .layer(axum::extract::DefaultBodyLimit::max(10 * 1024 * 1024))
-        .with_state(state)
-}

crates/secrets-mcp-local/src/unlock.rs

@@ -1,265 +0,0 @@
-use std::time::Instant;
-
-use axum::extract::State;
-use axum::http::StatusCode;
-use axum::response::{Html, IntoResponse};
-use secrets_core::crypto::{decrypt, extract_key_from_hex, hex};
-use serde::Deserialize;
-use serde_json::json;
-
-use crate::bind::refresh_bound_state;
-use crate::cache::UnlockState;
-use crate::server::AppState;
-
-const KEY_CHECK_PLAINTEXT: &[u8] = b"secrets-mcp-key-check";
-
-fn verify_key_check_hex(key_hex: &str, key_check_hex: &str) -> Result<(), (StatusCode, String)> {
-    let key_check = hex::decode_hex(key_check_hex).map_err(|e| {
-        (
-            StatusCode::BAD_REQUEST,
-            format!("invalid key_check hex: {e}"),
-        )
-    })?;
-    let user_key = extract_key_from_hex(key_hex).map_err(|e| {
-        (
-            StatusCode::BAD_REQUEST,
-            format!("invalid encryption key: {e}"),
-        )
-    })?;
-    let plaintext = decrypt(&user_key, &key_check)
-        .map_err(|_| (StatusCode::UNAUTHORIZED, "wrong passphrase".to_string()))?;
-    if plaintext != KEY_CHECK_PLAINTEXT {
-        return Err((StatusCode::UNAUTHORIZED, "wrong passphrase".to_string()));
-    }
-    Ok(())
-}
-
-#[derive(Deserialize)]
-pub struct UnlockCompleteBody {
-    encryption_key: String,
-    ttl_secs: Option<u64>,
-}
-
-pub async fn unlock_page(State(state): State<AppState>) -> impl IntoResponse {
-    refresh_bound_state(&state).await;
-    let bound = {
-        let guard = state.cache.read().await;
-        guard.bound.clone()
-    };
-    let Some(mut bound) = bound else {
-        return Html(
-            "<h1>Not bound</h1><p>Run /local/bind/start and complete approve first.</p>"
-                .to_string(),
-        );
-    };
-    {
-        let guard = state.cache.read().await;
-        if let Some(updated) = guard.bound.clone() {
-            bound = updated;
-        }
-    }
-    let key_salt_hex = bound.key_salt_hex.as_deref().unwrap_or("");
-    let key_check_hex = bound.key_check_hex.as_deref().unwrap_or("");
-    let iterations = bound
-        .key_params
-        .as_ref()
-        .and_then(|v| v.get("iterations"))
-        .and_then(|n| n.as_u64())
-        .unwrap_or(600_000);
-
-    Html(format!(
-        r#"<!DOCTYPE html>
-<html lang="zh-CN">
-<head><meta charset="utf-8"><title>Local MCP Unlock</title></head>
-<body>
-  <h1>解锁本地 MCP</h1>
-  <p>用户：<code>{user_id}</code></p>
-  <label>Passphrase: <input id="pp" type="password" autocomplete="off"/></label>
-  <label>TTL(sec): <input id="ttl" type="number" value="{ttl}" min="60" max="604800"/></label>
-  <button id="go">Derive and Unlock</button>
-  <pre id="out"></pre>
-<script>
-const SALT_HEX = "{salt}";
-const KEY_CHECK_HEX = "{key_check}";
-const ITER = {iter};
-    function notifyParentReady() {{
-      try {{
-        window.parent?.postMessage({{type:'secrets-mcp-local-ready'}}, '*');
-      }} catch (_err) {{}}
-    }}
-function hexToBytes(hex) {{
-  const out = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.substr(i*2,2), 16);
-  return out;
-}}
-function bytesToHex(bytes) {{
-  return Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
-}}
-async function verifyKeyCheck(hexKey) {{
-  const keyBytes = hexToBytes(hexKey);
-  const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, {{name:'AES-GCM'}}, false, ['decrypt']);
-  const payload = hexToBytes(KEY_CHECK_HEX);
-  const nonce = payload.slice(0, 12);
-  const ciphertext = payload.slice(12);
-  try {{
-    const plain = await crypto.subtle.decrypt({{name:'AES-GCM', iv: nonce}}, cryptoKey, ciphertext);
-    return new TextDecoder().decode(plain) === 'secrets-mcp-key-check';
-  }} catch {{
-    return false;
-  }}
-}}
-document.getElementById('go').onclick = async () => {{
-  const pp = document.getElementById('pp').value;
-  const ttl = Number(document.getElementById('ttl').value || {ttl});
-  const out = document.getElementById('out');
-  if (!SALT_HEX) {{ out.textContent = 'key_salt missing; set passphrase on remote first'; return; }}
-  if (!KEY_CHECK_HEX) {{ out.textContent = 'key_check missing; refresh bind first'; return; }}
-  if (!pp) {{ out.textContent = 'passphrase required'; return; }}
-  out.textContent = 'deriving...';
-  try {{
-    const keyMat = await crypto.subtle.importKey('raw', new TextEncoder().encode(pp), {{name:'PBKDF2'}}, false, ['deriveBits']);
-    const bits = await crypto.subtle.deriveBits({{name:'PBKDF2', salt: hexToBytes(SALT_HEX), iterations: ITER, hash: 'SHA-256'}}, keyMat, 256);
-    const hex = bytesToHex(new Uint8Array(bits));
-    const valid = await verifyKeyCheck(hex);
-    if (!valid) {{ out.textContent = 'wrong passphrase'; return; }}
-    const res = await fetch('/local/unlock/complete', {{
-      method:'POST', headers:{{'content-type':'application/json'}},
-      body: JSON.stringify({{encryption_key: hex, ttl_secs: ttl}})
-    }});
-    const txt = await res.text();
-    out.textContent = txt;
-    if (res.ok) notifyParentReady();
-  }} catch (e) {{
-    out.textContent = String(e);
-  }}
-}};
-</script>
-</body>
-</html>"#,
-        user_id = bound.user_id,
-        ttl = state.config.default_unlock_ttl.as_secs(),
-        salt = key_salt_hex,
-        key_check = key_check_hex,
-        iter = iterations
-    ))
-}
-
-pub async fn unlock_complete(
-    State(state): State<AppState>,
-    axum::Json(input): axum::Json<UnlockCompleteBody>,
-) -> Result<impl IntoResponse, (StatusCode, String)> {
-    let key = input.encryption_key.trim();
-    if key.len() != 64 || !key.chars().all(|c| c.is_ascii_hexdigit()) {
-        return Err((
-            StatusCode::BAD_REQUEST,
-            "encryption_key must be 64 hex chars".to_string(),
-        ));
-    }
-    let ttl = std::time::Duration::from_secs(
-        input
-            .ttl_secs
-            .unwrap_or(state.config.default_unlock_ttl.as_secs())
-            .clamp(60, 86400 * 7),
-    );
-    let mut guard = state.cache.write().await;
-    let Some(bound) = guard.bound.as_ref() else {
-        return Err((StatusCode::UNAUTHORIZED, "not bound".to_string()));
-    };
-    let key_check_hex = bound
-        .key_check_hex
-        .as_deref()
-        .ok_or((StatusCode::BAD_REQUEST, "key_check missing".to_string()))?;
-    verify_key_check_hex(key, key_check_hex)?;
-    guard.exec_contexts.clear();
-    guard.unlock = Some(UnlockState {
-        encryption_key_hex: key.to_string(),
-        expires_at: Instant::now() + ttl,
-        last_used_at: Instant::now(),
-    });
-    Ok((
-        StatusCode::OK,
-        axum::Json(json!({"ok": true, "ttl_secs": ttl.as_secs()})),
-    ))
-}
-
-pub async fn lock(State(state): State<AppState>) -> impl IntoResponse {
-    let mut guard = state.cache.write().await;
-    guard.clear_unlock_and_exec();
-    (StatusCode::OK, axum::Json(json!({"ok": true})))
-}
-
-pub async fn status(State(state): State<AppState>) -> impl IntoResponse {
-    let payload = status_payload(&state).await;
-    (StatusCode::OK, axum::Json(payload))
-}
-
-pub async fn status_payload(state: &AppState) -> serde_json::Value {
-    refresh_bound_state(state).await;
-    let now = Instant::now();
-    let mut guard = state.cache.write().await;
-    let unlocked = guard
-        .unlock
-        .as_ref()
-        .is_some_and(|u| u.expires_at > now && !u.encryption_key_hex.is_empty());
-    let expires_in_secs = guard
-        .unlock
-        .as_ref()
-        .and_then(|u| (u.expires_at > now).then_some(u.expires_at.duration_since(now).as_secs()));
-    if guard.unlock.as_ref().is_some_and(|u| u.expires_at <= now) {
-        guard.clear_unlock_and_exec();
-    }
-    let state_name = guard.phase(now);
-    let bound = guard.bound.as_ref().map(|b| {
-        json!({
-            "user_id": b.user_id,
-            "key_version": b.key_version,
-            "bound_for_secs": b.bound_at.elapsed().as_secs(),
-        })
-    });
-    let pending_bind = guard.pending_bind.as_ref().map(|pending| {
-        json!({
-            "bind_id": pending.bind_id,
-            "device_code": pending.device_code,
-            "approve_url": pending.approve_url,
-            "expires_in_secs": pending.expires_at.saturating_duration_since(now).as_secs(),
-            "started_for_secs": pending.started_at.elapsed().as_secs(),
-        })
-    });
-    json!({
-        "state": state_name,
-        "bound": bound,
-        "pending_bind": pending_bind,
-        "unlocked": unlocked,
-        "expires_in_secs": expires_in_secs,
-        "cached_targets": guard.exec_contexts.len(),
-        "onboarding_url": format!("http://{}/", state.config.bind),
-        "unlock_url": format!("http://{}/unlock", state.config.bind),
-        "mcp_url": format!("http://{}/mcp", state.config.bind),
-    })
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use secrets_core::crypto::encrypt;
-
-    #[test]
-    fn verify_key_check_accepts_matching_key() {
-        let key_hex = "11".repeat(32);
-        let key = extract_key_from_hex(&key_hex).unwrap();
-        let ciphertext = encrypt(&key, KEY_CHECK_PLAINTEXT).unwrap();
-        let ciphertext_hex = hex::encode_hex(&ciphertext);
-        assert!(verify_key_check_hex(&key_hex, &ciphertext_hex).is_ok());
-    }
-
-    #[test]
-    fn verify_key_check_rejects_wrong_key() {
-        let correct_key_hex = "11".repeat(32);
-        let wrong_key_hex = "22".repeat(32);
-        let key = extract_key_from_hex(&correct_key_hex).unwrap();
-        let ciphertext = encrypt(&key, KEY_CHECK_PLAINTEXT).unwrap();
-        let ciphertext_hex = hex::encode_hex(&ciphertext);
-        let err = verify_key_check_hex(&wrong_key_hex, &ciphertext_hex).unwrap_err();
-        assert_eq!(err.0, StatusCode::UNAUTHORIZED);
-    }
-}

crates/secrets-mcp/CHANGELOG.md

@@ -1,57 +0,0 @@
-本文档在构建时嵌入 Web 的 `/changelog` 页面，并由服务端渲染为 HTML。
-
-## [0.6.0] - 2026-04-12
-
-### Changed
-
-- 重构 `secrets-mcp-local` 为本地 MCP 服务：`initialize` / `tools/list` 在未绑定、未解锁时也始终成功，不再通过连接级 `401` 让 MCP 客户端误判为服务离线。
-- 本地 gateway 改为三态工具面：`bootstrap` / `pendingUnlock` / `ready`；未就绪时仅暴露 `local_status`、`local_bind_start`、`local_bind_exchange`、`local_unlock_status`、`local_onboarding_info` 等 bootstrap 工具。
-- 本地首页改为真实 onboarding 页面：可直接发起绑定、展示 `approve_url`、轮询授权结果，并衔接本地 unlock；不再要求用户手工拼 `curl` 请求。
-- 本地绑定闭环改为持久化短时会话：远程 `secrets-mcp` 新增 `local_mcp_bind_sessions` 存储绑定确认状态，避免仅靠单进程内存状态。
-- 本地解锁增加 `key_check` 校验与生命周期收敛：浏览器内先验证密码短语，再缓存本地 unlock；当远程 `key_version` 变化、API key 失效或绑定用户缺失时，本地自动失效 unlock 或清除 bound 状态。
-- 远程 `secrets-mcp` 新增 `/api/local-mcp/entries/find|search|history|overview|delete-preview|{id}/secrets` JSON API；local gateway 的发现、预览删除与解密读取已切到这些 HTTP API，不再依赖远程 `/mcp` 作为运行时后端。
-- 本地 gateway 新增 `target_exec` 通用代执行能力：AI 可先发现服务器或 API 服务条目，再由 local gateway 内部读取条目密钥并注入 `TARGET_*` 环境变量执行标准命令；执行上下文按 `entry_id` 本地缓存，可在 unlock 生命周期内复用。
-
-## [0.5.28] - 2026-04-12
-
-### Added
-
-- 工作区新增 **`secrets-mcp-local`** 并升级为本地 MCP 服务：支持 `bind/start -> approve -> bind/exchange -> /unlock` 闭环，复用远程 Web 会话完成本地绑定，浏览器内派生后按 TTL 缓存解锁状态。
-- 远程 `secrets-mcp` 新增本地绑定 API：`/api/local-mcp/bind/start`、`/api/local-mcp/bind/approve`、`/api/local-mcp/bind/exchange` 以及确认页 `/local-mcp/approve`。
-
-## [0.5.27] - 2026-04-11
-
-### Added
-
-- Web **`/entries`**：按 **tags** 筛选（逗号分隔、trim、多标签 **AND** 语义，与 `SearchParams` / MCP 一致）；folder 标签计数、分页与筛选栏状态同步保留 `tags`。
-
-## [0.5.26] - 2026-04-11
-
-### Fixed
-
-- **Google OAuth**：工作区 `reqwest` 此前关闭默认特性且未启用 **`system-proxy`**，进程不读取 macOS/Windows 系统代理，易出现与浏览器不一致（本机可上 Google 但换 token 超时）。已显式启用 `system-proxy`。
-
-## [0.5.25] - 2026-04-11
-
-### Changed
-
-- Google OAuth：token / userinfo 请求单独 **45s** 超时（避免仅触达默认客户端 15s）；失败时区分超时、连接错误，并在非 2xx 时记录/返回 Google 响应体片段（如 `invalid_grant`、`redirect_uri_mismatch`）。
-
-## [0.5.24] - 2026-04-11
-
-### Changed
-
-- 首页页脚将原「登录」入口改为「变更记录」（`/changelog`）；顶部导航仍保留登录 / 进入控制台。
-
-## [0.5.23] - 2026-04-11
-
-### Added
-
-- Changelog 页使用 **Markdown** 渲染（`pulldown-cmark`：表格、~~删除线~~、任务列表等）。
-
-## [0.5.22] - 2026-04-11
-
-### Added
-
-- Dashboard（MCP）页脚版本旁增加「变更记录」链接，打开本变更说明页。
-

crates/secrets-mcp/Cargo.toml

@@ -1,48 +0,0 @@
-[package]
-name = "secrets-mcp"
-version = "0.6.0"
-edition.workspace = true
-
-[[bin]]
-name = "secrets-mcp"
-path = "src/main.rs"
-
-[dependencies]
-secrets-core = { path = "../secrets-core" }
-
-# MCP
-rmcp = { version = "1", features = ["server", "macros", "transport-streamable-http-server", "schemars"] }
-
-# Web framework
-axum = "0.8"
-axum-extra = { version = "0.10", features = ["typed-header"] }
-tower = "0.5"
-tower-http = { version = "0.6", features = ["cors", "trace", "limit"] }
-tower-sessions = "0.14"
-tower-sessions-sqlx-store-chrono = { version = "0.14", features = ["postgres"] }
-governor = { version = "0.10", features = ["std", "jitter"] }
-time = "0.3"
-
-# OAuth (manual token exchange via reqwest)
-reqwest.workspace = true
-
-# Templating - render templates manually to avoid integration crate issues
-askama = "0.13"
-
-# Common
-anyhow.workspace = true
-chrono.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-rand.workspace = true
-sqlx.workspace = true
-tokio.workspace = true
-tracing.workspace = true
-tracing-subscriber.workspace = true
-uuid.workspace = true
-dotenvy.workspace = true
-urlencoding = "2"
-schemars = "1"
-http = "1"
-url = "2"
-pulldown-cmark = "0.13.3"

crates/secrets-mcp/src/auth.rs

@@ -1,97 +0,0 @@
-use axum::{
-    extract::{Request, State},
-    http::StatusCode,
-    middleware::Next,
-    response::Response,
-};
-use sqlx::PgPool;
-use uuid::Uuid;
-
-use secrets_core::service::api_key::validate_api_key;
-
-use crate::client_ip;
-
-/// Injected into request extensions after Bearer token validation.
-#[derive(Clone, Debug)]
-pub struct AuthUser {
-    pub user_id: Uuid,
-}
-
-/// Axum middleware that validates Bearer API keys for the /mcp route.
-/// Passes all non-MCP paths through without authentication.
-pub async fn bearer_auth_middleware(
-    State(pool): State<PgPool>,
-    req: Request,
-    next: Next,
-) -> Result<Response, StatusCode> {
-    let path = req.uri().path();
-    let method = req.method().as_str();
-    let client_ip = client_ip::extract_client_ip(&req);
-
-    // Only authenticate /mcp paths
-    if !path.starts_with("/mcp") {
-        return Ok(next.run(req).await);
-    }
-
-    // Allow OPTIONS (CORS preflight) through
-    if req.method() == axum::http::Method::OPTIONS {
-        return Ok(next.run(req).await);
-    }
-
-    let auth_header = req
-        .headers()
-        .get(axum::http::header::AUTHORIZATION)
-        .and_then(|v| v.to_str().ok());
-
-    let raw_key = match auth_header {
-        Some(h) if h.starts_with("Bearer ") => h.trim_start_matches("Bearer ").trim(),
-        Some(_) => {
-            tracing::warn!(
-                method,
-                path,
-                %client_ip,
-                "invalid Authorization header format on /mcp (expected Bearer …)"
-            );
-            return Err(StatusCode::UNAUTHORIZED);
-        }
-        None => {
-            tracing::warn!(
-                method,
-                path,
-                %client_ip,
-                "missing Authorization header on /mcp"
-            );
-            return Err(StatusCode::UNAUTHORIZED);
-        }
-    };
-
-    match validate_api_key(&pool, raw_key).await {
-        Ok(Some(user_id)) => {
-            tracing::debug!(?user_id, "api key authenticated");
-            let mut req = req;
-            req.extensions_mut().insert(AuthUser { user_id });
-            Ok(next.run(req).await)
-        }
-        Ok(None) => {
-            tracing::warn!(
-                method,
-                path,
-                %client_ip,
-                key_prefix = %&raw_key.chars().take(12).collect::<String>(),
-                key_len = raw_key.len(),
-                "invalid api key (not found in database — e.g. revoked key or DB was reset; update MCP client Bearer token)"
-            );
-            Err(StatusCode::UNAUTHORIZED)
-        }
-        Err(e) => {
-            tracing::error!(
-                method,
-                path,
-                %client_ip,
-                error = %e,
-                "api key validation error"
-            );
-            Err(StatusCode::INTERNAL_SERVER_ERROR)
-        }
-    }
-}

crates/secrets-mcp/src/client_ip.rs

@@ -1,85 +0,0 @@
-use axum::extract::Request;
-use std::net::{IpAddr, SocketAddr};
-
-/// Extract the client IP from a request.
-///
-/// When the `TRUST_PROXY` environment variable is set to `1` or `true`, the
-/// `X-Forwarded-For` and `X-Real-IP` headers are consulted first, which is
-/// appropriate when the service runs behind a trusted reverse proxy (e.g.
-/// Caddy). Otherwise — or if those headers are absent/empty — the direct TCP
-/// connection address from `ConnectInfo` is used.
-///
-/// **Important**: only enable `TRUST_PROXY` when the application is guaranteed
-/// to receive traffic exclusively through a controlled reverse proxy. Enabling
-/// it on a directly-exposed port allows clients to spoof their IP address and
-/// bypass per-IP rate limiting.
-pub fn extract_client_ip(req: &Request) -> String {
-    if trust_proxy_enabled() {
-        if let Some(ip) = forwarded_for_ip(req.headers()) {
-            return ip;
-        }
-        if let Some(ip) = real_ip(req.headers()) {
-            return ip;
-        }
-    }
-
-    connect_info_ip(req).unwrap_or_else(|| "unknown".to_string())
-}
-
-/// Extract the client IP from individual header map and socket address components.
-///
-/// This variant is used by handlers that receive headers and connect info as
-/// separate axum extractor parameters (e.g. OAuth callback handlers).
-/// The same `TRUST_PROXY` logic applies.
-pub fn extract_client_ip_parts(
-    headers: &axum::http::HeaderMap,
-    addr: std::net::SocketAddr,
-) -> String {
-    if trust_proxy_enabled() {
-        if let Some(ip) = forwarded_for_ip(headers) {
-            return ip;
-        }
-        if let Some(ip) = real_ip(headers) {
-            return ip;
-        }
-    }
-    addr.ip().to_string()
-}
-
-fn trust_proxy_enabled() -> bool {
-    static CACHE: std::sync::OnceLock<bool> = std::sync::OnceLock::new();
-    *CACHE.get_or_init(|| {
-        matches!(
-            std::env::var("TRUST_PROXY").as_deref(),
-            Ok("1") | Ok("true") | Ok("yes")
-        )
-    })
-}
-
-fn forwarded_for_ip(headers: &axum::http::HeaderMap) -> Option<String> {
-    let value = headers.get("x-forwarded-for")?.to_str().ok()?;
-    let first = value.split(',').next()?.trim();
-    if first.is_empty() {
-        None
-    } else {
-        validate_ip(first)
-    }
-}
-
-fn real_ip(headers: &axum::http::HeaderMap) -> Option<String> {
-    let value = headers.get("x-real-ip")?.to_str().ok()?;
-    let ip = value.trim();
-    if ip.is_empty() { None } else { validate_ip(ip) }
-}
-
-/// Validate that a string is a valid IP address.
-/// Returns Some(ip) if valid, None otherwise.
-fn validate_ip(s: &str) -> Option<String> {
-    s.parse::<IpAddr>().ok().map(|ip| ip.to_string())
-}
-
-fn connect_info_ip(req: &Request) -> Option<String> {
-    req.extensions()
-        .get::<axum::extract::ConnectInfo<SocketAddr>>()
-        .map(|c| c.0.ip().to_string())
-}

crates/secrets-mcp/src/error.rs

@@ -1,54 +0,0 @@
-use secrets_core::error::AppError;
-
-/// Map a structured `AppError` to an MCP protocol error.
-///
-/// This replaces the previous pattern of swallowing all errors into `-32603`.
-pub fn app_error_to_mcp(err: &AppError) -> rmcp::ErrorData {
-    match err {
-        AppError::ConflictSecretName { secret_name } => rmcp::ErrorData::invalid_request(
-            format!(
-                "A secret with the name '{secret_name}' already exists for your account. \
-                 Secret names must be unique per user."
-            ),
-            None,
-        ),
-        AppError::ConflictEntryName { folder, name } => rmcp::ErrorData::invalid_request(
-            format!(
-                "An entry with folder='{folder}' and name='{name}' already exists. \
-                 The combination of folder and name must be unique."
-            ),
-            None,
-        ),
-        AppError::NotFoundEntry => rmcp::ErrorData::invalid_request(
-            "Entry not found. Use secrets_find to discover existing entries.",
-            None,
-        ),
-        AppError::NotFoundUser => rmcp::ErrorData::invalid_request("User not found.", None),
-        AppError::NotFoundSecret => rmcp::ErrorData::invalid_request("Secret not found.", None),
-        AppError::AuthenticationFailed => rmcp::ErrorData::invalid_request(
-            "Authentication failed. Please check your API key or login credentials.",
-            None,
-        ),
-        AppError::Unauthorized => rmcp::ErrorData::invalid_request(
-            "Unauthorized: you do not have permission to access this resource.",
-            None,
-        ),
-        AppError::Validation { message } => rmcp::ErrorData::invalid_request(message.clone(), None),
-        AppError::ConcurrentModification => rmcp::ErrorData::invalid_request(
-            "The entry was modified by another request. Please refresh and try again.",
-            None,
-        ),
-        AppError::DecryptionFailed => rmcp::ErrorData::invalid_request(
-            "Decryption failed — the encryption key may be incorrect or does not match the data.",
-            None,
-        ),
-        AppError::EncryptionKeyNotSet => rmcp::ErrorData::invalid_request(
-            "Encryption key not set. You must set a passphrase before using this feature.",
-            None,
-        ),
-        AppError::Internal(_) => rmcp::ErrorData::internal_error(
-            "Request failed due to a server error. Check service logs if you need details.",
-            None,
-        ),
-    }
-}

crates/secrets-mcp/src/logging.rs

@@ -1,381 +0,0 @@
-use std::time::Instant;
-
-use axum::{
-    body::{Body, Bytes, to_bytes},
-    extract::Request,
-    http::{
-        HeaderMap, Method, StatusCode,
-        header::{AUTHORIZATION, CONTENT_LENGTH, CONTENT_TYPE, USER_AGENT},
-    },
-    middleware::Next,
-    response::{IntoResponse, Response},
-};
-
-use crate::auth::AuthUser;
-
-/// Axum middleware that logs structured info for every HTTP request.
-///
-/// All requests: method, path, status, latency_ms, client_ip, user_agent.
-/// POST /mcp requests: additionally parses JSON-RPC body for jsonrpc_method,
-/// tool_name, jsonrpc_id, mcp_session, batch_size, tool_args (non-sensitive
-/// arguments only), plus masked auth_key / enc_key fingerprints and user_id
-/// for diagnosing header forwarding issues.
-///
-/// Sensitive headers (Authorization, X-Encryption-Key) are never logged in
-/// full — only short fingerprints are emitted.
-pub async fn request_logging_middleware(req: Request, next: Next) -> Response {
-    let method = req.method().clone();
-    let path = req.uri().path().to_string();
-    let ip = client_ip(&req);
-    let ua = header_str(req.headers(), USER_AGENT);
-    let content_len = header_str(req.headers(), CONTENT_LENGTH).and_then(|v| v.parse::<u64>().ok());
-    let mcp_session = req
-        .headers()
-        .get("mcp-session-id")
-        .or_else(|| req.headers().get("x-mcp-session"))
-        .and_then(|v| v.to_str().ok())
-        .map(|s| s.to_string());
-
-    // Capture header fingerprints before consuming the request.
-    let auth_key = mask_bearer(req.headers());
-    let enc_key = mask_enc_key(req.headers());
-
-    let is_mcp_post = path.starts_with("/mcp") && method == Method::POST;
-    let is_json = header_str(req.headers(), CONTENT_TYPE)
-        .map(|ct| ct.contains("application/json"))
-        .unwrap_or(false);
-
-    let start = Instant::now();
-
-    // For MCP JSON-RPC POST requests, buffer body to extract JSON-RPC metadata.
-    // We cap at 512 KiB to avoid buffering large payloads.
-    if is_mcp_post && is_json {
-        let cap = content_len.unwrap_or(0);
-        if cap <= 512 * 1024 {
-            let (parts, body) = req.into_parts();
-            // user_id is available after auth middleware has run (injected into extensions).
-            let user_id = parts
-                .extensions
-                .get::<AuthUser>()
-                .map(|a| a.user_id.to_string());
-            match to_bytes(body, 512 * 1024).await {
-                Ok(bytes) => {
-                    let rpc = parse_jsonrpc_meta(&bytes);
-                    let req = Request::from_parts(parts, Body::from(bytes));
-                    let resp = next.run(req).await;
-                    let status = resp.status().as_u16();
-                    let elapsed = start.elapsed().as_millis();
-                    log_mcp_request(
-                        &method,
-                        &path,
-                        status,
-                        elapsed,
-                        ip.as_deref(),
-                        ua.as_deref(),
-                        content_len,
-                        mcp_session.as_deref(),
-                        auth_key.as_deref(),
-                        &enc_key,
-                        user_id.as_deref(),
-                        &rpc,
-                    );
-                    return resp;
-                }
-                Err(e) => {
-                    tracing::warn!(path, error = %e, "failed to buffer MCP request body for logging");
-                    let elapsed = start.elapsed().as_millis();
-                    tracing::info!(
-                        method = method.as_str(),
-                        path,
-                        status = StatusCode::INTERNAL_SERVER_ERROR.as_u16(),
-                        elapsed_ms = elapsed,
-                        client_ip = ip.as_deref(),
-                        ua = ua.as_deref(),
-                        content_length = content_len,
-                        mcp_session = mcp_session.as_deref(),
-                        auth_key = auth_key.as_deref(),
-                        enc_key = enc_key.as_str(),
-                        user_id = user_id.as_deref(),
-                        "mcp request",
-                    );
-                    return (
-                        StatusCode::INTERNAL_SERVER_ERROR,
-                        "failed to read request body",
-                    )
-                        .into_response();
-                }
-            }
-        }
-    }
-
-    let resp = next.run(req).await;
-    let status = resp.status().as_u16();
-    let elapsed = start.elapsed().as_millis();
-
-    // Known client probe patterns that legitimately 404 — downgrade to debug to
-    // avoid noise in production logs.  These are:
-    //   • GET /.well-known/* — OAuth/OIDC discovery by MCP clients (RFC 8414 / RFC 9728)
-    //   • GET /mcp → 404    — old SSE-transport compatibility probe by clients
-    let is_expected_probe_404 = status == 404
-        && (path.starts_with("/.well-known/")
-            || (method == Method::GET && path.starts_with("/mcp")));
-
-    if is_expected_probe_404 {
-        tracing::debug!(
-            method = method.as_str(),
-            path,
-            status,
-            elapsed_ms = elapsed,
-            client_ip = ip.as_deref(),
-            ua = ua.as_deref(),
-            "probe request (not found — expected)",
-        );
-    } else {
-        log_http_request(
-            &method,
-            &path,
-            status,
-            elapsed,
-            ip.as_deref(),
-            ua.as_deref(),
-            content_len,
-        );
-    }
-
-    resp
-}
-
-// ── Logging helpers ───────────────────────────────────────────────────────────
-
-fn log_http_request(
-    method: &Method,
-    path: &str,
-    status: u16,
-    elapsed_ms: u128,
-    client_ip: Option<&str>,
-    ua: Option<&str>,
-    content_length: Option<u64>,
-) {
-    tracing::info!(
-        method = method.as_str(),
-        path,
-        status,
-        elapsed_ms,
-        client_ip,
-        ua,
-        content_length,
-        "http request",
-    );
-}
-
-#[allow(clippy::too_many_arguments)]
-fn log_mcp_request(
-    method: &Method,
-    path: &str,
-    status: u16,
-    elapsed_ms: u128,
-    client_ip: Option<&str>,
-    ua: Option<&str>,
-    content_length: Option<u64>,
-    mcp_session: Option<&str>,
-    auth_key: Option<&str>,
-    enc_key: &str,
-    user_id: Option<&str>,
-    rpc: &JsonRpcMeta,
-) {
-    tracing::info!(
-        method = method.as_str(),
-        path,
-        status,
-        elapsed_ms,
-        client_ip,
-        ua,
-        content_length,
-        mcp_session,
-        jsonrpc = rpc.rpc_method.as_deref(),
-        tool = rpc.tool_name.as_deref(),
-        jsonrpc_id = rpc.request_id.as_deref(),
-        batch_size = rpc.batch_size,
-        tool_args = rpc.tool_args.as_deref(),
-        auth_key,
-        enc_key,
-        user_id,
-        "mcp request",
-    );
-}
-
-// ── Sensitive header masking ──────────────────────────────────────────────────
-
-/// Mask a Bearer token: emit only the first 12 characters followed by `…`.
-/// Returns `None` if the Authorization header is absent or not a Bearer token.
-/// Example: `sk_90c88844e4e5…`
-fn mask_bearer(headers: &HeaderMap) -> Option<String> {
-    let val = headers.get(AUTHORIZATION)?.to_str().ok()?;
-    let token = val.strip_prefix("Bearer ")?.trim();
-    if token.is_empty() {
-        return None;
-    }
-    if token.len() > 12 {
-        Some(format!("{}…", &token[..12]))
-    } else {
-        Some(token.to_string())
-    }
-}
-
-/// Fingerprint the X-Encryption-Key header.
-///
-/// Emits first 4 chars, last 4 chars, and raw byte length, e.g. `146b…5516(64)`.
-/// Returns `"absent"` when the header is missing. Reveals enough to confirm
-/// which key arrived and whether it was truncated or padded, without revealing
-/// the full value.
-fn mask_enc_key(headers: &HeaderMap) -> String {
-    match headers
-        .get("x-encryption-key")
-        .and_then(|v| v.to_str().ok())
-    {
-        Some(val) => {
-            let raw_len = val.len();
-            let t = val.trim();
-            let len = t.len();
-            if len >= 8 {
-                let prefix = &t[..4];
-                let suffix = &t[len - 4..];
-                if raw_len != len {
-                    // Trailing/leading whitespace detected — extra diagnostic.
-                    format!("{prefix}…{suffix}({len}, raw={raw_len})")
-                } else {
-                    format!("{prefix}…{suffix}({len})")
-                }
-            } else {
-                format!("…({len})")
-            }
-        }
-        None => "absent".to_string(),
-    }
-}
-
-// ── JSON-RPC body parsing ─────────────────────────────────────────────────────
-
-/// Safe (non-sensitive) argument keys that may be included verbatim in logs.
-/// Keys NOT in this list (e.g. `secrets`, `secrets_obj`, `meta_obj`,
-/// `encryption_key`) are silently dropped.
-const SAFE_ARG_KEYS: &[&str] = &[
-    "id",
-    "name",
-    "name_query",
-    "folder",
-    "type",
-    "entry_type",
-    "field",
-    "query",
-    "tags",
-    "limit",
-    "offset",
-    "format",
-    "dry_run",
-    "prefix",
-];
-
-#[derive(Debug, Default)]
-struct JsonRpcMeta {
-    request_id: Option<String>,
-    rpc_method: Option<String>,
-    tool_name: Option<String>,
-    batch_size: Option<usize>,
-    /// Non-sensitive tool call arguments for diagnostic logging.
-    tool_args: Option<String>,
-}
-
-fn parse_jsonrpc_meta(bytes: &Bytes) -> JsonRpcMeta {
-    let Ok(value) = serde_json::from_slice::<serde_json::Value>(bytes) else {
-        return JsonRpcMeta::default();
-    };
-
-    if let Some(arr) = value.as_array() {
-        // Batch request: summarise method(s) from first element only
-        let first = arr.first().map(parse_single).unwrap_or_default();
-        return JsonRpcMeta {
-            batch_size: Some(arr.len()),
-            ..first
-        };
-    }
-
-    parse_single(&value)
-}
-
-fn parse_single(value: &serde_json::Value) -> JsonRpcMeta {
-    let request_id = value.get("id").and_then(json_to_string);
-    let rpc_method = value
-        .get("method")
-        .and_then(|v| v.as_str())
-        .map(|s| s.to_string());
-    let tool_name = value
-        .pointer("/params/name")
-        .and_then(|v| v.as_str())
-        .map(|s| s.to_string());
-    let tool_args = extract_tool_args(value);
-
-    JsonRpcMeta {
-        request_id,
-        rpc_method,
-        tool_name,
-        batch_size: None,
-        tool_args,
-    }
-}
-
-/// Extract a compact summary of non-sensitive tool arguments for logging.
-/// Only keys listed in `SAFE_ARG_KEYS` are included.
-fn extract_tool_args(value: &serde_json::Value) -> Option<String> {
-    let args = value.pointer("/params/arguments")?;
-    let obj = args.as_object()?;
-    let pairs: Vec<String> = obj
-        .iter()
-        .filter(|(k, v)| SAFE_ARG_KEYS.contains(&k.as_str()) && !v.is_null())
-        .map(|(k, v)| format!("{}={}", k, summarize_value(v)))
-        .collect();
-    if pairs.is_empty() {
-        None
-    } else {
-        Some(pairs.join(" "))
-    }
-}
-
-/// Produce a short, log-safe representation of a JSON value.
-fn summarize_value(v: &serde_json::Value) -> String {
-    match v {
-        serde_json::Value::String(s) => {
-            if s.len() > 64 {
-                format!("\"{}…\"", &s[..64])
-            } else {
-                format!("\"{s}\"")
-            }
-        }
-        serde_json::Value::Array(arr) => format!("[…{}]", arr.len()),
-        serde_json::Value::Object(_) => "{…}".to_string(),
-        other => other.to_string(),
-    }
-}
-
-fn json_to_string(value: &serde_json::Value) -> Option<String> {
-    match value {
-        serde_json::Value::Null => None,
-        serde_json::Value::String(s) => Some(s.clone()),
-        serde_json::Value::Number(n) => Some(n.to_string()),
-        serde_json::Value::Bool(b) => Some(b.to_string()),
-        other => Some(other.to_string()),
-    }
-}
-
-// ── Header helpers ────────────────────────────────────────────────────────────
-
-fn header_str(headers: &HeaderMap, name: impl axum::http::header::AsHeaderName) -> Option<String> {
-    headers
-        .get(name)
-        .and_then(|v| v.to_str().ok())
-        .map(|s| s.to_string())
-}
-
-fn client_ip(req: &Request) -> Option<String> {
-    crate::client_ip::extract_client_ip(req).into()
-}

crates/secrets-mcp/src/main.rs

@@ -1,366 +0,0 @@
-mod auth;
-mod client_ip;
-mod error;
-mod logging;
-mod oauth;
-mod rate_limit;
-mod tools;
-mod validation;
-mod web;
-
-use std::net::SocketAddr;
-
-use anyhow::{Context, Result};
-use axum::Router;
-use rmcp::transport::streamable_http_server::{
-    StreamableHttpService, session::local::LocalSessionManager,
-};
-use sqlx::PgPool;
-use tower_http::cors::{Any, CorsLayer};
-use tower_sessions::cookie::SameSite;
-use tower_sessions::session_store::ExpiredDeletion;
-use tower_sessions::{Expiry, SessionManagerLayer};
-use tower_sessions_sqlx_store_chrono::PostgresStore;
-use tracing_subscriber::EnvFilter;
-use tracing_subscriber::fmt::time::FormatTime;
-
-use secrets_core::config::resolve_db_config;
-use secrets_core::db::{create_pool, migrate};
-use secrets_core::service::delete::purge_expired_deleted_entries;
-
-use crate::oauth::OAuthConfig;
-use crate::tools::SecretsService;
-
-/// Shared application state injected into web routes and middleware.
-#[derive(Clone)]
-pub struct AppState {
-    pub pool: PgPool,
-    pub google_config: Option<OAuthConfig>,
-    pub base_url: String,
-    pub http_client: reqwest::Client,
-}
-
-fn load_env_var(name: &str) -> Option<String> {
-    std::env::var(name).ok().filter(|s| !s.is_empty())
-}
-
-/// Pretty-print bind address in logs (`127.0.0.1` → `localhost`); actual socket bind unchanged.
-fn listen_addr_log_display(bind_addr: &str) -> String {
-    bind_addr
-        .strip_prefix("127.0.0.1:")
-        .map(|port| format!("localhost:{port}"))
-        .unwrap_or_else(|| bind_addr.to_string())
-}
-
-fn load_oauth_config(prefix: &str, base_url: &str, path: &str) -> Option<OAuthConfig> {
-    let client_id = load_env_var(&format!("{}_CLIENT_ID", prefix))?;
-    let client_secret = load_env_var(&format!("{}_CLIENT_SECRET", prefix))?;
-    Some(OAuthConfig {
-        client_id,
-        client_secret,
-        redirect_uri: format!("{}{}", base_url, path),
-    })
-}
-
-/// Log line timestamps in the process local timezone (honors `TZ` / system zone).
-#[derive(Clone, Copy, Default)]
-struct LocalRfc3339Time;
-
-impl FormatTime for LocalRfc3339Time {
-    fn format_time(&self, w: &mut tracing_subscriber::fmt::format::Writer<'_>) -> std::fmt::Result {
-        write!(
-            w,
-            "{}",
-            chrono::Local::now().to_rfc3339_opts(chrono::SecondsFormat::Millis, false)
-        )
-    }
-}
-
-#[tokio::main]
-async fn main() -> Result<()> {
-    // Load .env if present
-    let _ = dotenvy::dotenv();
-
-    tracing_subscriber::fmt()
-        .with_timer(LocalRfc3339Time)
-        .with_env_filter(
-            EnvFilter::try_from_default_env()
-                .unwrap_or_else(|_| "secrets_mcp=info,tower_http=info".into()),
-        )
-        .init();
-
-    // ── Database ──────────────────────────────────────────────────────────────
-    let db_config = resolve_db_config("")
-        .context("Database not configured. Set SECRETS_DATABASE_URL environment variable.")?;
-    let pool = create_pool(&db_config)
-        .await
-        .context("failed to connect to database")?;
-    migrate(&pool)
-        .await
-        .context("failed to run database migrations")?;
-    tracing::info!("Database connected and migrated");
-
-    // ── Configuration ─────────────────────────────────────────────────────────
-    let base_url = load_env_var("BASE_URL").unwrap_or_else(|| "http://localhost:9315".to_string());
-    let bind_addr =
-        load_env_var("SECRETS_MCP_BIND").unwrap_or_else(|| "127.0.0.1:9315".to_string());
-
-    // ── OAuth providers ───────────────────────────────────────────────────────
-    let google_config = load_oauth_config("GOOGLE", &base_url, "/auth/google/callback");
-
-    if google_config.is_none() {
-        tracing::warn!(
-            "No OAuth providers configured. Set GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET to enable login."
-        );
-    }
-
-    // ── Session store (PostgreSQL-backed) ─────────────────────────────────────
-    let session_store = PostgresStore::new(pool.clone());
-    session_store
-        .migrate()
-        .await
-        .context("failed to run session table migration")?;
-    // Prune expired rows every hour; task is aborted when the server shuts down.
-    let session_cleanup = tokio::spawn(
-        session_store
-            .clone()
-            .continuously_delete_expired(tokio::time::Duration::from_secs(3600)),
-    );
-    // Strict would drop the session cookie on redirect from Google → our origin (cross-site nav).
-    let session_layer = SessionManagerLayer::new(session_store)
-        .with_secure(base_url.starts_with("https://"))
-        .with_same_site(SameSite::Lax)
-        .with_expiry(Expiry::OnInactivity(time::Duration::days(14)));
-
-    // ── App state ─────────────────────────────────────────────────────────────
-    let app_state = AppState {
-        pool: pool.clone(),
-        google_config,
-        base_url: base_url.clone(),
-        http_client: reqwest::Client::builder()
-            .timeout(std::time::Duration::from_secs(15))
-            .build()
-            .context("failed to build HTTP client")?,
-    };
-
-    // ── MCP service ───────────────────────────────────────────────────────────
-    let pool_for_mcp = pool.clone();
-
-    let mcp_service = StreamableHttpService::new(
-        move || {
-            let p = pool_for_mcp.clone();
-            Ok(SecretsService::new(p))
-        },
-        LocalSessionManager::default().into(),
-        Default::default(),
-    );
-
-    // ── Router ────────────────────────────────────────────────────────────────
-    // CORS: restrict origins in production, allow all in development
-    let is_production = matches!(
-        load_env_var("SECRETS_ENV")
-            .as_deref()
-            .map(|s| s.to_ascii_lowercase())
-            .as_deref(),
-        Some("prod" | "production")
-    );
-
-    let cors = build_cors_layer(&base_url, is_production);
-
-    // Rate limiting
-    let rate_limit_state = rate_limit::RateLimitState::new();
-    let rate_limit_cleanup = rate_limit::spawn_cleanup_task(rate_limit_state.ip_limiter.clone());
-    let recycle_bin_cleanup = tokio::spawn(start_recycle_bin_cleanup_task(pool.clone()));
-
-    let router = Router::new()
-        .merge(web::web_router())
-        .nest_service("/mcp", mcp_service)
-        .layer(axum::middleware::from_fn(
-            logging::request_logging_middleware,
-        ))
-        .layer(axum::middleware::from_fn_with_state(
-            pool,
-            auth::bearer_auth_middleware,
-        ))
-        .layer(axum::middleware::from_fn_with_state(
-            rate_limit_state.clone(),
-            rate_limit::rate_limit_middleware,
-        ))
-        .layer(session_layer)
-        .layer(cors)
-        .layer(tower_http::limit::RequestBodyLimitLayer::new(
-            10 * 1024 * 1024,
-        ))
-        .with_state(app_state);
-
-    // ── Start server ──────────────────────────────────────────────────────────
-    let listener = tokio::net::TcpListener::bind(&bind_addr)
-        .await
-        .with_context(|| format!("failed to bind to {}", bind_addr))?;
-
-    tracing::info!(
-        "Secrets MCP Server listening on http://{}",
-        listen_addr_log_display(&bind_addr)
-    );
-    tracing::info!("MCP endpoint: {}/mcp", base_url);
-
-    axum::serve(
-        listener,
-        router.into_make_service_with_connect_info::<SocketAddr>(),
-    )
-    .with_graceful_shutdown(shutdown_signal())
-    .await
-    .context("server error")?;
-
-    session_cleanup.abort();
-    rate_limit_cleanup.abort();
-    recycle_bin_cleanup.abort();
-    Ok(())
-}
-
-async fn start_recycle_bin_cleanup_task(pool: PgPool) {
-    let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(24 * 60 * 60));
-    interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Delay);
-
-    loop {
-        interval.tick().await;
-        match purge_expired_deleted_entries(&pool).await {
-            Ok(count) if count > 0 => {
-                tracing::info!(purged_count = count, "purged expired recycle bin entries");
-            }
-            Ok(_) => {}
-            Err(error) => {
-                tracing::warn!(error = %error, "failed to purge expired recycle bin entries");
-            }
-        }
-    }
-}
-
-async fn shutdown_signal() {
-    let ctrl_c = tokio::signal::ctrl_c();
-
-    #[cfg(unix)]
-    let terminate = async {
-        tokio::signal::unix::signal(tokio::signal::unix::SignalKind::terminate())
-            .expect("failed to install SIGTERM handler")
-            .recv()
-            .await;
-    };
-
-    #[cfg(not(unix))]
-    let terminate = std::future::pending::<()>();
-
-    tokio::select! {
-        _ = ctrl_c => {},
-        _ = terminate => {},
-    }
-
-    tracing::info!("Shutting down gracefully...");
-}
-
-/// Production CORS allowed headers.
-///
-/// When adding a new custom header to the MCP or Web API, this list must be
-/// updated accordingly — otherwise browsers will block the request during
-/// the CORS preflight check.
-fn production_allowed_headers() -> [axum::http::HeaderName; 5] {
-    [
-        axum::http::header::AUTHORIZATION,
-        axum::http::header::CONTENT_TYPE,
-        axum::http::HeaderName::from_static("x-encryption-key"),
-        axum::http::HeaderName::from_static("mcp-session-id"),
-        axum::http::HeaderName::from_static("x-mcp-session"),
-    ]
-}
-
-/// Production CORS allowed methods.
-///
-/// Keep this list explicit because tower-http rejects
-/// `allow_credentials(true)` together with `allow_methods(Any)`.
-fn production_allowed_methods() -> [axum::http::Method; 5] {
-    [
-        axum::http::Method::GET,
-        axum::http::Method::POST,
-        axum::http::Method::PATCH,
-        axum::http::Method::DELETE,
-        axum::http::Method::OPTIONS,
-    ]
-}
-
-/// Build the CORS layer for the application.
-///
-/// In production mode the origin is restricted to the BASE_URL origin
-/// (scheme://host:port, path stripped) and credentials are allowed.
-/// `allow_headers` and `allow_methods` use explicit whitelists to avoid the
-/// tower-http restriction on `allow_credentials(true)` + wildcards.
-///
-/// In development mode all origins, methods and headers are allowed.
-fn build_cors_layer(base_url: &str, is_production: bool) -> CorsLayer {
-    if is_production {
-        let allowed_origin = if let Ok(parsed) = base_url.parse::<url::Url>() {
-            let origin = parsed.origin().ascii_serialization();
-            origin
-                .parse::<axum::http::HeaderValue>()
-                .unwrap_or_else(|_| panic!("invalid BASE_URL origin: {}", origin))
-        } else {
-            base_url
-                .parse::<axum::http::HeaderValue>()
-                .unwrap_or_else(|_| panic!("invalid BASE_URL: {}", base_url))
-        };
-        CorsLayer::new()
-            .allow_origin(allowed_origin)
-            .allow_methods(production_allowed_methods())
-            .allow_headers(production_allowed_headers())
-            .allow_credentials(true)
-    } else {
-        CorsLayer::new()
-            .allow_origin(Any)
-            .allow_methods(Any)
-            .allow_headers(Any)
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn production_cors_does_not_panic() {
-        let layer = build_cors_layer("https://secrets.example.com/app", true);
-        let _ = layer;
-    }
-
-    #[test]
-    fn production_cors_headers_include_all_required() {
-        let headers = production_allowed_headers();
-        let names: Vec<&str> = headers.iter().map(|h| h.as_str()).collect();
-        assert!(names.contains(&"authorization"));
-        assert!(names.contains(&"content-type"));
-        assert!(names.contains(&"x-encryption-key"));
-        assert!(names.contains(&"mcp-session-id"));
-        assert!(names.contains(&"x-mcp-session"));
-    }
-
-    #[test]
-    fn production_cors_methods_include_all_required() {
-        let methods = production_allowed_methods();
-        assert!(methods.contains(&axum::http::Method::GET));
-        assert!(methods.contains(&axum::http::Method::POST));
-        assert!(methods.contains(&axum::http::Method::PATCH));
-        assert!(methods.contains(&axum::http::Method::DELETE));
-        assert!(methods.contains(&axum::http::Method::OPTIONS));
-    }
-
-    #[test]
-    fn production_cors_normalizes_base_url_with_path() {
-        let url = url::Url::parse("https://secrets.example.com/secrets/app").unwrap();
-        let origin = url.origin().ascii_serialization();
-        assert_eq!(origin, "https://secrets.example.com");
-    }
-
-    #[test]
-    fn development_cors_allows_everything() {
-        let layer = build_cors_layer("http://localhost:9315", false);
-        let _ = layer;
-    }
-}

crates/secrets-mcp/src/oauth/google.rs

@@ -1,116 +0,0 @@
-use std::time::Duration;
-
-use anyhow::{Context, Result};
-use serde::Deserialize;
-
-use super::{OAuthConfig, OAuthUserInfo};
-
-/// OAuth token / userinfo calls can be slow on poor routes; keep above client default if needed.
-const OAUTH_HTTP_TIMEOUT: Duration = Duration::from_secs(45);
-
-#[derive(Deserialize)]
-struct TokenResponse {
-    access_token: String,
-    #[allow(dead_code)]
-    token_type: String,
-    #[allow(dead_code)]
-    id_token: Option<String>,
-}
-
-#[derive(Deserialize)]
-struct UserInfo {
-    sub: String,
-    email: Option<String>,
-    name: Option<String>,
-    picture: Option<String>,
-}
-
-fn map_reqwest_send_err(e: reqwest::Error) -> anyhow::Error {
-    if e.is_timeout() {
-        anyhow::anyhow!(
-            "timeout reaching Google OAuth ({}s); ensure outbound HTTPS to oauth2.googleapis.com works (firewall/proxy/VPN if Google is unreachable)",
-            OAUTH_HTTP_TIMEOUT.as_secs()
-        )
-    } else if e.is_connect() {
-        anyhow::anyhow!("connection error to Google OAuth: {e}")
-    } else {
-        anyhow::Error::new(e)
-    }
-}
-
-/// Exchange authorization code for tokens and fetch user profile.
-pub async fn exchange_code(
-    client: &reqwest::Client,
-    config: &OAuthConfig,
-    code: &str,
-) -> Result<OAuthUserInfo> {
-    let token_http = client
-        .post("https://oauth2.googleapis.com/token")
-        .timeout(OAUTH_HTTP_TIMEOUT)
-        .form(&[
-            ("code", code),
-            ("client_id", &config.client_id),
-            ("client_secret", &config.client_secret),
-            ("redirect_uri", &config.redirect_uri),
-            ("grant_type", "authorization_code"),
-        ])
-        .send()
-        .await
-        .map_err(map_reqwest_send_err)
-        .context("Google token HTTP request failed")?;
-
-    let status = token_http.status();
-    let body_bytes = token_http
-        .bytes()
-        .await
-        .context("read Google token response body")?;
-
-    if !status.is_success() {
-        let body_lossy = String::from_utf8_lossy(&body_bytes);
-        tracing::warn!(%status, body = %body_lossy, "Google token endpoint error");
-        anyhow::bail!(
-            "Google token error {}: {}",
-            status,
-            body_lossy.chars().take(512).collect::<String>()
-        );
-    }
-
-    let token_resp: TokenResponse =
-        serde_json::from_slice(&body_bytes).context("failed to parse Google token JSON")?;
-
-    let user_http = client
-        .get("https://openidconnect.googleapis.com/v1/userinfo")
-        .timeout(OAUTH_HTTP_TIMEOUT)
-        .bearer_auth(&token_resp.access_token)
-        .send()
-        .await
-        .map_err(map_reqwest_send_err)
-        .context("Google userinfo HTTP request failed")?;
-
-    let status = user_http.status();
-    let body_bytes = user_http
-        .bytes()
-        .await
-        .context("read Google userinfo body")?;
-
-    if !status.is_success() {
-        let body_lossy = String::from_utf8_lossy(&body_bytes);
-        tracing::warn!(%status, body = %body_lossy, "Google userinfo endpoint error");
-        anyhow::bail!(
-            "Google userinfo error {}: {}",
-            status,
-            body_lossy.chars().take(512).collect::<String>()
-        );
-    }
-
-    let user: UserInfo =
-        serde_json::from_slice(&body_bytes).context("failed to parse Google userinfo JSON")?;
-
-    Ok(OAuthUserInfo {
-        provider: "google".to_string(),
-        provider_id: user.sub,
-        email: user.email,
-        name: user.name,
-        avatar_url: user.picture,
-    })
-}

crates/secrets-mcp/src/oauth/mod.rs

@@ -1,45 +0,0 @@
-pub mod google;
-pub mod wechat; // not yet implemented — placeholder for future WeChat integration
-
-use serde::{Deserialize, Serialize};
-
-/// Normalized OAuth user profile from any provider.
-#[derive(Debug, Clone)]
-pub struct OAuthUserInfo {
-    pub provider: String,
-    pub provider_id: String,
-    pub email: Option<String>,
-    pub name: Option<String>,
-    pub avatar_url: Option<String>,
-}
-
-/// OAuth provider configuration.
-#[derive(Clone, Debug, Deserialize, Serialize)]
-pub struct OAuthConfig {
-    pub client_id: String,
-    pub client_secret: String,
-    pub redirect_uri: String,
-}
-
-/// Build the Google authorization URL.
-pub fn google_auth_url(config: &OAuthConfig, state: &str) -> String {
-    format!(
-        "https://accounts.google.com/o/oauth2/v2/auth\
-         ?client_id={}\
-         &redirect_uri={}\
-         &response_type=code\
-         &scope=openid%20email%20profile\
-         &state={}\
-         &access_type=offline",
-        urlencoding::encode(&config.client_id),
-        urlencoding::encode(&config.redirect_uri),
-        urlencoding::encode(state),
-    )
-}
-
-pub fn random_state() -> String {
-    use rand::RngExt;
-    let mut bytes = [0u8; 16];
-    rand::rng().fill(&mut bytes);
-    secrets_core::crypto::hex::encode_hex(&bytes)
-}

crates/secrets-mcp/src/oauth/wechat.rs

@@ -1,18 +0,0 @@
-use super::{OAuthConfig, OAuthUserInfo};
-/// WeChat OAuth — not yet implemented.
-///
-/// This module is a placeholder for future WeChat Open Platform integration.
-/// When ready, implement `exchange_code` following the non-standard WeChat OAuth 2.0 flow:
-/// - Token exchange uses a GET request (not POST)
-/// - Preferred user identifier is `unionid` (cross-app), falling back to `openid`
-/// - Docs: https://developers.weixin.qq.com/doc/oplatform/Website_App/WeChat_Login/Wechat_Login.html
-use anyhow::{Result, bail};
-
-#[allow(dead_code)] // Placeholder — implement when WeChat login is needed.
-pub async fn exchange_code(
-    _client: &reqwest::Client,
-    _config: &OAuthConfig,
-    _code: &str,
-) -> Result<OAuthUserInfo> {
-    bail!("WeChat login is not yet implemented")
-}

crates/secrets-mcp/src/rate_limit.rs

@@ -1,160 +0,0 @@
-use std::num::NonZeroU32;
-use std::sync::Arc;
-use std::time::Duration;
-
-use axum::{
-    extract::{Request, State},
-    http::{HeaderMap, HeaderValue, StatusCode},
-    middleware::Next,
-    response::{IntoResponse, Response},
-};
-use governor::{
-    Quota, RateLimiter,
-    clock::{Clock, DefaultClock},
-    state::{InMemoryState, NotKeyed, keyed::DashMapStateStore},
-};
-use serde_json::json;
-
-use crate::client_ip;
-
-/// Per-IP rate limiter (keyed by client IP string)
-type IpRateLimiter = RateLimiter<String, DashMapStateStore<String>, DefaultClock>;
-
-/// Global rate limiter (not keyed)
-type GlobalRateLimiter = RateLimiter<NotKeyed, InMemoryState, DefaultClock>;
-
-/// Parse a u32 env value into NonZeroU32, logging a warning and falling back
-/// to the default if the value is zero.
-fn nz_or_log(value: u32, default: u32, name: &str) -> NonZeroU32 {
-    NonZeroU32::new(value).unwrap_or_else(|| {
-        tracing::warn!(
-            configured = value,
-            default,
-            "{name} must be non-zero, using default"
-        );
-        NonZeroU32::new(default).unwrap()
-    })
-}
-
-#[derive(Clone)]
-pub struct RateLimitState {
-    pub ip_limiter: Arc<IpRateLimiter>,
-    pub global_limiter: Arc<GlobalRateLimiter>,
-}
-
-impl RateLimitState {
-    /// Create a new RateLimitState with default limits.
-    ///
-    /// Default limits (can be overridden via environment variables):
-    /// - Global: 100 req/s, burst 200
-    /// - Per-IP: 20 req/s, burst 40
-    pub fn new() -> Self {
-        let global_rate = std::env::var("RATE_LIMIT_GLOBAL_PER_SECOND")
-            .ok()
-            .and_then(|v| v.parse::<u32>().ok())
-            .unwrap_or(100);
-
-        let global_burst = std::env::var("RATE_LIMIT_GLOBAL_BURST")
-            .ok()
-            .and_then(|v| v.parse::<u32>().ok())
-            .unwrap_or(200);
-
-        let ip_rate = std::env::var("RATE_LIMIT_IP_PER_SECOND")
-            .ok()
-            .and_then(|v| v.parse::<u32>().ok())
-            .unwrap_or(20);
-
-        let ip_burst = std::env::var("RATE_LIMIT_IP_BURST")
-            .ok()
-            .and_then(|v| v.parse::<u32>().ok())
-            .unwrap_or(40);
-
-        let global_rate_nz = nz_or_log(global_rate, 100, "RATE_LIMIT_GLOBAL_PER_SECOND");
-        let global_burst_nz = nz_or_log(global_burst, 200, "RATE_LIMIT_GLOBAL_BURST");
-        let ip_rate_nz = nz_or_log(ip_rate, 20, "RATE_LIMIT_IP_PER_SECOND");
-        let ip_burst_nz = nz_or_log(ip_burst, 40, "RATE_LIMIT_IP_BURST");
-
-        let global_quota = Quota::per_second(global_rate_nz).allow_burst(global_burst_nz);
-        let ip_quota = Quota::per_second(ip_rate_nz).allow_burst(ip_burst_nz);
-
-        tracing::info!(
-            global_rate = global_rate_nz.get(),
-            global_burst = global_burst_nz.get(),
-            ip_rate = ip_rate_nz.get(),
-            ip_burst = ip_burst_nz.get(),
-            "rate limiter initialized"
-        );
-
-        Self {
-            global_limiter: Arc::new(RateLimiter::direct(global_quota)),
-            ip_limiter: Arc::new(RateLimiter::dashmap(ip_quota)),
-        }
-    }
-}
-
-/// Rate limiting middleware function.
-///
-/// Checks both global and per-IP rate limits before allowing the request through.
-/// Returns 429 Too Many Requests if either limit is exceeded.
-pub async fn rate_limit_middleware(
-    State(rl): State<RateLimitState>,
-    req: Request,
-    next: Next,
-) -> Result<Response, Response> {
-    // Check global rate limit first
-    if let Err(negative) = rl.global_limiter.check() {
-        let retry_after = negative.wait_time_from(DefaultClock::default().now());
-        tracing::warn!(
-            retry_after_secs = retry_after.as_secs(),
-            "global rate limit exceeded"
-        );
-        return Err(too_many_requests_response(Some(retry_after)));
-    }
-
-    // Check per-IP rate limit
-    let key = client_ip::extract_client_ip(&req);
-    if let Err(negative) = rl.ip_limiter.check_key(&key) {
-        let retry_after = negative.wait_time_from(DefaultClock::default().now());
-        tracing::warn!(
-            client_ip = %key,
-            retry_after_secs = retry_after.as_secs(),
-            "per-IP rate limit exceeded"
-        );
-        return Err(too_many_requests_response(Some(retry_after)));
-    }
-
-    Ok(next.run(req).await)
-}
-
-/// Start a background task to clean up expired rate limiter entries.
-///
-/// This should be called once during application startup.
-/// The task runs every 60 seconds and will be aborted on shutdown.
-pub fn spawn_cleanup_task(ip_limiter: Arc<IpRateLimiter>) -> tokio::task::JoinHandle<()> {
-    tokio::spawn(async move {
-        let mut interval = tokio::time::interval(Duration::from_secs(60));
-        loop {
-            interval.tick().await;
-            ip_limiter.retain_recent();
-        }
-    })
-}
-
-/// Create a 429 Too Many Requests response.
-fn too_many_requests_response(retry_after: Option<Duration>) -> Response {
-    let mut headers = HeaderMap::new();
-    headers.insert("Content-Type", HeaderValue::from_static("application/json"));
-
-    if let Some(duration) = retry_after {
-        let secs = duration.as_secs().max(1);
-        if let Ok(value) = HeaderValue::from_str(&secs.to_string()) {
-            headers.insert("Retry-After", value);
-        }
-    }
-
-    let body = json!({
-        "error": "Too many requests, please try again later"
-    });
-
-    (StatusCode::TOO_MANY_REQUESTS, headers, body.to_string()).into_response()
-}

crates/secrets-mcp/src/validation.rs

@@ -1,149 +0,0 @@
-/// Validation constants for input field lengths.
-pub const MAX_NAME_LENGTH: usize = 256;
-pub const MAX_FOLDER_LENGTH: usize = 128;
-pub const MAX_ENTRY_TYPE_LENGTH: usize = 64;
-pub const MAX_NOTES_LENGTH: usize = 10000;
-pub const MAX_TAG_LENGTH: usize = 64;
-pub const MAX_TAG_COUNT: usize = 50;
-pub const MAX_META_KEY_LENGTH: usize = 128;
-pub const MAX_META_VALUE_LENGTH: usize = 4096;
-pub const MAX_META_COUNT: usize = 100;
-
-/// Validate input field lengths for MCP tools.
-///
-/// Returns an error if any field exceeds its maximum length.
-pub fn validate_input_lengths(
-    name: &str,
-    folder: Option<&str>,
-    entry_type: Option<&str>,
-    notes: Option<&str>,
-) -> Result<(), rmcp::ErrorData> {
-    if name.chars().count() > MAX_NAME_LENGTH {
-        return Err(rmcp::ErrorData::invalid_params(
-            format!("name must be at most {} characters", MAX_NAME_LENGTH),
-            None,
-        ));
-    }
-    if let Some(folder) = folder
-        && folder.chars().count() > MAX_FOLDER_LENGTH
-    {
-        return Err(rmcp::ErrorData::invalid_params(
-            format!("folder must be at most {} characters", MAX_FOLDER_LENGTH),
-            None,
-        ));
-    }
-    if let Some(entry_type) = entry_type
-        && entry_type.chars().count() > MAX_ENTRY_TYPE_LENGTH
-    {
-        return Err(rmcp::ErrorData::invalid_params(
-            format!("type must be at most {} characters", MAX_ENTRY_TYPE_LENGTH),
-            None,
-        ));
-    }
-    if let Some(notes) = notes
-        && notes.chars().count() > MAX_NOTES_LENGTH
-    {
-        return Err(rmcp::ErrorData::invalid_params(
-            format!("notes must be at most {} characters", MAX_NOTES_LENGTH),
-            None,
-        ));
-    }
-    Ok(())
-}
-
-/// Validate the tags list.
-///
-/// Checks total count and per-tag character length.
-pub fn validate_tags(tags: &[String]) -> Result<(), rmcp::ErrorData> {
-    if tags.len() > MAX_TAG_COUNT {
-        return Err(rmcp::ErrorData::invalid_params(
-            format!("at most {} tags are allowed", MAX_TAG_COUNT),
-            None,
-        ));
-    }
-    for tag in tags {
-        if tag.chars().count() > MAX_TAG_LENGTH {
-            return Err(rmcp::ErrorData::invalid_params(
-                format!(
-                    "tag '{}' exceeds the maximum length of {} characters",
-                    tag, MAX_TAG_LENGTH
-                ),
-                None,
-            ));
-        }
-    }
-    Ok(())
-}
-
-/// Validate metadata KV strings (key=value / key:=json format).
-///
-/// Checks total count and per-key/per-value character lengths.
-/// This is a best-effort check on the raw KV strings before parsing;
-/// keys containing `:` path separators are checked as a whole.
-pub fn validate_meta_entries(entries: &[String]) -> Result<(), rmcp::ErrorData> {
-    if entries.len() > MAX_META_COUNT {
-        return Err(rmcp::ErrorData::invalid_params(
-            format!("at most {} metadata entries are allowed", MAX_META_COUNT),
-            None,
-        ));
-    }
-    for entry in entries {
-        // key:=json — check both key and JSON value length
-        if let Some((key, value)) = entry.split_once(":=") {
-            if key.chars().count() > MAX_META_KEY_LENGTH {
-                return Err(rmcp::ErrorData::invalid_params(
-                    format!(
-                        "metadata key '{}' exceeds the maximum length of {} characters",
-                        key, MAX_META_KEY_LENGTH
-                    ),
-                    None,
-                ));
-            }
-            if value.chars().count() > MAX_META_VALUE_LENGTH {
-                return Err(rmcp::ErrorData::invalid_params(
-                    format!(
-                        "metadata JSON value for key '{}' exceeds the maximum length of {} characters",
-                        key, MAX_META_VALUE_LENGTH
-                    ),
-                    None,
-                ));
-            }
-            continue;
-        }
-        // key=value or key@path
-        if let Some((key, value)) = entry.split_once('=') {
-            if key.chars().count() > MAX_META_KEY_LENGTH {
-                return Err(rmcp::ErrorData::invalid_params(
-                    format!(
-                        "metadata key '{}' exceeds the maximum length of {} characters",
-                        key, MAX_META_KEY_LENGTH
-                    ),
-                    None,
-                ));
-            }
-            if value.chars().count() > MAX_META_VALUE_LENGTH {
-                return Err(rmcp::ErrorData::invalid_params(
-                    format!(
-                        "metadata value for key '{}' exceeds the maximum length of {} characters",
-                        key, MAX_META_VALUE_LENGTH
-                    ),
-                    None,
-                ));
-            }
-        } else {
-            // Fallback: entry without = or := — check total length
-            let max_total = MAX_META_KEY_LENGTH + MAX_META_VALUE_LENGTH;
-            if entry.chars().count() > max_total {
-                let preview = entry.chars().take(50).collect::<String>();
-                return Err(rmcp::ErrorData::invalid_params(
-                    format!(
-                        "metadata entry '{}' exceeds the maximum length of {} characters",
-                        preview, max_total
-                    ),
-                    None,
-                ));
-            }
-        }
-    }
-    Ok(())
-}

crates/secrets-mcp/src/web/account.rs

@@ -1,297 +0,0 @@
-use askama::Template;
-use axum::{Json, extract::State, http::StatusCode, response::Response};
-use serde::{Deserialize, Serialize};
-use tower_sessions::Session;
-
-use secrets_core::crypto::hex;
-use secrets_core::service::{
-    api_key::{ensure_api_key, regenerate_api_key},
-    user::{change_user_key, get_user_by_id, update_user_key_setup},
-};
-
-use crate::AppState;
-
-use super::{SESSION_KEY_VERSION, load_session_user_strict, render_template, require_valid_user};
-
-#[derive(Template)]
-#[template(path = "dashboard.html")]
-struct DashboardTemplate {
-    user_name: String,
-    user_email: String,
-    has_passphrase: bool,
-    base_url: String,
-    version: &'static str,
-}
-
-#[derive(Serialize)]
-pub(super) struct KeySaltResponse {
-    has_passphrase: bool,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    salt: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    key_check: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    params: Option<serde_json::Value>,
-}
-
-#[derive(Deserialize)]
-pub(super) struct KeySetupRequest {
-    /// Hex-encoded 32-byte random salt
-    salt: String,
-    /// Hex-encoded AES-256-GCM encryption of "secrets-mcp-key-check" with the derived key
-    key_check: String,
-    /// Key derivation parameters, e.g. {"alg":"pbkdf2-sha256","iterations":600000}
-    params: serde_json::Value,
-}
-
-#[derive(Serialize)]
-pub(super) struct KeySetupResponse {
-    ok: bool,
-}
-
-#[derive(Deserialize)]
-pub(super) struct KeyChangeRequest {
-    /// Old derived key as 64-char hex — used to decrypt existing secrets
-    old_key: String,
-    /// New derived key as 64-char hex — used to re-encrypt secrets
-    new_key: String,
-    /// New 32-byte hex salt
-    salt: String,
-    /// New key_check: AES-256-GCM of KEY_CHECK_PLAINTEXT with the new key (hex)
-    key_check: String,
-    /// New key derivation parameters
-    params: serde_json::Value,
-}
-
-#[derive(Serialize)]
-pub(super) struct ApiKeyResponse {
-    api_key: String,
-}
-
-pub(super) async fn dashboard(
-    State(state): State<AppState>,
-    session: Session,
-) -> Result<Response, StatusCode> {
-    let user = match require_valid_user(&state.pool, &session, "dashboard").await {
-        Ok(u) => u,
-        Err(r) => return Ok(r),
-    };
-
-    let tmpl = DashboardTemplate {
-        user_name: user.name.clone(),
-        user_email: user.email.clone().unwrap_or_default(),
-        has_passphrase: user.key_salt.is_some(),
-        base_url: state.base_url.clone(),
-        version: env!("CARGO_PKG_VERSION"),
-    };
-
-    render_template(tmpl)
-}
-
-pub(super) async fn api_key_salt(
-    State(state): State<AppState>,
-    session: Session,
-) -> Result<Json<KeySaltResponse>, StatusCode> {
-    let user = match load_session_user_strict(&state.pool, &session).await {
-        Ok(Some(u)) => u,
-        Ok(None) => return Err(StatusCode::UNAUTHORIZED),
-        Err(()) => return Err(StatusCode::INTERNAL_SERVER_ERROR),
-    };
-
-    if user.key_salt.is_none() {
-        return Ok(Json(KeySaltResponse {
-            has_passphrase: false,
-            salt: None,
-            key_check: None,
-            params: None,
-        }));
-    }
-
-    Ok(Json(KeySaltResponse {
-        has_passphrase: true,
-        salt: user.key_salt.as_deref().map(hex::encode_hex),
-        key_check: user.key_check.as_deref().map(hex::encode_hex),
-        params: user.key_params,
-    }))
-}
-
-pub(super) async fn api_key_setup(
-    State(state): State<AppState>,
-    session: Session,
-    Json(body): Json<KeySetupRequest>,
-) -> Result<Json<KeySetupResponse>, StatusCode> {
-    let user = match load_session_user_strict(&state.pool, &session).await {
-        Ok(Some(u)) => u,
-        Ok(None) => return Err(StatusCode::UNAUTHORIZED),
-        Err(()) => return Err(StatusCode::INTERNAL_SERVER_ERROR),
-    };
-    let user_id = user.id;
-
-    // Guard: if a passphrase is already configured, reject and direct to /api/key-change
-    if user.key_salt.is_some() {
-        tracing::warn!(%user_id, "key-setup called but passphrase already configured; use /api/key-change");
-        return Err(StatusCode::CONFLICT);
-    }
-
-    let salt = hex::decode_hex(&body.salt).map_err(|e| {
-        tracing::warn!(error = %e, "invalid hex in key-setup salt");
-        StatusCode::BAD_REQUEST
-    })?;
-    let key_check = hex::decode_hex(&body.key_check).map_err(|e| {
-        tracing::warn!(error = %e, "invalid hex in key-setup key_check");
-        StatusCode::BAD_REQUEST
-    })?;
-
-    if salt.len() != 32 {
-        tracing::warn!(salt_len = salt.len(), "key-setup salt must be 32 bytes");
-        return Err(StatusCode::BAD_REQUEST);
-    }
-
-    update_user_key_setup(&state.pool, user_id, &salt, &key_check, &body.params)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, "failed to update key setup");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-
-    Ok(Json(KeySetupResponse { ok: true }))
-}
-
-// ── Change passphrase (re-encrypts all secrets) ───────────────────────────────
-
-pub(super) async fn api_key_change(
-    State(state): State<AppState>,
-    session: Session,
-    Json(body): Json<KeyChangeRequest>,
-) -> Result<Json<KeySetupResponse>, StatusCode> {
-    let user = match load_session_user_strict(&state.pool, &session).await {
-        Ok(Some(u)) => u,
-        Ok(None) => return Err(StatusCode::UNAUTHORIZED),
-        Err(()) => return Err(StatusCode::INTERNAL_SERVER_ERROR),
-    };
-    let user_id = user.id;
-
-    // Must have an existing passphrase to change
-    let existing_key_check = user.key_check.ok_or_else(|| {
-        tracing::warn!(%user_id, "key-change called but no passphrase configured; use /api/key-setup");
-        StatusCode::BAD_REQUEST
-    })?;
-
-    // Validate and decode old key
-    let old_key_bytes = secrets_core::crypto::extract_key_from_hex(&body.old_key).map_err(|e| {
-        tracing::warn!(error = %e, "invalid old_key hex in key-change");
-        StatusCode::BAD_REQUEST
-    })?;
-
-    // Verify old_key against the stored key_check
-    let plaintext = secrets_core::crypto::decrypt(&old_key_bytes, &existing_key_check).map_err(|_| {
-        tracing::warn!(%user_id, "key-change rejected: old_key does not match stored key_check");
-        StatusCode::UNAUTHORIZED
-    })?;
-    if plaintext != b"secrets-mcp-key-check" {
-        tracing::warn!(%user_id, "key-change rejected: decrypted key_check content mismatch");
-        return Err(StatusCode::UNAUTHORIZED);
-    }
-
-    // Validate and decode new key
-    let new_key_bytes = secrets_core::crypto::extract_key_from_hex(&body.new_key).map_err(|e| {
-        tracing::warn!(error = %e, "invalid new_key hex in key-change");
-        StatusCode::BAD_REQUEST
-    })?;
-
-    // Decode new salt and key_check
-    let new_salt = hex::decode_hex(&body.salt).map_err(|e| {
-        tracing::warn!(error = %e, "invalid hex in key-change salt");
-        StatusCode::BAD_REQUEST
-    })?;
-    if new_salt.len() != 32 {
-        tracing::warn!(
-            salt_len = new_salt.len(),
-            "key-change salt must be 32 bytes"
-        );
-        return Err(StatusCode::BAD_REQUEST);
-    }
-    let new_key_check = hex::decode_hex(&body.key_check).map_err(|e| {
-        tracing::warn!(error = %e, "invalid hex in key-change key_check");
-        StatusCode::BAD_REQUEST
-    })?;
-
-    change_user_key(
-        &state.pool,
-        user_id,
-        &old_key_bytes,
-        &new_key_bytes,
-        &new_salt,
-        &new_key_check,
-        &body.params,
-    )
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, %user_id, "failed to change user key");
-        StatusCode::INTERNAL_SERVER_ERROR
-    })?;
-
-    // Refresh the session's key_version so the current session is not immediately
-    // invalidated by require_valid_user on the next page load.
-    match get_user_by_id(&state.pool, user_id).await {
-        Ok(Some(updated_user)) => {
-            if let Err(e) = session
-                .insert(SESSION_KEY_VERSION, updated_user.key_version)
-                .await
-            {
-                tracing::warn!(error = %e, %user_id, "failed to update key_version in session after key change");
-            }
-        }
-        Ok(None) => {
-            tracing::warn!(%user_id, "user not found after key change; session not updated");
-        }
-        Err(e) => {
-            tracing::warn!(error = %e, %user_id, "failed to reload user after key change; session not updated");
-        }
-    }
-
-    tracing::info!(%user_id, secrets_count = "(see service log)", "passphrase changed and secrets re-encrypted");
-    Ok(Json(KeySetupResponse { ok: true }))
-}
-
-// ── API Key management ────────────────────────────────────────────────────────
-
-pub(super) async fn api_apikey_get(
-    State(state): State<AppState>,
-    session: Session,
-) -> Result<Json<ApiKeyResponse>, StatusCode> {
-    let user = match load_session_user_strict(&state.pool, &session).await {
-        Ok(Some(u)) => u,
-        Ok(None) => return Err(StatusCode::UNAUTHORIZED),
-        Err(()) => return Err(StatusCode::INTERNAL_SERVER_ERROR),
-    };
-    let user_id = user.id;
-
-    let api_key = ensure_api_key(&state.pool, user_id).await.map_err(|e| {
-        tracing::error!(error = %e, %user_id, "ensure_api_key failed");
-        StatusCode::INTERNAL_SERVER_ERROR
-    })?;
-
-    Ok(Json(ApiKeyResponse { api_key }))
-}
-
-pub(super) async fn api_apikey_regenerate(
-    State(state): State<AppState>,
-    session: Session,
-) -> Result<Json<ApiKeyResponse>, StatusCode> {
-    let user = match load_session_user_strict(&state.pool, &session).await {
-        Ok(Some(u)) => u,
-        Ok(None) => return Err(StatusCode::UNAUTHORIZED),
-        Err(()) => return Err(StatusCode::INTERNAL_SERVER_ERROR),
-    };
-    let user_id = user.id;
-
-    let api_key = regenerate_api_key(&state.pool, user_id)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, %user_id, "regenerate_api_key failed");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-
-    Ok(Json(ApiKeyResponse { api_key }))
-}

crates/secrets-mcp/src/web/assets.rs

@@ -1,73 +0,0 @@
-use axum::{
-    body::Body,
-    extract::State,
-    http::{StatusCode, header},
-    response::{IntoResponse, Response},
-};
-
-use crate::AppState;
-
-pub(super) fn text_asset_response(content: &'static str, content_type: &'static str) -> Response {
-    Response::builder()
-        .status(StatusCode::OK)
-        .header(header::CONTENT_TYPE, content_type)
-        .header(header::CACHE_CONTROL, "public, max-age=86400")
-        .body(Body::from(content))
-        .expect("text asset response")
-}
-
-pub(super) async fn robots_txt() -> Response {
-    text_asset_response(
-        include_str!("../../static/robots.txt"),
-        "text/plain; charset=utf-8",
-    )
-}
-
-pub(super) async fn llms_txt() -> Response {
-    text_asset_response(
-        include_str!("../../static/llms.txt"),
-        "text/markdown; charset=utf-8",
-    )
-}
-
-pub(super) async fn ai_txt() -> Response {
-    llms_txt().await
-}
-
-pub(super) async fn i18n_js() -> Response {
-    text_asset_response(
-        include_str!("../../templates/i18n.js"),
-        "application/javascript; charset=utf-8",
-    )
-}
-
-pub(super) async fn favicon_svg() -> Response {
-    Response::builder()
-        .status(StatusCode::OK)
-        .header(header::CONTENT_TYPE, "image/svg+xml")
-        .header(header::CACHE_CONTROL, "public, max-age=86400")
-        .body(Body::from(include_str!("../../static/favicon.svg")))
-        .expect("favicon response")
-}
-
-/// RFC 9728 — OAuth 2.0 Protected Resource Metadata.
-///
-/// Advertises that this server accepts Bearer tokens in the `Authorization`
-/// header.  We deliberately omit `authorization_servers` because this service
-/// issues its own API keys (no external OAuth AS is involved).  MCP clients
-/// that probe this endpoint will see the resource identifier and stop looking
-/// for a delegated OAuth flow.
-pub(super) async fn oauth_protected_resource_metadata(
-    State(state): State<AppState>,
-) -> impl IntoResponse {
-    let body = serde_json::json!({
-        "resource": state.base_url,
-        "bearer_methods_supported": ["header"],
-        "resource_documentation": format!("{}/dashboard", state.base_url),
-    });
-    (
-        StatusCode::OK,
-        [(header::CONTENT_TYPE, "application/json")],
-        axum::Json(body),
-    )
-}

crates/secrets-mcp/src/web/audit.rs

@@ -1,104 +0,0 @@
-use askama::Template;
-use axum::{
-    extract::{Query, State},
-    http::StatusCode,
-    response::Response,
-};
-use chrono::SecondsFormat;
-use serde::Deserialize;
-use tower_sessions::Session;
-
-use crate::AppState;
-
-use super::{AUDIT_PAGE_LIMIT, paginate, render_template, require_valid_user};
-
-#[derive(Template)]
-#[template(path = "audit.html")]
-struct AuditPageTemplate {
-    user_name: String,
-    user_email: String,
-    entries: Vec<AuditEntryView>,
-    current_page: u32,
-    total_pages: u32,
-    total_count: i64,
-    version: &'static str,
-}
-
-struct AuditEntryView {
-    /// RFC3339 UTC for `<time datetime>`; rendered as browser-local in audit.html.
-    created_at_iso: String,
-    action: String,
-    target: String,
-    detail: String,
-}
-
-#[derive(Deserialize)]
-pub(super) struct AuditQuery {
-    page: Option<u32>,
-}
-
-fn format_audit_target(folder: &str, entry_type: &str, name: &str) -> String {
-    // Auth events (folder="auth") use entry_type/name as provider-scoped target.
-    if folder == "auth" {
-        format!("{}/{}", entry_type, name)
-    } else if !folder.is_empty() && !entry_type.is_empty() {
-        format!("[{}/{}] {}", folder, entry_type, name)
-    } else if !folder.is_empty() {
-        format!("[{}] {}", folder, name)
-    } else {
-        name.to_string()
-    }
-}
-
-pub(super) async fn audit_page(
-    State(state): State<AppState>,
-    session: Session,
-    Query(aq): Query<AuditQuery>,
-) -> Result<Response, StatusCode> {
-    use secrets_core::service::audit_log::{count_for_user, list_for_user};
-
-    let user = match require_valid_user(&state.pool, &session, "audit_page").await {
-        Ok(u) => u,
-        Err(r) => return Ok(r),
-    };
-    let user_id = user.id;
-
-    let page = aq.page.unwrap_or(1).max(1);
-
-    let total_count = count_for_user(&state.pool, user_id).await.map_err(|e| {
-        tracing::error!(error = %e, "failed to count audit log for user");
-        StatusCode::INTERNAL_SERVER_ERROR
-    })?;
-
-    let (current_page, total_pages, offset) = paginate(page, total_count, AUDIT_PAGE_LIMIT as u32);
-    let actual_offset = i64::from(offset);
-
-    let rows = list_for_user(&state.pool, user_id, AUDIT_PAGE_LIMIT, actual_offset)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, "failed to load audit log for user");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-
-    let entries = rows
-        .into_iter()
-        .map(|row| AuditEntryView {
-            created_at_iso: row.created_at.to_rfc3339_opts(SecondsFormat::Secs, true),
-            action: row.action,
-            target: format_audit_target(&row.folder, &row.entry_type, &row.name),
-            detail: serde_json::to_string_pretty(&row.detail).unwrap_or_else(|_| "{}".to_string()),
-        })
-        .collect();
-
-    let tmpl = AuditPageTemplate {
-        user_name: user.name.clone(),
-        user_email: user.email.clone().unwrap_or_default(),
-        entries,
-        current_page,
-        total_pages,
-        total_count,
-        version: env!("CARGO_PKG_VERSION"),
-    };
-
-    render_template(tmpl)
-}

crates/secrets-mcp/src/web/auth.rs

@@ -1,360 +0,0 @@
-use std::net::SocketAddr;
-
-use askama::Template;
-use axum::{
-    extract::{ConnectInfo, Path, Query, State},
-    http::{HeaderMap, StatusCode},
-    response::{IntoResponse, Redirect, Response},
-};
-use serde::Deserialize;
-use tower_sessions::Session;
-
-use secrets_core::audit::log_login;
-use secrets_core::service::user::{
-    OAuthProfile, bind_oauth_account, find_or_create_user, unbind_oauth_account,
-};
-
-use crate::AppState;
-use crate::oauth::{OAuthConfig, OAuthUserInfo, google_auth_url, random_state};
-
-use super::{
-    SESSION_KEY_VERSION, SESSION_LOGIN_PROVIDER, SESSION_OAUTH_BIND_MODE, SESSION_OAUTH_STATE,
-    SESSION_USER_ID, current_user_id, google_cfg, render_template, request_user_agent,
-};
-
-#[derive(Template)]
-#[template(path = "login.html")]
-struct LoginTemplate {
-    has_google: bool,
-    base_url: String,
-    version: &'static str,
-}
-
-#[derive(Template)]
-#[template(path = "home.html")]
-struct HomeTemplate {
-    is_logged_in: bool,
-    base_url: String,
-    version: &'static str,
-}
-
-// ── Home page (public) ───────────────────────────────────────────────────────
-
-pub(super) async fn home_page(
-    State(state): State<AppState>,
-    session: Session,
-) -> Result<Response, StatusCode> {
-    let is_logged_in = current_user_id(&session).await.is_some();
-    let tmpl = HomeTemplate {
-        is_logged_in,
-        base_url: state.base_url.clone(),
-        version: env!("CARGO_PKG_VERSION"),
-    };
-    render_template(tmpl)
-}
-
-// ── Login page ────────────────────────────────────────────────────────────────
-
-pub(super) async fn login_page(
-    State(state): State<AppState>,
-    session: Session,
-) -> Result<Response, StatusCode> {
-    if let Some(_uid) = current_user_id(&session).await {
-        return Ok(Redirect::to("/dashboard").into_response());
-    }
-
-    let tmpl = LoginTemplate {
-        has_google: state.google_config.is_some(),
-        base_url: state.base_url.clone(),
-        version: env!("CARGO_PKG_VERSION"),
-    };
-    render_template(tmpl)
-}
-
-// ── Google OAuth ──────────────────────────────────────────────────────────────
-
-pub(super) async fn auth_google(
-    State(state): State<AppState>,
-    session: Session,
-) -> Result<Response, StatusCode> {
-    let config = google_cfg(&state).ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
-
-    let oauth_state = random_state();
-    session
-        .insert(SESSION_OAUTH_STATE, &oauth_state)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, "failed to insert oauth_state into session");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-
-    let url = google_auth_url(config, &oauth_state);
-    Ok(Redirect::to(&url).into_response())
-}
-
-#[derive(Deserialize)]
-pub(super) struct OAuthCallbackQuery {
-    code: Option<String>,
-    state: Option<String>,
-    error: Option<String>,
-}
-
-pub(super) async fn auth_google_callback(
-    State(state): State<AppState>,
-    connect_info: ConnectInfo<SocketAddr>,
-    headers: HeaderMap,
-    session: Session,
-    Query(params): Query<OAuthCallbackQuery>,
-) -> Result<Response, StatusCode> {
-    let client_ip = Some(crate::client_ip::extract_client_ip_parts(
-        &headers,
-        connect_info.0,
-    ));
-    let user_agent = request_user_agent(&headers);
-    handle_oauth_callback(
-        &state,
-        &session,
-        params,
-        "google",
-        client_ip.as_deref(),
-        user_agent.as_deref(),
-        |s, cfg, code| {
-            Box::pin(crate::oauth::google::exchange_code(
-                &s.http_client,
-                cfg,
-                code,
-            ))
-        },
-    )
-    .await
-}
-
-// ── Shared OAuth callback handler ─────────────────────────────────────────────
-
-async fn handle_oauth_callback<F>(
-    state: &AppState,
-    session: &Session,
-    params: OAuthCallbackQuery,
-    provider: &str,
-    client_ip: Option<&str>,
-    user_agent: Option<&str>,
-    exchange_fn: F,
-) -> Result<Response, StatusCode>
-where
-    F: for<'a> Fn(
-        &'a AppState,
-        &'a OAuthConfig,
-        &'a str,
-    ) -> std::pin::Pin<
-        Box<dyn std::future::Future<Output = anyhow::Result<OAuthUserInfo>> + Send + 'a>,
-    >,
-{
-    if let Some(err) = params.error {
-        tracing::warn!(provider, error = %err, "OAuth error");
-        return Ok(Redirect::to("/login?error=oauth_error").into_response());
-    }
-
-    let Some(code) = params.code else {
-        tracing::warn!(provider, "OAuth callback missing code");
-        return Ok(Redirect::to("/login?error=oauth_missing_code").into_response());
-    };
-    let Some(returned_state) = params.state.as_deref() else {
-        tracing::warn!(provider, "OAuth callback missing state");
-        return Ok(Redirect::to("/login?error=oauth_missing_state").into_response());
-    };
-
-    let expected_state: Option<String> = session.get(SESSION_OAUTH_STATE).await.map_err(|e| {
-        tracing::error!(provider, error = %e, "failed to read oauth_state from session");
-        StatusCode::INTERNAL_SERVER_ERROR
-    })?;
-    if expected_state.as_deref() != Some(returned_state) {
-        tracing::warn!(
-            provider,
-            expected_present = expected_state.is_some(),
-            "OAuth state mismatch (empty session often means SameSite=Strict or server restart)"
-        );
-        return Ok(Redirect::to("/login?error=oauth_state").into_response());
-    }
-    if let Err(e) = session.remove::<String>(SESSION_OAUTH_STATE).await {
-        tracing::warn!(provider, error = %e, "failed to remove oauth_state from session");
-    }
-
-    let config = match provider {
-        "google" => state
-            .google_config
-            .as_ref()
-            .ok_or(StatusCode::SERVICE_UNAVAILABLE)?,
-        _ => return Err(StatusCode::BAD_REQUEST),
-    };
-
-    let user_info = exchange_fn(state, config, code.as_str())
-        .await
-        .map_err(|e| {
-            tracing::error!(provider, error = %e, "failed to exchange OAuth code");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-
-    let bind_mode: bool = match session.get::<bool>(SESSION_OAUTH_BIND_MODE).await {
-        Ok(v) => v.unwrap_or(false),
-        Err(e) => {
-            tracing::error!(
-                provider,
-                error = %e,
-                "failed to read oauth_bind_mode from session"
-            );
-            return Err(StatusCode::INTERNAL_SERVER_ERROR);
-        }
-    };
-
-    if bind_mode {
-        let user_id = current_user_id(session)
-            .await
-            .ok_or(StatusCode::UNAUTHORIZED)?;
-        if let Err(e) = session.remove::<bool>(SESSION_OAUTH_BIND_MODE).await {
-            tracing::warn!(provider, error = %e, "failed to remove oauth_bind_mode from session after bind");
-        }
-
-        let profile = OAuthProfile {
-            provider: user_info.provider,
-            provider_id: user_info.provider_id,
-            email: user_info.email,
-            name: user_info.name,
-            avatar_url: user_info.avatar_url,
-        };
-
-        bind_oauth_account(&state.pool, user_id, profile)
-            .await
-            .map_err(|e| {
-                tracing::error!(error = %e, "failed to bind OAuth account");
-                StatusCode::INTERNAL_SERVER_ERROR
-            })?;
-
-        return Ok(Redirect::to("/dashboard?bound=1").into_response());
-    }
-
-    let profile = OAuthProfile {
-        provider: user_info.provider,
-        provider_id: user_info.provider_id,
-        email: user_info.email,
-        name: user_info.name,
-        avatar_url: user_info.avatar_url,
-    };
-
-    let (user, _is_new) = find_or_create_user(&state.pool, profile)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, "failed to find or create user");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-
-    session
-        .insert(SESSION_USER_ID, user.id.to_string())
-        .await
-        .map_err(|e| {
-            tracing::error!(
-                error = %e,
-                user_id = %user.id,
-                "failed to insert user_id into session after OAuth"
-            );
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-    session
-        .insert(SESSION_LOGIN_PROVIDER, &provider)
-        .await
-        .map_err(|e| {
-            tracing::error!(
-                provider,
-                error = %e,
-                "failed to insert login_provider into session after OAuth"
-            );
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-    if let Err(e) = session.insert(SESSION_KEY_VERSION, user.key_version).await {
-        tracing::warn!(error = %e, user_id = %user.id, "failed to insert key_version into session after OAuth");
-    }
-
-    log_login(
-        &state.pool,
-        "oauth",
-        provider,
-        user.id,
-        client_ip,
-        user_agent,
-    )
-    .await;
-
-    Ok(Redirect::to("/dashboard").into_response())
-}
-
-// ── Logout ────────────────────────────────────────────────────────────────────
-
-pub(super) async fn auth_logout(session: Session) -> impl IntoResponse {
-    if let Err(e) = session.flush().await {
-        tracing::warn!(error = %e, "failed to flush session on logout");
-    }
-    Redirect::to("/")
-}
-
-// ── Account bind/unbind ───────────────────────────────────────────────────────
-
-pub(super) async fn account_bind_google(
-    State(state): State<AppState>,
-    session: Session,
-) -> Result<Response, StatusCode> {
-    let _ = current_user_id(&session)
-        .await
-        .ok_or(StatusCode::UNAUTHORIZED)?;
-
-    session
-        .insert(SESSION_OAUTH_BIND_MODE, true)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, "failed to insert oauth_bind_mode into session");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-
-    let config = google_cfg(&state).ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
-    let oauth_state = random_state();
-    if let Err(e) = session.insert(SESSION_OAUTH_STATE, &oauth_state).await {
-        tracing::error!(error = %e, "failed to insert oauth_state for account bind flow");
-        if let Err(rm) = session.remove::<bool>(SESSION_OAUTH_BIND_MODE).await {
-            tracing::warn!(error = %rm, "failed to roll back oauth_bind_mode after oauth_state insert failure");
-        }
-        return Err(StatusCode::INTERNAL_SERVER_ERROR);
-    }
-
-    let url = google_auth_url(config, &oauth_state);
-    Ok(Redirect::to(&url).into_response())
-}
-
-pub(super) async fn account_unbind(
-    State(state): State<AppState>,
-    Path(provider): Path<String>,
-    session: Session,
-) -> Result<Response, StatusCode> {
-    let user_id = current_user_id(&session)
-        .await
-        .ok_or(StatusCode::UNAUTHORIZED)?;
-
-    let current_login_provider = session
-        .get::<String>(SESSION_LOGIN_PROVIDER)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, "failed to read login_provider from session");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?;
-
-    unbind_oauth_account(
-        &state.pool,
-        user_id,
-        &provider,
-        current_login_provider.as_deref(),
-    )
-    .await
-    .map_err(|e| {
-        tracing::warn!(error = %e, "failed to unbind oauth account");
-        StatusCode::BAD_REQUEST
-    })?;
-
-    Ok(Redirect::to("/dashboard?unbound=1").into_response())
-}

crates/secrets-mcp/src/web/changelog.rs

@@ -1,48 +0,0 @@
-use askama::Template;
-use axum::{extract::State, http::StatusCode, response::Response};
-use pulldown_cmark::{Options, Parser, html};
-
-use crate::AppState;
-
-use super::render_template;
-
-#[derive(Template)]
-#[template(path = "changelog.html")]
-pub(super) struct ChangelogTemplate {
-    pub base_url: String,
-    pub version: &'static str,
-    pub changelog_html: String,
-}
-
-fn markdown_to_html(md: &str) -> String {
-    let mut opts = Options::empty();
-    opts.insert(Options::ENABLE_TABLES);
-    opts.insert(Options::ENABLE_STRIKETHROUGH);
-    opts.insert(Options::ENABLE_TASKLISTS);
-    let parser = Parser::new_ext(md, opts);
-    let mut out = String::new();
-    html::push_html(&mut out, parser);
-    out
-}
-
-pub(super) async fn changelog_page(State(state): State<AppState>) -> Result<Response, StatusCode> {
-    let md = include_str!(concat!(env!("CARGO_MANIFEST_DIR"), "/CHANGELOG.md"));
-    render_template(ChangelogTemplate {
-        base_url: state.base_url.clone(),
-        version: env!("CARGO_PKG_VERSION"),
-        changelog_html: markdown_to_html(md),
-    })
-}
-
-#[cfg(test)]
-mod tests {
-    use super::markdown_to_html;
-
-    #[test]
-    fn markdown_renders_heading_and_list() {
-        let html = markdown_to_html("# Title\n\n- a\n");
-        assert!(html.contains("<h1"));
-        assert!(html.contains("Title"));
-        assert!(html.contains("<ul") || html.contains("<li"));
-    }
-}

crates/secrets-mcp/src/web/local_mcp.rs

@@ -1,894 +0,0 @@
-use askama::Template;
-use axum::{
-    Json,
-    extract::{Path, Query, State},
-    http::{HeaderMap, StatusCode, header},
-    response::{IntoResponse, Response},
-};
-use serde::{Deserialize, Serialize};
-use serde_json::{Value, json};
-use sqlx::PgPool;
-use tower_sessions::Session;
-use uuid::Uuid;
-
-use secrets_core::crypto::hex;
-use secrets_core::service::api_key::validate_api_key;
-use secrets_core::service::delete::{DeleteParams, run as svc_delete};
-use secrets_core::service::get_secret::get_all_secrets_by_id;
-use secrets_core::service::history::run as svc_history;
-use secrets_core::service::relations::get_relations_for_entries;
-use secrets_core::service::search::{
-    SearchParams, count_entries, resolve_entry_by_id, run as svc_search,
-};
-use secrets_core::service::user::get_user_by_id;
-
-use crate::AppState;
-
-use super::{
-    UiLang, render_template, request_ui_lang, require_valid_user, require_valid_user_json,
-};
-
-const BIND_TTL_SECS: u64 = 600;
-
-#[derive(Clone, sqlx::FromRow)]
-struct BindRow {
-    device_code: String,
-    user_id: Option<Uuid>,
-    approved: bool,
-}
-
-enum ConsumeBindOutcome {
-    Pending,
-    Ready(BindRow),
-    NotFound,
-    DeviceMismatch,
-}
-
-#[derive(Serialize)]
-pub(super) struct BindStartOutput {
-    bind_id: String,
-    device_code: String,
-    approve_url: String,
-    expires_in_secs: u64,
-}
-
-#[derive(Deserialize)]
-pub(super) struct BindApproveInput {
-    bind_id: String,
-    device_code: String,
-}
-
-#[derive(Deserialize)]
-pub(super) struct BindExchangeInput {
-    bind_id: String,
-    device_code: String,
-}
-
-#[derive(Template)]
-#[template(
-    source = r#"<!DOCTYPE html>
-<html lang="zh-CN">
-<head><meta charset="utf-8"><title>Local MCP 绑定确认</title></head>
-<body>
-  <h1>确认绑定本地 MCP</h1>
-  {% if error.is_some() %}
-    <p style="color:#c00">{{ error.as_ref().unwrap() }}</p>
-  {% endif %}
-  {% if approved %}
-    <p>绑定已确认。你可以返回本地页面继续下一步。</p>
-  {% else %}
-    <p>Bind ID: <code>{{ bind_id }}</code></p>
-    <form method="post" action="/api/local-mcp/bind/approve">
-      <input type="hidden" name="bind_id" value="{{ bind_id }}"/>
-      <input type="hidden" name="device_code" value="{{ device_code }}"/>
-      <button type="submit">确认绑定</button>
-    </form>
-  {% endif %}
-</body>
-</html>"#,
-    ext = "html"
-)]
-struct ApproveTemplate {
-    bind_id: String,
-    device_code: String,
-    approved: bool,
-    error: Option<String>,
-}
-
-async fn cleanup_expired(pool: &PgPool) {
-    let _ = sqlx::query("DELETE FROM local_mcp_bind_sessions WHERE expires_at <= NOW()")
-        .execute(pool)
-        .await;
-}
-
-async fn fetch_bind(pool: &PgPool, bind_id: &str) -> Result<Option<BindRow>, StatusCode> {
-    sqlx::query_as::<_, BindRow>(
-        "SELECT device_code, user_id, approved
-         FROM local_mcp_bind_sessions
-         WHERE bind_id = $1 AND expires_at > NOW()",
-    )
-    .bind(bind_id)
-    .fetch_optional(pool)
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, bind_id, "failed to fetch local MCP bind");
-        StatusCode::INTERNAL_SERVER_ERROR
-    })
-}
-
-async fn require_user_from_bearer(pool: &PgPool, headers: &HeaderMap) -> Result<Uuid, StatusCode> {
-    let auth_header = headers
-        .get(header::AUTHORIZATION)
-        .and_then(|v| v.to_str().ok())
-        .ok_or(StatusCode::UNAUTHORIZED)?;
-    let raw_key = auth_header
-        .strip_prefix("Bearer ")
-        .map(str::trim)
-        .filter(|s| !s.is_empty())
-        .ok_or(StatusCode::UNAUTHORIZED)?;
-    validate_api_key(pool, raw_key)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, "failed to validate api key for local MCP refresh");
-            StatusCode::INTERNAL_SERVER_ERROR
-        })?
-        .ok_or(StatusCode::UNAUTHORIZED)
-}
-
-async fn consume_bind_session(
-    pool: &PgPool,
-    bind_id: &str,
-    device_code: &str,
-) -> Result<ConsumeBindOutcome, (StatusCode, Json<serde_json::Value>)> {
-    let mut tx = pool.begin().await.map_err(|e| {
-        tracing::error!(error = %e, bind_id, "failed to start tx for bind exchange");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "failed to start bind exchange" })),
-        )
-    })?;
-    let stored = sqlx::query_as::<_, BindRow>(
-        "SELECT device_code, user_id, approved
-         FROM local_mcp_bind_sessions
-         WHERE bind_id = $1 AND expires_at > NOW()
-         FOR UPDATE",
-    )
-    .bind(bind_id)
-    .fetch_optional(&mut *tx)
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, bind_id, "failed to lock bind session");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "failed to load bind session" })),
-        )
-    })?;
-    let Some(bind) = stored else {
-        tx.rollback().await.ok();
-        return Ok(ConsumeBindOutcome::NotFound);
-    };
-    if bind.device_code != device_code {
-        tx.rollback().await.ok();
-        return Ok(ConsumeBindOutcome::DeviceMismatch);
-    }
-    if !bind.approved {
-        tx.rollback().await.ok();
-        return Ok(ConsumeBindOutcome::Pending);
-    }
-    sqlx::query("DELETE FROM local_mcp_bind_sessions WHERE bind_id = $1")
-        .bind(bind_id)
-        .execute(&mut *tx)
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, bind_id, "failed to consume bind session");
-            (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(json!({ "error": "failed to consume bind session" })),
-            )
-        })?;
-    tx.commit().await.map_err(|e| {
-        tracing::error!(error = %e, bind_id, "failed to commit bind exchange");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "failed to commit bind exchange" })),
-        )
-    })?;
-    Ok(ConsumeBindOutcome::Ready(bind))
-}
-
-pub(super) async fn api_bind_start(
-    State(state): State<AppState>,
-) -> Result<Json<BindStartOutput>, (StatusCode, Json<serde_json::Value>)> {
-    cleanup_expired(&state.pool).await;
-    let bind_id = Uuid::new_v4().to_string();
-    let device_code = Uuid::new_v4().simple().to_string();
-    sqlx::query(
-        "INSERT INTO local_mcp_bind_sessions (bind_id, device_code, expires_at)
-         VALUES ($1, $2, NOW() + ($3 * INTERVAL '1 second'))",
-    )
-    .bind(&bind_id)
-    .bind(&device_code)
-    .bind(BIND_TTL_SECS as i64)
-    .execute(&state.pool)
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, bind_id, "failed to insert local MCP bind session");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "failed to create bind session" })),
-        )
-    })?;
-
-    let approve_url = format!(
-        "{}/local-mcp/approve?bind_id={}&device_code={}",
-        state.base_url, bind_id, device_code
-    );
-
-    Ok(Json(BindStartOutput {
-        bind_id,
-        device_code,
-        approve_url,
-        expires_in_secs: BIND_TTL_SECS,
-    }))
-}
-
-#[derive(Deserialize)]
-pub(super) struct ApproveQuery {
-    bind_id: String,
-    device_code: String,
-}
-
-pub(super) async fn approve_page(
-    State(state): State<AppState>,
-    session: Session,
-    Query(query): Query<ApproveQuery>,
-) -> Result<Response, Response> {
-    let _user = require_valid_user(&state.pool, &session, "local_mcp.approve_page").await?;
-
-    cleanup_expired(&state.pool).await;
-    let mut approved = false;
-    let mut error = None;
-
-    match fetch_bind(&state.pool, &query.bind_id).await {
-        Ok(Some(bind)) if bind.device_code == query.device_code => approved = bind.approved,
-        Ok(Some(_)) => error = Some("device_code 不匹配".to_string()),
-        Ok(None) => error = Some("绑定已过期或不存在".to_string()),
-        Err(status) => return Err(status.into_response()),
-    }
-
-    render_template(ApproveTemplate {
-        bind_id: query.bind_id,
-        device_code: query.device_code,
-        approved,
-        error,
-    })
-    .map_err(|status| status.into_response())
-}
-
-pub(super) async fn api_bind_approve(
-    State(state): State<AppState>,
-    session: Session,
-    headers: axum::http::HeaderMap,
-    axum::Form(input): axum::Form<BindApproveInput>,
-) -> Result<Response, (StatusCode, Json<serde_json::Value>)> {
-    let lang: UiLang = request_ui_lang(&headers);
-    let user = require_valid_user_json(&state.pool, &session, lang).await?;
-    cleanup_expired(&state.pool).await;
-
-    match fetch_bind(&state.pool, &input.bind_id).await {
-        Ok(Some(bind)) if bind.device_code == input.device_code => {
-            sqlx::query(
-                "UPDATE local_mcp_bind_sessions
-                 SET user_id = $1, approved = TRUE
-                 WHERE bind_id = $2 AND expires_at > NOW()",
-            )
-            .bind(user.id)
-            .bind(&input.bind_id)
-            .execute(&state.pool)
-            .await
-            .map_err(|e| {
-                tracing::error!(error = %e, bind_id = %input.bind_id, "failed to approve bind session");
-                (
-                    StatusCode::INTERNAL_SERVER_ERROR,
-                    Json(json!({ "error": "failed to approve bind session" })),
-                )
-            })?;
-            Ok(axum::response::Redirect::to(&format!(
-                "/local-mcp/approve?bind_id={}&device_code={}&approved=1",
-                input.bind_id, input.device_code
-            ))
-            .into_response())
-        }
-        Ok(Some(_)) => Err((
-            StatusCode::BAD_REQUEST,
-            Json(json!({ "error": "device_code mismatch" })),
-        )),
-        Ok(None) => Err((
-            StatusCode::NOT_FOUND,
-            Json(json!({ "error": "bind session not found or expired" })),
-        )),
-        Err(status) => Err((
-            status,
-            Json(json!({ "error": "failed to load bind session" })),
-        )),
-    }
-}
-
-pub(super) async fn api_bind_exchange(
-    State(state): State<AppState>,
-    Json(input): Json<BindExchangeInput>,
-) -> Result<Response, (StatusCode, Json<serde_json::Value>)> {
-    cleanup_expired(&state.pool).await;
-
-    let bind = match consume_bind_session(&state.pool, &input.bind_id, &input.device_code).await? {
-        ConsumeBindOutcome::Pending => {
-            return Ok((StatusCode::ACCEPTED, Json(json!({ "status": "pending" }))).into_response());
-        }
-        ConsumeBindOutcome::NotFound => {
-            return Err((
-                StatusCode::NOT_FOUND,
-                Json(json!({ "error": "bind session not found or expired" })),
-            ));
-        }
-        ConsumeBindOutcome::DeviceMismatch => {
-            return Err((
-                StatusCode::BAD_REQUEST,
-                Json(json!({ "error": "device_code mismatch" })),
-            ));
-        }
-        ConsumeBindOutcome::Ready(bind) => bind,
-    };
-    let user_id = bind.user_id.ok_or_else(|| {
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "approved bind missing user_id" })),
-        )
-    })?;
-    let user = get_user_by_id(&state.pool, user_id)
-        .await
-        .map_err(|e| {
-            (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(json!({ "error": format!("failed to load user: {e}") })),
-            )
-        })?
-        .ok_or_else(|| {
-            (
-                StatusCode::NOT_FOUND,
-                Json(json!({ "error": "user not found" })),
-            )
-        })?;
-
-    let key_salt_hex = user.key_salt.as_ref().map(|bytes| {
-        bytes
-            .iter()
-            .map(|b| format!("{:02x}", b))
-            .collect::<String>()
-    });
-    let key_check_hex = user.key_check.as_deref().map(hex::encode_hex);
-
-    Ok((
-        StatusCode::OK,
-        Json(json!({
-            "status": "ok",
-            "user_id": user.id,
-            "api_key": user.api_key,
-            "key_salt_hex": key_salt_hex,
-            "key_check_hex": key_check_hex,
-            "key_params": user.key_params,
-            "key_version": user.key_version,
-        })),
-    )
-        .into_response())
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use secrets_core::{
-        config::resolve_db_config,
-        db::{create_pool, migrate},
-    };
-
-    async fn test_pool() -> Option<PgPool> {
-        let config = resolve_db_config("").ok()?;
-        let pool = create_pool(&config).await.ok()?;
-        migrate(&pool).await.ok()?;
-        Some(pool)
-    }
-
-    #[tokio::test]
-    async fn consume_bind_session_is_single_use() {
-        let Some(pool) = test_pool().await else {
-            return;
-        };
-        let bind_id = format!("test-{}", Uuid::new_v4());
-        let device_code = Uuid::new_v4().simple().to_string();
-        let user_id = Uuid::new_v4();
-        sqlx::query(
-            "INSERT INTO local_mcp_bind_sessions (bind_id, device_code, user_id, approved, expires_at)
-             VALUES ($1, $2, $3, TRUE, NOW() + INTERVAL '10 minutes')",
-        )
-        .bind(&bind_id)
-        .bind(&device_code)
-        .bind(user_id)
-        .execute(&pool)
-        .await
-        .unwrap();
-
-        let first = consume_bind_session(&pool, &bind_id, &device_code)
-            .await
-            .unwrap();
-        assert!(matches!(first, ConsumeBindOutcome::Ready(_)));
-        let second = consume_bind_session(&pool, &bind_id, &device_code)
-            .await
-            .unwrap();
-        assert!(matches!(second, ConsumeBindOutcome::NotFound));
-    }
-}
-
-pub(super) async fn api_bind_refresh(
-    State(state): State<AppState>,
-    headers: HeaderMap,
-) -> Result<Response, (StatusCode, Json<serde_json::Value>)> {
-    let user_id = require_user_from_bearer(&state.pool, &headers)
-        .await
-        .map_err(|status| (status, Json(json!({ "error": "unauthorized" }))))?;
-    let user = get_user_by_id(&state.pool, user_id)
-        .await
-        .map_err(|e| {
-            (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(json!({ "error": format!("failed to load user: {e}") })),
-            )
-        })?
-        .ok_or_else(|| {
-            (
-                StatusCode::NOT_FOUND,
-                Json(json!({ "error": "user not found" })),
-            )
-        })?;
-    Ok((
-        StatusCode::OK,
-        Json(json!({
-            "user_id": user.id,
-            "key_salt_hex": user.key_salt.as_deref().map(hex::encode_hex),
-            "key_check_hex": user.key_check.as_deref().map(hex::encode_hex),
-            "key_params": user.key_params,
-            "key_version": user.key_version,
-        })),
-    )
-        .into_response())
-}
-
-#[derive(Deserialize)]
-pub(super) struct LocalSearchInput {
-    query: Option<String>,
-    metadata_query: Option<String>,
-    folder: Option<String>,
-    #[serde(rename = "type")]
-    entry_type: Option<String>,
-    name: Option<String>,
-    name_query: Option<String>,
-    tags: Option<Vec<String>>,
-    summary: Option<bool>,
-    sort: Option<String>,
-    limit: Option<u32>,
-    offset: Option<u32>,
-}
-
-#[derive(Deserialize)]
-pub(super) struct LocalHistoryInput {
-    name: Option<String>,
-    folder: Option<String>,
-    id: Option<Uuid>,
-    limit: Option<u32>,
-}
-
-#[derive(Deserialize)]
-pub(super) struct LocalDeleteInput {
-    id: Option<Uuid>,
-    name: Option<String>,
-    folder: Option<String>,
-    #[serde(rename = "type")]
-    entry_type: Option<String>,
-    dry_run: Option<bool>,
-}
-
-fn require_encryption_key_local(
-    headers: &HeaderMap,
-) -> Result<[u8; 32], (StatusCode, Json<serde_json::Value>)> {
-    let enc_key_hex = headers
-        .get("x-encryption-key")
-        .and_then(|v| v.to_str().ok())
-        .ok_or_else(|| {
-            (
-                StatusCode::BAD_REQUEST,
-                Json(json!({ "error": "Missing X-Encryption-Key header" })),
-            )
-        })?;
-    secrets_core::crypto::extract_key_from_hex(enc_key_hex).map_err(|_| {
-        (
-            StatusCode::BAD_REQUEST,
-            Json(json!({ "error": "Invalid X-Encryption-Key format" })),
-        )
-    })
-}
-
-fn render_entry_json(
-    entry: &secrets_core::models::Entry,
-    relations: secrets_core::service::relations::EntryRelations,
-    secret_fields: &[secrets_core::models::SecretField],
-    summary: bool,
-) -> Value {
-    if summary {
-        json!({
-            "name": entry.name,
-            "folder": entry.folder,
-            "type": entry.entry_type,
-            "tags": entry.tags,
-            "notes": entry.notes,
-            "parents": relations.parents,
-            "children": relations.children,
-            "updated_at": entry.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-        })
-    } else {
-        let schema: Vec<_> = secret_fields
-            .iter()
-            .map(|field| {
-                json!({
-                    "id": field.id,
-                    "name": field.name,
-                    "type": field.secret_type,
-                })
-            })
-            .collect();
-        json!({
-            "id": entry.id,
-            "name": entry.name,
-            "folder": entry.folder,
-            "type": entry.entry_type,
-            "notes": entry.notes,
-            "tags": entry.tags,
-            "metadata": entry.metadata,
-            "parents": relations.parents,
-            "children": relations.children,
-            "secret_fields": schema,
-            "version": entry.version,
-            "updated_at": entry.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-        })
-    }
-}
-
-pub(super) async fn api_entries_find(
-    State(state): State<AppState>,
-    headers: HeaderMap,
-    Json(input): Json<LocalSearchInput>,
-) -> Result<Json<Value>, (StatusCode, Json<Value>)> {
-    let user_id = require_user_from_bearer(&state.pool, &headers)
-        .await
-        .map_err(|status| (status, Json(json!({ "error": "unauthorized" }))))?;
-    let tags = input.tags.unwrap_or_default();
-    let result = svc_search(
-        &state.pool,
-        SearchParams {
-            folder: input.folder.as_deref(),
-            entry_type: input.entry_type.as_deref(),
-            name: input.name.as_deref(),
-            name_query: input.name_query.as_deref(),
-            tags: &tags,
-            query: input.query.as_deref(),
-            metadata_query: input.metadata_query.as_deref(),
-            sort: "name",
-            limit: input.limit.unwrap_or(20),
-            offset: input.offset.unwrap_or(0),
-            user_id: Some(user_id),
-        },
-    )
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, %user_id, "local mcp find failed");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "find failed" })),
-        )
-    })?;
-    let total_count = count_entries(
-        &state.pool,
-        &SearchParams {
-            folder: input.folder.as_deref(),
-            entry_type: input.entry_type.as_deref(),
-            name: input.name.as_deref(),
-            name_query: input.name_query.as_deref(),
-            tags: &tags,
-            query: input.query.as_deref(),
-            metadata_query: input.metadata_query.as_deref(),
-            sort: "name",
-            limit: 0,
-            offset: 0,
-            user_id: Some(user_id),
-        },
-    )
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, %user_id, "local mcp find count failed");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "find count failed" })),
-        )
-    })?;
-    let entry_ids: Vec<_> = result.entries.iter().map(|entry| entry.id).collect();
-    let relation_map = get_relations_for_entries(&state.pool, &entry_ids, Some(user_id))
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, %user_id, "local mcp find relations failed");
-            (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(json!({ "error": "find relations failed" })),
-            )
-        })?;
-    let entries = result
-        .entries
-        .iter()
-        .map(|entry| {
-            let relations = relation_map.get(&entry.id).cloned().unwrap_or_default();
-            let secret_fields = result
-                .secret_schemas
-                .get(&entry.id)
-                .map(Vec::as_slice)
-                .unwrap_or(&[]);
-            render_entry_json(entry, relations, secret_fields, false)
-        })
-        .collect::<Vec<_>>();
-    Ok(Json(json!({
-        "total_count": total_count,
-        "entries": entries,
-    })))
-}
-
-pub(super) async fn api_entries_search(
-    State(state): State<AppState>,
-    headers: HeaderMap,
-    Json(input): Json<LocalSearchInput>,
-) -> Result<Json<Value>, (StatusCode, Json<Value>)> {
-    let user_id = require_user_from_bearer(&state.pool, &headers)
-        .await
-        .map_err(|status| (status, Json(json!({ "error": "unauthorized" }))))?;
-    let tags = input.tags.unwrap_or_default();
-    let result = svc_search(
-        &state.pool,
-        SearchParams {
-            folder: input.folder.as_deref(),
-            entry_type: input.entry_type.as_deref(),
-            name: input.name.as_deref(),
-            name_query: input.name_query.as_deref(),
-            tags: &tags,
-            query: input.query.as_deref(),
-            metadata_query: input.metadata_query.as_deref(),
-            sort: input.sort.as_deref().unwrap_or("name"),
-            limit: input.limit.unwrap_or(20),
-            offset: input.offset.unwrap_or(0),
-            user_id: Some(user_id),
-        },
-    )
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, %user_id, "local mcp search failed");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "search failed" })),
-        )
-    })?;
-    let entry_ids: Vec<_> = result.entries.iter().map(|entry| entry.id).collect();
-    let relation_map = get_relations_for_entries(&state.pool, &entry_ids, Some(user_id))
-        .await
-        .map_err(|e| {
-            tracing::error!(error = %e, %user_id, "local mcp search relations failed");
-            (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(json!({ "error": "search relations failed" })),
-            )
-        })?;
-    let summary = input.summary.unwrap_or(false);
-    let entries = result
-        .entries
-        .iter()
-        .map(|entry| {
-            let relations = relation_map.get(&entry.id).cloned().unwrap_or_default();
-            let secret_fields = result
-                .secret_schemas
-                .get(&entry.id)
-                .map(Vec::as_slice)
-                .unwrap_or(&[]);
-            render_entry_json(entry, relations, secret_fields, summary)
-        })
-        .collect::<Vec<_>>();
-    Ok(Json(Value::Array(entries)))
-}
-
-pub(super) async fn api_entry_history(
-    State(state): State<AppState>,
-    headers: HeaderMap,
-    Json(input): Json<LocalHistoryInput>,
-) -> Result<Json<Value>, (StatusCode, Json<Value>)> {
-    let user_id = require_user_from_bearer(&state.pool, &headers)
-        .await
-        .map_err(|status| (status, Json(json!({ "error": "unauthorized" }))))?;
-    let (name, folder) = if let Some(id) = input.id {
-        let entry = resolve_entry_by_id(&state.pool, id, Some(user_id))
-            .await
-            .map_err(|e| {
-                tracing::warn!(error = %e, %user_id, %id, "local mcp history missing entry");
-                (
-                    StatusCode::NOT_FOUND,
-                    Json(json!({ "error": "entry not found" })),
-                )
-            })?;
-        (entry.name, Some(entry.folder))
-    } else {
-        let name = input.name.ok_or_else(|| {
-            (
-                StatusCode::BAD_REQUEST,
-                Json(json!({ "error": "name or id is required" })),
-            )
-        })?;
-        (name, input.folder)
-    };
-    let result = svc_history(
-        &state.pool,
-        &name,
-        folder.as_deref(),
-        input.limit.unwrap_or(20),
-        Some(user_id),
-    )
-    .await
-    .map_err(|e| {
-        tracing::warn!(error = %e, %user_id, name = %name, "local mcp history failed");
-        (
-            StatusCode::BAD_REQUEST,
-            Json(json!({ "error": e.to_string() })),
-        )
-    })?;
-    Ok(Json(
-        serde_json::to_value(result).unwrap_or_else(|_| json!([])),
-    ))
-}
-
-pub(super) async fn api_entries_overview(
-    State(state): State<AppState>,
-    headers: HeaderMap,
-) -> Result<Json<Value>, (StatusCode, Json<Value>)> {
-    #[derive(sqlx::FromRow)]
-    struct CountRow {
-        name: String,
-        count: i64,
-    }
-
-    let user_id = require_user_from_bearer(&state.pool, &headers)
-        .await
-        .map_err(|status| (status, Json(json!({ "error": "unauthorized" }))))?;
-    let folder_rows: Vec<CountRow> = sqlx::query_as::<_, CountRow>(
-        "SELECT folder AS name, COUNT(*) AS count FROM entries \
-         WHERE user_id = $1 GROUP BY folder ORDER BY folder",
-    )
-    .bind(user_id)
-    .fetch_all(&state.pool)
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, %user_id, "local mcp overview folders failed");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "overview failed" })),
-        )
-    })?;
-    let type_rows: Vec<CountRow> = sqlx::query_as::<_, CountRow>(
-        "SELECT type AS name, COUNT(*) AS count FROM entries \
-         WHERE user_id = $1 GROUP BY type ORDER BY type",
-    )
-    .bind(user_id)
-    .fetch_all(&state.pool)
-    .await
-    .map_err(|e| {
-        tracing::error!(error = %e, %user_id, "local mcp overview types failed");
-        (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(json!({ "error": "overview failed" })),
-        )
-    })?;
-    let total: i64 = folder_rows.iter().map(|row| row.count).sum();
-    Ok(Json(json!({
-        "total": total,
-        "folders": folder_rows.iter().map(|row| json!({"name": row.name, "count": row.count})).collect::<Vec<_>>(),
-        "types": type_rows.iter().map(|row| json!({"name": row.name, "count": row.count})).collect::<Vec<_>>(),
-    })))
-}
-
-pub(super) async fn api_entries_delete_preview(
-    State(state): State<AppState>,
-    headers: HeaderMap,
-    Json(input): Json<LocalDeleteInput>,
-) -> Result<Json<Value>, (StatusCode, Json<Value>)> {
-    let user_id = require_user_from_bearer(&state.pool, &headers)
-        .await
-        .map_err(|status| (status, Json(json!({ "error": "unauthorized" }))))?;
-    if !input.dry_run.unwrap_or(false) {
-        return Err((
-            StatusCode::BAD_REQUEST,
-            Json(json!({ "error": "dry_run=true is required" })),
-        ));
-    }
-    let (effective_name, effective_folder) =
-        if let Some(id) = input.id {
-            let entry = resolve_entry_by_id(&state.pool, id, Some(user_id))
-            .await
-            .map_err(|e| {
-                tracing::warn!(error = %e, %user_id, %id, "local mcp delete preview missing entry");
-                (StatusCode::NOT_FOUND, Json(json!({ "error": "entry not found" })))
-            })?;
-            (Some(entry.name), Some(entry.folder))
-        } else {
-            (input.name, input.folder)
-        };
-    let result = svc_delete(
-        &state.pool,
-        DeleteParams {
-            name: effective_name.as_deref(),
-            folder: effective_folder.as_deref(),
-            entry_type: input.entry_type.as_deref(),
-            dry_run: true,
-            user_id: Some(user_id),
-        },
-    )
-    .await
-    .map_err(|e| {
-        tracing::warn!(error = %e, %user_id, "local mcp delete preview failed");
-        (
-            StatusCode::BAD_REQUEST,
-            Json(json!({ "error": e.to_string() })),
-        )
-    })?;
-    Ok(Json(
-        serde_json::to_value(result).unwrap_or_else(|_| json!({})),
-    ))
-}
-
-pub(super) async fn api_entry_secrets_decrypt_bearer(
-    State(state): State<AppState>,
-    headers: HeaderMap,
-    Path(entry_id): Path<Uuid>,
-) -> Result<Json<Value>, (StatusCode, Json<Value>)> {
-    let user_id = require_user_from_bearer(&state.pool, &headers)
-        .await
-        .map_err(|status| (status, Json(json!({ "error": "unauthorized" }))))?;
-    let master_key = require_encryption_key_local(&headers)?;
-    let secrets = get_all_secrets_by_id(&state.pool, entry_id, &master_key, Some(user_id))
-        .await
-        .map_err(|e| {
-            tracing::warn!(error = %e, %user_id, %entry_id, "local mcp decrypt failed");
-            if let Some(app_err) = e.downcast_ref::<secrets_core::error::AppError>() {
-                return match app_err {
-                    secrets_core::error::AppError::DecryptionFailed => (
-                        StatusCode::UNPROCESSABLE_ENTITY,
-                        Json(json!({ "error": "Decryption failed, verify passphrase" })),
-                    ),
-                    secrets_core::error::AppError::NotFoundEntry
-                    | secrets_core::error::AppError::NotFoundUser
-                    | secrets_core::error::AppError::NotFoundSecret => (
-                        StatusCode::NOT_FOUND,
-                        Json(json!({ "error": "entry not found" })),
-                    ),
-                    _ => (
-                        StatusCode::INTERNAL_SERVER_ERROR,
-                        Json(json!({ "error": "decrypt failed" })),
-                    ),
-                };
-            }
-            (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(json!({ "error": "decrypt failed" })),
-            )
-        })?;
-    Ok(Json(
-        serde_json::to_value(secrets).unwrap_or_else(|_| json!({})),
-    ))
-}

crates/secrets-mcp/src/web/mod.rs

@@ -1,420 +0,0 @@
-use askama::Template;
-use axum::{
-    Json, Router,
-    http::{HeaderMap, StatusCode, header},
-    response::{Html, IntoResponse, Redirect, Response},
-    routing::{get, patch, post},
-};
-use serde_json::json;
-use tower_sessions::Session;
-use uuid::Uuid;
-
-use crate::AppState;
-use crate::oauth::OAuthConfig;
-
-mod account;
-mod assets;
-mod audit;
-mod auth;
-mod changelog;
-mod entries;
-mod local_mcp;
-
-// ── Session keys ──────────────────────────────────────────────────────────────
-
-const SESSION_USER_ID: &str = "user_id";
-const SESSION_OAUTH_STATE: &str = "oauth_state";
-const SESSION_OAUTH_BIND_MODE: &str = "oauth_bind_mode";
-const SESSION_LOGIN_PROVIDER: &str = "login_provider";
-const SESSION_KEY_VERSION: &str = "key_version";
-
-// ── Page limits ───────────────────────────────────────────────────────────────
-
-/// Cap for HTML list (avoids loading unbounded rows into memory).
-const ENTRIES_PAGE_LIMIT: u32 = 50;
-const AUDIT_PAGE_LIMIT: i64 = 10;
-
-// ── UI language ───────────────────────────────────────────────────────────────
-
-#[derive(Clone, Copy)]
-pub(super) enum UiLang {
-    ZhCn,
-    ZhTw,
-    En,
-}
-
-fn request_ui_lang(headers: &HeaderMap) -> UiLang {
-    let Some(raw) = headers
-        .get(header::ACCEPT_LANGUAGE)
-        .and_then(|v| v.to_str().ok())
-    else {
-        return UiLang::ZhCn;
-    };
-    let lower = raw.to_ascii_lowercase();
-    if lower.contains("zh-tw") || lower.contains("zh-hk") || lower.contains("zh-hant") {
-        UiLang::ZhTw
-    } else if lower.contains("zh") {
-        UiLang::ZhCn
-    } else if lower.contains("en") {
-        UiLang::En
-    } else {
-        UiLang::ZhCn
-    }
-}
-
-fn tr(lang: UiLang, zh_cn: &'static str, zh_tw: &'static str, en: &'static str) -> &'static str {
-    match lang {
-        UiLang::ZhCn => zh_cn,
-        UiLang::ZhTw => zh_tw,
-        UiLang::En => en,
-    }
-}
-
-// ── App state helpers ─────────────────────────────────────────────────────────
-
-fn google_cfg(state: &AppState) -> Option<&OAuthConfig> {
-    state.google_config.as_ref()
-}
-
-async fn current_user_id(session: &Session) -> Option<Uuid> {
-    match session.get::<String>(SESSION_USER_ID).await {
-        Ok(opt) => match opt {
-            Some(s) => match Uuid::parse_str(&s) {
-                Ok(id) => Some(id),
-                Err(e) => {
-                    tracing::warn!(error = %e, user_id_str = %s, "invalid user_id UUID in session");
-                    None
-                }
-            },
-            None => None,
-        },
-        Err(e) => {
-            tracing::warn!(error = %e, "failed to read user_id from session");
-            None
-        }
-    }
-}
-
-/// Load and validate the current user from session and DB.
-///
-/// Returns the user if the session is valid.  Flushes the session and returns
-/// `Err(Redirect::to("/login"))` when:
-/// - the session has no `user_id`,
-/// - the user no longer exists in the database, or
-/// - the stored `key_version` does not match the DB value (passphrase changed on
-///   another device since this session was created).
-async fn require_valid_user(
-    pool: &sqlx::PgPool,
-    session: &Session,
-    context: &str,
-) -> Result<secrets_core::models::User, Response> {
-    let Some(user_id) = current_user_id(session).await else {
-        return Err(Redirect::to("/login").into_response());
-    };
-
-    let user = match secrets_core::service::user::get_user_by_id(pool, user_id).await {
-        Err(e) => {
-            tracing::error!(error = %e, %user_id, context, "failed to load user");
-            return Err(StatusCode::INTERNAL_SERVER_ERROR.into_response());
-        }
-        Ok(None) => {
-            if let Err(e) = session.flush().await {
-                tracing::warn!(error = %e, "failed to flush stale session");
-            }
-            return Err(Redirect::to("/login").into_response());
-        }
-        Ok(Some(u)) => u,
-    };
-
-    let session_kv: Option<i64> = match session.get::<i64>(SESSION_KEY_VERSION).await {
-        Ok(v) => v,
-        Err(e) => {
-            tracing::warn!(error = %e, "failed to read key_version from session; treating as missing");
-            None
-        }
-    };
-    if let Some(kv) = session_kv
-        && kv != user.key_version
-    {
-        tracing::info!(%user_id, session_kv = kv, db_kv = user.key_version, "key_version mismatch; invalidating session");
-        if let Err(e) = session.flush().await {
-            tracing::warn!(error = %e, "failed to flush outdated session");
-        }
-        return Err(Redirect::to("/login").into_response());
-    }
-
-    Ok(user)
-}
-
-/// `Ok(None)` — unauthenticated or session invalidated (including `key_version` mismatch).  
-/// `Err(())` — database error loading the user.
-pub(super) async fn load_session_user_strict(
-    pool: &sqlx::PgPool,
-    session: &Session,
-) -> Result<Option<secrets_core::models::User>, ()> {
-    let Some(user_id) = current_user_id(session).await else {
-        return Ok(None);
-    };
-
-    let user = match secrets_core::service::user::get_user_by_id(pool, user_id).await {
-        Err(e) => {
-            tracing::error!(error = %e, %user_id, "load_session_user_strict: failed to load user");
-            return Err(());
-        }
-        Ok(None) => {
-            if let Err(e) = session.flush().await {
-                tracing::warn!(error = %e, "failed to flush stale session");
-            }
-            return Ok(None);
-        }
-        Ok(Some(u)) => u,
-    };
-
-    let session_kv: Option<i64> = match session.get::<i64>(SESSION_KEY_VERSION).await {
-        Ok(v) => v,
-        Err(e) => {
-            tracing::warn!(error = %e, "failed to read key_version from session; treating as missing");
-            None
-        }
-    };
-    if let Some(kv) = session_kv
-        && kv != user.key_version
-    {
-        tracing::info!(%user_id, session_kv = kv, db_kv = user.key_version, "key_version mismatch; invalidating session (API)");
-        if let Err(e) = session.flush().await {
-            tracing::warn!(error = %e, "failed to flush outdated session");
-        }
-        return Ok(None);
-    }
-
-    Ok(Some(user))
-}
-
-/// JSON API equivalent of [`require_valid_user`]: returns `401` with a JSON body instead of redirecting.
-pub(super) async fn require_valid_user_json(
-    pool: &sqlx::PgPool,
-    session: &Session,
-    lang: UiLang,
-) -> Result<secrets_core::models::User, (StatusCode, Json<serde_json::Value>)> {
-    match load_session_user_strict(pool, session).await {
-        Ok(Some(user)) => Ok(user),
-        Ok(None) => Err((
-            StatusCode::UNAUTHORIZED,
-            Json(json!({ "error": tr(lang, "未登录", "尚未登入", "Not logged in") })),
-        )),
-        Err(()) => Err((
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(
-                json!({ "error": tr(lang, "操作失败，请稍后重试", "操作失敗，請稍後重試", "Operation failed, please try again later") }),
-            ),
-        )),
-    }
-}
-
-fn request_user_agent(headers: &HeaderMap) -> Option<String> {
-    headers
-        .get(header::USER_AGENT)
-        .and_then(|value| value.to_str().ok())
-        .map(str::trim)
-        .filter(|value| !value.is_empty())
-        .map(ToOwned::to_owned)
-}
-
-fn paginate(page: u32, total_count: i64, page_size: u32) -> (u32, u32, u32) {
-    let page_size = page_size.max(1);
-    let safe_total_count = u32::try_from(total_count.max(0)).unwrap_or(u32::MAX);
-    let total_pages = safe_total_count.div_ceil(page_size).max(1);
-    let current_page = page.max(1).min(total_pages);
-    let offset = (current_page - 1).saturating_mul(page_size);
-    (current_page, total_pages, offset)
-}
-
-fn render_template<T: Template>(tmpl: T) -> Result<Response, StatusCode> {
-    let html = tmpl.render().map_err(|e| {
-        tracing::error!(error = %e, "template render error");
-        StatusCode::INTERNAL_SERVER_ERROR
-    })?;
-    Ok(Html(html).into_response())
-}
-
-// ── Routes ────────────────────────────────────────────────────────────────────
-
-pub fn web_router() -> Router<AppState> {
-    Router::new()
-        .route("/robots.txt", get(assets::robots_txt))
-        .route("/llms.txt", get(assets::llms_txt))
-        .route("/ai.txt", get(assets::ai_txt))
-        .route("/static/i18n.js", get(assets::i18n_js))
-        .route("/favicon.svg", get(assets::favicon_svg))
-        .route(
-            "/favicon.ico",
-            get(|| async { Redirect::permanent("/favicon.svg") }),
-        )
-        .route(
-            "/.well-known/oauth-protected-resource",
-            get(assets::oauth_protected_resource_metadata),
-        )
-        .route("/", get(auth::home_page))
-        .route("/changelog", get(changelog::changelog_page))
-        .route("/login", get(auth::login_page))
-        .route("/auth/google", get(auth::auth_google))
-        .route("/auth/google/callback", get(auth::auth_google_callback))
-        .route("/auth/logout", post(auth::auth_logout))
-        .route("/local-mcp/approve", get(local_mcp::approve_page))
-        .route("/dashboard", get(account::dashboard))
-        .route("/entries", get(entries::entries_page))
-        .route("/trash", get(entries::trash_page))
-        .route("/audit", get(audit::audit_page))
-        .route("/account/bind/google", get(auth::account_bind_google))
-        .route("/account/unbind/{provider}", post(auth::account_unbind))
-        .route("/api/key-salt", get(account::api_key_salt))
-        .route("/api/local-mcp/bind/start", post(local_mcp::api_bind_start))
-        .route(
-            "/api/local-mcp/bind/approve",
-            post(local_mcp::api_bind_approve),
-        )
-        .route(
-            "/api/local-mcp/bind/exchange",
-            post(local_mcp::api_bind_exchange),
-        )
-        .route(
-            "/api/local-mcp/bind/refresh",
-            post(local_mcp::api_bind_refresh),
-        )
-        .route(
-            "/api/local-mcp/entries/find",
-            post(local_mcp::api_entries_find),
-        )
-        .route(
-            "/api/local-mcp/entries/search",
-            post(local_mcp::api_entries_search),
-        )
-        .route(
-            "/api/local-mcp/entries/history",
-            post(local_mcp::api_entry_history),
-        )
-        .route(
-            "/api/local-mcp/entries/overview",
-            get(local_mcp::api_entries_overview),
-        )
-        .route(
-            "/api/local-mcp/entries/delete-preview",
-            post(local_mcp::api_entries_delete_preview),
-        )
-        .route(
-            "/api/local-mcp/entries/{id}/secrets",
-            get(local_mcp::api_entry_secrets_decrypt_bearer),
-        )
-        .route("/api/key-setup", post(account::api_key_setup))
-        .route("/api/key-change", post(account::api_key_change))
-        .route("/api/apikey", get(account::api_apikey_get))
-        .route("/api/entries/options", get(entries::api_entry_options))
-        .route(
-            "/api/apikey/regenerate",
-            post(account::api_apikey_regenerate),
-        )
-        .route(
-            "/api/entries/{id}",
-            patch(entries::api_entry_patch).delete(entries::api_entry_delete),
-        )
-        .route("/api/trash/{id}/restore", post(entries::api_trash_restore))
-        .route(
-            "/api/trash/{id}",
-            axum::routing::delete(entries::api_trash_purge),
-        )
-        .route(
-            "/api/entries/{entry_id}/secrets/{secret_id}",
-            axum::routing::delete(entries::api_entry_secret_unlink),
-        )
-        .route(
-            "/api/entries/{id}/secrets/decrypt",
-            get(entries::api_entry_secrets_decrypt),
-        )
-        .route("/api/secrets/{secret_id}", patch(entries::api_secret_patch))
-        .route(
-            "/api/secrets/check-name",
-            get(entries::api_secret_check_name),
-        )
-}
-
-#[cfg(test)]
-mod tests {
-    use std::net::SocketAddr;
-
-    use super::*;
-
-    #[test]
-    fn client_ip_ignores_forwarded_headers_without_trusted_proxy() {
-        let mut headers = HeaderMap::new();
-        headers.insert("x-forwarded-for", "203.0.113.10".parse().unwrap());
-
-        let ip = crate::client_ip::extract_client_ip_parts(
-            &headers,
-            SocketAddr::from(([127, 0, 0, 1], 9315)),
-        );
-
-        assert_eq!(ip, "127.0.0.1");
-    }
-
-    #[test]
-    fn client_ip_uses_valid_forwarded_header_with_trusted_proxy() {
-        // This test relies on TRUST_PROXY being unset (default); skip if set in env
-        if std::env::var("TRUST_PROXY").is_ok() {
-            return;
-        }
-        let mut headers = HeaderMap::new();
-        headers.insert("x-forwarded-for", "203.0.113.10, 10.0.0.1".parse().unwrap());
-
-        // Direct connection IP is used when TRUST_PROXY is not set
-        let ip = crate::client_ip::extract_client_ip_parts(
-            &headers,
-            SocketAddr::from(([127, 0, 0, 1], 9315)),
-        );
-
-        assert_eq!(ip, "127.0.0.1");
-    }
-
-    #[test]
-    fn request_ui_lang_prefers_zh_cn_over_en_fallback() {
-        let mut headers = HeaderMap::new();
-        headers.insert(header::ACCEPT_LANGUAGE, "zh-CN, en;q=0.5".parse().unwrap());
-
-        assert!(matches!(request_ui_lang(&headers), UiLang::ZhCn));
-    }
-
-    #[test]
-    fn request_ui_lang_detects_traditional_chinese_variants() {
-        let mut headers = HeaderMap::new();
-        headers.insert(
-            header::ACCEPT_LANGUAGE,
-            "zh-Hant, en;q=0.5".parse().unwrap(),
-        );
-
-        assert!(matches!(request_ui_lang(&headers), UiLang::ZhTw));
-    }
-
-    #[test]
-    fn paginate_clamps_page_before_computing_offset() {
-        let (current_page, total_pages, offset) = paginate(100, 12, 10);
-
-        assert_eq!(current_page, 2);
-        assert_eq!(total_pages, 2);
-        assert_eq!(offset, 10);
-    }
-
-    #[test]
-    fn paginate_handles_large_page_without_overflow() {
-        let (current_page, total_pages, offset) = paginate(u32::MAX, 1, ENTRIES_PAGE_LIMIT);
-
-        assert_eq!(current_page, 1);
-        assert_eq!(total_pages, 1);
-        assert_eq!(offset, 0);
-    }
-
-    #[test]
-    fn paginate_saturates_large_total_count() {
-        let (_, total_pages, _) = paginate(1, i64::MAX, ENTRIES_PAGE_LIMIT);
-
-        assert_eq!(total_pages, u32::MAX.div_ceil(ENTRIES_PAGE_LIMIT));
-    }
-}

crates/secrets-mcp/static/favicon.svg

@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32">
-  <text x="16" y="23" text-anchor="middle" font-family="system-ui,Segoe UI,sans-serif" font-size="22" font-weight="700" fill="#58a6ff">S</text>
-</svg>

crates/secrets-mcp/static/llms.txt

@@ -1,28 +0,0 @@
-# Secrets MCP
-
-> 给 AI 与自动化工具的简要说明。本站是 **secrets-mcp**：Streamable HTTP **MCP**（Model Context Protocol）与 **Web 控制台** 的组合，用于在多租户场景下存储条目元数据与加密后的秘密字段；持久化在 PostgreSQL。用户通过 OAuth（如已配置）登录 Web；MCP 调用使用 API Key 与加密相关请求头。
-
-## 公开页面
-
-- **`/`**：公开首页，说明安全架构（客户端密钥派生、密文存储、多租户与审计等），无需登录。
-
-## 不应抓取或索引的内容
-
-- **`/mcp`**：MCP 流式 HTTP 端点（JSON-RPC 等），**不是** HTML 文档，也不适合作为公开知识库来源。
-- **`/api/*`**：会话或 API Key 相关的 HTTP API。
-- **`/login`**：登录入口页（`noindex` / robots 通常 disallow）。
-- **`/dashboard`、`/audit`、`/auth/*`、`/account/*`**：需浏览器会话，属于用户私有界面与 OAuth 流程。
-
-## 给 AI 助手的实用提示
-
-- 向用户说明连接方式时：MCP 基址为 `{BASE_URL}/mcp`（`BASE_URL` 由部署方设置），通常需要 `Authorization: Bearer <api_key>`；读写加密秘密时还需按部署文档传递 `X-Encryption-Key` 等头（与客户端模式有关）。
-- **不要编造**本实例的数据库 URL、OAuth 密钥、回调地址或任何凭据；一律以用户环境变量与运维文档为准。
-- Web 端在浏览器内用密码短语派生密钥完成端到端加密；MCP 路径下服务端可能在请求周期内临时使用客户端提供的密钥处理密文（架构细节见项目 README「加密架构」）。
-
-## 延伸阅读
-
-- 源码仓库：<https://gitea.refining.dev/refining/secrets>（`README.md`、`AGENTS.md` 含环境变量、表结构与运维约定）。
-
-## 关于本文件
-
-- 遵循常见的 **`/llms.txt`** 约定，便于人类与 LLM 快速了解站点性质与抓取边界；同文可在 **`/ai.txt`** 获取。

crates/secrets-mcp/static/robots.txt

@@ -1,31 +0,0 @@
-# Secrets MCP — robots.txt
-# 本站为需登录的私密控制台与 MCP API；以下路径请勿抓取，以免浪费配额并避免误索引敏感端点。
-# This host serves an authenticated dashboard and machine APIs; please skip crawling the paths below.
-
-User-agent: *
-Disallow: /mcp
-Disallow: /api/
-Disallow: /dashboard
-Disallow: /audit
-Disallow: /auth/
-Disallow: /login
-Disallow: /account/
-
-# 首页 `/` 为公开安全说明页，允许抓取。
-
-# 面向 AI / LLM 的机器可读站点说明（Markdown）：/llms.txt
-# Human & AI-readable site summary: /llms.txt (also /ai.txt)
-
-User-agent: GPTBot
-User-agent: Google-Extended
-User-agent: anthropic-ai
-User-agent: Claude-Web
-User-agent: PerplexityBot
-User-agent: Bytespider
-Disallow: /mcp
-Disallow: /api/
-Disallow: /dashboard
-Disallow: /audit
-Disallow: /auth/
-Disallow: /login
-Disallow: /account/

crates/secrets-mcp/templates/audit.html

@@ -1,247 +0,0 @@
-<!DOCTYPE html>
-<html lang="zh-CN">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="icon" href="/favicon.svg?v={{ version }}" type="image/svg+xml">
-    <title>Secrets — Audit</title>
-    <style>
-        *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-        @import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&family=Inter:wght@400;500;600&display=swap');
-        :root {
-            --bg: #0d1117; --surface: #161b22; --surface2: #21262d;
-            --border: #30363d; --text: #e6edf3; --text-muted: #8b949e;
-            --accent: #58a6ff; --accent-hover: #79b8ff;
-        }
-        body { background: #0d1117; color: #c9d1d9; font-family: 'Inter', sans-serif; min-height: 100vh; }
-        .layout { display: flex; min-height: 100vh; }
-        .sidebar {
-            width: 200px; flex-shrink: 0; background: #0b1220; border-right: 1px solid rgba(240,246,252,0.08);
-            padding: 20px 12px; display: flex; flex-direction: column; gap: 20px;
-        }
-        .sidebar-logo { font-family: 'Inter', sans-serif; font-size: 16px; font-weight: 700;
-                        color: #fff; text-decoration: none; padding: 0 10px; }
-        .sidebar-menu { display: grid; gap: 6px; }
-        .sidebar-link {
-            padding: 10px 12px; border-radius: 10px; color: #8b949e; text-decoration: none;
-            font-size: 13px; font-weight: 500;
-        }
-        .sidebar-link:hover { background: rgba(56,139,253,0.14); color: #fff; }
-        .sidebar-link.active {
-            background: rgba(56,139,253,0.14); color: #fff;
-        }
-        .content-shell { flex: 1; min-width: 0; display: flex; flex-direction: column; }
-        .topbar {
-            background: transparent; border-bottom: none; padding: 0 24px;
-            display: flex; align-items: center; gap: 12px; min-height: 44px;
-        }
-        .topbar-spacer { flex: 1; }
-        .nav-user { font-size: 14px; color: #8b949e; }
-        .lang-bar { display: flex; gap: 2px; background: rgba(240,246,252,0.06); border-radius: 8px; padding: 2px; }
-        .lang-btn { padding: 4px 10px; border: none; background: none; color: #8b949e;
-                    font-size: 12px; cursor: pointer; border-radius: 6px; }
-        .lang-btn.active { background: rgba(240,246,252,0.1); color: #fff; }
-        .btn-sign-out {
-            padding: 6px 14px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.12);
-            background: #161b22; color: #c9d1d9; font-size: 13px; text-decoration: none; cursor: pointer;
-        }
-        .btn-sign-out:hover { border-color: rgba(56,139,253,0.45); color: #fff; }
-        .main { padding: 16px 16px 24px; flex: 1; }
-        .card { background: #111827; border: 1px solid rgba(240,246,252,0.08); border-radius: 18px;
-                padding: 20px; width: 100%; }
-        .card-title-row {
-            display: flex; align-items: center; flex-wrap: wrap; gap: 8px;
-            margin-bottom: 18px;
-        }
-        .card-title { font-size: 22px; font-weight: 700; margin: 0; color: #fff; }
-        .card-title-count {
-            display: inline-flex;
-            align-items: center;
-            min-height: 24px;
-            padding: 0 8px;
-            border: 1px solid rgba(240,246,252,0.08);
-            border-radius: 999px;
-            background: #0d1117;
-            color: #8b949e;
-            font-size: 12px;
-            font-weight: 600;
-            line-height: 1;
-            font-family: 'JetBrains Mono', monospace;
-        }
-        .empty { color: #8b949e; font-size: 14px; padding: 20px 0; }
-        table { width: 100%; border-collapse: collapse; }
-        th, td { text-align: left; vertical-align: top; padding: 14px 12px; border-top: 1px solid rgba(240,246,252,0.08); }
-        th { color: #8b949e; font-size: 12px; font-weight: 600; }
-        td { font-size: 13px; color: #c9d1d9; }
-        .mono { font-family: 'JetBrains Mono', monospace; }
-        .col-detail { min-width: 260px; max-width: 460px; }
-        .detail-scroll {
-            height: calc(1.5em * 3 + 20px);
-            min-height: calc(1.5em * 3 + 20px);
-            overflow: auto;
-            resize: vertical;
-            white-space: pre-wrap;
-            word-break: break-word;
-            padding: 10px;
-            background: #0d1117;
-            border: 1px solid rgba(240,246,252,0.08);
-            border-radius: 10px;
-            font-size: 12px;
-            font-family: 'JetBrains Mono', monospace;
-            margin: 0;
-        }
-        @media (max-width: 900px) {
-            .layout { flex-direction: column; }
-            .sidebar {
-                width: 100%; border-right: none; border-bottom: 1px solid rgba(240,246,252,0.08);
-                padding: 16px; gap: 14px;
-            }
-            .sidebar-menu { flex-direction: row; }
-            .sidebar-link { flex: 1; text-align: center; }
-            .main { padding: 20px 12px 28px; }
-            .card { padding: 16px; }
-            .topbar { padding: 12px 16px; flex-wrap: wrap; }
-            table, thead, tbody, th, td, tr { display: block; }
-            thead { display: none; }
-            tr { border-top: 1px solid rgba(240,246,252,0.08); padding: 12px 0; }
-            td { border-top: none; padding: 6px 0; }
-            td::before {
-                display: block; color: #8b949e; font-size: 11px;
-                margin-bottom: 4px; text-transform: uppercase;
-                content: attr(data-label);
-            }
-            .detail { max-width: none; }
-        }
-        .pagination {
-            display: flex; align-items: center; gap: 12px; margin-top: 18px;
-            justify-content: center; padding: 12px 0;
-        }
-        .page-btn {
-            padding: 8px 12px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.12);
-            background: #161b22; color: #c9d1d9; text-decoration: none;
-            font-size: 13px; cursor: pointer;
-        }
-        .page-btn:hover { border-color: rgba(56,139,253,0.45); color: #fff; }
-        .page-btn-disabled {
-            padding: 8px 12px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.12);
-            background: #161b22; color: #6e7681; font-size: 13px;
-            opacity: 0.5; cursor: not-allowed;
-        }
-        .page-info {
-            color: #8b949e; font-size: 13px; font-family: 'JetBrains Mono', monospace;
-        }
-    </style>
-</head>
-<body>
-<div class="layout">
-<aside class="sidebar">
-    <a href="/dashboard" class="sidebar-logo">secrets</a>
-    <nav class="sidebar-menu">
-        <a href="/dashboard" class="sidebar-link" data-i18n="navMcp">MCP</a>
-        <a href="/entries" class="sidebar-link" data-i18n="navEntries">条目</a>
-        <a href="/trash" class="sidebar-link" data-i18n="navTrash">回收站</a>
-        <a href="/audit" class="sidebar-link active" data-i18n="navAudit">审计</a>
-    </nav>
-</aside>
-
-<div class="content-shell">
-<div class="topbar">
-    <span class="topbar-spacer"></span>
-    <span class="nav-user">{{ user_name }}{% if !user_email.is_empty() %} · {{ user_email }}{% endif %}</span>
-    <div class="lang-bar">
-        <button class="lang-btn" onclick="setLang('zh-CN')">简</button>
-        <button class="lang-btn" onclick="setLang('zh-TW')">繁</button>
-        <button class="lang-btn" onclick="setLang('en')">EN</button>
-    </div>
-    <form action="/auth/logout" method="post" style="display:inline">
-        <button type="submit" class="btn-sign-out" data-i18n="signOut">退出</button>
-    </form>
-</div>
-
-<main class="main">
-    <section class="card">
-        <div class="card-title-row">
-            <div class="card-title" data-i18n="auditTitle">我的审计</div>
-            <span class="card-title-count">{{ total_count }}</span>
-        </div>
-
-        {% if entries.is_empty() %}
-        <div class="empty" data-i18n="emptyAudit">暂无审计记录。</div>
-        {% else %}
-        <table>
-            <thead>
-                <tr>
-                    <th data-i18n="colTime">时间</th>
-                    <th data-i18n="colAction">动作</th>
-                    <th data-i18n="colTarget">目标</th>
-                    <th data-i18n="colDetail">详情</th>
-                </tr>
-            </thead>
-            <tbody>
-                {% for entry in entries %}
-                <tr>
-                    <td class="col-time mono" data-label="时间"><time class="audit-local-time" datetime="{{ entry.created_at_iso }}">{{ entry.created_at_iso }}</time></td>
-                    <td class="col-action mono" data-label="动作">{{ entry.action }}</td>
-                    <td class="col-target mono" data-label="目标">{{ entry.target }}</td>
-                    <td class="col-detail" data-label="详情">{% if !entry.detail.is_empty() %}<pre class="detail-scroll">{{ entry.detail }}</pre>{% endif %}</td>
-                </tr>
-                {% endfor %}
-            </tbody>
-        </table>
-
-        {% if total_count > 0 %}
-        <div class="pagination">
-            {% if current_page > 1 %}
-            <a href="?page={{ current_page - 1 }}" class="page-btn" data-i18n="prevPage">上一页</a>
-            {% else %}
-            <span class="page-btn page-btn-disabled" data-i18n="prevPage">上一页</span>
-            {% endif %}
-            <span class="page-info">{{ current_page }} / {{ total_pages }}</span>
-            {% if current_page < total_pages %}
-            <a href="?page={{ current_page + 1 }}" class="page-btn" data-i18n="nextPage">下一页</a>
-            {% else %}
-            <span class="page-btn page-btn-disabled" data-i18n="nextPage">下一页</span>
-            {% endif %}
-        </div>
-        {% endif %}
-        {% endif %}
-    </section>
-</main>
-</div>
-</div>
-<script src="/static/i18n.js?v={{ version }}"></script>
-<script>
-(function () {
-  I18N_PAGE = {
-    'zh-CN': { pageTitle: 'Secrets — 审计', auditTitle: '我的审计', emptyAudit: '暂无审计记录。', colTime: '时间', colAction: '动作', colTarget: '目标', colDetail: '详情', prevPage: '上一页', nextPage: '下一页' },
-    'zh-TW': { pageTitle: 'Secrets — 審計', auditTitle: '我的審計', emptyAudit: '暫無審計記錄。', colTime: '時間', colAction: '動作', colTarget: '目標', colDetail: '詳情', prevPage: '上一頁', nextPage: '下一頁' },
-    en: { pageTitle: 'Secrets — Audit', auditTitle: 'My audit', emptyAudit: 'No audit records.', colTime: 'Time', colAction: 'Action', colTarget: 'Target', colDetail: 'Detail', prevPage: 'Previous', nextPage: 'Next' }
-  };
-
-  window.applyPageLang = function () {
-    document.querySelectorAll('tbody tr').forEach(function (tr) {
-      var time = tr.querySelector('.col-time');
-      var action = tr.querySelector('.col-action');
-      var target = tr.querySelector('.col-target');
-      var detail = tr.querySelector('.col-detail');
-      if (time) time.setAttribute('data-label', t('mobileLabelTime'));
-      if (action) action.setAttribute('data-label', t('mobileLabelAction'));
-      if (target) target.setAttribute('data-label', t('mobileLabelTarget'));
-      if (detail) detail.setAttribute('data-label', t('mobileLabelDetail'));
-    });
-  };
-
-  document.querySelectorAll('time.audit-local-time[datetime]').forEach(function (el) {
-    var raw = el.getAttribute('datetime');
-    var d = raw ? new Date(raw) : null;
-    if (d && !isNaN(d.getTime())) {
-      el.textContent = d.toLocaleString(undefined, { dateStyle: 'medium', timeStyle: 'medium' });
-      el.title = raw + ' (UTC)';
-    }
-  });
-
-  applyLang();
-})();
-</script>
-</body>
-</html>

crates/secrets-mcp/templates/changelog.html

@@ -1,185 +0,0 @@
-<!DOCTYPE html>
-<html lang="zh-CN">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="canonical" href="{{ base_url }}/changelog">
-    <link rel="icon" href="/favicon.svg?v={{ version }}" type="image/svg+xml">
-    <title data-i18n="docTitle">变更记录 — Secrets</title>
-    <style>
-        *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-        @import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&family=Inter:wght@400;500;600&display=swap');
-        :root {
-            --bg: #0d1117; --surface: #161b22;
-            --border: #30363d; --text: #e6edf3; --text-muted: #8b949e;
-            --accent: #58a6ff; --accent-hover: #79b8ff;
-        }
-        body { background: var(--bg); color: var(--text); font-family: 'Inter', sans-serif; min-height: 100vh; }
-        .wrap { max-width: 880px; margin: 0 auto; padding: 24px 20px 48px; }
-        .top {
-            display: flex; align-items: center; flex-wrap: wrap; gap: 12px 16px;
-            margin-bottom: 24px; padding-bottom: 16px;
-            border-bottom: 1px solid rgba(240,246,252,0.08);
-        }
-        .brand {
-            font-size: 18px; font-weight: 700; color: #fff; text-decoration: none;
-        }
-        .brand:hover { color: var(--accent); }
-        .top-actions { margin-left: auto; display: flex; align-items: center; gap: 12px; flex-wrap: wrap; }
-        .lang-bar { display: flex; gap: 2px; background: rgba(240,246,252,0.06); border-radius: 8px; padding: 2px; }
-        .lang-btn { padding: 4px 10px; border: none; background: none; color: #8b949e;
-                    font-size: 12px; cursor: pointer; border-radius: 6px; }
-        .lang-btn.active { background: rgba(240,246,252,0.1); color: #fff; }
-        .link-dash {
-            font-size: 13px; color: var(--accent); text-decoration: none;
-        }
-        .link-dash:hover { text-decoration: underline; }
-        h1 { font-size: 22px; font-weight: 700; margin-bottom: 16px; color: #fff; }
-        .card {
-            background: #111827; border: 1px solid rgba(240,246,252,0.08); border-radius: 18px;
-            padding: 20px 22px;
-        }
-        /* Rendered Markdown (pulldown-cmark) */
-        .changelog-md {
-            font-size: 14px;
-            line-height: 1.65;
-            color: #c9d1d9;
-        }
-        .changelog-md > :first-child { margin-top: 0; }
-        .changelog-md > :last-child { margin-bottom: 0; }
-        .changelog-md h1 {
-            font-size: 1.5rem; font-weight: 700; color: #fff;
-            margin: 1.25em 0 0.5em; padding-bottom: 0.35em;
-            border-bottom: 1px solid rgba(240,246,252,0.1);
-        }
-        .changelog-md h2 {
-            font-size: 1.2rem; font-weight: 650; color: #f0f6fc;
-            margin: 1.35em 0 0.5em;
-        }
-        .changelog-md h3 { font-size: 1.05rem; font-weight: 600; color: #e6edf3; margin: 1.1em 0 0.45em; }
-        .changelog-md h4, .changelog-md h5, .changelog-md h6 { font-size: 1rem; font-weight: 600; color: #e6edf3; margin: 1em 0 0.4em; }
-        .changelog-md p { margin: 0.65em 0; }
-        .changelog-md ul, .changelog-md ol { margin: 0.65em 0; padding-left: 1.35em; }
-        .changelog-md li { margin: 0.3em 0; }
-        .changelog-md li > p { margin: 0.35em 0; }
-        .changelog-md a { color: var(--accent); text-decoration: none; }
-        .changelog-md a:hover { text-decoration: underline; }
-        .changelog-md code {
-            font-family: 'JetBrains Mono', ui-monospace, monospace;
-            font-size: 0.88em;
-            background: rgba(240,246,252,0.08);
-            padding: 0.12em 0.4em;
-            border-radius: 5px;
-        }
-        .changelog-md pre {
-            margin: 0.85em 0;
-            padding: 12px 14px;
-            overflow-x: auto;
-            background: #0d1117;
-            border: 1px solid rgba(240,246,252,0.1);
-            border-radius: 10px;
-            font-size: 12px;
-            line-height: 1.5;
-        }
-        .changelog-md pre code {
-            background: none;
-            padding: 0;
-            font-size: inherit;
-            border-radius: 0;
-        }
-        .changelog-md blockquote {
-            margin: 0.75em 0;
-            padding-left: 1em;
-            border-left: 3px solid rgba(56,139,253,0.45);
-            color: var(--text-muted);
-        }
-        .changelog-md hr {
-            margin: 1.25em 0;
-            border: none;
-            border-top: 1px solid rgba(240,246,252,0.1);
-        }
-        .changelog-md table {
-            width: 100%;
-            border-collapse: collapse;
-            margin: 0.85em 0;
-            font-size: 13px;
-        }
-        .changelog-md th, .changelog-md td {
-            border: 1px solid var(--border);
-            padding: 8px 10px;
-            text-align: left;
-        }
-        .changelog-md th { background: rgba(240,246,252,0.06); color: #f0f6fc; }
-        .changelog-md input[type="checkbox"] { margin-right: 0.35em; vertical-align: middle; }
-        .foot {
-            margin-top: 28px; text-align: center; font-size: 11px; color: var(--text-muted);
-            font-family: 'JetBrains Mono', monospace;
-        }
-        .foot a { color: var(--accent); text-decoration: none; }
-        .foot a:hover { text-decoration: underline; }
-    </style>
-</head>
-<body>
-<div class="wrap">
-    <header class="top">
-        <a href="/" class="brand">secrets</a>
-        <div class="top-actions">
-            <a href="/dashboard" class="link-dash" data-i18n="backDash">控制台</a>
-            <div class="lang-bar" role="group" aria-label="Language">
-                <button type="button" class="lang-btn" onclick="setLang('zh-CN')">简</button>
-                <button type="button" class="lang-btn" onclick="setLang('zh-TW')">繁</button>
-                <button type="button" class="lang-btn" onclick="setLang('en')">EN</button>
-            </div>
-        </div>
-    </header>
-    <h1 data-i18n="pageTitle">变更记录</h1>
-    <div class="card changelog-md">
-        {{ changelog_html|safe }}
-    </div>
-    <footer class="foot">
-        <span data-i18n="versionLabel">版本</span> {{ version }}
-    </footer>
-</div>
-<script>
-const T = {
-    'zh-CN': {
-        docTitle: '变更记录 — Secrets',
-        pageTitle: '变更记录',
-        backDash: '控制台',
-        versionLabel: '版本',
-    },
-    'zh-TW': {
-        docTitle: '變更記錄 — Secrets',
-        pageTitle: '變更記錄',
-        backDash: '控制台',
-        versionLabel: '版本',
-    },
-    'en': {
-        docTitle: 'Changelog — Secrets',
-        pageTitle: 'Changelog',
-        backDash: 'Dashboard',
-        versionLabel: 'Version',
-    }
-};
-let currentLang = localStorage.getItem('lang') || 'zh-CN';
-function t(key) { return (T[currentLang] && T[currentLang][key]) || T['en'][key] || key; }
-function applyLang() {
-    document.documentElement.lang = currentLang;
-    document.title = t('docTitle');
-    document.querySelectorAll('[data-i18n]').forEach(el => {
-        el.textContent = t(el.getAttribute('data-i18n'));
-    });
-    document.querySelectorAll('.lang-btn').forEach(btn => {
-        const map = { 'zh-CN': '简', 'zh-TW': '繁', 'en': 'EN' };
-        btn.classList.toggle('active', btn.textContent === map[currentLang]);
-    });
-}
-function setLang(lang) {
-    currentLang = lang;
-    localStorage.setItem('lang', lang);
-    applyLang();
-}
-applyLang();
-</script>
-</body>
-</html>

crates/secrets-mcp/templates/dashboard.html

@@ -1,975 +0,0 @@
-<!DOCTYPE html>
-<html lang="zh-CN">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="icon" href="/favicon.svg?v={{ version }}" type="image/svg+xml">
-    <title>Secrets</title>
-    <style>
-        *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-        @import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&family=Inter:wght@400;500;600&display=swap');
-        :root {
-            --bg: #0d1117; --surface: #161b22; --surface2: #21262d;
-            --border: #30363d; --text: #e6edf3; --text-muted: #8b949e;
-            --accent: #58a6ff; --accent-hover: #79b8ff;
-            --danger: #f85149; --success: #3fb950; --warn: #d29922;
-        }
-        body { background: var(--bg); color: var(--text); font-family: 'Inter', sans-serif; min-height: 100vh; }
-
-        .layout { display: flex; min-height: 100vh; }
-        .sidebar {
-            width: 200px; flex-shrink: 0; background: #0b1220; border-right: 1px solid rgba(240,246,252,0.08);
-            padding: 20px 12px; display: flex; flex-direction: column; gap: 20px;
-        }
-        .sidebar-logo { font-family: 'Inter', sans-serif; font-size: 16px; font-weight: 700;
-                        color: #fff; text-decoration: none; padding: 0 10px; }
-        .sidebar-menu { display: grid; gap: 6px; }
-        .sidebar-link {
-            padding: 10px 12px; border-radius: 10px; color: #8b949e; text-decoration: none;
-            font-size: 13px; font-weight: 500;
-        }
-        .sidebar-link:hover { background: rgba(56,139,253,0.14); color: #fff; }
-        .sidebar-link.active { background: rgba(56,139,253,0.14); color: #fff; }
-        .content-shell { flex: 1; min-width: 0; display: flex; flex-direction: column; }
-        .topbar {
-            background: transparent; border-bottom: none; padding: 0 24px;
-            display: flex; align-items: center; gap: 12px; min-height: 44px;
-        }
-        .topbar-spacer { flex: 1; }
-        .nav-user { font-size: 14px; color: #8b949e; }
-        .lang-bar { display: flex; gap: 2px; background: rgba(240,246,252,0.06); border-radius: 8px; padding: 2px; }
-        .lang-btn { padding: 4px 10px; border: none; background: none; color: #8b949e;
-                    font-size: 12px; cursor: pointer; border-radius: 6px; }
-        .lang-btn.active { background: rgba(240,246,252,0.1); color: #fff; }
-        .btn-sign-out {
-            padding: 6px 14px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.12);
-            background: #161b22; color: #c9d1d9; font-size: 13px; text-decoration: none; cursor: pointer;
-        }
-        .btn-sign-out:hover { border-color: rgba(56,139,253,0.45); color: #fff; }
-
-        /* Main content column */
-        .main { padding: 16px 16px 0; flex: 1; min-height: 0; display: flex; flex-direction: column; }
-        .app-footer {
-            text-align: center;
-            padding: 12px 0;
-            font-size: 11px;
-            color: var(--text-muted);
-            font-family: 'JetBrains Mono', monospace;
-            margin-top: auto;
-        }
-        .app-footer a { color: var(--accent); text-decoration: none; }
-        .app-footer a:hover { text-decoration: underline; }
-        .card { background: #111827; border: 1px solid rgba(240,246,252,0.08); border-radius: 18px;
-                padding: 20px; width: 100%; }
-        .card-title { font-size: 22px; font-weight: 700; margin-bottom: 24px; color: #fff; }
-        /* Form */
-        .field { margin-bottom: 12px; }
-        .field label { display: block; font-size: 12px; color: #8b949e; margin-bottom: 5px; }
-        .field input { width: 100%; background: #0d1117; border: 1px solid rgba(240,246,252,0.08);
-                       color: #c9d1d9; padding: 9px 12px; border-radius: 10px;
-                       font-size: 13px; outline: none; }
-        .field input:focus { border-color: rgba(56,139,253,0.5); }
-        .pw-field { position: relative; }
-        .pw-field > input { padding-right: 42px; }
-        .pw-toggle {
-            position: absolute; right: 6px; top: 50%; transform: translateY(-50%);
-            display: flex; align-items: center; justify-content: center;
-            width: 32px; height: 32px; border: none; border-radius: 8px;
-            background: transparent; color: #8b949e; cursor: pointer;
-        }
-        .pw-toggle:hover { color: #c9d1d9; background: rgba(240,246,252,0.06); }
-        .pw-toggle:focus-visible { outline: 2px solid rgba(56,139,253,0.5); outline-offset: 2px; }
-        .pw-icon svg { display: block; }
-        .pw-icon.hidden { display: none; }
-        .error-msg { color: #f85149; font-size: 12px; margin-top: 6px; display: none; }
-
-        /* Buttons */
-        .btn-primary { display: inline-flex; align-items: center; gap: 6px; width: 100%;
-                       justify-content: center; padding: 10px 20px; border-radius: 10px;
-                       border: none; background: #388bfd; color: #fff;
-                       font-size: 14px; font-weight: 600; cursor: pointer; transition: background 0.15s; }
-        .btn-primary:hover { background: #58a6ff; }
-        .btn-primary:disabled { opacity: 0.5; cursor: not-allowed; }
-        .btn-sm { display: inline-flex; align-items: center; gap: 4px; padding: 8px 12px;
-                  border-radius: 10px; border: 1px solid rgba(240,246,252,0.12); background: #161b22;
-                  color: #8b949e; font-size: 13px; cursor: pointer; font-family: inherit; }
-        .btn-sm:hover { border-color: rgba(56,139,253,0.45); color: #fff; }
-        .btn-copy { display: flex; align-items: center; gap: 8px; width: 100%; justify-content: center;
-                    padding: 11px 20px; border-radius: 10px; border: 1px solid #3fb950;
-                    background: rgba(63,185,80,0.1); color: #3fb950;
-                    font-size: 14px; font-weight: 600; cursor: pointer; transition: all 0.15s; font-family: inherit; }
-        .btn-copy:hover { background: rgba(63,185,80,0.2); }
-        .btn-copy.copied { background: #3fb950; color: #0d1117; border-color: #3fb950; }
-
-        /* Config format switcher */
-        .config-tabs { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: 10px; margin-bottom: 12px; }
-        .config-tab { padding: 12px 14px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.08);
-                      background: #161b22; color: #8b949e; cursor: pointer;
-                      font-family: inherit; text-align: left; transition: border-color 0.15s, background 0.15s, transform 0.15s; }
-        .config-tab:hover { color: #c9d1d9; border-color: rgba(56,139,253,0.45); transform: translateY(-1px); }
-        .config-tab.active { background: rgba(56,139,253,0.14); color: #fff; border-color: rgba(56,139,253,0.3); }
-        .config-tab-title { display: block; font-size: 13px; font-weight: 600; color: inherit; }
-        /* Config box */
-        .config-wrap { position: relative; margin-bottom: 14px; }
-        .config-box { background: #0d1117; border: 1px solid rgba(240,246,252,0.08); border-radius: 10px;
-                      padding: 16px; font-family: 'JetBrains Mono', monospace; font-size: 11px;
-                      line-height: 1.7; color: #c9d1d9; overflow-x: auto; white-space: pre; }
-        .config-box.locked { color: #8b949e; filter: blur(3px); user-select: none;
-                             pointer-events: none; }
-        .config-key { color: #79c0ff; }
-        .config-str { color: #a5d6ff; }
-        .config-val { color: #58a6ff; }
-
-        /* Divider */
-        .divider { border: none; border-top: 1px solid rgba(240,246,252,0.08); margin: 20px 0; }
-
-        /* Actions row */
-        .actions-row { display: flex; gap: 8px; flex-wrap: wrap; justify-content: center; }
-
-        /* Spinner */
-        .spinner { display: inline-block; width: 14px; height: 14px; border: 2px solid rgba(13,17,23,0.3);
-                   border-top-color: #0d1117; border-radius: 50%; animation: spin 0.7s linear infinite; }
-        @keyframes spin { to { transform: rotate(360deg); } }
-
-        /* Modal */
-        .modal-bd { display: none; position: fixed; inset: 0; background: rgba(0,0,0,0.75);
-                    z-index: 100; align-items: center; justify-content: center; }
-        .modal-bd.open { display: flex; }
-        .modal { background: #111827; border: 1px solid rgba(240,246,252,0.08); border-radius: 18px;
-                 padding: 28px; width: 100%; max-width: 420px; }
-        .modal h3 { font-size: 18px; font-weight: 700; margin-bottom: 16px; color: #fff; }
-        .modal-actions { display: flex; gap: 8px; margin-top: 16px; }
-        .btn-modal-ok { flex: 1; padding: 8px; border-radius: 10px; border: none;
-                        background: #388bfd; color: #fff; font-size: 13px;
-                        font-weight: 600; cursor: pointer; font-family: inherit; }
-        .btn-modal-ok:hover { background: #58a6ff; }
-        .btn-modal-cancel { padding: 8px 16px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.12);
-                            background: #161b22; color: #c9d1d9; font-size: 13px; cursor: pointer; font-family: inherit; }
-        .btn-modal-cancel:hover { border-color: rgba(56,139,253,0.45); color: #fff; }
-
-        @media (max-width: 900px) {
-            .layout { flex-direction: column; }
-            .sidebar {
-                width: 100%; border-right: none; border-bottom: 1px solid rgba(240,246,252,0.08);
-                padding: 16px; gap: 14px;
-            }
-            .sidebar-menu { flex-direction: row; flex-wrap: wrap; }
-            .sidebar-link { flex: 1; text-align: center; min-width: 72px; }
-            .main { padding: 20px 12px 28px; }
-            .card { padding: 16px; }
-            .topbar { padding: 12px 16px; flex-wrap: wrap; }
-        }
-
-    </style>
-</head>
-<body data-has-passphrase="{{ has_passphrase }}" data-base-url="{{ base_url }}">
-
-<div class="layout">
-<aside class="sidebar">
-    <a href="/dashboard" class="sidebar-logo">secrets</a>
-    <nav class="sidebar-menu">
-        <a href="/dashboard" class="sidebar-link active" data-i18n="navMcp">MCP</a>
-        <a href="/entries" class="sidebar-link" data-i18n="navEntries">条目</a>
-        <a href="/trash" class="sidebar-link" data-i18n="navTrash">回收站</a>
-        <a href="/audit" class="sidebar-link" data-i18n="navAudit">审计</a>
-    </nav>
-</aside>
-
-<div class="content-shell">
-<div class="topbar">
-    <span class="topbar-spacer"></span>
-    <span class="nav-user">{{ user_name }}{% if !user_email.is_empty() %} · {{ user_email }}{% endif %}</span>
-    <div class="lang-bar">
-        <button class="lang-btn" onclick="setLang('zh-CN')">简</button>
-        <button class="lang-btn" onclick="setLang('zh-TW')">繁</button>
-        <button class="lang-btn" onclick="setLang('en')">EN</button>
-    </div>
-    <form action="/auth/logout" method="post" style="display:inline">
-        <button type="submit" class="btn-sign-out" data-i18n="signOut">退出</button>
-    </form>
-</div>
-
-<div class="main">
-<div class="card">
-
-    <!-- ── Locked state ──────────────────────────────────────────────────── -->
-    <div id="locked-view">
-        <div class="card-title" data-i18n="lockedTitle">获取 MCP 配置</div>
-
-        <!-- placeholder config -->
-        <div class="config-wrap">
-            <div class="config-box locked" id="placeholder-config"></div>
-        </div>
-
-        <!-- Setup form (no passphrase yet) -->
-        <div id="setup-form" style="display:none">
-            <div class="field">
-                <label data-i18n="labelPassphrase">加密密码</label>
-                <div class="pw-field">
-                    <input type="password" id="setup-pass1" data-i18n-ph="phPassphrase" autocomplete="new-password">
-                    <button type="button" class="pw-toggle" data-target="setup-pass1" aria-pressed="false"
-                            onclick="togglePwVisibility(this)" aria-label="">
-                        <span class="pw-icon pw-icon-show" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z"/><circle cx="12" cy="12" r="3"/></svg></span>
-                        <span class="pw-icon pw-icon-hide hidden" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M17.94 17.94A10.07 10.07 0 0 1 12 20c-7 0-11-8-11-8a18.45 18.45 0 0 1 5.06-5.94M9.9 4.24A9.12 9.12 0 0 1 12 4c7 0 11 8 11 8a18.5 18.5 0 0 1-2.16 3.19m-6.72-1.07a3 3 0 1 1-4.24-4.24"/><line x1="1" y1="1" x2="23" y2="23"/></svg></span>
-                    </button>
-                </div>
-            </div>
-            <div class="field">
-                <label data-i18n="labelConfirm">确认密码</label>
-                <div class="pw-field">
-                    <input type="password" id="setup-pass2" data-i18n-ph="phConfirm" autocomplete="new-password">
-                    <button type="button" class="pw-toggle" data-target="setup-pass2" aria-pressed="false"
-                            onclick="togglePwVisibility(this)" aria-label="">
-                        <span class="pw-icon pw-icon-show" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z"/><circle cx="12" cy="12" r="3"/></svg></span>
-                        <span class="pw-icon pw-icon-hide hidden" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M17.94 17.94A10.07 10.07 0 0 1 12 20c-7 0-11-8-11-8a18.45 18.45 0 0 1 5.06-5.94M9.9 4.24A9.12 9.12 0 0 1 12 4c7 0 11 8 11 8a18.5 18.5 0 0 1-2.16 3.19m-6.72-1.07a3 3 0 1 1-4.24-4.24"/><line x1="1" y1="1" x2="23" y2="23"/></svg></span>
-                    </button>
-                </div>
-            </div>
-            <div class="error-msg" id="setup-error"></div>
-            <button class="btn-primary" id="setup-btn" onclick="doSetup()">
-                <span data-i18n="btnSetup">设置并获取配置</span>
-            </button>
-            <p style="font-size:11px;color:var(--text-muted);text-align:center;margin-top:10px" data-i18n="setupNote">
-                密码不会上传服务器。遗忘后数据将无法恢复。
-            </p>
-        </div>
-
-        <!-- Unlock form (passphrase already set) -->
-        <div id="unlock-form" style="display:none">
-            <div class="field">
-                <label data-i18n="labelPassphrase">加密密码</label>
-                <div class="pw-field">
-                    <input type="password" id="unlock-pass" data-i18n-ph="phPassphrase" autocomplete="current-password">
-                    <button type="button" class="pw-toggle" data-target="unlock-pass" aria-pressed="false"
-                            onclick="togglePwVisibility(this)" aria-label="">
-                        <span class="pw-icon pw-icon-show" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z"/><circle cx="12" cy="12" r="3"/></svg></span>
-                        <span class="pw-icon pw-icon-hide hidden" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M17.94 17.94A10.07 10.07 0 0 1 12 20c-7 0-11-8-11-8a18.45 18.45 0 0 1 5.06-5.94M9.9 4.24A9.12 9.12 0 0 1 12 4c7 0 11 8 11 8a18.5 18.5 0 0 1-2.16 3.19m-6.72-1.07a3 3 0 1 1-4.24-4.24"/><line x1="1" y1="1" x2="23" y2="23"/></svg></span>
-                    </button>
-                </div>
-            </div>
-            <div class="error-msg" id="unlock-error"></div>
-            <button class="btn-primary" id="unlock-btn" onclick="doUnlock()">
-                <span data-i18n="btnUnlock">解锁并获取配置</span>
-            </button>
-        </div>
-    </div>
-
-    <!-- ── Unlocked state ────────────────────────────────────────────────── -->
-    <div id="unlocked-view" style="display:none">
-        <div class="card-title" data-i18n="unlockedTitle" style="margin-bottom:16px">MCP 配置</div>
-
-        <div class="config-tabs" role="tablist" aria-label="Config format">
-            <button type="button" class="config-tab active" role="tab" id="tab-mcp" aria-selected="true"
-                    onclick="setConfigFormat('mcp')">
-                <span class="config-tab-title" data-i18n="tabMcp">Cursor、Claude Code、Codex、Gemini CLI</span>
-            </button>
-            <button type="button" class="config-tab" role="tab" id="tab-opencode" aria-selected="false"
-                    onclick="setConfigFormat('opencode')">
-                <span class="config-tab-title" data-i18n="tabOpencode">OpenCode</span>
-            </button>
-        </div>
-        <div class="config-wrap">
-            <pre class="config-box" id="real-config"></pre>
-        </div>
-
-        <div style="display:flex;gap:10px;flex-wrap:wrap">
-            <button class="btn-copy" id="copy-full-btn" onclick="copyFullConfig()" style="flex:1">
-                <span id="copy-full-text">复制完整 mcp.json</span>
-            </button>
-            <button class="btn-copy" id="copy-secrets-btn" onclick="copySecretsConfig()" style="flex:1">
-                <span id="copy-secrets-text">仅复制 secrets 节点</span>
-            </button>
-        </div>
-
-        <hr class="divider">
-
-        <div class="actions-row">
-            <button class="btn-sm" onclick="clearAndLock()" data-i18n="btnClear">清除密钥</button>
-            <button class="btn-sm" onclick="openChangeModal()" data-i18n="btnChangePass">更换密码</button>
-            <button class="btn-sm" onclick="confirmRegenerate()" data-i18n="btnRegen">重置 API Key</button>
-        </div>
-    </div>
-</div>
-<footer class="app-footer">{{ version }} · <a href="/changelog" data-i18n="changelogLink">变更记录</a></footer>
-</div><!-- /main -->
-</div><!-- /content-shell -->
-</div><!-- /layout -->
-
-<!-- ── Change passphrase modal ──────────────────────────────────────────────── -->
-<div class="modal-bd" id="change-modal">
-    <div class="modal">
-        <h3 data-i18n="changeTitle">更换密码</h3>
-        <div class="field">
-            <label data-i18n="labelCurrent">当前密码</label>
-            <div class="pw-field">
-                <input type="password" id="change-pass-old" data-i18n-ph="phCurrent" autocomplete="current-password">
-                <button type="button" class="pw-toggle" data-target="change-pass-old" aria-pressed="false"
-                        onclick="togglePwVisibility(this)" aria-label="">
-                    <span class="pw-icon pw-icon-show" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z"/><circle cx="12" cy="12" r="3"/></svg></span>
-                    <span class="pw-icon pw-icon-hide hidden" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M17.94 17.94A10.07 10.07 0 0 1 12 20c-7 0-11-8-11-8a18.45 18.45 0 0 1 5.06-5.94M9.9 4.24A9.12 9.12 0 0 1 12 4c7 0 11 8 11 8a18.5 18.5 0 0 1-2.16 3.19m-6.72-1.07a3 3 0 1 1-4.24-4.24"/><line x1="1" y1="1" x2="23" y2="23"/></svg></span>
-                </button>
-            </div>
-        </div>
-        <div class="field">
-            <label data-i18n="labelNew">新密码</label>
-            <div class="pw-field">
-                <input type="password" id="change-pass1" data-i18n-ph="phPassphrase" autocomplete="new-password">
-                <button type="button" class="pw-toggle" data-target="change-pass1" aria-pressed="false"
-                        onclick="togglePwVisibility(this)" aria-label="">
-                    <span class="pw-icon pw-icon-show" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z"/><circle cx="12" cy="12" r="3"/></svg></span>
-                    <span class="pw-icon pw-icon-hide hidden" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M17.94 17.94A10.07 10.07 0 0 1 12 20c-7 0-11-8-11-8a18.45 18.45 0 0 1 5.06-5.94M9.9 4.24A9.12 9.12 0 0 1 12 4c7 0 11 8 11 8a18.5 18.5 0 0 1-2.16 3.19m-6.72-1.07a3 3 0 1 1-4.24-4.24"/><line x1="1" y1="1" x2="23" y2="23"/></svg></span>
-                </button>
-            </div>
-        </div>
-        <div class="field">
-            <label data-i18n="labelConfirm">确认</label>
-            <div class="pw-field">
-                <input type="password" id="change-pass2" data-i18n-ph="phConfirm" autocomplete="new-password">
-                <button type="button" class="pw-toggle" data-target="change-pass2" aria-pressed="false"
-                        onclick="togglePwVisibility(this)" aria-label="">
-                    <span class="pw-icon pw-icon-show" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z"/><circle cx="12" cy="12" r="3"/></svg></span>
-                    <span class="pw-icon pw-icon-hide hidden" aria-hidden="true"><svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M17.94 17.94A10.07 10.07 0 0 1 12 20c-7 0-11-8-11-8a18.45 18.45 0 0 1 5.06-5.94M9.9 4.24A9.12 9.12 0 0 1 12 4c7 0 11 8 11 8a18.5 18.5 0 0 1-2.16 3.19m-6.72-1.07a3 3 0 1 1-4.24-4.24"/><line x1="1" y1="1" x2="23" y2="23"/></svg></span>
-                </button>
-            </div>
-        </div>
-        <div class="error-msg" id="change-error"></div>
-        <div class="modal-actions">
-            <button class="btn-modal-ok" id="change-btn" onclick="doChange()" data-i18n="btnChange">确认更换</button>
-            <button class="btn-modal-cancel" onclick="closeChangeModal()" data-i18n="btnCancel">取消</button>
-        </div>
-    </div>
-</div>
-
-<script>
-// ── i18n ───────────────────────────────────────────────────────────────────────
-
-const T = {
-    'zh-CN': {
-        navMcp: 'MCP', navEntries: '条目', navTrash: '回收站', navAudit: '审计',
-        signOut: '退出',
-        lockedTitle: '获取 MCP 配置',
-        labelPassphrase: '加密密码',
-        labelConfirm: '确认密码',
-        labelNew: '新密码',
-        labelCurrent: '当前密码',
-        phPassphrase: '输入密码…',
-        phConfirm: '再次输入…',
-        phCurrent: '输入当前密码…',
-        btnSetup: '设置并获取配置',
-        btnUnlock: '解锁并获取配置',
-        setupNote: '密码不会上传服务器。遗忘后数据将无法恢复。',
-        errEmpty: '密码不能为空。',
-        errShort: '密码至少需要 8 个字符。',
-        errMismatch: '两次输入不一致。',
-        errWrong: '密码错误，请重试。',
-        errWrongOld: '当前密码错误，请重试。',
-        unlockedTitle: 'MCP 配置',
-        tabMcp: 'Cursor、Claude Code、Codex、Gemini CLI',
-        tabOpencode: 'OpenCode',
-        btnCopyFull: '复制完整 mcp.json',
-        btnCopySecrets: '仅复制 secrets 节点',
-        btnCopyFullOpencode: '复制完整 mcp.json',
-        btnCopySecretsOpencode: '仅复制 secrets 节点',
-        btnCopied: '已复制！',
-        btnClear: '清除密钥',
-        btnChangePass: '更换密码',
-        btnRegen: '重置 API Key',
-        changeTitle: '更换密码',
-        btnChange: '确认更换',
-        btnCancel: '取消',
-        regenConfirm: '重置 API Key 后，当前 Key 立即失效，需同步更新 AI 客户端配置。确认继续？',
-        regenFailed: '重置失败，请刷新页面重试。',
-        ariaShowPw: '显示密码',
-        ariaHidePw: '隐藏密码',
-        changelogLink: '变更记录',
-    },
-    'zh-TW': {
-        navMcp: 'MCP', navEntries: '條目', navTrash: '回收站', navAudit: '審計',
-        signOut: '登出',
-        lockedTitle: '取得 MCP 設定',
-        labelPassphrase: '加密密碼',
-        labelConfirm: '確認密碼',
-        labelNew: '新密碼',
-        labelCurrent: '目前密碼',
-        phPassphrase: '輸入密碼…',
-        phConfirm: '再次輸入…',
-        phCurrent: '輸入目前密碼…',
-        btnSetup: '設定並取得設定',
-        btnUnlock: '解鎖並取得設定',
-        setupNote: '密碼不會上傳伺服器。遺忘後資料將無法復原。',
-        errEmpty: '密碼不能為空。',
-        errShort: '密碼至少需要 8 個字元。',
-        errMismatch: '兩次輸入不一致。',
-        errWrong: '密碼錯誤，請重試。',
-        errWrongOld: '目前密碼錯誤，請重試。',
-        unlockedTitle: 'MCP 設定',
-        tabMcp: 'Cursor、Claude Code、Codex、Gemini CLI',
-        tabOpencode: 'OpenCode',
-        btnCopyFull: '複製完整 mcp.json',
-        btnCopySecrets: '僅複製 secrets 節點',
-        btnCopyFullOpencode: '複製完整 mcp.json',
-        btnCopySecretsOpencode: '僅複製 secrets 節點',
-        btnCopied: '已複製！',
-        btnClear: '清除密鑰',
-        btnChangePass: '更換密碼',
-        btnRegen: '重置 API Key',
-        changeTitle: '更換密碼',
-        btnChange: '確認更換',
-        btnCancel: '取消',
-        regenConfirm: '重置 API Key 後，目前 Key 立即失效，需同步更新 AI 用戶端設定。確認繼續？',
-        regenFailed: '重置失敗，請重新整理頁面再試。',
-        ariaShowPw: '顯示密碼',
-        ariaHidePw: '隱藏密碼',
-        changelogLink: '變更記錄',
-    },
-    'en': {
-        navMcp: 'MCP', navEntries: 'Entries', navTrash: 'Trash', navAudit: 'Audit',
-        signOut: 'Sign out',
-        lockedTitle: 'Get MCP Config',
-        labelPassphrase: 'Encryption password',
-        labelConfirm: 'Confirm password',
-        labelNew: 'New password',
-        labelCurrent: 'Current password',
-        phPassphrase: 'Enter password…',
-        phConfirm: 'Repeat password…',
-        phCurrent: 'Enter current password…',
-        btnSetup: 'Set up & get config',
-        btnUnlock: 'Unlock & get config',
-        setupNote: 'Your password never leaves this device. If forgotten, encrypted data cannot be recovered.',
-        errEmpty: 'Password cannot be empty.',
-        errShort: 'Password must be at least 8 characters.',
-        errMismatch: 'Passwords do not match.',
-        errWrong: 'Incorrect password, please try again.',
-        errWrongOld: 'Current password is incorrect, please try again.',
-        unlockedTitle: 'MCP Config',
-        tabMcp: 'Cursor, Claude Code, Codex, Gemini CLI',
-        tabOpencode: 'OpenCode',
-        btnCopyFull: 'Copy full mcp.json',
-        btnCopySecrets: 'Copy only secrets node',
-        btnCopyFullOpencode: 'Copy full mcp.json',
-        btnCopySecretsOpencode: 'Copy only secrets node',
-        btnCopied: 'Copied!',
-        btnClear: 'Clear key',
-        btnChangePass: 'Change password',
-        btnRegen: 'Reset API key',
-        changeTitle: 'Change password',
-        btnChange: 'Confirm',
-        btnCancel: 'Cancel',
-        regenConfirm: 'Resetting will immediately invalidate your current API key. You will need to update your AI client config. Continue?',
-        regenFailed: 'Reset failed. Please refresh and try again.',
-        ariaShowPw: 'Show password',
-        ariaHidePw: 'Hide password',
-        changelogLink: 'Changelog',
-    }
-};
-
-let currentLang = localStorage.getItem('lang') || 'zh-CN';
-
-function t(key) { return T[currentLang][key] || T['en'][key] || key; }
-
-function applyLang() {
-    document.documentElement.lang = currentLang;
-    document.querySelectorAll('[data-i18n]').forEach(el => {
-        const key = el.getAttribute('data-i18n');
-        el.textContent = t(key);
-    });
-    document.querySelectorAll('[data-i18n-ph]').forEach(el => {
-        el.placeholder = t(el.getAttribute('data-i18n-ph'));
-    });
-    document.querySelectorAll('.lang-btn').forEach(btn => {
-        const map = { 'zh-CN': '简', 'zh-TW': '繁', 'en': 'EN' };
-        btn.classList.toggle('active', btn.textContent === map[currentLang]);
-    });
-    // Rebuild placeholder config (language affects nothing but triggers re-render)
-    renderPlaceholderConfig();
-    // Rebuild real config if unlocked
-    if (currentEncKey && currentApiKey) renderRealConfig();
-    syncPwToggleI18n();
-    syncConfigFormatUi();
-}
-
-function setLang(lang) {
-    currentLang = lang;
-    localStorage.setItem('lang', lang);
-    applyLang();
-}
-
-function syncPwToggleI18n() {
-    document.querySelectorAll('.pw-toggle').forEach(btn => {
-        const input = document.getElementById(btn.getAttribute('data-target'));
-        if (!input) return;
-        const visible = input.type === 'text';
-        btn.setAttribute('aria-pressed', visible ? 'true' : 'false');
-        btn.setAttribute('aria-label', visible ? t('ariaHidePw') : t('ariaShowPw'));
-        const showIc = btn.querySelector('.pw-icon-show');
-        const hideIc = btn.querySelector('.pw-icon-hide');
-        if (showIc) showIc.classList.toggle('hidden', visible);
-        if (hideIc) hideIc.classList.toggle('hidden', !visible);
-    });
-}
-
-function togglePwVisibility(btn) {
-    const input = document.getElementById(btn.getAttribute('data-target'));
-    if (!input) return;
-    input.type = input.type === 'password' ? 'text' : 'password';
-    syncPwToggleI18n();
-}
-
-// ── Constants ──────────────────────────────────────────────────────────────────
-
-const HAS_PASSPHRASE = document.body.dataset.hasPassphrase === 'true';
-const BASE_URL = document.body.dataset.baseUrl;
-const KEY_CHECK_PLAINTEXT = 'secrets-mcp-key-check';
-const PBKDF2_ITERATIONS = 600000;
-const ENC = new TextEncoder();
-let currentEncKey = null;
-let currentApiKey = null;
-/** @type {'mcp' | 'opencode'} */
-let configFormat = 'mcp';
-
-function redirectLoginExpired() {
-    sessionStorage.removeItem('enc_key');
-    currentEncKey = null;
-    currentApiKey = null;
-    window.location.replace('/');
-}
-
-/** Like fetch; on 401 clears local state and navigates to login (await does not complete). */
-async function fetchAuth(input, init) {
-    const resp = await fetch(input, init);
-    if (resp.status === 401) {
-        redirectLoginExpired();
-        await new Promise(() => {});
-    }
-    return resp;
-}
-
-// ── Placeholder config ─────────────────────────────────────────────────────────
-
-function renderPlaceholderConfig() {
-    document.getElementById('placeholder-config').textContent =
-        buildConfigText('sk_' + '•'.repeat(64), '•'.repeat(64));
-}
-
-function buildBaseServerConfig(apiKey, encKey) {
-    return {
-        url: BASE_URL + '/mcp',
-        headers: {
-            Authorization: 'Bearer ' + apiKey,
-            'X-Encryption-Key': encKey
-        }
-    };
-}
-
-function buildSecretsEntryObject(apiKey, encKey) {
-    return buildBaseServerConfig(apiKey, encKey);
-}
-
-function buildConfigText(apiKey, encKey) {
-    return JSON.stringify({ mcpServers: { secrets: buildSecretsEntryObject(apiKey, encKey) } }, null, 2);
-}
-
-function buildSecretsConfigText(apiKey, encKey) {
-    const wrapped = JSON.stringify({
-        secrets: buildSecretsEntryObject(apiKey, encKey)
-    }, null, 2);
-    const lines = wrapped.split('\n');
-    return lines.length < 3 ? wrapped : lines.slice(1, -1).join('\n');
-}
-
-/** OpenCode: native Streamable HTTP transport (no mcp-remote bridge needed). */
-function buildOpencodeEntry(apiKey, encKey) {
-    return {
-        type: 'remote',
-        url: BASE_URL + '/mcp',
-        headers: {
-            'Authorization': 'Bearer ' + apiKey,
-            'X-Encryption-Key': encKey
-        },
-        oauth: false
-    };
-}
-
-/** Full OpenCode config: MCP servers live under top-level `mcp`. */
-function buildOpencodeConfigText(apiKey, encKey) {
-    return JSON.stringify({ mcp: { secrets: buildOpencodeEntry(apiKey, encKey) } }, null, 2);
-}
-
-/** Strip outer `{` `}` so user can paste `secrets` under an existing `mcp` object. */
-function buildOpencodeMergeSnippet(apiKey, encKey) {
-    const wrapped = JSON.stringify({ secrets: buildOpencodeEntry(apiKey, encKey) }, null, 2);
-    const lines = wrapped.split('\n');
-    return lines.length < 3 ? wrapped : lines.slice(1, -1).join('\n');
-}
-
-function getCopyFullKey() {
-    return 'btnCopyFull';
-}
-
-function getCopySecretsKey() {
-    return 'btnCopySecrets';
-}
-
-const CONFIG_FORMAT_STORAGE = 'dash_config_format';
-
-function setConfigFormat(fmt) {
-    configFormat = fmt;
-    try { sessionStorage.setItem(CONFIG_FORMAT_STORAGE, fmt); } catch (_) {}
-    syncConfigFormatUi();
-    if (currentEncKey && currentApiKey) renderRealConfig();
-}
-
-/** Refresh tabs, format hint, and copy button labels (after language change or tab switch). */
-function syncConfigFormatUi() {
-    const uv = document.getElementById('unlocked-view');
-    if (!uv || uv.style.display === 'none') return;
-    const tabMcp = document.getElementById('tab-mcp');
-    const tabOc = document.getElementById('tab-opencode');
-    if (tabMcp && tabOc) {
-        tabMcp.classList.toggle('active', configFormat === 'mcp');
-        tabOc.classList.toggle('active', configFormat === 'opencode');
-        tabMcp.setAttribute('aria-selected', configFormat === 'mcp' ? 'true' : 'false');
-        tabOc.setAttribute('aria-selected', configFormat === 'opencode' ? 'true' : 'false');
-    }
-    const cf = document.getElementById('copy-full-text');
-    const cs = document.getElementById('copy-secrets-text');
-    if (cf) cf.textContent = t(getCopyFullKey());
-    if (cs) cs.textContent = t(getCopySecretsKey());
-}
-
-// ── Unlock / Setup flow ───────────────────────────────────────────────────────
-
-function showLockedView() {
-    document.getElementById('locked-view').style.display = '';
-    document.getElementById('unlocked-view').style.display = 'none';
-    if (HAS_PASSPHRASE) {
-        document.getElementById('setup-form').style.display = 'none';
-        document.getElementById('unlock-form').style.display = '';
-        setTimeout(() => document.getElementById('unlock-pass').focus(), 50);
-    } else {
-        document.getElementById('setup-form').style.display = '';
-        document.getElementById('unlock-form').style.display = 'none';
-        setTimeout(() => document.getElementById('setup-pass1').focus(), 50);
-    }
-}
-
-async function showUnlockedView(encKeyHex, apiKey) {
-    currentEncKey = encKeyHex;
-    currentApiKey = apiKey;
-    sessionStorage.setItem('enc_key', encKeyHex);
-    renderRealConfig();
-    document.getElementById('locked-view').style.display = 'none';
-    document.getElementById('unlocked-view').style.display = '';
-    syncConfigFormatUi();
-}
-
-function renderRealConfig() {
-    if (!currentApiKey || !currentEncKey) return;
-    const text = configFormat === 'mcp'
-        ? buildConfigText(currentApiKey, currentEncKey)
-        : buildOpencodeConfigText(currentApiKey, currentEncKey);
-    document.getElementById('real-config').textContent = text;
-}
-
-function clearAndLock() {
-    sessionStorage.removeItem('enc_key');
-    currentEncKey = null;
-    currentApiKey = null;
-    showLockedView();
-}
-
-// ── Web Crypto helpers ─────────────────────────────────────────────────────────
-
-async function deriveKey(passphrase, saltBytes, extractable = false) {
-    const km = await crypto.subtle.importKey('raw', ENC.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
-    return crypto.subtle.deriveKey(
-        { name: 'PBKDF2', salt: saltBytes, iterations: PBKDF2_ITERATIONS, hash: 'SHA-256' },
-        km, { name: 'AES-GCM', length: 256 }, extractable, ['encrypt', 'decrypt']
-    );
-}
-
-async function exportKeyHex(cryptoKey) {
-    const raw = await crypto.subtle.exportKey('raw', cryptoKey);
-    return Array.from(new Uint8Array(raw)).map(b => b.toString(16).padStart(2, '0')).join('');
-}
-
-function hexToBytes(hex) {
-    const b = new Uint8Array(hex.length / 2);
-    for (let i = 0; i < hex.length; i += 2) b[i / 2] = parseInt(hex.slice(i, i + 2), 16);
-    return b;
-}
-
-function bytesToHex(bytes) {
-    return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
-}
-
-async function encryptKeyCheck(cryptoKey) {
-    const nonce = crypto.getRandomValues(new Uint8Array(12));
-    const ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: nonce }, cryptoKey, ENC.encode(KEY_CHECK_PLAINTEXT));
-    const out = new Uint8Array(12 + ct.byteLength);
-    out.set(nonce); out.set(new Uint8Array(ct), 12);
-    return bytesToHex(out);
-}
-
-async function verifyKeyCheck(cryptoKey, keyCheckHex) {
-    try {
-        const b = hexToBytes(keyCheckHex);
-        const plain = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: b.slice(0, 12) }, cryptoKey, b.slice(12));
-        return new TextDecoder().decode(plain) === KEY_CHECK_PLAINTEXT;
-    } catch { return false; }
-}
-
-// ── Passphrase setup (first time) ─────────────────────────────────────────────
-
-function setBtnLoading(id, loading, labelKey) {
-    const btn = document.getElementById(id);
-    btn.disabled = loading;
-    btn.innerHTML = loading
-        ? '<span class="spinner"></span>'
-        : `<span data-i18n="${labelKey}">${t(labelKey)}</span>`;
-}
-
-async function doSetup() {
-    const pass1 = document.getElementById('setup-pass1').value;
-    const pass2 = document.getElementById('setup-pass2').value;
-    const errEl = document.getElementById('setup-error');
-    errEl.style.display = 'none';
-
-    if (!pass1) { showErr(errEl, t('errEmpty')); return; }
-    if (pass1.length < 8) { showErr(errEl, t('errShort')); return; }
-    if (pass1 !== pass2) { showErr(errEl, t('errMismatch')); return; }
-
-    setBtnLoading('setup-btn', true, 'btnSetup');
-    try {
-        const salt = crypto.getRandomValues(new Uint8Array(32));
-        const cryptoKey = await deriveKey(pass1, salt, true);
-        const keyCheckHex = await encryptKeyCheck(cryptoKey);
-        const hexKey = await exportKeyHex(cryptoKey);
-
-        const resp = await fetchAuth('/api/key-setup', {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                salt: bytesToHex(salt),
-                key_check: keyCheckHex,
-                params: { alg: 'pbkdf2-sha256', iterations: PBKDF2_ITERATIONS }
-            })
-        });
-        if (!resp.ok) throw new Error('HTTP ' + resp.status);
-
-        const apiKey = await fetchApiKey();
-        await showUnlockedView(hexKey, apiKey);
-    } catch (e) {
-        showErr(errEl, 'Error: ' + e.message);
-    } finally {
-        setBtnLoading('setup-btn', false, 'btnSetup');
-    }
-}
-
-// ── Passphrase unlock ──────────────────────────────────────────────────────────
-
-async function doUnlock() {
-    const pass = document.getElementById('unlock-pass').value;
-    const errEl = document.getElementById('unlock-error');
-    errEl.style.display = 'none';
-
-    if (!pass) { showErr(errEl, t('errEmpty')); return; }
-
-    setBtnLoading('unlock-btn', true, 'btnUnlock');
-    try {
-        const saltResp = await fetchAuth('/api/key-salt');
-        if (!saltResp.ok) throw new Error('HTTP ' + saltResp.status);
-        const saltData = await saltResp.json();
-
-        const cryptoKey = await deriveKey(pass, hexToBytes(saltData.salt), true);
-        const valid = await verifyKeyCheck(cryptoKey, saltData.key_check);
-        if (!valid) { showErr(errEl, t('errWrong')); return; }
-
-        const hexKey = await exportKeyHex(cryptoKey);
-        const apiKey = await fetchApiKey();
-        await showUnlockedView(hexKey, apiKey);
-    } catch (e) {
-        showErr(errEl, 'Error: ' + e.message);
-    } finally {
-        setBtnLoading('unlock-btn', false, 'btnUnlock');
-    }
-}
-
-// ── Copy config ────────────────────────────────────────────────────────────────
-
-async function copyFullConfig() {
-    await copyWithFeedback(
-        document.getElementById('real-config').textContent,
-        'copy-full-btn',
-        'copy-full-text',
-        getCopyFullKey()
-    );
-}
-
-async function copySecretsConfig() {
-    const snippet = configFormat === 'mcp'
-        ? buildSecretsConfigText(currentApiKey, currentEncKey)
-        : buildOpencodeMergeSnippet(currentApiKey, currentEncKey);
-    await copyWithFeedback(
-        snippet,
-        'copy-secrets-btn',
-        'copy-secrets-text',
-        getCopySecretsKey()
-    );
-}
-
-async function copyWithFeedback(text, btnId, textId, resetLabelKey) {
-    await navigator.clipboard.writeText(text);
-    const btn = document.getElementById(btnId);
-    const textEl = document.getElementById(textId);
-    btn.classList.add('copied');
-    textEl.textContent = t('btnCopied');
-    setTimeout(() => {
-        btn.classList.remove('copied');
-        textEl.textContent = t(resetLabelKey);
-    }, 2500);
-}
-
-// ── Reset API key ──────────────────────────────────────────────────────────────
-
-async function confirmRegenerate() {
-    if (!confirm(t('regenConfirm'))) return;
-    try {
-        const resp = await fetchAuth('/api/apikey/regenerate', { method: 'POST' });
-        if (!resp.ok) throw new Error();
-        const data = await resp.json();
-        currentApiKey = data.api_key;
-        renderRealConfig();
-    } catch {
-        alert(t('regenFailed'));
-    }
-}
-
-// ── Change passphrase modal ────────────────────────────────────────────────────
-
-function openChangeModal() {
-    document.getElementById('change-pass-old').value = '';
-    document.getElementById('change-pass1').value = '';
-    document.getElementById('change-pass2').value = '';
-    document.getElementById('change-pass-old').type = 'password';
-    document.getElementById('change-pass1').type = 'password';
-    document.getElementById('change-pass2').type = 'password';
-    document.getElementById('change-error').style.display = 'none';
-    document.getElementById('change-modal').classList.add('open');
-    syncPwToggleI18n();
-    setTimeout(() => document.getElementById('change-pass-old').focus(), 50);
-}
-
-function closeChangeModal() {
-    document.getElementById('change-modal').classList.remove('open');
-}
-
-async function doChange() {
-    const passOld = document.getElementById('change-pass-old').value;
-    const pass1 = document.getElementById('change-pass1').value;
-    const pass2 = document.getElementById('change-pass2').value;
-    const errEl = document.getElementById('change-error');
-    errEl.style.display = 'none';
-
-    if (!passOld) { showErr(errEl, t('errEmpty')); return; }
-    if (!pass1) { showErr(errEl, t('errEmpty')); return; }
-    if (pass1.length < 8) { showErr(errEl, t('errShort')); return; }
-    if (pass1 !== pass2) { showErr(errEl, t('errMismatch')); return; }
-
-    const btn = document.getElementById('change-btn');
-    btn.disabled = true;
-    btn.innerHTML = '<span class="spinner" style="border-top-color:#0d1117"></span>';
-    try {
-        // Fetch current salt to derive old key for verification
-        const saltResp = await fetchAuth('/api/key-salt');
-        if (!saltResp.ok) throw new Error('HTTP ' + saltResp.status);
-        const saltData = await saltResp.json();
-        if (!saltData.has_passphrase) throw new Error('No passphrase configured');
-
-        // Derive old key and verify it
-        const oldCryptoKey = await deriveKey(passOld, hexToBytes(saltData.salt), true);
-        const validOld = await verifyKeyCheck(oldCryptoKey, saltData.key_check);
-        if (!validOld) { showErr(errEl, t('errWrongOld')); return; }
-        const oldHexKey = await exportKeyHex(oldCryptoKey);
-
-        // Derive new key
-        const newSalt = crypto.getRandomValues(new Uint8Array(32));
-        const newCryptoKey = await deriveKey(pass1, newSalt, true);
-        const newKeyCheckHex = await encryptKeyCheck(newCryptoKey);
-        const newHexKey = await exportKeyHex(newCryptoKey);
-
-        const resp = await fetchAuth('/api/key-change', {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                old_key: oldHexKey,
-                new_key: newHexKey,
-                salt: bytesToHex(newSalt),
-                key_check: newKeyCheckHex,
-                params: { alg: 'pbkdf2-sha256', iterations: PBKDF2_ITERATIONS }
-            })
-        });
-        if (!resp.ok) throw new Error('HTTP ' + resp.status);
-
-        currentEncKey = newHexKey;
-        sessionStorage.setItem('enc_key', newHexKey);
-        renderRealConfig();
-        closeChangeModal();
-    } catch (e) {
-        showErr(errEl, 'Error: ' + e.message);
-    } finally {
-        btn.disabled = false;
-        btn.textContent = t('btnChange');
-    }
-}
-
-// ── Fetch API key ──────────────────────────────────────────────────────────────
-
-async function fetchApiKey() {
-    const resp = await fetchAuth('/api/apikey');
-    if (!resp.ok) throw new Error('Failed to load API key');
-    const data = await resp.json();
-    return data.api_key;
-}
-
-// ── Helpers ────────────────────────────────────────────────────────────────────
-
-function showErr(el, msg) {
-    el.textContent = msg;
-    el.style.display = 'block';
-}
-
-// ── Keyboard shortcuts ─────────────────────────────────────────────────────────
-
-document.addEventListener('keydown', e => {
-    if (e.key === 'Escape') closeChangeModal();
-    if (e.key === 'Enter') {
-        if (document.getElementById('change-modal').classList.contains('open')) { doChange(); return; }
-        if (document.getElementById('unlock-form').style.display !== 'none' &&
-            document.getElementById('locked-view').style.display !== 'none') { doUnlock(); return; }
-        if (document.getElementById('setup-form').style.display !== 'none' &&
-            document.getElementById('locked-view').style.display !== 'none') { doSetup(); return; }
-    }
-});
-
-// ── Init ───────────────────────────────────────────────────────────────────────
-
-(async function init() {
-    applyLang();
-    try {
-        const sf = sessionStorage.getItem(CONFIG_FORMAT_STORAGE);
-        if (sf === 'mcp' || sf === 'opencode') configFormat = sf;
-    } catch (_) { /* ignore */ }
-    const savedKey = sessionStorage.getItem('enc_key');
-    if (savedKey) {
-        try {
-            const apiKey = await fetchApiKey();
-            await showUnlockedView(savedKey, apiKey);
-            return;
-        } catch { /* fall through to locked */ }
-    }
-    showLockedView();
-})();
-</script>
-</body>
-</html>

crates/secrets-mcp/templates/home.html

@@ -1,267 +0,0 @@
-<!DOCTYPE html>
-<html lang="zh-CN">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <meta name="description" content="Secrets MCP：基于 Model Context Protocol 的密钥与配置管理。密码短语在浏览器本地 PBKDF2 派生，密文 AES-GCM 存储，完整审计与历史版本。">
-    <meta name="keywords" content="secrets management,MCP,Model Context Protocol,end-to-end encryption,AES-GCM,PBKDF2,API key,密钥管理">
-    <meta name="robots" content="index, follow">
-    <link rel="canonical" href="{{ base_url }}/">
-    <link rel="icon" href="/favicon.svg?v={{ version }}" type="image/svg+xml">
-    <title>Secrets MCP — 端到端加密的密钥管理</title>
-    <meta property="og:type" content="website">
-    <meta property="og:url" content="{{ base_url }}/">
-    <meta property="og:title" content="Secrets MCP — 端到端加密的密钥管理">
-    <meta property="og:description" content="密码短语客户端派生，密文存储；MCP API 与 Web 控制台，多租户与审计。">
-    <meta name="twitter:card" content="summary">
-    <meta name="twitter:title" content="Secrets MCP — 端到端加密的密钥管理">
-    <meta name="twitter:description" content="密码短语客户端派生，密文存储；MCP API 与 Web 控制台，多租户与审计。">
-    <style>
-        *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-        @import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@500;600&family=Inter:wght@400;500;600&display=swap');
-        :root {
-            --bg: #0d1117;
-            --surface: #161b22;
-            --surface2: #21262d;
-            --border: #30363d;
-            --text: #e6edf3;
-            --text-muted: #8b949e;
-            --accent: #58a6ff;
-            --accent-hover: #79b8ff;
-        }
-        html, body { height: 100%; overflow: hidden; }
-        @supports (height: 100dvh) {
-            html, body { height: 100dvh; }
-        }
-        body {
-            background: var(--bg);
-            color: var(--text);
-            font-family: 'Inter', sans-serif;
-            display: flex;
-            flex-direction: column;
-        }
-        .nav {
-            flex-shrink: 0;
-            display: flex;
-            align-items: center;
-            justify-content: space-between;
-            padding: 14px 24px;
-            border-bottom: 1px solid var(--border);
-            background: var(--surface);
-        }
-        .brand {
-            font-family: 'JetBrains Mono', monospace;
-            font-size: 15px;
-            font-weight: 600;
-            color: var(--text);
-            text-decoration: none;
-        }
-        .brand span { color: var(--accent); }
-        .nav-right { display: flex; align-items: center; gap: 14px; }
-        .lang-bar { display: flex; gap: 2px; background: rgba(255,255,255,0.04); border-radius: 6px; padding: 2px; }
-        .lang-btn {
-            padding: 4px 10px; border: none; background: none; color: var(--text-muted);
-            font-size: 12px; cursor: pointer; border-radius: 4px;
-        }
-        .lang-btn.active { background: var(--border); color: var(--text); }
-        .cta {
-            display: inline-flex; align-items: center; justify-content: center;
-            padding: 8px 18px; border-radius: 8px; font-size: 13px; font-weight: 600;
-            text-decoration: none; border: 1px solid var(--accent);
-            background: rgba(88, 166, 255, 0.12); color: var(--accent);
-            transition: background 0.15s, color 0.15s;
-        }
-        .cta:hover { background: var(--accent); color: var(--bg); }
-        .main {
-            flex: 1;
-            min-height: 0;
-            display: flex;
-            flex-direction: column;
-            align-items: center;
-            justify-content: center;
-            padding: 16px 24px 12px;
-            gap: 20px;
-        }
-        .hero { text-align: center; max-width: 720px; }
-        .hero h1 { font-size: clamp(20px, 4vw, 28px); font-weight: 600; margin-bottom: 8px; line-height: 1.25; }
-        .hero .tagline { color: var(--text-muted); font-size: clamp(13px, 2vw, 15px); line-height: 1.5; }
-        .grid {
-            display: grid;
-            grid-template-columns: repeat(3, 1fr);
-            gap: 12px;
-            width: 100%;
-            max-width: 900px;
-        }
-        @media (max-width: 900px) {
-            .grid { grid-template-columns: repeat(2, 1fr); }
-        }
-        @media (max-width: 480px) {
-            .grid { grid-template-columns: 1fr; gap: 8px; }
-            .main { justify-content: flex-start; padding-top: 12px; }
-        }
-        .card {
-            background: var(--surface);
-            border: 1px solid var(--border);
-            border-radius: 10px;
-            padding: 14px 14px 12px;
-            min-height: 0;
-        }
-        .card-icon {
-            width: 32px; height: 32px; border-radius: 8px;
-            background: var(--surface2);
-            display: flex; align-items: center; justify-content: center;
-            margin-bottom: 10px; color: var(--accent);
-        }
-        .card-icon svg { width: 18px; height: 18px; }
-        .card h2 { font-size: 13px; font-weight: 600; margin-bottom: 6px; line-height: 1.3; }
-        .card p { font-size: 12px; color: var(--text-muted); line-height: 1.45; }
-        .foot {
-            flex-shrink: 0;
-            text-align: center;
-            padding: 8px 16px 12px;
-            font-size: 11px;
-            color: var(--text-muted);
-            border-top: 1px solid var(--border);
-            background: var(--surface);
-        }
-        .foot a { color: var(--accent); text-decoration: none; }
-        .foot a:hover { text-decoration: underline; }
-    </style>
-</head>
-<body>
-    <header class="nav">
-        <a class="brand" href="/">secrets<span>-mcp</span></a>
-        <div class="nav-right">
-            <div class="lang-bar">
-                <button type="button" class="lang-btn" onclick="setLang('zh-CN')">简</button>
-                <button type="button" class="lang-btn" onclick="setLang('zh-TW')">繁</button>
-                <button type="button" class="lang-btn" onclick="setLang('en')">EN</button>
-            </div>
-            {% if is_logged_in %}
-            <a class="cta" href="/dashboard" data-i18n="ctaDashboard">进入控制台</a>
-            {% else %}
-            <a class="cta" href="/login" data-i18n="ctaLogin">登录</a>
-            {% endif %}
-        </div>
-    </header>
-    <main class="main">
-        <div class="hero">
-            <h1 data-i18n="heroTitle">端到端加密的密钥与配置管理</h1>
-            <p class="tagline" data-i18n="heroTagline">Streamable HTTP MCP 与 Web 控制台：元数据与密文分库存储，密钥永不离开你的客户端逻辑。</p>
-        </div>
-        <div class="grid">
-            <article class="card">
-                <div class="card-icon" aria-hidden="true">
-                    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M12 11c1.66 0 3-1.34 3-3V5c0-1.66-1.34-3-3-3S9 3.34 9 5v3c0 1.66 1.34 3 3 3z"/><path d="M19 10v1a7 7 0 01-14 0v-1"/><path d="M12 14v7M9 18h6"/></svg>
-                </div>
-                <h2 data-i18n="c1t">客户端密钥派生</h2>
-                <p data-i18n="c1d">PBKDF2-SHA256（约 60 万次）在浏览器本地从密码短语派生密钥；服务端仅保存盐与校验值，不持有密码或明文主密钥。</p>
-            </article>
-            <article class="card">
-                <div class="card-icon" aria-hidden="true">
-                    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><rect x="3" y="11" width="18" height="11" rx="2"/><path d="M7 11V7a5 5 0 0110 0v4"/></svg>
-                </div>
-                <h2 data-i18n="c2t">AES-256-GCM 加密</h2>
-                <p data-i18n="c2d">敏感字段以 AES-GCM 密文落库；Web 端在本地加解密，明文默认不经过服务端持久化。</p>
-            </article>
-            <article class="card">
-                <div class="card-icon" aria-hidden="true">
-                    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8z"/><path d="M14 2v6h6M16 13H8M16 17H8M10 9H8"/></svg>
-                </div>
-                <h2 data-i18n="c3t">审计与历史</h2>
-                <p data-i18n="c3d">操作写入审计日志；条目与密文保留历史版本，支持按版本查看与恢复。</p>
-            </article>
-        </div>
-    </main>
-    <footer class="foot">
-        <span data-i18n="versionLabel">版本</span> {{ version }} ·
-        <a href="/llms.txt">llms.txt</a>
-        <span data-i18n="sep"> · </span>
-        <a href="https://gitea.refining.dev/refining/secrets" target="_blank" rel="noopener noreferrer" data-i18n="footRepo">源码仓库</a>
-        <span data-i18n="sep"> · </span>
-        <a href="/changelog" data-i18n="footChangelog">变更记录</a>
-    </footer>
-    <script>
-    const T = {
-        'zh-CN': {
-            docTitle: 'Secrets MCP — 端到端加密的密钥管理',
-            ctaDashboard: '进入控制台',
-            ctaLogin: '登录',
-            heroTitle: '端到端加密的密钥与配置管理',
-            heroTagline: 'Streamable HTTP MCP 与 Web 控制台：元数据与密文分库存储，密钥永不离开你的客户端逻辑。',
-            c1t: '客户端密钥派生',
-            c1d: 'PBKDF2-SHA256（约 60 万次）在浏览器本地从密码短语派生密钥；服务端仅保存盐与校验值，不持有密码或明文主密钥。',
-            c2t: 'AES-256-GCM 加密',
-            c2d: '敏感字段以 AES-GCM 密文落库；Web 端在本地加解密，明文默认不经过服务端持久化。',
-            c3t: '审计与历史',
-            c3d: '操作写入审计日志；条目与密文保留历史版本，支持按版本查看与恢复。',
-            versionLabel: '版本',
-            sep: ' · ',
-            footRepo: '源码仓库',
-            footChangelog: '变更记录',
-        },
-        'zh-TW': {
-            docTitle: 'Secrets MCP — 端到端加密的金鑰管理',
-            ctaDashboard: '進入控制台',
-            ctaLogin: '登入',
-            heroTitle: '端到端加密的金鑰與設定管理',
-            heroTagline: 'Streamable HTTP MCP 與 Web 控制台：中繼資料與密文分庫儲存，金鑰不離開你的用戶端邏輯。',
-            c1t: '用戶端金鑰派生',
-            c1d: 'PBKDF2-SHA256（約 60 萬次）在瀏覽器本地從密碼片語派生金鑰；伺服端僅保存鹽與校驗值，不持有密碼或明文主金鑰。',
-            c2t: 'AES-256-GCM 加密',
-            c2d: '敏感欄位以 AES-GCM 密文落庫；Web 端在本地加解密，明文預設不經伺服端持久化。',
-            c3t: '稽核與歷史',
-            c3d: '操作寫入稽核日誌；條目與密文保留歷史版本，支援依版本檢視與還原。',
-            versionLabel: '版本',
-            sep: ' · ',
-            footRepo: '原始碼倉庫',
-            footChangelog: '變更記錄',
-        },
-        'en': {
-            docTitle: 'Secrets MCP — End-to-end encrypted secrets',
-            ctaDashboard: 'Open dashboard',
-            ctaLogin: 'Sign in',
-            heroTitle: 'End-to-end encrypted secrets and configuration',
-            heroTagline: 'Streamable HTTP MCP plus web console: metadata and ciphertext stored separately; keys stay on your client.',
-            c1t: 'Client-side key derivation',
-            c1d: 'PBKDF2-SHA256 (~600k iterations) derives keys from your passphrase in the browser; the server stores only salt and a verification blob, never your password or raw master key.',
-            c2t: 'AES-256-GCM',
-            c2d: 'Secret fields are stored as AES-GCM ciphertext; the web UI encrypts and decrypts locally so plaintext is not persisted server-side by default.',
-            c3t: 'Audit and history',
-            c3d: 'Operations are audited; entries and secrets keep version history for review and rollback.',
-            versionLabel: 'Version',
-            sep: ' · ',
-            footRepo: 'Source repository',
-            footChangelog: 'Changelog',
-        }
-    };
-
-    let currentLang = localStorage.getItem('lang') || 'zh-CN';
-
-    function t(key) {
-        return (T[currentLang] && T[currentLang][key]) || T['en'][key] || key;
-    }
-
-    function applyLang() {
-        document.documentElement.lang = currentLang;
-        document.title = t('docTitle');
-        document.querySelectorAll('[data-i18n]').forEach(el => {
-            const key = el.getAttribute('data-i18n');
-            el.textContent = t(key);
-        });
-        document.querySelectorAll('.lang-btn').forEach(btn => {
-            const map = { 'zh-CN': '简', 'zh-TW': '繁', 'en': 'EN' };
-            btn.classList.toggle('active', btn.textContent === map[currentLang]);
-        });
-    }
-
-    function setLang(lang) {
-        currentLang = lang;
-        localStorage.setItem('lang', lang);
-        applyLang();
-    }
-
-    applyLang();
-    </script>
-</body>
-</html>

crates/secrets-mcp/templates/i18n.js

@@ -1,83 +0,0 @@
-var I18N_SHARED = {
-  'zh-CN': {
-    pageTitleBase: 'Secrets',
-    navMcp: 'MCP',
-    navEntries: '条目',
-    navTrash: '回收站',
-    navAudit: '审计',
-    signOut: '退出',
-    mobileLabelTime: '时间',
-    mobileLabelAction: '动作',
-    mobileLabelTarget: '目标',
-    mobileLabelDetail: '详情'
-  },
-  'zh-TW': {
-    pageTitleBase: 'Secrets',
-    navMcp: 'MCP',
-    navEntries: '條目',
-    navTrash: '回收站',
-    navAudit: '審計',
-    signOut: '登出',
-    mobileLabelTime: '時間',
-    mobileLabelAction: '動作',
-    mobileLabelTarget: '目標',
-    mobileLabelDetail: '詳情'
-  },
-  en: {
-    pageTitleBase: 'Secrets',
-    navMcp: 'MCP',
-    navEntries: 'Entries',
-    navTrash: 'Trash',
-    navAudit: 'Audit',
-    signOut: 'Sign out',
-    mobileLabelTime: 'Time',
-    mobileLabelAction: 'Action',
-    mobileLabelTarget: 'Target',
-    mobileLabelDetail: 'Detail'
-  }
-};
-
-var currentLang = localStorage.getItem('lang') || 'zh-CN';
-var I18N_PAGE = {};
-
-function t(key) {
-  var dict = I18N_PAGE[currentLang] || I18N_PAGE['en'] || {};
-  var val = dict[key] || (I18N_SHARED[currentLang] && I18N_SHARED[currentLang][key]) || (I18N_SHARED.en && I18N_SHARED.en[key]) || key;
-  return val;
-}
-
-function tf(key, vars) {
-  var tpl = t(key);
-  return Object.keys(vars || {}).reduce(function (acc, k) {
-    return acc.replace(new RegExp('\\{' + k + '\\}', 'g'), String(vars[k]));
-  }, tpl);
-}
-
-function applyLang() {
-  document.documentElement.lang = currentLang;
-  var title = t('pageTitle');
-  if (title) document.title = title;
-  document.querySelectorAll('[data-i18n]').forEach(function (el) {
-    var key = el.getAttribute('data-i18n');
-    el.textContent = t(key);
-  });
-  document.querySelectorAll('[data-i18n-ph]').forEach(function (el) {
-    var key = el.getAttribute('data-i18n-ph');
-    el.placeholder = t(key);
-  });
-  document.querySelectorAll('[data-i18n-title]').forEach(function (el) {
-    var key = el.getAttribute('data-i18n-title');
-    el.title = t(key);
-  });
-  document.querySelectorAll('.lang-btn').forEach(function (btn) {
-    var map = { 'zh-CN': '简', 'zh-TW': '繁', en: 'EN' };
-    btn.classList.toggle('active', btn.textContent === map[currentLang]);
-  });
-  if (typeof applyPageLang === 'function') applyPageLang();
-}
-
-window.setLang = function (lang) {
-  currentLang = lang;
-  localStorage.setItem('lang', lang);
-  applyLang();
-};

crates/secrets-mcp/templates/login.html

@@ -1,186 +0,0 @@
-<!DOCTYPE html>
-<html lang="zh-CN">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <meta name="robots" content="noindex, follow">
-    <meta name="description" content="登录 Secrets MCP Web 控制台，安全管理跨设备加密 secrets。">
-    <meta name="keywords" content="Secrets MCP,登录,OAuth,密钥管理">
-    <link rel="canonical" href="{{ base_url }}/login">
-    <link rel="icon" href="/favicon.svg?v={{ version }}" type="image/svg+xml">
-    <title>登录 — Secrets MCP</title>
-    <meta property="og:type" content="website">
-    <meta property="og:url" content="{{ base_url }}/login">
-    <meta property="og:title" content="登录 — Secrets MCP">
-    <meta property="og:description" content="登录 Web 控制台，管理加密存储的密钥与配置。">
-    <meta name="twitter:card" content="summary">
-    <meta name="twitter:title" content="登录 — Secrets MCP">
-    <meta name="twitter:description" content="登录 Web 控制台，管理加密存储的密钥与配置。">
-    <style>
-        *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-        @import url('https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&display=swap');
-        :root {
-            --bg: #0d1117;
-            --surface: #161b22;
-            --border: #30363d;
-            --text: #e6edf3;
-            --text-muted: #8b949e;
-            --accent: #58a6ff;
-            --accent-hover: #79b8ff;
-            --google: #4285f4;
-            --danger: #f85149;
-        }
-        body { background: var(--bg); color: var(--text); font-family: 'Inter', sans-serif;
-               min-height: 100vh; display: flex; align-items: center; justify-content: center; }
-        .card {
-            background: var(--surface); border: 1px solid var(--border); border-radius: 12px;
-            padding: 48px 40px; width: 100%; max-width: 400px;
-            box-shadow: 0 8px 32px rgba(0,0,0,0.4);
-        }
-        .topbar { display: flex; justify-content: space-between; align-items: flex-start; margin-bottom: 20px; gap: 12px; }
-        .back-home {
-            font-size: 13px; color: var(--accent); text-decoration: none; white-space: nowrap;
-        }
-        .back-home:hover { text-decoration: underline; }
-        .lang-bar { display: flex; gap: 2px; background: rgba(255,255,255,0.04); border-radius: 6px; padding: 2px; flex-shrink: 0; }
-        .lang-btn { padding: 3px 9px; border: none; background: none; color: var(--text-muted);
-                    font-size: 12px; cursor: pointer; border-radius: 4px; }
-        .lang-btn.active { background: var(--border); color: var(--text); }
-        .oauth-alert {
-            display: none;
-            margin-bottom: 16px; padding: 10px 12px; border-radius: 8px;
-            font-size: 13px; line-height: 1.4;
-            background: rgba(248, 81, 73, 0.12);
-            border: 1px solid rgba(248, 81, 73, 0.35);
-            color: #ffa198;
-        }
-        .oauth-alert.visible { display: block; }
-        h1 { font-size: 22px; font-weight: 600; margin-bottom: 8px; }
-        .subtitle { color: var(--text-muted); font-size: 14px; margin-bottom: 32px; }
-        .btn {
-            display: flex; align-items: center; justify-content: center; gap: 12px;
-            width: 100%; padding: 12px 20px; border: 1px solid var(--border); border-radius: 8px;
-            background: var(--surface); color: var(--text); font-size: 14px; font-weight: 500;
-            cursor: pointer; text-decoration: none; transition: all 0.2s;
-        }
-        .btn:hover { background: var(--border); border-color: var(--text-muted); }
-        .btn + .btn { margin-top: 12px; }
-        .btn svg { flex-shrink: 0; }
-        .footer { margin-top: 28px; text-align: center; color: var(--text-muted); font-size: 12px; }
-        .footer a { color: var(--accent); text-decoration: none; }
-    </style>
-</head>
-<body>
-    <div class="card">
-        <div class="topbar">
-            <a class="back-home" href="/" data-i18n="backHome">返回首页</a>
-            <div class="lang-bar">
-                <button type="button" class="lang-btn" onclick="setLang('zh-CN')">简</button>
-                <button type="button" class="lang-btn" onclick="setLang('zh-TW')">繁</button>
-                <button type="button" class="lang-btn" onclick="setLang('en')">EN</button>
-            </div>
-        </div>
-        <div id="oauth-alert" class="oauth-alert" role="alert"></div>
-        <h1 data-i18n="title">登录</h1>
-        <p class="subtitle" data-i18n="subtitle">安全管理你的跨设备 secrets。</p>
-
-        {% if has_google %}
-        <a href="/auth/google" class="btn">
-            <svg width="18" height="18" viewBox="0 0 18 18" fill="none">
-                <path d="M17.64 9.2c0-.637-.057-1.251-.164-1.84H9v3.481h4.844a4.14 4.14 0 01-1.796 2.716v2.259h2.908c1.702-1.567 2.684-3.875 2.684-6.615z" fill="#4285F4"/>
-                <path d="M9 18c2.43 0 4.467-.806 5.956-2.18l-2.908-2.259c-.806.54-1.837.86-3.048.86-2.344 0-4.328-1.584-5.036-3.711H.957v2.332A8.997 8.997 0 009 18z" fill="#34A853"/>
-                <path d="M3.964 10.71A5.41 5.41 0 013.682 9c0-.593.102-1.17.282-1.71V4.958H.957A8.996 8.996 0 000 9c0 1.452.348 2.827.957 4.042l3.007-2.332z" fill="#FBBC05"/>
-                <path d="M9 3.58c1.321 0 2.508.454 3.44 1.345l2.582-2.58C13.463.891 11.426 0 9 0A8.997 8.997 0 00.957 4.958L3.964 7.29C4.672 5.163 6.656 3.58 9 3.58z" fill="#EA4335"/>
-            </svg>
-            <span data-i18n="google">使用 Google 登录</span>
-        </a>
-        {% endif %}
-
-        {% if !has_google %}
-        <p style="text-align:center; color: var(--text-muted); font-size: 14px;" data-i18n="noProviders">
-            未配置登录方式，请联系管理员。
-        </p>
-        {% endif %}
-    </div>
-    <script>
-    const T = {
-        'zh-CN': {
-            docTitle: '登录 — Secrets MCP',
-            backHome: '返回首页',
-            title: '登录',
-            subtitle: '安全管理你的跨设备 secrets。',
-            google: '使用 Google 登录',
-            noProviders: '未配置登录方式，请联系管理员。',
-            err_oauth_error: '登录失败：授权提供方返回错误，请重试。',
-            err_oauth_missing_code: '登录失败：未收到授权码，请重试。',
-            err_oauth_missing_state: '登录失败：缺少安全校验参数，请重试。',
-            err_oauth_state: '登录失败：会话校验不匹配（可能因 Cookie 策略或服务器重启）。请返回首页再试。',
-        },
-        'zh-TW': {
-            docTitle: '登入 — Secrets MCP',
-            backHome: '返回首頁',
-            title: '登入',
-            subtitle: '安全管理你的跨裝置 secrets。',
-            google: '使用 Google 登入',
-            noProviders: '尚未設定登入方式，請聯絡管理員。',
-            err_oauth_error: '登入失敗：授權方回傳錯誤，請再試一次。',
-            err_oauth_missing_code: '登入失敗：未取得授權碼，請再試一次。',
-            err_oauth_missing_state: '登入失敗：缺少安全校驗參數，請再試一次。',
-            err_oauth_state: '登入失敗：工作階段校驗不符（可能與 Cookie 政策或伺服器重啟有關）。請回到首頁再試。',
-        },
-        'en': {
-            docTitle: 'Sign in — Secrets MCP',
-            backHome: 'Back to home',
-            title: 'Sign in',
-            subtitle: 'Manage your cross-device secrets securely.',
-            google: 'Continue with Google',
-            noProviders: 'No login providers configured. Please contact your administrator.',
-            err_oauth_error: 'Sign-in failed: the identity provider returned an error. Please try again.',
-            err_oauth_missing_code: 'Sign-in failed: no authorization code was returned. Please try again.',
-            err_oauth_missing_state: 'Sign-in failed: missing security state. Please try again.',
-            err_oauth_state: 'Sign-in failed: session state mismatch (often cookies or server restart). Open the home page and try again.',
-        }
-    };
-
-    let currentLang = localStorage.getItem('lang') || 'zh-CN';
-
-    function t(key) { return T[currentLang][key] || T['en'][key] || key; }
-
-    function showOAuthError() {
-        const params = new URLSearchParams(window.location.search);
-        const code = params.get('error');
-        const el = document.getElementById('oauth-alert');
-        if (!code || !code.startsWith('oauth_')) {
-            el.classList.remove('visible');
-            el.textContent = '';
-            return;
-        }
-        const key = 'err_' + code;
-        el.textContent = t(key) || t('err_oauth_error');
-        el.classList.add('visible');
-    }
-
-    function applyLang() {
-        document.documentElement.lang = currentLang;
-        document.title = t('docTitle');
-        document.querySelectorAll('[data-i18n]').forEach(el => {
-            const key = el.getAttribute('data-i18n');
-            el.textContent = t(key);
-        });
-        document.querySelectorAll('.lang-btn').forEach(btn => {
-            const map = { 'zh-CN': '简', 'zh-TW': '繁', 'en': 'EN' };
-            btn.classList.toggle('active', btn.textContent === map[currentLang]);
-        });
-        showOAuthError();
-    }
-
-    function setLang(lang) {
-        currentLang = lang;
-        localStorage.setItem('lang', lang);
-        applyLang();
-    }
-
-    applyLang();
-    </script>
-</body>
-</html>

crates/secrets-mcp/templates/trash.html

@@ -1,275 +0,0 @@
-<!DOCTYPE html>
-<html lang="zh-CN">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="icon" href="/favicon.svg?v={{ version }}" type="image/svg+xml">
-    <title data-i18n="pageTitle">Secrets — 回收站</title>
-    <style>
-        *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-        @import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&family=Inter:wght@400;500;600&display=swap');
-        :root {
-            --bg: #0d1117; --surface: #161b22; --surface2: #21262d;
-            --border: #30363d; --text: #e6edf3; --text-muted: #8b949e;
-            --accent: #58a6ff; --accent-hover: #79b8ff;
-        }
-        body { background: var(--bg); color: var(--text); font-family: 'Inter', sans-serif; min-height: 100vh; }
-        .layout { display: flex; min-height: 100vh; }
-        .sidebar {
-            width: 200px; flex-shrink: 0; background: #0b1220; border-right: 1px solid rgba(240,246,252,0.08);
-            padding: 20px 12px; display: flex; flex-direction: column; gap: 20px;
-        }
-        .sidebar-logo { font-family: 'Inter', sans-serif; font-size: 16px; font-weight: 700;
-                        color: #fff; text-decoration: none; padding: 0 10px; }
-        .sidebar-menu { display: grid; gap: 6px; }
-        .sidebar-link {
-            padding: 10px 12px; border-radius: 10px; color: #8b949e; text-decoration: none;
-            font-size: 13px; font-weight: 500;
-        }
-        .sidebar-link:hover { background: rgba(56,139,253,0.14); color: #fff; }
-        .sidebar-link.active { background: rgba(56,139,253,0.14); color: #fff; }
-        .content-shell { flex: 1; min-width: 0; display: flex; flex-direction: column; }
-        .topbar {
-            background: transparent; border-bottom: none; padding: 0 24px;
-            display: flex; align-items: center; gap: 12px; min-height: 44px;
-        }
-        .topbar-spacer { flex: 1; }
-        .nav-user { font-size: 14px; color: #8b949e; }
-        .lang-bar { display: flex; gap: 2px; background: rgba(240,246,252,0.06); border-radius: 8px; padding: 2px; }
-        .lang-btn { padding: 4px 10px; border: none; background: none; color: #8b949e;
-                    font-size: 12px; cursor: pointer; border-radius: 6px; }
-        .lang-btn.active { background: rgba(240,246,252,0.1); color: #fff; }
-        .btn-sign-out {
-            padding: 6px 14px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.12);
-            background: #161b22; color: #c9d1d9; font-size: 13px; text-decoration: none; cursor: pointer;
-        }
-        .btn-sign-out:hover { border-color: rgba(56,139,253,0.45); color: #fff; }
-        .main { padding: 16px 16px 24px; flex: 1; }
-        .card { background: #111827; border: 1px solid rgba(240,246,252,0.08); border-radius: 18px;
-                padding: 20px; width: 100%; }
-        .card-title { font-size: 22px; font-weight: 700; margin-bottom: 8px; color: #fff; }
-        .card-subtitle { color: #8b949e; font-size: 14px; margin-bottom: 18px; }
-        table { width: 100%; border-collapse: collapse; }
-        th, td { text-align: left; padding: 14px 12px; border-top: 1px solid rgba(240,246,252,0.08); vertical-align: top; }
-        th { color: #8b949e; font-size: 12px; font-weight: 600; }
-        td { font-size: 13px; color: #c9d1d9; }
-        .mono { font-family: 'JetBrains Mono', monospace; }
-        .row-actions { display: flex; gap: 8px; flex-wrap: wrap; }
-        .btn { border: 1px solid rgba(240,246,252,0.12); background: #161b22; color: #c9d1d9; border-radius: 10px; padding: 8px 12px; cursor: pointer; font-size: 13px; font-family: inherit; }
-        .btn:hover { border-color: rgba(56,139,253,0.45); color: #fff; }
-        .btn-danger { color: #f85149; }
-        .empty { color: #8b949e; font-size: 14px; padding: 20px 0; }
-        .pagination {
-            display: flex; align-items: center; gap: 12px; margin-top: 18px;
-            justify-content: center; padding: 12px 0;
-        }
-        .page-btn {
-            padding: 8px 12px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.12);
-            background: #161b22; color: #c9d1d9; text-decoration: none;
-            font-size: 13px; cursor: pointer;
-        }
-        .page-btn:hover { border-color: rgba(56,139,253,0.45); color: #fff; }
-        .page-btn.disabled {
-            padding: 8px 12px; border-radius: 10px; border: 1px solid rgba(240,246,252,0.12);
-            background: #161b22; color: #6e7681; font-size: 13px;
-            opacity: 0.5; cursor: not-allowed;
-        }
-        .page-info {
-            color: #8b949e; font-size: 13px; font-family: 'JetBrains Mono', monospace;
-        }
-        @media (max-width: 900px) {
-            .layout { flex-direction: column; }
-            .sidebar {
-                width: 100%; border-right: none; border-bottom: 1px solid rgba(240,246,252,0.08);
-                padding: 16px; gap: 14px;
-            }
-            .sidebar-menu { flex-direction: row; flex-wrap: wrap; }
-            .sidebar-link { flex: 1; text-align: center; min-width: 72px; }
-            .main { padding: 20px 12px 28px; }
-            .card { padding: 16px; }
-            .topbar { padding: 12px 16px; flex-wrap: wrap; }
-            table, thead, tbody, th, td, tr { display: block; }
-            thead { display: none; }
-            tr { border-top: 1px solid rgba(240,246,252,0.08); padding: 12px 0; }
-            td { border-top: none; padding: 6px 0; }
-            td::before {
-                display: block; color: #8b949e; font-size: 11px;
-                margin-bottom: 4px; text-transform: uppercase;
-                content: attr(data-label);
-            }
-        }
-    </style>
-</head>
-<body>
-<div class="layout">
-    <aside class="sidebar">
-        <a href="/dashboard" class="sidebar-logo">secrets</a>
-        <nav class="sidebar-menu">
-            <a href="/dashboard" class="sidebar-link" data-i18n="navMcp">MCP</a>
-            <a href="/entries" class="sidebar-link" data-i18n="navEntries">条目</a>
-            <a href="/trash" class="sidebar-link active" data-i18n="navTrash">回收站</a>
-            <a href="/audit" class="sidebar-link" data-i18n="navAudit">审计</a>
-        </nav>
-    </aside>
-
-    <div class="content-shell">
-        <div class="topbar">
-            <span class="topbar-spacer"></span>
-            <span class="nav-user">{{ user_name }}{% if !user_email.is_empty() %} · {{ user_email }}{% endif %}</span>
-            <div class="lang-bar">
-                <button class="lang-btn" onclick="setLang('zh-CN')">简</button>
-                <button class="lang-btn" onclick="setLang('zh-TW')">繁</button>
-                <button class="lang-btn" onclick="setLang('en')">EN</button>
-            </div>
-            <form action="/auth/logout" method="post" style="display:inline">
-                <button type="submit" class="btn-sign-out" data-i18n="signOut">退出</button>
-            </form>
-        </div>
-
-        <main class="main">
-        <section class="card">
-            <div class="card-title" data-i18n="trashTitle">回收站</div>
-            <div class="card-subtitle" data-i18n="trashSubtitle">已删除条目会保留 3 个月，可在此恢复或永久删除。</div>
-
-            {% if entries.is_empty() %}
-            <div class="empty" data-i18n="emptyTrash">回收站为空。</div>
-            {% else %}
-            <table>
-                <thead>
-                    <tr>
-                        <th data-i18n="colName">名称</th>
-                        <th data-i18n="colType">类型</th>
-                        <th data-i18n="colFolder">文件夹</th>
-                        <th data-i18n="colDeletedAt">删除时间</th>
-                        <th data-i18n="colActions">操作</th>
-                    </tr>
-                </thead>
-                <tbody>
-                    {% for entry in entries %}
-                    <tr data-trash-entry-id="{{ entry.id }}">
-                        <td class="mono" data-label="名称">{{ entry.name }}</td>
-                        <td class="mono" data-label="类型">{{ entry.entry_type }}</td>
-                        <td class="mono" data-label="文件夹">{{ entry.folder }}</td>
-                        <td class="mono" data-label="删除时间" title="{{ entry.deleted_at_iso }}">{{ entry.deleted_at_label }}</td>
-                        <td data-label="操作">
-                            <div class="row-actions">
-                                <button type="button" class="btn btn-restore" data-i18n="btnRestore">恢复</button>
-                                <button type="button" class="btn btn-danger btn-purge" data-i18n="btnPurge">永久删除</button>
-                            </div>
-                        </td>
-                    </tr>
-                    {% endfor %}
-                </tbody>
-            </table>
-            {% endif %}
-
-            {% if total_count > 0 %}
-            <div class="pagination">
-                {% if current_page > 1 %}
-                <a class="page-btn" href="/trash?page={{ current_page - 1 }}" data-i18n="prevPage">上一页</a>
-                {% else %}
-                <span class="page-btn disabled" data-i18n="prevPage">上一页</span>
-                {% endif %}
-                <span class="page-info">{{ current_page }} / {{ total_pages }}</span>
-                {% if current_page < total_pages %}
-                <a class="page-btn" href="/trash?page={{ current_page + 1 }}" data-i18n="nextPage">下一页</a>
-                {% else %}
-                <span class="page-btn disabled" data-i18n="nextPage">下一页</span>
-                {% endif %}
-            </div>
-            {% endif %}
-        </section>
-        </main>
-    </div>
-</div>
-
-<script src="/static/i18n.js?v={{ version }}"></script>
-<script>
-(function () {
-  I18N_PAGE = {
-    'zh-CN': {
-      pageTitle: 'Secrets — 回收站',
-      navMcp: 'MCP', navEntries: '条目', navTrash: '回收站', navAudit: '审计',
-      signOut: '退出', trashTitle: '回收站', trashSubtitle: '已删除条目会保留 3 个月，可在此恢复或永久删除。',
-      emptyTrash: '回收站为空。', colName: '名称', colType: '类型', colFolder: '文件夹',
-      colDeletedAt: '删除时间', colActions: '操作', btnRestore: '恢复', btnPurge: '永久删除',
-      prevPage: '上一页', nextPage: '下一页',
-      mobileLabelName: '名称', mobileLabelType: '类型', mobileLabelFolder: '文件夹',
-      mobileLabelDeletedAt: '删除时间', mobileLabelActions: '操作'
-    },
-    'zh-TW': {
-      pageTitle: 'Secrets — 回收站',
-      navMcp: 'MCP', navEntries: '條目', navTrash: '回收站', navAudit: '審計',
-      signOut: '退出', trashTitle: '回收站', trashSubtitle: '已刪除條目會保留 3 個月，可在此恢復或永久刪除。',
-      emptyTrash: '回收站為空。', colName: '名稱', colType: '類型', colFolder: '文件夾',
-      colDeletedAt: '刪除時間', colActions: '操作', btnRestore: '恢復', btnPurge: '永久刪除',
-      prevPage: '上一頁', nextPage: '下一頁',
-      mobileLabelName: '名稱', mobileLabelType: '類型', mobileLabelFolder: '文件夾',
-      mobileLabelDeletedAt: '刪除時間', mobileLabelActions: '操作'
-    },
-    en: {
-      pageTitle: 'Secrets — Trash',
-      navMcp: 'MCP', navEntries: 'Entries', navTrash: 'Trash', navAudit: 'Audit',
-      signOut: 'Sign out', trashTitle: 'Trash', trashSubtitle: 'Deleted entries are kept for 3 months. Restore or permanently delete them here.',
-      emptyTrash: 'Trash is empty.', colName: 'Name', colType: 'Type', colFolder: 'Folder',
-      colDeletedAt: 'Deleted at', colActions: 'Actions', btnRestore: 'Restore', btnPurge: 'Purge',
-      prevPage: 'Previous', nextPage: 'Next',
-      mobileLabelName: 'Name', mobileLabelType: 'Type', mobileLabelFolder: 'Folder',
-      mobileLabelDeletedAt: 'Deleted at', mobileLabelActions: 'Actions'
-    }
-  };
-
-  window.applyPageLang = function () {
-    document.querySelectorAll('tbody tr').forEach(function (tr) {
-      ['Name', 'Type', 'Folder', 'DeletedAt', 'Actions'].forEach(function (col) {
-        var td = tr.querySelector('[data-label]');
-      });
-    });
-  };
-
-  applyLang();
-})();
-
-document.querySelectorAll('tr[data-trash-entry-id]').forEach(function (row) {
-  var entryId = row.getAttribute('data-trash-entry-id');
-  var restoreButton = row.querySelector('.btn-restore');
-  var purgeButton = row.querySelector('.btn-purge');
-
-  restoreButton.addEventListener('click', function () {
-    fetch('/api/trash/' + encodeURIComponent(entryId) + '/restore', {
-      method: 'POST',
-      credentials: 'same-origin'
-    }).then(function (response) {
-      return response.json().then(function (body) {
-        if (!response.ok) throw new Error(body.error || ('HTTP ' + response.status));
-        return body;
-      });
-    }).then(function () {
-      row.remove();
-      if (!document.querySelector('tr[data-trash-entry-id]')) window.location.reload();
-    }).catch(function (error) {
-      window.alert(error.message || String(error));
-    });
-  });
-
-  purgeButton.addEventListener('click', function () {
-    if (!window.confirm(t('confirmPurge') || '确定永久删除该条目？此操作不可撤销。')) return;
-    fetch('/api/trash/' + encodeURIComponent(entryId), {
-      method: 'DELETE',
-      credentials: 'same-origin'
-    }).then(function (response) {
-      return response.json().then(function (body) {
-        if (!response.ok) throw new Error(body.error || ('HTTP ' + response.status));
-        return body;
-      });
-    }).then(function () {
-      row.remove();
-      if (!document.querySelector('tr[data-trash-entry-id]')) window.location.reload();
-    }).catch(function (error) {
-      window.alert(error.message || String(error));
-    });
-  });
-});
-</script>
-</body>
-</html>