release(secrets-mcp): v0.3.2 — 修复 key_ref 多租户与歧义

- env_map：key_ref 解析传入 user_id；支持 folder/name；多条匹配时报错 - 文档同步 key_ref 说明 - bump secrets-mcp 0.3.1 → 0.3.2，更新 Cargo.lock Made-with: Cursor
2026-03-27 10:45:12 +08:00
parent beade4503d
commit 08e81363c9
5 changed files with 32 additions and 9 deletions
--- a/crates/secrets-core/src/service/env_map.rs
+++ b/crates/secrets-core/src/service/env_map.rs
@@ -26,7 +26,8 @@ pub async fn build_env_map(
    let mut combined: HashMap<String, String> = HashMap::new();

    for entry in &entries {
-        let entry_map = build_entry_env_map(pool, entry, only_fields, prefix, master_key).await?;
+        let entry_map =
+            build_entry_env_map(pool, entry, only_fields, prefix, master_key, user_id).await?;
        combined.extend(entry_map);
    }

@@ -39,6 +40,7 @@ async fn build_entry_env_map(
    only_fields: &[String],
    prefix: &str,
    master_key: &[u8; 32],
+    user_id: Option<Uuid>,
 ) -> Result<HashMap<String, String>> {
    let entry_ids = vec![entry.id];
    let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
@@ -66,10 +68,31 @@ async fn build_entry_env_map(
        map.insert(key, json_to_env_string(&decrypted));
    }

-    // Resolve key_ref
+    // Resolve key_ref. Supported formats: "name" or "folder/name".
    if let Some(key_ref) = entry.metadata.get("key_ref").and_then(|v| v.as_str()) {
-        let key_entries =
-            fetch_entries(pool, None, Some("key"), Some(key_ref), &[], None, None).await?;
+        let (ref_folder, ref_name) = if let Some((f, n)) = key_ref.split_once('/') {
+            (Some(f), n)
+        } else {
+            (None, key_ref)
+        };
+        let key_entries = fetch_entries(
+            pool,
+            ref_folder,
+            Some("key"),
+            Some(ref_name),
+            &[],
+            None,
+            user_id,
+        )
+        .await?;
+
+        if key_entries.len() > 1 {
+            anyhow::bail!(
+                "key_ref '{}' matched {} entries; qualify with folder/name to resolve the ambiguity",
+                key_ref,
+                key_entries.len()
+            );
+        }

        if let Some(key_entry) = key_entries.first() {
            let key_ids = vec![key_entry.id];
@@ -87,7 +110,7 @@ async fn build_entry_env_map(
                map.insert(key_var, json_to_env_string(&decrypted));
            }
        } else {
-            tracing::warn!(key_ref, "key_ref target not found");
+            tracing::warn!(key_ref, ?user_id, "key_ref target not found");
        }
    }

--- a/crates/secrets-mcp/Cargo.toml
+++ b/crates/secrets-mcp/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "secrets-mcp"
-version = "0.3.1"
+version = "0.3.2"
 edition.workspace = true

 [[bin]]