From 137a4d42b02ddfe6dbc783f7d892585f75766f6c Mon Sep 17 00:00:00 2001
From: agent
Date: Fri, 10 Apr 2026 17:10:55 +0800
Subject: [PATCH] =?UTF-8?q?release(secrets-mcp):=200.5.17=20=E2=80=94=20?=
 =?UTF-8?q?=E5=8F=96=E6=B6=88=E7=94=9F=E4=BA=A7=E7=8E=AF=E5=A2=83=E5=BC=BA?=
 =?UTF-8?q?=E5=88=B6=20PG=20TLS=20=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

移除 SECRETS_ENV=production 时对 verify-ca/verify-full 的硬性要求, 仍可通过 SECRETS_DATABASE_SSL_MODE 显式选择模式。

Made-with: Cursor
---
 Cargo.lock | 2 +-
 crates/secrets-core/src/config.rs | 11 -----------
 crates/secrets-core/src/db.rs | 14 +-------------
 crates/secrets-mcp/Cargo.toml | 2 +-
 4 files changed, 3 insertions(+), 26 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a84619e..dc33500 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2065,7 +2065,7 @@ dependencies = [
 
 [[package]]
 name = "secrets-mcp"
-version = "0.5.16"
+version = "0.5.17"
 dependencies = [
 "anyhow",
 "askama",
diff --git a/crates/secrets-core/src/config.rs b/crates/secrets-core/src/config.rs
index 8cb29b5..dbcd003 100644
--- a/crates/secrets-core/src/config.rs
+++ b/crates/secrets-core/src/config.rs
@@ -8,7 +8,6 @@ pub struct DatabaseConfig {
 pub url: String,
 pub ssl_mode: Option,
 pub ssl_root_cert: Option,
- pub enforce_strict_tls: bool,
 }
 
 /// Resolve database URL from environment.
@@ -63,20 +62,10 @@ fn resolve_ssl_root_cert_from_env() -> Result> {
 Ok(Some(path))
 }
 
-fn is_production_env() -> bool {
- matches!(
- env_var_non_empty("SECRETS_ENV")
- .as_deref()
- .map(|value| value.to_ascii_lowercase()),
- Some(value) if value == "prod" || value == "production"
- )
-}
-
 pub fn resolve_db_config(override_url: &str) -> Result {
 Ok(DatabaseConfig {
 url: resolve_db_url(override_url)?,
 ssl_mode: parse_ssl_mode_from_env()?,
 ssl_root_cert: resolve_ssl_root_cert_from_env()?,
- enforce_strict_tls: is_production_env(),
 })
 }
diff --git a/crates/secrets-core/src/db.rs b/crates/secrets-core/src/db.rs
index e111d02..3669694 100644
--- a/crates/secrets-core/src/db.rs
+++ b/crates/secrets-core/src/db.rs
@@ -3,7 +3,7 @@ use std::str::FromStr;
 use anyhow::{Context, Result};
 use serde_json::{Map, Value};
 use sqlx::PgPool;
-use sqlx::postgres::{PgConnectOptions, PgPoolOptions, PgSslMode};
+use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
 use crate::config::DatabaseConfig;
 
@@ -18,18 +18,6 @@ fn build_connect_options(config: &DatabaseConfig) -> Result {
 options = options.ssl_root_cert(path);
 }
 
- if config.enforce_strict_tls
- && !matches!(
- options.get_ssl_mode(),
- PgSslMode::VerifyCa | PgSslMode::VerifyFull
- )
- {
- anyhow::bail!(
- "Refusing to start in production with weak PostgreSQL TLS mode. \
- Set SECRETS_DATABASE_SSL_MODE=verify-ca or verify-full."
- );
- }
-
 Ok(options)
 }
 
diff --git a/crates/secrets-mcp/Cargo.toml b/crates/secrets-mcp/Cargo.toml
index f0a8e95..9ff111f 100644
--- a/crates/secrets-mcp/Cargo.toml
+++ b/crates/secrets-mcp/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "secrets-mcp"
-version = "0.5.16"
+version = "0.5.17"
 edition.workspace = true
 
 [[bin]]
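Review bot: After the second hunk of crates/secrets-core/src/db.rs, `build_connect_options` reaches `Ok(options)` without checking or reporting the effective TLS mode, so a production instance of this secrets service can start with a mode that does not authenticate the PostgreSQL server, and nothing in the logs will say so. If a hard failure is no longer wanted, a softer signal would still keep operators informed: retain the `PgSslMode` import dropped in the first hunk and, just before `Ok(options)`, emit a startup warning when `!matches!(options.get_ssl_mode(), PgSslMode::VerifyCa | PgSslMode::VerifyFull)`. At minimum the function deserves a doc comment such as `/// TLS mode is taken from configuration as-is; modes below verify-ca do not authenticate the server.` The function begins above the hunk, so how `options` is first built is not visible here and the default mode it starts from should be confirmed.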