release(secrets-mcp): 0.5.17 — 取消生产环境强制 PG TLS 校验

移除 SECRETS_ENV=production 时对 verify-ca/verify-full 的硬性要求，仍可通过 SECRETS_DATABASE_SSL_MODE 显式选择模式。 Made-with: Cursor
2026-04-10 17:10:55 +08:00
parent ff2ea91e72
commit 137a4d42b0
4 changed files with 3 additions and 26 deletions
--- a/crates/secrets-core/src/db.rs
+++ b/crates/secrets-core/src/db.rs
@@ -3,7 +3,7 @@ use std::str::FromStr;
 use anyhow::{Context, Result};
 use serde_json::{Map, Value};
 use sqlx::PgPool;
-use sqlx::postgres::{PgConnectOptions, PgPoolOptions, PgSslMode};
+use sqlx::postgres::{PgConnectOptions, PgPoolOptions};

 use crate::config::DatabaseConfig;

@@ -18,18 +18,6 @@ fn build_connect_options(config: &DatabaseConfig) -> Result<PgConnectOptions> {
        options = options.ssl_root_cert(path);
    }

-    if config.enforce_strict_tls
-        && !matches!(
-            options.get_ssl_mode(),
-            PgSslMode::VerifyCa | PgSslMode::VerifyFull
-        )
-    {
-        anyhow::bail!(
-            "Refusing to start in production with weak PostgreSQL TLS mode. \
-             Set SECRETS_DATABASE_SSL_MODE=verify-ca or verify-full."
-        );
-    }
-
    Ok(options)
 }