refining/secrets
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 61 Wiki Activity

chore(release): secrets-mcp 0.4.0
All checks were successful
Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Successful in 4m19s
Details
Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 6s
Details

Browse Source 
Bump version for the N:N entry_secrets data model and related MCP/Web
changes. Remove superseded SQL migration artifacts; rely on auto-migrate.
Add structured errors, taxonomy normalization, and web i18n helpers.

Made-with: Cursor
This commit is contained in:
voson
2026-04-04 17:58:12 +08:00
parent b99d821644
commit 1518388374
29 changed files with 2285 additions and 1260 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/secrets-mcp/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "secrets-mcp"
version = "0.3.9"
version = "0.4.0"
edition.workspace = true
[[bin]]

36
crates/secrets-mcp/src/error.rs Normal file
View File

@@ -0,0 +1,36 @@
use secrets_core::error::AppError;
/// Map a structured `AppError` to an MCP protocol error.
///
/// This replaces the previous pattern of swallowing all errors into `-32603`.
pub fn app_error_to_mcp(err: &AppError) -> rmcp::ErrorData {
match err {
AppError::ConflictSecretName { secret_name } => rmcp::ErrorData::invalid_request(
format!(
"A secret with the name '{secret_name}' already exists for your account. \
Secret names must be unique per user."
),
None,
),
AppError::ConflictEntryName { folder, name } => rmcp::ErrorData::invalid_request(
format!(
"An entry with folder='{folder}' and name='{name}' already exists. \
The combination of folder and name must be unique."
),
None,
),
AppError::NotFoundEntry => rmcp::ErrorData::invalid_request(
"Entry not found. Use secrets_find to discover existing entries.",
None,
),
AppError::Validation { message } => rmcp::ErrorData::invalid_request(message.clone(), None),
AppError::ConcurrentModification => rmcp::ErrorData::invalid_request(
"The entry was modified by another request. Please refresh and try again.",
None,
),
AppError::Internal(_) => rmcp::ErrorData::internal_error(
"Request failed due to a server error. Check service logs if you need details.",
None,
),
}
}

1
crates/secrets-mcp/src/main.rs
View File

@@ -1,4 +1,5 @@
mod auth;
mod error;
mod logging;
mod oauth;
mod tools;

62
crates/secrets-mcp/src/tools.rs
View File

@@ -31,6 +31,7 @@ use secrets_core::service::{
};
use crate::auth::AuthUser;
use crate::error;
// ── MCP client-facing errors (no internal details) ───────────────────────────
@@ -50,6 +51,17 @@ fn mcp_err_internal_logged(
)
}
fn mcp_err_from_anyhow(
tool: &'static str,
user_id: Option<Uuid>,
err: anyhow::Error,
) -> rmcp::ErrorData {
if let Some(app_err) = err.downcast_ref::<secrets_core::error::AppError>() {
return error::app_error_to_mcp(app_err);
}
mcp_err_internal_logged(tool, user_id, err)
}
fn mcp_err_invalid_encryption_key_logged(err: impl std::fmt::Display) -> rmcp::ErrorData {
tracing::warn!(error = %err, "invalid X-Encryption-Key");
rmcp::ErrorData::invalid_request(
@@ -162,11 +174,17 @@ struct FindInput {
query: Option<String>,
#[schemars(description = "Exact folder filter (e.g. 'refining', 'ricnsmart')")]
folder: Option<String>,
#[schemars(description = "Exact type filter (e.g. 'server', 'service', 'person', 'key')")]
#[schemars(
description = "Exact type filter (recommended: 'server', 'service', 'person', 'document')"
)]
#[serde(rename = "type")]
entry_type: Option<String>,
#[schemars(description = "Exact name filter")]
#[schemars(description = "Exact name filter. For fuzzy matching use name_query instead.")]
name: Option<String>,
#[schemars(
description = "Fuzzy name filter (ILIKE, case-insensitive partial match). Use this instead of 'name' when you don't know the exact name."
)]
name_query: Option<String>,
#[schemars(description = "Tag filters (all must match)")]
tags: Option<Vec<String>>,
#[schemars(description = "Max results (default 20)")]
@@ -179,11 +197,17 @@ struct SearchInput {
query: Option<String>,
#[schemars(description = "Folder filter (e.g. 'refining', 'personal', 'family')")]
folder: Option<String>,
#[schemars(description = "Type filter (e.g. 'server', 'service', 'person', 'key')")]
#[schemars(
description = "Type filter (recommended: 'server', 'service', 'person', 'document')"
)]
#[serde(rename = "type")]
entry_type: Option<String>,
#[schemars(description = "Exact name to match")]
#[schemars(description = "Exact name to match. For fuzzy matching use name_query instead.")]
name: Option<String>,
#[schemars(
description = "Fuzzy name filter (ILIKE, case-insensitive partial match). Use this instead of 'name' when you don't know the exact name."
)]
name_query: Option<String>,
#[schemars(description = "Tag filters (all must match)")]
tags: Option<Vec<String>>,
#[schemars(description = "Return only summary fields (name/tags/notes/updated_at)")]
@@ -211,7 +235,7 @@ struct AddInput {
#[schemars(description = "Folder for organization (optional, e.g. 'personal', 'refining')")]
folder: Option<String>,
#[schemars(
description = "Type/category of this entry (optional, e.g. 'server', 'person', 'key')"
description = "Type/category of this entry (optional, recommended: 'server', 'service', 'person', 'document')"
)]
#[serde(rename = "type")]
entry_type: Option<String>,
@@ -233,6 +257,10 @@ struct AddInput {
description = "Secret fields as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided. Reminder: non-sensitive endpoint/address fields should go to metadata.address."
)]
secrets_obj: Option<Map<String, Value>>,
#[schemars(
description = "Secret types as {\"secret_name\": \"type\"}. Keys must match secret field names. Missing keys default to \"text\"."
)]
secret_types: Option<Map<String, Value>>,
#[schemars(
description = "Link existing secrets by secret name. Names must resolve uniquely under current user."
)]
@@ -273,6 +301,10 @@ struct UpdateInput {
description = "Secret fields to update/add as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided. Reminder: non-sensitive endpoint/address fields should go to metadata.address."
)]
secrets_obj: Option<Map<String, Value>>,
#[schemars(
description = "Secret types as {\"secret_name\": \"type\"}. Keys must match secret field names. Missing keys default to \"text\"."
)]
secret_types: Option<Map<String, Value>>,
#[schemars(description = "Secret field keys to remove")]
remove_secrets: Option<Vec<String>>,
}
@@ -412,6 +444,7 @@ impl SecretsService {
folder = input.folder.as_deref(),
entry_type = input.entry_type.as_deref(),
name = input.name.as_deref(),
name_query = input.name_query.as_deref(),
query = input.query.as_deref(),
"tool call start",
);
@@ -422,6 +455,7 @@ impl SecretsService {
folder: input.folder.as_deref(),
entry_type: input.entry_type.as_deref(),
name: input.name.as_deref(),
name_query: input.name_query.as_deref(),
tags: &tags,
query: input.query.as_deref(),
sort: "name",
@@ -499,6 +533,7 @@ impl SecretsService {
folder = input.folder.as_deref(),
entry_type = input.entry_type.as_deref(),
name = input.name.as_deref(),
name_query = input.name_query.as_deref(),
query = input.query.as_deref(),
"tool call start",
);
@@ -509,6 +544,7 @@ impl SecretsService {
folder: input.folder.as_deref(),
entry_type: input.entry_type.as_deref(),
name: input.name.as_deref(),
name_query: input.name_query.as_deref(),
tags: &tags,
query: input.query.as_deref(),
sort: input.sort.as_deref().unwrap_or("name"),
@@ -667,6 +703,11 @@ impl SecretsService {
if let Some(obj) = input.secrets_obj {
secrets.extend(map_to_kv_strings(obj));
}
let secret_types = input.secret_types.unwrap_or_default();
let secret_types_map: std::collections::HashMap<String, String> = secret_types
.into_iter()
.filter_map(|(k, v)| v.as_str().map(|s| (k, s.to_string())))
.collect();
let link_secret_names = input.link_secret_names.unwrap_or_default();
let folder = input.folder.as_deref().unwrap_or("");
let entry_type = input.entry_type.as_deref().unwrap_or("");
@@ -682,13 +723,14 @@ impl SecretsService {
tags: &tags,
meta_entries: &meta,
secret_entries: &secrets,
secret_types: &secret_types_map,
link_secret_names: &link_secret_names,
user_id: Some(user_id),
},
&user_key,
)
.await
.map_err(|e| mcp_err_internal_logged("secrets_add", Some(user_id), e))?;
.map_err(|e| mcp_err_from_anyhow("secrets_add", Some(user_id), e))?;
tracing::info!(
tool = "secrets_add",
@@ -745,6 +787,11 @@ impl SecretsService {
if let Some(obj) = input.secrets_obj {
secrets.extend(map_to_kv_strings(obj));
}
let secret_types = input.secret_types.unwrap_or_default();
let secret_types_map: std::collections::HashMap<String, String> = secret_types
.into_iter()
.filter_map(|(k, v)| v.as_str().map(|s| (k, s.to_string())))
.collect();
let remove_secrets = input.remove_secrets.unwrap_or_default();
let result = svc_update(
@@ -758,13 +805,14 @@ impl SecretsService {
meta_entries: &meta,
remove_meta: &remove_meta,
secret_entries: &secrets,
secret_types: &secret_types_map,
remove_secrets: &remove_secrets,
user_id: Some(user_id),
},
&user_key,
)
.await
.map_err(|e| mcp_err_internal_logged("secrets_update", Some(user_id), e))?;
.map_err(|e| mcp_err_from_anyhow("secrets_update", Some(user_id), e))?;
tracing::info!(
tool = "secrets_update",

645
crates/secrets-mcp/src/web.rs
View File

@@ -17,11 +17,12 @@ use uuid::Uuid;
use secrets_core::audit::log_login;
use secrets_core::crypto::hex;
use secrets_core::error::AppError;
use secrets_core::service::{
api_key::{ensure_api_key, regenerate_api_key},
audit_log::list_for_user,
delete::delete_by_id,
search::{SearchParams, count_entries, fetch_secret_schemas, list_entries},
search::{SearchParams, fetch_secret_schemas, ilike_pattern, list_entries},
update::{UpdateEntryFieldsByIdParams, update_fields_by_id},
user::{
OAuthProfile, bind_oauth_account, find_or_create_user, get_user_by_id,
@@ -88,15 +89,16 @@ struct EntriesPageTemplate {
user_name: String,
user_email: String,
entries: Vec<EntryListItemView>,
total_count: i64,
shown_count: usize,
limit: u32,
folder_tabs: Vec<FolderTabView>,
type_options: Vec<String>,
secret_type_options_json: String,
filter_folder: String,
filter_name: String,
filter_type: String,
version: &'static str,
}
/// Non-sensitive fields only (no `secrets` / ciphertext).
/// Non-sensitive entry fields; `secrets` lists field names/types only (no ciphertext).
struct EntryListItemView {
id: String,
folder: String,
@@ -104,24 +106,37 @@ struct EntryListItemView {
name: String,
notes: String,
tags: String,
metadata: String,
/// Compact JSON for `data-entry-metadata` (dialog editor).
metadata_json: String,
/// Secret field summaries for table + dialog chips.
secrets: Vec<SecretSummaryView>,
/// RFC3339 UTC for `<time datetime>`; localized in entries.html.
/// JSON array of `{ id, name, secret_type }` for dialog secret chips.
secrets_json: String,
/// RFC3339 UTC; shown in edit dialog.
updated_at_iso: String,
}
#[derive(Serialize)]
struct SecretSummaryView {
id: String,
name: String,
secret_type: String,
}
struct FolderTabView {
name: String,
count: i64,
href: String,
active: bool,
}
/// Cap for HTML list (avoids loading unbounded rows into memory).
const ENTRIES_PAGE_LIMIT: u32 = 5_000;
#[derive(Deserialize)]
struct EntriesQuery {
folder: Option<String>,
name: Option<String>,
/// URL query key is `type` (maps to DB column `entries.type`).
#[serde(rename = "type")]
entry_type: Option<String>,
@@ -183,6 +198,7 @@ pub fn web_router() -> Router<AppState> {
.route("/robots.txt", get(robots_txt))
.route("/llms.txt", get(llms_txt))
.route("/ai.txt", get(ai_txt))
.route("/static/i18n.js", get(i18n_js))
.route("/favicon.svg", get(favicon_svg))
.route(
"/favicon.ico",
@@ -218,6 +234,8 @@ pub fn web_router() -> Router<AppState> {
"/api/entries/{entry_id}/secrets/{secret_id}",
axum::routing::delete(api_entry_secret_unlink),
)
.route("/api/secrets/{secret_id}", patch(api_secret_patch))
.route("/api/secrets/check-name", get(api_secret_check_name))
}
fn text_asset_response(content: &'static str, content_type: &'static str) -> Response {
@@ -247,6 +265,13 @@ async fn ai_txt() -> Response {
llms_txt().await
}
async fn i18n_js() -> Response {
text_asset_response(
include_str!("../templates/i18n.js"),
"application/javascript; charset=utf-8",
)
}
async fn favicon_svg() -> Response {
Response::builder()
.status(StatusCode::OK)
@@ -565,11 +590,17 @@ async fn entries_page(
.map(|s| s.trim())
.filter(|s| !s.is_empty())
.map(|s| s.to_string());
let name_filter = q
.name
.as_ref()
.map(|s| s.trim())
.filter(|s| !s.is_empty())
.map(|s| s.to_string());
let params = SearchParams {
folder: folder_filter.as_deref(),
entry_type: type_filter.as_deref(),
name: None,
name_query: name_filter.as_deref(),
tags: &[],
query: None,
sort: "updated",
@@ -578,16 +609,10 @@ async fn entries_page(
user_id: Some(user_id),
};
let total_count = count_entries(&state.pool, &params).await.map_err(|e| {
tracing::error!(error = %e, "failed to count entries for web");
StatusCode::INTERNAL_SERVER_ERROR
})?;
let rows = list_entries(&state.pool, params).await.map_err(|e| {
tracing::error!(error = %e, "failed to load entries list for web");
StatusCode::INTERNAL_SERVER_ERROR
})?;
let shown_count = rows.len();
let entry_ids: Vec<Uuid> = rows.iter().map(|e| e.id).collect();
let secret_schemas = fetch_secret_schemas(&state.pool, &entry_ids)
.await
@@ -596,18 +621,112 @@ async fn entries_page(
StatusCode::INTERNAL_SERVER_ERROR
})?;
#[derive(sqlx::FromRow)]
struct FolderCountRow {
folder: String,
count: i64,
}
let mut folder_sql =
"SELECT folder, COUNT(*)::bigint AS count FROM entries WHERE user_id = $1".to_string();
let mut bind_idx = 2;
if type_filter.is_some() {
folder_sql.push_str(&format!(" AND type = ${bind_idx}"));
bind_idx += 1;
}
if name_filter.is_some() {
folder_sql.push_str(&format!(" AND name ILIKE ${bind_idx} ESCAPE '\\'"));
bind_idx += 1;
}
let _ = bind_idx;
folder_sql.push_str(" GROUP BY folder ORDER BY folder");
let mut folder_query = sqlx::query_as::<_, FolderCountRow>(&folder_sql).bind(user_id);
if let Some(t) = type_filter.as_deref() {
folder_query = folder_query.bind(t);
}
if let Some(n) = name_filter.as_deref() {
folder_query = folder_query.bind(ilike_pattern(n));
}
let folder_rows: Vec<FolderCountRow> =
folder_query.fetch_all(&state.pool).await.map_err(|e| {
tracing::error!(error = %e, "failed to load folder tabs for web");
StatusCode::INTERNAL_SERVER_ERROR
})?;
#[derive(sqlx::FromRow)]
struct TypeOptionRow {
#[sqlx(rename = "type")]
entry_type: String,
}
let mut type_options: Vec<String> = sqlx::query_as::<_, TypeOptionRow>(
"SELECT DISTINCT type FROM entries WHERE user_id = $1 ORDER BY type",
)
.bind(user_id)
.fetch_all(&state.pool)
.await
.map_err(|e| {
tracing::error!(error = %e, "failed to load type options for web");
StatusCode::INTERNAL_SERVER_ERROR
})?
.into_iter()
.map(|r| r.entry_type)
.filter(|t| !t.is_empty())
.collect();
if let Some(current) = type_filter.as_ref()
&& !current.is_empty()
&& !type_options.iter().any(|t| t == current)
{
type_options.push(current.clone());
type_options.sort_unstable();
}
fn entries_href(folder: Option<&str>, entry_type: Option<&str>, name: Option<&str>) -> String {
let mut pairs: Vec<String> = Vec::new();
if let Some(f) = folder
&& !f.is_empty()
{
pairs.push(format!("folder={}", urlencoding::encode(f)));
}
if let Some(t) = entry_type
&& !t.is_empty()
{
pairs.push(format!("type={}", urlencoding::encode(t)));
}
if let Some(n) = name
&& !n.is_empty()
{
pairs.push(format!("name={}", urlencoding::encode(n)));
}
if pairs.is_empty() {
"/entries".to_string()
} else {
format!("/entries?{}", pairs.join("&"))
}
}
let all_count: i64 = folder_rows.iter().map(|r| r.count).sum();
let mut folder_tabs: Vec<FolderTabView> = Vec::with_capacity(folder_rows.len() + 1);
folder_tabs.push(FolderTabView {
name: "全部".to_string(),
count: all_count,
href: entries_href(None, type_filter.as_deref(), name_filter.as_deref()),
active: folder_filter.is_none(),
});
for r in folder_rows {
let name = r.folder;
folder_tabs.push(FolderTabView {
href: entries_href(Some(&name), type_filter.as_deref(), name_filter.as_deref()),
active: folder_filter.as_deref() == Some(name.as_str()),
name,
count: r.count,
});
}
let entries = rows
.into_iter()
.map(|e| EntryListItemView {
id: e.id.to_string(),
folder: e.folder,
entry_type: e.entry_type,
name: e.name,
notes: e.notes,
tags: e.tags.join(", "),
metadata: serde_json::to_string_pretty(&e.metadata)
.unwrap_or_else(|_| "{}".to_string()),
secrets: secret_schemas
.map(|e| {
let secrets: Vec<SecretSummaryView> = secret_schemas
.get(&e.id)
.map(|fields| {
fields
@@ -619,8 +738,22 @@ async fn entries_page(
})
.collect()
})
.unwrap_or_default(),
updated_at_iso: e.updated_at.to_rfc3339_opts(SecondsFormat::Secs, true),
.unwrap_or_default();
let secrets_json = serde_json::to_string(&secrets).unwrap_or_else(|_| "[]".to_string());
let metadata_json =
serde_json::to_string(&e.metadata).unwrap_or_else(|_| "{}".to_string());
EntryListItemView {
id: e.id.to_string(),
folder: e.folder,
entry_type: e.entry_type,
name: e.name,
notes: e.notes,
tags: e.tags.join(", "),
metadata_json,
secrets,
secrets_json,
updated_at_iso: e.updated_at.to_rfc3339_opts(SecondsFormat::Secs, true),
}
})
.collect();
@@ -628,10 +761,17 @@ async fn entries_page(
user_name: user.name.clone(),
user_email: user.email.clone().unwrap_or_default(),
entries,
total_count,
shown_count,
limit: ENTRIES_PAGE_LIMIT,
folder_tabs,
type_options,
secret_type_options_json: serde_json::to_string(
&secrets_core::taxonomy::SECRET_TYPE_OPTIONS
.iter()
.map(|s| s.to_string())
.collect::<Vec<_>>(),
)
.unwrap_or_default(),
filter_folder: folder_filter.unwrap_or_default(),
filter_name: name_filter.unwrap_or_default(),
filter_type: type_filter.unwrap_or_default(),
version: env!("CARGO_PKG_VERSION"),
};
@@ -927,24 +1067,53 @@ struct EntryPatchBody {
type EntryApiError = (StatusCode, Json<serde_json::Value>);
fn map_entry_mutation_err(e: anyhow::Error) -> EntryApiError {
let msg = e.to_string();
if msg.contains("Entry not found") {
return (
StatusCode::NOT_FOUND,
Json(json!({ "error": "条目不存在或无权访问" })),
);
#[derive(Clone, Copy)]
enum UiLang {
ZhCn,
ZhTw,
En,
}
fn request_ui_lang(headers: &HeaderMap) -> UiLang {
let Some(raw) = headers
.get(header::ACCEPT_LANGUAGE)
.and_then(|v| v.to_str().ok())
else {
return UiLang::ZhCn;
};
let lower = raw.to_ascii_lowercase();
if lower.contains("zh-tw") || lower.contains("zh-hk") || lower.contains("zh-hant") {
UiLang::ZhTw
} else if lower.contains("zh") {
UiLang::ZhCn
} else if lower.contains("en") {
UiLang::En
} else {
UiLang::ZhCn
}
}
fn tr(lang: UiLang, zh_cn: &'static str, zh_tw: &'static str, en: &'static str) -> &'static str {
match lang {
UiLang::ZhCn => zh_cn,
UiLang::ZhTw => zh_tw,
UiLang::En => en,
}
}
fn map_entry_mutation_err(e: anyhow::Error, lang: UiLang) -> EntryApiError {
if let Some(app_err) = e.downcast_ref::<AppError>() {
return map_app_error(app_err, lang);
}
// Fallback for legacy string-based errors and raw sqlx errors
let msg = e.to_string();
if msg.contains("already exists") {
return (
StatusCode::CONFLICT,
Json(json!({ "error": "该账号下已存在相同 folder + name 的条目" })),
);
}
if msg.contains("Concurrent modification") {
return (
StatusCode::CONFLICT,
Json(json!({ "error": "条目已被修改,请刷新后重试" })),
Json(
json!({ "error": tr(lang, "该账号下已存在相同 folder + name 的条目", "此帳號下已存在相同 folder + name 的條目", "An entry with the same folder + name already exists for this account") }),
),
);
}
if msg.contains("must be at most") {
@@ -953,19 +1122,57 @@ fn map_entry_mutation_err(e: anyhow::Error) -> EntryApiError {
tracing::error!(error = %e, "entry mutation failed");
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(json!({ "error": "操作失败,请稍后重试" })),
Json(
json!({ "error": tr(lang, "操作失败,请稍后重试", "操作失敗,請稍後重試", "Operation failed, please try again later") }),
),
)
}
fn map_app_error(err: &AppError, lang: UiLang) -> EntryApiError {
match err {
AppError::ConflictEntryName { .. } | AppError::ConflictSecretName { .. } => (
StatusCode::CONFLICT,
Json(json!({ "error": err.to_string() })),
),
AppError::NotFoundEntry => (
StatusCode::NOT_FOUND,
Json(
json!({ "error": tr(lang, "条目不存在或无权访问", "條目不存在或無權存取", "Entry not found or no access") }),
),
),
AppError::Validation { message } => {
(StatusCode::BAD_REQUEST, Json(json!({ "error": message })))
}
AppError::ConcurrentModification => (
StatusCode::CONFLICT,
Json(
json!({ "error": tr(lang, "条目已被修改,请刷新后重试", "條目已被修改,請重新整理後重試", "Entry was modified, please refresh and try again") }),
),
),
AppError::Internal(_) => {
tracing::error!(error = %err, "internal error in entry mutation");
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(
json!({ "error": tr(lang, "操作失败,请稍后重试", "操作失敗,請稍後重試", "Operation failed, please try again later") }),
),
)
}
}
}
async fn api_entry_patch(
State(state): State<AppState>,
session: Session,
headers: HeaderMap,
Path(entry_id): Path<Uuid>,
Json(body): Json<EntryPatchBody>,
) -> Result<Json<serde_json::Value>, EntryApiError> {
let user_id = current_user_id(&session)
.await
.ok_or((StatusCode::UNAUTHORIZED, Json(json!({ "error": "未登录" }))))?;
let lang = request_ui_lang(&headers);
let user_id = current_user_id(&session).await.ok_or((
StatusCode::UNAUTHORIZED,
Json(json!({ "error": tr(lang, "未登录", "尚未登入", "Not logged in") })),
))?;
let folder = body.folder.trim();
let entry_type = body.entry_type.trim();
@@ -975,7 +1182,9 @@ async fn api_entry_patch(
if name.is_empty() {
return Err((
StatusCode::BAD_REQUEST,
Json(json!({ "error": "name 不能为空" })),
Json(
json!({ "error": tr(lang, "name 不能为空", "name 不能為空", "name cannot be empty") }),
),
));
}
@@ -989,7 +1198,9 @@ async fn api_entry_patch(
if !body.metadata.is_object() {
return Err((
StatusCode::BAD_REQUEST,
Json(json!({ "error": "metadata 必须是 JSON 对象" })),
Json(
json!({ "error": tr(lang, "metadata 必须是 JSON 对象", "metadata 必須是 JSON 物件", "metadata must be a JSON object") }),
),
));
}
@@ -1007,7 +1218,7 @@ async fn api_entry_patch(
},
)
.await
.map_err(map_entry_mutation_err)?;
.map_err(|e| map_entry_mutation_err(e, lang))?;
Ok(Json(json!({ "ok": true })))
}
@@ -1015,25 +1226,291 @@ async fn api_entry_patch(
async fn api_entry_delete(
State(state): State<AppState>,
session: Session,
headers: HeaderMap,
Path(entry_id): Path<Uuid>,
) -> Result<Json<serde_json::Value>, EntryApiError> {
let user_id = current_user_id(&session)
.await
.ok_or((StatusCode::UNAUTHORIZED, Json(json!({ "error": "未登录" }))))?;
let lang = request_ui_lang(&headers);
let user_id = current_user_id(&session).await.ok_or((
StatusCode::UNAUTHORIZED,
Json(json!({ "error": tr(lang, "未登录", "尚未登入", "Not logged in") })),
))?;
let result = delete_by_id(&state.pool, entry_id, user_id)
delete_by_id(&state.pool, entry_id, user_id)
.await
.map_err(map_entry_mutation_err)?;
.map_err(|e| map_entry_mutation_err(e, lang))?;
Ok(Json(json!({
"ok": true,
"migrated": result.migrated,
})))
}
#[derive(Deserialize)]
struct SecretCheckNameQuery {
name: String,
exclude_secret_id: Option<Uuid>,
}
#[derive(Serialize)]
struct SecretCheckNameResponse {
ok: bool,
available: bool,
#[serde(skip_serializing_if = "Option::is_none")]
error: Option<String>,
}
async fn api_secret_check_name(
State(state): State<AppState>,
session: Session,
headers: HeaderMap,
Query(params): Query<SecretCheckNameQuery>,
) -> Result<Json<SecretCheckNameResponse>, EntryApiError> {
let lang = request_ui_lang(&headers);
let user_id = current_user_id(&session).await.ok_or((
StatusCode::UNAUTHORIZED,
Json(json!({ "error": tr(lang, "未登录", "尚未登入", "Not logged in") })),
))?;
let name = params.name.trim();
if name.is_empty() {
return Err((
StatusCode::BAD_REQUEST,
Json(
json!({ "error": tr(lang, "secret name 不能为空", "secret name 不能為空", "secret name cannot be empty") }),
),
));
}
if name.chars().count() > 256 {
return Err((
StatusCode::BAD_REQUEST,
Json(
json!({ "error": tr(lang, "secret name 长度不能超过 256 个字符", "secret name 長度不能超過 256 個字元", "secret name must be at most 256 characters") }),
),
));
}
let count: i64 = if let Some(exclude_id) = params.exclude_secret_id {
sqlx::query_scalar::<_, i64>(
"SELECT COUNT(*) FROM secrets WHERE user_id = $1 AND name = $2 AND id != $3",
)
.bind(user_id)
.bind(name)
.bind(exclude_id)
.fetch_one(&state.pool)
.await
} else {
sqlx::query_scalar::<_, i64>(
"SELECT COUNT(*) FROM secrets WHERE user_id = $1 AND name = $2",
)
.bind(user_id)
.bind(name)
.fetch_one(&state.pool)
.await
}.map_err(|e| {
tracing::error!(error = %e, "failed to check secret name availability");
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(
json!({ "error": tr(lang, "操作失败,请稍后重试", "操作失敗,請稍後重試", "Operation failed, please try again later") }),
),
)
})?;
let available = count == 0;
let error = if available {
None
} else {
Some(
tr(
lang,
"该用户下已存在相同 name 的密文",
"該用戶下已存在相同 name 的密文",
"A secret with the same name already exists for this user",
)
.to_string(),
)
};
Ok(Json(SecretCheckNameResponse {
ok: true,
available,
error,
}))
}
#[derive(Deserialize)]
struct SecretPatchBody {
name: Option<String>,
#[serde(rename = "type")]
secret_type: Option<String>,
}
async fn api_secret_patch(
State(state): State<AppState>,
session: Session,
headers: HeaderMap,
Path(secret_id): Path<Uuid>,
Json(body): Json<SecretPatchBody>,
) -> Result<Json<serde_json::Value>, EntryApiError> {
#[derive(Serialize, sqlx::FromRow)]
struct LinkedEntryAuditRow {
folder: String,
#[sqlx(rename = "type")]
entry_type: String,
name: String,
}
let lang = request_ui_lang(&headers);
let user_id = current_user_id(&session).await.ok_or((
StatusCode::UNAUTHORIZED,
Json(json!({ "error": tr(lang, "未登录", "尚未登入", "Not logged in") })),
))?;
let name = body.name.as_ref().map(|s| s.trim());
let secret_type = body.secret_type.as_ref().map(|s| s.trim());
if let Some(n) = name {
if n.is_empty() {
return Err((
StatusCode::BAD_REQUEST,
Json(
json!({ "error": tr(lang, "secret name 不能为空", "secret name 不能為空", "secret name cannot be empty") }),
),
));
}
if n.chars().count() > 256 {
return Err((
StatusCode::BAD_REQUEST,
Json(
json!({ "error": tr(lang, "secret name 长度不能超过 256 个字符", "secret name 長度不能超過 256 個字元", "secret name must be at most 256 characters") }),
),
));
}
}
if let Some(t) = secret_type {
if t.is_empty() {
return Err((
StatusCode::BAD_REQUEST,
Json(
json!({ "error": tr(lang, "secret type 不能为空", "secret type 不能為空", "secret type cannot be empty") }),
),
));
}
if t.chars().count() > 64 {
return Err((
StatusCode::BAD_REQUEST,
Json(
json!({ "error": tr(lang, "secret type 长度不能超过 64 个字符", "secret type 長度不能超過 64 個字元", "secret type must be at most 64 characters") }),
),
));
}
}
if name.is_none() && secret_type.is_none() {
return Err((
StatusCode::BAD_REQUEST,
Json(
json!({ "error": tr(lang, "至少需要提供 name 或 type 之一", "至少需要提供 name 或 type 之一", "At least one of name or type is required") }),
),
));
}
let mut tx = state
.pool
.begin()
.await
.map_err(|e| map_entry_mutation_err(e.into(), lang))?;
let secret_row: Option<(String, String)> =
sqlx::query_as("SELECT name, type FROM secrets WHERE id = $1 AND user_id = $2 FOR UPDATE")
.bind(secret_id)
.bind(user_id)
.fetch_optional(&mut *tx)
.await
.map_err(|e| map_entry_mutation_err(e.into(), lang))?;
let Some((old_name, old_type)) = secret_row else {
let _ = tx.rollback().await;
return Err((
StatusCode::NOT_FOUND,
Json(
json!({ "error": tr(lang, "密文不存在或无权访问", "密文不存在或無權存取", "Secret not found or no access") }),
),
));
};
let linked_entries: Vec<LinkedEntryAuditRow> = sqlx::query_as(
"SELECT e.folder, e.type, e.name \
FROM entry_secrets es \
JOIN entries e ON e.id = es.entry_id \
WHERE es.secret_id = $1 AND e.user_id = $2 \
ORDER BY e.folder, e.type, e.name",
)
.bind(secret_id)
.bind(user_id)
.fetch_all(&mut *tx)
.await
.map_err(|e| map_entry_mutation_err(e.into(), lang))?;
let new_name = name.unwrap_or(&old_name).to_string();
let new_type = secret_type.unwrap_or(&old_type).to_string();
let result = sqlx::query(
"UPDATE secrets SET name = $1, type = $2, version = version + 1, updated_at = NOW() \
WHERE id = $3",
)
.bind(&new_name)
.bind(&new_type)
.bind(secret_id)
.execute(&mut *tx)
.await;
if let Err(e) = result {
if let Some(db_err) = e.as_database_error()
&& db_err.code() == Some("23505".into())
{
let _ = tx.rollback().await;
return Err(map_app_error(
&AppError::ConflictSecretName {
secret_name: new_name.clone(),
},
lang,
));
}
let _ = tx.rollback().await;
return Err(map_entry_mutation_err(e.into(), lang));
}
secrets_core::audit::log_tx(
&mut tx,
Some(user_id),
"rename_secret",
"",
"",
&old_name,
json!({
"source": "web",
"secret_id": secret_id,
"old_name": old_name,
"new_name": new_name,
"old_type": old_type,
"new_type": new_type,
"linked_entries": linked_entries,
}),
)
.await;
tx.commit()
.await
.map_err(|e| map_entry_mutation_err(e.into(), lang))?;
Ok(Json(json!({ "ok": true })))
}
async fn api_entry_secret_unlink(
State(state): State<AppState>,
session: Session,
headers: HeaderMap,
Path((entry_id, secret_id)): Path<(Uuid, Uuid)>,
) -> Result<Json<serde_json::Value>, EntryApiError> {
#[derive(sqlx::FromRow)]
@@ -1044,15 +1521,17 @@ async fn api_entry_secret_unlink(
name: String,
}
let user_id = current_user_id(&session)
.await
.ok_or((StatusCode::UNAUTHORIZED, Json(json!({ "error": "未登录" }))))?;
let lang = request_ui_lang(&headers);
let user_id = current_user_id(&session).await.ok_or((
StatusCode::UNAUTHORIZED,
Json(json!({ "error": tr(lang, "未登录", "尚未登入", "Not logged in") })),
))?;
let mut tx = state
.pool
.begin()
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
.map_err(|e| map_entry_mutation_err(e.into(), lang))?;
let entry_row: Option<EntryAuditRow> =
sqlx::query_as("SELECT folder, type, name FROM entries WHERE id = $1 AND user_id = $2")
@@ -1060,15 +1539,15 @@ async fn api_entry_secret_unlink(
.bind(user_id)
.fetch_optional(&mut *tx)
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
.map_err(|e| map_entry_mutation_err(e.into(), lang))?;
let Some(entry_row) = entry_row else {
tx.rollback()
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
let _ = tx.rollback().await;
return Err((
StatusCode::NOT_FOUND,
Json(json!({ "error": "条目不存在或无权访问" })),
Json(
json!({ "error": tr(lang, "条目不存在或无权访问", "條目不存在或無權存取", "Entry not found or no access") }),
),
));
};
@@ -1077,16 +1556,14 @@ async fn api_entry_secret_unlink(
.bind(secret_id)
.execute(&mut *tx)
.await
.map_err(|e| map_entry_mutation_err(e.into()))?
.map_err(|e| map_entry_mutation_err(e.into(), lang))?
.rows_affected();
if deleted == 0 {
tx.rollback()
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
let _ = tx.rollback().await;
return Err((
StatusCode::NOT_FOUND,
Json(json!({ "error": "关联不存在" })),
Json(json!({ "error": tr(lang, "关联不存在", "關聯不存在", "Relation not found") })),
));
}
@@ -1098,7 +1575,7 @@ async fn api_entry_secret_unlink(
.bind(secret_id)
.execute(&mut *tx)
.await
.map_err(|e| map_entry_mutation_err(e.into()))?
.map_err(|e| map_entry_mutation_err(e.into(), lang))?
.rows_affected()
> 0;
@@ -1120,7 +1597,7 @@ async fn api_entry_secret_unlink(
tx.commit()
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
.map_err(|e| map_entry_mutation_err(e.into(), lang))?;
Ok(Json(json!({
"ok": true,
@@ -1173,3 +1650,27 @@ fn format_audit_target(folder: &str, entry_type: &str, name: &str) -> String {
name.to_string()
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn request_ui_lang_prefers_zh_cn_over_en_fallback() {
let mut headers = HeaderMap::new();
headers.insert(header::ACCEPT_LANGUAGE, "zh-CN, en;q=0.5".parse().unwrap());
assert!(matches!(request_ui_lang(&headers), UiLang::ZhCn));
}
#[test]
fn request_ui_lang_detects_traditional_chinese_variants() {
let mut headers = HeaderMap::new();
headers.insert(
header::ACCEPT_LANGUAGE,
"zh-Hant, en;q=0.5".parse().unwrap(),
);
assert!(matches!(request_ui_lang(&headers), UiLang::ZhTw));
}
}

65
crates/secrets-mcp/templates/audit.html
View File

@@ -38,6 +38,10 @@
}
.topbar-spacer { flex: 1; }
.nav-user { font-size: 13px; color: var(--text-muted); }
.lang-bar { display: flex; gap: 2px; background: var(--surface2); border-radius: 6px; padding: 2px; }
.lang-btn { padding: 3px 9px; border: none; background: none; color: var(--text-muted);
font-size: 12px; cursor: pointer; border-radius: 4px; }
.lang-btn.active { background: var(--border); color: var(--text); }
.btn-sign-out {
padding: 5px 12px; border-radius: 6px; border: 1px solid var(--border);
background: none; color: var(--text); font-size: 12px; text-decoration: none; cursor: pointer;
@@ -77,11 +81,8 @@
td::before {
display: block; color: var(--text-muted); font-size: 11px;
margin-bottom: 4px; text-transform: uppercase;
content: attr(data-label);
}
td.col-time::before { content: "Time"; }
td.col-action::before { content: "Action"; }
td.col-target::before { content: "Target"; }
td.col-detail::before { content: "Detail"; }
.detail { max-width: none; }
}
</style>
@@ -91,9 +92,9 @@
<aside class="sidebar">
<a href="/dashboard" class="sidebar-logo"><span>secrets</span></a>
<nav class="sidebar-menu">
<a href="/dashboard" class="sidebar-link">MCP</a>
<a href="/entries" class="sidebar-link">条目</a>
<a href="/audit" class="sidebar-link active">审计</a>
<a href="/dashboard" class="sidebar-link" data-i18n="navMcp">MCP</a>
<a href="/entries" class="sidebar-link" data-i18n="navEntries">条目</a>
<a href="/audit" class="sidebar-link active" data-i18n="navAudit">审计</a>
</nav>
</aside>
@@ -101,35 +102,40 @@
<div class="topbar">
<span class="topbar-spacer"></span>
<span class="nav-user">{{ user_name }}{% if !user_email.is_empty() %} · {{ user_email }}{% endif %}</span>
<div class="lang-bar">
<button class="lang-btn" onclick="setLang('zh-CN')"></button>
<button class="lang-btn" onclick="setLang('zh-TW')"></button>
<button class="lang-btn" onclick="setLang('en')">EN</button>
</div>
<form action="/auth/logout" method="post" style="display:inline">
<button type="submit" class="btn-sign-out">退出</button>
<button type="submit" class="btn-sign-out" data-i18n="signOut">退出</button>
</form>
</div>
<main class="main">
<section class="card">
<div class="card-title">我的审计</div>
<div class="card-subtitle">展示最近 100 条与当前用户相关的新审计记录。时间为浏览器本地时区。</div>
<div class="card-title" data-i18n="auditTitle">我的审计</div>
<div class="card-subtitle" data-i18n="auditSubtitle">展示最近 100 条与当前用户相关的新审计记录。时间为浏览器本地时区。</div>
{% if entries.is_empty() %}
<div class="empty">暂无审计记录。</div>
<div class="empty" data-i18n="emptyAudit">暂无审计记录。</div>
{% else %}
<table>
<thead>
<tr>
<th>时间</th>
<th>动作</th>
<th>目标</th>
<th>详情</th>
<th data-i18n="colTime">时间</th>
<th data-i18n="colAction">动作</th>
<th data-i18n="colTarget">目标</th>
<th data-i18n="colDetail">详情</th>
</tr>
</thead>
<tbody>
{% for entry in entries %}
<tr>
<td class="col-time mono"><time class="audit-local-time" datetime="{{ entry.created_at_iso }}">{{ entry.created_at_iso }}</time></td>
<td class="col-action mono">{{ entry.action }}</td>
<td class="col-target mono">{{ entry.target }}</td>
<td class="col-detail"><pre class="detail">{{ entry.detail }}</pre></td>
<td class="col-time mono" data-label="时间"><time class="audit-local-time" datetime="{{ entry.created_at_iso }}">{{ entry.created_at_iso }}</time></td>
<td class="col-action mono" data-label="动作">{{ entry.action }}</td>
<td class="col-target mono" data-label="目标">{{ entry.target }}</td>
<td class="col-detail" data-label="详情"><pre class="detail">{{ entry.detail }}</pre></td>
</tr>
{% endfor %}
</tbody>
@@ -139,8 +145,28 @@
</main>
</div>
</div>
<script src="/static/i18n.js"></script>
<script>
(function () {
I18N_PAGE = {
'zh-CN': { pageTitle: 'Secrets — 审计', auditTitle: '我的审计', auditSubtitle: '展示最近 100 条与当前用户相关的新审计记录。时间为浏览器本地时区。', emptyAudit: '暂无审计记录。', colTime: '时间', colAction: '动作', colTarget: '目标', colDetail: '详情' },
'zh-TW': { pageTitle: 'Secrets — 審計', auditTitle: '我的審計', auditSubtitle: '顯示最近 100 筆與目前使用者相關的新審計記錄。時間為瀏覽器本地時區。', emptyAudit: '暫無審計記錄。', colTime: '時間', colAction: '動作', colTarget: '目標', colDetail: '詳情' },
en: { pageTitle: 'Secrets — Audit', auditTitle: 'My audit', auditSubtitle: 'Shows the latest 100 audit records related to the current user. Time is in browser local timezone.', emptyAudit: 'No audit records.', colTime: 'Time', colAction: 'Action', colTarget: 'Target', colDetail: 'Detail' }
};
window.applyPageLang = function () {
document.querySelectorAll('tbody tr').forEach(function (tr) {
var time = tr.querySelector('.col-time');
var action = tr.querySelector('.col-action');
var target = tr.querySelector('.col-target');
var detail = tr.querySelector('.col-detail');
if (time) time.setAttribute('data-label', t('mobileLabelTime'));
if (action) action.setAttribute('data-label', t('mobileLabelAction'));
if (target) target.setAttribute('data-label', t('mobileLabelTarget'));
if (detail) detail.setAttribute('data-label', t('mobileLabelDetail'));
});
};
document.querySelectorAll('time.audit-local-time[datetime]').forEach(function (el) {
var raw = el.getAttribute('datetime');
var d = raw ? new Date(raw) : null;
@@ -149,6 +175,7 @@
el.title = raw + ' (UTC)';
}
});
applyLang();
})();
</script>
</body>

910
crates/secrets-mcp/templates/entries.html
View File

File diff suppressed because it is too large Load Diff

76
crates/secrets-mcp/templates/i18n.js Normal file
View File

@@ -0,0 +1,76 @@
var I18N_SHARED = {
'zh-CN': {
pageTitleBase: 'Secrets',
navMcp: 'MCP',
navEntries: '条目',
navAudit: '审计',
signOut: '退出',
mobileLabelTime: '时间',
mobileLabelAction: '动作',
mobileLabelTarget: '目标',
mobileLabelDetail: '详情'
},
'zh-TW': {
pageTitleBase: 'Secrets',
navMcp: 'MCP',
navEntries: '條目',
navAudit: '審計',
signOut: '登出',
mobileLabelTime: '時間',
mobileLabelAction: '動作',
mobileLabelTarget: '目標',
mobileLabelDetail: '詳情'
},
en: {
pageTitleBase: 'Secrets',
navMcp: 'MCP',
navEntries: 'Entries',
navAudit: 'Audit',
signOut: 'Sign out',
mobileLabelTime: 'Time',
mobileLabelAction: 'Action',
mobileLabelTarget: 'Target',
mobileLabelDetail: 'Detail'
}
};
var currentLang = localStorage.getItem('lang') || 'zh-CN';
var I18N_PAGE = {};
function t(key) {
var dict = I18N_PAGE[currentLang] || I18N_PAGE['en'] || {};
var val = dict[key] || (I18N_SHARED[currentLang] && I18N_SHARED[currentLang][key]) || (I18N_SHARED.en && I18N_SHARED.en[key]) || key;
return val;
}
function tf(key, vars) {
var tpl = t(key);
return Object.keys(vars || {}).reduce(function (acc, k) {
return acc.replace(new RegExp('\\{' + k + '\\}', 'g'), String(vars[k]));
}, tpl);
}
function applyLang() {
document.documentElement.lang = currentLang;
var title = t('pageTitle');
if (title) document.title = title;
document.querySelectorAll('[data-i18n]').forEach(function (el) {
var key = el.getAttribute('data-i18n');
el.textContent = t(key);
});
document.querySelectorAll('[data-i18n-ph]').forEach(function (el) {
var key = el.getAttribute('data-i18n-ph');
el.placeholder = t(key);
});
document.querySelectorAll('.lang-btn').forEach(function (btn) {
var map = { 'zh-CN': '简', 'zh-TW': '繁', en: 'EN' };
btn.classList.toggle('active', btn.textContent === map[currentLang]);
});
if (typeof applyPageLang === 'function') applyPageLang();
}
window.setLang = function (lang) {
currentLang = lang;
localStorage.setItem('lang', lang);
applyLang();
};