refactor: workspace secrets-core + secrets-mcp MCP SaaS

- Split library (db/crypto/service) and MCP/Web/OAuth binary
- Add deploy examples and CI/docs updates

Made-with: Cursor

crates/secrets-mcp/src/main.rs

@@ -0,0 +1,155 @@
+mod auth;
+mod oauth;
+mod tools;
+mod web;
+
+use std::net::SocketAddr;
+use std::sync::Arc;
+
+use anyhow::{Context, Result};
+use axum::Router;
+use rmcp::transport::streamable_http_server::{
+    StreamableHttpService, session::local::LocalSessionManager,
+};
+use sqlx::PgPool;
+use tower_http::cors::{Any, CorsLayer};
+use tower_sessions::cookie::SameSite;
+use tower_sessions::{MemoryStore, SessionManagerLayer};
+use tracing_subscriber::EnvFilter;
+
+use secrets_core::config::resolve_db_url;
+use secrets_core::db::{create_pool, migrate};
+
+use crate::oauth::OAuthConfig;
+use crate::tools::SecretsService;
+
+/// Shared application state injected into web routes and middleware.
+#[derive(Clone)]
+pub struct AppState {
+    pub pool: PgPool,
+    pub google_config: Option<OAuthConfig>,
+    pub base_url: String,
+    pub http_client: reqwest::Client,
+}
+
+fn load_env_var(name: &str) -> Option<String> {
+    std::env::var(name).ok().filter(|s| !s.is_empty())
+}
+
+fn load_oauth_config(prefix: &str, base_url: &str, path: &str) -> Option<OAuthConfig> {
+    let client_id = load_env_var(&format!("{}_CLIENT_ID", prefix))?;
+    let client_secret = load_env_var(&format!("{}_CLIENT_SECRET", prefix))?;
+    Some(OAuthConfig {
+        client_id,
+        client_secret,
+        redirect_uri: format!("{}{}", base_url, path),
+    })
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    // Load .env if present
+    let _ = dotenvy::dotenv();
+
+    tracing_subscriber::fmt()
+        .with_env_filter(
+            EnvFilter::try_from_default_env().unwrap_or_else(|_| "secrets_mcp=info".into()),
+        )
+        .init();
+
+    // ── Database ──────────────────────────────────────────────────────────────
+    let db_url = resolve_db_url("")
+        .context("Database not configured. Set SECRETS_DATABASE_URL environment variable.")?;
+    let pool = create_pool(&db_url)
+        .await
+        .context("failed to connect to database")?;
+    migrate(&pool)
+        .await
+        .context("failed to run database migrations")?;
+    tracing::info!("Database connected and migrated");
+
+    // ── Configuration ─────────────────────────────────────────────────────────
+    let base_url = load_env_var("BASE_URL").unwrap_or_else(|| "http://localhost:9315".to_string());
+    let bind_addr = load_env_var("SECRETS_MCP_BIND").unwrap_or_else(|| "0.0.0.0:9315".to_string());
+
+    // ── OAuth providers ───────────────────────────────────────────────────────
+    let google_config = load_oauth_config("GOOGLE", &base_url, "/auth/google/callback");
+
+    if google_config.is_none() {
+        tracing::warn!(
+            "No OAuth providers configured. Set GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET to enable login."
+        );
+    }
+
+    // ── Session store ─────────────────────────────────────────────────────────
+    let session_store = MemoryStore::default();
+    // Strict would drop the session cookie on redirect from Google → our origin (cross-site nav).
+    let session_layer = SessionManagerLayer::new(session_store)
+        .with_secure(base_url.starts_with("https://"))
+        .with_same_site(SameSite::Lax);
+
+    // ── App state ─────────────────────────────────────────────────────────────
+    let app_state = AppState {
+        pool: pool.clone(),
+        google_config,
+        base_url: base_url.clone(),
+        http_client: reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(15))
+            .build()
+            .context("failed to build HTTP client")?,
+    };
+
+    // ── MCP service ───────────────────────────────────────────────────────────
+    let pool_arc = Arc::new(pool.clone());
+
+    let mcp_service = StreamableHttpService::new(
+        move || {
+            let p = pool_arc.clone();
+            Ok(SecretsService::new(p))
+        },
+        LocalSessionManager::default().into(),
+        Default::default(),
+    );
+
+    // ── Router ────────────────────────────────────────────────────────────────
+    let cors = CorsLayer::new()
+        .allow_origin(Any)
+        .allow_methods(Any)
+        .allow_headers(Any);
+
+    let router = Router::new()
+        .merge(web::web_router())
+        .nest_service("/mcp", mcp_service)
+        .layer(axum::middleware::from_fn_with_state(
+            pool,
+            auth::bearer_auth_middleware,
+        ))
+        .layer(session_layer)
+        .layer(cors)
+        .with_state(app_state);
+
+    // ── Start server ──────────────────────────────────────────────────────────
+    let listener = tokio::net::TcpListener::bind(&bind_addr)
+        .await
+        .with_context(|| format!("failed to bind to {}", bind_addr))?;
+
+    tracing::info!("Secrets MCP Server listening on http://{}", bind_addr);
+    tracing::info!("MCP endpoint: {}/mcp", base_url);
+
+    axum::serve(
+        listener,
+        router.into_make_service_with_connect_info::<SocketAddr>(),
+    )
+    .with_graceful_shutdown(shutdown_signal())
+    .await
+    .context("server error")?;
+
+    Ok(())
+}
+
+async fn shutdown_signal() {
+    tokio::signal::ctrl_c()
+        .await
+        .expect("failed to install CTRL+C signal handler");
+    tracing::info!("Shutting down gracefully...");
+}