refining/secrets
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 61 Wiki Activity

refactor: 消除冗余、统一设计,bump 0.9.1
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 3s
Details
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 2m46s
Details
Secrets CLI - Build & Release / Build (macOS aarch64 + x86_64) (push) Successful in 1m27s
Details
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 2m0s
Details
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Details
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Details

Browse Source 
- 提取 EntryRow/SecretFieldRow 到 models.rs
- 提取 current_actor()、print_json() 公共函数
- ExportFormat::from_extension 复用 from_str
- fetch_entries 默认 limit 100k(export/inject/run 不再截断)
- history 独立为 history.rs 模块
- delete 改用 DeleteArgs 结构体
- config_dir 改为 Result,Argon2id 参数提取常量
- Cargo 依赖 ^ 前缀、tokio 精简 features
- 更新 AGENTS.md 项目结构

Made-with: Cursor
This commit is contained in:
voson
2026-03-19 15:46:57 +08:00
parent 12aec6675a
commit 56a28e8cf7
19 changed files with 312 additions and 288 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
AGENTS.md
View File

@@ -28,7 +28,8 @@ secrets/
search.rs # search 命令:多条件查询,展示 secrets 字段 schema无需 master_key search.rs # search 命令:多条件查询,展示 secrets 字段 schema无需 master_key
delete.rs # delete 命令事务化CASCADE 删除 secrets含历史快照 delete.rs # delete 命令事务化CASCADE 删除 secrets含历史快照
update.rs # update 命令增量更新secrets 行级 UPSERT/DELETECAS 并发保护 update.rs # update 命令增量更新secrets 行级 UPSERT/DELETECAS 并发保护
rollback.rs # rollback / history 命令:按 entry_version 恢复 entry + secrets rollback.rs # rollback 命令:按 entry_version 恢复 entry + secrets
history.rs # history 命令:查看 entry 变更历史列表
run.rs # inject / run 命令:逐字段解密 + key_ref 引用解析 run.rs # inject / run 命令:逐字段解密 + key_ref 引用解析
upgrade.rs # upgrade 命令:检查、校验摘要并下载最新版本,自动替换二进制 upgrade.rs # upgrade 命令:检查、校验摘要并下载最新版本,自动替换二进制
export_cmd.rs # export 命令:批量导出记录,支持 JSON/TOML/YAML含解密明文 export_cmd.rs # export 命令:批量导出记录,支持 JSON/TOML/YAML含解密明文

3
Cargo.lock generated
View File

@@ -1836,7 +1836,7 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
[[package]] [[package]]
name = "secrets" name = "secrets"
version = "0.9.0" version = "0.9.1"
dependencies = [ dependencies = [
"aes-gcm", "aes-gcm",
"anyhow", "anyhow",
@@ -2448,7 +2448,6 @@ dependencies = [
"bytes", "bytes",
"libc", "libc",
"mio", "mio",
"parking_lot",
"pin-project-lite", "pin-project-lite",
"signal-hook-registry", "signal-hook-registry",
"socket2", "socket2",

54
Cargo.toml
View File

@@ -1,32 +1,32 @@
[package] [package]
name = "secrets" name = "secrets"
version = "0.9.0" version = "0.9.1"
edition = "2024" edition = "2024"
[dependencies] [dependencies]
aes-gcm = "0.10.3" aes-gcm = "^0.10.3"
anyhow = "1.0.102" anyhow = "^1.0.102"
argon2 = { version = "0.5.3", features = ["std"] } argon2 = { version = "^0.5.3", features = ["std"] }
chrono = { version = "0.4.44", features = ["serde"] } chrono = { version = "^0.4.44", features = ["serde"] }
clap = { version = "4.6.0", features = ["derive"] } clap = { version = "^4.6.0", features = ["derive"] }
dirs = "6.0.0" dirs = "^6.0.0"
flate2 = "1.1.9" flate2 = "^1.1.9"
keyring = { version = "3.6.3", features = ["apple-native", "windows-native", "linux-native"] } keyring = { version = "^3.6.3", features = ["apple-native", "windows-native", "linux-native"] }
rand = "0.10.0" rand = "^0.10.0"
reqwest = { version = "0.12", default-features = false, features = ["rustls-tls", "json"] } reqwest = { version = "^0.12", default-features = false, features = ["rustls-tls", "json"] }
rpassword = "7.4.0" rpassword = "^7.4.0"
self-replace = "1.5.0" self-replace = "^1.5.0"
semver = "1.0.27" semver = "^1.0.27"
serde = { version = "1.0.228", features = ["derive"] } serde = { version = "^1.0.228", features = ["derive"] }
serde_json = "1.0.149" serde_json = "^1.0.149"
serde_yaml = "0.9" serde_yaml = "^0.9"
sha2 = "0.10.9" sha2 = "^0.10.9"
sqlx = { version = "0.8.6", features = ["runtime-tokio", "tls-rustls", "postgres", "uuid", "json", "chrono"] } sqlx = { version = "^0.8.6", features = ["runtime-tokio", "tls-rustls", "postgres", "uuid", "json", "chrono"] }
tar = "0.4.44" tar = "^0.4.44"
tempfile = "3.19" tempfile = "^3.19"
tokio = { version = "1.50.0", features = ["full"] } tokio = { version = "^1.50.0", features = ["rt-multi-thread", "macros", "fs", "io-util", "process", "signal"] }
toml = "1.0.7" toml = "^1.0.7"
tracing = "0.1" tracing = "^0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter"] } tracing-subscriber = { version = "^0.3", features = ["env-filter"] }
uuid = { version = "1.22.0", features = ["serde"] } uuid = { version = "^1.22.0", features = ["serde"] }
zip = { version = "8.2.0", default-features = false, features = ["deflate"] } zip = { version = "^8.2.0", default-features = false, features = ["deflate"] }

7
src/audit.rs
View File

@@ -1,6 +1,11 @@
use serde_json::Value; use serde_json::Value;
use sqlx::{Postgres, Transaction}; use sqlx::{Postgres, Transaction};
/// Return the current OS user as the audit actor (falls back to empty string).
pub fn current_actor() -> String {
std::env::var("USER").unwrap_or_default()
}
/// Write an audit entry within an existing transaction. /// Write an audit entry within an existing transaction.
pub async fn log_tx( pub async fn log_tx(
tx: &mut Transaction<'_, Postgres>, tx: &mut Transaction<'_, Postgres>,
@@ -10,7 +15,7 @@ pub async fn log_tx(
name: &str, name: &str,
detail: Value, detail: Value,
) { ) {
let actor = std::env::var("USER").unwrap_or_default(); let actor = current_actor();
let result: Result<_, sqlx::Error> = sqlx::query( let result: Result<_, sqlx::Error> = sqlx::query(
"INSERT INTO audit_log (action, namespace, kind, name, detail, actor) \ "INSERT INTO audit_log (action, namespace, kind, name, detail, actor) \
VALUES ($1, $2, $3, $4, $5, $6)", VALUES ($1, $2, $3, $4, $5, $6)",

17
src/commands/add.rs
View File

@@ -5,7 +5,8 @@ use std::fs;
use crate::crypto; use crate::crypto;
use crate::db; use crate::db;
use crate::output::OutputMode; use crate::models::EntryRow;
use crate::output::{OutputMode, print_json};
// ── Key/value parsing helpers (shared with update.rs) ─────────────────────── // ── Key/value parsing helpers (shared with update.rs) ───────────────────────
@@ -228,13 +229,6 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
let mut tx = pool.begin().await?; let mut tx = pool.begin().await?;
// Upsert the entry row (tags + metadata). // Upsert the entry row (tags + metadata).
#[derive(sqlx::FromRow)]
struct EntryRow {
id: uuid::Uuid,
version: i64,
tags: Vec<String>,
metadata: Value,
}
let existing: Option<EntryRow> = sqlx::query_as( let existing: Option<EntryRow> = sqlx::query_as(
"SELECT id, version, tags, metadata FROM entries \ "SELECT id, version, tags, metadata FROM entries \
WHERE namespace = $1 AND kind = $2 AND name = $3", WHERE namespace = $1 AND kind = $2 AND name = $3",
@@ -383,11 +377,8 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
}); });
match args.output { match args.output {
OutputMode::Json => { OutputMode::Json | OutputMode::JsonCompact => {
println!("{}", serde_json::to_string_pretty(&result_json)?); print_json(&result_json, &args.output)?;
}
OutputMode::JsonCompact => {
println!("{}", serde_json::to_string(&result_json)?);
} }
_ => { _ => {
println!("Added: [{}/{}] {}", args.namespace, args.kind, args.name); println!("Added: [{}/{}] {}", args.namespace, args.kind, args.name);

6
src/commands/config.rs
View File

@@ -15,7 +15,7 @@ pub async fn run(action: crate::ConfigAction) -> Result<()> {
database_url: Some(url.clone()), database_url: Some(url.clone()),
}; };
config::save_config(&cfg)?; config::save_config(&cfg)?;
println!("Database URL saved to: {}", config_path().display()); println!("Database URL saved to: {}", config_path()?.display());
println!(" {}", mask_password(&url)); println!(" {}", mask_password(&url));
} }
crate::ConfigAction::Show => { crate::ConfigAction::Show => {
@@ -23,7 +23,7 @@ pub async fn run(action: crate::ConfigAction) -> Result<()> {
match cfg.database_url { match cfg.database_url {
Some(url) => { Some(url) => {
println!("database_url = {}", mask_password(&url)); println!("database_url = {}", mask_password(&url));
println!("config file: {}", config_path().display()); println!("config file: {}", config_path()?.display());
} }
None => { None => {
println!("Database URL not configured."); println!("Database URL not configured.");
@@ -32,7 +32,7 @@ pub async fn run(action: crate::ConfigAction) -> Result<()> {
} }
} }
crate::ConfigAction::Path => { crate::ConfigAction::Path => {
println!("{}", config_path().display()); println!("{}", config_path()?.display());
} }
} }
Ok(()) Ok(())

73
src/commands/delete.rs
View File

@@ -1,35 +1,20 @@
use anyhow::Result; use anyhow::Result;
use serde_json::{Value, json}; use serde_json::json;
use sqlx::{FromRow, PgPool}; use sqlx::PgPool;
use uuid::Uuid;
use crate::db; use crate::db;
use crate::output::OutputMode; use crate::models::{EntryRow, SecretFieldRow};
use crate::output::{OutputMode, print_json};
#[derive(FromRow)] pub struct DeleteArgs<'a> {
struct EntryRow { pub namespace: &'a str,
id: Uuid, pub kind: &'a str,
version: i64, pub name: &'a str,
tags: Vec<String>, pub output: OutputMode,
metadata: Value,
} }
#[derive(FromRow)] pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
struct SecretFieldRow { let (namespace, kind, name) = (args.namespace, args.kind, args.name);
id: Uuid,
field_name: String,
field_type: String,
value_len: i32,
encrypted: Vec<u8>,
}
pub async fn run(
pool: &PgPool,
namespace: &str,
kind: &str,
name: &str,
output: OutputMode,
) -> Result<()> {
tracing::debug!(namespace, kind, name, "deleting entry"); tracing::debug!(namespace, kind, name, "deleting entry");
let mut tx = pool.begin().await?; let mut tx = pool.begin().await?;
@@ -48,20 +33,10 @@ pub async fn run(
let Some(row) = row else { let Some(row) = row else {
tx.rollback().await?; tx.rollback().await?;
tracing::warn!(namespace, kind, name, "entry not found for deletion"); tracing::warn!(namespace, kind, name, "entry not found for deletion");
match output { let v = json!({"action":"not_found","namespace":namespace,"kind":kind,"name":name});
OutputMode::Json => println!( match args.output {
"{}", OutputMode::Text => println!("Not found: [{}/{}] {}", namespace, kind, name),
serde_json::to_string_pretty( ref mode => print_json(&v, mode)?,
&json!({"action":"not_found","namespace":namespace,"kind":kind,"name":name})
)?
),
OutputMode::JsonCompact => println!(
"{}",
serde_json::to_string(
&json!({"action":"not_found","namespace":namespace,"kind":kind,"name":name})
)?
),
_ => println!("Not found: [{}/{}] {}", namespace, kind, name),
} }
return Ok(()); return Ok(());
}; };
@@ -124,20 +99,10 @@ pub async fn run(
tx.commit().await?; tx.commit().await?;
match output { let v = json!({"action":"deleted","namespace":namespace,"kind":kind,"name":name});
OutputMode::Json => println!( match args.output {
"{}", OutputMode::Text => println!("Deleted: [{}/{}] {}", namespace, kind, name),
serde_json::to_string_pretty( ref mode => print_json(&v, mode)?,
&json!({"action":"deleted","namespace":namespace,"kind":kind,"name":name})
)?
),
OutputMode::JsonCompact => println!(
"{}",
serde_json::to_string(
&json!({"action":"deleted","namespace":namespace,"kind":kind,"name":name})
)?
),
_ => println!("Deleted: [{}/{}] {}", namespace, kind, name),
} }
Ok(()) Ok(())

78
src/commands/history.rs Normal file
View File

@@ -0,0 +1,78 @@
use anyhow::Result;
use serde_json::{Value, json};
use sqlx::{FromRow, PgPool};
use crate::output::{OutputMode, format_local_time, print_json};
pub struct HistoryArgs<'a> {
pub namespace: &'a str,
pub kind: &'a str,
pub name: &'a str,
pub limit: u32,
pub output: OutputMode,
}
/// List history entries for an entry.
pub async fn run(pool: &PgPool, args: HistoryArgs<'_>) -> Result<()> {
#[derive(FromRow)]
struct HistorySummary {
version: i64,
action: String,
actor: String,
created_at: chrono::DateTime<chrono::Utc>,
}
let rows: Vec<HistorySummary> = sqlx::query_as(
"SELECT version, action, actor, created_at FROM entries_history \
WHERE namespace = $1 AND kind = $2 AND name = $3 \
ORDER BY id DESC LIMIT $4",
)
.bind(args.namespace)
.bind(args.kind)
.bind(args.name)
.bind(args.limit as i64)
.fetch_all(pool)
.await?;
match args.output {
OutputMode::Json | OutputMode::JsonCompact => {
let arr: Vec<Value> = rows
.iter()
.map(|r| {
json!({
"version": r.version,
"action": r.action,
"actor": r.actor,
"created_at": r.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
})
})
.collect();
print_json(&Value::Array(arr), &args.output)?;
}
_ => {
if rows.is_empty() {
println!(
"No history found for [{}/{}] {}.",
args.namespace, args.kind, args.name
);
return Ok(());
}
println!(
"History for [{}/{}] {}:",
args.namespace, args.kind, args.name
);
for r in &rows {
println!(
" v{:<4} {:8} {} {}",
r.version,
r.action,
r.actor,
format_local_time(r.created_at)
);
}
println!(" (use `secrets rollback --to-version <N>` to restore)");
}
}
Ok(())
}

116
src/commands/import_cmd.rs
View File

@@ -5,11 +5,13 @@ use std::collections::BTreeMap;
use crate::commands::add::{self, AddArgs}; use crate::commands::add::{self, AddArgs};
use crate::models::ExportFormat; use crate::models::ExportFormat;
use crate::output::OutputMode; use crate::output::{OutputMode, print_json};
pub struct ImportArgs<'a> { pub struct ImportArgs<'a> {
pub file: &'a str, pub file: &'a str,
/// Overwrite existing records when there is a conflict (upsert). /// Overwrite existing records when there is a conflict (upsert).
/// Without this flag, the import aborts on the first conflict.
/// A future `--skip` flag could allow silently skipping conflicts and continuing.
pub force: bool, pub force: bool,
/// Check and preview operations without writing to the database. /// Check and preview operations without writing to the database.
pub dry_run: bool, pub dry_run: bool,
@@ -48,26 +50,29 @@ pub async fn run(pool: &PgPool, args: ImportArgs<'_>, master_key: &[u8; 32]) ->
.unwrap_or(false); .unwrap_or(false);
if exists && !args.force { if exists && !args.force {
let msg = format!( let v = serde_json::json!({
"[{}/{}/{}] conflict — record already exists (use --force to overwrite)", "action": "conflict",
entry.namespace, entry.kind, entry.name "namespace": entry.namespace,
); "kind": entry.kind,
"name": entry.name,
});
match args.output { match args.output {
OutputMode::Json | OutputMode::JsonCompact => { OutputMode::Text => eprintln!(
let v = serde_json::json!({ "[{}/{}/{}] conflict — record already exists (use --force to overwrite)",
"action": "conflict", entry.namespace, entry.kind, entry.name
"namespace": entry.namespace, ),
"kind": entry.kind, ref mode => {
"name": entry.name, // Write conflict notice to stderr so it does not mix with summary JSON.
}); eprint!(
let s = if args.output == OutputMode::Json { "{}",
serde_json::to_string_pretty(&v)? if *mode == OutputMode::Json {
} else { serde_json::to_string_pretty(&v)?
serde_json::to_string(&v)? } else {
}; serde_json::to_string(&v)?
eprintln!("{}", s); }
);
eprintln!();
} }
_ => eprintln!("{}", msg),
} }
return Err(anyhow::anyhow!( return Err(anyhow::anyhow!(
"Import aborted: conflict on [{}/{}/{}]", "Import aborted: conflict on [{}/{}/{}]",
@@ -80,26 +85,19 @@ pub async fn run(pool: &PgPool, args: ImportArgs<'_>, master_key: &[u8; 32]) ->
let action = if exists { "upsert" } else { "insert" }; let action = if exists { "upsert" } else { "insert" };
if args.dry_run { if args.dry_run {
let v = serde_json::json!({
"action": action,
"namespace": entry.namespace,
"kind": entry.kind,
"name": entry.name,
"dry_run": true,
});
match args.output { match args.output {
OutputMode::Json | OutputMode::JsonCompact => { OutputMode::Text => println!(
let v = serde_json::json!({
"action": action,
"namespace": entry.namespace,
"kind": entry.kind,
"name": entry.name,
"dry_run": true,
});
let s = if args.output == OutputMode::Json {
serde_json::to_string_pretty(&v)?
} else {
serde_json::to_string(&v)?
};
println!("{}", s);
}
_ => println!(
"[dry-run] {} [{}/{}/{}]", "[dry-run] {} [{}/{}/{}]",
action, entry.namespace, entry.kind, entry.name action, entry.namespace, entry.kind, entry.name
), ),
ref mode => print_json(&v, mode)?,
} }
if exists { if exists {
skipped += 1; skipped += 1;
@@ -131,25 +129,18 @@ pub async fn run(pool: &PgPool, args: ImportArgs<'_>, master_key: &[u8; 32]) ->
.await .await
{ {
Ok(()) => { Ok(()) => {
let v = serde_json::json!({
"action": action,
"namespace": entry.namespace,
"kind": entry.kind,
"name": entry.name,
});
match args.output { match args.output {
OutputMode::Json | OutputMode::JsonCompact => { OutputMode::Text => println!(
let v = serde_json::json!({
"action": action,
"namespace": entry.namespace,
"kind": entry.kind,
"name": entry.name,
});
let s = if args.output == OutputMode::Json {
serde_json::to_string_pretty(&v)?
} else {
serde_json::to_string(&v)?
};
println!("{}", s);
}
_ => println!(
"Imported [{}/{}/{}]", "Imported [{}/{}/{}]",
entry.namespace, entry.kind, entry.name entry.namespace, entry.kind, entry.name
), ),
ref mode => print_json(&v, mode)?,
} }
inserted += 1; inserted += 1;
} }
@@ -163,23 +154,15 @@ pub async fn run(pool: &PgPool, args: ImportArgs<'_>, master_key: &[u8; 32]) ->
} }
} }
let summary = serde_json::json!({
"total": total,
"inserted": inserted,
"skipped": skipped,
"failed": failed,
"dry_run": args.dry_run,
});
match args.output { match args.output {
OutputMode::Json | OutputMode::JsonCompact => { OutputMode::Text => {
let v = serde_json::json!({
"total": total,
"inserted": inserted,
"skipped": skipped,
"failed": failed,
"dry_run": args.dry_run,
});
let s = if args.output == OutputMode::Json {
serde_json::to_string_pretty(&v)?
} else {
serde_json::to_string(&v)?
};
println!("{}", s);
}
_ => {
if args.dry_run { if args.dry_run {
println!( println!(
"\n[dry-run] {} total: {} would insert, {} would skip, {} would fail", "\n[dry-run] {} total: {} would insert, {} would skip, {} would fail",
@@ -192,6 +175,7 @@ pub async fn run(pool: &PgPool, args: ImportArgs<'_>, master_key: &[u8; 32]) ->
); );
} }
} }
ref mode => print_json(&summary, mode)?,
} }
if failed > 0 { if failed > 0 {

1
src/commands/mod.rs
View File

@@ -2,6 +2,7 @@ pub mod add;
pub mod config; pub mod config;
pub mod delete; pub mod delete;
pub mod export_cmd; pub mod export_cmd;
pub mod history;
pub mod import_cmd; pub mod import_cmd;
pub mod init; pub mod init;
pub mod rollback; pub mod rollback;

78
src/commands/rollback.rs
View File

@@ -5,7 +5,7 @@ use uuid::Uuid;
use crate::crypto; use crate::crypto;
use crate::db; use crate::db;
use crate::output::{OutputMode, format_local_time}; use crate::output::{OutputMode, print_json};
pub struct RollbackArgs<'a> { pub struct RollbackArgs<'a> {
pub namespace: &'a str, pub namespace: &'a str,
@@ -255,83 +255,11 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
}); });
match args.output { match args.output {
OutputMode::Json => println!("{}", serde_json::to_string_pretty(&result_json)?), OutputMode::Text => println!(
OutputMode::JsonCompact => println!("{}", serde_json::to_string(&result_json)?),
_ => println!(
"Rolled back: [{}/{}] {} → version {}", "Rolled back: [{}/{}] {} → version {}",
args.namespace, args.kind, args.name, snap.version args.namespace, args.kind, args.name, snap.version
), ),
} ref mode => print_json(&result_json, mode)?,
Ok(())
}
/// List history entries for an entry.
pub async fn list_history(
pool: &PgPool,
namespace: &str,
kind: &str,
name: &str,
limit: u32,
output: OutputMode,
) -> Result<()> {
#[derive(FromRow)]
struct HistorySummary {
version: i64,
action: String,
actor: String,
created_at: chrono::DateTime<chrono::Utc>,
}
let rows: Vec<HistorySummary> = sqlx::query_as(
"SELECT version, action, actor, created_at FROM entries_history \
WHERE namespace = $1 AND kind = $2 AND name = $3 \
ORDER BY id DESC LIMIT $4",
)
.bind(namespace)
.bind(kind)
.bind(name)
.bind(limit as i64)
.fetch_all(pool)
.await?;
match output {
OutputMode::Json | OutputMode::JsonCompact => {
let arr: Vec<Value> = rows
.iter()
.map(|r| {
json!({
"version": r.version,
"action": r.action,
"actor": r.actor,
"created_at": r.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
})
})
.collect();
let out = if output == OutputMode::Json {
serde_json::to_string_pretty(&arr)?
} else {
serde_json::to_string(&arr)?
};
println!("{}", out);
}
_ => {
if rows.is_empty() {
println!("No history found for [{}/{}] {}.", namespace, kind, name);
return Ok(());
}
println!("History for [{}/{}] {}:", namespace, kind, name);
for r in &rows {
println!(
" v{:<4} {:8} {} {}",
r.version,
r.action,
r.actor,
format_local_time(r.created_at)
);
}
println!(" (use `secrets rollback --to-version <N>` to restore)");
}
} }
Ok(()) Ok(())

20
src/commands/search.rs
View File

@@ -121,7 +121,12 @@ struct PagedFetchArgs<'a> {
offset: u32, offset: u32,
} }
/// A very large limit used when callers need all matching records (export, inject, run).
/// Postgres will stop scanning when this many rows are found; adjust if needed.
pub const FETCH_ALL_LIMIT: u32 = 100_000;
/// Fetch entries matching the given filters (used by search, inject, run). /// Fetch entries matching the given filters (used by search, inject, run).
/// `limit` caps the result set; pass `FETCH_ALL_LIMIT` when you need all matching records.
pub async fn fetch_entries( pub async fn fetch_entries(
pool: &PgPool, pool: &PgPool,
namespace: Option<&str>, namespace: Option<&str>,
@@ -129,6 +134,19 @@ pub async fn fetch_entries(
name: Option<&str>, name: Option<&str>,
tags: &[String], tags: &[String],
query: Option<&str>, query: Option<&str>,
) -> Result<Vec<Entry>> {
fetch_entries_with_limit(pool, namespace, kind, name, tags, query, FETCH_ALL_LIMIT).await
}
/// Like `fetch_entries` but with an explicit limit. Used internally by `search`.
pub(crate) async fn fetch_entries_with_limit(
pool: &PgPool,
namespace: Option<&str>,
kind: Option<&str>,
name: Option<&str>,
tags: &[String],
query: Option<&str>,
limit: u32,
) -> Result<Vec<Entry>> { ) -> Result<Vec<Entry>> {
fetch_entries_paged( fetch_entries_paged(
pool, pool,
@@ -139,7 +157,7 @@ pub async fn fetch_entries(
tags, tags,
query, query,
sort: "name", sort: "name",
limit: 200, limit,
offset: 0, offset: 0,
}, },
) )

20
src/commands/update.rs
View File

@@ -1,6 +1,6 @@
use anyhow::Result; use anyhow::Result;
use serde_json::{Map, Value, json}; use serde_json::{Map, Value, json};
use sqlx::{FromRow, PgPool}; use sqlx::PgPool;
use uuid::Uuid; use uuid::Uuid;
use super::add::{ use super::add::{
@@ -9,15 +9,8 @@ use super::add::{
}; };
use crate::crypto; use crate::crypto;
use crate::db; use crate::db;
use crate::output::OutputMode; use crate::models::EntryRow;
use crate::output::{OutputMode, print_json};
#[derive(FromRow)]
struct EntryRow {
id: Uuid,
version: i64,
tags: Vec<String>,
metadata: Value,
}
pub struct UpdateArgs<'a> { pub struct UpdateArgs<'a> {
pub namespace: &'a str, pub namespace: &'a str,
@@ -284,11 +277,8 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
}); });
match args.output { match args.output {
OutputMode::Json => { OutputMode::Json | OutputMode::JsonCompact => {
println!("{}", serde_json::to_string_pretty(&result_json)?); print_json(&result_json, &args.output)?;
}
OutputMode::JsonCompact => {
println!("{}", serde_json::to_string(&result_json)?);
} }
_ => { _ => {
println!("Updated: [{}/{}] {}", args.namespace, args.kind, args.name); println!("Updated: [{}/{}] {}", args.namespace, args.kind, args.name);

22
src/config.rs
View File

@@ -8,19 +8,23 @@ pub struct Config {
pub database_url: Option<String>, pub database_url: Option<String>,
} }
pub fn config_dir() -> PathBuf { pub fn config_dir() -> Result<PathBuf> {
dirs::config_dir() let dir = dirs::config_dir()
.or_else(|| dirs::home_dir().map(|h| h.join(".config"))) .or_else(|| dirs::home_dir().map(|h| h.join(".config")))
.unwrap_or_else(|| PathBuf::from(".config")) .context(
.join("secrets") "Cannot determine config directory: \
neither XDG_CONFIG_HOME nor HOME is set",
)?
.join("secrets");
Ok(dir)
} }
pub fn config_path() -> PathBuf { pub fn config_path() -> Result<PathBuf> {
config_dir().join("config.toml") Ok(config_dir()?.join("config.toml"))
} }
pub fn load_config() -> Result<Config> { pub fn load_config() -> Result<Config> {
let path = config_path(); let path = config_path()?;
if !path.exists() { if !path.exists() {
return Ok(Config::default()); return Ok(Config::default());
} }
@@ -32,11 +36,11 @@ pub fn load_config() -> Result<Config> {
} }
pub fn save_config(config: &Config) -> Result<()> { pub fn save_config(config: &Config) -> Result<()> {
let dir = config_dir(); let dir = config_dir()?;
fs::create_dir_all(&dir) fs::create_dir_all(&dir)
.with_context(|| format!("failed to create config dir: {}", dir.display()))?; .with_context(|| format!("failed to create config dir: {}", dir.display()))?;
let path = config_path(); let path = dir.join("config.toml");
let content = toml::to_string_pretty(config).context("failed to serialize config")?; let content = toml::to_string_pretty(config).context("failed to serialize config")?;
fs::write(&path, &content) fs::write(&path, &content)
.with_context(|| format!("failed to write config file: {}", path.display()))?; .with_context(|| format!("failed to write config file: {}", path.display()))?;

14
src/crypto.rs
View File

@@ -10,12 +10,24 @@ const KEYRING_SERVICE: &str = "secrets-cli";
const KEYRING_USER: &str = "master-key"; const KEYRING_USER: &str = "master-key";
const NONCE_LEN: usize = 12; const NONCE_LEN: usize = 12;
// Argon2id parameters — OWASP recommended (m=64 MiB, t=3 iterations, p=4 threads, key=32 B)
const ARGON2_M_COST: u32 = 65_536;
const ARGON2_T_COST: u32 = 3;
const ARGON2_P_COST: u32 = 4;
const ARGON2_KEY_LEN: usize = 32;
// ─── Argon2id key derivation ───────────────────────────────────────────────── // ─── Argon2id key derivation ─────────────────────────────────────────────────
/// Derive a 32-byte Master Key from a password and salt using Argon2id. /// Derive a 32-byte Master Key from a password and salt using Argon2id.
/// Parameters: m=65536 KiB (64 MB), t=3, p=4 — OWASP recommended. /// Parameters: m=65536 KiB (64 MB), t=3, p=4 — OWASP recommended.
pub fn derive_master_key(password: &str, salt: &[u8]) -> Result<[u8; 32]> { pub fn derive_master_key(password: &str, salt: &[u8]) -> Result<[u8; 32]> {
let params = Params::new(65536, 3, 4, Some(32)).context("invalid Argon2id params")?; let params = Params::new(
ARGON2_M_COST,
ARGON2_T_COST,
ARGON2_P_COST,
Some(ARGON2_KEY_LEN),
)
.context("invalid Argon2id params")?;
let argon2 = Argon2::new(argon2::Algorithm::Argon2id, Version::V0x13, params); let argon2 = Argon2::new(argon2::Algorithm::Argon2id, Version::V0x13, params);
let mut key = [0u8; 32]; let mut key = [0u8; 32];
argon2 argon2

6
src/db.rs
View File

@@ -3,6 +3,8 @@ use serde_json::Value;
use sqlx::PgPool; use sqlx::PgPool;
use sqlx::postgres::PgPoolOptions; use sqlx::postgres::PgPoolOptions;
use crate::audit::current_actor;
pub async fn create_pool(database_url: &str) -> Result<PgPool> { pub async fn create_pool(database_url: &str) -> Result<PgPool> {
tracing::debug!("connecting to database"); tracing::debug!("connecting to database");
let pool = PgPoolOptions::new() let pool = PgPoolOptions::new()
@@ -139,7 +141,7 @@ pub async fn snapshot_entry_history(
tx: &mut sqlx::Transaction<'_, sqlx::Postgres>, tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
p: EntrySnapshotParams<'_>, p: EntrySnapshotParams<'_>,
) -> Result<()> { ) -> Result<()> {
let actor = std::env::var("USER").unwrap_or_default(); let actor = current_actor();
sqlx::query( sqlx::query(
"INSERT INTO entries_history \ "INSERT INTO entries_history \
(entry_id, namespace, kind, name, version, action, tags, metadata, actor) \ (entry_id, namespace, kind, name, version, action, tags, metadata, actor) \
@@ -177,7 +179,7 @@ pub async fn snapshot_secret_history(
tx: &mut sqlx::Transaction<'_, sqlx::Postgres>, tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
p: SecretSnapshotParams<'_>, p: SecretSnapshotParams<'_>,
) -> Result<()> { ) -> Result<()> {
let actor = std::env::var("USER").unwrap_or_default(); let actor = current_actor();
sqlx::query( sqlx::query(
"INSERT INTO secrets_history \ "INSERT INTO secrets_history \
(entry_id, secret_id, entry_version, field_name, field_type, value_len, encrypted, action, actor) \ (entry_id, secret_id, entry_version, field_name, field_type, value_len, encrypted, action, actor) \

23
src/main.rs
View File

@@ -639,7 +639,16 @@ async fn main() -> Result<()> {
let _span = let _span =
tracing::info_span!("cmd", command = "delete", %namespace, %kind, %name).entered(); tracing::info_span!("cmd", command = "delete", %namespace, %kind, %name).entered();
let out = resolve_output_mode(output.as_deref())?; let out = resolve_output_mode(output.as_deref())?;
commands::delete::run(&pool, &namespace, &kind, &name, out).await?; commands::delete::run(
&pool,
commands::delete::DeleteArgs {
namespace: &namespace,
kind: &kind,
name: &name,
output: out,
},
)
.await?;
} }
Commands::Update { Commands::Update {
@@ -685,7 +694,17 @@ async fn main() -> Result<()> {
output, output,
} => { } => {
let out = resolve_output_mode(output.as_deref())?; let out = resolve_output_mode(output.as_deref())?;
commands::rollback::list_history(&pool, &namespace, &kind, &name, limit, out).await?; commands::history::run(
&pool,
commands::history::HistoryArgs {
namespace: &namespace,
kind: &kind,
name: &name,
limit,
output: out,
},
)
.await?;
} }
Commands::Rollback { Commands::Rollback {

46
src/models.rs
View File

@@ -38,6 +38,27 @@ pub struct SecretField {
pub updated_at: DateTime<Utc>, pub updated_at: DateTime<Utc>,
} }
// ── Internal query row types (shared across commands) ─────────────────────────
/// Minimal entry row fetched for write operations (add / update / delete / rollback).
#[derive(Debug, sqlx::FromRow)]
pub struct EntryRow {
pub id: Uuid,
pub version: i64,
pub tags: Vec<String>,
pub metadata: Value,
}
/// Minimal secret field row fetched before snapshots or cascade deletes.
#[derive(Debug, sqlx::FromRow)]
pub struct SecretFieldRow {
pub id: Uuid,
pub field_name: String,
pub field_type: String,
pub value_len: i32,
pub encrypted: Vec<u8>,
}
// ── Export / Import types ────────────────────────────────────────────────────── // ── Export / Import types ──────────────────────────────────────────────────────
/// Supported file formats for export/import. /// Supported file formats for export/import.
@@ -52,15 +73,12 @@ impl ExportFormat {
/// Infer format from file extension (.json / .toml / .yaml / .yml). /// Infer format from file extension (.json / .toml / .yaml / .yml).
pub fn from_extension(path: &str) -> anyhow::Result<Self> { pub fn from_extension(path: &str) -> anyhow::Result<Self> {
let ext = path.rsplit('.').next().unwrap_or("").to_lowercase(); let ext = path.rsplit('.').next().unwrap_or("").to_lowercase();
match ext.as_str() { Self::from_str(&ext).map_err(|_| {
"json" => Ok(Self::Json), anyhow::anyhow!(
"toml" => Ok(Self::Toml),
"yaml" | "yml" => Ok(Self::Yaml),
other => anyhow::bail!(
"Cannot infer format from extension '.{}'. Use --format json|toml|yaml", "Cannot infer format from extension '.{}'. Use --format json|toml|yaml",
other ext
), )
} })
} }
/// Parse from --format CLI value. /// Parse from --format CLI value.
@@ -146,16 +164,12 @@ pub fn json_to_toml_value(v: &Value) -> anyhow::Result<toml::Value> {
} }
Value::String(s) => Ok(toml::Value::String(s.clone())), Value::String(s) => Ok(toml::Value::String(s.clone())),
Value::Array(arr) => { Value::Array(arr) => {
// Check for uniform scalar type (TOML requires homogeneous arrays at the value level,
// though arrays of tables are handled separately via TOML's [[table]] syntax).
// For simplicity we convert each element; if types are mixed, toml crate will
// handle it gracefully or we fall back to a JSON string.
let items: anyhow::Result<Vec<toml::Value>> = let items: anyhow::Result<Vec<toml::Value>> =
arr.iter().map(json_to_toml_value).collect(); arr.iter().map(json_to_toml_value).collect();
match items { match items {
Ok(vals) => Ok(toml::Value::Array(vals)), Ok(vals) => Ok(toml::Value::Array(vals)),
Err(_) => { Err(e) => {
// Fallback: serialise as JSON string tracing::debug!(error = %e, "mixed-type array; falling back to JSON string");
Ok(toml::Value::String(serde_json::to_string(v)?)) Ok(toml::Value::String(serde_json::to_string(v)?))
} }
} }
@@ -171,8 +185,8 @@ pub fn json_to_toml_value(v: &Value) -> anyhow::Result<toml::Value> {
Ok(tv) => { Ok(tv) => {
toml_map.insert(k.clone(), tv); toml_map.insert(k.clone(), tv);
} }
Err(_) => { Err(e) => {
// Fallback: serialise as JSON string tracing::debug!(key = %k, error = %e, "field not representable in TOML; falling back to JSON string");
toml_map toml_map
.insert(k.clone(), toml::Value::String(serde_json::to_string(val)?)); .insert(k.clone(), toml::Value::String(serde_json::to_string(val)?));
} }

13
src/output.rs
View File

@@ -50,3 +50,16 @@ pub fn format_local_time(dt: DateTime<Utc>) -> String {
.format("%Y-%m-%d %H:%M:%S %:z") .format("%Y-%m-%d %H:%M:%S %:z")
.to_string() .to_string()
} }
/// Print a JSON value to stdout in the requested output mode.
/// - `Json` → pretty-printed
/// - `JsonCompact` → single line
/// - `Text` → no-op (caller is responsible for the text branch)
pub fn print_json(value: &serde_json::Value, mode: &OutputMode) -> anyhow::Result<()> {
match mode {
OutputMode::Json => println!("{}", serde_json::to_string_pretty(value)?),
OutputMode::JsonCompact => println!("{}", serde_json::to_string(value)?),
OutputMode::Text => {}
}
Ok(())
}