release(secrets-mcp): 0.5.10 — Web 模块化、性能与错误处理

- 拆分 web.rs 为 web/ 子模块；统一 client_ip 提取
- core: user_scope SQL 复用、env_map N+1 消除、FETCH_ALL 上限调整
- entries 列表页并行查询；PgPool 去 Arc；结构化 NotFound 等错误
- CI: SSH 私钥安全写入；crypto/hex 与依赖清理；MCP 输入长度校验
- AGENTS: API Key 明文存储设计说明

crates/secrets-core/Cargo.toml

@@ -17,7 +17,6 @@ rand.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 serde_yaml.workspace = true
-sha2.workspace = true
 sqlx.workspace = true
 toml.workspace = true
 tokio.workspace = true

crates/secrets-core/src/crypto.rs

@@ -79,7 +79,7 @@ pub mod hex {
     use anyhow::Result;
 
     pub fn encode_hex(bytes: &[u8]) -> String {
-        bytes.iter().map(|b| format!("{:02x}", b)).collect()
+        ::hex::encode(bytes)
     }
 
     pub fn decode_hex(s: &str) -> Result<Vec<u8>> {

crates/secrets-core/src/service/add.rs

@@ -185,6 +185,15 @@ pub struct AddParams<'a> {
 }
 
 pub async fn run(pool: &PgPool, params: AddParams<'_>, master_key: &[u8; 32]) -> Result<AddResult> {
+    if params.folder.chars().count() > 128 {
+        anyhow::bail!("folder must be at most 128 characters");
+    }
+    if params.name.chars().count() > 256 {
+        anyhow::bail!("name must be at most 256 characters");
+    }
+    if params.entry_type.trim().chars().count() > 64 {
+        anyhow::bail!("type must be at most 64 characters");
+    }
     let Value::Object(metadata_map) = build_json(params.meta_entries)? else {
         unreachable!("build_json always returns a JSON object");
     };

crates/secrets-core/src/service/api_key.rs

@@ -11,8 +11,7 @@ pub fn generate_api_key() -> String {
     use rand::RngExt;
     let mut bytes = [0u8; 32];
     rand::rng().fill(&mut bytes);
-    let hex: String = bytes.iter().map(|b| format!("{:02x}", b)).collect();
-    format!("{}{}", KEY_PREFIX, hex)
+    format!("{}{}", KEY_PREFIX, ::hex::encode(bytes))
 }
 
 /// Return the user's existing API key, or generate and store a new one if NULL.

crates/secrets-core/src/service/delete.rs

@@ -5,6 +5,7 @@ use uuid::Uuid;
 
 use crate::db;
 use crate::models::{EntryRow, EntryWriteRow, SecretFieldRow};
+use crate::service::util::user_scope_condition;
 
 #[derive(Debug, serde::Serialize)]
 pub struct DeletedEntry {
@@ -126,48 +127,32 @@ async fn delete_one(
         // - 2+ matches → disambiguation error (same as non-dry-run)
         #[derive(sqlx::FromRow)]
         struct DryRunRow {
-            #[allow(dead_code)]
-            id: Uuid,
             folder: String,
             #[sqlx(rename = "type")]
             entry_type: String,
         }
 
-        let rows: Vec<DryRunRow> = if let Some(uid) = user_id {
-            if let Some(f) = folder {
-                sqlx::query_as(
-                    "SELECT id, folder, type FROM entries WHERE user_id = $1 AND folder = $2 AND name = $3",
-                )
-                .bind(uid)
-                .bind(f)
-                .bind(name)
-                .fetch_all(pool)
-                .await?
-            } else {
-                sqlx::query_as(
-                    "SELECT id, folder, type FROM entries WHERE user_id = $1 AND name = $2",
-                )
-                .bind(uid)
-                .bind(name)
-                .fetch_all(pool)
-                .await?
-            }
-        } else if let Some(f) = folder {
-            sqlx::query_as(
-                "SELECT id, folder, type FROM entries WHERE user_id IS NULL AND folder = $1 AND name = $2",
-            )
-            .bind(f)
-            .bind(name)
-            .fetch_all(pool)
-            .await?
-        } else {
-            sqlx::query_as(
-                "SELECT id, folder, type FROM entries WHERE user_id IS NULL AND name = $1",
-            )
-            .bind(name)
-            .fetch_all(pool)
-            .await?
-        };
+        let mut idx = 1i32;
+        let user_cond = user_scope_condition(user_id, &mut idx);
+        let mut conditions = vec![user_cond];
+        if folder.is_some() {
+            conditions.push(format!("folder = ${}", idx));
+            idx += 1;
+        }
+        conditions.push(format!("name = ${}", idx));
+        let sql = format!(
+            "SELECT folder, type FROM entries WHERE {}",
+            conditions.join(" AND ")
+        );
+        let mut q = sqlx::query_as::<_, DryRunRow>(&sql);
+        if let Some(uid) = user_id {
+            q = q.bind(uid);
+        }
+        if let Some(f) = folder {
+            q = q.bind(f);
+        }
+        q = q.bind(name);
+        let rows = q.fetch_all(pool).await?;
 
         return match rows.len() {
             0 => Ok(DeleteResult {
@@ -175,7 +160,10 @@ async fn delete_one(
                 dry_run: true,
             }),
             1 => {
-                let row = rows.into_iter().next().unwrap();
+                let row = rows
+                    .into_iter()
+                    .next()
+                    .ok_or_else(|| anyhow::anyhow!("internal: matched row vanished"))?;
                 Ok(DeleteResult {
                     deleted: vec![DeletedEntry {
                         name: name.to_string(),
@@ -201,45 +189,27 @@ async fn delete_one(
     let mut tx = pool.begin().await?;
 
     // Fetch matching rows with FOR UPDATE; use folder when provided to resolve ambiguity.
-    let rows: Vec<EntryRow> = if let Some(uid) = user_id {
-        if let Some(f) = folder {
-            sqlx::query_as(
-                "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-                 WHERE user_id = $1 AND folder = $2 AND name = $3 FOR UPDATE",
-            )
-            .bind(uid)
-            .bind(f)
-            .bind(name)
-            .fetch_all(&mut *tx)
-            .await?
-        } else {
-            sqlx::query_as(
-                "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-                 WHERE user_id = $1 AND name = $2 FOR UPDATE",
-            )
-            .bind(uid)
-            .bind(name)
-            .fetch_all(&mut *tx)
-            .await?
-        }
-    } else if let Some(f) = folder {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-             WHERE user_id IS NULL AND folder = $1 AND name = $2 FOR UPDATE",
-        )
-        .bind(f)
-        .bind(name)
-        .fetch_all(&mut *tx)
-        .await?
-    } else {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-             WHERE user_id IS NULL AND name = $1 FOR UPDATE",
-        )
-        .bind(name)
-        .fetch_all(&mut *tx)
-        .await?
-    };
+    let mut idx = 1i32;
+    let user_cond = user_scope_condition(user_id, &mut idx);
+    let mut conditions = vec![user_cond];
+    if folder.is_some() {
+        conditions.push(format!("folder = ${}", idx));
+        idx += 1;
+    }
+    conditions.push(format!("name = ${}", idx));
+    let sql = format!(
+        "SELECT id, version, folder, type, tags, metadata, notes FROM entries WHERE {} FOR UPDATE",
+        conditions.join(" AND ")
+    );
+    let mut q = sqlx::query_as::<_, EntryRow>(&sql);
+    if let Some(uid) = user_id {
+        q = q.bind(uid);
+    }
+    if let Some(f) = folder {
+        q = q.bind(f);
+    }
+    q = q.bind(name);
+    let rows = q.fetch_all(&mut *tx).await?;
 
     let row = match rows.len() {
         0 => {
@@ -249,7 +219,10 @@ async fn delete_one(
                 dry_run: false,
             });
         }
-        1 => rows.into_iter().next().unwrap(),
+        1 => rows
+            .into_iter()
+            .next()
+            .ok_or_else(|| anyhow::anyhow!("internal: matched row vanished"))?,
         _ => {
             tx.rollback().await?;
             let folders: Vec<&str> = rows.iter().map(|r| r.folder.as_str()).collect();

crates/secrets-core/src/service/env_map.rs

@@ -5,7 +5,6 @@ use std::collections::HashMap;
 use uuid::Uuid;
 
 use crate::crypto;
-use crate::models::Entry;
 use crate::service::search::{fetch_entries, fetch_secrets_for_entries};
 
 /// Build an env variable map from entry secrets (for dry-run preview or injection).
@@ -22,56 +21,43 @@ pub async fn build_env_map(
     user_id: Option<Uuid>,
 ) -> Result<HashMap<String, String>> {
     let entries = fetch_entries(pool, folder, entry_type, name, tags, None, user_id).await?;
+    if entries.is_empty() {
+        return Ok(HashMap::new());
+    }
+
+    let entry_ids: Vec<Uuid> = entries.iter().map(|e| e.id).collect();
+    let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
 
     let mut combined: HashMap<String, String> = HashMap::new();
 
     for entry in &entries {
-        let entry_map =
-            build_entry_env_map(pool, entry, only_fields, prefix, master_key, user_id).await?;
-        combined.extend(entry_map);
+        let all_fields = secrets_map.get(&entry.id).map(Vec::as_slice).unwrap_or(&[]);
+        let effective_prefix = env_prefix(entry, prefix);
+
+        let fields: Vec<_> = if only_fields.is_empty() {
+            all_fields.iter().collect()
+        } else {
+            all_fields
+                .iter()
+                .filter(|f| only_fields.contains(&f.name))
+                .collect()
+        };
+
+        for f in fields {
+            let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
+            let key = format!(
+                "{}_{}",
+                effective_prefix,
+                f.name.to_uppercase().replace(['-', '.'], "_")
+            );
+            combined.insert(key, json_to_env_string(&decrypted));
+        }
     }
 
     Ok(combined)
 }
 
-async fn build_entry_env_map(
-    pool: &PgPool,
-    entry: &Entry,
-    only_fields: &[String],
-    prefix: &str,
-    master_key: &[u8; 32],
-    _user_id: Option<Uuid>,
-) -> Result<HashMap<String, String>> {
-    let entry_ids = vec![entry.id];
-    let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
-    let all_fields = secrets_map.get(&entry.id).map(Vec::as_slice).unwrap_or(&[]);
-
-    let fields: Vec<_> = if only_fields.is_empty() {
-        all_fields.iter().collect()
-    } else {
-        all_fields
-            .iter()
-            .filter(|f| only_fields.contains(&f.name))
-            .collect()
-    };
-
-    let effective_prefix = env_prefix(entry, prefix);
-    let mut map = HashMap::new();
-
-    for f in fields {
-        let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
-        let key = format!(
-            "{}_{}",
-            effective_prefix,
-            f.name.to_uppercase().replace(['-', '.'], "_")
-        );
-        map.insert(key, json_to_env_string(&decrypted));
-    }
-
-    Ok(map)
-}
-
-fn env_prefix(entry: &Entry, prefix: &str) -> String {
+fn env_prefix(entry: &crate::models::Entry, prefix: &str) -> String {
     let name_part = entry.name.to_uppercase().replace(['-', '.', ' '], "_");
     if prefix.is_empty() {
         name_part

crates/secrets-core/src/service/get_secret.rs

@@ -5,6 +5,7 @@ use std::collections::HashMap;
 use uuid::Uuid;
 
 use crate::crypto;
+use crate::error::AppError;
 use crate::service::search::{fetch_secrets_for_entries, resolve_entry, resolve_entry_by_id};
 
 /// Decrypt a single named field from an entry.
@@ -64,7 +65,7 @@ pub async fn get_secret_field_by_id(
 ) -> Result<Value> {
     resolve_entry_by_id(pool, entry_id, user_id)
         .await
-        .map_err(|_| anyhow::anyhow!("Entry with id '{}' not found", entry_id))?;
+        .map_err(|_| anyhow::Error::from(AppError::NotFoundEntry))?;
 
     let entry_ids = vec![entry_id];
     let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
@@ -89,7 +90,7 @@ pub async fn get_all_secrets_by_id(
     // Validate entry exists (and that it belongs to the requesting user)
     resolve_entry_by_id(pool, entry_id, user_id)
         .await
-        .map_err(|_| anyhow::anyhow!("Entry with id '{}' not found", entry_id))?;
+        .map_err(|_| anyhow::Error::from(AppError::NotFoundEntry))?;
 
     let entry_ids = vec![entry_id];
     let secrets_map = fetch_secrets_for_entries(pool, &entry_ids).await?;

crates/secrets-core/src/service/mod.rs

@@ -11,3 +11,4 @@ pub mod rollback;
 pub mod search;
 pub mod update;
 pub mod user;
+pub mod util;

crates/secrets-core/src/service/rollback.rs

@@ -23,7 +23,6 @@ pub async fn run(
     name: &str,
     folder: Option<&str>,
     to_version: Option<i64>,
-    master_key: &[u8; 32],
     user_id: Option<Uuid>,
 ) -> Result<RollbackResult> {
     #[derive(sqlx::FromRow)]
@@ -154,8 +153,6 @@ pub async fn run(
     let snap_secret_snapshot = db::entry_secret_snapshot_from_metadata(&snap.metadata);
     let snap_metadata = db::strip_secret_snapshot_from_metadata(&snap.metadata);
 
-    let _ = master_key;
-
     let mut tx = pool.begin().await?;
 
     #[derive(sqlx::FromRow)]
@@ -167,13 +164,11 @@ pub async fn run(
         entry_type: String,
         tags: Vec<String>,
         metadata: Value,
-        #[allow(dead_code)]
-        notes: String,
     }
 
     // Lock the live entry if it exists (matched by entry_id for precision).
     let live: Option<LiveEntry> = sqlx::query_as(
-        "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
+        "SELECT id, version, folder, type, tags, metadata FROM entries \
          WHERE id = $1 FOR UPDATE",
     )
     .bind(entry_id)

crates/secrets-core/src/service/search.rs

@@ -6,7 +6,7 @@ use uuid::Uuid;
 
 use crate::models::{Entry, SecretField};
 
-pub const FETCH_ALL_LIMIT: u32 = 100_000;
+pub const FETCH_ALL_LIMIT: u32 = 10_000;
 
 /// Build an ILIKE pattern for fuzzy matching, escaping `%` and `_` literals.
 pub fn ilike_pattern(value: &str) -> String {
@@ -145,7 +145,7 @@ pub async fn run(pool: &PgPool, params: SearchParams<'_>) -> Result<SearchResult
     let entries = fetch_entries_paged(pool, &params).await?;
     let entry_ids: Vec<Uuid> = entries.iter().map(|e| e.id).collect();
     let secret_schemas = if !entry_ids.is_empty() {
-        fetch_secret_schemas(pool, &entry_ids).await?
+        fetch_secrets_for_entries(pool, &entry_ids).await?
     } else {
         HashMap::new()
     };
@@ -229,33 +229,6 @@ async fn fetch_entries_paged(pool: &PgPool, a: &SearchParams<'_>) -> Result<Vec<
     Ok(rows.into_iter().map(Entry::from).collect())
 }
 
-/// Fetch secret field names for a set of entry ids (no decryption).
-pub async fn fetch_secret_schemas(
-    pool: &PgPool,
-    entry_ids: &[Uuid],
-) -> Result<HashMap<Uuid, Vec<SecretField>>> {
-    if entry_ids.is_empty() {
-        return Ok(HashMap::new());
-    }
-    let fields: Vec<EntrySecretRow> = sqlx::query_as(
-        "SELECT es.entry_id, s.id, s.user_id, s.name, s.type, s.encrypted, s.version, s.created_at, s.updated_at \
-         FROM entry_secrets es \
-         JOIN secrets s ON s.id = es.secret_id \
-         WHERE es.entry_id = ANY($1) \
-         ORDER BY es.entry_id, es.sort_order, s.name",
-    )
-    .bind(entry_ids)
-    .fetch_all(pool)
-    .await?;
-
-    let mut map: HashMap<Uuid, Vec<SecretField>> = HashMap::new();
-    for f in fields {
-        let entry_id = f.entry_id;
-        map.entry(entry_id).or_default().push(f.secret());
-    }
-    Ok(map)
-}
-
 /// Fetch all secret fields (including encrypted bytes) for a set of entry ids.
 pub async fn fetch_secrets_for_entries(
     pool: &PgPool,
@@ -334,7 +307,10 @@ pub async fn resolve_entry(
                 anyhow::bail!("Not found: '{}'", name)
             }
         }
-        1 => Ok(entries.into_iter().next().unwrap()),
+        1 => entries
+            .into_iter()
+            .next()
+            .ok_or_else(|| anyhow::anyhow!("internal: resolve_entry result vanished")),
         _ => {
             let folders: Vec<&str> = entries.iter().map(|e| e.folder.as_str()).collect();
             anyhow::bail!(

crates/secrets-core/src/service/update.rs

@@ -11,6 +11,7 @@ use crate::service::add::{
     collect_field_paths, collect_key_paths, flatten_json_fields, insert_path, parse_key_path,
     parse_kv, remove_path,
 };
+use crate::service::util::user_scope_condition;
 
 #[derive(Debug, serde::Serialize)]
 pub struct UpdateResult {
@@ -50,55 +51,43 @@ pub async fn run(
     params: UpdateParams<'_>,
     master_key: &[u8; 32],
 ) -> Result<UpdateResult> {
+    if params.name.chars().count() > 256 {
+        anyhow::bail!("name must be at most 256 characters");
+    }
     let mut tx = pool.begin().await?;
 
     // Fetch matching rows with FOR UPDATE; use folder when provided to resolve ambiguity.
-    let rows: Vec<EntryRow> = if let Some(uid) = params.user_id {
-        if let Some(folder) = params.folder {
-            sqlx::query_as(
-                "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-                 WHERE user_id = $1 AND folder = $2 AND name = $3 FOR UPDATE",
-            )
-            .bind(uid)
-            .bind(folder)
-            .bind(params.name)
-            .fetch_all(&mut *tx)
-            .await?
-        } else {
-            sqlx::query_as(
-                "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-                 WHERE user_id = $1 AND name = $2 FOR UPDATE",
-            )
-            .bind(uid)
-            .bind(params.name)
-            .fetch_all(&mut *tx)
-            .await?
-        }
-    } else if let Some(folder) = params.folder {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-             WHERE user_id IS NULL AND folder = $1 AND name = $2 FOR UPDATE",
-        )
-        .bind(folder)
-        .bind(params.name)
-        .fetch_all(&mut *tx)
-        .await?
-    } else {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-             WHERE user_id IS NULL AND name = $1 FOR UPDATE",
-        )
-        .bind(params.name)
-        .fetch_all(&mut *tx)
-        .await?
-    };
+    let mut idx = 1i32;
+    let user_cond = user_scope_condition(params.user_id, &mut idx);
+    let mut conditions = vec![user_cond];
+    if params.folder.is_some() {
+        conditions.push(format!("folder = ${}", idx));
+        idx += 1;
+    }
+    conditions.push(format!("name = ${}", idx));
+    let sql = format!(
+        "SELECT id, version, folder, type, tags, metadata, notes FROM entries WHERE {} FOR UPDATE",
+        conditions.join(" AND ")
+    );
+    let mut q = sqlx::query_as::<_, EntryRow>(&sql);
+    if let Some(uid) = params.user_id {
+        q = q.bind(uid);
+    }
+    if let Some(folder) = params.folder {
+        q = q.bind(folder);
+    }
+    q = q.bind(params.name);
+    let rows = q.fetch_all(&mut *tx).await?;
 
     let row = match rows.len() {
         0 => {
             tx.rollback().await?;
             return Err(AppError::NotFoundEntry.into());
         }
-        1 => rows.into_iter().next().unwrap(),
+        1 => rows
+            .into_iter()
+            .next()
+            .ok_or_else(|| anyhow::anyhow!("internal: matched row vanished"))?,
         _ => {
             tx.rollback().await?;
             let folders: Vec<&str> = rows.iter().map(|r| r.folder.as_str()).collect();

crates/secrets-core/src/service/util.rs

@@ -0,0 +1,27 @@
+use uuid::Uuid;
+
+/// Returns a WHERE condition fragment for user scope and advances `idx` if `user_id` is Some.
+///
+/// - `Some(uid)` → `"user_id = $N"` with idx incremented.
+/// - `None`      → `"user_id IS NULL"` with idx unchanged.
+///
+/// # Usage
+///
+/// ```rust,ignore
+/// let mut idx = 1i32;
+/// let user_cond = user_scope_condition(user_id, &mut idx);
+/// // idx is now 2 if user_id is Some, still 1 if None
+/// let sql = format!("SELECT ... FROM entries WHERE {user_cond} AND name = ${idx}");
+/// let mut q = sqlx::query_as::<_, Row>(&sql);
+/// if let Some(uid) = user_id { q = q.bind(uid); }
+/// q = q.bind(name);
+/// ```
+pub fn user_scope_condition(user_id: Option<Uuid>, idx: &mut i32) -> String {
+    if user_id.is_some() {
+        let s = format!("user_id = ${}", *idx);
+        *idx += 1;
+        s
+    } else {
+        "user_id IS NULL".to_string()
+    }
+}