release(secrets-mcp): 0.5.10 — Web 模块化、性能与错误处理

- 拆分 web.rs 为 web/ 子模块；统一 client_ip 提取
- core: user_scope SQL 复用、env_map N+1 消除、FETCH_ALL 上限调整
- entries 列表页并行查询；PgPool 去 Arc；结构化 NotFound 等错误
- CI: SSH 私钥安全写入；crypto/hex 与依赖清理；MCP 输入长度校验
- AGENTS: API Key 明文存储设计说明

crates/secrets-core/src/service/update.rs

@@ -11,6 +11,7 @@ use crate::service::add::{
     collect_field_paths, collect_key_paths, flatten_json_fields, insert_path, parse_key_path,
     parse_kv, remove_path,
 };
+use crate::service::util::user_scope_condition;
 
 #[derive(Debug, serde::Serialize)]
 pub struct UpdateResult {
@@ -50,55 +51,43 @@ pub async fn run(
     params: UpdateParams<'_>,
     master_key: &[u8; 32],
 ) -> Result<UpdateResult> {
+    if params.name.chars().count() > 256 {
+        anyhow::bail!("name must be at most 256 characters");
+    }
     let mut tx = pool.begin().await?;
 
     // Fetch matching rows with FOR UPDATE; use folder when provided to resolve ambiguity.
-    let rows: Vec<EntryRow> = if let Some(uid) = params.user_id {
-        if let Some(folder) = params.folder {
-            sqlx::query_as(
-                "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-                 WHERE user_id = $1 AND folder = $2 AND name = $3 FOR UPDATE",
-            )
-            .bind(uid)
-            .bind(folder)
-            .bind(params.name)
-            .fetch_all(&mut *tx)
-            .await?
-        } else {
-            sqlx::query_as(
-                "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-                 WHERE user_id = $1 AND name = $2 FOR UPDATE",
-            )
-            .bind(uid)
-            .bind(params.name)
-            .fetch_all(&mut *tx)
-            .await?
-        }
-    } else if let Some(folder) = params.folder {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-             WHERE user_id IS NULL AND folder = $1 AND name = $2 FOR UPDATE",
-        )
-        .bind(folder)
-        .bind(params.name)
-        .fetch_all(&mut *tx)
-        .await?
-    } else {
-        sqlx::query_as(
-            "SELECT id, version, folder, type, tags, metadata, notes FROM entries \
-             WHERE user_id IS NULL AND name = $1 FOR UPDATE",
-        )
-        .bind(params.name)
-        .fetch_all(&mut *tx)
-        .await?
-    };
+    let mut idx = 1i32;
+    let user_cond = user_scope_condition(params.user_id, &mut idx);
+    let mut conditions = vec![user_cond];
+    if params.folder.is_some() {
+        conditions.push(format!("folder = ${}", idx));
+        idx += 1;
+    }
+    conditions.push(format!("name = ${}", idx));
+    let sql = format!(
+        "SELECT id, version, folder, type, tags, metadata, notes FROM entries WHERE {} FOR UPDATE",
+        conditions.join(" AND ")
+    );
+    let mut q = sqlx::query_as::<_, EntryRow>(&sql);
+    if let Some(uid) = params.user_id {
+        q = q.bind(uid);
+    }
+    if let Some(folder) = params.folder {
+        q = q.bind(folder);
+    }
+    q = q.bind(params.name);
+    let rows = q.fetch_all(&mut *tx).await?;
 
     let row = match rows.len() {
         0 => {
             tx.rollback().await?;
             return Err(AppError::NotFoundEntry.into());
         }
-        1 => rows.into_iter().next().unwrap(),
+        1 => rows
+            .into_iter()
+            .next()
+            .ok_or_else(|| anyhow::anyhow!("internal: matched row vanished"))?,
         _ => {
             tx.rollback().await?;
             let folders: Vec<&str> = rows.iter().map(|r| r.folder.as_str()).collect();