release(secrets-mcp): 0.5.10 — Web 模块化、性能与错误处理

- 拆分 web.rs 为 web/ 子模块；统一 client_ip 提取
- core: user_scope SQL 复用、env_map N+1 消除、FETCH_ALL 上限调整
- entries 列表页并行查询；PgPool 去 Arc；结构化 NotFound 等错误
- CI: SSH 私钥安全写入；crypto/hex 与依赖清理；MCP 输入长度校验
- AGENTS: API Key 明文存储设计说明

crates/secrets-mcp/src/client_ip.rs

@@ -26,6 +26,26 @@ pub fn extract_client_ip(req: &Request) -> String {
     connect_info_ip(req).unwrap_or_else(|| "unknown".to_string())
 }
 
+/// Extract the client IP from individual header map and socket address components.
+///
+/// This variant is used by handlers that receive headers and connect info as
+/// separate axum extractor parameters (e.g. OAuth callback handlers).
+/// The same `TRUST_PROXY` logic applies.
+pub fn extract_client_ip_parts(
+    headers: &axum::http::HeaderMap,
+    addr: std::net::SocketAddr,
+) -> String {
+    if trust_proxy_enabled() {
+        if let Some(ip) = forwarded_for_ip(headers) {
+            return ip;
+        }
+        if let Some(ip) = real_ip(headers) {
+            return ip;
+        }
+    }
+    addr.ip().to_string()
+}
+
 fn trust_proxy_enabled() -> bool {
     static CACHE: std::sync::OnceLock<bool> = std::sync::OnceLock::new();
     *CACHE.get_or_init(|| {