feat: user-scoped history/delete/rollback, dashboard & login UI, ignore *.pem

- Filter history/rollback/delete by user_id in secrets-core
- MCP tools/web pass user context; dashboard refresh; favicon static
- .gitignore *.pem; vscode tasks tweaks
- clippy: collapse else-if in rollback latest-history branch

Made-with: Cursor

crates/secrets-core/src/service/rollback.rs

@@ -21,7 +21,7 @@ pub async fn run(
     name: &str,
     to_version: Option<i64>,
     master_key: &[u8; 32],
-    _user_id: Option<Uuid>,
+    user_id: Option<Uuid>,
 ) -> Result<RollbackResult> {
     #[derive(sqlx::FromRow)]
     struct EntryHistoryRow {
@@ -33,21 +33,49 @@ pub async fn run(
     }
 
     let snap: Option<EntryHistoryRow> = if let Some(ver) = to_version {
+        if let Some(uid) = user_id {
+            sqlx::query_as(
+                "SELECT entry_id, version, action, tags, metadata FROM entries_history \
+                 WHERE namespace = $1 AND kind = $2 AND name = $3 AND version = $4 \
+                 AND user_id = $5 ORDER BY id DESC LIMIT 1",
+            )
+            .bind(namespace)
+            .bind(kind)
+            .bind(name)
+            .bind(ver)
+            .bind(uid)
+            .fetch_optional(pool)
+            .await?
+        } else {
+            sqlx::query_as(
+                "SELECT entry_id, version, action, tags, metadata FROM entries_history \
+                 WHERE namespace = $1 AND kind = $2 AND name = $3 AND version = $4 \
+                 AND user_id IS NULL ORDER BY id DESC LIMIT 1",
+            )
+            .bind(namespace)
+            .bind(kind)
+            .bind(name)
+            .bind(ver)
+            .fetch_optional(pool)
+            .await?
+        }
+    } else if let Some(uid) = user_id {
         sqlx::query_as(
             "SELECT entry_id, version, action, tags, metadata FROM entries_history \
-             WHERE namespace = $1 AND kind = $2 AND name = $3 AND version = $4 \
-             ORDER BY id DESC LIMIT 1",
+             WHERE namespace = $1 AND kind = $2 AND name = $3 \
+             AND user_id = $4 ORDER BY id DESC LIMIT 1",
         )
         .bind(namespace)
         .bind(kind)
         .bind(name)
-        .bind(ver)
+        .bind(uid)
         .fetch_optional(pool)
         .await?
     } else {
         sqlx::query_as(
             "SELECT entry_id, version, action, tags, metadata FROM entries_history \
-             WHERE namespace = $1 AND kind = $2 AND name = $3 ORDER BY id DESC LIMIT 1",
+             WHERE namespace = $1 AND kind = $2 AND name = $3 \
+             AND user_id IS NULL ORDER BY id DESC LIMIT 1",
         )
         .bind(namespace)
         .bind(kind)
@@ -70,14 +98,13 @@ pub async fn run(
 
     #[derive(sqlx::FromRow)]
     struct SecretHistoryRow {
-        secret_id: Uuid,
         field_name: String,
         encrypted: Vec<u8>,
         action: String,
     }
 
     let field_snaps: Vec<SecretHistoryRow> = sqlx::query_as(
-        "SELECT secret_id, field_name, encrypted, action FROM secrets_history \
+        "SELECT field_name, encrypted, action FROM secrets_history \
          WHERE entry_id = $1 AND entry_version = $2 ORDER BY field_name",
     )
     .bind(snap.entry_id)
@@ -106,21 +133,38 @@ pub async fn run(
         tags: Vec<String>,
         metadata: Value,
     }
-    let live: Option<LiveEntry> = sqlx::query_as(
-        "SELECT id, version, tags, metadata FROM entries \
-         WHERE namespace = $1 AND kind = $2 AND name = $3 FOR UPDATE",
-    )
-    .bind(namespace)
-    .bind(kind)
-    .bind(name)
-    .fetch_optional(&mut *tx)
-    .await?;
 
-    if let Some(ref lr) = live {
+    // Query live entry with correct user_id scoping to avoid PK conflicts
+    let live: Option<LiveEntry> = if let Some(uid) = user_id {
+        sqlx::query_as(
+            "SELECT id, version, tags, metadata FROM entries \
+             WHERE user_id = $1 AND namespace = $2 AND kind = $3 AND name = $4 FOR UPDATE",
+        )
+        .bind(uid)
+        .bind(namespace)
+        .bind(kind)
+        .bind(name)
+        .fetch_optional(&mut *tx)
+        .await?
+    } else {
+        sqlx::query_as(
+            "SELECT id, version, tags, metadata FROM entries \
+             WHERE user_id IS NULL AND namespace = $1 AND kind = $2 AND name = $3 FOR UPDATE",
+        )
+        .bind(namespace)
+        .bind(kind)
+        .bind(name)
+        .fetch_optional(&mut *tx)
+        .await?
+    };
+
+    let entry_id = if let Some(ref lr) = live {
+        // Snapshot current state before overwriting
         if let Err(e) = db::snapshot_entry_history(
             &mut tx,
             db::EntrySnapshotParams {
                 entry_id: lr.id,
+                user_id,
                 namespace,
                 kind,
                 name,
@@ -164,27 +208,55 @@ pub async fn run(
                 tracing::warn!(error = %e, "failed to snapshot secret field before rollback");
             }
         }
-    }
 
-    sqlx::query(
-        "INSERT INTO entries (id, namespace, kind, name, tags, metadata, version, updated_at) \
-         VALUES ($1, $2, $3, $4, $5, $6, $7, NOW()) \
-         ON CONFLICT (namespace, kind, name) WHERE user_id IS NULL DO UPDATE SET \
-             tags = EXCLUDED.tags, metadata = EXCLUDED.metadata, \
-             version = entries.version + 1, updated_at = NOW()",
-    )
-    .bind(snap.entry_id)
-    .bind(namespace)
-    .bind(kind)
-    .bind(name)
-    .bind(&snap.tags)
-    .bind(&snap.metadata)
-    .bind(snap.version)
-    .execute(&mut *tx)
-    .await?;
+        // Update the existing row in-place to preserve its primary key and user_id
+        sqlx::query(
+            "UPDATE entries SET tags = $1, metadata = $2, version = version + 1, \
+             updated_at = NOW() WHERE id = $3",
+        )
+        .bind(&snap.tags)
+        .bind(&snap.metadata)
+        .bind(lr.id)
+        .execute(&mut *tx)
+        .await?;
+
+        lr.id
+    } else {
+        // No live entry — insert a fresh one with a new UUID
+        if let Some(uid) = user_id {
+            sqlx::query_scalar(
+                "INSERT INTO entries \
+                 (user_id, namespace, kind, name, tags, metadata, version, updated_at) \
+                 VALUES ($1, $2, $3, $4, $5, $6, $7, NOW()) RETURNING id",
+            )
+            .bind(uid)
+            .bind(namespace)
+            .bind(kind)
+            .bind(name)
+            .bind(&snap.tags)
+            .bind(&snap.metadata)
+            .bind(snap.version)
+            .fetch_one(&mut *tx)
+            .await?
+        } else {
+            sqlx::query_scalar(
+                "INSERT INTO entries \
+                 (namespace, kind, name, tags, metadata, version, updated_at) \
+                 VALUES ($1, $2, $3, $4, $5, $6, NOW()) RETURNING id",
+            )
+            .bind(namespace)
+            .bind(kind)
+            .bind(name)
+            .bind(&snap.tags)
+            .bind(&snap.metadata)
+            .bind(snap.version)
+            .fetch_one(&mut *tx)
+            .await?
+        }
+    };
 
     sqlx::query("DELETE FROM secrets WHERE entry_id = $1")
-        .bind(snap.entry_id)
+        .bind(entry_id)
         .execute(&mut *tx)
         .await?;
 
@@ -192,17 +264,12 @@ pub async fn run(
         if f.action == "delete" {
             continue;
         }
-        sqlx::query(
-            "INSERT INTO secrets (id, entry_id, field_name, encrypted) VALUES ($1, $2, $3, $4) \
-             ON CONFLICT (entry_id, field_name) DO UPDATE SET \
-                 encrypted = EXCLUDED.encrypted, version = secrets.version + 1, updated_at = NOW()",
-        )
-        .bind(f.secret_id)
-        .bind(snap.entry_id)
-        .bind(&f.field_name)
-        .bind(&f.encrypted)
-        .execute(&mut *tx)
-        .await?;
+        sqlx::query("INSERT INTO secrets (entry_id, field_name, encrypted) VALUES ($1, $2, $3)")
+            .bind(entry_id)
+            .bind(&f.field_name)
+            .bind(&f.encrypted)
+            .execute(&mut *tx)
+            .await?;
     }
 
     crate::audit::log_tx(