feat: 0.6.0 — 事务/版本化/类型化/inject/run

- 写路径事务化：add/update/delete 与 audit 同事务，update CAS 并发保护 - 版本化与回滚：secrets_history 表、version 字段、history/rollback 命令 - 类型化字段：key:=<json> 支持数字、布尔、数组、对象 - 临时 env 模式：inject 输出 KEY=VALUE，run 向子进程注入 - inject/run 至少需一个过滤条件；search -o env 使用 shell_quote；JSON 输出含 version Made-with: Cursor
2026-03-19 10:30:45 +08:00
parent 31b0ea9bf1
commit a765dcc428
16 changed files with 1247 additions and 196 deletions
--- a/src/commands/update.rs
+++ b/src/commands/update.rs
@@ -5,11 +5,13 @@ use uuid::Uuid;

 use super::add::parse_kv;
 use crate::crypto;
+use crate::db;
 use crate::output::OutputMode;

 #[derive(FromRow)]
 struct UpdateRow {
    id: Uuid,
+    version: i64,
    tags: Vec<String>,
    metadata: Value,
    encrypted: Vec<u8>,
@@ -29,17 +31,18 @@ pub struct UpdateArgs<'a> {
 }

 pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
+    let mut tx = pool.begin().await?;
+
    let row: Option<UpdateRow> = sqlx::query_as(
-        r#"
-        SELECT id, tags, metadata, encrypted
-        FROM secrets
-        WHERE namespace = $1 AND kind = $2 AND name = $3
-        "#,
+        "SELECT id, version, tags, metadata, encrypted \
+         FROM secrets \
+         WHERE namespace = $1 AND kind = $2 AND name = $3 \
+         FOR UPDATE",
    )
    .bind(args.namespace)
    .bind(args.kind)
    .bind(args.name)
-    .fetch_optional(pool)
+    .fetch_optional(&mut *tx)
    .await?;

    let row = row.ok_or_else(|| {
@@ -51,6 +54,26 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
        )
    })?;

+    // Snapshot current state before modifying.
+    if let Err(e) = db::snapshot_history(
+        &mut tx,
+        db::SnapshotParams {
+            secret_id: row.id,
+            namespace: args.namespace,
+            kind: args.kind,
+            name: args.name,
+            version: row.version,
+            action: "update",
+            tags: &row.tags,
+            metadata: &row.metadata,
+            encrypted: &row.encrypted,
+        },
+    )
+    .await
+    {
+        tracing::warn!(error = %e, "failed to snapshot history before update");
+    }
+
    // Merge tags
    let mut tags: Vec<String> = row.tags;
    for t in args.add_tags {
@@ -67,7 +90,7 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
    };
    for entry in args.meta_entries {
        let (key, value) = parse_kv(entry)?;
-        meta_map.insert(key, Value::String(value));
+        meta_map.insert(key, value);
    }
    for key in args.remove_meta {
        meta_map.remove(key);
@@ -86,7 +109,7 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
    };
    for entry in args.secret_entries {
        let (key, value) = parse_kv(entry)?;
-        enc_map.insert(key, Value::String(value));
+        enc_map.insert(key, value);
    }
    for key in args.remove_secrets {
        enc_map.remove(key);
@@ -101,33 +124,43 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
        "updating record"
    );

-    sqlx::query(
-        r#"
-        UPDATE secrets
-        SET tags = $1, metadata = $2, encrypted = $3, updated_at = NOW()
-        WHERE id = $4
-        "#,
+    // CAS: update only if version hasn't changed (FOR UPDATE lock ensures this).
+    let result = sqlx::query(
+        "UPDATE secrets \
+         SET tags = $1, metadata = $2, encrypted = $3, version = version + 1, updated_at = NOW() \
+         WHERE id = $4 AND version = $5",
    )
    .bind(&tags)
-    .bind(metadata)
-    .bind(encrypted_bytes)
+    .bind(&metadata)
+    .bind(&encrypted_bytes)
    .bind(row.id)
-    .execute(pool)
+    .bind(row.version)
+    .execute(&mut *tx)
    .await?;

+    if result.rows_affected() == 0 {
+        tx.rollback().await?;
+        anyhow::bail!(
+            "Concurrent modification detected for [{}/{}] {}. Please retry.",
+            args.namespace,
+            args.kind,
+            args.name
+        );
+    }
+
    let meta_keys: Vec<&str> = args
        .meta_entries
        .iter()
-        .filter_map(|s| s.split_once('=').map(|(k, _)| k))
+        .filter_map(|s| s.split_once(['=', ':']).map(|(k, _)| k))
        .collect();
    let secret_keys: Vec<&str> = args
        .secret_entries
        .iter()
-        .filter_map(|s| s.split_once('=').map(|(k, _)| k))
+        .filter_map(|s| s.split_once(['=', ':']).map(|(k, _)| k))
        .collect();

-    crate::audit::log(
-        pool,
+    crate::audit::log_tx(
+        &mut tx,
        "update",
        args.namespace,
        args.kind,
@@ -143,6 +176,8 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
    )
    .await;

+    tx.commit().await?;
+
    let result_json = json!({
        "action": "updated",
        "namespace": args.namespace,