feat(nn): entry–secret N:N, unique secret names, web unlink

Bump secrets-mcp to 0.3.8 (tag 0.3.7 already used). - Junction table entry_secrets; secrets user-scoped with type - Per-user unique secrets.name; link_secret_names on add - Manual migrations + migrate script; MCP/tool and Web updates Made-with: Cursor
2026-04-03 17:37:04 +08:00
parent df701f21b9
commit c6fb457734
20 changed files with 1103 additions and 198 deletions
--- a/crates/secrets-core/src/db.rs
+++ b/crates/secrets-core/src/db.rs
@@ -83,16 +83,30 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
        -- ── secrets: one row per encrypted field ─────────────────────────────────
        CREATE TABLE IF NOT EXISTS secrets (
            id          UUID PRIMARY KEY DEFAULT uuidv7(),
-            entry_id    UUID         NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
-            field_name  VARCHAR(256) NOT NULL,
+            user_id     UUID,
+            name        VARCHAR(256) NOT NULL,
+            type        VARCHAR(64)  NOT NULL DEFAULT 'text',
            encrypted   BYTEA        NOT NULL DEFAULT '\x',
            version     BIGINT       NOT NULL DEFAULT 1,
            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-            updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-            UNIQUE(entry_id, field_name)
+            updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
        );

-        CREATE INDEX IF NOT EXISTS idx_secrets_entry_id ON secrets(entry_id);
+        CREATE INDEX IF NOT EXISTS idx_secrets_user_id  ON secrets(user_id) WHERE user_id IS NOT NULL;
+        CREATE UNIQUE INDEX IF NOT EXISTS idx_secrets_unique_user_name
+            ON secrets(user_id, name) WHERE user_id IS NOT NULL;
+        CREATE INDEX IF NOT EXISTS idx_secrets_name     ON secrets(name);
+        CREATE INDEX IF NOT EXISTS idx_secrets_type     ON secrets(type);
+
+        -- ── entry_secrets: N:N relation ────────────────────────────────────────────
+        CREATE TABLE IF NOT EXISTS entry_secrets (
+            entry_id    UUID NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
+            secret_id   UUID NOT NULL REFERENCES secrets(id) ON DELETE CASCADE,
+            sort_order  INT NOT NULL DEFAULT 0,
+            created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+            PRIMARY KEY(entry_id, secret_id)
+        );
+        CREATE INDEX IF NOT EXISTS idx_entry_secrets_secret_id ON entry_secrets(secret_id);

        -- ── audit_log: append-only operation log ─────────────────────────────────
        CREATE TABLE IF NOT EXISTS audit_log (
@@ -141,17 +155,13 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
        -- ── secrets_history: field-level snapshot ────────────────────────────────
        CREATE TABLE IF NOT EXISTS secrets_history (
            id              BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-            entry_id        UUID         NOT NULL,
            secret_id       UUID         NOT NULL,
-            entry_version   BIGINT       NOT NULL,
-            field_name      VARCHAR(256) NOT NULL,
+            name            VARCHAR(256) NOT NULL,
            encrypted       BYTEA        NOT NULL DEFAULT '\x',
            action          VARCHAR(16)  NOT NULL,
            created_at      TIMESTAMPTZ  NOT NULL DEFAULT NOW()
        );

-        CREATE INDEX IF NOT EXISTS idx_secrets_history_entry_id
-            ON secrets_history(entry_id, entry_version DESC);
        CREATE INDEX IF NOT EXISTS idx_secrets_history_secret_id
            ON secrets_history(secret_id);

@@ -210,6 +220,16 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
            END IF;
        END $$;

+        DO $$ BEGIN
+            IF NOT EXISTS (
+                SELECT 1 FROM pg_constraint WHERE conname = 'fk_secrets_user_id'
+            ) THEN
+                ALTER TABLE secrets
+                    ADD CONSTRAINT fk_secrets_user_id
+                    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE SET NULL;
+            END IF;
+        END $$;
+
        DO $$ BEGIN
            IF NOT EXISTS (
                SELECT 1 FROM pg_constraint WHERE conname = 'fk_audit_log_user_id'
@@ -499,10 +519,8 @@ pub async fn snapshot_entry_history(
 // ── Secret field-level history snapshot ──────────────────────────────────────

 pub struct SecretSnapshotParams<'a> {
-    pub entry_id: uuid::Uuid,
    pub secret_id: uuid::Uuid,
-    pub entry_version: i64,
-    pub field_name: &'a str,
+    pub name: &'a str,
    pub encrypted: &'a [u8],
    pub action: &'a str,
 }
@@ -513,13 +531,11 @@ pub async fn snapshot_secret_history(
 ) -> Result<()> {
    sqlx::query(
        "INSERT INTO secrets_history \
-         (entry_id, secret_id, entry_version, field_name, encrypted, action) \
-         VALUES ($1, $2, $3, $4, $5, $6)",
+         (secret_id, name, encrypted, action) \
+         VALUES ($1, $2, $3, $4)",
    )
-    .bind(p.entry_id)
    .bind(p.secret_id)
-    .bind(p.entry_version)
-    .bind(p.field_name)
+    .bind(p.name)
    .bind(p.encrypted)
    .bind(p.action)
    .execute(&mut **tx)