feat(nn): entry–secret N:N, unique secret names, web unlink

Bump secrets-mcp to 0.3.8 (tag 0.3.7 already used).

- Junction table entry_secrets; secrets user-scoped with type
- Per-user unique secrets.name; link_secret_names on add
- Manual migrations + migrate script; MCP/tool and Web updates

Made-with: Cursor

crates/secrets-core/src/service/rollback.rs

@@ -3,7 +3,6 @@ use serde_json::Value;
 use sqlx::PgPool;
 use uuid::Uuid;
 
-use crate::crypto;
 use crate::db;
 
 #[derive(Debug, serde::Serialize)]
@@ -27,7 +26,6 @@ pub async fn run(
 ) -> Result<RollbackResult> {
     #[derive(sqlx::FromRow)]
     struct EntryHistoryRow {
-        entry_id: Uuid,
         folder: String,
         #[sqlx(rename = "type")]
         entry_type: String,
@@ -122,7 +120,7 @@ pub async fn run(
 
     let snap: Option<EntryHistoryRow> = if let Some(ver) = to_version {
         sqlx::query_as(
-            "SELECT entry_id, folder, type, version, action, tags, metadata \
+            "SELECT folder, type, version, action, tags, metadata \
              FROM entries_history \
              WHERE entry_id = $1 AND version = $2 ORDER BY id DESC LIMIT 1",
         )
@@ -132,7 +130,7 @@ pub async fn run(
         .await?
     } else {
         sqlx::query_as(
-            "SELECT entry_id, folder, type, version, action, tags, metadata \
+            "SELECT folder, type, version, action, tags, metadata \
              FROM entries_history \
              WHERE entry_id = $1 ORDER BY id DESC LIMIT 1",
         )
@@ -151,33 +149,7 @@ pub async fn run(
         )
     })?;
 
-    #[derive(sqlx::FromRow)]
-    struct SecretHistoryRow {
-        field_name: String,
-        encrypted: Vec<u8>,
-        action: String,
-    }
-
-    let field_snaps: Vec<SecretHistoryRow> = sqlx::query_as(
-        "SELECT field_name, encrypted, action FROM secrets_history \
-         WHERE entry_id = $1 AND entry_version = $2 ORDER BY field_name",
-    )
-    .bind(snap.entry_id)
-    .bind(snap.version)
-    .fetch_all(pool)
-    .await?;
-
-    for f in &field_snaps {
-        if f.action != "delete" && !f.encrypted.is_empty() {
-            crypto::decrypt_json(master_key, &f.encrypted).map_err(|e| {
-                anyhow::anyhow!(
-                    "Cannot decrypt snapshot for field '{}': {}",
-                    f.field_name,
-                    e
-                )
-            })?;
-        }
-    }
+    let _ = master_key;
 
     let mut tx = pool.begin().await?;
 
@@ -226,23 +198,25 @@ pub async fn run(
         #[derive(sqlx::FromRow)]
         struct LiveField {
             id: Uuid,
-            field_name: String,
+            name: String,
             encrypted: Vec<u8>,
         }
-        let live_fields: Vec<LiveField> =
-            sqlx::query_as("SELECT id, field_name, encrypted FROM secrets WHERE entry_id = $1")
-                .bind(lr.id)
-                .fetch_all(&mut *tx)
-                .await?;
+        let live_fields: Vec<LiveField> = sqlx::query_as(
+            "SELECT s.id, s.name, s.encrypted \
+             FROM entry_secrets es \
+             JOIN secrets s ON s.id = es.secret_id \
+             WHERE es.entry_id = $1",
+        )
+        .bind(lr.id)
+        .fetch_all(&mut *tx)
+        .await?;
 
         for f in &live_fields {
             if let Err(e) = db::snapshot_secret_history(
                 &mut tx,
                 db::SecretSnapshotParams {
-                    entry_id: lr.id,
                     secret_id: f.id,
-                    entry_version: lr.version,
-                    field_name: &f.field_name,
+                    name: &f.name,
                     encrypted: &f.encrypted,
                     action: "rollback",
                 },
@@ -297,22 +271,9 @@ pub async fn run(
         }
     };
 
-    sqlx::query("DELETE FROM secrets WHERE entry_id = $1")
-        .bind(live_entry_id)
-        .execute(&mut *tx)
-        .await?;
-
-    for f in &field_snaps {
-        if f.action == "delete" {
-            continue;
-        }
-        sqlx::query("INSERT INTO secrets (entry_id, field_name, encrypted) VALUES ($1, $2, $3)")
-            .bind(live_entry_id)
-            .bind(&f.field_name)
-            .bind(&f.encrypted)
-            .execute(&mut *tx)
-            .await?;
-    }
+    // In N:N mode, rollback restores entry metadata/tags only.
+    // Secret snapshots are kept for audit but secret linkage/content is not rewritten here.
+    let _ = live_entry_id;
 
     crate::audit::log_tx(
         &mut tx,