refining/secrets
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 61 Wiki Activity

feat(nn): entry–secret N:N, unique secret names, web unlink
Some checks failed
Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Failing after 2m37s
Details
Secrets MCP — Build & Release / 部署 secrets-mcp (push) Has been skipped
Details

Browse Source 
Bump secrets-mcp to 0.3.8 (tag 0.3.7 already used).

- Junction table entry_secrets; secrets user-scoped with type
- Per-user unique secrets.name; link_secret_names on add
- Manual migrations + migrate script; MCP/tool and Web updates

Made-with: Cursor
This commit is contained in:
王松
2026-04-03 17:37:04 +08:00
parent df701f21b9
commit c6fb457734
20 changed files with 1103 additions and 198 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/secrets-mcp/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "secrets-mcp"
version = "0.3.7"
version = "0.3.8"
edition.workspace = true
[[bin]]

46
crates/secrets-mcp/src/tools.rs
View File

@@ -225,12 +225,18 @@ struct AddInput {
description = "Metadata fields as a JSON object {\"key\": value}. Merged with 'meta' if both provided."
)]
meta_obj: Option<Map<String, Value>>,
#[schemars(description = "Secret fields as 'key=value' strings")]
#[schemars(
description = "Secret fields as 'key=value' strings. Reminder: non-sensitive endpoint/address fields should go to metadata.address instead of secrets."
)]
secrets: Option<Vec<String>>,
#[schemars(
description = "Secret fields as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided."
description = "Secret fields as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided. Reminder: non-sensitive endpoint/address fields should go to metadata.address."
)]
secrets_obj: Option<Map<String, Value>>,
#[schemars(
description = "Link existing secrets by secret name. Names must resolve uniquely under current user."
)]
link_secret_names: Option<Vec<String>>,
}
#[derive(Debug, Deserialize, JsonSchema)]
@@ -259,10 +265,12 @@ struct UpdateInput {
meta_obj: Option<Map<String, Value>>,
#[schemars(description = "Metadata field keys to remove")]
remove_meta: Option<Vec<String>>,
#[schemars(description = "Secret fields to update/add as 'key=value' strings")]
#[schemars(
description = "Secret fields to update/add as 'key=value' strings. Reminder: non-sensitive endpoint/address fields should go to metadata.address instead of secrets."
)]
secrets: Option<Vec<String>>,
#[schemars(
description = "Secret fields to update/add as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided."
description = "Secret fields to update/add as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided. Reminder: non-sensitive endpoint/address fields should go to metadata.address."
)]
secrets_obj: Option<Map<String, Value>>,
#[schemars(description = "Secret field keys to remove")]
@@ -429,10 +437,20 @@ impl SecretsService {
.entries
.iter()
.map(|e| {
let schema: Vec<&str> = result
let schema: Vec<serde_json::Value> = result
.secret_schemas
.get(&e.id)
.map(|f| f.iter().map(|s| s.field_name.as_str()).collect())
.map(|f| {
f.iter()
.map(|s| {
serde_json::json!({
"id": s.id,
"name": s.name,
"type": s.secret_type,
})
})
.collect()
})
.unwrap_or_default();
serde_json::json!({
"id": e.id,
@@ -517,10 +535,20 @@ impl SecretsService {
"updated_at": e.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
})
} else {
let schema: Vec<&str> = result
let schema: Vec<serde_json::Value> = result
.secret_schemas
.get(&e.id)
.map(|f| f.iter().map(|s| s.field_name.as_str()).collect())
.map(|f| {
f.iter()
.map(|s| {
serde_json::json!({
"id": s.id,
"name": s.name,
"type": s.secret_type,
})
})
.collect()
})
.unwrap_or_default();
serde_json::json!({
"id": e.id,
@@ -639,6 +667,7 @@ impl SecretsService {
if let Some(obj) = input.secrets_obj {
secrets.extend(map_to_kv_strings(obj));
}
let link_secret_names = input.link_secret_names.unwrap_or_default();
let folder = input.folder.as_deref().unwrap_or("");
let entry_type = input.entry_type.as_deref().unwrap_or("");
let notes = input.notes.as_deref().unwrap_or("");
@@ -653,6 +682,7 @@ impl SecretsService {
tags: &tags,
meta_entries: &meta,
secret_entries: &secrets,
link_secret_names: &link_secret_names,
user_id: Some(user_id),
},
&user_key,

131
crates/secrets-mcp/src/web.rs
View File

@@ -21,7 +21,7 @@ use secrets_core::service::{
api_key::{ensure_api_key, regenerate_api_key},
audit_log::list_for_user,
delete::delete_by_id,
search::{SearchParams, count_entries, list_entries},
search::{SearchParams, count_entries, fetch_secret_schemas, list_entries},
update::{UpdateEntryFieldsByIdParams, update_fields_by_id},
user::{
OAuthProfile, bind_oauth_account, find_or_create_user, get_user_by_id,
@@ -105,10 +105,17 @@ struct EntryListItemView {
notes: String,
tags: String,
metadata: String,
secrets: Vec<SecretSummaryView>,
/// RFC3339 UTC for `<time datetime>`; localized in entries.html.
updated_at_iso: String,
}
struct SecretSummaryView {
id: String,
name: String,
secret_type: String,
}
/// Cap for HTML list (avoids loading unbounded rows into memory).
const ENTRIES_PAGE_LIMIT: u32 = 5_000;
@@ -207,6 +214,10 @@ pub fn web_router() -> Router<AppState> {
"/api/entries/{id}",
patch(api_entry_patch).delete(api_entry_delete),
)
.route(
"/api/entries/{entry_id}/secrets/{secret_id}",
axum::routing::delete(api_entry_secret_unlink),
)
}
fn text_asset_response(content: &'static str, content_type: &'static str) -> Response {
@@ -577,6 +588,13 @@ async fn entries_page(
StatusCode::INTERNAL_SERVER_ERROR
})?;
let shown_count = rows.len();
let entry_ids: Vec<Uuid> = rows.iter().map(|e| e.id).collect();
let secret_schemas = fetch_secret_schemas(&state.pool, &entry_ids)
.await
.map_err(|e| {
tracing::error!(error = %e, "failed to load secret schema list for web");
StatusCode::INTERNAL_SERVER_ERROR
})?;
let entries = rows
.into_iter()
@@ -589,6 +607,19 @@ async fn entries_page(
tags: e.tags.join(", "),
metadata: serde_json::to_string_pretty(&e.metadata)
.unwrap_or_else(|_| "{}".to_string()),
secrets: secret_schemas
.get(&e.id)
.map(|fields| {
fields
.iter()
.map(|f| SecretSummaryView {
id: f.id.to_string(),
name: f.name.clone(),
secret_type: f.secret_type.clone(),
})
.collect()
})
.unwrap_or_default(),
updated_at_iso: e.updated_at.to_rfc3339_opts(SecondsFormat::Secs, true),
})
.collect();
@@ -1000,6 +1031,104 @@ async fn api_entry_delete(
})))
}
async fn api_entry_secret_unlink(
State(state): State<AppState>,
session: Session,
Path((entry_id, secret_id)): Path<(Uuid, Uuid)>,
) -> Result<Json<serde_json::Value>, EntryApiError> {
#[derive(sqlx::FromRow)]
struct EntryAuditRow {
folder: String,
#[sqlx(rename = "type")]
entry_type: String,
name: String,
}
let user_id = current_user_id(&session)
.await
.ok_or((StatusCode::UNAUTHORIZED, Json(json!({ "error": "未登录" }))))?;
let mut tx = state
.pool
.begin()
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
let entry_row: Option<EntryAuditRow> =
sqlx::query_as("SELECT folder, type, name FROM entries WHERE id = $1 AND user_id = $2")
.bind(entry_id)
.bind(user_id)
.fetch_optional(&mut *tx)
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
let Some(entry_row) = entry_row else {
tx.rollback()
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
return Err((
StatusCode::NOT_FOUND,
Json(json!({ "error": "条目不存在或无权访问" })),
));
};
let deleted = sqlx::query("DELETE FROM entry_secrets WHERE entry_id = $1 AND secret_id = $2")
.bind(entry_id)
.bind(secret_id)
.execute(&mut *tx)
.await
.map_err(|e| map_entry_mutation_err(e.into()))?
.rows_affected();
if deleted == 0 {
tx.rollback()
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
return Err((
StatusCode::NOT_FOUND,
Json(json!({ "error": "关联不存在" })),
));
}
let secret_deleted = sqlx::query(
"DELETE FROM secrets s \
WHERE s.id = $1 \
AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = s.id)",
)
.bind(secret_id)
.execute(&mut *tx)
.await
.map_err(|e| map_entry_mutation_err(e.into()))?
.rows_affected()
> 0;
secrets_core::audit::log_tx(
&mut tx,
Some(user_id),
"unlink_secret",
&entry_row.folder,
&entry_row.entry_type,
&entry_row.name,
json!({
"source": "web",
"entry_id": entry_id,
"secret_id": secret_id,
"deleted_secret": secret_deleted,
}),
)
.await;
tx.commit()
.await
.map_err(|e| map_entry_mutation_err(e.into()))?;
Ok(Json(json!({
"ok": true,
"deleted_relation": true,
"deleted_secret": secret_deleted,
})))
}
// ── OAuth / Well-known ────────────────────────────────────────────────────────
/// RFC 9728 — OAuth 2.0 Protected Resource Metadata.

130
crates/secrets-mcp/templates/entries.html
View File

@@ -45,7 +45,7 @@
.btn-sign-out:hover { background: var(--surface2); }
.main { padding: 32px 24px 40px; flex: 1; }
.card { background: var(--surface); border: 1px solid var(--border); border-radius: 12px;
padding: 24px; width: 100%; max-width: 1280px; margin: 0 auto; }
padding: 24px; width: 100%; max-width: 1480px; margin: 0 auto; }
.card-title { font-size: 20px; font-weight: 600; margin-bottom: 8px; }
.card-subtitle { color: var(--text-muted); font-size: 13px; margin-bottom: 20px; }
.filter-bar {
@@ -73,17 +73,46 @@
}
.btn-clear:hover { background: var(--surface2); color: var(--text); }
.empty { color: var(--text-muted); font-size: 14px; padding: 20px 0; }
.table-wrap { overflow-x: auto; }
table { width: 100%; border-collapse: collapse; min-width: 720px; }
th, td { text-align: left; vertical-align: top; padding: 12px 10px; border-top: 1px solid var(--border); }
th { color: var(--text-muted); font-size: 12px; font-weight: 600; white-space: nowrap; }
td { font-size: 13px; }
.mono { font-family: 'JetBrains Mono', monospace; }
.cell-notes, .cell-meta {
max-width: 280px; word-break: break-word;
.table-wrap {
overflow: auto;
border: 1px solid var(--border);
border-radius: 10px;
background: var(--bg);
max-height: 72vh;
}
table {
width: max-content;
min-width: 1240px;
border-collapse: separate;
border-spacing: 0;
}
th, td { text-align: left; vertical-align: top; padding: 12px 10px; border-top: 1px solid var(--border); }
th {
color: var(--text-muted);
font-size: 12px;
font-weight: 600;
white-space: nowrap;
position: sticky;
top: 0;
z-index: 2;
background: var(--surface);
}
td { font-size: 13px; line-height: 1.45; }
tbody tr:nth-child(2n) td { background: rgba(255, 255, 255, 0.01); }
.mono { font-family: 'JetBrains Mono', monospace; }
.col-updated { min-width: 168px; }
.col-folder { min-width: 128px; }
.col-type { min-width: 108px; }
.col-name { min-width: 180px; max-width: 260px; }
.col-tags { min-width: 160px; max-width: 220px; }
.col-actions { min-width: 132px; }
.cell-name, .cell-tags-val {
overflow-wrap: anywhere;
word-break: break-word;
}
.cell-notes, .cell-meta { min-width: 260px; max-width: 360px; }
.notes-scroll {
max-height: 160px;
max-height: 120px;
overflow: auto;
white-space: pre-wrap;
word-break: break-word;
@@ -96,10 +125,45 @@
.detail {
background: var(--bg); border: 1px solid var(--border); border-radius: 8px;
padding: 10px; white-space: pre-wrap; word-break: break-word; font-size: 12px;
max-width: 320px; max-height: 160px; overflow: auto;
max-width: 360px; max-height: 120px; overflow: auto;
}
.col-actions { white-space: nowrap; }
.row-actions { display: flex; flex-wrap: wrap; gap: 6px; }
.col-secrets { min-width: 300px; max-width: 420px; }
.secret-list { display: flex; flex-wrap: wrap; gap: 6px; max-width: 400px; }
.secret-chip {
display: inline-flex;
align-items: center;
gap: 6px;
border: 1px solid var(--border);
border-radius: 999px;
padding: 3px 8px;
font-size: 11px;
background: var(--surface2);
font-family: 'JetBrains Mono', monospace;
max-width: 100%;
min-width: 0;
}
.secret-name {
min-width: 0;
overflow: hidden;
text-overflow: ellipsis;
white-space: nowrap;
}
.secret-type {
color: var(--text-muted);
border-left: 1px solid var(--border);
padding-left: 6px;
}
.btn-unlink-secret {
border: none;
background: transparent;
color: #f85149;
cursor: pointer;
font-size: 12px;
line-height: 1;
padding: 0;
}
.btn-row {
padding: 4px 10px; border-radius: 6px; font-size: 12px; cursor: pointer;
border: 1px solid var(--border); background: var(--surface2); color: var(--text-muted);
@@ -145,7 +209,8 @@
.main { padding: 20px 12px 28px; }
.card { padding: 16px; }
.topbar { padding: 12px 16px; flex-wrap: wrap; }
table, thead, tbody, th, td, tr { display: block; }
.table-wrap { max-height: none; border: none; background: transparent; }
table, thead, tbody, th, td, tr { display: block; min-width: 0; width: 100%; }
thead { display: none; }
tr { border-top: 1px solid var(--border); padding: 12px 0; }
td { border-top: none; padding: 6px 0; max-width: none; }
@@ -160,9 +225,9 @@
td.col-notes::before { content: "Notes"; }
td.col-tags::before { content: "Tags"; }
td.col-meta::before { content: "Metadata"; }
td.col-secrets::before { content: "Secrets"; }
td.col-actions::before { content: "操作"; }
.detail { max-width: none; }
.notes-scroll { max-width: none; }
.detail, .notes-scroll, .secret-list { max-width: none; }
}
</style>
</head>
@@ -189,7 +254,7 @@
<main class="main">
<section class="card">
<div class="card-title">我的条目</div>
<div class="card-subtitle">在当前筛选条件下,共 <strong>{{ total_count }}</strong> 条记录;本页显示 <strong>{{ shown_count }}</strong> 条(按更新时间降序,单页最多 {{ limit }} 条)。不含密文字段。时间为浏览器本地时区。</div>
<div class="card-subtitle">在当前筛选条件下,共 <strong>{{ total_count }}</strong> 条记录;本页显示 <strong>{{ shown_count }}</strong> 条(按更新时间降序,单页最多 {{ limit }} 条)。不含密文字段。时间为浏览器本地时区。提示:非敏感地址类字段(如 address / endpoint / url建议放在 Metadata例如 <code>metadata.address</code>),仅密码/令牌等放 Secrets。</div>
<form class="filter-bar" method="get" action="/entries">
<div class="filter-field">
@@ -220,6 +285,7 @@
<th>Notes</th>
<th>Tags</th>
<th>Metadata</th>
<th>Secrets</th>
<th>操作</th>
</tr>
</thead>
@@ -233,6 +299,17 @@
<td class="col-notes cell-notes">{% if !entry.notes.is_empty() %}<div class="notes-scroll cell-notes-val">{{ entry.notes }}</div>{% endif %}</td>
<td class="col-tags mono cell-tags-val">{{ entry.tags }}</td>
<td class="col-meta cell-meta"><pre class="detail cell-meta-val">{{ entry.metadata }}</pre></td>
<td class="col-secrets">
<div class="secret-list">
{% for s in entry.secrets %}
<span class="secret-chip">
<span class="secret-name" title="{{ s.name }}">{{ s.name }}</span>
<span class="secret-type">{{ s.secret_type }}</span>
<button type="button" class="btn-unlink-secret" data-secret-id="{{ s.id }}" data-secret-name="{{ s.name }}" title="解除关联">x</button>
</span>
{% endfor %}
</div>
</td>
<td class="col-actions">
<div class="row-actions">
<button type="button" class="btn-row btn-edit">编辑</button>
@@ -383,6 +460,29 @@
})
.catch(function (e) { alert(e.message || String(e)); });
});
tr.querySelectorAll('.btn-unlink-secret').forEach(function (btn) {
btn.addEventListener('click', function () {
var entryId = tr.getAttribute('data-entry-id');
var secretId = btn.getAttribute('data-secret-id');
var secretName = btn.getAttribute('data-secret-name') || '';
if (!entryId || !secretId) return;
if (!confirm('确定解除 secret 关联「' + secretName + '」?')) return;
fetch('/api/entries/' + encodeURIComponent(entryId) + '/secrets/' + encodeURIComponent(secretId), {
method: 'DELETE',
credentials: 'same-origin'
}).then(function (r) {
return r.json().then(function (data) {
if (!r.ok) throw new Error(data.error || ('HTTP ' + r.status));
return data;
});
}).then(function () {
window.location.reload();
}).catch(function (e) {
alert(e.message || String(e));
});
});
});
});
})();
</script>