feat(nn): entry–secret N:N, unique secret names, web unlink

Bump secrets-mcp to 0.3.8 (tag 0.3.7 already used). - Junction table entry_secrets; secrets user-scoped with type - Per-user unique secrets.name; link_secret_names on add - Manual migrations + migrate script; MCP/tool and Web updates Made-with: Cursor
2026-04-03 17:37:04 +08:00
parent df701f21b9
commit c6fb457734
20 changed files with 1103 additions and 198 deletions
--- a/crates/secrets-mcp/src/tools.rs
+++ b/crates/secrets-mcp/src/tools.rs
@@ -225,12 +225,18 @@ struct AddInput {
        description = "Metadata fields as a JSON object {\"key\": value}. Merged with 'meta' if both provided."
    )]
    meta_obj: Option<Map<String, Value>>,
-    #[schemars(description = "Secret fields as 'key=value' strings")]
+    #[schemars(
+        description = "Secret fields as 'key=value' strings. Reminder: non-sensitive endpoint/address fields should go to metadata.address instead of secrets."
+    )]
    secrets: Option<Vec<String>>,
    #[schemars(
-        description = "Secret fields as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided."
+        description = "Secret fields as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided. Reminder: non-sensitive endpoint/address fields should go to metadata.address."
    )]
    secrets_obj: Option<Map<String, Value>>,
+    #[schemars(
+        description = "Link existing secrets by secret name. Names must resolve uniquely under current user."
+    )]
+    link_secret_names: Option<Vec<String>>,
 }

 #[derive(Debug, Deserialize, JsonSchema)]
@@ -259,10 +265,12 @@ struct UpdateInput {
    meta_obj: Option<Map<String, Value>>,
    #[schemars(description = "Metadata field keys to remove")]
    remove_meta: Option<Vec<String>>,
-    #[schemars(description = "Secret fields to update/add as 'key=value' strings")]
+    #[schemars(
+        description = "Secret fields to update/add as 'key=value' strings. Reminder: non-sensitive endpoint/address fields should go to metadata.address instead of secrets."
+    )]
    secrets: Option<Vec<String>>,
    #[schemars(
-        description = "Secret fields to update/add as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided."
+        description = "Secret fields to update/add as a JSON object {\"key\": \"value\"}. Merged with 'secrets' if both provided. Reminder: non-sensitive endpoint/address fields should go to metadata.address."
    )]
    secrets_obj: Option<Map<String, Value>>,
    #[schemars(description = "Secret field keys to remove")]
@@ -429,10 +437,20 @@ impl SecretsService {
            .entries
            .iter()
            .map(|e| {
-                let schema: Vec<&str> = result
+                let schema: Vec<serde_json::Value> = result
                    .secret_schemas
                    .get(&e.id)
-                    .map(|f| f.iter().map(|s| s.field_name.as_str()).collect())
+                    .map(|f| {
+                        f.iter()
+                            .map(|s| {
+                                serde_json::json!({
+                                    "id": s.id,
+                                    "name": s.name,
+                                    "type": s.secret_type,
+                                })
+                            })
+                            .collect()
+                    })
                    .unwrap_or_default();
                serde_json::json!({
                    "id": e.id,
@@ -517,10 +535,20 @@ impl SecretsService {
                        "updated_at": e.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
                    })
                } else {
-                    let schema: Vec<&str> = result
+                    let schema: Vec<serde_json::Value> = result
                        .secret_schemas
                        .get(&e.id)
-                        .map(|f| f.iter().map(|s| s.field_name.as_str()).collect())
+                        .map(|f| {
+                            f.iter()
+                                .map(|s| {
+                                    serde_json::json!({
+                                        "id": s.id,
+                                        "name": s.name,
+                                        "type": s.secret_type,
+                                    })
+                                })
+                                .collect()
+                        })
                        .unwrap_or_default();
                    serde_json::json!({
                        "id": e.id,
@@ -639,6 +667,7 @@ impl SecretsService {
        if let Some(obj) = input.secrets_obj {
            secrets.extend(map_to_kv_strings(obj));
        }
+        let link_secret_names = input.link_secret_names.unwrap_or_default();
        let folder = input.folder.as_deref().unwrap_or("");
        let entry_type = input.entry_type.as_deref().unwrap_or("");
        let notes = input.notes.as_deref().unwrap_or("");
@@ -653,6 +682,7 @@ impl SecretsService {
                tags: &tags,
                meta_entries: &meta,
                secret_entries: &secrets,
+                link_secret_names: &link_secret_names,
                user_id: Some(user_id),
            },
            &user_key,
--- a/crates/secrets-mcp/src/web.rs
+++ b/crates/secrets-mcp/src/web.rs
@@ -21,7 +21,7 @@ use secrets_core::service::{
    api_key::{ensure_api_key, regenerate_api_key},
    audit_log::list_for_user,
    delete::delete_by_id,
-    search::{SearchParams, count_entries, list_entries},
+    search::{SearchParams, count_entries, fetch_secret_schemas, list_entries},
    update::{UpdateEntryFieldsByIdParams, update_fields_by_id},
    user::{
        OAuthProfile, bind_oauth_account, find_or_create_user, get_user_by_id,
@@ -105,10 +105,17 @@ struct EntryListItemView {
    notes: String,
    tags: String,
    metadata: String,
+    secrets: Vec<SecretSummaryView>,
    /// RFC3339 UTC for `<time datetime>`; localized in entries.html.
    updated_at_iso: String,
 }

+struct SecretSummaryView {
+    id: String,
+    name: String,
+    secret_type: String,
+}
+
 /// Cap for HTML list (avoids loading unbounded rows into memory).
 const ENTRIES_PAGE_LIMIT: u32 = 5_000;

@@ -207,6 +214,10 @@ pub fn web_router() -> Router<AppState> {
            "/api/entries/{id}",
            patch(api_entry_patch).delete(api_entry_delete),
        )
+        .route(
+            "/api/entries/{entry_id}/secrets/{secret_id}",
+            axum::routing::delete(api_entry_secret_unlink),
+        )
 }

 fn text_asset_response(content: &'static str, content_type: &'static str) -> Response {
@@ -577,6 +588,13 @@ async fn entries_page(
        StatusCode::INTERNAL_SERVER_ERROR
    })?;
    let shown_count = rows.len();
+    let entry_ids: Vec<Uuid> = rows.iter().map(|e| e.id).collect();
+    let secret_schemas = fetch_secret_schemas(&state.pool, &entry_ids)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to load secret schema list for web");
+            StatusCode::INTERNAL_SERVER_ERROR
+        })?;

    let entries = rows
        .into_iter()
@@ -589,6 +607,19 @@ async fn entries_page(
            tags: e.tags.join(", "),
            metadata: serde_json::to_string_pretty(&e.metadata)
                .unwrap_or_else(|_| "{}".to_string()),
+            secrets: secret_schemas
+                .get(&e.id)
+                .map(|fields| {
+                    fields
+                        .iter()
+                        .map(|f| SecretSummaryView {
+                            id: f.id.to_string(),
+                            name: f.name.clone(),
+                            secret_type: f.secret_type.clone(),
+                        })
+                        .collect()
+                })
+                .unwrap_or_default(),
            updated_at_iso: e.updated_at.to_rfc3339_opts(SecondsFormat::Secs, true),
        })
        .collect();
@@ -1000,6 +1031,104 @@ async fn api_entry_delete(
    })))
 }

+async fn api_entry_secret_unlink(
+    State(state): State<AppState>,
+    session: Session,
+    Path((entry_id, secret_id)): Path<(Uuid, Uuid)>,
+) -> Result<Json<serde_json::Value>, EntryApiError> {
+    #[derive(sqlx::FromRow)]
+    struct EntryAuditRow {
+        folder: String,
+        #[sqlx(rename = "type")]
+        entry_type: String,
+        name: String,
+    }
+
+    let user_id = current_user_id(&session)
+        .await
+        .ok_or((StatusCode::UNAUTHORIZED, Json(json!({ "error": "未登录" }))))?;
+
+    let mut tx = state
+        .pool
+        .begin()
+        .await
+        .map_err(|e| map_entry_mutation_err(e.into()))?;
+
+    let entry_row: Option<EntryAuditRow> =
+        sqlx::query_as("SELECT folder, type, name FROM entries WHERE id = $1 AND user_id = $2")
+            .bind(entry_id)
+            .bind(user_id)
+            .fetch_optional(&mut *tx)
+            .await
+            .map_err(|e| map_entry_mutation_err(e.into()))?;
+
+    let Some(entry_row) = entry_row else {
+        tx.rollback()
+            .await
+            .map_err(|e| map_entry_mutation_err(e.into()))?;
+        return Err((
+            StatusCode::NOT_FOUND,
+            Json(json!({ "error": "条目不存在或无权访问" })),
+        ));
+    };
+
+    let deleted = sqlx::query("DELETE FROM entry_secrets WHERE entry_id = $1 AND secret_id = $2")
+        .bind(entry_id)
+        .bind(secret_id)
+        .execute(&mut *tx)
+        .await
+        .map_err(|e| map_entry_mutation_err(e.into()))?
+        .rows_affected();
+
+    if deleted == 0 {
+        tx.rollback()
+            .await
+            .map_err(|e| map_entry_mutation_err(e.into()))?;
+        return Err((
+            StatusCode::NOT_FOUND,
+            Json(json!({ "error": "关联不存在" })),
+        ));
+    }
+
+    let secret_deleted = sqlx::query(
+        "DELETE FROM secrets s \
+         WHERE s.id = $1 \
+           AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = s.id)",
+    )
+    .bind(secret_id)
+    .execute(&mut *tx)
+    .await
+    .map_err(|e| map_entry_mutation_err(e.into()))?
+    .rows_affected()
+        > 0;
+
+    secrets_core::audit::log_tx(
+        &mut tx,
+        Some(user_id),
+        "unlink_secret",
+        &entry_row.folder,
+        &entry_row.entry_type,
+        &entry_row.name,
+        json!({
+            "source": "web",
+            "entry_id": entry_id,
+            "secret_id": secret_id,
+            "deleted_secret": secret_deleted,
+        }),
+    )
+    .await;
+
+    tx.commit()
+        .await
+        .map_err(|e| map_entry_mutation_err(e.into()))?;
+
+    Ok(Json(json!({
+        "ok": true,
+        "deleted_relation": true,
+        "deleted_secret": secret_deleted,
+    })))
+}
+
 // ── OAuth / Well-known ────────────────────────────────────────────────────────

 /// RFC 9728 — OAuth 2.0 Protected Resource Metadata.