feat(nn): entry–secret N:N, unique secret names, web unlink
Bump secrets-mcp to 0.3.8 (tag 0.3.7 already used). - Junction table entry_secrets; secrets user-scoped with type - Per-user unique secrets.name; link_secret_names on add - Manual migrations + migrate script; MCP/tool and Web updates Made-with: Cursor
This commit is contained in:
王松
126
migrations/001_nn_schema.sql
Normal file
126
migrations/001_nn_schema.sql
Normal file
@@ -0,0 +1,126 @@
|
||||
-- Entry-Secret N:N migration (manual SQL)
|
||||
-- Safe to re-run: uses IF EXISTS/IF NOT EXISTS guards.
|
||||
|
||||
BEGIN;
|
||||
|
||||
-- 1) secrets: add new columns
|
||||
ALTER TABLE secrets
|
||||
ADD COLUMN IF NOT EXISTS user_id UUID REFERENCES users(id) ON DELETE SET NULL;
|
||||
ALTER TABLE secrets
|
||||
ADD COLUMN IF NOT EXISTS type VARCHAR(64) NOT NULL DEFAULT 'text';
|
||||
|
||||
-- 2) rename field_name -> name (idempotent)
|
||||
DO $$ BEGIN
|
||||
IF EXISTS (
|
||||
SELECT 1
|
||||
FROM information_schema.columns
|
||||
WHERE table_name = 'secrets' AND column_name = 'field_name'
|
||||
) THEN
|
||||
ALTER TABLE secrets RENAME COLUMN field_name TO name;
|
||||
END IF;
|
||||
END $$;
|
||||
|
||||
-- 3) create join table
|
||||
CREATE TABLE IF NOT EXISTS entry_secrets (
|
||||
entry_id UUID NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
|
||||
secret_id UUID NOT NULL REFERENCES secrets(id) ON DELETE CASCADE,
|
||||
sort_order INT NOT NULL DEFAULT 0,
|
||||
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
|
||||
PRIMARY KEY (entry_id, secret_id)
|
||||
);
|
||||
CREATE INDEX IF NOT EXISTS idx_entry_secrets_secret_id ON entry_secrets(secret_id);
|
||||
|
||||
-- 4) backfill user_id and relationship from old secrets.entry_id
|
||||
DO $$ BEGIN
|
||||
IF EXISTS (
|
||||
SELECT 1
|
||||
FROM information_schema.columns
|
||||
WHERE table_name = 'secrets' AND column_name = 'entry_id'
|
||||
) THEN
|
||||
UPDATE secrets s
|
||||
SET user_id = e.user_id
|
||||
FROM entries e
|
||||
WHERE s.entry_id = e.id AND s.user_id IS NULL;
|
||||
|
||||
INSERT INTO entry_secrets(entry_id, secret_id, sort_order)
|
||||
SELECT entry_id, id, 0
|
||||
FROM secrets
|
||||
WHERE entry_id IS NOT NULL
|
||||
ON CONFLICT DO NOTHING;
|
||||
END IF;
|
||||
END $$;
|
||||
|
||||
-- 5) backfill secret types
|
||||
UPDATE secrets SET type = 'pem' WHERE name IN ('ssh_key');
|
||||
UPDATE secrets SET type = 'password' WHERE name IN ('password');
|
||||
UPDATE secrets SET type = 'phone' WHERE name LIKE 'phone%';
|
||||
UPDATE secrets SET type = 'url' WHERE name IN ('webhook_url', 'address');
|
||||
UPDATE secrets
|
||||
SET type = 'token'
|
||||
WHERE name IN (
|
||||
'access_key_id',
|
||||
'access_key_secret',
|
||||
'global_api_key',
|
||||
'api_key',
|
||||
'secret_key',
|
||||
'personal_access_token',
|
||||
'runner_token',
|
||||
'GOOGLE_CLIENT_ID',
|
||||
'GOOGLE_CLIENT_SECRET'
|
||||
);
|
||||
|
||||
-- 6) drop old entry_id path
|
||||
ALTER TABLE secrets DROP CONSTRAINT IF EXISTS secrets_entry_id_fkey;
|
||||
DROP INDEX IF EXISTS idx_secrets_entry_id;
|
||||
ALTER TABLE secrets DROP CONSTRAINT IF EXISTS secrets_entry_id_field_name_key;
|
||||
ALTER TABLE secrets DROP CONSTRAINT IF EXISTS secrets_entry_id_name_key;
|
||||
ALTER TABLE secrets DROP COLUMN IF EXISTS entry_id;
|
||||
|
||||
-- 7) add indexes for new access paths
|
||||
CREATE INDEX IF NOT EXISTS idx_secrets_user_id
|
||||
ON secrets(user_id) WHERE user_id IS NOT NULL;
|
||||
DO $$
|
||||
DECLARE
|
||||
duplicate_samples TEXT;
|
||||
BEGIN
|
||||
SELECT string_agg(
|
||||
format('user_id=%s, name=%s, count=%s', t.user_id, t.name, t.cnt),
|
||||
E'\n'
|
||||
)
|
||||
INTO duplicate_samples
|
||||
FROM (
|
||||
SELECT user_id::TEXT AS user_id, name, COUNT(*) AS cnt
|
||||
FROM secrets
|
||||
WHERE user_id IS NOT NULL
|
||||
GROUP BY user_id, name
|
||||
HAVING COUNT(*) > 1
|
||||
ORDER BY cnt DESC, user_id, name
|
||||
LIMIT 20
|
||||
) t;
|
||||
|
||||
IF duplicate_samples IS NOT NULL THEN
|
||||
RAISE EXCEPTION
|
||||
'Cannot enforce unique constraint on secrets(user_id, name). Duplicates found:%',
|
||||
E'\n' || duplicate_samples
|
||||
USING HINT = 'Please deduplicate conflicting rows, then rerun migration.';
|
||||
END IF;
|
||||
END $$;
|
||||
CREATE UNIQUE INDEX IF NOT EXISTS idx_secrets_unique_user_name
|
||||
ON secrets(user_id, name) WHERE user_id IS NOT NULL;
|
||||
CREATE INDEX IF NOT EXISTS idx_secrets_name ON secrets(name);
|
||||
CREATE INDEX IF NOT EXISTS idx_secrets_type ON secrets(type);
|
||||
|
||||
-- 8) secrets_history: rename and remove entry-scoped columns
|
||||
DO $$ BEGIN
|
||||
IF EXISTS (
|
||||
SELECT 1
|
||||
FROM information_schema.columns
|
||||
WHERE table_name = 'secrets_history' AND column_name = 'field_name'
|
||||
) THEN
|
||||
ALTER TABLE secrets_history RENAME COLUMN field_name TO name;
|
||||
END IF;
|
||||
END $$;
|
||||
ALTER TABLE secrets_history DROP COLUMN IF EXISTS entry_id;
|
||||
ALTER TABLE secrets_history DROP COLUMN IF EXISTS entry_version;
|
||||
|
||||
COMMIT;
|
||||
67
migrations/002_data_cleanup.sql
Normal file
67
migrations/002_data_cleanup.sql
Normal file
@@ -0,0 +1,67 @@
|
||||
-- Metadata cleanup migration (manual SQL)
|
||||
-- Keep tags/type as dedicated columns; remove duplicated metadata keys.
|
||||
|
||||
BEGIN;
|
||||
|
||||
-- 1) Promote metadata.type -> entries.type when present.
|
||||
UPDATE entries
|
||||
SET type = metadata->>'type'
|
||||
WHERE metadata->>'type' IS NOT NULL
|
||||
AND metadata->>'type' <> '';
|
||||
|
||||
-- 2) Remove metadata.type.
|
||||
UPDATE entries
|
||||
SET metadata = metadata - 'type'
|
||||
WHERE metadata ? 'type';
|
||||
|
||||
-- 3) Remove metadata.environment (duplicated by tags prod/dev).
|
||||
UPDATE entries
|
||||
SET metadata = metadata - 'environment'
|
||||
WHERE metadata ? 'environment';
|
||||
|
||||
-- 4) Remove metadata.account when equal to folder.
|
||||
UPDATE entries
|
||||
SET metadata = metadata - 'account'
|
||||
WHERE metadata->>'account' = folder;
|
||||
|
||||
-- 5) Normalize manufacturer -> provider.
|
||||
UPDATE entries
|
||||
SET metadata = (metadata - 'manufacturer')
|
||||
|| jsonb_build_object('provider', metadata->>'manufacturer')
|
||||
WHERE metadata ? 'manufacturer'
|
||||
AND NOT metadata ? 'provider';
|
||||
|
||||
UPDATE entries
|
||||
SET metadata = metadata - 'manufacturer'
|
||||
WHERE metadata ? 'manufacturer'
|
||||
AND metadata ? 'provider';
|
||||
|
||||
-- 6) Drop ssh_key_format (moved to secrets.type).
|
||||
UPDATE entries
|
||||
SET metadata = metadata - 'ssh_key_format'
|
||||
WHERE metadata ? 'ssh_key_format';
|
||||
|
||||
-- 7) Remove display_name when duplicated by name.
|
||||
UPDATE entries
|
||||
SET metadata = metadata - 'display_name'
|
||||
WHERE metadata->>'display_name' = name;
|
||||
|
||||
-- 8) Condense server_* metadata into server_ref.
|
||||
UPDATE entries
|
||||
SET metadata = metadata
|
||||
- 'server_account'
|
||||
- 'server_hostname'
|
||||
- 'server_location'
|
||||
- 'server_public_ip'
|
||||
|| CASE
|
||||
WHEN metadata ? 'server_entry_name'
|
||||
THEN jsonb_build_object('server_ref', metadata->>'server_entry_name')
|
||||
ELSE '{}'::jsonb
|
||||
END
|
||||
WHERE metadata ? 'server_entry_name' OR metadata ? 'server_account';
|
||||
|
||||
UPDATE entries
|
||||
SET metadata = metadata - 'server_entry_name'
|
||||
WHERE metadata ? 'server_entry_name';
|
||||
|
||||
COMMIT;
|
||||
Reference in New Issue
Block a user