refactor: entries + secrets 双表，search 展示 field schema，key_ref PEM 共享

- secrets 表拆为 entries（主表）+ secrets（每字段一行）
- search 无需 master_key 即可展示 secrets 字段名、类型、长度
- inject/run 支持 metadata.key_ref 引用 kind=key 记录，PEM 轮换 O(1)
- entries_history + secrets_history 字段级历史，rollback 按 version 恢复
- 移除迁移用 DROP 语句，migrate 幂等
- v0.8.0

Made-with: Cursor

src/models.rs

@@ -3,16 +3,34 @@ use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use uuid::Uuid;
 
+/// A top-level entry (server, service, key, …).
+/// Sensitive fields are stored separately in `secrets`.
 #[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
-pub struct Secret {
+pub struct Entry {
     pub id: Uuid,
     pub namespace: String,
     pub kind: String,
     pub name: String,
     pub tags: Vec<String>,
     pub metadata: Value,
+    pub version: i64,
+    pub created_at: DateTime<Utc>,
+    pub updated_at: DateTime<Utc>,
+}
+
+/// A single encrypted field belonging to an Entry.
+/// field_name, field_type, and value_len are stored in plaintext so that
+/// `search` can show the schema without requiring the master key.
+#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
+pub struct SecretField {
+    pub id: Uuid,
+    pub entry_id: Uuid,
+    pub field_name: String,
+    /// Inferred type: "string", "number", "boolean", "json"
+    pub field_type: String,
+    /// Length of the plaintext value in characters (0 for binary-like PEM)
+    pub value_len: i32,
     /// AES-256-GCM ciphertext: nonce(12B) || ciphertext+tag
-    /// Decrypt with crypto::decrypt_json() before use.
     pub encrypted: Vec<u8>,
     pub version: i64,
     pub created_at: DateTime<Utc>,