release(secrets-mcp): 0.2.0

- 日志时间戳使用本地时区（chrono RFC3339 + 偏移）
- MCP tools / Web 路由与行为调整
- 新增 static/llms.txt、robots.txt；文档与 deploy 示例同步

Made-with: Cursor

crates/secrets-mcp/src/main.rs

@@ -15,8 +15,11 @@ use rmcp::transport::streamable_http_server::{
 use sqlx::PgPool;
 use tower_http::cors::{Any, CorsLayer};
 use tower_sessions::cookie::SameSite;
-use tower_sessions::{MemoryStore, SessionManagerLayer};
+use tower_sessions::session_store::ExpiredDeletion;
+use tower_sessions::{Expiry, SessionManagerLayer};
+use tower_sessions_sqlx_store_chrono::PostgresStore;
 use tracing_subscriber::EnvFilter;
+use tracing_subscriber::fmt::time::FormatTime;
 
 use secrets_core::config::resolve_db_url;
 use secrets_core::db::{create_pool, migrate};
@@ -47,12 +50,27 @@ fn load_oauth_config(prefix: &str, base_url: &str, path: &str) -> Option<OAuthCo
     })
 }
 
+/// Log line timestamps in the process local timezone (honors `TZ` / system zone).
+#[derive(Clone, Copy, Default)]
+struct LocalRfc3339Time;
+
+impl FormatTime for LocalRfc3339Time {
+    fn format_time(&self, w: &mut tracing_subscriber::fmt::format::Writer<'_>) -> std::fmt::Result {
+        write!(
+            w,
+            "{}",
+            chrono::Local::now().to_rfc3339_opts(chrono::SecondsFormat::Millis, false)
+        )
+    }
+}
+
 #[tokio::main]
 async fn main() -> Result<()> {
     // Load .env if present
     let _ = dotenvy::dotenv();
 
     tracing_subscriber::fmt()
+        .with_timer(LocalRfc3339Time)
         .with_env_filter(
             EnvFilter::try_from_default_env()
                 .unwrap_or_else(|_| "secrets_mcp=info,tower_http=info".into()),
@@ -72,7 +90,8 @@ async fn main() -> Result<()> {
 
     // ── Configuration ─────────────────────────────────────────────────────────
     let base_url = load_env_var("BASE_URL").unwrap_or_else(|| "http://localhost:9315".to_string());
-    let bind_addr = load_env_var("SECRETS_MCP_BIND").unwrap_or_else(|| "0.0.0.0:9315".to_string());
+    let bind_addr =
+        load_env_var("SECRETS_MCP_BIND").unwrap_or_else(|| "127.0.0.1:9315".to_string());
 
     // ── OAuth providers ───────────────────────────────────────────────────────
     let google_config = load_oauth_config("GOOGLE", &base_url, "/auth/google/callback");
@@ -83,12 +102,23 @@ async fn main() -> Result<()> {
         );
     }
 
-    // ── Session store ─────────────────────────────────────────────────────────
-    let session_store = MemoryStore::default();
+    // ── Session store (PostgreSQL-backed) ─────────────────────────────────────
+    let session_store = PostgresStore::new(pool.clone());
+    session_store
+        .migrate()
+        .await
+        .context("failed to run session table migration")?;
+    // Prune expired rows every hour; task is aborted when the server shuts down.
+    let session_cleanup = tokio::spawn(
+        session_store
+            .clone()
+            .continuously_delete_expired(tokio::time::Duration::from_secs(3600)),
+    );
     // Strict would drop the session cookie on redirect from Google → our origin (cross-site nav).
     let session_layer = SessionManagerLayer::new(session_store)
         .with_secure(base_url.starts_with("https://"))
-        .with_same_site(SameSite::Lax);
+        .with_same_site(SameSite::Lax)
+        .with_expiry(Expiry::OnInactivity(time::Duration::days(14)));
 
     // ── App state ─────────────────────────────────────────────────────────────
     let app_state = AppState {
@@ -149,6 +179,7 @@ async fn main() -> Result<()> {
     .await
     .context("server error")?;
 
+    session_cleanup.abort();
     Ok(())
 }