feat(secrets-mcp): 审计页、audit_log user_id、OAuth 登录与仪表盘 footer

- audit_log 增加 user_id；业务写审计透传 user_id - Web /audit 与侧边栏；Dashboard 版本 footer 贴底（margin-top: auto） - 停止 API Key 鉴权成功写入登录审计 - 文档、CI、release-check 配套更新 Made-with: Cursor
2026-03-21 11:12:11 +08:00
parent ee028d45c3
commit f2344b7543
19 changed files with 361 additions and 69 deletions
--- a/crates/secrets-mcp/src/web.rs
+++ b/crates/secrets-mcp/src/web.rs
@@ -17,6 +17,7 @@ use secrets_core::audit::log_login;
 use secrets_core::crypto::hex;
 use secrets_core::service::{
    api_key::{ensure_api_key, regenerate_api_key},
+    audit_log::list_for_user,
    user::{
        OAuthProfile, bind_oauth_account, find_or_create_user, get_user_by_id,
        unbind_oauth_account, update_user_key_setup,
@@ -50,6 +51,22 @@ struct DashboardTemplate {
    version: &'static str,
 }

+#[derive(Template)]
+#[template(path = "audit.html")]
+struct AuditPageTemplate {
+    user_name: String,
+    user_email: String,
+    entries: Vec<AuditEntryView>,
+    version: &'static str,
+}
+
+struct AuditEntryView {
+    created_at: String,
+    action: String,
+    target: String,
+    detail: String,
+}
+
 // ── App state helpers ─────────────────────────────────────────────────────────

 fn google_cfg(state: &AppState) -> Option<&OAuthConfig> {
@@ -103,6 +120,7 @@ pub fn web_router() -> Router<AppState> {
        .route("/auth/google/callback", get(auth_google_callback))
        .route("/auth/logout", post(auth_logout))
        .route("/dashboard", get(dashboard))
+        .route("/audit", get(audit_page))
        .route("/account/bind/google", get(account_bind_google))
        .route(
            "/account/bind/google/callback",
@@ -364,6 +382,49 @@ async fn dashboard(
    render_template(tmpl)
 }

+async fn audit_page(
+    State(state): State<AppState>,
+    session: Session,
+) -> Result<Response, StatusCode> {
+    let Some(user_id) = current_user_id(&session).await else {
+        return Ok(Redirect::to("/").into_response());
+    };
+
+    let user = match get_user_by_id(&state.pool, user_id)
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
+    {
+        Some(u) => u,
+        None => return Ok(Redirect::to("/").into_response()),
+    };
+
+    let rows = list_for_user(&state.pool, user_id, 100)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to load audit log for user");
+            StatusCode::INTERNAL_SERVER_ERROR
+        })?;
+
+    let entries = rows
+        .into_iter()
+        .map(|row| AuditEntryView {
+            created_at: row.created_at.format("%Y-%m-%d %H:%M:%S UTC").to_string(),
+            action: row.action,
+            target: format_audit_target(&row.namespace, &row.kind, &row.name),
+            detail: serde_json::to_string_pretty(&row.detail).unwrap_or_else(|_| "{}".to_string()),
+        })
+        .collect();
+
+    let tmpl = AuditPageTemplate {
+        user_name: user.name.clone(),
+        user_email: user.email.clone().unwrap_or_default(),
+        entries,
+        version: env!("CARGO_PKG_VERSION"),
+    };
+
+    render_template(tmpl)
+}
+
 // ── Account bind/unbind ───────────────────────────────────────────────────────

 async fn account_bind_google(
@@ -577,3 +638,11 @@ fn render_template<T: Template>(tmpl: T) -> Result<Response, StatusCode> {
    })?;
    Ok(Html(html).into_response())
 }
+
+fn format_audit_target(namespace: &str, kind: &str, name: &str) -> String {
+    if namespace == "auth" {
+        format!("{}/{}", kind, name)
+    } else {
+        format!("[{}/{}] {}", namespace, kind, name)
+    }
+}