refactor: 消除冗余、统一设计，bump 0.9.1

- 提取 EntryRow/SecretFieldRow 到 models.rs - 提取 current_actor()、print_json() 公共函数 - ExportFormat::from_extension 复用 from_str - fetch_entries 默认 limit 100k（export/inject/run 不再截断） - history 独立为 history.rs 模块 - delete 改用 DeleteArgs 结构体 - config_dir 改为 Result，Argon2id 参数提取常量 - Cargo 依赖 ^ 前缀、tokio 精简 features - 更新 AGENTS.md 项目结构 Made-with: Cursor
feat: add export/import commands for batch backup (JSON/TOML/YAML)
2026-03-19 15:46:57 +08:00 · 2026-03-19 15:29:26 +08:00 · 2026-03-19 15:18:12 +08:00 · 2026-03-19 14:33:38 +08:00 · 2026-03-19 14:27:04 +08:00 · 2026-03-19 12:24:20 +08:00
29 changed files with 6398 additions and 569 deletions
--- a/.gitea/workflows/secrets.yml
+++ b/.gitea/workflows/secrets.yml
@@ -7,7 +7,6 @@ on:
      - 'src/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.gitea/workflows/secrets.yml'
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -56,6 +55,13 @@ jobs:
            echo "将创建新版本 ${tag}"
          fi
      - name: 严格拦截重复版本
        if: steps.ver.outputs.tag_exists == 'true'
        run: |
          echo "错误: 版本 ${{ steps.ver.outputs.tag }} 已存在，禁止重复发版。"
          echo "请先 bump Cargo.toml 中的 version，并执行 cargo build 同步 Cargo.lock。"
          exit 1
      - name: 创建 Tag
        if: steps.ver.outputs.tag_exists == 'false'
        run: |
@@ -128,71 +134,6 @@ jobs:
            echo "release_id=" >> "$GITHUB_OUTPUT"
          fi
  probe-runners:
    name: 探测 Runner
    runs-on: debian
    outputs:
      has_linux: ${{ steps.probe.outputs.has_linux }}
      has_macos: ${{ steps.probe.outputs.has_macos }}
      has_windows: ${{ steps.probe.outputs.has_windows }}
    steps:
      - name: 查询可用 Runner
        id: probe
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          fallback_all() {
            echo "has_linux=true" >> "$GITHUB_OUTPUT"
            echo "has_macos=true" >> "$GITHUB_OUTPUT"
            echo "has_windows=true" >> "$GITHUB_OUTPUT"
          }
          if [ -z "$RELEASE_TOKEN" ]; then
            echo "未配置 RELEASE_TOKEN，默认尝试所有平台"
            fallback_all; exit 0
          fi
          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
          http_code=$(curl -sS -o /tmp/runners.json -w '%{http_code}' \
            -H "Authorization: token $RELEASE_TOKEN" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/runners")
          if [ "$http_code" != "200" ]; then
            echo "Runner API 返回 HTTP ${http_code}，默认尝试所有平台"
            fallback_all; exit 0
          fi
          has_runner() {
            local label="$1"
            jq -e --arg label "$label" '
              (.runners // .data // . // [])
              | any(
                  (
                    (.online == true)
                    or (
                      ((.status // "") | ascii_downcase)
                      | IN("online", "idle", "busy", "active")
                    )
                  )
                  and (
                    (.labels // [])
                    | map(if type == "object" then (.name // .label // "") else tostring end | ascii_downcase)
                    | index($label)
                  ) != null
                )
            ' /tmp/runners.json >/dev/null
          }
          for pair in "debian:has_linux" "darwin-arm64:has_macos" "windows:has_windows"; do
            label="$(printf '%s' "${pair%%:*}" | tr '[:upper:]' '[:lower:]')"; key="${pair##*:}"
            if has_runner "$label"; then
              echo "${key}=true" >> "$GITHUB_OUTPUT"
            else
              echo "${key}=false" >> "$GITHUB_OUTPUT"
            fi
          done
  check:
    name: 质量检查 (fmt / clippy / test)
    runs-on: debian
@@ -227,10 +168,9 @@ jobs:
  build-linux:
    name: Build (x86_64-unknown-linux-musl)
-    needs: [version, probe-runners, check]
+    needs: [version, check]
    if: needs.probe-runners.outputs.has_linux == 'true'
    runs-on: debian
-    timeout-minutes: 1
+    timeout-minutes: 15
    steps:
      - name: 安装依赖
        run: |
@@ -270,16 +210,39 @@ jobs:
          bin="target/x86_64-unknown-linux-musl/release/${{ env.BINARY_NAME }}"
          archive="${{ env.BINARY_NAME }}-${tag}-x86_64-linux-musl.tar.gz"
          tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")"
          sha256sum "$archive" > "${archive}.sha256"
          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
            -F "attachment=@${archive}" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
            -F "attachment=@${archive}.sha256" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
      - name: 飞书通知
        if: always()
        env:
          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
        run: |
          [ -z "$WEBHOOK_URL" ] && exit 0
          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
          tag="${{ needs.version.outputs.tag }}"
          commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
          url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
          result="${{ job.status }}"
          if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
          msg="secrets linux 构建${icon}
          版本：${tag}
          提交：${commit}
          作者：${{ github.actor }}
          详情：${url}"
          payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
          curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
  build-macos:
-    name: Build (aarch64-apple-darwin)
+    name: Build (macOS aarch64 + x86_64)
-    needs: [version, probe-runners, check]
+    needs: [version, check]
    if: needs.probe-runners.outputs.has_macos == 'true'
    runs-on: darwin-arm64
-    timeout-minutes: 1
+    timeout-minutes: 15
    steps:
      - name: 安装依赖
        run: |
@@ -288,6 +251,7 @@ jobs:
          fi
          source "$HOME/.cargo/env" 2>/dev/null || true
          rustup target add aarch64-apple-darwin
          rustup target add x86_64-apple-darwin
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - uses: actions/checkout@v4
@@ -300,12 +264,14 @@ jobs:
            ~/.cargo/registry/cache
            ~/.cargo/git/db
            target
-          key: cargo-aarch64-apple-darwin-${{ hashFiles('Cargo.lock') }}
+          key: cargo-macos-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
-            cargo-aarch64-apple-darwin-
+            cargo-macos-
      - run: cargo build --release --locked --target aarch64-apple-darwin
      - run: cargo build --release --locked --target x86_64-apple-darwin
      - run: strip -x target/aarch64-apple-darwin/release/${{ env.BINARY_NAME }}
      - run: strip -x target/x86_64-apple-darwin/release/${{ env.BINARY_NAME }}
      - name: 上传 Release 产物
        if: needs.version.outputs.release_id != ''
@@ -314,28 +280,67 @@ jobs:
        run: |
          [ -z "$RELEASE_TOKEN" ] && exit 0
          tag="${{ needs.version.outputs.tag }}"
-          bin="target/aarch64-apple-darwin/release/${{ env.BINARY_NAME }}"
+          release_id="${{ needs.version.outputs.release_id }}"
-          archive="${{ env.BINARY_NAME }}-${tag}-aarch64-macos.tar.gz"
+
-          tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")"
+          arm_bin="target/aarch64-apple-darwin/release/${{ env.BINARY_NAME }}"
          arm_archive="${{ env.BINARY_NAME }}-${tag}-aarch64-macos.tar.gz"
          tar -czf "$arm_archive" -C "$(dirname "$arm_bin")" "$(basename "$arm_bin")"
          shasum -a 256 "$arm_archive" > "${arm_archive}.sha256"
          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
-            -F "attachment=@${archive}" \
+            -F "attachment=@${arm_archive}" \
-            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${release_id}/assets"
          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
            -F "attachment=@${arm_archive}.sha256" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${release_id}/assets"
          intel_bin="target/x86_64-apple-darwin/release/${{ env.BINARY_NAME }}"
          intel_archive="${{ env.BINARY_NAME }}-${tag}-x86_64-macos.tar.gz"
          tar -czf "$intel_archive" -C "$(dirname "$intel_bin")" "$(basename "$intel_bin")"
          shasum -a 256 "$intel_archive" > "${intel_archive}.sha256"
          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
            -F "attachment=@${intel_archive}" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${release_id}/assets"
          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
            -F "attachment=@${intel_archive}.sha256" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${release_id}/assets"
      - name: 飞书通知
        if: always()
        env:
          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
        run: |
          [ -z "$WEBHOOK_URL" ] && exit 0
          tag="${{ needs.version.outputs.tag }}"
          commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
          url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
          result="${{ job.status }}"
          if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
          msg="secrets macOS 双架构构建${icon}
          版本：${tag}
          目标：aarch64-apple-darwin, x86_64-apple-darwin
          提交：${commit}
          作者：${{ github.actor }}
          详情：${url}"
          payload=$(python3 -c "import json,sys; print(json.dumps({'msg_type':'text','content':{'text':sys.argv[1]}}))" "$msg")
          curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
  build-windows:
    name: Build (x86_64-pc-windows-msvc)
-    needs: [version, probe-runners, check]
+    needs: [version, check]
    if: needs.probe-runners.outputs.has_windows == 'true'
    runs-on: windows
-    timeout-minutes: 1
+    timeout-minutes: 15
    steps:
      - name: 安装依赖
        shell: pwsh
        run: |
          $cargoBin = Join-Path $env:USERPROFILE ".cargo\bin"
          if (-not (Get-Command cargo -ErrorAction SilentlyContinue)) {
            Invoke-WebRequest -Uri "https://win.rustup.rs/x86_64" -OutFile rustup-init.exe
            .\rustup-init.exe -y --default-toolchain stable
            Remove-Item rustup-init.exe
          }
          $env:Path = "$cargoBin;$env:Path"
          Add-Content -Path $env:GITHUB_PATH -Value $cargoBin
          rustup target add x86_64-pc-windows-msvc
      - uses: actions/checkout@v4
@@ -367,39 +372,56 @@ jobs:
          $bin = "target\x86_64-pc-windows-msvc\release\${{ env.BINARY_NAME }}.exe"
          $archive = "${{ env.BINARY_NAME }}-${tag}-x86_64-windows.zip"
          Compress-Archive -Path $bin -DestinationPath $archive -Force
          $hash = (Get-FileHash -Algorithm SHA256 $archive).Hash.ToLower()
          Set-Content -Path "${archive}.sha256" -Value "$hash  $archive" -NoNewline
          $url = "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
          Invoke-RestMethod -Uri $url -Method Post `
            -Headers @{ "Authorization" = "token $env:RELEASE_TOKEN" } `
            -Form @{ attachment = Get-Item $archive }
          Invoke-RestMethod -Uri $url -Method Post `
            -Headers @{ "Authorization" = "token $env:RELEASE_TOKEN" } `
            -Form @{ attachment = Get-Item "${archive}.sha256" }
      - name: 飞书通知
        if: always()
        shell: pwsh
        env:
          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
        run: |
          if (-not $env:WEBHOOK_URL) { exit 0 }
          $tag = "${{ needs.version.outputs.tag }}"
          $commit = (git log -1 --pretty=format:"%s" 2>$null) ?? "N/A"
          $url = "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
          $result = "${{ job.status }}"
          $icon = if ($result -eq "success") { "✅" } else { "❌" }
          $msg = "secrets windows 构建${icon}`n版本：${tag}`n提交：${commit}`n作者：${{ github.actor }}`n详情：${url}"
          $payload = @{ msg_type = "text"; content = @{ text = $msg } } | ConvertTo-Json
          Invoke-RestMethod -Uri $env:WEBHOOK_URL -Method Post `
            -ContentType "application/json" -Body $payload
  publish-release:
    name: 发布草稿 Release
-    needs: [version, check, build-linux, build-macos, build-windows]
+    needs: [version, build-linux, build-macos, build-windows]
    if: always() && needs.version.outputs.release_id != ''
    runs-on: debian
-    timeout-minutes: 2
+    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - name: 发布草稿
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          [ -z "$RELEASE_TOKEN" ] && exit 0
          version_r="${{ needs.version.result }}"
          check_r="${{ needs.check.result }}"
          linux_r="${{ needs.build-linux.result }}"
          macos_r="${{ needs.build-macos.result }}"
          windows_r="${{ needs.build-windows.result }}"
-
+          if [ "$linux_r" != "success" ] || [ "$macos_r" != "success" ] || [ "$windows_r" != "success" ]; then
-          for result in "$version_r" "$check_r" "$linux_r" "$macos_r" "$windows_r"; do
+            echo "存在未成功的构建任务，保留草稿 Release"
-            case "$result" in
+            echo "linux=${linux_r} macos=${macos_r} windows=${windows_r}"
-              success|skipped) ;;
+            exit 0
-              *)
+          fi
                echo "存在失败或取消的 job，保留草稿 Release"
                exit 0
                ;;
            esac
          done
          release_api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}"
          http_code=$(curl -sS -o /tmp/publish-release.json -w '%{http_code}' \
@@ -413,18 +435,10 @@ jobs:
            cat /tmp/publish-release.json 2>/dev/null || true
            exit 1
          fi
          echo "Release 已发布"
-  notify:
+      - name: 飞书汇总通知
-    name: 通知
+        if: always()
    needs: [version, probe-runners, check, build-linux, build-macos, build-windows, publish-release]
    if: always() && github.event_name == 'push'
    runs-on: debian
    timeout-minutes: 1
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: 发送飞书通知
        env:
          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
        run: |
@@ -436,43 +450,30 @@ jobs:
          commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
          url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
          version_r="${{ needs.version.result }}"
          check_r="${{ needs.check.result }}"
          linux_r="${{ needs.build-linux.result }}"
          macos_r="${{ needs.build-macos.result }}"
          windows_r="${{ needs.build-windows.result }}"
-          publish_r="${{ needs.publish-release.result }}"
+          publish_r="${{ job.status }}"
-          if [ "$version_r" = "success" ] && [ "$check_r" = "success" ] \
+          icon() { case "$1" in success) echo "✅";; skipped) echo "⏭";; *) echo "❌";; esac; }
-            && [ "$linux_r" != "failure" ] && [ "$linux_r" != "cancelled" ] \
+
-            && [ "$macos_r" != "failure" ] && [ "$macos_r" != "cancelled" ] \
+          if [ "$linux_r" = "success" ] && [ "$macos_r" = "success" ] && [ "$windows_r" = "success" ] && [ "$publish_r" = "success" ]; then
-            && [ "$windows_r" != "failure" ] && [ "$windows_r" != "cancelled" ] \
+            status="发布成功 ✅"
-            && [ "$publish_r" != "failure" ] && [ "$publish_r" != "cancelled" ]; then
+          elif [ "$linux_r" != "success" ] || [ "$macos_r" != "success" ] || [ "$windows_r" != "success" ]; then
            status="构建成功 ✅"
          else
            status="构建失败 ❌"
          fi
          icon() {
            case "$1" in
              success) echo "✅" ;;
              skipped) echo "⏭" ;;
              *) echo "❌" ;;
            esac
          }
          msg="${{ env.BINARY_NAME }} ${status}"
          if [ "$tag_exists" = "false" ]; then
            msg="${msg}
          🆕 新版本 ${tag}"
          else
-            msg="${msg}
+            status="发布失败 ❌"
          🔄 重复构建 ${tag}"
          fi
-          msg="${msg}
+          if [ "$tag_exists" = "false" ]; then
-          构建结果：linux$(icon "$linux_r") macOS$(icon "$macos_r") windows$(icon "$windows_r")
+            version_line="🆕 新版本 ${tag}"
-          Release：$(icon "$publish_r")
+          else
            version_line="🔄 重复构建 ${tag}"
          fi
          msg="secrets ${status}
          ${version_line}
          linux $(icon "$linux_r") | macOS $(icon "$macos_r") | windows $(icon "$windows_r") | Release $(icon "$publish_r")
          提交：${commit}
          作者：${{ github.actor }}
          详情：${url}"
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /target
 .env
-.DS_Store
+.DS_Store
 .cursor/
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -25,12 +25,36 @@
      "command": "./target/debug/secrets help add",
      "dependsOn": "build"
    },
    {
      "label": "cli: help config",
      "type": "shell",
      "command": "./target/debug/secrets help config",
      "dependsOn": "build"
    },
    {
      "label": "cli: config path",
      "type": "shell",
      "command": "./target/debug/secrets config path",
      "dependsOn": "build"
    },
    {
      "label": "cli: config show",
      "type": "shell",
      "command": "./target/debug/secrets config show",
      "dependsOn": "build"
    },
    {
      "label": "test: search all",
      "type": "shell",
      "command": "./target/debug/secrets search",
      "dependsOn": "build"
    },
    {
      "label": "test: search all (verbose)",
      "type": "shell",
      "command": "./target/debug/secrets --verbose search",
      "dependsOn": "build"
    },
    {
      "label": "test: search by namespace (refining)",
      "type": "shell",
@@ -80,9 +104,9 @@
      "dependsOn": "build"
    },
    {
-      "label": "test: search with secrets revealed",
+      "label": "test: inject service secrets",
      "type": "shell",
-      "command": "./target/debug/secrets search -n refining --kind service --name gitea --show-secrets",
+      "command": "./target/debug/secrets inject -n refining --kind service --name gitea",
      "dependsOn": "build"
    },
    {
@@ -94,13 +118,31 @@
    {
      "label": "test: add + delete roundtrip",
      "type": "shell",
-      "command": "echo '--- add ---' && ./target/debug/secrets add -n test --kind demo --name roundtrip-test --tag test -m foo=bar -s password=secret123 && echo '--- search ---' && ./target/debug/secrets search -n test --show-secrets && echo '--- delete ---' && ./target/debug/secrets delete -n test --kind demo --name roundtrip-test && echo '--- verify deleted ---' && ./target/debug/secrets search -n test",
+      "command": "echo '--- add ---' && ./target/debug/secrets add -n test --kind demo --name roundtrip-test --tag test -m foo=bar -s password=secret123 && echo '--- search metadata ---' && ./target/debug/secrets search -n test && echo '--- inject secrets ---' && ./target/debug/secrets inject -n test --kind demo --name roundtrip-test && echo '--- delete ---' && ./target/debug/secrets delete -n test --kind demo --name roundtrip-test && echo '--- verify deleted ---' && ./target/debug/secrets search -n test",
      "dependsOn": "build"
    },
    {
      "label": "test: add + delete roundtrip (verbose)",
      "type": "shell",
      "command": "echo '--- add (verbose) ---' && ./target/debug/secrets --verbose add -n test --kind demo --name roundtrip-verbose --tag test -m foo=bar -s password=secret123 && echo '--- delete (verbose) ---' && ./target/debug/secrets --verbose delete -n test --kind demo --name roundtrip-verbose",
      "dependsOn": "build"
    },
    {
      "label": "test: update roundtrip",
      "type": "shell",
      "command": "echo '--- add ---' && ./target/debug/secrets add -n test --kind demo --name update-test --tag v1 -m env=staging && echo '--- update ---' && ./target/debug/secrets update -n test --kind demo --name update-test --add-tag v2 --remove-tag v1 -m env=production && echo '--- verify ---' && ./target/debug/secrets search -n test --kind demo && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind demo --name update-test",
      "dependsOn": "build"
    },
    {
      "label": "test: audit log",
      "type": "shell",
      "command": "echo '--- add ---' && ./target/debug/secrets add -n test --kind demo --name audit-test -m foo=bar -s key=val && echo '--- update ---' && ./target/debug/secrets update -n test --kind demo --name audit-test -m foo=baz && echo '--- delete ---' && ./target/debug/secrets delete -n test --kind demo --name audit-test && echo '--- audit log (last 5) ---' && psql $DATABASE_URL -c \"SELECT action, namespace, kind, name, actor, detail, created_at FROM audit_log ORDER BY created_at DESC LIMIT 5;\"",
      "dependsOn": "build"
    },
    {
      "label": "test: add with file secret",
      "type": "shell",
-      "command": "echo '--- add key from file ---' && ./target/debug/secrets add -n test --kind key --name test-key --tag test -s content=@./refining/keys/Vultr && echo '--- verify ---' && ./target/debug/secrets search -n test --kind key --show-secrets && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind key --name test-key",
+      "command": "echo '--- add key from file ---' && ./target/debug/secrets add -n test --kind key --name test-key --tag test -s content=@./refining/keys/Vultr && echo '--- verify metadata ---' && ./target/debug/secrets search -n test --kind key && echo '--- verify inject ---' && ./target/debug/secrets inject -n test --kind key --name test-key && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind key --name test-key",
      "dependsOn": "build"
    }
  ]
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,98 +1,300 @@
 # Secrets CLI — AGENTS.md
-跨设备密钥与配置管理 CLI 工具，将 refining / ricnsmart 两个项目的服务器信息、服务凭据存储到 PostgreSQL 18，供 AI 工具读取上下文。
+## 提交 / 发版硬规则（优先于下文其他说明）
 1. 涉及 `src/**`、`Cargo.toml`、`Cargo.lock`、CLI 行为变更的提交，默认视为**需要发版**，除非用户明确说明“本次不发版”。
 2. 发版前必须先检查 `Cargo.toml` 中的 `version`，再检查是否已存在对应 tag：`git tag -l 'secrets-*'`。
 3. 若当前版本对应 tag 已存在，必须先 bump `Cargo.toml` 的 `version`，再执行 `cargo build` 同步 `Cargo.lock`，然后才能提交。
 4. 提交前优先运行 `./scripts/release-check.sh`；该脚本会检查重复版本并执行 `cargo fmt -- --check && cargo clippy --locked -- -D warnings && cargo test --locked`。
 跨设备密钥与配置管理 CLI 工具，将服务器信息、服务凭据等存储到 PostgreSQL 18，供 AI 工具读取上下文。每个加密字段单独行存储（`secrets` 子表），字段名、类型、长度以明文保存，主密钥由 Argon2id 从主密码派生并存入平台安全存储（macOS Keychain / Windows Credential Manager / Linux keyutils）。
 ## 项目结构
 ```
 secrets/
  src/
-    main.rs              # CLI 入口，clap 命令定义，auto-migrate
+    main.rs              # CLI 入口，clap 命令定义，auto-migrate，--verbose 全局参数
-    db.rs                # PgPool 创建 + 建表/索引（幂等）
+    output.rs            # OutputMode 枚举 + TTY 检测（TTY→text，非 TTY→json-compact）
-    models.rs            # Secret 结构体（sqlx::FromRow + serde）
+    config.rs            # 配置读写：~/.config/secrets/config.toml（database_url）
    db.rs                # PgPool 创建 + 建表/索引（DROP+CREATE，含所有表）
    crypto.rs            # AES-256-GCM 加解密、Argon2id 派生、OS 钥匙串
    models.rs            # Entry + SecretField 结构体（sqlx::FromRow + serde）
    audit.rs             # 审计写入：log_tx（事务内）
    commands/
-      add.rs             # add 命令：upsert，支持 --meta key=value / --secret key=@file
+      init.rs            # init 命令：主密钥初始化（每台设备一次）
-      search.rs          # search 命令：多条件动态查询
+      add.rs             # add 命令：upsert entries + 逐字段写入 secrets，含历史快照
-      delete.rs          # delete 命令
+      config.rs          # config 命令：set-db / show / path（持久化 database_url）
      search.rs          # search 命令：多条件查询，展示 secrets 字段 schema（无需 master_key）
      delete.rs          # delete 命令：事务化，CASCADE 删除 secrets，含历史快照
      update.rs          # update 命令：增量更新，secrets 行级 UPSERT/DELETE，CAS 并发保护
      rollback.rs        # rollback 命令：按 entry_version 恢复 entry + secrets
      history.rs         # history 命令：查看 entry 变更历史列表
      run.rs             # inject / run 命令：逐字段解密 + key_ref 引用解析
      upgrade.rs         # upgrade 命令：检查、校验摘要并下载最新版本，自动替换二进制
      export_cmd.rs      # export 命令：批量导出记录，支持 JSON/TOML/YAML，含解密明文
      import_cmd.rs      # import 命令：批量导入记录，冲突检测，dry-run，重新加密写入
  scripts/
-    seed-data.sh         # 从 refining/ricnsmart config.toml 导入全量数据
+    release-check.sh        # 发版前检查版本号/tag 是否重复，并执行 fmt/clippy/test
    setup-gitea-actions.sh  # 配置 Gitea Actions 变量与 Secrets
  .gitea/workflows/
    secrets.yml          # CI：fmt + clippy + musl 构建 + Release 上传 + 飞书通知
-  .vscode/tasks.json     # 本地测试任务（build / search / add+delete roundtrip 等）
+  .vscode/tasks.json     # 本地测试任务（build / config / search / add+delete / update / audit 等）
  .env                   # DATABASE_URL（gitignore，不提交）
 ```
 ## 数据库
- **Host**: `47.117.131.22:5432`（阿里云上海 ECS，PostgreSQL 18 with io_uring）
+- **Host**: `<host>:<port>`
 - **Database**: `secrets`
- **连接串**: `postgres://postgres:<password>@47.117.131.22:5432/secrets`
+- **连接串**: `postgres://postgres:<password>@<host>:<port>/secrets`
- **表**: 单张 `secrets` 表，首次连接自动建表（auto-migrate）
+- **表**: `entries`（主表）+ `secrets`（加密字段子表）+ `entries_history` + `secrets_history` + `audit_log` + `kv_config`，首次连接自动建表（auto-migrate）
 ### 表结构
 ```sql
-secrets (
+entries (
  id          UUID PRIMARY KEY DEFAULT uuidv7(),  -- PG18 时间有序 UUID
  namespace   VARCHAR(64)   NOT NULL,              -- 一级隔离: "refining" | "ricnsmart"
-  kind        VARCHAR(64)   NOT NULL,              -- 类型: "server" | "service"（可扩展）
+  kind        VARCHAR(64)   NOT NULL,              -- 类型: "server" | "service" | "key"（可扩展）
  name        VARCHAR(256)  NOT NULL,              -- 人类可读标识
  tags        TEXT[]        NOT NULL DEFAULT '{}', -- 灵活标签: ["aliyun","hongkong"]
  metadata    JSONB         NOT NULL DEFAULT '{}', -- 明文描述: ip, desc, domains, location...
-  encrypted   JSONB         NOT NULL DEFAULT '{}', -- 敏感数据: ssh_key, password, token...
+  version     BIGINT        NOT NULL DEFAULT 1,    -- 乐观锁版本号，每次写操作自增
  created_at  TIMESTAMPTZ   NOT NULL DEFAULT NOW(),
  updated_at  TIMESTAMPTZ   NOT NULL DEFAULT NOW(),
  UNIQUE(namespace, kind, name)
 )
 ```
 ```sql
 secrets (
  id          UUID PRIMARY KEY DEFAULT uuidv7(),
  entry_id    UUID         NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
  field_name  VARCHAR(256) NOT NULL,              -- 明文字段名: "username", "token", "ssh_key"
  field_type  VARCHAR(32)  NOT NULL DEFAULT 'string', -- 明文类型: "string"|"number"|"boolean"|"json"
  value_len   INT          NOT NULL DEFAULT 0,    -- 明文原始值字符数（PEM≈4096，token≈40）
  encrypted   BYTEA        NOT NULL DEFAULT '\x', -- 仅加密值本身：nonce(12B)||ciphertext+tag
  version     BIGINT       NOT NULL DEFAULT 1,
  created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
  updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
  UNIQUE(entry_id, field_name)
 )
 ```
 ```sql
 kv_config (
  key   TEXT PRIMARY KEY,   -- 如 'argon2_salt'
  value BYTEA NOT NULL      -- Argon2id salt，首台设备 init 时生成
 )
 ```
 ### audit_log 表结构
 ```sql
 audit_log (
  id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  action      VARCHAR(32)   NOT NULL,              -- 'add' | 'update' | 'delete' | 'rollback'
  namespace   VARCHAR(64)   NOT NULL,
  kind        VARCHAR(64)   NOT NULL,
  name        VARCHAR(256)  NOT NULL,
  detail      JSONB         NOT NULL DEFAULT '{}', -- 变更摘要（tags/meta keys/secret keys，不含 value）
  actor       VARCHAR(128)  NOT NULL DEFAULT '',   -- 操作者（$USER 环境变量）
  created_at  TIMESTAMPTZ   NOT NULL DEFAULT NOW()
 )
 ```
 ### entries_history 表结构
 ```sql
 entries_history (
  id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  entry_id    UUID         NOT NULL,
  namespace   VARCHAR(64)  NOT NULL,
  kind        VARCHAR(64)  NOT NULL,
  name        VARCHAR(256) NOT NULL,
  version     BIGINT       NOT NULL,   -- 被快照时的版本号
  action      VARCHAR(16)  NOT NULL,   -- 'add' | 'update' | 'delete' | 'rollback'
  tags        TEXT[]       NOT NULL DEFAULT '{}',
  metadata    JSONB        NOT NULL DEFAULT '{}',
  actor       VARCHAR(128) NOT NULL DEFAULT '',
  created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
 )
 ```
 ### secrets_history 表结构
 ```sql
 secrets_history (
  id              BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  entry_id        UUID         NOT NULL,
  secret_id       UUID         NOT NULL,  -- 对应 secrets.id
  entry_version   BIGINT       NOT NULL,  -- 关联 entries_history 的版本号
  field_name      VARCHAR(256) NOT NULL,
  field_type      VARCHAR(32)  NOT NULL DEFAULT 'string',
  value_len       INT          NOT NULL DEFAULT 0,
  encrypted       BYTEA        NOT NULL DEFAULT '\x',
  action          VARCHAR(16)  NOT NULL,   -- 'add' | 'update' | 'delete' | 'rollback'
  actor           VARCHAR(128) NOT NULL DEFAULT '',
  created_at      TIMESTAMPTZ  NOT NULL DEFAULT NOW()
 )
 ```
 ### 字段职责划分
 | 字段 | 存什么 | 示例 |
 |------|--------|------|
 | `namespace` | 项目/团队隔离 | `refining`, `ricnsmart` |
-| `kind` | 记录类型 | `server`, `service` |
+| `kind` | 记录类型 | `server`, `service`, `key` |
 | `name` | 唯一标识名 | `i-uf63f2uookgs5uxmrdyc`, `gitea` |
 | `tags` | 多维分类标签 | `["aliyun","hongkong","ricn"]` |
-| `metadata` | 明文非敏感信息 | `{"ip":"47.243.154.187","desc":"Grafana","domains":["..."]}` |
+| `metadata` | 明文非敏感信息 | `{"ip":"47.243.154.187","desc":"Grafana","key_ref":"ricn-hk-260127"}` |
-| `encrypted` | 敏感凭据（MVP 阶段明文存储，后续对 value 加密） | `{"ssh_key":"-----BEGIN...","password":"..."}` |
+| `secrets.field_name` | 加密字段名（明文） | `"username"`, `"token"`, `"ssh_key"` |
 | `secrets.field_type` | 值类型（明文） | `"string"`, `"number"`, `"boolean"`, `"json"` |
 | `secrets.value_len` | 原始值字符数（明文） | `4`（root），`40`（token），`4096`（PEM） |
 | `secrets.encrypted` | 仅加密值本身 | AES-256-GCM 密文 |
 ### PEM 共享机制（key_ref）
 同一 PEM 被多台服务器共享时，将 PEM 存为独立的 `kind=key` 记录，服务器通过 `metadata.key_ref` 引用：
 ```bash
 # 1. 存共享 PEM
 secrets add -n refining --kind key --name ricn-hk-260127 \
  --tag aliyun --tag hongkong \
  -s content=@./keys/ricn-hk-260127.pem
 # 2. 服务器通过 metadata.key_ref 引用（inject/run 时自动合并 key 的 secrets）
 secrets add -n refining --kind server --name i-j6c39dmtkr26vztii0ox \
  -m ip=47.243.154.187 -m key_ref=ricn-hk-260127 \
  -s username=ecs-user
 # 3. 轮换只需更新 key 记录，所有引用服务器自动生效
 secrets update -n refining --kind key --name ricn-hk-260127 \
  -s content=@./keys/new-key.pem
 ```
 ## 数据库配置
 首次使用需显式配置数据库连接，设置一次后在该设备上持久生效：
 ```bash
 secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
 secrets config show   # 查看当前配置（密码脱敏）
 secrets config path   # 打印配置文件路径
 ```
 `set-db` 会先验证连接可用，成功后才写入配置文件；连接失败时提示 "Database connection failed" 且不修改配置。
 配置文件：`~/.config/secrets/config.toml`，权限 0600。`--db-url` 参数可一次性覆盖。
 ## 主密钥与加密
 首次使用（每台设备各执行一次）：
 ```bash
 secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
 secrets init   # 提示输入主密码，Argon2id 派生主密钥后存入 OS 钥匙串
 ```
 主密码不存储；salt 存于 `kv_config`，首台设备生成后共享，确保同一主密码在所有设备派生出相同主密钥。
 主密钥存储后端：macOS Keychain、Windows Credential Manager、Linux keyutils（会话级，重启后需再次 `secrets init`）。
 **从旧版（明文 JSONB）升级**：升级后执行 `secrets init` 即可（明文记录需手动重新 add 或通过 update 更新）。
 ## CLI 命令
 ### AI 使用主路径
 **读取一律用 `search`，写入用 `add` / `update`，避免反复查帮助。**
 输出格式规则：
 - TTY（终端直接运行）→ 默认 `text`
 - 非 TTY（管道/重定向/AI 调用）→ 自动 `json-compact`
 - 显式 `-o json` → 美化 JSON
 ---
 ### init — 主密钥初始化（每台设备一次）
 ```bash
-# 查看版本
+# 首次设备：生成 Argon2id salt 并存库，派生主密钥后存 OS 钥匙串
-secrets -V / --version
+secrets init
-# 查看帮助
+# 后续设备：复用已有 salt，派生主密钥后存钥匙串（主密码需与首台相同）
-secrets -h / --help
+secrets init
 secrets help <subcommand>   # 子命令详细帮助，如 secrets help add
 # 添加或更新记录（upsert）
 secrets add -n <namespace> --kind <kind> --name <name> \
  [--tag <tag>]...          # 可重复
  [-m key=value]...         # --meta 明文字段，-m 是短标志
  [-s key=value]...         # --secret 敏感字段，value 以 @ 开头表示从文件读取
 # 搜索（默认隐藏 encrypted 内容）
 secrets search [-n <namespace>] [--kind <kind>] [--tag <tag>] [-q <keyword>] [--show-secrets]
 # -q 匹配范围：name、namespace、kind、metadata 全文内容、tags
 # 增量更新已有记录（合并语义，记录不存在则报错）
 secrets update -n <namespace> --kind <kind> --name <name> \
  [--add-tag <tag>]...        # 添加标签（不影响已有标签）
  [--remove-tag <tag>]...     # 移除标签
  [-m key=value]...           # 新增或覆盖 metadata 字段（不影响其他字段）
  [--remove-meta <key>]...    # 删除 metadata 字段
  [-s key=value]...           # 新增或覆盖 encrypted 字段（不影响其他字段）
  [--remove-secret <key>]...  # 删除 encrypted 字段
 # 删除
 secrets delete -n <namespace> --kind <kind> --name <name>
 ```
-### 示例
+### search — 发现与读取
 ```bash
 # 参数说明（带典型值）
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
 #   --name             gitea | i-uf63f2uookgs5uxmrdyc | mqtt
 #   --tag              aliyun | hongkong | production
 #   -q / --query       mqtt | grafana | gitea   （模糊匹配 name/namespace/kind/tags/metadata）
 #   secrets schema  search 默认展示 secrets 字段名、类型与长度（无需 master_key）
 #   -f / --field       metadata.ip | metadata.url | metadata.default_org
 #   --summary          不带值的 flag，仅返回摘要（name/tags/desc/updated_at）
 #   --limit            20 | 50（默认 50）
 #   --offset           0 | 10 | 20（分页偏移）
 #   --sort             name（默认）| updated | created
 #   -o / --output      text | json | json-compact
 # 发现概览（起步推荐）
 secrets search --summary --limit 20
 secrets search -n refining --summary --limit 20
 secrets search --sort updated --limit 10 --summary
 # 精确定位单条记录
 secrets search -n refining --kind service --name gitea
 secrets search -n refining --kind server --name i-uf63f2uookgs5uxmrdyc
 # 精确定位并获取完整内容（secrets 保持加密占位）
 secrets search -n refining --kind service --name gitea -o json
 # 直接提取 metadata 字段值（最短路径）
 secrets search -n refining --kind service --name gitea -f metadata.url
 secrets search -n refining --kind service --name gitea \
  -f metadata.url -f metadata.default_org
 # 需要 secrets 时，改用 inject / run
 secrets inject -n refining --kind service --name gitea
 secrets run -n refining --kind service --name gitea -- printenv
 # 模糊关键词搜索
 secrets search -q mqtt
 secrets search -q grafana
 secrets search -q 47.117
 # 按条件过滤
 secrets search -n refining --kind service
 secrets search -n ricnsmart --kind server
 secrets search --tag hongkong
 secrets search --tag aliyun --summary
 # 分页
 secrets search -n refining --summary --limit 10 --offset 0
 secrets search -n refining --summary --limit 10 --offset 10
 # 管道 / AI 调用（非 TTY 自动 json-compact）
 secrets search -n refining --kind service | jq '.[].name'
 ```
 ---
 ### add — 新增或全量覆盖（upsert）
 ```bash
 # 参数说明（带典型值）
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
 #   --name             gitea | i-uf63f2uookgs5uxmrdyc
 #   --tag              aliyun | hongkong（可重复）
 #   -m / --meta        ip=47.117.131.22 | desc="Aliyun ECS" | url=https://... | tls:cert@./cert.pem（可重复）
 #   -s / --secret      token=<value> | ssh_key=@./key.pem | password=secret123 | credentials:content@./key.pem（可重复）
 # 添加服务器
 secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
  --tag aliyun --tag shanghai \
@@ -102,30 +304,295 @@ secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
 # 添加服务凭据
 secrets add -n refining --kind service --name gitea \
  --tag gitea \
-  -m url=https://gitea.refining.dev \
+  -m url=https://gitea.refining.dev -m default_org=refining -m username=voson \
-  -s token=<token>
+  -s token=<token> -s runner_token=<runner_token>
-# 搜索含 mqtt 的所有记录
+# 从文件读取 token
-secrets search -q mqtt
+secrets add -n ricnsmart --kind service --name mqtt \
  -m host=mqtt.ricnsmart.com -m port=1883 \
  -s password=@./mqtt_password.txt
-# 查看 refining 的全部服务配置（显示 secrets）
+# 多行文件直接写入嵌套 secret 字段
-secrets search -n refining --kind service --show-secrets
+secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
  -s credentials:content@./keys/voson_shanghai_e.pem
-# 按 tag 筛选
+# 使用类型化值（key:=<json>）存储非字符串类型
-secrets search --tag hongkong
+secrets add -n refining --kind service --name prometheus \
  -m scrape_interval:=15 \
  -m enabled:=true \
  -m labels:='["prod","metrics"]' \
  -s api_key=abc123
 ```
-# 只更新一个 IP（不影响其他 metadata/secrets/tags）
+---
 ### update — 增量更新（记录必须已存在）
 只有传入的字段才会变动，其余全部保留。
 ```bash
 # 参数说明（带典型值）
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
 #   --name             gitea | i-uf63f2uookgs5uxmrdyc
 #   --add-tag          production | backup（不影响已有 tag，可重复）
 #   --remove-tag       staging | deprecated（可重复）
 #   -m / --meta        ip=10.0.0.1 | desc="新描述" | credentials:username=root（新增或覆盖，可重复）
 #   --remove-meta      old_port | legacy_key | credentials:content（删除 metadata 字段，可重复）
 #   -s / --secret      token=<new> | ssh_key=@./new.pem | credentials:content@./new.pem（新增或覆盖，可重复）
 #   --remove-secret    old_password | deprecated_key | credentials:content（删除 secret 字段，可重复）
 # 更新单个 metadata 字段
 secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
  -m ip=10.0.0.1
-# 给一条记录新增 tag 并轮换密码
+# 轮换 token
 secrets update -n refining --kind service --name gitea \
  -s token=<new-token>
 # 新增 tag 并轮换 token
 secrets update -n refining --kind service --name gitea \
  --add-tag production \
  -s token=<new-token>
-# 移除一个废弃的 metadata 字段
+# 移除废弃字段
 secrets update -n refining --kind service --name mqtt \
-  --remove-meta old_port
+  --remove-meta old_port --remove-secret old_password
 # 从文件更新嵌套 secret 字段
 secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
  -s credentials:content@./keys/voson_shanghai_e.pem
 # 删除嵌套字段
 secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
  --remove-secret credentials:content
 # 移除 tag
 secrets update -n refining --kind service --name gitea --remove-tag staging
 ```
 ---
 ### delete — 删除记录
 ```bash
 # 参数说明（带典型值）
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
 #   --name             gitea | i-uf63f2uookgs5uxmrdyc（必须精确匹配）
 # 删除服务凭据
 secrets delete -n refining --kind service --name legacy-mqtt
 # 删除服务器记录
 secrets delete -n ricnsmart --kind server --name i-old-server-id
 ```
 ---
 ### history — 查看变更历史
 ```bash
 # 参数说明
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
 #   --name             记录名
 #   --limit            返回条数（默认 20）
 # 查看某条记录的历史版本列表
 secrets history -n refining --kind service --name gitea
 # 查最近 5 条
 secrets history -n refining --kind service --name gitea --limit 5
 # JSON 输出
 secrets history -n refining --kind service --name gitea -o json
 ```
 ---
 ### rollback — 回滚到指定版本
 ```bash
 # 参数说明
 #   -n / --namespace     refining | ricnsmart
 #   --kind               server | service
 #   --name               记录名
 #   --to-version <N>     目标版本号（省略则恢复最近一次快照）
 # 撤销上次修改（回滚到最近一次快照）
 secrets rollback -n refining --kind service --name gitea
 # 回滚到版本 3
 secrets rollback -n refining --kind service --name gitea --to-version 3
 ```
 ---
 ### inject — 输出临时环境变量
 敏感值仅打印到 stdout，不持久化、不写入当前 shell。
 ```bash
 # 参数说明
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
 #   --name             记录名
 #   --tag              按 tag 过滤（可重复）
 #   --prefix           变量名前缀（留空则以记录 name 作前缀）
 #   -o / --output      text（默认 KEY=VALUE）| json | json-compact
 # 打印单条记录的所有变量（KEY=VALUE 格式）
 secrets inject -n refining --kind service --name gitea
 # 自定义前缀
 secrets inject -n refining --kind service --name gitea --prefix GITEA
 # JSON 格式（适合管道或脚本解析）
 secrets inject -n refining --kind service --name gitea -o json
 # eval 注入当前 shell（谨慎使用）
 eval $(secrets inject -n refining --kind service --name gitea)
 ```
 ---
 ### run — 向子进程注入 secrets 并执行命令
 secrets 仅作用于子进程环境，不修改当前 shell，进程退出码透传。
 ```bash
 # 参数说明
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
 #   --name             记录名
 #   --tag              按 tag 过滤（可重复）
 #   --prefix           变量名前缀
 #   -- <command>       执行的命令及参数
 # 向脚本注入单条记录的 secrets
 secrets run -n refining --kind service --name gitea -- ./deploy.sh
 # 按 tag 批量注入（多条记录合并）
 secrets run --tag production -- env | grep -i token
 # 验证注入了哪些变量
 secrets run -n refining --kind service --name gitea -- printenv
 ```
 ---
 ### upgrade — 自动更新 CLI 二进制
 从 Gitea Release 下载最新版本，校验对应 `.sha256` 摘要后替换当前二进制，无需数据库连接或主密钥。
 ```bash
 # 检查是否有新版本（不下载）
 secrets upgrade --check
 # 下载、校验 SHA-256 并安装最新版本
 secrets upgrade
 ```
 ---
 ### export — 批量导出记录
 将匹配的记录（含解密后的明文 secrets）导出到文件或 stdout。支持 JSON、TOML、YAML 三种格式，文件格式由扩展名自动推断。使用 `--no-secrets` 时无需主密钥。
 ```bash
 # 参数说明
 # -n / --namespace refining | ricnsmart
 # --kind server | service
 # --name gitea | i-uf63f2uookgs5uxmrdyc
 # --tag aliyun | production（可重复）
 # -q / --query 模糊关键词
 # --file <path>   输出文件路径，格式由扩展名推断（.json / .toml / .yaml / .yml）
 # --format json | toml | yaml   显式指定格式（输出到 stdout 时必须指定）
 # --no-secrets    不导出 secrets，无需主密钥
 # 全量导出到 JSON 文件
 secrets export --file backup.json
 # 按 namespace 导出为 TOML
 secrets export -n refining --file refining.toml
 # 按 kind 导出为 YAML
 secrets export -n refining --kind service --file services.yaml
 # 按 tag 过滤导出
 secrets export --tag production --file prod.json
 # 模糊关键词导出
 secrets export -q mqtt --file mqtt.json
 # 仅导出 schema（不含 secrets，无需主密钥）
 secrets export --no-secrets --file schema.json
 # 输出到 stdout（必须指定 --format）
 secrets export -n refining --format yaml
 secrets export --format json | jq '.'
 ```
 ---
 ### import — 批量导入记录
 从导出文件读取记录并写入数据库，自动重新加密 secrets。支持 JSON、TOML、YAML 三种格式，文件格式由扩展名自动推断。
 ```bash
 # 参数说明
 # <file>        必选，输入文件路径（格式由扩展名推断）
 # --force       冲突时覆盖已有记录（默认：报错并停止）
 # --dry-run     预览将执行的操作，不写入数据库
 # -o / --output text | json | json-compact
 # 导入 JSON 文件（遇到已存在记录报错）
 secrets import backup.json
 # 导入 TOML 文件，冲突时覆盖
 secrets import --force refining.toml
 # 导入 YAML 文件，冲突时覆盖
 secrets import --force services.yaml
 # 预览将执行的操作（不写入）
 secrets import --dry-run backup.json
 # JSON 格式输出导入摘要
 secrets import backup.json -o json
 ```
 ---
 ### config — 配置管理（无需主密钥）
 ```bash
 # 设置数据库连接（每台设备执行一次，之后永久生效；先验证连接可用再写入）
 secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
 # 查看当前配置（密码脱敏）
 secrets config show
 # 打印配置文件路径
 secrets config path
 # 输出: /Users/<user>/.config/secrets/config.toml
 ```
 ---
 ### 全局参数
 ```bash
 # debug 日志（位于子命令之前）
 secrets --verbose search -q mqtt
 secrets -v add -n refining --kind service --name gitea -m url=xxx -s token=yyy
 # 或通过环境变量精细控制
 RUST_LOG=secrets=trace secrets search
 # 一次性覆盖数据库连接
 secrets --db-url "postgres://..." search -n refining
 ```
 ## 代码规范
@@ -134,15 +601,27 @@ secrets update -n refining --kind service --name mqtt \
 - 异步：全程 `tokio`，数据库操作 `sqlx` async
 - SQL：使用 `sqlx::query` / `sqlx::query_as` 绑定参数，禁止字符串拼接（搜索的动态 WHERE 子句除外，需使用参数绑定 `$1/$2`）
 - 新增 `kind` 类型时：只需在 `add` 调用时传入，无需改代码
- 字段命名：CLI 短标志 `-n`=namespace，`-m`=meta，`-s`=secret，`-q`=query
+- 字段命名：CLI 短标志 `-n`=namespace，`-m`=meta，`-s`=secret，`-q`=query，`-v`=verbose，`-f`=field，`-o`=output
 - 日志：用户可见输出用 `println!`；调试/运维信息用 `tracing::debug!`/`info!`/`warn!`/`error!`
 - 审计：`add`/`update`/`delete` 成功后调用 `audit::log_tx`，写入 `audit_log` 表；失败只 warn 不中断
 - 加密：`encrypted` 列存储 AES-256-GCM 密文；`add`/`update`/`search`/`delete` 需主密钥（`secrets init` 后从 OS 钥匙串加载）
 - 输出：读命令通过 `OutputMode` 支持 text/json/json-compact/env；写命令 `add` 同样支持 `-o json`
 ## 提交前检查（必须全部通过）
 每次提交代码前，请在本地依次执行以下检查，**全部通过后再 push**：
 优先使用：
 ```bash
 ./scripts/release-check.sh
 ```
 它等价于先检查版本号 / tag，再执行下面的格式、Lint、测试。
 ### 1. 版本号（按需）
-若本次改动需要发版，请先确认 `Cargo.toml` 中的 `version` 已提升，避免 CI 打出的 Tag 与已有版本重复。可通过 git tag 判断：
+若本次改动需要发版，请先确认 `Cargo.toml` 中的 `version` 已提升，避免 CI 打出的 Tag 与已有版本重复。**升级版本后需同时更新 `Cargo.lock`**（运行 `cargo build` 即可自动同步），否则 CI 中 `cargo clippy --locked` 会因 lock 与 manifest 不一致而失败。可通过 git tag 判断：
 ```bash
 # 查看当前 Cargo.toml 版本
@@ -152,7 +631,7 @@ grep '^version' Cargo.toml
 git tag -l 'secrets-*'
 ```
-若当前版本已被 tag（例如已有 `secrets-0.1.0` 且 `Cargo.toml` 仍为 `0.1.0`），则应在 `Cargo.toml` 中 bump 版本号后再提交，以便 CI 自动打新 Tag 并发布 Release。
+若当前版本已被 tag（例如已有 `secrets-0.3.0` 且 `Cargo.toml` 仍为 `0.3.0`），则应在 `Cargo.toml` 中 bump 版本号，再执行 `cargo build` 同步 `Cargo.lock`，最后一并提交，以便 CI 自动打新 Tag 并发布 Release。
 ### 2. 格式、Lint、测试
@@ -170,15 +649,20 @@ cargo fmt -- --check && cargo clippy -- -D warnings && cargo test
 ## CI/CD
- Gitea Actions（runner: debian）
+- Gitea Actions（runners: debian / darwin-arm64 / windows）
 - 触发：`src/**`、`Cargo.toml`、`Cargo.lock` 变更推送到 main
- 构建目标：`x86_64-unknown-linux-musl`（静态链接，无 glibc 依赖）
+- 构建目标：`x86_64-unknown-linux-musl`、`aarch64-apple-darwin`、`x86_64-apple-darwin`（由 ARM mac runner 交叉编译）、`x86_64-pc-windows-msvc`
- 新版本自动打 Tag（格式 `secrets-<version>`）并上传二进制到 Gitea Release
+- 新版本自动打 Tag（格式 `secrets-<version>`）并上传二进制与对应 `.sha256` 摘要到 Gitea Release
 - Release 仅在 Linux/macOS/Windows 构建全部成功后才会从 draft 发布
 - 通知：飞书 Webhook（`vars.WEBHOOK_URL`）
 - 所需 secrets/vars：`RELEASE_TOKEN`（Release 上传，Gitea PAT）、`vars.WEBHOOK_URL`（通知，可选）
 - **注意**：Gitea Actions 的 Secret/Variable 创建时，`data`/`value` 字段需传入**原始值**，不要使用 base64 编码
 ## 环境变量
 | 变量 | 说明 |
 |------|------|
-| `DATABASE_URL` | PostgreSQL 连接串，优先级高于 `--db-url` 参数 |
+| `RUST_LOG` | 日志级别，如 `secrets=debug`、`secrets=trace`（默认 warn） |
 | `USER` | 审计日志 actor 字段来源，Shell 自动设置，通常无需手动配置 |
 数据库连接通过 `secrets config set-db` 持久化到 `~/.config/secrets/config.toml`，不支持环境变量。
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,16 +1,32 @@
 [package]
 name = "secrets"
-version = "0.2.0"
+version = "0.9.1"
 edition = "2024"
 [dependencies]
-anyhow = "1.0.102"
+aes-gcm = "^0.10.3"
-chrono = { version = "0.4.44", features = ["serde"] }
+anyhow = "^1.0.102"
-clap = { version = "4.6.0", features = ["derive", "env"] }
+argon2 = { version = "^0.5.3", features = ["std"] }
-dotenvy = "0.15.7"
+chrono = { version = "^0.4.44", features = ["serde"] }
-serde = { version = "1.0.228", features = ["derive"] }
+clap = { version = "^4.6.0", features = ["derive"] }
-serde_json = "1.0.149"
+dirs = "^6.0.0"
-sqlx = { version = "0.8.6", features = ["runtime-tokio", "tls-rustls", "postgres", "uuid", "json", "chrono"] }
+flate2 = "^1.1.9"
-tokio = { version = "1.50.0", features = ["full"] }
+keyring = { version = "^3.6.3", features = ["apple-native", "windows-native", "linux-native"] }
-toml = "1.0.7"
+rand = "^0.10.0"
-uuid = { version = "1.22.0", features = ["serde", "v4"] }
+reqwest = { version = "^0.12", default-features = false, features = ["rustls-tls", "json"] }
 rpassword = "^7.4.0"
 self-replace = "^1.5.0"
 semver = "^1.0.27"
 serde = { version = "^1.0.228", features = ["derive"] }
 serde_json = "^1.0.149"
 serde_yaml = "^0.9"
 sha2 = "^0.10.9"
 sqlx = { version = "^0.8.6", features = ["runtime-tokio", "tls-rustls", "postgres", "uuid", "json", "chrono"] }
 tar = "^0.4.44"
 tempfile = "^3.19"
 tokio = { version = "^1.50.0", features = ["rt-multi-thread", "macros", "fs", "io-util", "process", "signal"] }
 toml = "^1.0.7"
 tracing = "^0.1"
 tracing-subscriber = { version = "^0.3", features = ["env-filter"] }
 uuid = { version = "^1.22.0", features = ["serde"] }
 zip = { version = "^8.2.0", default-features = false, features = ["deflate"] }
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 跨设备密钥与配置管理 CLI，基于 Rust + PostgreSQL 18。
-将服务器信息、服务凭据统一存入数据库，供本地工具和 AI 读取上下文。
+将服务器信息、服务凭据统一存入数据库，供本地工具和 AI 读取上下文。每个敏感字段单独行存储（`secrets` 子表），字段名、类型、长度以明文保存便于 AI 理解，仅值本身使用 AES-256-GCM 加密；主密钥由 Argon2id 从主密码派生并存入系统钥匙串。
 ## 安装
@@ -11,92 +11,317 @@ cargo build --release
 # 或从 Release 页面下载预编译二进制
 ```
-配置数据库连接：
+已有旧版本时，可执行 `secrets upgrade` 自动下载最新版并替换。该命令会校验 Release 附带的 `.sha256` 摘要后再安装。
 ## 首次使用（每台设备各执行一次）
 ```bash
-export DATABASE_URL=postgres://postgres:<password>@<host>:5432/secrets
+# 1. 配置数据库连接（会先验证连接可用再写入）
-# 或在项目根目录创建 .env 文件写入上述变量
+secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
 # 2. 初始化主密钥（提示输入至少 8 位的主密码，派生后存入 OS 钥匙串）
 secrets init
 ```
-## 使用
+主密码不会存储，仅用于派生主密钥，且至少需 8 位。同一主密码在所有设备上会得到相同主密钥（salt 存于数据库，首台设备生成后共享）。
 **主密钥存储**：macOS → Keychain；Windows → Credential Manager；Linux → keyutils（会话级，重启后需再次 `secrets init`）。
 **从旧版（明文存储）升级**：升级后首次运行需执行 `secrets init` 即可（明文记录需手动重新 add 或通过 update 更新）。
 ## AI Agent 快速指南
 这个 CLI 以 AI 使用优先设计。核心路径只有一条：**读取用 `search`，写入用 `add` / `update`**。
 ### 第一步：发现有哪些数据
 ```bash
-# 查看版本
+# 列出所有记录摘要（默认最多 50 条，安全起步）
-secrets -V
+secrets search --summary --limit 20
 secrets --version
-# 查看帮助
+# 按 namespace 过滤
 secrets search -n refining --summary --limit 20
 # 按最近更新排序
 secrets search --sort updated --limit 10 --summary
 ```
 `--summary` 只返回轻量字段（namespace、kind、name、tags、desc、updated_at），不含完整 metadata 和 secrets。
 ### 第二步：精确读取单条记录
 ```bash
 # 精确定位（namespace + kind + name 三元组）
 secrets search -n refining --kind service --name gitea
 # 获取完整记录（含 secrets 字段 schema：field_name、field_type、value_len，无需 master_key）
 secrets search -n refining --kind service --name gitea -o json
 # 直接提取单个 metadata 字段值（最短路径）
 secrets search -n refining --kind service --name gitea -f metadata.url
 # 同时提取多个 metadata 字段
 secrets search -n refining --kind service --name gitea \
  -f metadata.url -f metadata.default_org
 # 需要 secrets 时，改用 inject / run
 secrets inject -n refining --kind service --name gitea
 secrets run -n refining --kind service --name gitea -- printenv
 ```
 `search` 展示 metadata 与 secrets 的字段 schema（字段名、类型、长度），不展示 secret 值本身；需要值时用 `inject` / `run`。
 ### 输出格式
 | 场景 | 推荐命令 |
 |------|----------|
 | AI 解析 / 管道处理 | `-o json` 或 `-o json-compact` |
 | 注入 secrets 到环境变量 | `inject` / `run` |
 | 人类查看 | 默认 `text`（TTY 下自动启用） |
 | 非 TTY（管道/重定向） | 自动 `json-compact` |
 说明：`text` 输出中的时间会按当前机器本地时区显示；`json/json-compact` 继续使用 UTC（RFC3339 风格）以便脚本和 AI 稳定解析。
 ```bash
 # 管道直接 jq 解析（非 TTY 自动 json-compact）
 secrets search -n refining --kind service | jq '.[].name'
 # 需要 secrets 时，使用 inject / run
 secrets inject -n refining --kind service --name gitea > ~/.config/gitea/secrets.env
 secrets run -n refining --kind service --name gitea -- ./deploy.sh
 ```
 ## 完整命令参考
 ```bash
 # 查看帮助（包含各子命令 EXAMPLES）
 secrets --help
-secrets -h
+secrets init --help           # 主密钥初始化
 secrets search --help
 secrets add --help
 secrets update --help
 secrets delete --help
 secrets config --help
 secrets upgrade --help     # 检查并更新 CLI 版本
 secrets export --help      # 批量导出（JSON/TOML/YAML）
 secrets import --help      # 批量导入（JSON/TOML/YAML）
-# 查看子命令帮助
+# ── search ──────────────────────────────────────────────────────────────────
-secrets help add
+secrets search --summary --limit 20                        # 发现概览
-secrets help search
+secrets search -n refining --kind service                  # 按 namespace + kind
-secrets help delete
+secrets search -n refining --kind service --name gitea     # 精确查找
-secrets help update
+secrets search -q mqtt                                     # 关键词模糊搜索
 secrets search --tag hongkong                              # 按 tag 过滤
 secrets search -n refining --kind service --name gitea -f metadata.url   # 提取 metadata 字段
 secrets search -n refining --kind service --name gitea -o json            # 完整记录（含 secrets schema）
 secrets search --sort updated --limit 10 --summary         # 最近改动
 secrets search -n refining --summary --limit 10 --offset 10  # 翻页
-# 添加服务器
+# ── add ──────────────────────────────────────────────────────────────────────
 secrets add -n refining --kind server --name my-server \
  --tag aliyun --tag shanghai \
-  -m ip=1.2.3.4 -m desc="My Server" \
+  -m ip=47.117.131.22 -m desc="Aliyun Shanghai ECS" \
-  -s username=root \
+  -s username=root -s ssh_key=@./keys/server.pem
-  -s ssh_key=@./keys/my.pem
+
 # 多行文件直接写入嵌套 secret 字段
 secrets add -n refining --kind server --name my-server \
  -s credentials:content@./keys/server.pem
 # 使用 typed JSON 写入 secret（布尔、数字、数组、对象）
 secrets add -n refining --kind service --name deploy-bot \
  -s enabled:=true \
  -s retry_count:=3 \
  -s scopes:='["repo","workflow"]' \
  -s extra:='{"region":"ap-east-1","verify_tls":true}'
 # 添加服务凭据
 secrets add -n refining --kind service --name gitea \
-  -m url=https://gitea.example.com \
+  --tag gitea \
  -m url=https://gitea.refining.dev -m default_org=refining \
  -s token=<token>
-# 搜索（默认隐藏敏感字段）
+# ── update ───────────────────────────────────────────────────────────────────
 secrets search
 secrets search -n refining --kind server
 secrets search --tag hongkong
 secrets search -q mqtt              # 关键词匹配 name / metadata / tags
 secrets search -n refining --kind service --name gitea --show-secrets
 # 增量更新已有记录（合并语义，记录不存在则报错）
 secrets update -n refining --kind server --name my-server -m ip=10.0.0.1
-secrets update -n refining --kind service --name gitea --add-tag production -s token=<new-token>
+secrets update -n refining --kind service --name gitea --add-tag production -s token=<new>
 secrets update -n refining --kind service --name mqtt --remove-meta old_port --remove-secret old_key
 secrets update -n refining --kind server --name my-server --remove-secret credentials:content
-# 删除
+# ── delete ───────────────────────────────────────────────────────────────────
-secrets delete -n refining --kind server --name my-server
+secrets delete -n refining --kind service --name legacy-mqtt
 # ── init ─────────────────────────────────────────────────────────────────────
 secrets init              # 主密钥初始化（每台设备一次，主密码至少 8 位，派生后存钥匙串）
 # ── config ───────────────────────────────────────────────────────────────────
 secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"   # 先验证再写入
 secrets config show    # 密码脱敏展示
 secrets config path    # 打印配置文件路径
 # ── upgrade ──────────────────────────────────────────────────────────────────
 secrets upgrade --check   # 仅检查是否有新版本
 secrets upgrade           # 下载、校验 SHA-256 并安装最新版（从 Gitea Release）
 # ── export ────────────────────────────────────────────────────────────────────
 secrets export --file backup.json                        # 全量导出到 JSON
 secrets export -n refining --file refining.toml          # 按 namespace 导出为 TOML
 secrets export -n refining --kind service --file svc.yaml   # 按 kind 导出为 YAML
 secrets export --tag production --file prod.json         # 按 tag 过滤
 secrets export -q mqtt --file mqtt.json                   # 模糊搜索导出
 secrets export --no-secrets --file schema.json           # 仅导出 schema（无需主密钥）
 secrets export -n refining --format yaml                  # 输出到 stdout，指定格式
 # ── import ────────────────────────────────────────────────────────────────────
 secrets import backup.json                               # 导入（冲突时报错）
 secrets import --force refining.toml                     # 冲突时覆盖已有记录
 secrets import --dry-run backup.yaml                     # 预览将要执行的操作（不写入）
 # ── 调试 ──────────────────────────────────────────────────────────────────────
 secrets --verbose search -q mqtt
 RUST_LOG=secrets=trace secrets search
 ```
 ## 数据模型
-单张 `secrets` 表，首次连接自动建表。
+主表 `entries`（namespace、kind、name、tags、metadata）+ 子表 `secrets`（每个加密字段一行，含 field_name、field_type、value_len、encrypted）。首次连接自动建表；同时创建 `audit_log`、`entries_history`、`secrets_history` 等表。
-| 字段 | 说明 |
+| 位置 | 字段 | 说明 |
-|------|------|
+|------|------|------|
-| `namespace` | 一级隔离，如 `refining`、`ricnsmart` |
+| entries | namespace | 一级隔离，如 `refining`、`ricnsmart` |
-| `kind` | 记录类型，如 `server`、`service`（可自由扩展） |
+| entries | kind | 记录类型，如 `server`、`service`、`key`（可自由扩展） |
-| `name` | 人类可读唯一标识 |
+| entries | name | 人类可读唯一标识 |
-| `tags` | 多维标签，如 `["aliyun","hongkong"]` |
+| entries | tags | 多维标签，如 `["aliyun","hongkong"]` |
-| `metadata` | 明文描述信息（ip、desc、domains 等） |
+| entries | metadata | 明文描述（ip、desc、domains、key_ref 等） |
-| `encrypted` | 敏感凭据（ssh_key、password、token 等），MVP 阶段明文存储，预留加密字段 |
+| secrets | field_name / field_type / value_len | 明文，search 可见，AI 可推断 inject 会生成什么变量 |
 | secrets | encrypted | 仅加密值本身，AES-256-GCM |
-`-m` / `--meta` 写入 `metadata`，`-s` / `--secret` 写入 `encrypted`，`value=@file` 从文件读取内容。
+`-m` / `--meta` 写入 `metadata`，`-s` / `--secret` 写入 `secrets` 表的独立行。支持 `key=value`、`key=@file`、`key:=<json>`，也支持 `credentials:content@./key.pem` 这类嵌套字段文件写入；删除时支持 `--remove-secret credentials:content`。加解密使用主密钥（由 `secrets init` 设置）。
 **PEM 共享**：同一 PEM 被多台服务器共享时，可存为 `kind=key` 记录，服务器通过 `metadata.key_ref` 引用；轮换只需 update 一条 key 记录，所有引用自动生效。详见 [AGENTS.md](AGENTS.md)。
 ### `-m` / `--meta` JSON 语法速查
 `-m` 和 `-s` 走的是同一套解析规则，只是写入位置不同：`-m` 写到明文 `metadata`，适合端口、开关、标签、描述性配置等非敏感信息。
 | 目标值 | 写法示例 | 实际存入 |
 |------|------|------|
 | 普通字符串 | `-m url=https://gitea.refining.dev` | `"https://gitea.refining.dev"` |
 | 文件内容字符串 | `-m notes=@./service-notes.txt` | `"..."` |
 | 布尔值 | `-m enabled:=true` | `true` |
 | 数字 | `-m port:=3000` | `3000` |
 | `null` | `-m deprecated_at:=null` | `null` |
 | 数组 | `-m domains:='["gitea.refining.dev","git.refining.dev"]'` | `["gitea.refining.dev","git.refining.dev"]` |
 | 对象 | `-m tls:='{"enabled":true,"redirect_http":true}'` | `{"enabled":true,"redirect_http":true}` |
 | 嵌套路径 + JSON | `-m deploy:strategy:='{"type":"rolling","batch":2}'` | `{"deploy":{"strategy":{"type":"rolling","batch":2}}}` |
 常见规则：
 - `=` 表示按字符串存储。
 - `:=` 表示按 JSON 解析。
 - shell 中数组和对象建议整体用单引号包住。
 - 嵌套字段继续用冒号分隔：`-m runtime:max_open_conns:=20`。
 示例：新增一条带 typed metadata 的记录
 ```bash
 secrets add -n refining --kind service --name gitea \
  -m url=https://gitea.refining.dev \
  -m port:=3000 \
  -m enabled:=true \
  -m domains:='["gitea.refining.dev","git.refining.dev"]' \
  -m tls:='{"enabled":true,"redirect_http":true}'
 ```
 示例：更新已有记录中的嵌套 metadata
 ```bash
 secrets update -n refining --kind service --name gitea \
  -m deploy:strategy:='{"type":"rolling","batch":2}' \
  -m runtime:max_open_conns:=20
 ```
 ### `-s` / `--secret` JSON 语法速查
 当你希望写入的不是普通字符串，而是 `true`、`123`、`null`、数组或对象时，用 `:=`，右侧按 JSON 解析。
 | 目标值 | 写法示例 | 实际存入 |
 |------|------|------|
 | 普通字符串 | `-s token=abc123` | `"abc123"` |
 | 文件内容字符串 | `-s ssh_key=@./id_ed25519` | `"-----BEGIN ..."` |
 | 布尔值 | `-s enabled:=true` | `true` |
 | 数字 | `-s retry_count:=3` | `3` |
 | `null` | `-s deprecated_at:=null` | `null` |
 | 数组 | `-s scopes:='["repo","workflow"]'` | `["repo","workflow"]` |
 | 对象 | `-s extra:='{"region":"ap-east-1","verify_tls":true}'` | `{"region":"ap-east-1","verify_tls":true}` |
 | 嵌套路径 + JSON | `-s auth:policy:='{"mfa":true,"ttl":3600}'` | `{"auth":{"policy":{"mfa":true,"ttl":3600}}}` |
 常见规则：
 - `=` 表示按字符串存储，不做 JSON 解析。
 - `:=` 表示按 JSON 解析，适合布尔、数字、数组、对象、`null`。
 - shell 里对象和数组通常要整体加引号，推荐单引号：`-s flags:='["a","b"]'`。
 - 嵌套字段继续用冒号分隔：`-s credentials:enabled:=true`。
 - 如果你就是想存一个“JSON 字符串字面量”，可以写成 `-s note:='"hello"'`，但大多数字符串场景直接用 `=` 更直观。
 示例：新增一条同时包含字符串、文件、布尔、数组、对象的记录
 ```bash
 secrets add -n refining --kind service --name deploy-bot \
  -s token=abc123 \
  -s ssh_key=@./keys/deploy-bot.pem \
  -s enabled:=true \
  -s scopes:='["repo","workflow"]' \
  -s policy:='{"ttl":3600,"mfa":true}'
 ```
 示例：更新已有记录中的嵌套 JSON 字段
 ```bash
 secrets update -n refining --kind service --name deploy-bot \
  -s auth:config:='{"issuer":"gitea","rotate":true}' \
  -s auth:retry:=5
 ```
 ## 审计日志
 `add`、`update`、`delete` 操作成功后自动向 `audit_log` 表写入一条记录，包含操作类型、操作对象和变更摘要（不含 secret 值）。操作者取自 `$USER` 环境变量。
 ```sql
 -- 查看最近 20 条审计记录
 SELECT action, namespace, kind, name, actor, detail, created_at
 FROM audit_log
 ORDER BY created_at DESC
 LIMIT 20;
 ```
 ## 项目结构
 ```
 src/
-  main.rs          # CLI 入口（clap）
+  main.rs          # CLI 入口（clap），含各子命令 after_help 示例
-  db.rs            # 连接池 + auto-migrate
+  output.rs        # OutputMode 枚举 + TTY 检测
-  models.rs        # Secret 结构体
+  config.rs        # 配置读写（~/.config/secrets/config.toml）
  db.rs            # 连接池 + auto-migrate（entries + secrets + entries_history + secrets_history + audit_log + kv_config）
  crypto.rs        # AES-256-GCM 加解密、Argon2id 派生、OS 钥匙串
  models.rs        # Entry + SecretField 结构体
  audit.rs         # 审计日志写入（audit_log 表）
  commands/
-    add.rs         # upsert
+    init.rs        # 主密钥初始化（首次/新设备）
-    search.rs      # 多条件查询
+    add.rs         # upsert entries + secrets 行，支持 -o json
-    delete.rs      # 删除
+    config.rs      # config set-db/show/path
-    update.rs      # 增量更新（合并 tags/metadata/encrypted）
+    search.rs      # 多条件查询，展示 secrets schema（-f/-o/--summary/--limit/--offset/--sort）
    delete.rs      # 删除（CASCADE 删除 secrets）
    update.rs      # 增量更新（tags/metadata + secrets 行级 UPSERT/DELETE）
    rollback.rs    # rollback / history：按 entry_version 恢复
    run.rs         # inject / run，逐字段解密 + key_ref 引用解析
    upgrade.rs     # 从 Gitea Release 自更新
    export_cmd.rs  # export：批量导出，支持 JSON/TOML/YAML，含解密明文
    import_cmd.rs  # import：批量导入，冲突检测，dry-run，重新加密写入
 scripts/
-  seed-data.sh     # 导入 refining / ricnsmart 全量数据
+  setup-gitea-actions.sh  # 配置 Gitea Actions 变量与 Secrets
 ```
 ## CI/CD（Gitea Actions）
-推送 `main` 分支时自动：fmt/clippy 检查 → musl 构建 → 创建 Release 并上传二进制。
+推送 `main` 分支时自动：fmt/clippy/test 检查 → Linux/macOS/Windows 构建 → 上传二进制与 `.sha256` 摘要 → 所有平台成功后发布 Release。
 **首次使用需配置 Actions 变量和 Secrets：**
@@ -107,5 +332,12 @@ scripts/
 - `RELEASE_TOKEN`（Secret）：Gitea PAT，用于创建 Release 上传二进制
 - `WEBHOOK_URL`（Variable）：飞书通知，可选
 - **注意**：Secret/Variable 的 `data`/`value` 字段需传入原始值，不要 base64 编码
 当前 Release 预编译产物覆盖：
 - Linux `x86_64-unknown-linux-musl`
 - macOS Apple Silicon `aarch64-apple-darwin`
 - macOS Intel `x86_64-apple-darwin`（由 ARM mac runner 交叉编译）
 - Windows `x86_64-pc-windows-msvc`
 详见 [AGENTS.md](AGENTS.md)。
--- a/scripts/release-check.sh
+++ b/scripts/release-check.sh
@@ -0,0 +1,23 @@
 #!/usr/bin/env bash
 set -euo pipefail
 repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "$repo_root"
 version="$(grep -m1 '^version' Cargo.toml | sed 's/.*"\(.*\)".*/\1/')"
 tag="secrets-${version}"
 echo "==> 当前版本: ${version}"
 echo "==> 检查是否已存在 tag: ${tag}"
 if git rev-parse "refs/tags/${tag}" >/dev/null 2>&1; then
  echo "错误: 已存在 tag ${tag}"
  echo "请先 bump Cargo.toml 中的 version，再执行 cargo build 同步 Cargo.lock。"
  exit 1
 fi
 echo "==> 未发现重复 tag，开始执行检查"
 cargo fmt -- --check
 cargo clippy --locked -- -D warnings
 cargo test --locked
--- a/scripts/setup-gitea-actions.sh
+++ b/scripts/setup-gitea-actions.sh
@@ -7,7 +7,9 @@
 #   - secrets.RELEASE_TOKEN  (必选) Release 上传用，值为 Gitea PAT
 #   - vars.WEBHOOK_URL       (可选) 飞书通知
 #
-# 注意: Gitea 不允许 secret/variable 名以 GITEA_ 或 GITHUB_ 开头，故使用 RELEASE_TOKEN
+# 注意:
 #   - Gitea 不允许 secret/variable 名以 GITEA_ 或 GITHUB_ 开头，故使用 RELEASE_TOKEN
 #   - Secret/Variable 的 data/value 字段需传入原始值，不要使用 base64 编码
 #
 # 用法:
 #   1. 从 ~/.config/gitea/config.env 读取 GITEA_URL, GITEA_TOKEN, GITEA_WEBHOOK_URL
@@ -108,11 +110,13 @@ echo "━━━━━━━━━━━━━━━━━━━━━━━━
 echo ""
 # 1. 创建 Secret: RELEASE_TOKEN
 # 注意: Gitea Actions API 的 data 字段需传入原始值，不要使用 base64 编码
 echo "1. 创建 Secret: RELEASE_TOKEN"
 secret_payload=$(jq -n --arg t "$GITEA_TOKEN" '{data: $t}')
 resp=$(curl -s -w "\n%{http_code}" -X PUT \
  -H "Authorization: token $GITEA_TOKEN" \
  -H "Content-Type: application/json" \
-  -d "{\"data\":\"${GITEA_TOKEN}\"}" \
+  -d "$secret_payload" \
  "${API_BASE}/repos/${OWNER}/${REPO}/actions/secrets/RELEASE_TOKEN")
 http_code=$(echo "$resp" | tail -n1)
 body=$(echo "$resp" | sed '$d')
@@ -126,14 +130,16 @@ else
 fi
 # 2. 创建/更新 Variable: WEBHOOK_URL（可选）
 # 注意: Secret 和 Variable 均使用原始值，不要 base64 编码
 WEBHOOK_VALUE="${WEBHOOK_URL:-$GITEA_WEBHOOK_URL}"
 if [[ -n "$WEBHOOK_VALUE" ]]; then
  echo ""
  echo "2. 创建/更新 Variable: WEBHOOK_URL"
  var_payload=$(jq -n --arg v "$WEBHOOK_VALUE" '{value: $v}')
  resp=$(curl -s -w "\n%{http_code}" -X POST \
    -H "Authorization: token $GITEA_TOKEN" \
    -H "Content-Type: application/json" \
-    -d "{\"value\":\"${WEBHOOK_VALUE}\"}" \
+    -d "$var_payload" \
    "${API_BASE}/repos/${OWNER}/${REPO}/actions/variables/WEBHOOK_URL")
  http_code=$(echo "$resp" | tail -n1)
  body=$(echo "$resp" | sed '$d')
@@ -145,7 +151,7 @@ if [[ -n "$WEBHOOK_VALUE" ]]; then
    resp=$(curl -s -w "\n%{http_code}" -X PUT \
      -H "Authorization: token $GITEA_TOKEN" \
      -H "Content-Type: application/json" \
-      -d "{\"value\":\"${WEBHOOK_VALUE}\"}" \
+      -d "$var_payload" \
      "${API_BASE}/repos/${OWNER}/${REPO}/actions/variables/WEBHOOK_URL")
    http_code=$(echo "$resp" | tail -n1)
    if [[ "$http_code" == "200" || "$http_code" == "204" ]]; then
--- a/src/audit.rs
+++ b/src/audit.rs
@@ -0,0 +1,37 @@
 use serde_json::Value;
 use sqlx::{Postgres, Transaction};
 /// Return the current OS user as the audit actor (falls back to empty string).
 pub fn current_actor() -> String {
    std::env::var("USER").unwrap_or_default()
 }
 /// Write an audit entry within an existing transaction.
 pub async fn log_tx(
    tx: &mut Transaction<'_, Postgres>,
    action: &str,
    namespace: &str,
    kind: &str,
    name: &str,
    detail: Value,
 ) {
    let actor = current_actor();
    let result: Result<_, sqlx::Error> = sqlx::query(
        "INSERT INTO audit_log (action, namespace, kind, name, detail, actor) \
         VALUES ($1, $2, $3, $4, $5, $6)",
    )
    .bind(action)
    .bind(namespace)
    .bind(kind)
    .bind(name)
    .bind(&detail)
    .bind(&actor)
    .execute(&mut **tx)
    .await;
    if let Err(e) = result {
        tracing::warn!(error = %e, "failed to write audit log");
    } else {
        tracing::debug!(action, namespace, kind, name, actor, "audit logged");
    }
 }
--- a/src/commands/add.rs
+++ b/src/commands/add.rs
@@ -1,87 +1,507 @@
 use anyhow::Result;
-use serde_json::{Map, Value};
+use serde_json::{Map, Value, json};
 use sqlx::PgPool;
 use std::fs;
-/// Parse "key=value" entries. Value starting with '@' reads from file.
+use crate::crypto;
-pub(crate) fn parse_kv(entry: &str) -> Result<(String, String)> {
+use crate::db;
-    let (key, raw_val) = entry.split_once('=').ok_or_else(|| {
+use crate::models::EntryRow;
-        anyhow::anyhow!(
+use crate::output::{OutputMode, print_json};
            "Invalid format '{}'. Expected: key=value or key=@file",
            entry
        )
    })?;
-    let value = if let Some(path) = raw_val.strip_prefix('@') {
+// ── Key/value parsing helpers (shared with update.rs) ───────────────────────
        fs::read_to_string(path)
            .map_err(|e| anyhow::anyhow!("Failed to read file '{}': {}", path, e))?
    } else {
        raw_val.to_string()
    };
-    Ok((key.to_string(), value))
+/// Parse secret / metadata entries into a nested key path and JSON value.
 /// - `key=value`        → stores the literal string `value`
 /// - `key:=<json>`      → parses `<json>` as a typed JSON value
 /// - `key=@file`        → reads the file content as a string
 /// - `a:b=value`        → writes nested fields: `{ "a": { "b": "value" } }`
 /// - `a:b@./file.txt`   → shorthand for nested file reads without manual JSON escaping
 pub(crate) fn parse_kv(entry: &str) -> Result<(Vec<String>, Value)> {
    // Typed JSON form: key:=<json>
    if let Some((key, json_str)) = entry.split_once(":=") {
        let val: Value = serde_json::from_str(json_str).map_err(|e| {
            anyhow::anyhow!(
                "Invalid JSON value for key '{}': {} (use key=value for plain strings)",
                key,
                e
            )
        })?;
        return Ok((parse_key_path(key)?, val));
    }
    // Plain string form: key=value or key=@file
    if let Some((key, raw_val)) = entry.split_once('=') {
        let value = if let Some(path) = raw_val.strip_prefix('@') {
            fs::read_to_string(path)
                .map_err(|e| anyhow::anyhow!("Failed to read file '{}': {}", path, e))?
        } else {
            raw_val.to_string()
        };
        return Ok((parse_key_path(key)?, Value::String(value)));
    }
    // Shorthand file form: nested:key@file
    if let Some((key, path)) = entry.split_once('@') {
        let value = fs::read_to_string(path)
            .map_err(|e| anyhow::anyhow!("Failed to read file '{}': {}", path, e))?;
        return Ok((parse_key_path(key)?, Value::String(value)));
    }
    anyhow::bail!(
        "Invalid format '{}'. Expected: key=value, key=@file, nested:key@file, or key:=<json>",
        entry
    )
 }
-fn build_json(entries: &[String]) -> Result<Value> {
+pub(crate) fn build_json(entries: &[String]) -> Result<Value> {
    let mut map = Map::new();
    for entry in entries {
-        let (key, value) = parse_kv(entry)?;
+        let (path, value) = parse_kv(entry)?;
-        map.insert(key, Value::String(value));
+        insert_path(&mut map, &path, value)?;
    }
    Ok(Value::Object(map))
 }
-pub async fn run(
+pub(crate) fn key_path_to_string(path: &[String]) -> String {
-    pool: &PgPool,
+    path.join(":")
-    namespace: &str,
+}
-    kind: &str,
+
-    name: &str,
+pub(crate) fn collect_key_paths(entries: &[String]) -> Result<Vec<String>> {
-    tags: &[String],
+    entries
-    meta_entries: &[String],
+        .iter()
-    secret_entries: &[String],
+        .map(|entry| parse_kv(entry).map(|(path, _)| key_path_to_string(&path)))
        .collect()
 }
 pub(crate) fn collect_field_paths(entries: &[String]) -> Result<Vec<String>> {
    entries
        .iter()
        .map(|entry| parse_key_path(entry).map(|path| key_path_to_string(&path)))
        .collect()
 }
 pub(crate) fn parse_key_path(key: &str) -> Result<Vec<String>> {
    let path: Vec<String> = key
        .split(':')
        .map(str::trim)
        .map(ToOwned::to_owned)
        .collect();
    if path.is_empty() || path.iter().any(|part| part.is_empty()) {
        anyhow::bail!(
            "Invalid key path '{}'. Use non-empty segments like 'credentials:content'.",
            key
        );
    }
    Ok(path)
 }
 pub(crate) fn insert_path(
    map: &mut Map<String, Value>,
    path: &[String],
    value: Value,
 ) -> Result<()> {
-    let metadata = build_json(meta_entries)?;
+    if path.is_empty() {
-    let encrypted = build_json(secret_entries)?;
+        anyhow::bail!("Key path cannot be empty");
    sqlx::query(
        r#"
        INSERT INTO secrets (namespace, kind, name, tags, metadata, encrypted, updated_at)
        VALUES ($1, $2, $3, $4, $5, $6, NOW())
        ON CONFLICT (namespace, kind, name)
        DO UPDATE SET
            tags      = EXCLUDED.tags,
            metadata  = EXCLUDED.metadata,
            encrypted = EXCLUDED.encrypted,
            updated_at = NOW()
        "#,
    )
    .bind(namespace)
    .bind(kind)
    .bind(name)
    .bind(tags)
    .bind(&metadata)
    .bind(&encrypted)
    .execute(pool)
    .await?;
    println!("Added: [{}/{}] {}", namespace, kind, name);
    if !tags.is_empty() {
        println!("  tags:     {}", tags.join(", "));
    }
-    if !meta_entries.is_empty() {
+
-        let keys: Vec<&str> = meta_entries
+    if path.len() == 1 {
-            .iter()
+        map.insert(path[0].clone(), value);
-            .filter_map(|s| s.split_once('=').map(|(k, _)| k))
+        return Ok(());
            .collect();
        println!("  metadata: {}", keys.join(", "));
    }
-    if !secret_entries.is_empty() {
+
-        let keys: Vec<&str> = secret_entries
+    let head = path[0].clone();
-            .iter()
+    let tail = &path[1..];
-            .filter_map(|s| s.split_once('=').map(|(k, _)| k))
+
-            .collect();
+    match map.entry(head.clone()) {
-        println!("  secrets:  {}", keys.join(", "));
+        serde_json::map::Entry::Vacant(entry) => {
            let mut child = Map::new();
            insert_path(&mut child, tail, value)?;
            entry.insert(Value::Object(child));
        }
        serde_json::map::Entry::Occupied(mut entry) => match entry.get_mut() {
            Value::Object(child) => insert_path(child, tail, value)?,
            _ => {
                anyhow::bail!(
                    "Cannot set nested key '{}' because '{}' is already a non-object value",
                    key_path_to_string(path),
                    head
                );
            }
        },
    }
    Ok(())
 }
 pub(crate) fn remove_path(map: &mut Map<String, Value>, path: &[String]) -> Result<bool> {
    if path.is_empty() {
        anyhow::bail!("Key path cannot be empty");
    }
    if path.len() == 1 {
        return Ok(map.remove(&path[0]).is_some());
    }
    let Some(value) = map.get_mut(&path[0]) else {
        return Ok(false);
    };
    let Value::Object(child) = value else {
        return Ok(false);
    };
    let removed = remove_path(child, &path[1..])?;
    if child.is_empty() {
        map.remove(&path[0]);
    }
    Ok(removed)
 }
 // ── field_type inference and value_len ──────────────────────────────────────
 /// Infer the field type string from a JSON value.
 pub(crate) fn infer_field_type(v: &Value) -> &'static str {
    match v {
        Value::String(_) => "string",
        Value::Number(_) => "number",
        Value::Bool(_) => "boolean",
        Value::Null => "string",
        Value::Array(_) | Value::Object(_) => "json",
    }
 }
 /// Compute the plaintext length of a JSON value (chars for string, serialized length otherwise).
 pub(crate) fn compute_value_len(v: &Value) -> i32 {
    match v {
        Value::String(s) => s.chars().count() as i32,
        Value::Null => 0,
        other => other.to_string().chars().count() as i32,
    }
 }
 /// Flatten a (potentially nested) JSON object into dot-separated field entries.
 /// e.g. `{"credentials": {"type": "ssh", "content": "..."}}` →
 ///   `[("credentials.type", "ssh"), ("credentials.content", "...")]`
 /// Top-level non-object values are emitted directly.
 pub(crate) fn flatten_json_fields(prefix: &str, value: &Value) -> Vec<(String, Value)> {
    match value {
        Value::Object(map) => {
            let mut out = Vec::new();
            for (k, v) in map {
                let full_key = if prefix.is_empty() {
                    k.clone()
                } else {
                    format!("{}.{}", prefix, k)
                };
                out.extend(flatten_json_fields(&full_key, v));
            }
            out
        }
        other => vec![(prefix.to_string(), other.clone())],
    }
 }
 // ── Add command ──────────────────────────────────────────────────────────────
 pub struct AddArgs<'a> {
    pub namespace: &'a str,
    pub kind: &'a str,
    pub name: &'a str,
    pub tags: &'a [String],
    pub meta_entries: &'a [String],
    pub secret_entries: &'a [String],
    pub output: OutputMode,
 }
 pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
    let metadata = build_json(args.meta_entries)?;
    let secret_json = build_json(args.secret_entries)?;
    tracing::debug!(args.namespace, args.kind, args.name, "upserting entry");
    let meta_keys = collect_key_paths(args.meta_entries)?;
    let secret_keys = collect_key_paths(args.secret_entries)?;
    let mut tx = pool.begin().await?;
    // Upsert the entry row (tags + metadata).
    let existing: Option<EntryRow> = sqlx::query_as(
        "SELECT id, version, tags, metadata FROM entries \
         WHERE namespace = $1 AND kind = $2 AND name = $3",
    )
    .bind(args.namespace)
    .bind(args.kind)
    .bind(args.name)
    .fetch_optional(&mut *tx)
    .await?;
    // Snapshot the current entry state before overwriting.
    if let Some(ref ex) = existing
        && let Err(e) = db::snapshot_entry_history(
            &mut tx,
            db::EntrySnapshotParams {
                entry_id: ex.id,
                namespace: args.namespace,
                kind: args.kind,
                name: args.name,
                version: ex.version,
                action: "add",
                tags: &ex.tags,
                metadata: &ex.metadata,
            },
        )
        .await
    {
        tracing::warn!(error = %e, "failed to snapshot entry history before upsert");
    }
    let entry_id: uuid::Uuid = sqlx::query_scalar(
        r#"
        INSERT INTO entries (namespace, kind, name, tags, metadata, version, updated_at)
        VALUES ($1, $2, $3, $4, $5, 1, NOW())
        ON CONFLICT (namespace, kind, name)
        DO UPDATE SET
            tags       = EXCLUDED.tags,
            metadata   = EXCLUDED.metadata,
            version    = entries.version + 1,
            updated_at = NOW()
        RETURNING id
        "#,
    )
    .bind(args.namespace)
    .bind(args.kind)
    .bind(args.name)
    .bind(args.tags)
    .bind(&metadata)
    .fetch_one(&mut *tx)
    .await?;
    let new_entry_version: i64 = sqlx::query_scalar("SELECT version FROM entries WHERE id = $1")
        .bind(entry_id)
        .fetch_one(&mut *tx)
        .await?;
    // Snapshot existing secret fields before replacing.
    if existing.is_some() {
        #[derive(sqlx::FromRow)]
        struct ExistingField {
            id: uuid::Uuid,
            field_name: String,
            field_type: String,
            value_len: i32,
            encrypted: Vec<u8>,
        }
        let existing_fields: Vec<ExistingField> = sqlx::query_as(
            "SELECT id, field_name, field_type, value_len, encrypted \
             FROM secrets WHERE entry_id = $1",
        )
        .bind(entry_id)
        .fetch_all(&mut *tx)
        .await?;
        for f in &existing_fields {
            if let Err(e) = db::snapshot_secret_history(
                &mut tx,
                db::SecretSnapshotParams {
                    entry_id,
                    secret_id: f.id,
                    entry_version: new_entry_version - 1,
                    field_name: &f.field_name,
                    field_type: &f.field_type,
                    value_len: f.value_len,
                    encrypted: &f.encrypted,
                    action: "add",
                },
            )
            .await
            {
                tracing::warn!(error = %e, "failed to snapshot secret field history");
            }
        }
        // Delete existing secret fields so we can re-insert the full set.
        sqlx::query("DELETE FROM secrets WHERE entry_id = $1")
            .bind(entry_id)
            .execute(&mut *tx)
            .await?;
    }
    // Insert new secret fields.
    let flat_fields = flatten_json_fields("", &secret_json);
    for (field_name, field_value) in &flat_fields {
        let field_type = infer_field_type(field_value);
        let value_len = compute_value_len(field_value);
        let encrypted = crypto::encrypt_json(master_key, field_value)?;
        sqlx::query(
            "INSERT INTO secrets (entry_id, field_name, field_type, value_len, encrypted) \
             VALUES ($1, $2, $3, $4, $5)",
        )
        .bind(entry_id)
        .bind(field_name)
        .bind(field_type)
        .bind(value_len)
        .bind(&encrypted)
        .execute(&mut *tx)
        .await?;
    }
    crate::audit::log_tx(
        &mut tx,
        "add",
        args.namespace,
        args.kind,
        args.name,
        json!({
            "tags": args.tags,
            "meta_keys": meta_keys,
            "secret_keys": secret_keys,
        }),
    )
    .await;
    tx.commit().await?;
    let result_json = json!({
        "action": "added",
        "namespace": args.namespace,
        "kind": args.kind,
        "name": args.name,
        "tags": args.tags,
        "meta_keys": meta_keys,
        "secret_keys": secret_keys,
    });
    match args.output {
        OutputMode::Json | OutputMode::JsonCompact => {
            print_json(&result_json, &args.output)?;
        }
        _ => {
            println!("Added: [{}/{}] {}", args.namespace, args.kind, args.name);
            if !args.tags.is_empty() {
                println!("  tags:     {}", args.tags.join(", "));
            }
            if !args.meta_entries.is_empty() {
                println!("  metadata: {}", meta_keys.join(", "));
            }
            if !args.secret_entries.is_empty() {
                println!("  secrets:  {}", secret_keys.join(", "));
            }
        }
    }
    Ok(())
 }
 #[cfg(test)]
 mod tests {
    use super::{
        build_json, compute_value_len, flatten_json_fields, infer_field_type, key_path_to_string,
        parse_kv, remove_path,
    };
    use serde_json::Value;
    use std::fs;
    use std::path::PathBuf;
    use std::time::{SystemTime, UNIX_EPOCH};
    fn temp_file_path(name: &str) -> PathBuf {
        let nanos = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .expect("clock should be after unix epoch")
            .as_nanos();
        std::env::temp_dir().join(format!("secrets-{name}-{nanos}.txt"))
    }
    #[test]
    fn parse_nested_file_shorthand() {
        let path = temp_file_path("ssh-key");
        fs::write(&path, "line1\nline2\n").expect("should write temp file");
        let entry = format!("credentials:content@{}", path.display());
        let (path_parts, value) = parse_kv(&entry).expect("should parse nested file shorthand");
        assert_eq!(key_path_to_string(&path_parts), "credentials:content");
        assert_eq!(value, serde_json::Value::String("line1\nline2\n".into()));
        fs::remove_file(path).expect("should remove temp file");
    }
    #[test]
    fn build_nested_json_from_mixed_entries() {
        let payload = vec![
            "credentials:type=ssh".to_string(),
            "credentials:enabled:=true".to_string(),
            "username=root".to_string(),
        ];
        let value = build_json(&payload).expect("should build nested json");
        assert_eq!(
            value,
            serde_json::json!({
                "credentials": {
                    "type": "ssh",
                    "enabled": true
                },
                "username": "root"
            })
        );
    }
    #[test]
    fn remove_nested_path_prunes_empty_parents() {
        let mut value = serde_json::json!({
            "credentials": {
                "content": "pem-data"
            },
            "username": "root"
        });
        let map = match &mut value {
            Value::Object(map) => map,
            _ => panic!("expected object"),
        };
        let removed = remove_path(map, &["credentials".to_string(), "content".to_string()])
            .expect("should remove nested field");
        assert!(removed);
        assert_eq!(value, serde_json::json!({ "username": "root" }));
    }
    #[test]
    fn flatten_json_fields_nested() {
        let v = serde_json::json!({
            "username": "root",
            "credentials": {
                "type": "ssh",
                "content": "pem-data"
            }
        });
        let mut fields = flatten_json_fields("", &v);
        fields.sort_by(|a, b| a.0.cmp(&b.0));
        assert_eq!(fields[0].0, "credentials.content");
        assert_eq!(fields[1].0, "credentials.type");
        assert_eq!(fields[2].0, "username");
    }
    #[test]
    fn infer_field_types() {
        assert_eq!(infer_field_type(&Value::String("x".into())), "string");
        assert_eq!(infer_field_type(&serde_json::json!(42)), "number");
        assert_eq!(infer_field_type(&Value::Bool(true)), "boolean");
        assert_eq!(infer_field_type(&serde_json::json!(["a"])), "json");
    }
    #[test]
    fn compute_value_len_string() {
        assert_eq!(compute_value_len(&Value::String("root".into())), 4);
        assert_eq!(compute_value_len(&Value::Null), 0);
        assert_eq!(compute_value_len(&serde_json::json!(1234)), 4);
    }
 }
--- a/src/commands/config.rs
+++ b/src/commands/config.rs
@@ -0,0 +1,55 @@
 use crate::config::{self, Config, config_path};
 use anyhow::Result;
 pub async fn run(action: crate::ConfigAction) -> Result<()> {
    match action {
        crate::ConfigAction::SetDb { url } => {
            // Verify connection before writing config
            let pool = crate::db::create_pool(&url)
                .await
                .map_err(|e| anyhow::anyhow!("Database connection failed: {}", e))?;
            drop(pool);
            println!("Database connection successful.");
            let cfg = Config {
                database_url: Some(url.clone()),
            };
            config::save_config(&cfg)?;
            println!("Database URL saved to: {}", config_path()?.display());
            println!("  {}", mask_password(&url));
        }
        crate::ConfigAction::Show => {
            let cfg = config::load_config()?;
            match cfg.database_url {
                Some(url) => {
                    println!("database_url = {}", mask_password(&url));
                    println!("config file:  {}", config_path()?.display());
                }
                None => {
                    println!("Database URL not configured.");
                    println!("Run: secrets config set-db <DATABASE_URL>");
                }
            }
        }
        crate::ConfigAction::Path => {
            println!("{}", config_path()?.display());
        }
    }
    Ok(())
 }
 /// Mask the password in a postgres://user:password@host/db URL.
 fn mask_password(url: &str) -> String {
    if let Some(at_pos) = url.rfind('@')
        && let Some(scheme_end) = url.find("://")
    {
        let prefix = &url[..scheme_end + 3];
        let credentials = &url[scheme_end + 3..at_pos];
        let rest = &url[at_pos..];
        if let Some(colon_pos) = credentials.find(':') {
            let user = &credentials[..colon_pos];
            return format!("{}{}:***{}", prefix, user, rest);
        }
    }
    url.to_string()
 }
--- a/src/commands/delete.rs
+++ b/src/commands/delete.rs
@@ -1,19 +1,109 @@
 use anyhow::Result;
 use serde_json::json;
 use sqlx::PgPool;
-pub async fn run(pool: &PgPool, namespace: &str, kind: &str, name: &str) -> Result<()> {
+use crate::db;
-    let result =
+use crate::models::{EntryRow, SecretFieldRow};
-        sqlx::query("DELETE FROM secrets WHERE namespace = $1 AND kind = $2 AND name = $3")
+use crate::output::{OutputMode, print_json};
            .bind(namespace)
            .bind(kind)
            .bind(name)
            .execute(pool)
            .await?;
-    if result.rows_affected() == 0 {
+pub struct DeleteArgs<'a> {
-        println!("Not found: [{}/{}] {}", namespace, kind, name);
+    pub namespace: &'a str,
-    } else {
+    pub kind: &'a str,
-        println!("Deleted: [{}/{}] {}", namespace, kind, name);
+    pub name: &'a str,
    pub output: OutputMode,
 }
 pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
    let (namespace, kind, name) = (args.namespace, args.kind, args.name);
    tracing::debug!(namespace, kind, name, "deleting entry");
    let mut tx = pool.begin().await?;
    let row: Option<EntryRow> = sqlx::query_as(
        "SELECT id, version, tags, metadata FROM entries \
         WHERE namespace = $1 AND kind = $2 AND name = $3 \
         FOR UPDATE",
    )
    .bind(namespace)
    .bind(kind)
    .bind(name)
    .fetch_optional(&mut *tx)
    .await?;
    let Some(row) = row else {
        tx.rollback().await?;
        tracing::warn!(namespace, kind, name, "entry not found for deletion");
        let v = json!({"action":"not_found","namespace":namespace,"kind":kind,"name":name});
        match args.output {
            OutputMode::Text => println!("Not found: [{}/{}] {}", namespace, kind, name),
            ref mode => print_json(&v, mode)?,
        }
        return Ok(());
    };
    // Snapshot entry history before deleting.
    if let Err(e) = db::snapshot_entry_history(
        &mut tx,
        db::EntrySnapshotParams {
            entry_id: row.id,
            namespace,
            kind,
            name,
            version: row.version,
            action: "delete",
            tags: &row.tags,
            metadata: &row.metadata,
        },
    )
    .await
    {
        tracing::warn!(error = %e, "failed to snapshot entry history before delete");
    }
    // Snapshot all secret fields before cascade delete.
    let fields: Vec<SecretFieldRow> = sqlx::query_as(
        "SELECT id, field_name, field_type, value_len, encrypted \
         FROM secrets WHERE entry_id = $1",
    )
    .bind(row.id)
    .fetch_all(&mut *tx)
    .await?;
    for f in &fields {
        if let Err(e) = db::snapshot_secret_history(
            &mut tx,
            db::SecretSnapshotParams {
                entry_id: row.id,
                secret_id: f.id,
                entry_version: row.version,
                field_name: &f.field_name,
                field_type: &f.field_type,
                value_len: f.value_len,
                encrypted: &f.encrypted,
                action: "delete",
            },
        )
        .await
        {
            tracing::warn!(error = %e, "failed to snapshot secret field history before delete");
        }
    }
    // Delete the entry — secrets rows are removed via ON DELETE CASCADE.
    sqlx::query("DELETE FROM entries WHERE id = $1")
        .bind(row.id)
        .execute(&mut *tx)
        .await?;
    crate::audit::log_tx(&mut tx, "delete", namespace, kind, name, json!({})).await;
    tx.commit().await?;
    let v = json!({"action":"deleted","namespace":namespace,"kind":kind,"name":name});
    match args.output {
        OutputMode::Text => println!("Deleted: [{}/{}] {}", namespace, kind, name),
        ref mode => print_json(&v, mode)?,
    }
    Ok(())
 }
--- a/src/commands/export_cmd.rs
+++ b/src/commands/export_cmd.rs
@@ -0,0 +1,109 @@
 use anyhow::Result;
 use sqlx::PgPool;
 use std::collections::BTreeMap;
 use std::io::Write;
 use crate::commands::search::{fetch_entries, fetch_secrets_for_entries};
 use crate::crypto;
 use crate::models::{ExportData, ExportEntry, ExportFormat};
 pub struct ExportArgs<'a> {
    pub namespace: Option<&'a str>,
    pub kind: Option<&'a str>,
    pub name: Option<&'a str>,
    pub tags: &'a [String],
    pub query: Option<&'a str>,
    /// Output file path. None means write to stdout.
    pub file: Option<&'a str>,
    /// Explicit format override (e.g. from --format flag).
    pub format: Option<&'a str>,
    /// When true, secrets are omitted and master_key is not used.
    pub no_secrets: bool,
 }
 pub async fn run(pool: &PgPool, args: ExportArgs<'_>, master_key: Option<&[u8; 32]>) -> Result<()> {
    // Determine output format: --format > file extension > default JSON.
    let format = if let Some(fmt_str) = args.format {
        ExportFormat::from_str(fmt_str)?
    } else if let Some(path) = args.file {
        ExportFormat::from_extension(path).unwrap_or(ExportFormat::Json)
    } else {
        ExportFormat::Json
    };
    let entries = fetch_entries(
        pool,
        args.namespace,
        args.kind,
        args.name,
        args.tags,
        args.query,
    )
    .await?;
    let entry_ids: Vec<uuid::Uuid> = entries.iter().map(|e| e.id).collect();
    let secrets_map = if !args.no_secrets && !entry_ids.is_empty() {
        fetch_secrets_for_entries(pool, &entry_ids).await?
    } else {
        std::collections::HashMap::new()
    };
    let key = if !args.no_secrets { master_key } else { None };
    let mut export_entries: Vec<ExportEntry> = Vec::with_capacity(entries.len());
    for entry in &entries {
        let secrets = if args.no_secrets {
            None
        } else {
            let fields = secrets_map.get(&entry.id).map(Vec::as_slice).unwrap_or(&[]);
            if fields.is_empty() {
                Some(BTreeMap::new())
            } else {
                let mk =
                    key.ok_or_else(|| anyhow::anyhow!("master key required to decrypt secrets"))?;
                let mut map = BTreeMap::new();
                for f in fields {
                    let decrypted = crypto::decrypt_json(mk, &f.encrypted)?;
                    map.insert(f.field_name.clone(), decrypted);
                }
                Some(map)
            }
        };
        export_entries.push(ExportEntry {
            namespace: entry.namespace.clone(),
            kind: entry.kind.clone(),
            name: entry.name.clone(),
            tags: entry.tags.clone(),
            metadata: entry.metadata.clone(),
            secrets,
        });
    }
    let data = ExportData {
        version: 1,
        exported_at: chrono::Utc::now().format("%Y-%m-%dT%H:%M:%SZ").to_string(),
        entries: export_entries,
    };
    let serialized = format.serialize(&data)?;
    if let Some(path) = args.file {
        std::fs::write(path, &serialized)?;
        println!(
            "Exported {} record(s) to {} ({:?})",
            data.entries.len(),
            path,
            format
        );
    } else {
        std::io::stdout().write_all(serialized.as_bytes())?;
        // Ensure trailing newline on stdout.
        if !serialized.ends_with('\n') {
            println!();
        }
    }
    Ok(())
 }
--- a/src/commands/history.rs
+++ b/src/commands/history.rs
@@ -0,0 +1,78 @@
 use anyhow::Result;
 use serde_json::{Value, json};
 use sqlx::{FromRow, PgPool};
 use crate::output::{OutputMode, format_local_time, print_json};
 pub struct HistoryArgs<'a> {
    pub namespace: &'a str,
    pub kind: &'a str,
    pub name: &'a str,
    pub limit: u32,
    pub output: OutputMode,
 }
 /// List history entries for an entry.
 pub async fn run(pool: &PgPool, args: HistoryArgs<'_>) -> Result<()> {
    #[derive(FromRow)]
    struct HistorySummary {
        version: i64,
        action: String,
        actor: String,
        created_at: chrono::DateTime<chrono::Utc>,
    }
    let rows: Vec<HistorySummary> = sqlx::query_as(
        "SELECT version, action, actor, created_at FROM entries_history \
         WHERE namespace = $1 AND kind = $2 AND name = $3 \
         ORDER BY id DESC LIMIT $4",
    )
    .bind(args.namespace)
    .bind(args.kind)
    .bind(args.name)
    .bind(args.limit as i64)
    .fetch_all(pool)
    .await?;
    match args.output {
        OutputMode::Json | OutputMode::JsonCompact => {
            let arr: Vec<Value> = rows
                .iter()
                .map(|r| {
                    json!({
                        "version": r.version,
                        "action": r.action,
                        "actor": r.actor,
                        "created_at": r.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
                    })
                })
                .collect();
            print_json(&Value::Array(arr), &args.output)?;
        }
        _ => {
            if rows.is_empty() {
                println!(
                    "No history found for [{}/{}] {}.",
                    args.namespace, args.kind, args.name
                );
                return Ok(());
            }
            println!(
                "History for [{}/{}] {}:",
                args.namespace, args.kind, args.name
            );
            for r in &rows {
                println!(
                    "  v{:<4}  {:8}  {}  {}",
                    r.version,
                    r.action,
                    r.actor,
                    format_local_time(r.created_at)
                );
            }
            println!("  (use `secrets rollback --to-version <N>` to restore)");
        }
    }
    Ok(())
 }
--- a/src/commands/import_cmd.rs
+++ b/src/commands/import_cmd.rs
@@ -0,0 +1,217 @@
 use anyhow::Result;
 use serde_json::Value;
 use sqlx::PgPool;
 use std::collections::BTreeMap;
 use crate::commands::add::{self, AddArgs};
 use crate::models::ExportFormat;
 use crate::output::{OutputMode, print_json};
 pub struct ImportArgs<'a> {
    pub file: &'a str,
    /// Overwrite existing records when there is a conflict (upsert).
    /// Without this flag, the import aborts on the first conflict.
    /// A future `--skip` flag could allow silently skipping conflicts and continuing.
    pub force: bool,
    /// Check and preview operations without writing to the database.
    pub dry_run: bool,
    pub output: OutputMode,
 }
 pub async fn run(pool: &PgPool, args: ImportArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
    let format = ExportFormat::from_extension(args.file)?;
    let content = std::fs::read_to_string(args.file)
        .map_err(|e| anyhow::anyhow!("Cannot read file '{}': {}", args.file, e))?;
    let data = format.deserialize(&content)?;
    if data.version != 1 {
        anyhow::bail!(
            "Unsupported export version {}. Only version 1 is supported.",
            data.version
        );
    }
    let total = data.entries.len();
    let mut inserted = 0usize;
    let mut skipped = 0usize;
    let mut failed = 0usize;
    for entry in &data.entries {
        // Check if record already exists.
        let exists: bool = sqlx::query_scalar(
            "SELECT EXISTS(SELECT 1 FROM entries \
             WHERE namespace = $1 AND kind = $2 AND name = $3)",
        )
        .bind(&entry.namespace)
        .bind(&entry.kind)
        .bind(&entry.name)
        .fetch_one(pool)
        .await
        .unwrap_or(false);
        if exists && !args.force {
            let v = serde_json::json!({
                "action": "conflict",
                "namespace": entry.namespace,
                "kind": entry.kind,
                "name": entry.name,
            });
            match args.output {
                OutputMode::Text => eprintln!(
                    "[{}/{}/{}] conflict — record already exists (use --force to overwrite)",
                    entry.namespace, entry.kind, entry.name
                ),
                ref mode => {
                    // Write conflict notice to stderr so it does not mix with summary JSON.
                    eprint!(
                        "{}",
                        if *mode == OutputMode::Json {
                            serde_json::to_string_pretty(&v)?
                        } else {
                            serde_json::to_string(&v)?
                        }
                    );
                    eprintln!();
                }
            }
            return Err(anyhow::anyhow!(
                "Import aborted: conflict on [{}/{}/{}]",
                entry.namespace,
                entry.kind,
                entry.name
            ));
        }
        let action = if exists { "upsert" } else { "insert" };
        if args.dry_run {
            let v = serde_json::json!({
                "action": action,
                "namespace": entry.namespace,
                "kind": entry.kind,
                "name": entry.name,
                "dry_run": true,
            });
            match args.output {
                OutputMode::Text => println!(
                    "[dry-run] {} [{}/{}/{}]",
                    action, entry.namespace, entry.kind, entry.name
                ),
                ref mode => print_json(&v, mode)?,
            }
            if exists {
                skipped += 1;
            } else {
                inserted += 1;
            }
            continue;
        }
        // Build secret_entries: convert BTreeMap<String, Value> to Vec<String> ("key:=json")
        let secret_entries = build_secret_entries(entry.secrets.as_ref());
        // Build meta_entries from metadata JSON object.
        let meta_entries = build_meta_entries(&entry.metadata);
        match add::run(
            pool,
            AddArgs {
                namespace: &entry.namespace,
                kind: &entry.kind,
                name: &entry.name,
                tags: &entry.tags,
                meta_entries: &meta_entries,
                secret_entries: &secret_entries,
                output: OutputMode::Text,
            },
            master_key,
        )
        .await
        {
            Ok(()) => {
                let v = serde_json::json!({
                    "action": action,
                    "namespace": entry.namespace,
                    "kind": entry.kind,
                    "name": entry.name,
                });
                match args.output {
                    OutputMode::Text => println!(
                        "Imported [{}/{}/{}]",
                        entry.namespace, entry.kind, entry.name
                    ),
                    ref mode => print_json(&v, mode)?,
                }
                inserted += 1;
            }
            Err(e) => {
                eprintln!(
                    "Error importing [{}/{}/{}]: {}",
                    entry.namespace, entry.kind, entry.name, e
                );
                failed += 1;
            }
        }
    }
    let summary = serde_json::json!({
        "total": total,
        "inserted": inserted,
        "skipped": skipped,
        "failed": failed,
        "dry_run": args.dry_run,
    });
    match args.output {
        OutputMode::Text => {
            if args.dry_run {
                println!(
                    "\n[dry-run] {} total: {} would insert, {} would skip, {} would fail",
                    total, inserted, skipped, failed
                );
            } else {
                println!(
                    "\nImport done: {} total — {} inserted, {} skipped, {} failed",
                    total, inserted, skipped, failed
                );
            }
        }
        ref mode => print_json(&summary, mode)?,
    }
    if failed > 0 {
        anyhow::bail!("{} record(s) failed to import", failed);
    }
    Ok(())
 }
 /// Convert metadata JSON object into Vec<String> of "key:=json_value" entries.
 fn build_meta_entries(metadata: &Value) -> Vec<String> {
    let mut entries = Vec::new();
    if let Some(obj) = metadata.as_object() {
        for (k, v) in obj {
            entries.push(value_to_kv_entry(k, v));
        }
    }
    entries
 }
 /// Convert a BTreeMap<String, Value> (secrets) into Vec<String> of "key:=json_value" entries.
 fn build_secret_entries(secrets: Option<&BTreeMap<String, Value>>) -> Vec<String> {
    let mut entries = Vec::new();
    if let Some(map) = secrets {
        for (k, v) in map {
            entries.push(value_to_kv_entry(k, v));
        }
    }
    entries
 }
 /// Convert a key/value pair to a CLI-style entry string.
 /// Strings use `key=value`; everything else uses `key:=<json>`.
 fn value_to_kv_entry(key: &str, value: &Value) -> String {
    match value {
        Value::String(s) => format!("{}={}", key, s),
        other => format!("{}:={}", key, other),
    }
 }
--- a/src/commands/init.rs
+++ b/src/commands/init.rs
@@ -0,0 +1,70 @@
 use anyhow::{Context, Result};
 use rand::RngExt;
 use sqlx::PgPool;
 use crate::{crypto, db};
 const MIN_MASTER_PASSWORD_LEN: usize = 8;
 pub async fn run(pool: &PgPool) -> Result<()> {
    println!("Initializing secrets master key...");
    println!();
    // Read password (no echo)
    let password = rpassword::prompt_password(format!(
        "Enter master password (at least {} characters): ",
        MIN_MASTER_PASSWORD_LEN
    ))
    .context("failed to read password")?;
    if password.chars().count() < MIN_MASTER_PASSWORD_LEN {
        anyhow::bail!(
            "Master password must be at least {} characters.",
            MIN_MASTER_PASSWORD_LEN
        );
    }
    let confirm = rpassword::prompt_password("Confirm master password: ")
        .context("failed to read password confirmation")?;
    if password != confirm {
        anyhow::bail!("Passwords do not match.");
    }
    // Get or create Argon2id salt
    let salt = match db::load_argon2_salt(pool).await? {
        Some(existing) => {
            println!("Found existing salt in database (not the first device).");
            existing
        }
        None => {
            println!("Generating new Argon2id salt and storing in database...");
            let mut salt = vec![0u8; 16];
            rand::rng().fill(&mut salt[..]);
            db::store_argon2_salt(pool, &salt).await?;
            salt
        }
    };
    // Derive master key
    print!("Deriving master key (Argon2id, this takes a moment)... ");
    let master_key = crypto::derive_master_key(&password, &salt)?;
    println!("done.");
    // Store in OS Keychain
    crypto::store_master_key(&master_key)?;
    // Self-test: encrypt and decrypt a canary value
    let canary = b"secrets-cli-canary";
    let enc = crypto::encrypt(&master_key, canary)?;
    let dec = crypto::decrypt(&master_key, &enc)?;
    if dec != canary {
        anyhow::bail!("Self-test failed: encryption roundtrip mismatch");
    }
    println!();
    println!("Master key stored in OS Keychain.");
    println!("You can now use `secrets add` / `secrets search` commands.");
    println!();
    println!("IMPORTANT: Remember your master password — it is not stored anywhere.");
    println!("           On a new device, run `secrets init` with the same password.");
    Ok(())
 }
--- a/src/commands/mod.rs
+++ b/src/commands/mod.rs
@@ -1,4 +1,12 @@
 pub mod add;
 pub mod config;
 pub mod delete;
 pub mod export_cmd;
 pub mod history;
 pub mod import_cmd;
 pub mod init;
 pub mod rollback;
 pub mod run;
 pub mod search;
 pub mod update;
 pub mod upgrade;
--- a/src/commands/rollback.rs
+++ b/src/commands/rollback.rs
@@ -0,0 +1,266 @@
 use anyhow::Result;
 use serde_json::{Value, json};
 use sqlx::{FromRow, PgPool};
 use uuid::Uuid;
 use crate::crypto;
 use crate::db;
 use crate::output::{OutputMode, print_json};
 pub struct RollbackArgs<'a> {
    pub namespace: &'a str,
    pub kind: &'a str,
    pub name: &'a str,
    /// Target entry version to restore. None → restore the most recent history entry.
    pub to_version: Option<i64>,
    pub output: OutputMode,
 }
 pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
    // ── Find the target entry history snapshot ────────────────────────────────
    #[derive(FromRow)]
    struct EntryHistoryRow {
        entry_id: Uuid,
        version: i64,
        action: String,
        tags: Vec<String>,
        metadata: Value,
    }
    let snap: Option<EntryHistoryRow> = if let Some(ver) = args.to_version {
        sqlx::query_as(
            "SELECT entry_id, version, action, tags, metadata \
             FROM entries_history \
             WHERE namespace = $1 AND kind = $2 AND name = $3 AND version = $4 \
             ORDER BY id DESC LIMIT 1",
        )
        .bind(args.namespace)
        .bind(args.kind)
        .bind(args.name)
        .bind(ver)
        .fetch_optional(pool)
        .await?
    } else {
        sqlx::query_as(
            "SELECT entry_id, version, action, tags, metadata \
             FROM entries_history \
             WHERE namespace = $1 AND kind = $2 AND name = $3 \
             ORDER BY id DESC LIMIT 1",
        )
        .bind(args.namespace)
        .bind(args.kind)
        .bind(args.name)
        .fetch_optional(pool)
        .await?
    };
    let snap = snap.ok_or_else(|| {
        anyhow::anyhow!(
            "No history found for [{}/{}] {}{}.",
            args.namespace,
            args.kind,
            args.name,
            args.to_version
                .map(|v| format!(" at version {}", v))
                .unwrap_or_default()
        )
    })?;
    // ── Find the matching secret field snapshots ──────────────────────────────
    #[derive(FromRow)]
    struct SecretHistoryRow {
        secret_id: Uuid,
        field_name: String,
        field_type: String,
        value_len: i32,
        encrypted: Vec<u8>,
        action: String,
    }
    let field_snaps: Vec<SecretHistoryRow> = sqlx::query_as(
        "SELECT secret_id, field_name, field_type, value_len, encrypted, action \
         FROM secrets_history \
         WHERE entry_id = $1 AND entry_version = $2 \
         ORDER BY field_name",
    )
    .bind(snap.entry_id)
    .bind(snap.version)
    .fetch_all(pool)
    .await?;
    // Validate: try decrypting all encrypted fields before writing anything.
    for f in &field_snaps {
        if f.action != "delete" && !f.encrypted.is_empty() {
            crypto::decrypt_json(master_key, &f.encrypted).map_err(|e| {
                anyhow::anyhow!(
                    "Cannot decrypt snapshot for field '{}': {}",
                    f.field_name,
                    e
                )
            })?;
        }
    }
    let mut tx = pool.begin().await?;
    // ── Snapshot the current live state before overwriting ────────────────────
    #[derive(sqlx::FromRow)]
    struct LiveEntry {
        id: Uuid,
        version: i64,
        tags: Vec<String>,
        metadata: Value,
    }
    let live: Option<LiveEntry> = sqlx::query_as(
        "SELECT id, version, tags, metadata FROM entries \
         WHERE namespace = $1 AND kind = $2 AND name = $3 FOR UPDATE",
    )
    .bind(args.namespace)
    .bind(args.kind)
    .bind(args.name)
    .fetch_optional(&mut *tx)
    .await?;
    if let Some(ref lr) = live {
        if let Err(e) = db::snapshot_entry_history(
            &mut tx,
            db::EntrySnapshotParams {
                entry_id: lr.id,
                namespace: args.namespace,
                kind: args.kind,
                name: args.name,
                version: lr.version,
                action: "rollback",
                tags: &lr.tags,
                metadata: &lr.metadata,
            },
        )
        .await
        {
            tracing::warn!(error = %e, "failed to snapshot entry before rollback");
        }
        // Snapshot existing secret fields.
        #[derive(sqlx::FromRow)]
        struct LiveField {
            id: Uuid,
            field_name: String,
            field_type: String,
            value_len: i32,
            encrypted: Vec<u8>,
        }
        let live_fields: Vec<LiveField> = sqlx::query_as(
            "SELECT id, field_name, field_type, value_len, encrypted \
             FROM secrets WHERE entry_id = $1",
        )
        .bind(lr.id)
        .fetch_all(&mut *tx)
        .await?;
        for f in &live_fields {
            if let Err(e) = db::snapshot_secret_history(
                &mut tx,
                db::SecretSnapshotParams {
                    entry_id: lr.id,
                    secret_id: f.id,
                    entry_version: lr.version,
                    field_name: &f.field_name,
                    field_type: &f.field_type,
                    value_len: f.value_len,
                    encrypted: &f.encrypted,
                    action: "rollback",
                },
            )
            .await
            {
                tracing::warn!(error = %e, "failed to snapshot secret field before rollback");
            }
        }
    }
    // ── Restore entry row ─────────────────────────────────────────────────────
    sqlx::query(
        "INSERT INTO entries (id, namespace, kind, name, tags, metadata, version, updated_at) \
         VALUES ($1, $2, $3, $4, $5, $6, $7, NOW()) \
         ON CONFLICT (namespace, kind, name) DO UPDATE SET \
             tags       = EXCLUDED.tags, \
             metadata   = EXCLUDED.metadata, \
             version    = entries.version + 1, \
             updated_at = NOW()",
    )
    .bind(snap.entry_id)
    .bind(args.namespace)
    .bind(args.kind)
    .bind(args.name)
    .bind(&snap.tags)
    .bind(&snap.metadata)
    .bind(snap.version)
    .execute(&mut *tx)
    .await?;
    // ── Restore secret fields ─────────────────────────────────────────────────
    // Delete all current fields and re-insert from snapshot
    // (only non-deleted fields from the snapshot are restored).
    sqlx::query("DELETE FROM secrets WHERE entry_id = $1")
        .bind(snap.entry_id)
        .execute(&mut *tx)
        .await?;
    for f in &field_snaps {
        if f.action == "delete" {
            // Field was deleted at this snapshot point — don't restore it.
            continue;
        }
        sqlx::query(
            "INSERT INTO secrets (id, entry_id, field_name, field_type, value_len, encrypted) \
             VALUES ($1, $2, $3, $4, $5, $6) \
             ON CONFLICT (entry_id, field_name) DO UPDATE SET \
                 field_type = EXCLUDED.field_type, \
                 value_len  = EXCLUDED.value_len, \
                 encrypted  = EXCLUDED.encrypted, \
                 version    = secrets.version + 1, \
                 updated_at = NOW()",
        )
        .bind(f.secret_id)
        .bind(snap.entry_id)
        .bind(&f.field_name)
        .bind(&f.field_type)
        .bind(f.value_len)
        .bind(&f.encrypted)
        .execute(&mut *tx)
        .await?;
    }
    crate::audit::log_tx(
        &mut tx,
        "rollback",
        args.namespace,
        args.kind,
        args.name,
        json!({
            "restored_version": snap.version,
            "original_action": snap.action,
        }),
    )
    .await;
    tx.commit().await?;
    let result_json = json!({
        "action": "rolled_back",
        "namespace": args.namespace,
        "kind": args.kind,
        "name": args.name,
        "restored_version": snap.version,
    });
    match args.output {
        OutputMode::Text => println!(
            "Rolled back: [{}/{}] {} → version {}",
            args.namespace, args.kind, args.name, snap.version
        ),
        ref mode => print_json(&result_json, mode)?,
    }
    Ok(())
 }
--- a/src/commands/run.rs
+++ b/src/commands/run.rs
@@ -0,0 +1,143 @@
 use anyhow::Result;
 use serde_json::Value;
 use sqlx::PgPool;
 use std::collections::HashMap;
 use crate::commands::search::{build_injected_env_map, fetch_entries, fetch_secrets_for_entries};
 use crate::output::OutputMode;
 pub struct InjectArgs<'a> {
    pub namespace: Option<&'a str>,
    pub kind: Option<&'a str>,
    pub name: Option<&'a str>,
    pub tags: &'a [String],
    pub prefix: &'a str,
    pub output: OutputMode,
 }
 pub struct RunArgs<'a> {
    pub namespace: Option<&'a str>,
    pub kind: Option<&'a str>,
    pub name: Option<&'a str>,
    pub tags: &'a [String],
    pub prefix: &'a str,
    pub command: &'a [String],
 }
 /// Fetch entries matching the filter and build a flat env map (metadata + decrypted secrets).
 pub async fn collect_env_map(
    pool: &PgPool,
    namespace: Option<&str>,
    kind: Option<&str>,
    name: Option<&str>,
    tags: &[String],
    prefix: &str,
    master_key: &[u8; 32],
 ) -> Result<HashMap<String, String>> {
    if namespace.is_none() && kind.is_none() && name.is_none() && tags.is_empty() {
        anyhow::bail!(
            "At least one filter (--namespace, --kind, --name, or --tag) is required for inject/run"
        );
    }
    let entries = fetch_entries(pool, namespace, kind, name, tags, None).await?;
    if entries.is_empty() {
        anyhow::bail!("No records matched the given filters.");
    }
    let entry_ids: Vec<uuid::Uuid> = entries.iter().map(|e| e.id).collect();
    let fields_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
    let mut map = HashMap::new();
    for entry in &entries {
        let empty = vec![];
        let fields = fields_map.get(&entry.id).unwrap_or(&empty);
        let row_map = build_injected_env_map(pool, entry, prefix, master_key, fields).await?;
        for (k, v) in row_map {
            map.insert(k, v);
        }
    }
    Ok(map)
 }
 /// `inject` command: print env vars to stdout.
 pub async fn run_inject(pool: &PgPool, args: InjectArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
    let env_map = collect_env_map(
        pool,
        args.namespace,
        args.kind,
        args.name,
        args.tags,
        args.prefix,
        master_key,
    )
    .await?;
    match args.output {
        OutputMode::Json => {
            let obj: serde_json::Map<String, Value> = env_map
                .into_iter()
                .map(|(k, v)| (k, Value::String(v)))
                .collect();
            println!("{}", serde_json::to_string_pretty(&Value::Object(obj))?);
        }
        OutputMode::JsonCompact => {
            let obj: serde_json::Map<String, Value> = env_map
                .into_iter()
                .map(|(k, v)| (k, Value::String(v)))
                .collect();
            println!("{}", serde_json::to_string(&Value::Object(obj))?);
        }
        _ => {
            let mut pairs: Vec<(String, String)> = env_map.into_iter().collect();
            pairs.sort_by(|a, b| a.0.cmp(&b.0));
            for (k, v) in pairs {
                println!("{}={}", k, shell_quote(&v));
            }
        }
    }
    Ok(())
 }
 /// `run` command: inject secrets into a child process environment and execute.
 pub async fn run_exec(pool: &PgPool, args: RunArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
    if args.command.is_empty() {
        anyhow::bail!(
            "No command specified. Usage: secrets run [filter flags] -- <command> [args]"
        );
    }
    let env_map = collect_env_map(
        pool,
        args.namespace,
        args.kind,
        args.name,
        args.tags,
        args.prefix,
        master_key,
    )
    .await?;
    tracing::debug!(
        vars = env_map.len(),
        cmd = args.command[0].as_str(),
        "injecting secrets into child process"
    );
    let status = std::process::Command::new(&args.command[0])
        .args(&args.command[1..])
        .envs(&env_map)
        .status()
        .map_err(|e| anyhow::anyhow!("Failed to execute '{}': {}", args.command[0], e))?;
    if !status.success() {
        let code = status.code().unwrap_or(1);
        std::process::exit(code);
    }
    Ok(())
 }
 fn shell_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', "'\\''"))
 }
--- a/src/commands/search.rs
+++ b/src/commands/search.rs
@@ -1,36 +1,203 @@
 use anyhow::Result;
 use serde_json::{Value, json};
 use sqlx::PgPool;
 use std::collections::HashMap;
-use crate::models::Secret;
+use crate::crypto;
 use crate::models::{Entry, SecretField};
 use crate::output::{OutputMode, format_local_time};
-pub async fn run(
+pub struct SearchArgs<'a> {
    pub namespace: Option<&'a str>,
    pub kind: Option<&'a str>,
    pub name: Option<&'a str>,
    pub tags: &'a [String],
    pub query: Option<&'a str>,
    pub fields: &'a [String],
    pub summary: bool,
    pub limit: u32,
    pub offset: u32,
    pub sort: &'a str,
    pub output: OutputMode,
 }
 pub async fn run(pool: &PgPool, args: SearchArgs<'_>) -> Result<()> {
    validate_safe_search_args(args.fields)?;
    let rows = fetch_entries_paged(
        pool,
        PagedFetchArgs {
            namespace: args.namespace,
            kind: args.kind,
            name: args.name,
            tags: args.tags,
            query: args.query,
            sort: args.sort,
            limit: args.limit,
            offset: args.offset,
        },
    )
    .await?;
    // -f/--field: extract specific metadata field values directly
    if !args.fields.is_empty() {
        return print_fields(&rows, args.fields);
    }
    // Fetch secret schemas for all returned entries (no master key needed).
    let entry_ids: Vec<uuid::Uuid> = rows.iter().map(|r| r.id).collect();
    let schema_map = if !args.summary && !entry_ids.is_empty() {
        fetch_secret_schemas(pool, &entry_ids).await?
    } else {
        HashMap::new()
    };
    match args.output {
        OutputMode::Json | OutputMode::JsonCompact => {
            let arr: Vec<Value> = rows
                .iter()
                .map(|r| to_json(r, args.summary, schema_map.get(&r.id).map(Vec::as_slice)))
                .collect();
            let out = if args.output == OutputMode::Json {
                serde_json::to_string_pretty(&arr)?
            } else {
                serde_json::to_string(&arr)?
            };
            println!("{}", out);
        }
        OutputMode::Text => {
            if rows.is_empty() {
                println!("No records found.");
                return Ok(());
            }
            for row in &rows {
                print_text(
                    row,
                    args.summary,
                    schema_map.get(&row.id).map(Vec::as_slice),
                )?;
            }
            println!("{} record(s) found.", rows.len());
            if rows.len() == args.limit as usize {
                println!(
                    "  (showing up to {}; use --offset {} to see more)",
                    args.limit,
                    args.offset + args.limit
                );
            }
        }
    }
    Ok(())
 }
 fn validate_safe_search_args(fields: &[String]) -> Result<()> {
    if let Some(field) = fields.iter().find(|field| is_secret_field(field)) {
        anyhow::bail!(
            "Field '{}' is sensitive. `search -f` only supports metadata.* fields; use `secrets inject` or `secrets run` for secrets.",
            field
        );
    }
    Ok(())
 }
 fn is_secret_field(field: &str) -> bool {
    matches!(
        field.split_once('.').map(|(section, _)| section),
        Some("secret" | "secrets" | "encrypted")
    )
 }
 // ── Entry fetching ────────────────────────────────────────────────────────────
 struct PagedFetchArgs<'a> {
    namespace: Option<&'a str>,
    kind: Option<&'a str>,
    name: Option<&'a str>,
    tags: &'a [String],
    query: Option<&'a str>,
    sort: &'a str,
    limit: u32,
    offset: u32,
 }
 /// A very large limit used when callers need all matching records (export, inject, run).
 /// Postgres will stop scanning when this many rows are found; adjust if needed.
 pub const FETCH_ALL_LIMIT: u32 = 100_000;
 /// Fetch entries matching the given filters (used by search, inject, run).
 /// `limit` caps the result set; pass `FETCH_ALL_LIMIT` when you need all matching records.
 pub async fn fetch_entries(
    pool: &PgPool,
    namespace: Option<&str>,
    kind: Option<&str>,
-    tag: Option<&str>,
+    name: Option<&str>,
    tags: &[String],
    query: Option<&str>,
-    show_secrets: bool,
+) -> Result<Vec<Entry>> {
-) -> Result<()> {
+    fetch_entries_with_limit(pool, namespace, kind, name, tags, query, FETCH_ALL_LIMIT).await
 }
 /// Like `fetch_entries` but with an explicit limit. Used internally by `search`.
 pub(crate) async fn fetch_entries_with_limit(
    pool: &PgPool,
    namespace: Option<&str>,
    kind: Option<&str>,
    name: Option<&str>,
    tags: &[String],
    query: Option<&str>,
    limit: u32,
 ) -> Result<Vec<Entry>> {
    fetch_entries_paged(
        pool,
        PagedFetchArgs {
            namespace,
            kind,
            name,
            tags,
            query,
            sort: "name",
            limit,
            offset: 0,
        },
    )
    .await
 }
 async fn fetch_entries_paged(pool: &PgPool, a: PagedFetchArgs<'_>) -> Result<Vec<Entry>> {
    let mut conditions: Vec<String> = Vec::new();
    let mut idx: i32 = 1;
-    if namespace.is_some() {
+    if a.namespace.is_some() {
        conditions.push(format!("namespace = ${}", idx));
        idx += 1;
    }
-    if kind.is_some() {
+    if a.kind.is_some() {
        conditions.push(format!("kind = ${}", idx));
        idx += 1;
    }
-    if tag.is_some() {
+    if a.name.is_some() {
-        conditions.push(format!("tags @> ARRAY[${}]", idx));
+        conditions.push(format!("name = ${}", idx));
        idx += 1;
    }
-    if query.is_some() {
+    if !a.tags.is_empty() {
        let placeholders: Vec<String> = a
            .tags
            .iter()
            .map(|_| {
                let p = format!("${}", idx);
                idx += 1;
                p
            })
            .collect();
        conditions.push(format!("tags @> ARRAY[{}]", placeholders.join(", ")));
    }
    if a.query.is_some() {
        conditions.push(format!(
-            "(name ILIKE ${i} OR namespace ILIKE ${i} OR kind ILIKE ${i} OR metadata::text ILIKE ${i} OR EXISTS (SELECT 1 FROM unnest(tags) t WHERE t ILIKE ${i}))",
+            "(name ILIKE ${i} ESCAPE '\\' OR namespace ILIKE ${i} ESCAPE '\\' OR kind ILIKE ${i} ESCAPE '\\' OR metadata::text ILIKE ${i} ESCAPE '\\' OR EXISTS (SELECT 1 FROM unnest(tags) t WHERE t ILIKE ${i} ESCAPE '\\'))",
            i = idx
        ));
        idx += 1;
    }
    let where_clause = if conditions.is_empty() {
@@ -39,72 +206,406 @@ pub async fn run(
        format!("WHERE {}", conditions.join(" AND "))
    };
    let order = match a.sort {
        "updated" => "updated_at DESC",
        "created" => "created_at DESC",
        _ => "namespace, kind, name",
    };
    let sql = format!(
-        "SELECT * FROM secrets {} ORDER BY namespace, kind, name",
+        "SELECT * FROM entries {} ORDER BY {} LIMIT ${} OFFSET ${}",
-        where_clause
+        where_clause,
        order,
        idx,
        idx + 1
    );
-    let mut q = sqlx::query_as::<_, Secret>(&sql);
+    tracing::debug!(sql, "executing search query");
-    if let Some(v) = namespace {
+
    let mut q = sqlx::query_as::<_, Entry>(&sql);
    if let Some(v) = a.namespace {
        q = q.bind(v);
    }
-    if let Some(v) = kind {
+    if let Some(v) = a.kind {
        q = q.bind(v);
    }
-    if let Some(v) = tag {
+    if let Some(v) = a.name {
        q = q.bind(v);
    }
-    if let Some(v) = query {
+    for v in a.tags {
-        q = q.bind(format!("%{}%", v));
+        q = q.bind(v.as_str());
    }
    if let Some(v) = a.query {
        q = q.bind(format!(
            "%{}%",
            v.replace('\\', "\\\\")
                .replace('%', "\\%")
                .replace('_', "\\_")
        ));
    }
    q = q.bind(a.limit as i64).bind(a.offset as i64);
    Ok(q.fetch_all(pool).await?)
 }
 // ── Secret schema fetching (no master key) ───────────────────────────────────
 /// Fetch secret field schemas (field_name, field_type, value_len) for a set of entry ids.
 /// Returns a map from entry_id to list of SecretField (encrypted field not used here).
 async fn fetch_secret_schemas(
    pool: &PgPool,
    entry_ids: &[uuid::Uuid],
 ) -> Result<HashMap<uuid::Uuid, Vec<SecretField>>> {
    if entry_ids.is_empty() {
        return Ok(HashMap::new());
    }
-    let rows = q.fetch_all(pool).await?;
+    let fields: Vec<SecretField> = sqlx::query_as(
        "SELECT * FROM secrets WHERE entry_id = ANY($1) ORDER BY entry_id, field_name",
    )
    .bind(entry_ids)
    .fetch_all(pool)
    .await?;
-    if rows.is_empty() {
+    let mut map: HashMap<uuid::Uuid, Vec<SecretField>> = HashMap::new();
-        println!("No records found.");
+    for f in fields {
-        return Ok(());
+        map.entry(f.entry_id).or_default().push(f);
    }
    Ok(map)
 }
 /// Fetch all secret fields (including encrypted bytes) for a set of entry ids.
 pub async fn fetch_secrets_for_entries(
    pool: &PgPool,
    entry_ids: &[uuid::Uuid],
 ) -> Result<HashMap<uuid::Uuid, Vec<SecretField>>> {
    if entry_ids.is_empty() {
        return Ok(HashMap::new());
    }
-    for row in &rows {
+    let fields: Vec<SecretField> = sqlx::query_as(
-        println!("[{}/{}] {}", row.namespace, row.kind, row.name,);
+        "SELECT * FROM secrets WHERE entry_id = ANY($1) ORDER BY entry_id, field_name",
-        println!("  id:       {}", row.id);
+    )
    .bind(entry_ids)
    .fetch_all(pool)
    .await?;
-        if !row.tags.is_empty() {
+    let mut map: HashMap<uuid::Uuid, Vec<SecretField>> = HashMap::new();
-            println!("  tags:     [{}]", row.tags.join(", "));
+    for f in fields {
        map.entry(f.entry_id).or_default().push(f);
    }
    Ok(map)
 }
 // ── Display helpers ───────────────────────────────────────────────────────────
 fn env_prefix(entry: &Entry, prefix: &str) -> String {
    let name_part = entry.name.to_uppercase().replace(['-', '.', ' '], "_");
    if prefix.is_empty() {
        name_part
    } else {
        format!(
            "{}_{}",
            prefix.to_uppercase().replace(['-', '.', ' '], "_"),
            name_part
        )
    }
 }
 /// Build a flat KEY=VALUE map from metadata only (no master key required).
 pub fn build_metadata_env_map(entry: &Entry, prefix: &str) -> HashMap<String, String> {
    let effective_prefix = env_prefix(entry, prefix);
    let mut map = HashMap::new();
    if let Some(meta) = entry.metadata.as_object() {
        for (k, v) in meta {
            let key = format!(
                "{}_{}",
                effective_prefix,
                k.to_uppercase().replace(['-', '.'], "_")
            );
            map.insert(key, json_value_to_env_string(v));
        }
    }
    map
 }
-        if row.metadata.as_object().is_some_and(|m| !m.is_empty()) {
+/// Build a flat KEY=VALUE map from metadata + decrypted secret fields.
 /// Resolves key_ref: if metadata.key_ref is set, merges secret fields from that key entry.
 pub async fn build_injected_env_map(
    pool: &PgPool,
    entry: &Entry,
    prefix: &str,
    master_key: &[u8; 32],
    fields: &[SecretField],
 ) -> Result<HashMap<String, String>> {
    let effective_prefix = env_prefix(entry, prefix);
    let mut map = build_metadata_env_map(entry, prefix);
    // Decrypt each secret field and add to env map.
    for f in fields {
        let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
        let key = format!(
            "{}_{}",
            effective_prefix,
            f.field_name.to_uppercase().replace(['-', '.'], "_")
        );
        map.insert(key, json_value_to_env_string(&decrypted));
    }
    // Resolve key_ref: merge secrets from the referenced key entry.
    if let Some(key_ref) = entry.metadata.get("key_ref").and_then(|v| v.as_str()) {
        let key_entries = fetch_entries(
            pool,
            Some(&entry.namespace),
            Some("key"),
            Some(key_ref),
            &[],
            None,
        )
        .await?;
        if let Some(key_entry) = key_entries.first() {
            let key_ids = vec![key_entry.id];
            let key_fields_map = fetch_secrets_for_entries(pool, &key_ids).await?;
            let empty = vec![];
            let key_fields = key_fields_map.get(&key_entry.id).unwrap_or(&empty);
            let key_prefix = env_prefix(key_entry, prefix);
            for f in key_fields {
                let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
                let key_var = format!(
                    "{}_{}",
                    key_prefix,
                    f.field_name.to_uppercase().replace(['-', '.'], "_")
                );
                map.insert(key_var, json_value_to_env_string(&decrypted));
            }
        } else {
            tracing::warn!(key_ref, "key_ref target not found");
        }
    }
    Ok(map)
 }
 fn json_value_to_env_string(v: &Value) -> String {
    match v {
        Value::String(s) => s.clone(),
        Value::Null => String::new(),
        other => other.to_string(),
    }
 }
 fn to_json(entry: &Entry, summary: bool, schema: Option<&[SecretField]>) -> Value {
    if summary {
        let desc = entry
            .metadata
            .get("desc")
            .or_else(|| entry.metadata.get("url"))
            .and_then(|v| v.as_str())
            .unwrap_or("")
            .to_string();
        return json!({
            "namespace": entry.namespace,
            "kind": entry.kind,
            "name": entry.name,
            "tags": entry.tags,
            "desc": desc,
            "updated_at": entry.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
        });
    }
    let secrets_val: Value = match schema {
        Some(fields) if !fields.is_empty() => {
            let schema_arr: Vec<Value> = fields
                .iter()
                .map(|f| {
                    json!({
                        "field_name": f.field_name,
                        "field_type": f.field_type,
                        "value_len": f.value_len,
                    })
                })
                .collect();
            Value::Array(schema_arr)
        }
        _ => Value::Array(vec![]),
    };
    json!({
        "id": entry.id,
        "namespace": entry.namespace,
        "kind": entry.kind,
        "name": entry.name,
        "tags": entry.tags,
        "metadata": entry.metadata,
        "secrets": secrets_val,
        "version": entry.version,
        "created_at": entry.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
        "updated_at": entry.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
    })
 }
 fn print_text(entry: &Entry, summary: bool, schema: Option<&[SecretField]>) -> Result<()> {
    println!("[{}/{}] {}", entry.namespace, entry.kind, entry.name);
    if summary {
        let desc = entry
            .metadata
            .get("desc")
            .or_else(|| entry.metadata.get("url"))
            .and_then(|v| v.as_str())
            .unwrap_or("-");
        if !entry.tags.is_empty() {
            println!("  tags:    [{}]", entry.tags.join(", "));
        }
        println!("  desc:    {}", desc);
        println!("  updated: {}", format_local_time(entry.updated_at));
    } else {
        println!("  id:       {}", entry.id);
        if !entry.tags.is_empty() {
            println!("  tags:     [{}]", entry.tags.join(", "));
        }
        if entry.metadata.as_object().is_some_and(|m| !m.is_empty()) {
            println!(
                "  metadata: {}",
-                serde_json::to_string_pretty(&row.metadata)?
+                serde_json::to_string_pretty(&entry.metadata)?
            );
        }
-
+        match schema {
-        if show_secrets {
+            Some(fields) if !fields.is_empty() => {
-            println!(
+                let schema_str: Vec<String> = fields
-                "  secrets:  {}",
+                    .iter()
-                serde_json::to_string_pretty(&row.encrypted)?
+                    .map(|f| format!("{}: {}({})", f.field_name, f.field_type, f.value_len))
-            );
+                    .collect();
-        } else {
+                println!("  secrets:  {}", schema_str.join(", "));
-            let keys: Vec<String> = row
+                println!("            (use `secrets inject` or `secrets run` to get values)");
                .encrypted
                .as_object()
                .map(|m| m.keys().cloned().collect())
                .unwrap_or_default();
            if !keys.is_empty() {
                println!(
                    "  secrets:  [{}]  (--show-secrets to reveal)",
                    keys.join(", ")
                );
            }
            _ => {}
        }
-
+        println!("  version:  {}", entry.version);
-        println!(
+        println!("  created:  {}", format_local_time(entry.created_at));
            "  created:  {}",
            row.created_at.format("%Y-%m-%d %H:%M:%S UTC")
        );
        println!();
    }
-    println!("{} record(s) found.", rows.len());
+    println!();
    Ok(())
 }
 /// Extract one or more metadata field paths like `metadata.url`.
 fn print_fields(rows: &[Entry], fields: &[String]) -> Result<()> {
    for row in rows {
        for field in fields {
            let val = extract_field(row, field)?;
            println!("{}", val);
        }
    }
    Ok(())
 }
 fn extract_field(entry: &Entry, field: &str) -> Result<String> {
    let (section, key) = field
        .split_once('.')
        .ok_or_else(|| anyhow::anyhow!("Invalid field path '{}'. Use metadata.<key>.", field))?;
    let obj = match section {
        "metadata" | "meta" => &entry.metadata,
        other => anyhow::bail!("Unknown field section '{}'. Use 'metadata'.", other),
    };
    obj.get(key)
        .and_then(|v| {
            v.as_str()
                .map(|s| s.to_string())
                .or_else(|| Some(v.to_string()))
        })
        .ok_or_else(|| {
            anyhow::anyhow!(
                "Field '{}' not found in record [{}/{}/{}]",
                field,
                entry.namespace,
                entry.kind,
                entry.name
            )
        })
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use chrono::Utc;
    use serde_json::json;
    use uuid::Uuid;
    fn sample_entry() -> Entry {
        Entry {
            id: Uuid::nil(),
            namespace: "refining".to_string(),
            kind: "service".to_string(),
            name: "gitea.main".to_string(),
            tags: vec!["prod".to_string()],
            metadata: json!({"url": "https://gitea.refining.dev", "enabled": true}),
            version: 1,
            created_at: Utc::now(),
            updated_at: Utc::now(),
        }
    }
    fn sample_fields() -> Vec<SecretField> {
        let key = [0x42u8; 32];
        let enc = crypto::encrypt_json(&key, &json!("abc123")).unwrap();
        vec![SecretField {
            id: Uuid::nil(),
            entry_id: Uuid::nil(),
            field_name: "token".to_string(),
            field_type: "string".to_string(),
            value_len: 6,
            encrypted: enc,
            version: 1,
            created_at: Utc::now(),
            updated_at: Utc::now(),
        }]
    }
    #[test]
    fn rejects_secret_field_extraction() {
        let fields = vec!["secret.token".to_string()];
        let err = validate_safe_search_args(&fields).unwrap_err();
        assert!(err.to_string().contains("sensitive"));
    }
    #[test]
    fn metadata_env_map_excludes_secret_values() {
        let entry = sample_entry();
        let map = build_metadata_env_map(&entry, "");
        assert_eq!(
            map.get("GITEA_MAIN_URL").map(String::as_str),
            Some("https://gitea.refining.dev")
        );
        assert_eq!(
            map.get("GITEA_MAIN_ENABLED").map(String::as_str),
            Some("true")
        );
        assert!(!map.contains_key("GITEA_MAIN_TOKEN"));
    }
    #[test]
    fn to_json_full_includes_secrets_schema() {
        let entry = sample_entry();
        let fields = sample_fields();
        let v = to_json(&entry, false, Some(&fields));
        let secrets = v.get("secrets").unwrap().as_array().unwrap();
        assert_eq!(secrets.len(), 1);
        assert_eq!(secrets[0]["field_name"], "token");
        assert_eq!(secrets[0]["field_type"], "string");
        assert_eq!(secrets[0]["value_len"], 6);
    }
    #[test]
    fn to_json_summary_omits_secrets_schema() {
        let entry = sample_entry();
        let fields = sample_fields();
        let v = to_json(&entry, true, Some(&fields));
        assert!(v.get("secrets").is_none());
    }
 }
--- a/src/commands/update.rs
+++ b/src/commands/update.rs
@@ -1,8 +1,16 @@
 use anyhow::Result;
-use serde_json::{Map, Value};
+use serde_json::{Map, Value, json};
 use sqlx::PgPool;
 use uuid::Uuid;
-use super::add::parse_kv;
+use super::add::{
    collect_field_paths, collect_key_paths, compute_value_len, flatten_json_fields,
    infer_field_type, insert_path, parse_key_path, parse_kv, remove_path,
 };
 use crate::crypto;
 use crate::db;
 use crate::models::EntryRow;
 use crate::output::{OutputMode, print_json};
 pub struct UpdateArgs<'a> {
    pub namespace: &'a str,
@@ -14,20 +22,22 @@ pub struct UpdateArgs<'a> {
    pub remove_meta: &'a [String],
    pub secret_entries: &'a [String],
    pub remove_secrets: &'a [String],
    pub output: OutputMode,
 }
-pub async fn run(pool: &PgPool, args: UpdateArgs<'_>) -> Result<()> {
+pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
-    let row = sqlx::query!(
+    let mut tx = pool.begin().await?;
-        r#"
+
-        SELECT id, tags, metadata, encrypted
+    let row: Option<EntryRow> = sqlx::query_as(
-        FROM secrets
+        "SELECT id, version, tags, metadata \
-        WHERE namespace = $1 AND kind = $2 AND name = $3
+         FROM entries \
-        "#,
+         WHERE namespace = $1 AND kind = $2 AND name = $3 \
-        args.namespace,
+         FOR UPDATE",
        args.kind,
        args.name,
    )
-    .fetch_optional(pool)
+    .bind(args.namespace)
    .bind(args.kind)
    .bind(args.name)
    .fetch_optional(&mut *tx)
    .await?;
    let row = row.ok_or_else(|| {
@@ -39,7 +49,26 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>) -> Result<()> {
        )
    })?;
-    // Merge tags
+    // Snapshot current entry state before modifying.
    if let Err(e) = db::snapshot_entry_history(
        &mut tx,
        db::EntrySnapshotParams {
            entry_id: row.id,
            namespace: args.namespace,
            kind: args.kind,
            name: args.name,
            version: row.version,
            action: "update",
            tags: &row.tags,
            metadata: &row.metadata,
        },
    )
    .await
    {
        tracing::warn!(error = %e, "failed to snapshot entry history before update");
    }
    // ── Merge tags ────────────────────────────────────────────────────────────
    let mut tags: Vec<String> = row.tags;
    for t in args.add_tags {
        if !tags.contains(t) {
@@ -48,77 +77,230 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>) -> Result<()> {
    }
    tags.retain(|t| !args.remove_tags.contains(t));
-    // Merge metadata
+    // ── Merge metadata ────────────────────────────────────────────────────────
    let mut meta_map: Map<String, Value> = match row.metadata {
        Value::Object(m) => m,
        _ => Map::new(),
    };
    for entry in args.meta_entries {
-        let (key, value) = parse_kv(entry)?;
+        let (path, value) = parse_kv(entry)?;
-        meta_map.insert(key, Value::String(value));
+        insert_path(&mut meta_map, &path, value)?;
    }
    for key in args.remove_meta {
-        meta_map.remove(key);
+        let path = parse_key_path(key)?;
        remove_path(&mut meta_map, &path)?;
    }
    let metadata = Value::Object(meta_map);
-    // Merge encrypted
+    // CAS update of the entry row.
-    let mut enc_map: Map<String, Value> = match row.encrypted {
+    let result = sqlx::query(
-        Value::Object(m) => m,
+        "UPDATE entries \
-        _ => Map::new(),
+         SET tags = $1, metadata = $2, version = version + 1, updated_at = NOW() \
-    };
+         WHERE id = $3 AND version = $4",
    for entry in args.secret_entries {
        let (key, value) = parse_kv(entry)?;
        enc_map.insert(key, Value::String(value));
    }
    for key in args.remove_secrets {
        enc_map.remove(key);
    }
    let encrypted = Value::Object(enc_map);
    sqlx::query!(
        r#"
        UPDATE secrets
        SET tags = $1, metadata = $2, encrypted = $3, updated_at = NOW()
        WHERE id = $4
        "#,
        &tags,
        metadata,
        encrypted,
        row.id,
    )
-    .execute(pool)
+    .bind(&tags)
    .bind(&metadata)
    .bind(row.id)
    .bind(row.version)
    .execute(&mut *tx)
    .await?;
-    println!("Updated: [{}/{}] {}", args.namespace, args.kind, args.name);
+    if result.rows_affected() == 0 {
        tx.rollback().await?;
        anyhow::bail!(
            "Concurrent modification detected for [{}/{}] {}. Please retry.",
            args.namespace,
            args.kind,
            args.name
        );
    }
-    if !args.add_tags.is_empty() {
+    let new_version = row.version + 1;
-        println!("  +tags:     {}", args.add_tags.join(", "));
+
    // ── Update secret fields ──────────────────────────────────────────────────
    for entry in args.secret_entries {
        let (path, field_value) = parse_kv(entry)?;
        // For nested paths (e.g. credentials:type), flatten into dot-separated names
        // and treat the sub-value as the individual field to store.
        let flat = flatten_json_fields("", &{
            let mut m = Map::new();
            insert_path(&mut m, &path, field_value)?;
            Value::Object(m)
        });
        for (field_name, fv) in &flat {
            let field_type = infer_field_type(fv);
            let value_len = compute_value_len(fv);
            let encrypted = crypto::encrypt_json(master_key, fv)?;
            // Snapshot existing field before replacing.
            #[derive(sqlx::FromRow)]
            struct ExistingField {
                id: Uuid,
                field_type: String,
                value_len: i32,
                encrypted: Vec<u8>,
            }
            let existing_field: Option<ExistingField> = sqlx::query_as(
                "SELECT id, field_type, value_len, encrypted \
                 FROM secrets WHERE entry_id = $1 AND field_name = $2",
            )
            .bind(row.id)
            .bind(field_name)
            .fetch_optional(&mut *tx)
            .await?;
            if let Some(ef) = &existing_field
                && let Err(e) = db::snapshot_secret_history(
                    &mut tx,
                    db::SecretSnapshotParams {
                        entry_id: row.id,
                        secret_id: ef.id,
                        entry_version: row.version,
                        field_name,
                        field_type: &ef.field_type,
                        value_len: ef.value_len,
                        encrypted: &ef.encrypted,
                        action: "update",
                    },
                )
                .await
            {
                tracing::warn!(error = %e, "failed to snapshot secret field history");
            }
            sqlx::query(
                "INSERT INTO secrets (entry_id, field_name, field_type, value_len, encrypted) \
                 VALUES ($1, $2, $3, $4, $5) \
                 ON CONFLICT (entry_id, field_name) DO UPDATE SET \
                     field_type = EXCLUDED.field_type, \
                     value_len  = EXCLUDED.value_len, \
                     encrypted  = EXCLUDED.encrypted, \
                     version    = secrets.version + 1, \
                     updated_at = NOW()",
            )
            .bind(row.id)
            .bind(field_name)
            .bind(field_type)
            .bind(value_len)
            .bind(&encrypted)
            .execute(&mut *tx)
            .await?;
        }
    }
-    if !args.remove_tags.is_empty() {
+
-        println!("  -tags:     {}", args.remove_tags.join(", "));
+    // ── Remove secret fields ──────────────────────────────────────────────────
    for key in args.remove_secrets {
        let path = parse_key_path(key)?;
        // Dot-join the path to match flattened field_name storage.
        let field_name = path.join(".");
        // Snapshot before delete.
        #[derive(sqlx::FromRow)]
        struct FieldToDelete {
            id: Uuid,
            field_type: String,
            value_len: i32,
            encrypted: Vec<u8>,
        }
        let field: Option<FieldToDelete> = sqlx::query_as(
            "SELECT id, field_type, value_len, encrypted \
             FROM secrets WHERE entry_id = $1 AND field_name = $2",
        )
        .bind(row.id)
        .bind(&field_name)
        .fetch_optional(&mut *tx)
        .await?;
        if let Some(f) = field {
            if let Err(e) = db::snapshot_secret_history(
                &mut tx,
                db::SecretSnapshotParams {
                    entry_id: row.id,
                    secret_id: f.id,
                    entry_version: new_version,
                    field_name: &field_name,
                    field_type: &f.field_type,
                    value_len: f.value_len,
                    encrypted: &f.encrypted,
                    action: "delete",
                },
            )
            .await
            {
                tracing::warn!(error = %e, "failed to snapshot secret field history before delete");
            }
            sqlx::query("DELETE FROM secrets WHERE id = $1")
                .bind(f.id)
                .execute(&mut *tx)
                .await?;
        }
    }
-    if !args.meta_entries.is_empty() {
+
-        let keys: Vec<&str> = args
+    let meta_keys = collect_key_paths(args.meta_entries)?;
-            .meta_entries
+    let remove_meta_keys = collect_field_paths(args.remove_meta)?;
-            .iter()
+    let secret_keys = collect_key_paths(args.secret_entries)?;
-            .filter_map(|s| s.split_once('=').map(|(k, _)| k))
+    let remove_secret_keys = collect_field_paths(args.remove_secrets)?;
-            .collect();
+
-        println!("  +metadata: {}", keys.join(", "));
+    crate::audit::log_tx(
-    }
+        &mut tx,
-    if !args.remove_meta.is_empty() {
+        "update",
-        println!("  -metadata: {}", args.remove_meta.join(", "));
+        args.namespace,
-    }
+        args.kind,
-    if !args.secret_entries.is_empty() {
+        args.name,
-        let keys: Vec<&str> = args
+        json!({
-            .secret_entries
+            "add_tags": args.add_tags,
-            .iter()
+            "remove_tags": args.remove_tags,
-            .filter_map(|s| s.split_once('=').map(|(k, _)| k))
+            "meta_keys": meta_keys,
-            .collect();
+            "remove_meta": remove_meta_keys,
-        println!("  +secrets:  {}", keys.join(", "));
+            "secret_keys": secret_keys,
-    }
+            "remove_secrets": remove_secret_keys,
-    if !args.remove_secrets.is_empty() {
+        }),
-        println!("  -secrets:  {}", args.remove_secrets.join(", "));
+    )
    .await;
    tx.commit().await?;
    let result_json = json!({
        "action": "updated",
        "namespace": args.namespace,
        "kind": args.kind,
        "name": args.name,
        "add_tags": args.add_tags,
        "remove_tags": args.remove_tags,
        "meta_keys": meta_keys,
        "remove_meta": remove_meta_keys,
        "secret_keys": secret_keys,
        "remove_secrets": remove_secret_keys,
    });
    match args.output {
        OutputMode::Json | OutputMode::JsonCompact => {
            print_json(&result_json, &args.output)?;
        }
        _ => {
            println!("Updated: [{}/{}] {}", args.namespace, args.kind, args.name);
            if !args.add_tags.is_empty() {
                println!("  +tags:     {}", args.add_tags.join(", "));
            }
            if !args.remove_tags.is_empty() {
                println!("  -tags:     {}", args.remove_tags.join(", "));
            }
            if !args.meta_entries.is_empty() {
                println!("  +metadata: {}", meta_keys.join(", "));
            }
            if !args.remove_meta.is_empty() {
                println!("  -metadata: {}", remove_meta_keys.join(", "));
            }
            if !args.secret_entries.is_empty() {
                println!("  +secrets:  {}", secret_keys.join(", "));
            }
            if !args.remove_secrets.is_empty() {
                println!("  -secrets:  {}", remove_secret_keys.join(", "));
            }
        }
    }
    Ok(())
--- a/src/commands/upgrade.rs
+++ b/src/commands/upgrade.rs
@@ -0,0 +1,394 @@
 use anyhow::{Context, Result, bail};
 use flate2::read::GzDecoder;
 use serde::Deserialize;
 use sha2::{Digest, Sha256};
 use std::io::{Cursor, Read, Write};
 use std::time::Duration;
 const GITEA_API: &str = "https://gitea.refining.dev/api/v1/repos/refining/secrets/releases/latest";
 const CURRENT_VERSION: &str = env!("CARGO_PKG_VERSION");
 #[derive(Debug, Deserialize)]
 struct Release {
    tag_name: String,
    assets: Vec<Asset>,
 }
 #[derive(Debug, Deserialize)]
 struct Asset {
    name: String,
    browser_download_url: String,
 }
 fn available_assets(assets: &[Asset]) -> String {
    assets
        .iter()
        .map(|a| a.name.as_str())
        .collect::<Vec<_>>()
        .join(", ")
 }
 fn release_asset_name(tag_name: &str, suffix: &str) -> String {
    format!("secrets-{tag_name}-{suffix}")
 }
 fn find_asset_by_name<'a>(assets: &'a [Asset], name: &str) -> Result<&'a Asset> {
    assets.iter().find(|a| a.name == name).with_context(|| {
        format!(
            "no matching release asset found: {name}\navailable: {}",
            available_assets(assets)
        )
    })
 }
 /// Detect the asset suffix for the current platform/arch at compile time.
 fn platform_asset_suffix() -> Result<&'static str> {
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    {
        Ok("x86_64-linux-musl.tar.gz")
    }
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    {
        Ok("aarch64-macos.tar.gz")
    }
    #[cfg(all(target_os = "macos", target_arch = "x86_64"))]
    {
        Ok("x86_64-macos.tar.gz")
    }
    #[cfg(all(target_os = "windows", target_arch = "x86_64"))]
    {
        Ok("x86_64-windows.zip")
    }
    #[cfg(not(any(
        all(target_os = "linux", target_arch = "x86_64"),
        all(target_os = "macos", target_arch = "aarch64"),
        all(target_os = "macos", target_arch = "x86_64"),
        all(target_os = "windows", target_arch = "x86_64"),
    )))]
    bail!(
        "Unsupported platform: {}/{}",
        std::env::consts::OS,
        std::env::consts::ARCH
    )
 }
 /// Strip the "secrets-" prefix from the tag and parse as semver.
 fn parse_tag_version(tag: &str) -> Result<semver::Version> {
    let ver_str = tag
        .strip_prefix("secrets-")
        .with_context(|| format!("unexpected tag format: {tag}"))?;
    semver::Version::parse(ver_str)
        .with_context(|| format!("failed to parse version from tag: {tag}"))
 }
 fn sha256_hex(bytes: &[u8]) -> String {
    let digest = Sha256::digest(bytes);
    format!("{digest:x}")
 }
 fn verify_checksum(asset_name: &str, archive: &[u8], checksum_contents: &str) -> Result<String> {
    let expected_checksum = parse_checksum_file(checksum_contents)?;
    let actual_checksum = sha256_hex(archive);
    if actual_checksum != expected_checksum {
        bail!(
            "checksum verification failed for {}: expected {}, got {}",
            asset_name,
            expected_checksum,
            actual_checksum
        );
    }
    Ok(actual_checksum)
 }
 fn parse_checksum_file(contents: &str) -> Result<String> {
    let checksum = contents
        .split_whitespace()
        .next()
        .context("checksum file is empty")?
        .trim()
        .to_ascii_lowercase();
    if checksum.len() != 64 || !checksum.bytes().all(|b| b.is_ascii_hexdigit()) {
        bail!("invalid SHA-256 checksum format")
    }
    Ok(checksum)
 }
 async fn download_bytes(client: &reqwest::Client, url: &str, context: &str) -> Result<Vec<u8>> {
    Ok(client
        .get(url)
        .send()
        .await
        .with_context(|| format!("{context}: request failed"))?
        .error_for_status()
        .with_context(|| format!("{context}: server returned an error"))?
        .bytes()
        .await
        .with_context(|| format!("{context}: failed to read response body"))?
        .to_vec())
 }
 /// Extract the binary from a tar.gz archive (first file whose name == "secrets").
 fn extract_from_targz(bytes: &[u8]) -> Result<Vec<u8>> {
    let gz = GzDecoder::new(Cursor::new(bytes));
    let mut archive = tar::Archive::new(gz);
    for entry in archive.entries().context("failed to read tar entries")? {
        let mut entry = entry.context("bad tar entry")?;
        let path = entry.path().context("bad tar entry path")?.into_owned();
        let fname = path
            .file_name()
            .and_then(|n| n.to_str())
            .unwrap_or_default();
        if fname == "secrets" || fname == "secrets.exe" {
            let mut buf = Vec::new();
            entry.read_to_end(&mut buf).context("read tar entry")?;
            return Ok(buf);
        }
    }
    bail!("binary not found inside tar.gz archive")
 }
 /// Extract the binary from a zip archive (first file whose name matches).
 #[cfg(target_os = "windows")]
 fn extract_from_zip(bytes: &[u8]) -> Result<Vec<u8>> {
    let reader = Cursor::new(bytes);
    let mut archive = zip::ZipArchive::new(reader).context("failed to open zip archive")?;
    for i in 0..archive.len() {
        let mut file = archive.by_index(i).context("bad zip entry")?;
        let fname = file.name().to_owned();
        if fname.ends_with("secrets.exe") || fname.ends_with("secrets") {
            let mut buf = Vec::new();
            file.read_to_end(&mut buf).context("read zip entry")?;
            return Ok(buf);
        }
    }
    bail!("binary not found inside zip archive")
 }
 pub async fn run(check_only: bool) -> Result<()> {
    let current = semver::Version::parse(CURRENT_VERSION).context("invalid current version")?;
    println!("Current version: v{current}");
    println!("Checking for updates...");
    let client = reqwest::Client::builder()
        .user_agent(format!("secrets-cli/{CURRENT_VERSION}"))
        .connect_timeout(Duration::from_secs(10))
        .timeout(Duration::from_secs(120))
        .build()
        .context("failed to build HTTP client")?;
    let release: Release = client
        .get(GITEA_API)
        .send()
        .await
        .context("failed to fetch release info from Gitea")?
        .error_for_status()
        .context("Gitea API returned an error")?
        .json()
        .await
        .context("failed to parse release JSON")?;
    let latest = parse_tag_version(&release.tag_name)?;
    if latest <= current {
        println!("Already up to date (v{current})");
        return Ok(());
    }
    println!("New version available: v{latest}");
    if check_only {
        println!("Run `secrets upgrade` to update.");
        return Ok(());
    }
    let suffix = platform_asset_suffix()?;
    let asset_name = release_asset_name(&release.tag_name, suffix);
    let asset = find_asset_by_name(&release.assets, &asset_name)?;
    let checksum_name = format!("{}.sha256", asset.name);
    let checksum_asset = find_asset_by_name(&release.assets, &checksum_name)?;
    println!("Downloading {}...", asset.name);
    let archive = download_bytes(&client, &asset.browser_download_url, "archive download").await?;
    let checksum_contents = download_bytes(
        &client,
        &checksum_asset.browser_download_url,
        "checksum download",
    )
    .await?;
    let actual_checksum = verify_checksum(
        &asset.name,
        &archive,
        std::str::from_utf8(&checksum_contents).context("checksum file is not valid UTF-8")?,
    )?;
    println!("Verified SHA-256: {actual_checksum}");
    println!("Extracting...");
    let binary = if suffix.ends_with(".tar.gz") {
        extract_from_targz(&archive)?
    } else {
        #[cfg(target_os = "windows")]
        {
            extract_from_zip(&archive)?
        }
        #[cfg(not(target_os = "windows"))]
        bail!("zip extraction is only supported on Windows")
    };
    // Write to a temporary file, set executable permission, then atomically replace.
    let mut tmp = tempfile::NamedTempFile::new().context("failed to create temp file")?;
    tmp.write_all(&binary)
        .context("failed to write temp binary")?;
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let perms = std::fs::Permissions::from_mode(0o755);
        std::fs::set_permissions(tmp.path(), perms).context("failed to chmod temp binary")?;
    }
    self_replace::self_replace(tmp.path()).context("failed to replace current binary")?;
    println!("Updated: v{current} → v{latest}");
    Ok(())
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use flate2::Compression;
    use flate2::write::GzEncoder;
    use tar::Builder;
    #[test]
    fn parse_tag_version_accepts_release_tag() {
        let version = parse_tag_version("secrets-0.6.1").expect("version should parse");
        assert_eq!(version, semver::Version::new(0, 6, 1));
    }
    #[test]
    fn parse_tag_version_rejects_invalid_tag() {
        let err = parse_tag_version("v0.6.1").expect_err("tag should be rejected");
        assert!(err.to_string().contains("unexpected tag format"));
    }
    #[test]
    fn parse_checksum_file_accepts_sha256sum_format() {
        let checksum = parse_checksum_file(
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  secrets.tar.gz",
        )
        .expect("checksum should parse");
        assert_eq!(
            checksum,
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
        );
    }
    #[test]
    fn parse_checksum_file_rejects_invalid_checksum() {
        let err = parse_checksum_file("not-a-sha256").expect_err("checksum should be rejected");
        assert!(err.to_string().contains("invalid SHA-256 checksum format"));
    }
    #[test]
    fn release_asset_name_matches_release_tag() {
        assert_eq!(
            release_asset_name("secrets-0.7.0", "x86_64-linux-musl.tar.gz"),
            "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz"
        );
    }
    #[test]
    fn find_asset_by_name_rejects_stale_platform_match() {
        let assets = vec![
            Asset {
                name: "secrets-secrets-0.6.9-x86_64-linux-musl.tar.gz".into(),
                browser_download_url: "https://example.invalid/old".into(),
            },
            Asset {
                name: "secrets-secrets-0.7.0-aarch64-macos.tar.gz".into(),
                browser_download_url: "https://example.invalid/other".into(),
            },
        ];
        let err = find_asset_by_name(&assets, "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz")
            .expect_err("stale asset should not match");
        assert!(err.to_string().contains("no matching release asset found"));
    }
    #[test]
    fn sha256_hex_matches_known_value() {
        assert_eq!(
            sha256_hex(b"abc"),
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        );
    }
    #[test]
    fn verify_checksum_rejects_mismatch() {
        let err = verify_checksum(
            "secrets.tar.gz",
            b"abc",
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  secrets.tar.gz",
        )
        .expect_err("checksum mismatch should fail");
        assert!(err.to_string().contains("checksum verification failed"));
    }
    #[test]
    fn extract_from_targz_reads_binary() {
        let payload = b"fake-secrets-binary";
        let archive = make_test_targz("secrets", payload);
        let extracted = extract_from_targz(&archive).expect("binary should extract");
        assert_eq!(extracted, payload);
    }
    fn make_test_targz(name: &str, payload: &[u8]) -> Vec<u8> {
        let encoder = GzEncoder::new(Vec::new(), Compression::default());
        let mut builder = Builder::new(encoder);
        let mut header = tar::Header::new_gnu();
        header.set_mode(0o755);
        header.set_size(payload.len() as u64);
        header.set_cksum();
        builder
            .append_data(&mut header, name, payload)
            .expect("append tar entry");
        let encoder = builder.into_inner().expect("finish tar builder");
        encoder.finish().expect("finish gzip")
    }
    #[cfg(target_os = "windows")]
    #[test]
    fn extract_from_zip_reads_binary() {
        use zip::write::SimpleFileOptions;
        let cursor = Cursor::new(Vec::<u8>::new());
        let mut writer = zip::ZipWriter::new(cursor);
        writer
            .start_file("secrets.exe", SimpleFileOptions::default())
            .expect("start zip file");
        writer
            .write_all(b"fake-secrets-binary")
            .expect("write zip payload");
        let bytes = writer.finish().expect("finish zip").into_inner();
        let extracted = extract_from_zip(&bytes).expect("binary should extract");
        assert_eq!(extracted, b"fake-secrets-binary");
    }
 }
--- a/src/config.rs
+++ b/src/config.rs
@@ -0,0 +1,77 @@
 use anyhow::{Context, Result};
 use serde::{Deserialize, Serialize};
 use std::fs;
 use std::path::PathBuf;
 #[derive(Debug, Serialize, Deserialize, Default)]
 pub struct Config {
    pub database_url: Option<String>,
 }
 pub fn config_dir() -> Result<PathBuf> {
    let dir = dirs::config_dir()
        .or_else(|| dirs::home_dir().map(|h| h.join(".config")))
        .context(
            "Cannot determine config directory: \
             neither XDG_CONFIG_HOME nor HOME is set",
        )?
        .join("secrets");
    Ok(dir)
 }
 pub fn config_path() -> Result<PathBuf> {
    Ok(config_dir()?.join("config.toml"))
 }
 pub fn load_config() -> Result<Config> {
    let path = config_path()?;
    if !path.exists() {
        return Ok(Config::default());
    }
    let content = fs::read_to_string(&path)
        .with_context(|| format!("failed to read config file: {}", path.display()))?;
    let config: Config = toml::from_str(&content)
        .with_context(|| format!("failed to parse config file: {}", path.display()))?;
    Ok(config)
 }
 pub fn save_config(config: &Config) -> Result<()> {
    let dir = config_dir()?;
    fs::create_dir_all(&dir)
        .with_context(|| format!("failed to create config dir: {}", dir.display()))?;
    let path = dir.join("config.toml");
    let content = toml::to_string_pretty(config).context("failed to serialize config")?;
    fs::write(&path, &content)
        .with_context(|| format!("failed to write config file: {}", path.display()))?;
    // Set file permissions to 0600 (owner read/write only)
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let perms = fs::Permissions::from_mode(0o600);
        fs::set_permissions(&path, perms)
            .with_context(|| format!("failed to set file permissions: {}", path.display()))?;
    }
    Ok(())
 }
 /// Resolve database URL by priority:
 /// 1. --db-url CLI flag (if non-empty)
 /// 2. database_url in ~/.config/secrets/config.toml
 /// 3. Error with setup instructions
 pub fn resolve_db_url(cli_db_url: &str) -> Result<String> {
    if !cli_db_url.is_empty() {
        return Ok(cli_db_url.to_string());
    }
    let config = load_config()?;
    if let Some(url) = config.database_url
        && !url.is_empty()
    {
        return Ok(url);
    }
    anyhow::bail!("Database not configured. Run:\n\n    secrets config set-db <DATABASE_URL>\n")
 }
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -0,0 +1,195 @@
 use aes_gcm::{
    Aes256Gcm, Key, Nonce,
    aead::{Aead, AeadCore, KeyInit, OsRng},
 };
 use anyhow::{Context, Result, bail};
 use argon2::{Argon2, Params, Version};
 use serde_json::Value;
 const KEYRING_SERVICE: &str = "secrets-cli";
 const KEYRING_USER: &str = "master-key";
 const NONCE_LEN: usize = 12;
 // Argon2id parameters — OWASP recommended (m=64 MiB, t=3 iterations, p=4 threads, key=32 B)
 const ARGON2_M_COST: u32 = 65_536;
 const ARGON2_T_COST: u32 = 3;
 const ARGON2_P_COST: u32 = 4;
 const ARGON2_KEY_LEN: usize = 32;
 // ─── Argon2id key derivation ─────────────────────────────────────────────────
 /// Derive a 32-byte Master Key from a password and salt using Argon2id.
 /// Parameters: m=65536 KiB (64 MB), t=3, p=4 — OWASP recommended.
 pub fn derive_master_key(password: &str, salt: &[u8]) -> Result<[u8; 32]> {
    let params = Params::new(
        ARGON2_M_COST,
        ARGON2_T_COST,
        ARGON2_P_COST,
        Some(ARGON2_KEY_LEN),
    )
    .context("invalid Argon2id params")?;
    let argon2 = Argon2::new(argon2::Algorithm::Argon2id, Version::V0x13, params);
    let mut key = [0u8; 32];
    argon2
        .hash_password_into(password.as_bytes(), salt, &mut key)
        .map_err(|e| anyhow::anyhow!("Argon2id derivation failed: {}", e))?;
    Ok(key)
 }
 // ─── AES-256-GCM encrypt / decrypt ───────────────────────────────────────────
 /// Encrypt plaintext bytes with AES-256-GCM.
 /// Returns `nonce (12 B) || ciphertext+tag`.
 pub fn encrypt(master_key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>> {
    let key = Key::<Aes256Gcm>::from_slice(master_key);
    let cipher = Aes256Gcm::new(key);
    let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
    let ciphertext = cipher
        .encrypt(&nonce, plaintext)
        .map_err(|e| anyhow::anyhow!("AES-256-GCM encryption failed: {}", e))?;
    let mut out = Vec::with_capacity(NONCE_LEN + ciphertext.len());
    out.extend_from_slice(&nonce);
    out.extend_from_slice(&ciphertext);
    Ok(out)
 }
 /// Decrypt `nonce (12 B) || ciphertext+tag` with AES-256-GCM.
 pub fn decrypt(master_key: &[u8; 32], data: &[u8]) -> Result<Vec<u8>> {
    if data.len() < NONCE_LEN {
        bail!(
            "encrypted data too short ({}B); possibly corrupted",
            data.len()
        );
    }
    let (nonce_bytes, ciphertext) = data.split_at(NONCE_LEN);
    let key = Key::<Aes256Gcm>::from_slice(master_key);
    let cipher = Aes256Gcm::new(key);
    let nonce = Nonce::from_slice(nonce_bytes);
    cipher
        .decrypt(nonce, ciphertext)
        .map_err(|_| anyhow::anyhow!("decryption failed — wrong master key or corrupted data"))
 }
 // ─── JSON helpers ─────────────────────────────────────────────────────────────
 /// Serialize a JSON Value and encrypt it. Returns the encrypted blob.
 pub fn encrypt_json(master_key: &[u8; 32], value: &Value) -> Result<Vec<u8>> {
    let bytes = serde_json::to_vec(value).context("serialize JSON for encryption")?;
    encrypt(master_key, &bytes)
 }
 /// Decrypt an encrypted blob and deserialize it as a JSON Value.
 pub fn decrypt_json(master_key: &[u8; 32], data: &[u8]) -> Result<Value> {
    let bytes = decrypt(master_key, data)?;
    serde_json::from_slice(&bytes).context("deserialize decrypted JSON")
 }
 // ─── OS Keychain ──────────────────────────────────────────────────────────────
 /// Load the Master Key from the OS Keychain.
 /// Returns an error with a helpful message if it hasn't been initialized.
 pub fn load_master_key() -> Result<[u8; 32]> {
    let entry =
        keyring::Entry::new(KEYRING_SERVICE, KEYRING_USER).context("create keychain entry")?;
    let hex = entry.get_password().map_err(|_| {
        anyhow::anyhow!("Master key not found in keychain. Run `secrets init` first.")
    })?;
    let bytes = hex::decode_hex(&hex)?;
    if bytes.len() != 32 {
        bail!(
            "stored master key has unexpected length {}; re-run `secrets init`",
            bytes.len()
        );
    }
    let mut key = [0u8; 32];
    key.copy_from_slice(&bytes);
    Ok(key)
 }
 /// Store the Master Key in the OS Keychain (overwrites any existing value).
 pub fn store_master_key(key: &[u8; 32]) -> Result<()> {
    let entry =
        keyring::Entry::new(KEYRING_SERVICE, KEYRING_USER).context("create keychain entry")?;
    let hex = hex::encode_hex(key);
    entry
        .set_password(&hex)
        .map_err(|e| anyhow::anyhow!("keychain write failed: {}", e))?;
    Ok(())
 }
 // ─── Minimal hex helpers (avoid extra dep) ────────────────────────────────────
 mod hex {
    use anyhow::{Result, bail};
    pub fn encode_hex(bytes: &[u8]) -> String {
        bytes.iter().map(|b| format!("{:02x}", b)).collect()
    }
    pub fn decode_hex(s: &str) -> Result<Vec<u8>> {
        if !s.len().is_multiple_of(2) {
            bail!("hex string has odd length");
        }
        (0..s.len())
            .step_by(2)
            .map(|i| u8::from_str_radix(&s[i..i + 2], 16).map_err(|e| anyhow::anyhow!("{}", e)))
            .collect()
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn roundtrip_encrypt_decrypt() {
        let key = [0x42u8; 32];
        let plaintext = b"hello world";
        let enc = encrypt(&key, plaintext).unwrap();
        let dec = decrypt(&key, &enc).unwrap();
        assert_eq!(dec, plaintext);
    }
    #[test]
    fn encrypt_produces_different_ciphertexts() {
        let key = [0x42u8; 32];
        let plaintext = b"hello world";
        let enc1 = encrypt(&key, plaintext).unwrap();
        let enc2 = encrypt(&key, plaintext).unwrap();
        // Different nonces → different ciphertexts
        assert_ne!(enc1, enc2);
    }
    #[test]
    fn wrong_key_fails_decryption() {
        let key1 = [0x42u8; 32];
        let key2 = [0x43u8; 32];
        let enc = encrypt(&key1, b"secret").unwrap();
        assert!(decrypt(&key2, &enc).is_err());
    }
    #[test]
    fn json_roundtrip() {
        let key = [0x42u8; 32];
        let value = serde_json::json!({"token": "abc123", "password": "hunter2"});
        let enc = encrypt_json(&key, &value).unwrap();
        let dec = decrypt_json(&key, &enc).unwrap();
        assert_eq!(dec, value);
    }
    #[test]
    fn derive_master_key_deterministic() {
        let salt = b"fixed_test_salt_";
        let k1 = derive_master_key("password", salt).unwrap();
        let k2 = derive_master_key("password", salt).unwrap();
        assert_eq!(k1, k2);
    }
    #[test]
    fn derive_master_key_different_passwords() {
        let salt = b"fixed_test_salt_";
        let k1 = derive_master_key("password1", salt).unwrap();
        let k2 = derive_master_key("password2", salt).unwrap();
        assert_ne!(k1, k2);
    }
 }
--- a/src/db.rs
+++ b/src/db.rs
@@ -1,44 +1,223 @@
 use anyhow::Result;
 use serde_json::Value;
 use sqlx::PgPool;
 use sqlx::postgres::PgPoolOptions;
 use crate::audit::current_actor;
 pub async fn create_pool(database_url: &str) -> Result<PgPool> {
    tracing::debug!("connecting to database");
    let pool = PgPoolOptions::new()
        .max_connections(5)
        .acquire_timeout(std::time::Duration::from_secs(5))
        .connect(database_url)
        .await?;
    tracing::debug!("database connection established");
    Ok(pool)
 }
 pub async fn migrate(pool: &PgPool) -> Result<()> {
    tracing::debug!("running migrations");
    sqlx::raw_sql(
        r#"
-        CREATE TABLE IF NOT EXISTS secrets (
+        -- ── entries: top-level entities (server, service, key, …) ──────────────
        CREATE TABLE IF NOT EXISTS entries (
            id          UUID PRIMARY KEY DEFAULT uuidv7(),
            namespace   VARCHAR(64)  NOT NULL,
            kind        VARCHAR(64)  NOT NULL,
            name        VARCHAR(256) NOT NULL,
            tags        TEXT[]       NOT NULL DEFAULT '{}',
            metadata    JSONB        NOT NULL DEFAULT '{}',
-            encrypted   JSONB        NOT NULL DEFAULT '{}',
+            version     BIGINT       NOT NULL DEFAULT 1,
            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
            updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
            UNIQUE(namespace, kind, name)
        );
-        -- idempotent column add for existing tables
+        CREATE INDEX IF NOT EXISTS idx_entries_namespace ON entries(namespace);
-        DO $$ BEGIN
+        CREATE INDEX IF NOT EXISTS idx_entries_kind      ON entries(kind);
-            ALTER TABLE secrets ADD COLUMN IF NOT EXISTS metadata JSONB NOT NULL DEFAULT '{}';
+        CREATE INDEX IF NOT EXISTS idx_entries_tags      ON entries USING GIN(tags);
-        EXCEPTION WHEN OTHERS THEN NULL;
+        CREATE INDEX IF NOT EXISTS idx_entries_metadata  ON entries USING GIN(metadata jsonb_path_ops);
        END $$;
-        CREATE INDEX IF NOT EXISTS idx_secrets_namespace ON secrets(namespace);
+        -- ── secrets: one row per encrypted field, plaintext schema metadata ────
-        CREATE INDEX IF NOT EXISTS idx_secrets_kind ON secrets(kind);
+        CREATE TABLE IF NOT EXISTS secrets (
-        CREATE INDEX IF NOT EXISTS idx_secrets_tags ON secrets USING GIN(tags);
+            id          UUID PRIMARY KEY DEFAULT uuidv7(),
-        CREATE INDEX IF NOT EXISTS idx_secrets_metadata ON secrets USING GIN(metadata jsonb_path_ops);
+            entry_id    UUID         NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
            field_name  VARCHAR(256) NOT NULL,
            field_type  VARCHAR(32)  NOT NULL DEFAULT 'string',
            value_len   INT          NOT NULL DEFAULT 0,
            encrypted   BYTEA        NOT NULL DEFAULT '\x',
            version     BIGINT       NOT NULL DEFAULT 1,
            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
            updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
            UNIQUE(entry_id, field_name)
        );
        CREATE INDEX IF NOT EXISTS idx_secrets_entry_id ON secrets(entry_id);
        -- ── kv_config: global key-value store (Argon2id salt, etc.) ────────────
        CREATE TABLE IF NOT EXISTS kv_config (
            key   TEXT PRIMARY KEY,
            value BYTEA NOT NULL
        );
        -- ── audit_log: append-only operation log ────────────────────────────────
        CREATE TABLE IF NOT EXISTS audit_log (
            id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
            action      VARCHAR(32)  NOT NULL,
            namespace   VARCHAR(64)  NOT NULL,
            kind        VARCHAR(64)  NOT NULL,
            name        VARCHAR(256) NOT NULL,
            detail      JSONB        NOT NULL DEFAULT '{}',
            actor       VARCHAR(128) NOT NULL DEFAULT '',
            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
        );
        CREATE INDEX IF NOT EXISTS idx_audit_log_created  ON audit_log(created_at DESC);
        CREATE INDEX IF NOT EXISTS idx_audit_log_ns_kind  ON audit_log(namespace, kind);
        -- ── entries_history: entry-level snapshot (tags + metadata) ─────────────
        CREATE TABLE IF NOT EXISTS entries_history (
            id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
            entry_id    UUID         NOT NULL,
            namespace   VARCHAR(64)  NOT NULL,
            kind        VARCHAR(64)  NOT NULL,
            name        VARCHAR(256) NOT NULL,
            version     BIGINT       NOT NULL,
            action      VARCHAR(16)  NOT NULL,
            tags        TEXT[]       NOT NULL DEFAULT '{}',
            metadata    JSONB        NOT NULL DEFAULT '{}',
            actor       VARCHAR(128) NOT NULL DEFAULT '',
            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
        );
        CREATE INDEX IF NOT EXISTS idx_entries_history_entry_id
            ON entries_history(entry_id, version DESC);
        CREATE INDEX IF NOT EXISTS idx_entries_history_ns_kind_name
            ON entries_history(namespace, kind, name, version DESC);
        -- ── secrets_history: field-level snapshot ───────────────────────────────
        CREATE TABLE IF NOT EXISTS secrets_history (
            id              BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
            entry_id        UUID         NOT NULL,
            secret_id       UUID         NOT NULL,
            entry_version   BIGINT       NOT NULL,
            field_name      VARCHAR(256) NOT NULL,
            field_type      VARCHAR(32)  NOT NULL DEFAULT 'string',
            value_len       INT          NOT NULL DEFAULT 0,
            encrypted       BYTEA        NOT NULL DEFAULT '\x',
            action          VARCHAR(16)  NOT NULL,
            actor           VARCHAR(128) NOT NULL DEFAULT '',
            created_at      TIMESTAMPTZ  NOT NULL DEFAULT NOW()
        );
        CREATE INDEX IF NOT EXISTS idx_secrets_history_entry_id
            ON secrets_history(entry_id, entry_version DESC);
        CREATE INDEX IF NOT EXISTS idx_secrets_history_secret_id
            ON secrets_history(secret_id);
        "#,
    )
    .execute(pool)
    .await?;
    tracing::debug!("migrations complete");
    Ok(())
 }
 // ── Entry-level history snapshot ────────────────────────────────────────────
 pub struct EntrySnapshotParams<'a> {
    pub entry_id: uuid::Uuid,
    pub namespace: &'a str,
    pub kind: &'a str,
    pub name: &'a str,
    pub version: i64,
    pub action: &'a str,
    pub tags: &'a [String],
    pub metadata: &'a Value,
 }
 /// Snapshot an entry row into `entries_history` before a write operation.
 pub async fn snapshot_entry_history(
    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
    p: EntrySnapshotParams<'_>,
 ) -> Result<()> {
    let actor = current_actor();
    sqlx::query(
        "INSERT INTO entries_history \
         (entry_id, namespace, kind, name, version, action, tags, metadata, actor) \
         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
    )
    .bind(p.entry_id)
    .bind(p.namespace)
    .bind(p.kind)
    .bind(p.name)
    .bind(p.version)
    .bind(p.action)
    .bind(p.tags)
    .bind(p.metadata)
    .bind(&actor)
    .execute(&mut **tx)
    .await?;
    Ok(())
 }
 // ── Secret field-level history snapshot ─────────────────────────────────────
 pub struct SecretSnapshotParams<'a> {
    pub entry_id: uuid::Uuid,
    pub secret_id: uuid::Uuid,
    pub entry_version: i64,
    pub field_name: &'a str,
    pub field_type: &'a str,
    pub value_len: i32,
    pub encrypted: &'a [u8],
    pub action: &'a str,
 }
 /// Snapshot a single secret field into `secrets_history`.
 pub async fn snapshot_secret_history(
    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
    p: SecretSnapshotParams<'_>,
 ) -> Result<()> {
    let actor = current_actor();
    sqlx::query(
        "INSERT INTO secrets_history \
         (entry_id, secret_id, entry_version, field_name, field_type, value_len, encrypted, action, actor) \
         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
    )
    .bind(p.entry_id)
    .bind(p.secret_id)
    .bind(p.entry_version)
    .bind(p.field_name)
    .bind(p.field_type)
    .bind(p.value_len)
    .bind(p.encrypted)
    .bind(p.action)
    .bind(&actor)
    .execute(&mut **tx)
    .await?;
    Ok(())
 }
 // ── Argon2 salt helpers ──────────────────────────────────────────────────────
 /// Load the Argon2id salt from the database.
 pub async fn load_argon2_salt(pool: &PgPool) -> Result<Option<Vec<u8>>> {
    let row: Option<(Vec<u8>,)> =
        sqlx::query_as("SELECT value FROM kv_config WHERE key = 'argon2_salt'")
            .fetch_optional(pool)
            .await?;
    Ok(row.map(|(v,)| v))
 }
 /// Store the Argon2id salt in the database (only called once on first device init).
 pub async fn store_argon2_salt(pool: &PgPool, salt: &[u8]) -> Result<()> {
    sqlx::query(
        "INSERT INTO kv_config (key, value) VALUES ('argon2_salt', $1) \
         ON CONFLICT (key) DO NOTHING",
    )
    .bind(salt)
    .execute(pool)
    .await?;
    Ok(())
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,132 +1,572 @@
 mod audit;
 mod commands;
 mod config;
 mod crypto;
 mod db;
 mod models;
 mod output;
 use anyhow::Result;
 use clap::{Parser, Subcommand};
-use dotenvy::dotenv;
+use tracing_subscriber::EnvFilter;
 use output::resolve_output_mode;
 #[derive(Parser)]
 #[command(
    name = "secrets",
    version,
-    about = "Secrets & config manager backed by PostgreSQL"
+    about = "Secrets & config manager backed by PostgreSQL — optimised for AI agents",
    after_help = "QUICK START:
  # 1. Configure database (once per device)
  secrets config set-db \"postgres://postgres:<password>@<host>:<port>/secrets\"
  # 2. Initialize master key (once per device)
  secrets init
  # Discover what namespaces / kinds exist
  secrets search --summary --limit 20
  # Precise lookup (JSON output for easy parsing)
  secrets search -n refining --kind service --name gitea -o json
  # Extract a single metadata field directly
  secrets search -n refining --kind service --name gitea -f metadata.url
  # Pipe-friendly (non-TTY defaults to json-compact automatically)
  secrets search -n refining --kind service | jq '.[].name'
  # Inject secrets into environment variables when you really need them
  secrets inject -n refining --kind service --name gitea"
 )]
 struct Cli {
-    /// Database URL (or set DATABASE_URL env var)
+    /// Database URL, overrides saved config (one-time override)
-    #[arg(long, env = "DATABASE_URL", global = true, default_value = "")]
+    #[arg(long, global = true, default_value = "")]
    db_url: String,
    /// Enable verbose debug output
    #[arg(long, short, global = true)]
    verbose: bool,
    #[command(subcommand)]
    command: Commands,
 }
 #[derive(Subcommand)]
 enum Commands {
-    /// Add or update a record (upsert)
+    /// Initialize master key on this device (run once per device).
    ///
    /// Prompts for a master password, derives a key with Argon2id, and stores
    /// it in the OS Keychain. Use the same password on every device.
    ///
    /// NOTE: Run `secrets config set-db <URL>` first if database is not configured.
    #[command(after_help = "PREREQUISITE:
  Database must be configured first. Run: secrets config set-db <DATABASE_URL>
 EXAMPLES:
  # First device: generates a new Argon2id salt and stores master key
  secrets init
  # Subsequent devices: reuses existing salt from the database
  secrets init")]
    Init,
    /// Add or update a record (upsert). Use -m for plaintext metadata, -s for secrets.
    #[command(after_help = "EXAMPLES:
  # Add a server
  secrets add -n refining --kind server --name my-server \\
    --tag aliyun --tag shanghai \\
    -m ip=47.117.131.22 -m desc=\"Aliyun Shanghai ECS\" \\
    -s username=root -s ssh_key=@./keys/server.pem
  # Add a service credential
  secrets add -n refining --kind service --name gitea \\
    --tag gitea \\
    -m url=https://gitea.refining.dev -m default_org=refining \\
    -s token=<token>
  # Add typed JSON metadata
  secrets add -n refining --kind service --name gitea \\
    -m port:=3000 \\
    -m enabled:=true \\
    -m domains:='[\"gitea.refining.dev\",\"git.refining.dev\"]' \\
    -m tls:='{\"enabled\":true,\"redirect_http\":true}'
  # Add with token read from a file
  secrets add -n ricnsmart --kind service --name mqtt \\
    -m host=mqtt.ricnsmart.com -m port=1883 \\
    -s password=@./mqtt_password.txt
  # Add typed JSON secrets
  secrets add -n refining --kind service --name deploy-bot \\
    -s enabled:=true \\
    -s retry_count:=3 \\
    -s scopes:='[\"repo\",\"workflow\"]' \\
    -s extra:='{\"region\":\"ap-east-1\",\"verify_tls\":true}'
  # Write a multiline file into a nested secret field
  secrets add -n refining --kind server --name my-server \\
    -s credentials:content@./keys/server.pem")]
    Add {
-        /// Namespace (e.g. refining, ricnsmart)
+        /// Namespace, e.g. refining, ricnsmart
        #[arg(short, long)]
        namespace: String,
-        /// Kind of record (server, service, key, ...)
+        /// Kind of record: server, service, key, ...
        #[arg(long)]
        kind: String,
-        /// Human-readable name
+        /// Human-readable unique name, e.g. gitea, i-uf63f2uookgs5uxmrdyc
        #[arg(long)]
        name: String,
-        /// Tags for categorization (repeatable)
+        /// Tag for categorization (repeatable), e.g. --tag aliyun --tag hongkong
        #[arg(long = "tag")]
        tags: Vec<String>,
-        /// Plaintext metadata entry: key=value (repeatable, key=@file reads from file)
+        /// Plaintext metadata: key=value, key:=<json>, key=@file, or nested:path@file
        #[arg(long = "meta", short = 'm')]
        meta: Vec<String>,
-        /// Secret entry: key=value (repeatable, key=@file reads from file)
+        /// Secret entry: key=value, key:=<json>, key=@file, or nested:path@file
        #[arg(long = "secret", short = 's')]
        secrets: Vec<String>,
        /// Output format: text (default on TTY), json, json-compact
        #[arg(short, long = "output")]
        output: Option<String>,
    },
-    /// Search records
+    /// Search / read records. This is the primary read command for AI agents.
    ///
    /// Supports fuzzy search (-q), exact lookup (--name), field extraction (-f),
    /// summary view (--summary), pagination (--limit / --offset), and structured
    /// output (-o json / json-compact). When stdout is not a TTY, output
    /// defaults to json-compact automatically.
    #[command(after_help = "EXAMPLES:
  # Discover all records (summary, safe default limit)
  secrets search --summary --limit 20
  # Filter by namespace and kind
  secrets search -n refining --kind service
  # Exact lookup — returns 0 or 1 record
  secrets search -n refining --kind service --name gitea
  # Fuzzy keyword search (matches name, namespace, kind, tags, metadata)
  secrets search -q mqtt
  # Extract a single metadata field value
  secrets search -n refining --kind service --name gitea -f metadata.url
  # Multiple fields at once
  secrets search -n refining --kind service --name gitea \\
    -f metadata.url -f metadata.default_org
  # Inject decrypted secrets only when needed
  secrets inject -n refining --kind service --name gitea
  secrets run -n refining --kind service --name gitea -- printenv
  # Paginate large result sets
  secrets search -n refining --summary --limit 10 --offset 0
  secrets search -n refining --summary --limit 10 --offset 10
  # Sort by most recently updated
  secrets search --sort updated --limit 5 --summary
  # Non-TTY / pipe: output is json-compact by default
  secrets search -n refining --kind service | jq '.[].name'")]
    Search {
-        /// Filter by namespace
+        /// Filter by namespace, e.g. refining, ricnsmart
        #[arg(short, long)]
        namespace: Option<String>,
-        /// Filter by kind
+        /// Filter by kind, e.g. server, service
        #[arg(long)]
        kind: Option<String>,
-        /// Filter by tag
+        /// Exact name filter, e.g. gitea, i-uf63f2uookgs5uxmrdyc
        #[arg(long)]
-        tag: Option<String>,
+        name: Option<String>,
-        /// Search by keyword (matches name, namespace, kind)
+        /// Filter by tag, e.g. --tag aliyun (repeatable for AND intersection)
        #[arg(long)]
        tag: Vec<String>,
        /// Fuzzy keyword (matches name, namespace, kind, tags, metadata text)
        #[arg(short, long)]
        query: Option<String>,
-        /// Reveal encrypted secret values
+        /// Extract metadata field value(s) directly: metadata.<key> (repeatable)
        #[arg(short = 'f', long = "field")]
        fields: Vec<String>,
        /// Return lightweight summary only (namespace, kind, name, tags, desc, updated_at)
        #[arg(long)]
-        show_secrets: bool,
+        summary: bool,
        /// Maximum number of records to return [default: 50]
        #[arg(long, default_value = "50")]
        limit: u32,
        /// Skip this many records (for pagination)
        #[arg(long, default_value = "0")]
        offset: u32,
        /// Sort order: name (default), updated, created
        #[arg(long, default_value = "name")]
        sort: String,
        /// Output format: text (default on TTY), json, json-compact
        #[arg(short, long = "output")]
        output: Option<String>,
    },
-    /// Delete a record
+    /// Delete a record permanently. Requires exact namespace + kind + name.
    #[command(after_help = "EXAMPLES:
  # Delete a service credential
  secrets delete -n refining --kind service --name legacy-mqtt
  # Delete a server record
  secrets delete -n ricnsmart --kind server --name i-old-server-id")]
    Delete {
-        /// Namespace
+        /// Namespace, e.g. refining
        #[arg(short, long)]
        namespace: String,
-        /// Kind
+        /// Kind, e.g. server, service
        #[arg(long)]
        kind: String,
-        /// Name
+        /// Exact name of the record to delete
        #[arg(long)]
        name: String,
        /// Output format: text (default on TTY), json, json-compact
        #[arg(short, long = "output")]
        output: Option<String>,
    },
-    /// Incrementally update an existing record (merge semantics)
+    /// Incrementally update an existing record (merge semantics; record must exist).
    ///
    /// Only the fields you pass are changed — everything else is preserved.
    /// Use --add-tag / --remove-tag to modify tags without touching other fields.
    #[command(after_help = "EXAMPLES:
  # Update a single metadata field (all other fields unchanged)
  secrets update -n refining --kind server --name my-server -m ip=10.0.0.1
  # Rotate a secret token
  secrets update -n refining --kind service --name gitea -s token=<new-token>
  # Update typed JSON metadata
  secrets update -n refining --kind service --name gitea \\
    -m deploy:strategy:='{\"type\":\"rolling\",\"batch\":2}' \\
    -m runtime:max_open_conns:=20
  # Add a tag and rotate password at the same time
  secrets update -n refining --kind service --name gitea \\
    --add-tag production -s token=<new-token>
  # Remove a deprecated metadata field and a stale secret key
  secrets update -n refining --kind service --name mqtt \\
    --remove-meta old_port --remove-secret old_password
  # Remove a nested field
  secrets update -n refining --kind server --name my-server \\
    --remove-secret credentials:content
  # Remove a tag
  secrets update -n refining --kind service --name gitea --remove-tag staging
  # Update a nested secret field from a file
  secrets update -n refining --kind server --name my-server \\
    -s credentials:content@./keys/server.pem
  # Update nested typed JSON fields
  secrets update -n refining --kind service --name deploy-bot \\
    -s auth:config:='{\"issuer\":\"gitea\",\"rotate\":true}' \\
    -s auth:retry:=5")]
    Update {
-        /// Namespace (e.g. refining, ricnsmart)
+        /// Namespace, e.g. refining, ricnsmart
        #[arg(short, long)]
        namespace: String,
-        /// Kind of record (server, service, key, ...)
+        /// Kind of record: server, service, key, ...
        #[arg(long)]
        kind: String,
-        /// Human-readable name
+        /// Human-readable unique name
        #[arg(long)]
        name: String,
-        /// Add a tag (repeatable)
+        /// Add a tag (repeatable; does not affect existing tags)
        #[arg(long = "add-tag")]
        add_tags: Vec<String>,
        /// Remove a tag (repeatable)
        #[arg(long = "remove-tag")]
        remove_tags: Vec<String>,
-        /// Set or overwrite a metadata field: key=value (repeatable, @file supported)
+        /// Set or overwrite a metadata field: key=value, key:=<json>, key=@file, or nested:path@file
        #[arg(long = "meta", short = 'm')]
        meta: Vec<String>,
-        /// Remove a metadata field by key (repeatable)
+        /// Delete a metadata field by key or nested path, e.g. old_port or credentials:content
        #[arg(long = "remove-meta")]
        remove_meta: Vec<String>,
-        /// Set or overwrite a secret field: key=value (repeatable, @file supported)
+        /// Set or overwrite a secret field: key=value, key:=<json>, key=@file, or nested:path@file
        #[arg(long = "secret", short = 's')]
        secrets: Vec<String>,
-        /// Remove a secret field by key (repeatable)
+        /// Delete a secret field by key or nested path, e.g. old_password or credentials:content
        #[arg(long = "remove-secret")]
        remove_secrets: Vec<String>,
        /// Output format: text (default on TTY), json, json-compact
        #[arg(short, long = "output")]
        output: Option<String>,
    },
    /// Manage CLI configuration (database connection, etc.)
    #[command(after_help = "EXAMPLES:
  # Configure the database URL (run once per device; persisted to config file)
  secrets config set-db \"postgres://postgres:<password>@<host>:<port>/secrets\"
  # Show current config (password is masked)
  secrets config show
  # Print path to the config file
  secrets config path")]
    Config {
        #[command(subcommand)]
        action: ConfigAction,
    },
    /// Show the change history for a record.
    #[command(after_help = "EXAMPLES:
  # Show last 20 versions for a service record
  secrets history -n refining --kind service --name gitea
  # Show last 5 versions
  secrets history -n refining --kind service --name gitea --limit 5")]
    History {
        #[arg(short, long)]
        namespace: String,
        #[arg(long)]
        kind: String,
        #[arg(long)]
        name: String,
        /// Number of history entries to show [default: 20]
        #[arg(long, default_value = "20")]
        limit: u32,
        /// Output format: text (default on TTY), json, json-compact
        #[arg(short, long = "output")]
        output: Option<String>,
    },
    /// Roll back a record to a previous version.
    #[command(after_help = "EXAMPLES:
  # Roll back to the most recent snapshot (undo last change)
  secrets rollback -n refining --kind service --name gitea
  # Roll back to a specific version number
  secrets rollback -n refining --kind service --name gitea --to-version 3")]
    Rollback {
        #[arg(short, long)]
        namespace: String,
        #[arg(long)]
        kind: String,
        #[arg(long)]
        name: String,
        /// Target version to restore. Omit to restore the most recent snapshot.
        #[arg(long)]
        to_version: Option<i64>,
        /// Output format: text (default on TTY), json, json-compact
        #[arg(short, long = "output")]
        output: Option<String>,
    },
    /// Print secrets as environment variables (stdout only, nothing persisted).
    ///
    /// Outputs KEY=VALUE pairs for all matched records. Safe to pipe or eval.
    #[command(after_help = "EXAMPLES:
  # Print env vars for a single service
  secrets inject -n refining --kind service --name gitea
  # With a custom prefix
  secrets inject -n refining --kind service --name gitea --prefix GITEA
  # JSON output (all vars as a JSON object)
  secrets inject -n refining --kind service --name gitea -o json
  # Eval into current shell (use with caution)
  eval $(secrets inject -n refining --kind service --name gitea)")]
    Inject {
        #[arg(short, long)]
        namespace: Option<String>,
        #[arg(long)]
        kind: Option<String>,
        #[arg(long)]
        name: Option<String>,
        #[arg(long)]
        tag: Vec<String>,
        /// Prefix to prepend to every variable name (uppercased automatically)
        #[arg(long, default_value = "")]
        prefix: String,
        /// Output format: text/KEY=VALUE (default), json, json-compact
        #[arg(short, long = "output")]
        output: Option<String>,
    },
    /// Run a command with secrets injected as environment variables.
    ///
    /// Secrets are available only to the child process; the current shell
    /// environment is not modified. The process exit code is propagated.
    #[command(after_help = "EXAMPLES:
  # Run a script with a single service's secrets injected
  secrets run -n refining --kind service --name gitea -- ./deploy.sh
  # Run with a tag filter (all matched records merged)
  secrets run --tag production -- env | grep GITEA
  # With prefix
  secrets run -n refining --kind service --name gitea --prefix GITEA -- printenv")]
    Run {
        #[arg(short, long)]
        namespace: Option<String>,
        #[arg(long)]
        kind: Option<String>,
        #[arg(long)]
        name: Option<String>,
        #[arg(long)]
        tag: Vec<String>,
        /// Prefix to prepend to every variable name (uppercased automatically)
        #[arg(long, default_value = "")]
        prefix: String,
        /// Command and arguments to execute with injected environment
        #[arg(last = true, required = true)]
        command: Vec<String>,
    },
    /// Check for a newer version and update the binary in-place.
    ///
    /// Downloads the latest release from Gitea and replaces the current binary.
    /// No database connection or master key required.
    #[command(after_help = "EXAMPLES:
  # Check for updates only (no download)
  secrets upgrade --check
  # Download and install the latest version
  secrets upgrade")]
    Upgrade {
        /// Only check if a newer version is available; do not download
        #[arg(long)]
        check: bool,
    },
    /// Export records to a file (JSON, TOML, or YAML).
    ///
    /// Decrypts and exports all matched records. Requires master key unless --no-secrets is used.
    #[command(after_help = "EXAMPLES:
  # Export everything to JSON
  secrets export --file backup.json
  # Export a specific namespace to TOML
  secrets export -n refining --file refining.toml
  # Export a specific kind
  secrets export -n refining --kind service --file services.yaml
  # Export by tag
  secrets export --tag production --file prod.json
  # Export schema only (no decryption needed)
  secrets export --no-secrets --file schema.json
  # Print to stdout in YAML
  secrets export -n refining --format yaml")]
    Export {
        /// Filter by namespace
        #[arg(short, long)]
        namespace: Option<String>,
        /// Filter by kind, e.g. server, service
        #[arg(long)]
        kind: Option<String>,
        /// Exact name filter
        #[arg(long)]
        name: Option<String>,
        /// Filter by tag (repeatable)
        #[arg(long)]
        tag: Vec<String>,
        /// Fuzzy keyword search
        #[arg(short, long)]
        query: Option<String>,
        /// Output file path (format inferred from extension: .json / .toml / .yaml / .yml)
        #[arg(long)]
        file: Option<String>,
        /// Explicit format: json, toml, or yaml (overrides file extension; required for stdout)
        #[arg(long)]
        format: Option<String>,
        /// Omit secrets from output (no master key required)
        #[arg(long)]
        no_secrets: bool,
    },
    /// Import records from a file (JSON, TOML, or YAML).
    ///
    /// Reads an export file and inserts or updates entries. Requires master key to re-encrypt secrets.
    #[command(after_help = "EXAMPLES:
  # Import a JSON backup (conflict = error by default)
  secrets import backup.json
  # Import and overwrite existing records
  secrets import --force refining.toml
  # Preview what would be imported (no writes)
  secrets import --dry-run backup.yaml
  # JSON output for the import summary
  secrets import backup.json -o json")]
    Import {
        /// Input file path (format inferred from extension: .json / .toml / .yaml / .yml)
        file: String,
        /// Overwrite existing records on conflict (default: error and abort)
        #[arg(long)]
        force: bool,
        /// Preview operations without writing to the database
        #[arg(long)]
        dry_run: bool,
        /// Output format: text (default on TTY), json, json-compact
        #[arg(short, long = "output")]
        output: Option<String>,
    },
 }
 #[derive(Subcommand)]
 enum ConfigAction {
    /// Save database URL to config file (~/.config/secrets/config.toml)
    SetDb {
        /// PostgreSQL connection string, e.g. postgres://user:pass@<host>:<port>/dbname
        url: String,
    },
    /// Show current configuration (password masked)
    Show,
    /// Print path to the config file
    Path,
 }
 #[tokio::main]
 async fn main() -> Result<()> {
    dotenv().ok();
    let cli = Cli::parse();
-    let db_url = if cli.db_url.is_empty() {
+    let filter = if cli.verbose {
-        std::env::var("DATABASE_URL").map_err(|_| {
+        EnvFilter::new("secrets=debug")
            anyhow::anyhow!("DATABASE_URL not set. Use --db-url or set DATABASE_URL env var.")
        })?
    } else {
-        cli.db_url.clone()
+        EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("secrets=warn"))
    };
    tracing_subscriber::fmt()
        .with_env_filter(filter)
        .with_target(false)
        .init();
    // config subcommand needs no database or master key
    if let Commands::Config { action } = cli.command {
        return commands::config::run(action).await;
    }
    // upgrade needs no database or master key either
    if let Commands::Upgrade { check } = cli.command {
        return commands::upgrade::run(check).await;
    }
    let db_url = config::resolve_db_url(&cli.db_url)?;
    let pool = db::create_pool(&db_url).await?;
    db::migrate(&pool).await?;
-    match &cli.command {
+    // init needs a pool but sets up the master key — handle before loading it
    if let Commands::Init = cli.command {
        return commands::init::run(&pool).await;
    }
    // All remaining commands require the master key from the OS Keychain,
    // except delete which operates on plaintext metadata only.
    match cli.command {
        Commands::Init | Commands::Config { .. } | Commands::Upgrade { .. } => unreachable!(),
        Commands::Add {
            namespace,
            kind,
@@ -134,33 +574,83 @@ async fn main() -> Result<()> {
            tags,
            meta,
            secrets,
            output,
        } => {
-            commands::add::run(&pool, namespace, kind, name, tags, meta, secrets).await?;
+            let master_key = crypto::load_master_key()?;
-        }
+            let _span =
-        Commands::Search {
+                tracing::info_span!("cmd", command = "add", %namespace, %kind, %name).entered();
-            namespace,
+            let out = resolve_output_mode(output.as_deref())?;
-            kind,
+            commands::add::run(
            tag,
            query,
            show_secrets,
        } => {
            commands::search::run(
                &pool,
-                namespace.as_deref(),
+                commands::add::AddArgs {
-                kind.as_deref(),
+                    namespace: &namespace,
-                tag.as_deref(),
+                    kind: &kind,
-                query.as_deref(),
+                    name: &name,
-                *show_secrets,
+                    tags: &tags,
                    meta_entries: &meta,
                    secret_entries: &secrets,
                    output: out,
                },
                &master_key,
            )
            .await?;
        }
        Commands::Search {
            namespace,
            kind,
            name,
            tag,
            query,
            fields,
            summary,
            limit,
            offset,
            sort,
            output,
        } => {
            let _span = tracing::info_span!("cmd", command = "search").entered();
            let out = resolve_output_mode(output.as_deref())?;
            commands::search::run(
                &pool,
                commands::search::SearchArgs {
                    namespace: namespace.as_deref(),
                    kind: kind.as_deref(),
                    name: name.as_deref(),
                    tags: &tag,
                    query: query.as_deref(),
                    fields: &fields,
                    summary,
                    limit,
                    offset,
                    sort: &sort,
                    output: out,
                },
            )
            .await?;
        }
        Commands::Delete {
            namespace,
            kind,
            name,
            output,
        } => {
-            commands::delete::run(&pool, namespace, kind, name).await?;
+            let _span =
                tracing::info_span!("cmd", command = "delete", %namespace, %kind, %name).entered();
            let out = resolve_output_mode(output.as_deref())?;
            commands::delete::run(
                &pool,
                commands::delete::DeleteArgs {
                    namespace: &namespace,
                    kind: &kind,
                    name: &name,
                    output: out,
                },
            )
            .await?;
        }
        Commands::Update {
            namespace,
            kind,
@@ -171,20 +661,175 @@ async fn main() -> Result<()> {
            remove_meta,
            secrets,
            remove_secrets,
            output,
        } => {
            let master_key = crypto::load_master_key()?;
            let _span =
                tracing::info_span!("cmd", command = "update", %namespace, %kind, %name).entered();
            let out = resolve_output_mode(output.as_deref())?;
            commands::update::run(
                &pool,
                commands::update::UpdateArgs {
-                    namespace,
+                    namespace: &namespace,
-                    kind,
+                    kind: &kind,
-                    name,
+                    name: &name,
-                    add_tags,
+                    add_tags: &add_tags,
-                    remove_tags,
+                    remove_tags: &remove_tags,
-                    meta_entries: meta,
+                    meta_entries: &meta,
-                    remove_meta,
+                    remove_meta: &remove_meta,
-                    secret_entries: secrets,
+                    secret_entries: &secrets,
-                    remove_secrets,
+                    remove_secrets: &remove_secrets,
                    output: out,
                },
                &master_key,
            )
            .await?;
        }
        Commands::History {
            namespace,
            kind,
            name,
            limit,
            output,
        } => {
            let out = resolve_output_mode(output.as_deref())?;
            commands::history::run(
                &pool,
                commands::history::HistoryArgs {
                    namespace: &namespace,
                    kind: &kind,
                    name: &name,
                    limit,
                    output: out,
                },
            )
            .await?;
        }
        Commands::Rollback {
            namespace,
            kind,
            name,
            to_version,
            output,
        } => {
            let master_key = crypto::load_master_key()?;
            let out = resolve_output_mode(output.as_deref())?;
            commands::rollback::run(
                &pool,
                commands::rollback::RollbackArgs {
                    namespace: &namespace,
                    kind: &kind,
                    name: &name,
                    to_version,
                    output: out,
                },
                &master_key,
            )
            .await?;
        }
        Commands::Inject {
            namespace,
            kind,
            name,
            tag,
            prefix,
            output,
        } => {
            let master_key = crypto::load_master_key()?;
            let out = resolve_output_mode(output.as_deref())?;
            commands::run::run_inject(
                &pool,
                commands::run::InjectArgs {
                    namespace: namespace.as_deref(),
                    kind: kind.as_deref(),
                    name: name.as_deref(),
                    tags: &tag,
                    prefix: &prefix,
                    output: out,
                },
                &master_key,
            )
            .await?;
        }
        Commands::Run {
            namespace,
            kind,
            name,
            tag,
            prefix,
            command,
        } => {
            let master_key = crypto::load_master_key()?;
            commands::run::run_exec(
                &pool,
                commands::run::RunArgs {
                    namespace: namespace.as_deref(),
                    kind: kind.as_deref(),
                    name: name.as_deref(),
                    tags: &tag,
                    prefix: &prefix,
                    command: &command,
                },
                &master_key,
            )
            .await?;
        }
        Commands::Export {
            namespace,
            kind,
            name,
            tag,
            query,
            file,
            format,
            no_secrets,
        } => {
            let master_key = if no_secrets {
                None
            } else {
                Some(crypto::load_master_key()?)
            };
            let _span = tracing::info_span!("cmd", command = "export").entered();
            commands::export_cmd::run(
                &pool,
                commands::export_cmd::ExportArgs {
                    namespace: namespace.as_deref(),
                    kind: kind.as_deref(),
                    name: name.as_deref(),
                    tags: &tag,
                    query: query.as_deref(),
                    file: file.as_deref(),
                    format: format.as_deref(),
                    no_secrets,
                },
                master_key.as_ref(),
            )
            .await?;
        }
        Commands::Import {
            file,
            force,
            dry_run,
            output,
        } => {
            let master_key = crypto::load_master_key()?;
            let _span = tracing::info_span!("cmd", command = "import").entered();
            let out = resolve_output_mode(output.as_deref())?;
            commands::import_cmd::run(
                &pool,
                commands::import_cmd::ImportArgs {
                    file: &file,
                    force,
                    dry_run,
                    output: out,
                },
                &master_key,
            )
            .await?;
        }
--- a/src/models.rs
+++ b/src/models.rs
@@ -1,17 +1,219 @@
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use std::collections::BTreeMap;
 use uuid::Uuid;
 /// A top-level entry (server, service, key, …).
 /// Sensitive fields are stored separately in `secrets`.
 #[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
-pub struct Secret {
+pub struct Entry {
    pub id: Uuid,
    pub namespace: String,
    pub kind: String,
    pub name: String,
    pub tags: Vec<String>,
    pub metadata: Value,
-    pub encrypted: Value,
+    pub version: i64,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
 }
 /// A single encrypted field belonging to an Entry.
 /// field_name, field_type, and value_len are stored in plaintext so that
 /// `search` can show the schema without requiring the master key.
 #[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
 pub struct SecretField {
    pub id: Uuid,
    pub entry_id: Uuid,
    pub field_name: String,
    /// Inferred type: "string", "number", "boolean", "json"
    pub field_type: String,
    /// Length of the plaintext value in characters (0 for binary-like PEM)
    pub value_len: i32,
    /// AES-256-GCM ciphertext: nonce(12B) || ciphertext+tag
    pub encrypted: Vec<u8>,
    pub version: i64,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
 }
 // ── Internal query row types (shared across commands) ─────────────────────────
 /// Minimal entry row fetched for write operations (add / update / delete / rollback).
 #[derive(Debug, sqlx::FromRow)]
 pub struct EntryRow {
    pub id: Uuid,
    pub version: i64,
    pub tags: Vec<String>,
    pub metadata: Value,
 }
 /// Minimal secret field row fetched before snapshots or cascade deletes.
 #[derive(Debug, sqlx::FromRow)]
 pub struct SecretFieldRow {
    pub id: Uuid,
    pub field_name: String,
    pub field_type: String,
    pub value_len: i32,
    pub encrypted: Vec<u8>,
 }
 // ── Export / Import types ──────────────────────────────────────────────────────
 /// Supported file formats for export/import.
 #[derive(Debug, Clone, Copy, PartialEq)]
 pub enum ExportFormat {
    Json,
    Toml,
    Yaml,
 }
 impl ExportFormat {
    /// Infer format from file extension (.json / .toml / .yaml / .yml).
    pub fn from_extension(path: &str) -> anyhow::Result<Self> {
        let ext = path.rsplit('.').next().unwrap_or("").to_lowercase();
        Self::from_str(&ext).map_err(|_| {
            anyhow::anyhow!(
                "Cannot infer format from extension '.{}'. Use --format json|toml|yaml",
                ext
            )
        })
    }
    /// Parse from --format CLI value.
    pub fn from_str(s: &str) -> anyhow::Result<Self> {
        match s.to_lowercase().as_str() {
            "json" => Ok(Self::Json),
            "toml" => Ok(Self::Toml),
            "yaml" | "yml" => Ok(Self::Yaml),
            other => anyhow::bail!("Unknown format '{}'. Expected: json, toml, or yaml", other),
        }
    }
    /// Serialize ExportData to a string in this format.
    pub fn serialize(&self, data: &ExportData) -> anyhow::Result<String> {
        match self {
            Self::Json => Ok(serde_json::to_string_pretty(data)?),
            Self::Toml => {
                let toml_val = json_to_toml_value(&serde_json::to_value(data)?)?;
                toml::to_string_pretty(&toml_val)
                    .map_err(|e| anyhow::anyhow!("TOML serialization failed: {}", e))
            }
            Self::Yaml => serde_yaml::to_string(data)
                .map_err(|e| anyhow::anyhow!("YAML serialization failed: {}", e)),
        }
    }
    /// Deserialize ExportData from a string in this format.
    pub fn deserialize(&self, content: &str) -> anyhow::Result<ExportData> {
        match self {
            Self::Json => Ok(serde_json::from_str(content)?),
            Self::Toml => {
                let toml_val: toml::Value = toml::from_str(content)
                    .map_err(|e| anyhow::anyhow!("TOML parse error: {}", e))?;
                let json_val = toml_to_json_value(&toml_val);
                Ok(serde_json::from_value(json_val)?)
            }
            Self::Yaml => serde_yaml::from_str(content)
                .map_err(|e| anyhow::anyhow!("YAML parse error: {}", e)),
        }
    }
 }
 /// Top-level structure for export/import files.
 #[derive(Debug, Serialize, Deserialize)]
 pub struct ExportData {
    pub version: u32,
    pub exported_at: String,
    pub entries: Vec<ExportEntry>,
 }
 /// A single entry with decrypted secrets for export/import.
 #[derive(Debug, Serialize, Deserialize)]
 pub struct ExportEntry {
    pub namespace: String,
    pub kind: String,
    pub name: String,
    #[serde(default)]
    pub tags: Vec<String>,
    #[serde(default)]
    pub metadata: Value,
    /// Decrypted secret fields. None means no secrets in this export (--no-secrets).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub secrets: Option<BTreeMap<String, Value>>,
 }
 // ── TOML ↔ JSON value conversion ──────────────────────────────────────────────
 /// Convert a serde_json Value to a toml Value.
 /// `null` values are filtered out (TOML does not support null).
 /// Mixed-type arrays are serialised as JSON strings.
 pub fn json_to_toml_value(v: &Value) -> anyhow::Result<toml::Value> {
    match v {
        Value::Null => anyhow::bail!("TOML does not support null values"),
        Value::Bool(b) => Ok(toml::Value::Boolean(*b)),
        Value::Number(n) => {
            if let Some(i) = n.as_i64() {
                Ok(toml::Value::Integer(i))
            } else if let Some(f) = n.as_f64() {
                Ok(toml::Value::Float(f))
            } else {
                anyhow::bail!("unsupported number: {}", n)
            }
        }
        Value::String(s) => Ok(toml::Value::String(s.clone())),
        Value::Array(arr) => {
            let items: anyhow::Result<Vec<toml::Value>> =
                arr.iter().map(json_to_toml_value).collect();
            match items {
                Ok(vals) => Ok(toml::Value::Array(vals)),
                Err(e) => {
                    tracing::debug!(error = %e, "mixed-type array; falling back to JSON string");
                    Ok(toml::Value::String(serde_json::to_string(v)?))
                }
            }
        }
        Value::Object(map) => {
            let mut toml_map = toml::map::Map::new();
            for (k, val) in map {
                if val.is_null() {
                    // Skip null entries
                    continue;
                }
                match json_to_toml_value(val) {
                    Ok(tv) => {
                        toml_map.insert(k.clone(), tv);
                    }
                    Err(e) => {
                        tracing::debug!(key = %k, error = %e, "field not representable in TOML; falling back to JSON string");
                        toml_map
                            .insert(k.clone(), toml::Value::String(serde_json::to_string(val)?));
                    }
                }
            }
            Ok(toml::Value::Table(toml_map))
        }
    }
 }
 /// Convert a toml Value back to a serde_json Value.
 pub fn toml_to_json_value(v: &toml::Value) -> Value {
    match v {
        toml::Value::Boolean(b) => Value::Bool(*b),
        toml::Value::Integer(i) => Value::Number((*i).into()),
        toml::Value::Float(f) => serde_json::Number::from_f64(*f)
            .map(Value::Number)
            .unwrap_or(Value::Null),
        toml::Value::String(s) => Value::String(s.clone()),
        toml::Value::Datetime(dt) => Value::String(dt.to_string()),
        toml::Value::Array(arr) => Value::Array(arr.iter().map(toml_to_json_value).collect()),
        toml::Value::Table(map) => {
            let obj: serde_json::Map<String, Value> = map
                .iter()
                .map(|(k, v)| (k.clone(), toml_to_json_value(v)))
                .collect();
            Value::Object(obj)
        }
    }
 }
--- a/src/output.rs
+++ b/src/output.rs
@@ -0,0 +1,65 @@
 use chrono::{DateTime, Local, Utc};
 use std::io::IsTerminal;
 use std::str::FromStr;
 /// Output format for all commands.
 #[derive(Debug, Clone, Default, PartialEq)]
 pub enum OutputMode {
    /// Human-readable text (default when stdout is a TTY)
    #[default]
    Text,
    /// Pretty-printed JSON
    Json,
    /// Single-line JSON (default when stdout is NOT a TTY, e.g. piped to jq)
    JsonCompact,
 }
 impl FromStr for OutputMode {
    type Err = anyhow::Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "text" => Ok(Self::Text),
            "json" => Ok(Self::Json),
            "json-compact" => Ok(Self::JsonCompact),
            other => Err(anyhow::anyhow!(
                "Unknown output format '{}'. Valid: text, json, json-compact",
                other
            )),
        }
    }
 }
 /// Resolve the effective output mode.
 /// - Explicit value from `--output` takes priority.
 /// - TTY → text; non-TTY (piped/redirected) → json-compact.
 pub fn resolve_output_mode(explicit: Option<&str>) -> anyhow::Result<OutputMode> {
    if let Some(s) = explicit {
        return s.parse();
    }
    if std::io::stdout().is_terminal() {
        Ok(OutputMode::Text)
    } else {
        Ok(OutputMode::JsonCompact)
    }
 }
 /// Format a UTC timestamp for local human-readable output.
 pub fn format_local_time(dt: DateTime<Utc>) -> String {
    dt.with_timezone(&Local)
        .format("%Y-%m-%d %H:%M:%S %:z")
        .to_string()
 }
 /// Print a JSON value to stdout in the requested output mode.
 /// - `Json`        → pretty-printed
 /// - `JsonCompact` → single line
 /// - `Text`        → no-op (caller is responsible for the text branch)
 pub fn print_json(value: &serde_json::Value, mode: &OutputMode) -> anyhow::Result<()> {
    match mode {
        OutputMode::Json => println!("{}", serde_json::to_string_pretty(value)?),
        OutputMode::JsonCompact => println!("{}", serde_json::to_string(value)?),
        OutputMode::Text => {}
    }
    Ok(())
 }