voson
1f7984d798 feat: AI 优先的 search 增强与结构化输出 (v0.4.0)
- search: 新增 --name、-f/--field、-o/--output、--summary、--limit、--offset、--sort
- search: 非 TTY 自动输出 json-compact,便于 AI 解析
- search: -f secret.* 自动解锁 secrets
- add: 支持 -o json/json-compact 输出
- add: 重构为 AddArgs 结构体
- 全局: 各子命令 after_help 补充典型值示例
- output.rs: OutputMode 枚举 + TTY 检测
- 文档: README/AGENTS 面向 AI 的用法,连接串改为 <host>:<port>

Made-with: Cursor
2026-03-18 17:17:43 +08:00
voson
140162f39a ci(secrets): 飞书通知分散到各构建 job,放宽超时与构建条件
- 各 build job 超时 10→15min,publish-release 2→5min
- 移除 build-macos/build-windows 的 if 条件,默认全平台构建
- 删除独立 notify job,在各 build job 内增加飞书单 job 通知
- 汇总通知并入 publish-release,用 needs 取状态不再调 API
- publish-release 增加 if: always() 与 checkout 步骤

Made-with: Cursor
2026-03-18 16:32:45 +08:00
10 changed files with 871 additions and 252 deletions


@@ -164,7 +164,7 @@ jobs:
name: Build (x86_64-unknown-linux-musl) name: Build (x86_64-unknown-linux-musl)
needs: [version, check] needs: [version, check]
runs-on: debian runs-on: debian
timeout-minutes: 10 timeout-minutes: 15
steps: steps:
- name: 安装依赖 - name: 安装依赖
run: | run: |
@@ -208,12 +208,31 @@ jobs:
-F "attachment=@${archive}" \ -F "attachment=@${archive}" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets" "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
- name: 飞书通知
if: always()
env:
WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
run: |
[ -z "$WEBHOOK_URL" ] && exit 0
command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
tag="${{ needs.version.outputs.tag }}"
commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
result="${{ job.status }}"
if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
msg="secrets linux 构建${icon}
版本:${tag}
提交:${commit}
作者:${{ github.actor }}
详情:${url}"
payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
build-macos: build-macos:
name: Build (aarch64-apple-darwin) name: Build (aarch64-apple-darwin)
needs: [version, check] needs: [version, check]
if: vars.BUILD_MACOS != 'false'
runs-on: darwin-arm64 runs-on: darwin-arm64
timeout-minutes: 10 timeout-minutes: 15
steps: steps:
- name: 安装依赖 - name: 安装依赖
run: | run: |
@@ -255,12 +274,30 @@ jobs:
-F "attachment=@${archive}" \ -F "attachment=@${archive}" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets" "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
- name: 飞书通知
if: always()
env:
WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
run: |
[ -z "$WEBHOOK_URL" ] && exit 0
tag="${{ needs.version.outputs.tag }}"
commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
result="${{ job.status }}"
if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
msg="secrets macOS 构建${icon}
版本:${tag}
提交:${commit}
作者:${{ github.actor }}
详情:${url}"
payload=$(python3 -c "import json,sys; print(json.dumps({'msg_type':'text','content':{'text':sys.argv[1]}}))" "$msg")
curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
build-windows: build-windows:
name: Build (x86_64-pc-windows-msvc) name: Build (x86_64-pc-windows-msvc)
needs: [version, check] needs: [version, check]
if: vars.BUILD_WINDOWS == 'true'
runs-on: windows runs-on: windows
timeout-minutes: 10 timeout-minutes: 15
steps: steps:
- name: 安装依赖 - name: 安装依赖
shell: pwsh shell: pwsh
@@ -306,13 +343,32 @@ jobs:
-Headers @{ "Authorization" = "token $env:RELEASE_TOKEN" } ` -Headers @{ "Authorization" = "token $env:RELEASE_TOKEN" } `
-Form @{ attachment = Get-Item $archive } -Form @{ attachment = Get-Item $archive }
- name: 飞书通知
if: always()
shell: pwsh
env:
WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
run: |
if (-not $env:WEBHOOK_URL) { exit 0 }
$tag = "${{ needs.version.outputs.tag }}"
$commit = (git log -1 --pretty=format:"%s" 2>$null) ?? "N/A"
$url = "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
$result = "${{ job.status }}"
$icon = if ($result -eq "success") { "✅" } else { "❌" }
$msg = "secrets windows 构建${icon}`n版本${tag}`n提交${commit}`n作者${{ github.actor }}`n详情${url}"
$payload = @{ msg_type = "text"; content = @{ text = $msg } } | ConvertTo-Json
Invoke-RestMethod -Uri $env:WEBHOOK_URL -Method Post `
-ContentType "application/json" -Body $payload
publish-release: publish-release:
name: 发布草稿 Release name: 发布草稿 Release
needs: [version, build-linux] needs: [version, build-linux]
if: needs.version.outputs.release_id != '' if: always() && needs.version.outputs.release_id != ''
runs-on: debian runs-on: debian
timeout-minutes: 2 timeout-minutes: 5
steps: steps:
- uses: actions/checkout@v4
- name: 发布草稿 - name: 发布草稿
env: env:
RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
@@ -337,21 +393,12 @@ jobs:
cat /tmp/publish-release.json 2>/dev/null || true cat /tmp/publish-release.json 2>/dev/null || true
exit 1 exit 1
fi fi
echo "Release 已发布"
notify: - name: 飞书汇总通知
name: 通知 if: always()
needs: [version, check]
if: always() && github.event_name == 'push'
runs-on: debian
timeout-minutes: 1
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: 发送飞书通知
env: env:
WEBHOOK_URL: ${{ vars.WEBHOOK_URL }} WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: | run: |
[ -z "$WEBHOOK_URL" ] && exit 0 [ -z "$WEBHOOK_URL" ] && exit 0
command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq) command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
@@ -361,59 +408,29 @@ jobs:
commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A") commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}" url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
version_r="${{ needs.version.result }}" check_r="${{ needs.version.result }}"
check_r="${{ needs.check.result }}" linux_r="${{ needs.build-linux.result }}"
publish_r="${{ job.status }}"
# 通过 API 查询当前 run 的构建 job 状态best-effort icon() { case "$1" in success) echo "✅";; skipped) echo "⏭";; *) echo "❌";; esac; }
linux_r="unknown"; macos_r="unknown"; windows_r="unknown"; publish_r="unknown"
if [ -n "$RELEASE_TOKEN" ]; then
sleep 3
run_api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/tasks"
http_code=$(curl -sS -o /tmp/jobs.json -w '%{http_code}' \
-H "Authorization: token $RELEASE_TOKEN" "$run_api" 2>/dev/null) || true
if [ "$http_code" = "200" ] && [ -f /tmp/jobs.json ]; then
get_status() {
jq -r --arg name "$1" '
(.workflow_runs // .task_runs // . // [])[]?
| select(.name == $name)
| .status // "unknown"
' /tmp/jobs.json 2>/dev/null | head -1
}
s=$(get_status "Build (x86_64-unknown-linux-musl)"); [ -n "$s" ] && linux_r="$s"
s=$(get_status "Build (aarch64-apple-darwin)"); [ -n "$s" ] && macos_r="$s"
s=$(get_status "Build (x86_64-pc-windows-msvc)"); [ -n "$s" ] && windows_r="$s"
s=$(get_status "发布草稿 Release"); [ -n "$s" ] && publish_r="$s"
fi
fi
if [ "$version_r" = "success" ] && [ "$check_r" = "success" ]; then if [ "$linux_r" = "success" ] && [ "$publish_r" = "success" ]; then
status="检查通过 ✅" status="发布成功 ✅"
elif [ "$linux_r" != "success" ]; then
status="构建失败 ❌"
else else
status="检查失败 ❌" status="发布失败 ❌"
fi fi
icon() {
case "$1" in
success) echo "✅" ;;
skipped) echo "⏭" ;;
unknown) echo "⏳" ;;
*) echo "❌" ;;
esac
}
msg="${{ env.BINARY_NAME }} ${status}"
if [ "$tag_exists" = "false" ]; then if [ "$tag_exists" = "false" ]; then
msg="${msg} version_line="🆕 新版本 ${tag}"
🆕 新版本 ${tag}"
else else
msg="${msg} version_line="🔄 重复构建 ${tag}"
🔄 重复构建 ${tag}"
fi fi
msg="${msg} msg="secrets ${status}
质量检查:$(icon "$check_r") ${version_line}
构建结果:linux$(icon "$linux_r") macOS$(icon "$macos_r") windows$(icon "$windows_r") linux $(icon "$linux_r") | Release $(icon "$publish_r")
Release$(icon "$publish_r")
提交:${commit} 提交:${commit}
作者:${{ github.actor }} 作者:${{ github.actor }}
详情:${url}" 详情:${url}"
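Review bot: The new 飞书通知 steps in build-linux, build-macos and build-windows splice `${{ github.actor }}` and `${{ needs.version.outputs.tag }}` straight into the `run:` body (`作者:${{ github.actor }}`, `tag="${{ needs.version.outputs.tag }}"`, and the pwsh `$msg = "... ${{ github.actor }} ..."`), so those values become script source text before the shell/PowerShell parses it instead of data, whereas WEBHOOK_URL already takes the safer `env:` route. Declare `ACTOR: ${{ github.actor }}` and `TAG: ${{ needs.version.outputs.tag }}` under each step's `env:` and reference `$ACTOR`/`$TAG` (`$env:ACTOR`/`$env:TAG` in the pwsh step); the jq `--arg`, python `sys.argv` and `ConvertTo-Json` paths then keep them as quoted payload data exactly as `$msg` is today. The same applies to the 飞书汇总通知 step in publish-release, which is the first place the pattern appears on the page. Separately, publish-release now runs under `if: always() && needs.version.outputs.release_id != ''` while still listing build-linux in `needs`; unless the 发布草稿 step (outside this hunk) checks `needs.build-linux.result`, a failed linux build no longer blocks publishing the draft, which looks unintended given the summary still reports 构建失败 for that case.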

.gitignore vendored

@@ -1,3 +1,4 @@
/target /target
.env .env
.DS_Store .DS_Store
.cursor/

AGENTS.md

@@ -8,14 +8,15 @@
secrets/ secrets/
src/ src/
main.rs # CLI 入口clap 命令定义auto-migrate--verbose 全局参数 main.rs # CLI 入口clap 命令定义auto-migrate--verbose 全局参数
output.rs # OutputMode 枚举 + TTY 检测TTY→text非 TTY→json-compact
config.rs # 配置读写:~/.config/secrets/config.tomldatabase_url config.rs # 配置读写:~/.config/secrets/config.tomldatabase_url
db.rs # PgPool 创建 + 建表/索引(幂等,含 audit_log db.rs # PgPool 创建 + 建表/索引(幂等,含 audit_log
models.rs # Secret 结构体sqlx::FromRow + serde models.rs # Secret 结构体sqlx::FromRow + serde
audit.rs # 审计写入:向 audit_log 表记录所有写操作 audit.rs # 审计写入:向 audit_log 表记录所有写操作
commands/ commands/
add.rs # add 命令upsert支持 --meta key=value / --secret key=@file add.rs # add 命令upsert支持 --meta key=value / --secret key=@file / -o json
config.rs # config 命令set-db / show / path持久化 database_url config.rs # config 命令set-db / show / path持久化 database_url
search.rs # search 命令:多条件动态查询 search.rs # search 命令:多条件查询-f/-o/--summary/--limit/--offset/--sort
delete.rs # delete 命令 delete.rs # delete 命令
update.rs # update 命令:增量更新(合并 tags/metadata/encrypted update.rs # update 命令:增量更新(合并 tags/metadata/encrypted
scripts/ scripts/
@@ -27,9 +28,9 @@ secrets/
## 数据库 ## 数据库
- **Host**: `47.117.131.22:5432`(阿里云上海 ECSPostgreSQL 18 with io_uring - **Host**: `<host>:<port>`
- **Database**: `secrets` - **Database**: `secrets`
- **连接串**: `postgres://postgres:<password>@47.117.131.22:5432/secrets` - **连接串**: `postgres://postgres:<password>@<host>:<port>/secrets`
- **表**: `secrets`(主表)+ `audit_log`审计表首次连接自动建表auto-migrate - **表**: `secrets`(主表)+ `audit_log`审计表首次连接自动建表auto-migrate
### 表结构 ### 表结构
@@ -80,8 +81,8 @@ audit_log (
首次使用需显式配置数据库连接,设置一次后在该设备上持久生效: 首次使用需显式配置数据库连接,设置一次后在该设备上持久生效:
```bash ```bash
secrets config set-db "postgres://postgres:<password>@47.117.131.22:5432/secrets" secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
secrets config show # 查看当前配置(密码脱敏) secrets config show # 查看当前配置(密码脱敏)
secrets config path # 打印配置文件路径 secrets config path # 打印配置文件路径
``` ```
@@ -89,50 +90,90 @@ secrets config path # 打印配置文件路径
## CLI 命令 ## CLI 命令
### AI 使用主路径
**读取一律用 `search`,写入用 `add` / `update`,避免反复查帮助。**
输出格式规则:
- TTY终端直接运行→ 默认 `text`
- 非 TTY管道/重定向/AI 调用)→ 自动 `json-compact`
- 显式 `-o json` → 美化 JSON
- 显式 `-o env` → KEY=VALUE可 source
---
### search — 发现与读取
```bash ```bash
# 查看版本 # 参数说明(带典型值)
secrets -V / --version # -n / --namespace refining | ricnsmart
# --kind server | service
# --name gitea | i-uf63f2uookgs5uxmrdyc | mqtt
# --tag aliyun | hongkong | production
# -q / --query mqtt | grafana | gitea (模糊匹配 name/namespace/kind/tags/metadata
# --show-secrets 不带值的 flag显示 encrypted 字段内容
# -f / --field metadata.ip | metadata.url | secret.token | secret.ssh_key
# --summary 不带值的 flag仅返回摘要name/tags/desc/updated_at
# --limit 20 | 50默认 50
# --offset 0 | 10 | 20分页偏移
# --sort name默认| updated | created
# -o / --output text | json | json-compact | env
# 查看帮助 # 发现概览(起步推荐)
secrets -h / --help secrets search --summary --limit 20
secrets help <subcommand> # 子命令详细帮助,如 secrets help add secrets search -n refining --summary --limit 20
secrets search --sort updated --limit 10 --summary
# 添加或更新记录upsert # 精确定位单条记录
secrets add -n <namespace> --kind <kind> --name <name> \ secrets search -n refining --kind service --name gitea
[--tag <tag>]... # 可重复 secrets search -n refining --kind server --name i-uf63f2uookgs5uxmrdyc
[-m key=value]... # --meta 明文字段,-m 是短标志
[-s key=value]... # --secret 敏感字段value 以 @ 开头表示从文件读取
# 搜索(默认隐藏 encrypted 内容 # 精确定位并获取完整内容(含 secrets
secrets search [-n <namespace>] [--kind <kind>] [--tag <tag>] [-q <keyword>] [--show-secrets] secrets search -n refining --kind service --name gitea -o json --show-secrets
# -q 匹配范围name、namespace、kind、metadata 全文内容、tags
# 开启 debug 级别日志(全局参数,位于子命令之前 # 直接提取字段值(最短路径,-f secret.* 自动解锁 secrets
secrets --verbose <subcommand> secrets search -n refining --kind service --name gitea -f secret.token
secrets -v <subcommand> secrets search -n refining --kind service --name gitea -f metadata.url
# 或通过环境变量控制RUST_LOG=secrets=trace secrets search secrets search -n refining --kind service --name gitea \
-f metadata.url -f metadata.default_org -f secret.token
# 增量更新已有记录(合并语义,记录不存在则报错) # 模糊关键词搜索
secrets update -n <namespace> --kind <kind> --name <name> \ secrets search -q mqtt
[--add-tag <tag>]... # 添加标签(不影响已有标签) secrets search -q grafana
[--remove-tag <tag>]... # 移除标签 secrets search -q 47.117
[-m key=value]... # 新增或覆盖 metadata 字段(不影响其他字段)
[--remove-meta <key>]... # 删除 metadata 字段
[-s key=value]... # 新增或覆盖 encrypted 字段(不影响其他字段)
[--remove-secret <key>]... # 删除 encrypted 字段
# 删除 # 按条件过滤
secrets delete -n <namespace> --kind <kind> --name <name> secrets search -n refining --kind service
secrets search -n ricnsmart --kind server
secrets search --tag hongkong
secrets search --tag aliyun --summary
# 配置(持久化 database_url设置一次即可 # 分页
secrets config set-db <url> secrets search -n refining --summary --limit 10 --offset 0
secrets config show secrets search -n refining --summary --limit 10 --offset 10
secrets config path
# 管道 / AI 调用(非 TTY 自动 json-compact
secrets search -n refining --kind service | jq '.[].name'
secrets search -n refining --kind service --name gitea --show-secrets | jq '.secrets.token'
# 导出为 env 文件(单条记录)
secrets search -n refining --kind service --name gitea -o env --show-secrets \
> ~/.config/gitea/config.env
``` ```
### 示例 ---
### add — 新增或全量覆盖upsert
```bash ```bash
# 参数说明(带典型值)
# -n / --namespace refining | ricnsmart
# --kind server | service
# --name gitea | i-uf63f2uookgs5uxmrdyc
# --tag aliyun | hongkong可重复
# -m / --meta ip=47.117.131.22 | desc="Aliyun ECS" | url=https://...(可重复)
# -s / --secret token=<value> | ssh_key=@./key.pem | password=secret123可重复
# 添加服务器 # 添加服务器
secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \ secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
--tag aliyun --tag shanghai \ --tag aliyun --tag shanghai \
@@ -142,30 +183,101 @@ secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
# 添加服务凭据 # 添加服务凭据
secrets add -n refining --kind service --name gitea \ secrets add -n refining --kind service --name gitea \
--tag gitea \ --tag gitea \
-m url=https://gitea.refining.dev \ -m url=https://gitea.refining.dev -m default_org=refining -m username=voson \
-s token=<token> -s token=<token> -s runner_token=<runner_token>
# 搜索含 mqtt 的所有记录 # 从文件读取 token
secrets search -q mqtt secrets add -n ricnsmart --kind service --name mqtt \
-m host=mqtt.ricnsmart.com -m port=1883 \
-s password=@./mqtt_password.txt
```
# 查看 refining 的全部服务配置(显示 secrets ---
secrets search -n refining --kind service --show-secrets
# 按 tag 筛选 ### update — 增量更新(记录必须已存在)
secrets search --tag hongkong
# 只更新一个 IP不影响其他 metadata/secrets/tags 只有传入的字段才会变动,其余全部保留。
```bash
# 参数说明(带典型值)
# -n / --namespace refining | ricnsmart
# --kind server | service
# --name gitea | i-uf63f2uookgs5uxmrdyc
# --add-tag production | backup不影响已有 tag可重复
# --remove-tag staging | deprecated可重复
# -m / --meta ip=10.0.0.1 | desc="新描述"(新增或覆盖,可重复)
# --remove-meta old_port | legacy_key删除 metadata 字段,可重复)
# -s / --secret token=<new> | ssh_key=@./new.pem新增或覆盖可重复
# --remove-secret old_password | deprecated_key删除 secret 字段,可重复)
# 更新单个 metadata 字段
secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \ secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
-m ip=10.0.0.1 -m ip=10.0.0.1
# 给一条记录新增 tag 并轮换密码 # 轮换 token
secrets update -n refining --kind service --name gitea \
-s token=<new-token>
# 新增 tag 并轮换 token
secrets update -n refining --kind service --name gitea \ secrets update -n refining --kind service --name gitea \
--add-tag production \ --add-tag production \
-s token=<new-token> -s token=<new-token>
# 移除一个废弃的 metadata 字段 # 移除废弃字段
secrets update -n refining --kind service --name mqtt \ secrets update -n refining --kind service --name mqtt \
--remove-meta old_port --remove-meta old_port --remove-secret old_password
# 移除 tag
secrets update -n refining --kind service --name gitea --remove-tag staging
```
---
### delete — 删除记录
```bash
# 参数说明(带典型值)
# -n / --namespace refining | ricnsmart
# --kind server | service
# --name gitea | i-uf63f2uookgs5uxmrdyc必须精确匹配
# 删除服务凭据
secrets delete -n refining --kind service --name legacy-mqtt
# 删除服务器记录
secrets delete -n ricnsmart --kind server --name i-old-server-id
```
---
### config — 配置管理
```bash
# 设置数据库连接(每台设备执行一次,之后永久生效)
secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
# 查看当前配置(密码脱敏)
secrets config show
# 打印配置文件路径
secrets config path
# 输出: /Users/<user>/.config/secrets/config.toml
```
---
### 全局参数
```bash
# debug 日志(位于子命令之前)
secrets --verbose search -q mqtt
secrets -v add -n refining --kind service --name gitea -m url=xxx -s token=yyy
# 或通过环境变量精细控制
RUST_LOG=secrets=trace secrets search
# 一次性覆盖数据库连接
secrets --db-url "postgres://..." search -n refining
``` ```
## 代码规范 ## 代码规范
@@ -174,9 +286,10 @@ secrets update -n refining --kind service --name mqtt \
- 异步:全程 `tokio`,数据库操作 `sqlx` async - 异步:全程 `tokio`,数据库操作 `sqlx` async
- SQL使用 `sqlx::query` / `sqlx::query_as` 绑定参数,禁止字符串拼接(搜索的动态 WHERE 子句除外,需使用参数绑定 `$1/$2` - SQL使用 `sqlx::query` / `sqlx::query_as` 绑定参数,禁止字符串拼接(搜索的动态 WHERE 子句除外,需使用参数绑定 `$1/$2`
- 新增 `kind` 类型时:只需在 `add` 调用时传入,无需改代码 - 新增 `kind` 类型时:只需在 `add` 调用时传入,无需改代码
- 字段命名CLI 短标志 `-n`=namespace`-m`=meta`-s`=secret`-q`=query`-v`=verbose - 字段命名CLI 短标志 `-n`=namespace`-m`=meta`-s`=secret`-q`=query`-v`=verbose`-f`=field`-o`=output
- 日志:用户可见输出用 `println!`;调试/运维信息用 `tracing::debug!`/`info!`/`warn!`/`error!` - 日志:用户可见输出用 `println!`;调试/运维信息用 `tracing::debug!`/`info!`/`warn!`/`error!`
- 审计:`add`/`update`/`delete` 成功后调用 `audit::log()`,写入 `audit_log` 表;失败只 warn 不中断 - 审计:`add`/`update`/`delete` 成功后调用 `audit::log()`,写入 `audit_log` 表;失败只 warn 不中断
- 输出:读命令通过 `OutputMode` 支持 text/json/json-compact/env写命令 `add` 同样支持 `-o json`
## 提交前检查(必须全部通过) ## 提交前检查(必须全部通过)
@@ -194,7 +307,7 @@ grep '^version' Cargo.toml
git tag -l 'secrets-*' git tag -l 'secrets-*'
``` ```
若当前版本已被 tag例如已有 `secrets-0.1.0``Cargo.toml` 仍为 `0.1.0`),则应在 `Cargo.toml` 中 bump 版本号后再提交,以便 CI 自动打新 Tag 并发布 Release。 若当前版本已被 tag例如已有 `secrets-0.3.0``Cargo.toml` 仍为 `0.3.0`),则应在 `Cargo.toml` 中 bump 版本号后再提交,以便 CI 自动打新 Tag 并发布 Release。
### 2. 格式、Lint、测试 ### 2. 格式、Lint、测试

Cargo.lock generated

@@ -1245,7 +1245,7 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
[[package]] [[package]]
name = "secrets" name = "secrets"
version = "0.3.0" version = "0.4.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"chrono", "chrono",


@@ -1,6 +1,6 @@
[package] [package]
name = "secrets" name = "secrets"
version = "0.3.0" version = "0.4.0"
edition = "2024" edition = "2024"
[dependencies] [dependencies]

README.md

@@ -14,60 +14,116 @@ cargo build --release
配置数据库连接(首次使用需执行一次,之后在该设备上持久生效): 配置数据库连接(首次使用需执行一次,之后在该设备上持久生效):
```bash ```bash
secrets config set-db "postgres://postgres:<password>@<host>:5432/secrets" secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
``` ```
## 使用 ## AI Agent 快速指南
这个 CLI 以 AI 使用优先设计。核心路径只有一条:**读取用 `search`,写入用 `add` / `update`**。
### 第一步:发现有哪些数据
```bash ```bash
# 查看版本 # 列出所有记录摘要(默认最多 50 条,安全起步)
secrets -V secrets search --summary --limit 20
secrets --version
# 查看帮助 # 按 namespace 过滤
secrets search -n refining --summary --limit 20
# 按最近更新排序
secrets search --sort updated --limit 10 --summary
```
`--summary` 只返回轻量字段namespace、kind、name、tags、desc、updated_at不含完整 metadata 和 secrets。
### 第二步:精确读取单条记录
```bash
# 精确定位namespace + kind + name 三元组)
secrets search -n refining --kind service --name gitea
# 获取完整记录含 secretsJSON 格式AI 最易解析)
secrets search -n refining --kind service --name gitea -o json --show-secrets
# 直接提取单个字段值(最短路径)
secrets search -n refining --kind service --name gitea -f secret.token
secrets search -n refining --kind service --name gitea -f metadata.url
# 同时提取多个字段
secrets search -n refining --kind service --name gitea \
-f metadata.url -f metadata.default_org -f secret.token
```
`-f secret.*` 会自动解锁 secrets无需额外加 `--show-secrets`
### 输出格式
| 场景 | 推荐命令 |
|------|----------|
| AI 解析 / 管道处理 | `-o json``-o json-compact` |
| 写入 `.env` 文件 | `-o env --show-secrets` |
| 人类查看 | 默认 `text`TTY 下自动启用) |
| 非 TTY管道/重定向) | 自动 `json-compact` |
```bash
# 管道直接 jq 解析(非 TTY 自动 json-compact
secrets search -n refining --kind service | jq '.[].name'
secrets search -n refining --kind service --name gitea --show-secrets | jq '.secrets.token'
# 导出为可 source 的 env 文件(单条记录)
secrets search -n refining --kind service --name gitea -o env --show-secrets \
> ~/.config/gitea/config.env
```
## 完整命令参考
```bash
# 查看帮助(包含各子命令 EXAMPLES
secrets --help secrets --help
secrets -h secrets search --help
secrets add --help
secrets update --help
secrets delete --help
secrets config --help
# 查看子命令帮助 # ── search ──────────────────────────────────────────────────────────────────
secrets help config secrets search --summary --limit 20 # 发现概览
secrets help add secrets search -n refining --kind service # 按 namespace + kind
secrets help search secrets search -n refining --kind service --name gitea # 精确查找
secrets help delete secrets search -q mqtt # 关键词模糊搜索
secrets help update secrets search --tag hongkong # 按 tag 过滤
secrets search -n refining --kind service --name gitea -f secret.token # 提取字段
secrets search -n refining --kind service --name gitea -o json --show-secrets # 完整 JSON
secrets search --sort updated --limit 10 --summary # 最近改动
secrets search -n refining --summary --limit 10 --offset 10 # 翻页
# 添加服务器 # ── add ──────────────────────────────────────────────────────────────────────
secrets add -n refining --kind server --name my-server \ secrets add -n refining --kind server --name my-server \
--tag aliyun --tag shanghai \ --tag aliyun --tag shanghai \
-m ip=1.2.3.4 -m desc="My Server" \ -m ip=47.117.131.22 -m desc="Aliyun Shanghai ECS" \
-s username=root \ -s username=root -s ssh_key=@./keys/server.pem
-s ssh_key=@./keys/my.pem
# 添加服务凭据
secrets add -n refining --kind service --name gitea \ secrets add -n refining --kind service --name gitea \
-m url=https://gitea.example.com \ --tag gitea \
-m url=https://gitea.refining.dev -m default_org=refining \
-s token=<token> -s token=<token>
# 搜索(默认隐藏敏感字段) # ── update ───────────────────────────────────────────────────────────────────
secrets search
secrets search -n refining --kind server
secrets search --tag hongkong
secrets search -q mqtt # 关键词匹配 name / metadata / tags
secrets search -n refining --kind service --name gitea --show-secrets
# 开启 debug 级别日志(--verbose / -v全局参数
secrets --verbose search -q mqtt
secrets -v add -n refining --kind service --name gitea -m url=xxx -s token=yyy
# 或通过环境变量精细控制日志级别
RUST_LOG=secrets=trace secrets search
# 增量更新已有记录(合并语义,记录不存在则报错)
secrets update -n refining --kind server --name my-server -m ip=10.0.0.1 secrets update -n refining --kind server --name my-server -m ip=10.0.0.1
secrets update -n refining --kind service --name gitea --add-tag production -s token=<new-token> secrets update -n refining --kind service --name gitea --add-tag production -s token=<new>
secrets update -n refining --kind service --name mqtt --remove-meta old_port --remove-secret old_key secrets update -n refining --kind service --name mqtt --remove-meta old_port --remove-secret old_key
# 删除 # ── delete ───────────────────────────────────────────────────────────────────
secrets delete -n refining --kind server --name my-server secrets delete -n refining --kind service --name legacy-mqtt
# ── config ───────────────────────────────────────────────────────────────────
secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
secrets config show # 密码脱敏展示
secrets config path # 打印配置文件路径
# ── 调试 ──────────────────────────────────────────────────────────────────────
secrets --verbose search -q mqtt
RUST_LOG=secrets=trace secrets search
``` ```
## 数据模型 ## 数据模型
@@ -101,15 +157,16 @@ LIMIT 20;
``` ```
src/ src/
main.rs # CLI 入口clap main.rs # CLI 入口clap,含各子命令 after_help 示例
output.rs # OutputMode 枚举 + TTY 检测
config.rs # 配置读写(~/.config/secrets/config.toml config.rs # 配置读写(~/.config/secrets/config.toml
db.rs # 连接池 + auto-migratesecrets + audit_log db.rs # 连接池 + auto-migratesecrets + audit_log
models.rs # Secret 结构体 models.rs # Secret 结构体
audit.rs # 审计日志写入audit_log 表) audit.rs # 审计日志写入audit_log 表)
commands/ commands/
add.rs # upsert add.rs # upsert,支持 -o json
config.rs # config set-db/show/path config.rs # config set-db/show/path
search.rs # 多条件查询 search.rs # 多条件查询,支持 -f/-o/--summary/--limit/--offset/--sort
delete.rs # 删除 delete.rs # 删除
update.rs # 增量更新(合并 tags/metadata/encrypted update.rs # 增量更新(合并 tags/metadata/encrypted
scripts/ scripts/


@@ -3,6 +3,8 @@ use serde_json::{Map, Value, json};
use sqlx::PgPool; use sqlx::PgPool;
use std::fs; use std::fs;
use crate::output::OutputMode;
/// Parse "key=value" entries. Value starting with '@' reads from file. /// Parse "key=value" entries. Value starting with '@' reads from file.
pub(crate) fn parse_kv(entry: &str) -> Result<(String, String)> { pub(crate) fn parse_kv(entry: &str) -> Result<(String, String)> {
let (key, raw_val) = entry.split_once('=').ok_or_else(|| { let (key, raw_val) = entry.split_once('=').ok_or_else(|| {
@@ -31,19 +33,21 @@ fn build_json(entries: &[String]) -> Result<Value> {
Ok(Value::Object(map)) Ok(Value::Object(map))
} }
pub async fn run( pub struct AddArgs<'a> {
pool: &PgPool, pub namespace: &'a str,
namespace: &str, pub kind: &'a str,
kind: &str, pub name: &'a str,
name: &str, pub tags: &'a [String],
tags: &[String], pub meta_entries: &'a [String],
meta_entries: &[String], pub secret_entries: &'a [String],
secret_entries: &[String], pub output: OutputMode,
) -> Result<()> { }
let metadata = build_json(meta_entries)?;
let encrypted = build_json(secret_entries)?;
tracing::debug!(namespace, kind, name, "upserting record"); pub async fn run(pool: &PgPool, args: AddArgs<'_>) -> Result<()> {
let metadata = build_json(args.meta_entries)?;
let encrypted = build_json(args.secret_entries)?;
tracing::debug!(args.namespace, args.kind, args.name, "upserting record");
sqlx::query( sqlx::query(
r#" r#"
@@ -57,20 +61,22 @@ pub async fn run(
updated_at = NOW() updated_at = NOW()
"#, "#,
) )
.bind(namespace) .bind(args.namespace)
.bind(kind) .bind(args.kind)
.bind(name) .bind(args.name)
.bind(tags) .bind(args.tags)
.bind(&metadata) .bind(&metadata)
.bind(&encrypted) .bind(&encrypted)
.execute(pool) .execute(pool)
.await?; .await?;
let meta_keys: Vec<&str> = meta_entries let meta_keys: Vec<&str> = args
.meta_entries
.iter() .iter()
.filter_map(|s| s.split_once('=').map(|(k, _)| k)) .filter_map(|s| s.split_once('=').map(|(k, _)| k))
.collect(); .collect();
let secret_keys: Vec<&str> = secret_entries let secret_keys: Vec<&str> = args
.secret_entries
.iter() .iter()
.filter_map(|s| s.split_once('=').map(|(k, _)| k)) .filter_map(|s| s.split_once('=').map(|(k, _)| k))
.collect(); .collect();
@@ -78,26 +84,46 @@ pub async fn run(
crate::audit::log( crate::audit::log(
pool, pool,
"add", "add",
namespace, args.namespace,
kind, args.kind,
name, args.name,
json!({ json!({
"tags": tags, "tags": args.tags,
"meta_keys": meta_keys, "meta_keys": meta_keys,
"secret_keys": secret_keys, "secret_keys": secret_keys,
}), }),
) )
.await; .await;
println!("Added: [{}/{}] {}", namespace, kind, name); let result_json = json!({
if !tags.is_empty() { "action": "added",
println!(" tags: {}", tags.join(", ")); "namespace": args.namespace,
} "kind": args.kind,
if !meta_entries.is_empty() { "name": args.name,
println!(" metadata: {}", meta_keys.join(", ")); "tags": args.tags,
} "meta_keys": meta_keys,
if !secret_entries.is_empty() { "secret_keys": secret_keys,
println!(" secrets: {}", secret_keys.join(", ")); });
match args.output {
OutputMode::Json => {
println!("{}", serde_json::to_string_pretty(&result_json)?);
}
OutputMode::JsonCompact => {
println!("{}", serde_json::to_string(&result_json)?);
}
_ => {
println!("Added: [{}/{}] {}", args.namespace, args.kind, args.name);
if !args.tags.is_empty() {
println!(" tags: {}", args.tags.join(", "));
}
if !args.meta_entries.is_empty() {
println!(" metadata: {}", meta_keys.join(", "));
}
if !args.secret_entries.is_empty() {
println!(" secrets: {}", secret_keys.join(", "));
}
}
} }
Ok(()) Ok(())
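Review bot: The `_ =>` arm in the new `match args.output` silently sends `OutputMode::Env` (a variant the search.rs hunk below handles explicitly) to the human-readable branch, so `secrets add -o env` prints text with no indication that env output is unsupported for a write command. Writing the arm as `OutputMode::Text | OutputMode::Env => {` keeps the match exhaustive so a future variant is a compile error rather than an undiagnosed fallback; if env should be rejected instead, `OutputMode::Env => anyhow::bail!("env output is not supported for add"),` makes the mismatch visible to the caller. The `result_json` and audit payload carry only `meta_keys`/`secret_keys` and never the values, which is the right shape for a confirmation message; a doc comment on the new `AddArgs` in the earlier hunk stating that contract (`/// Arguments for the add upsert; only metadata/secret keys are ever echoed back, never values.`) would make it explicit for callers. `run` begins in the previous hunk.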


@@ -1,36 +1,51 @@
use anyhow::Result; use anyhow::Result;
use serde_json::{Value, json};
use sqlx::PgPool; use sqlx::PgPool;
use crate::models::Secret; use crate::models::Secret;
use crate::output::OutputMode;
pub async fn run( pub struct SearchArgs<'a> {
pool: &PgPool, pub namespace: Option<&'a str>,
namespace: Option<&str>, pub kind: Option<&'a str>,
kind: Option<&str>, pub name: Option<&'a str>,
tag: Option<&str>, pub tag: Option<&'a str>,
query: Option<&str>, pub query: Option<&'a str>,
show_secrets: bool, pub show_secrets: bool,
) -> Result<()> { pub fields: &'a [String],
pub summary: bool,
pub limit: u32,
pub offset: u32,
pub sort: &'a str,
pub output: OutputMode,
}
pub async fn run(pool: &PgPool, args: SearchArgs<'_>) -> Result<()> {
let mut conditions: Vec<String> = Vec::new(); let mut conditions: Vec<String> = Vec::new();
let mut idx: i32 = 1; let mut idx: i32 = 1;
if namespace.is_some() { if args.namespace.is_some() {
conditions.push(format!("namespace = ${}", idx)); conditions.push(format!("namespace = ${}", idx));
idx += 1; idx += 1;
} }
if kind.is_some() { if args.kind.is_some() {
conditions.push(format!("kind = ${}", idx)); conditions.push(format!("kind = ${}", idx));
idx += 1; idx += 1;
} }
if tag.is_some() { if args.name.is_some() {
conditions.push(format!("name = ${}", idx));
idx += 1;
}
if args.tag.is_some() {
conditions.push(format!("tags @> ARRAY[${}]", idx)); conditions.push(format!("tags @> ARRAY[${}]", idx));
idx += 1; idx += 1;
} }
if query.is_some() { if args.query.is_some() {
conditions.push(format!( conditions.push(format!(
"(name ILIKE ${i} OR namespace ILIKE ${i} OR kind ILIKE ${i} OR metadata::text ILIKE ${i} OR EXISTS (SELECT 1 FROM unnest(tags) t WHERE t ILIKE ${i}))", "(name ILIKE ${i} OR namespace ILIKE ${i} OR kind ILIKE ${i} OR metadata::text ILIKE ${i} OR EXISTS (SELECT 1 FROM unnest(tags) t WHERE t ILIKE ${i}))",
i = idx i = idx
)); ));
idx += 1;
} }
let where_clause = if conditions.is_empty() { let where_clause = if conditions.is_empty() {
@@ -39,49 +54,166 @@ pub async fn run(
format!("WHERE {}", conditions.join(" AND ")) format!("WHERE {}", conditions.join(" AND "))
}; };
let order = match args.sort {
"updated" => "updated_at DESC",
"created" => "created_at DESC",
_ => "namespace, kind, name",
};
let sql = format!( let sql = format!(
"SELECT * FROM secrets {} ORDER BY namespace, kind, name", "SELECT * FROM secrets {} ORDER BY {} LIMIT ${} OFFSET ${}",
where_clause where_clause,
order,
idx,
idx + 1
); );
tracing::debug!(sql, "executing search query"); tracing::debug!(sql, "executing search query");
let mut q = sqlx::query_as::<_, Secret>(&sql); let mut q = sqlx::query_as::<_, Secret>(&sql);
if let Some(v) = namespace { if let Some(v) = args.namespace {
q = q.bind(v); q = q.bind(v);
} }
if let Some(v) = kind { if let Some(v) = args.kind {
q = q.bind(v); q = q.bind(v);
} }
if let Some(v) = tag { if let Some(v) = args.name {
q = q.bind(v); q = q.bind(v);
} }
if let Some(v) = query { if let Some(v) = args.tag {
q = q.bind(v);
}
if let Some(v) = args.query {
q = q.bind(format!("%{}%", v)); q = q.bind(format!("%{}%", v));
} }
q = q.bind(args.limit as i64).bind(args.offset as i64);
let rows = q.fetch_all(pool).await?; let rows = q.fetch_all(pool).await?;
if rows.is_empty() { // -f/--field: extract specific field values directly
println!("No records found."); if !args.fields.is_empty() {
return Ok(()); return print_fields(&rows, args.fields);
} }
for row in &rows { match args.output {
println!("[{}/{}] {}", row.namespace, row.kind, row.name,); OutputMode::Json | OutputMode::JsonCompact => {
println!(" id: {}", row.id); let arr: Vec<Value> = rows
.iter()
.map(|r| to_json(r, args.show_secrets, args.summary))
.collect();
let out = if args.output == OutputMode::Json {
serde_json::to_string_pretty(&arr)?
} else {
serde_json::to_string(&arr)?
};
println!("{}", out);
}
OutputMode::Env => {
if rows.len() > 1 {
anyhow::bail!(
"env output requires exactly one record; got {}. Add more filters.",
rows.len()
);
}
if let Some(row) = rows.first() {
print_env(row, args.show_secrets)?;
} else {
eprintln!("No records found.");
}
}
OutputMode::Text => {
if rows.is_empty() {
println!("No records found.");
return Ok(());
}
for row in &rows {
print_text(row, args.show_secrets, args.summary)?;
}
println!("{} record(s) found.", rows.len());
if rows.len() == args.limit as usize {
println!(
" (showing up to {}; use --offset {} to see more)",
args.limit,
args.offset + args.limit
);
}
}
}
Ok(())
}
fn to_json(row: &Secret, show_secrets: bool, summary: bool) -> Value {
if summary {
let desc = row
.metadata
.get("desc")
.or_else(|| row.metadata.get("url"))
.and_then(|v| v.as_str())
.unwrap_or("")
.to_string();
return json!({
"namespace": row.namespace,
"kind": row.kind,
"name": row.name,
"tags": row.tags,
"desc": desc,
"updated_at": row.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
});
}
let secrets_val = if show_secrets {
row.encrypted.clone()
} else {
let keys: Vec<&str> = row
.encrypted
.as_object()
.map(|m| m.keys().map(|k| k.as_str()).collect())
.unwrap_or_default();
json!({"_hidden_keys": keys})
};
json!({
"id": row.id,
"namespace": row.namespace,
"kind": row.kind,
"name": row.name,
"tags": row.tags,
"metadata": row.metadata,
"secrets": secrets_val,
"created_at": row.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
"updated_at": row.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
})
}
fn print_text(row: &Secret, show_secrets: bool, summary: bool) -> Result<()> {
println!("[{}/{}] {}", row.namespace, row.kind, row.name);
if summary {
let desc = row
.metadata
.get("desc")
.or_else(|| row.metadata.get("url"))
.and_then(|v| v.as_str())
.unwrap_or("-");
if !row.tags.is_empty() {
println!(" tags: [{}]", row.tags.join(", "));
}
println!(" desc: {}", desc);
println!(
" updated: {}",
row.updated_at.format("%Y-%m-%d %H:%M:%S UTC")
);
} else {
println!(" id: {}", row.id);
if !row.tags.is_empty() { if !row.tags.is_empty() {
println!(" tags: [{}]", row.tags.join(", ")); println!(" tags: [{}]", row.tags.join(", "));
} }
if row.metadata.as_object().is_some_and(|m| !m.is_empty()) { if row.metadata.as_object().is_some_and(|m| !m.is_empty()) {
println!( println!(
" metadata: {}", " metadata: {}",
serde_json::to_string_pretty(&row.metadata)? serde_json::to_string_pretty(&row.metadata)?
); );
} }
if show_secrets { if show_secrets {
println!( println!(
" secrets: {}", " secrets: {}",
@@ -100,13 +232,73 @@ pub async fn run(
); );
} }
} }
println!( println!(
" created: {}", " created: {}",
row.created_at.format("%Y-%m-%d %H:%M:%S UTC") row.created_at.format("%Y-%m-%d %H:%M:%S UTC")
); );
println!();
} }
println!("{} record(s) found.", rows.len()); println!();
Ok(()) Ok(())
} }
fn print_env(row: &Secret, show_secrets: bool) -> Result<()> {
let prefix = row.name.to_uppercase().replace(['-', '.'], "_");
if let Some(meta) = row.metadata.as_object() {
for (k, v) in meta {
let key = format!("{}_{}", prefix, k.to_uppercase().replace('-', "_"));
println!("{}={}", key, v.as_str().unwrap_or(&v.to_string()));
}
}
if show_secrets && let Some(enc) = row.encrypted.as_object() {
for (k, v) in enc {
let key = format!("{}_{}", prefix, k.to_uppercase().replace('-', "_"));
println!("{}={}", key, v.as_str().unwrap_or(&v.to_string()));
}
}
Ok(())
}
/// Extract one or more field paths like `metadata.url` or `secret.token`.
fn print_fields(rows: &[Secret], fields: &[String]) -> Result<()> {
for row in rows {
for field in fields {
let val = extract_field(row, field)?;
println!("{}", val);
}
}
Ok(())
}
fn extract_field(row: &Secret, field: &str) -> Result<String> {
let (section, key) = field.split_once('.').ok_or_else(|| {
anyhow::anyhow!(
"Invalid field path '{}'. Use metadata.<key> or secret.<key>",
field
)
})?;
let obj = match section {
"metadata" | "meta" => &row.metadata,
"secret" | "secrets" | "encrypted" => &row.encrypted,
other => anyhow::bail!(
"Unknown field section '{}'. Use 'metadata' or 'secret'",
other
),
};
obj.get(key)
.and_then(|v| {
v.as_str()
.map(|s| s.to_string())
.or_else(|| Some(v.to_string()))
})
.ok_or_else(|| {
anyhow::anyhow!(
"Field '{}' not found in record [{}/{}/{}]",
field,
row.namespace,
row.kind,
row.name
)
})
}


@@ -3,16 +3,31 @@ mod commands;
mod config; mod config;
mod db; mod db;
mod models; mod models;
mod output;
use anyhow::Result; use anyhow::Result;
use clap::{Parser, Subcommand}; use clap::{Parser, Subcommand};
use tracing_subscriber::EnvFilter; use tracing_subscriber::EnvFilter;
use output::resolve_output_mode;
#[derive(Parser)] #[derive(Parser)]
#[command( #[command(
name = "secrets", name = "secrets",
version, version,
about = "Secrets & config manager backed by PostgreSQL" about = "Secrets & config manager backed by PostgreSQL — optimised for AI agents",
after_help = "QUICK START (AI agents):
# Discover what namespaces / kinds exist
secrets search --summary --limit 20
# Precise lookup (JSON output for easy parsing)
secrets search -n refining --kind service --name gitea -o json --show-secrets
# Extract a single field value directly
secrets search -n refining --kind service --name gitea -f secret.token
# Pipe-friendly (non-TTY defaults to json-compact automatically)
secrets search -n refining --kind service | jq '.[].name'"
)] )]
struct Cli { struct Cli {
/// Database URL, overrides saved config (one-time override) /// Database URL, overrides saved config (one-time override)
@@ -29,72 +44,181 @@ struct Cli {
#[derive(Subcommand)] #[derive(Subcommand)]
enum Commands { enum Commands {
/// Add or update a record (upsert) /// Add or update a record (upsert). Use -m for plaintext metadata, -s for secrets.
#[command(after_help = "EXAMPLES:
# Add a server
secrets add -n refining --kind server --name my-server \\
--tag aliyun --tag shanghai \\
-m ip=47.117.131.22 -m desc=\"Aliyun Shanghai ECS\" \\
-s username=root -s ssh_key=@./keys/server.pem
# Add a service credential
secrets add -n refining --kind service --name gitea \\
--tag gitea \\
-m url=https://gitea.refining.dev -m default_org=refining \\
-s token=<token>
# Add with token read from a file
secrets add -n ricnsmart --kind service --name mqtt \\
-m host=mqtt.ricnsmart.com -m port=1883 \\
-s password=@./mqtt_password.txt")]
Add { Add {
/// Namespace (e.g. refining, ricnsmart) /// Namespace, e.g. refining, ricnsmart
#[arg(short, long)] #[arg(short, long)]
namespace: String, namespace: String,
/// Kind of record (server, service, key, ...) /// Kind of record: server, service, key, ...
#[arg(long)] #[arg(long)]
kind: String, kind: String,
/// Human-readable name /// Human-readable unique name, e.g. gitea, i-uf63f2uookgs5uxmrdyc
#[arg(long)] #[arg(long)]
name: String, name: String,
/// Tags for categorization (repeatable) /// Tag for categorization (repeatable), e.g. --tag aliyun --tag hongkong
#[arg(long = "tag")] #[arg(long = "tag")]
tags: Vec<String>, tags: Vec<String>,
/// Plaintext metadata entry: key=value (repeatable, key=@file reads from file) /// Plaintext metadata: key=value (repeatable; value=@file reads from file)
#[arg(long = "meta", short = 'm')] #[arg(long = "meta", short = 'm')]
meta: Vec<String>, meta: Vec<String>,
/// Secret entry: key=value (repeatable, key=@file reads from file) /// Secret entry: key=value (repeatable; value=@file reads from file)
#[arg(long = "secret", short = 's')] #[arg(long = "secret", short = 's')]
secrets: Vec<String>, secrets: Vec<String>,
/// Output format: text (default on TTY), json, json-compact, env
#[arg(short, long = "output")]
output: Option<String>,
}, },
/// Search records /// Search / read records. This is the primary read command for AI agents.
///
/// Supports fuzzy search (-q), exact lookup (--name), field extraction (-f),
/// summary view (--summary), pagination (--limit / --offset), and structured
/// output (-o json / json-compact / env). When stdout is not a TTY, output
/// defaults to json-compact automatically.
#[command(after_help = "EXAMPLES:
# Discover all records (summary, safe default limit)
secrets search --summary --limit 20
# Filter by namespace and kind
secrets search -n refining --kind service
# Exact lookup — returns 0 or 1 record
secrets search -n refining --kind service --name gitea
# Fuzzy keyword search (matches name, namespace, kind, tags, metadata)
secrets search -q mqtt
# Extract a single field value (implies --show-secrets for secret.*)
secrets search -n refining --kind service --name gitea -f secret.token
secrets search -n refining --kind service --name gitea -f metadata.url
# Multiple fields at once
secrets search -n refining --kind service --name gitea \\
-f metadata.url -f metadata.default_org -f secret.token
# Full JSON output with secrets revealed (ideal for AI parsing)
secrets search -n refining --kind service --name gitea -o json --show-secrets
# Export as env vars (source-able; single record only)
secrets search -n refining --kind service --name gitea -o env --show-secrets
# Paginate large result sets
secrets search -n refining --summary --limit 10 --offset 0
secrets search -n refining --summary --limit 10 --offset 10
# Sort by most recently updated
secrets search --sort updated --limit 5 --summary
# Non-TTY / pipe: output is json-compact by default
secrets search -n refining --kind service | jq '.[].name'
secrets search -n refining --kind service --name gitea --show-secrets | jq '.secrets.token'")]
Search { Search {
/// Filter by namespace /// Filter by namespace, e.g. refining, ricnsmart
#[arg(short, long)] #[arg(short, long)]
namespace: Option<String>, namespace: Option<String>,
/// Filter by kind /// Filter by kind, e.g. server, service
#[arg(long)] #[arg(long)]
kind: Option<String>, kind: Option<String>,
/// Filter by tag /// Exact name filter, e.g. gitea, i-uf63f2uookgs5uxmrdyc
#[arg(long)]
name: Option<String>,
/// Filter by tag, e.g. --tag aliyun
#[arg(long)] #[arg(long)]
tag: Option<String>, tag: Option<String>,
/// Search by keyword (matches name, namespace, kind) /// Fuzzy keyword (matches name, namespace, kind, tags, metadata text)
#[arg(short, long)] #[arg(short, long)]
query: Option<String>, query: Option<String>,
/// Reveal encrypted secret values /// Reveal encrypted secret values in output
#[arg(long)] #[arg(long)]
show_secrets: bool, show_secrets: bool,
/// Extract field value(s) directly: metadata.<key> or secret.<key> (repeatable)
#[arg(short = 'f', long = "field")]
fields: Vec<String>,
/// Return lightweight summary only (namespace, kind, name, tags, desc, updated_at)
#[arg(long)]
summary: bool,
/// Maximum number of records to return [default: 50]
#[arg(long, default_value = "50")]
limit: u32,
/// Skip this many records (for pagination)
#[arg(long, default_value = "0")]
offset: u32,
/// Sort order: name (default), updated, created
#[arg(long, default_value = "name")]
sort: String,
/// Output format: text (default on TTY), json, json-compact, env
#[arg(short, long = "output")]
output: Option<String>,
}, },
/// Delete a record /// Delete a record permanently. Requires exact namespace + kind + name.
#[command(after_help = "EXAMPLES:
# Delete a service credential
secrets delete -n refining --kind service --name legacy-mqtt
# Delete a server record
secrets delete -n ricnsmart --kind server --name i-old-server-id")]
Delete { Delete {
/// Namespace /// Namespace, e.g. refining
#[arg(short, long)] #[arg(short, long)]
namespace: String, namespace: String,
/// Kind /// Kind, e.g. server, service
#[arg(long)] #[arg(long)]
kind: String, kind: String,
/// Name /// Exact name of the record to delete
#[arg(long)] #[arg(long)]
name: String, name: String,
}, },
/// Incrementally update an existing record (merge semantics) /// Incrementally update an existing record (merge semantics; record must exist).
///
/// Only the fields you pass are changed — everything else is preserved.
/// Use --add-tag / --remove-tag to modify tags without touching other fields.
#[command(after_help = "EXAMPLES:
# Update a single metadata field (all other fields unchanged)
secrets update -n refining --kind server --name my-server -m ip=10.0.0.1
# Rotate a secret token
secrets update -n refining --kind service --name gitea -s token=<new-token>
# Add a tag and rotate password at the same time
secrets update -n refining --kind service --name gitea \\
--add-tag production -s token=<new-token>
# Remove a deprecated metadata field and a stale secret key
secrets update -n refining --kind service --name mqtt \\
--remove-meta old_port --remove-secret old_password
# Remove a tag
secrets update -n refining --kind service --name gitea --remove-tag staging")]
Update { Update {
/// Namespace (e.g. refining, ricnsmart) /// Namespace, e.g. refining, ricnsmart
#[arg(short, long)] #[arg(short, long)]
namespace: String, namespace: String,
/// Kind of record (server, service, key, ...) /// Kind of record: server, service, key, ...
#[arg(long)] #[arg(long)]
kind: String, kind: String,
/// Human-readable name /// Human-readable unique name
#[arg(long)] #[arg(long)]
name: String, name: String,
/// Add a tag (repeatable) /// Add a tag (repeatable; does not affect existing tags)
#[arg(long = "add-tag")] #[arg(long = "add-tag")]
add_tags: Vec<String>, add_tags: Vec<String>,
/// Remove a tag (repeatable) /// Remove a tag (repeatable)
@@ -103,18 +227,27 @@ enum Commands {
/// Set or overwrite a metadata field: key=value (repeatable, @file supported) /// Set or overwrite a metadata field: key=value (repeatable, @file supported)
#[arg(long = "meta", short = 'm')] #[arg(long = "meta", short = 'm')]
meta: Vec<String>, meta: Vec<String>,
/// Remove a metadata field by key (repeatable) /// Delete a metadata field by key (repeatable)
#[arg(long = "remove-meta")] #[arg(long = "remove-meta")]
remove_meta: Vec<String>, remove_meta: Vec<String>,
/// Set or overwrite a secret field: key=value (repeatable, @file supported) /// Set or overwrite a secret field: key=value (repeatable, @file supported)
#[arg(long = "secret", short = 's')] #[arg(long = "secret", short = 's')]
secrets: Vec<String>, secrets: Vec<String>,
/// Remove a secret field by key (repeatable) /// Delete a secret field by key (repeatable)
#[arg(long = "remove-secret")] #[arg(long = "remove-secret")]
remove_secrets: Vec<String>, remove_secrets: Vec<String>,
}, },
/// Manage CLI configuration (database connection, etc.) /// Manage CLI configuration (database connection, etc.)
#[command(after_help = "EXAMPLES:
# Configure the database URL (run once per device; persisted to config file)
secrets config set-db \"postgres://postgres:<password>@<host>:<port>/secrets\"
# Show current config (password is masked)
secrets config show
# Print path to the config file
secrets config path")]
Config { Config {
#[command(subcommand)] #[command(subcommand)]
action: ConfigAction, action: ConfigAction,
@@ -125,12 +258,12 @@ enum Commands {
enum ConfigAction { enum ConfigAction {
/// Save database URL to config file (~/.config/secrets/config.toml) /// Save database URL to config file (~/.config/secrets/config.toml)
SetDb { SetDb {
/// PostgreSQL connection string /// PostgreSQL connection string, e.g. postgres://user:pass@<host>:<port>/dbname
url: String, url: String,
}, },
/// Show current configuration /// Show current configuration (password masked)
Show, Show,
/// Print path to config file /// Print path to the config file
Path, Path,
} }
@@ -172,26 +305,59 @@ async fn main() -> Result<()> {
tags, tags,
meta, meta,
secrets, secrets,
output,
} => { } => {
let _span = let _span =
tracing::info_span!("cmd", command = "add", %namespace, %kind, %name).entered(); tracing::info_span!("cmd", command = "add", %namespace, %kind, %name).entered();
commands::add::run(&pool, namespace, kind, name, tags, meta, secrets).await?; let out = resolve_output_mode(output.as_deref())?;
commands::add::run(
&pool,
commands::add::AddArgs {
namespace,
kind,
name,
tags,
meta_entries: meta,
secret_entries: secrets,
output: out,
},
)
.await?;
} }
Commands::Search { Commands::Search {
namespace, namespace,
kind, kind,
name,
tag, tag,
query, query,
show_secrets, show_secrets,
fields,
summary,
limit,
offset,
sort,
output,
} => { } => {
let _span = tracing::info_span!("cmd", command = "search").entered(); let _span = tracing::info_span!("cmd", command = "search").entered();
// -f implies --show-secrets when any field path starts with "secret"
let show = *show_secrets || fields.iter().any(|f| f.starts_with("secret"));
let out = resolve_output_mode(output.as_deref())?;
commands::search::run( commands::search::run(
&pool, &pool,
namespace.as_deref(), commands::search::SearchArgs {
kind.as_deref(), namespace: namespace.as_deref(),
tag.as_deref(), kind: kind.as_deref(),
query.as_deref(), name: name.as_deref(),
*show_secrets, tag: tag.as_deref(),
query: query.as_deref(),
show_secrets: show,
fields,
summary: *summary,
limit: *limit,
offset: *offset,
sort,
output: out,
},
) )
.await?; .await?;
} }
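Review bot: The implicit reveal `let show = *show_secrets || fields.iter().any(|f| f.starts_with("secret"));` is a prefix test on the whole path, so it fires for any path that merely begins with those letters and misses the `encrypted.` section that `extract_field` also accepts; match the section exactly, `let show = *show_secrets || fields.iter().any(|f| matches!(f.split_once('.').map(|(s, _)| s), Some("secret" | "secrets" | "encrypted")));`. As far as the search.rs hunks in this compare show, `print_fields`/`extract_field` read `row.encrypted` without ever consulting `show_secrets`, so this derived flag only influences the non-`-f` output paths; if `-f secret.*` is meant to be the sole implicit opt-in for revealing values, the gate belongs in `extract_field` (refuse the `secret`/`encrypted` sections unless `show_secrets` is set) rather than here, and the help line "implies --show-secrets for secret.*" should describe what is actually enforced. Separately, `sort: String` accepts any value and the query builder silently falls back to name order for unknown ones; constrain it at parse time with `#[arg(long, default_value = "name", value_parser = ["name", "updated", "created"])]` so a typo is reported instead of ignored. The `main` body containing this match arm starts and ends outside the hunk.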

47
src/output.rs Normal file

@@ -0,0 +1,47 @@
use std::io::IsTerminal;
use std::str::FromStr;
/// Output format for all commands.
#[derive(Debug, Clone, Default, PartialEq)]
pub enum OutputMode {
/// Human-readable text (default when stdout is a TTY)
#[default]
Text,
/// Pretty-printed JSON
Json,
/// Single-line JSON (default when stdout is NOT a TTY, e.g. piped to jq)
JsonCompact,
/// KEY=VALUE pairs suitable for `source` or `.env` files
Env,
}
impl FromStr for OutputMode {
type Err = anyhow::Error;
fn from_str(s: &str) -> Result<Self, Self::Err> {
match s {
"text" => Ok(Self::Text),
"json" => Ok(Self::Json),
"json-compact" => Ok(Self::JsonCompact),
"env" => Ok(Self::Env),
other => Err(anyhow::anyhow!(
"Unknown output format '{}'. Valid: text, json, json-compact, env",
other
)),
}
}
}
/// Resolve the effective output mode.
/// - Explicit value from `--output` takes priority.
/// - TTY → text; non-TTY (piped/redirected) → json-compact.
pub fn resolve_output_mode(explicit: Option<&str>) -> anyhow::Result<OutputMode> {
if let Some(s) = explicit {
return s.parse();
}
if std::io::stdout().is_terminal() {
Ok(OutputMode::Text)
} else {
Ok(OutputMode::JsonCompact)
}
}
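Review bot: The doc comment on `Env` promises output "suitable for `source` or `.env` files", but the producer shown earlier in this compare (`print_env`) writes `println!("{}={}", key, value)` with no quoting, so a value containing a space, `#`, `$`, a quote or a newline is split, expanded or truncated when the output is sourced, and a secret value can end up partially set or interpreted by the shell. Either quote each value before printing, e.g. `fn shell_quote(v: &str) -> String { format!("'{}'", v.replace('\'', "'\\''")) }`, or narrow the doc to `/// KEY=VALUE pairs, one per line (values are printed verbatim, not shell-quoted)`. The key derivation there only rewrites `-` and `.`, so a record name or key with other punctuation yields an identifier `source` rejects; that limit is worth a sentence in the same doc. Minor: `OutputMode` is a fieldless enum, so `#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]` lets `SearchArgs` and callers pass it by value without `.clone()`.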