refining/secrets
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 61 Wiki Activity

Compare commits

base: refining:secrets-0.6.1
Branches Tags
refining:main refining:cli
refining:secrets-mcp-0.5.17 refining:secrets-mcp-0.5.16 refining:secrets-mcp-0.5.15 refining:secrets-mcp-0.5.14 refining:secrets-mcp-0.5.13 refining:secrets-mcp-0.5.12 refining:secrets-mcp-0.5.11 refining:secrets-mcp-0.5.10 refining:secrets-mcp-0.5.9 refining:secrets-mcp-0.5.8 refining:secrets-mcp-0.5.7 refining:secrets-mcp-0.5.6 refining:secrets-mcp-0.5.5 refining:secrets-mcp-0.5.4 refining:secrets-mcp-0.5.2 refining:secrets-mcp-0.5.1 refining:secrets-mcp-0.5.0 refining:secrets-mcp-0.4.0 refining:secrets-mcp-0.3.9 refining:secrets-mcp-0.3.8 refining:secrets-mcp-0.3.7 refining:secrets-mcp-0.3.6 refining:secrets-mcp-0.3.4 refining:secrets-mcp-0.3.2 refining:secrets-mcp-0.3.1 refining:secrets-mcp-0.3.0 refining:secrets-mcp-0.2.2 refining:secrets-mcp-0.2.1 refining:secrets-mcp-0.2.0 refining:secrets-mcp-0.1.11 refining:secrets-mcp-0.1.10 refining:secrets-mcp-0.1.9 refining:secrets-mcp-0.1.8 refining:secrets-mcp-0.1.7 refining:secrets-mcp-0.1.6 refining:secrets-mcp-0.1.5 refining:secrets-mcp-0.1.4 refining:secrets-mcp-0.1.3 refining:secrets-mcp-0.1.2 refining:secrets-mcp-0.1.1 refining:secrets-mcp-0.1.0 refining:secrets-0.9.6 refining:secrets-0.9.5 refining:secrets-0.9.4 refining:secrets-0.9.3 refining:secrets-0.9.1 refining:secrets-0.9.0 refining:secrets-0.8.0 refining:secrets-0.7.5 refining:secrets-0.7.4 refining:secrets-0.7.3 refining:secrets-0.7.2 refining:secrets-0.7.1 refining:secrets-0.7.0 refining:secrets-0.6.1 refining:secrets-0.6.0 refining:secrets-0.5.0 refining:secrets-0.4.0 refining:secrets-0.3.0 refining:secrets-0.2.0 refining:secrets-0.1.0 refining:secrets-mcp-0.3.3
...
compare: refining:secrets-0.7.3
Branches Tags
refining:main refining:cli
refining:secrets-mcp-0.5.17 refining:secrets-mcp-0.5.16 refining:secrets-mcp-0.5.15 refining:secrets-mcp-0.5.14 refining:secrets-mcp-0.5.13 refining:secrets-mcp-0.5.12 refining:secrets-mcp-0.5.11 refining:secrets-mcp-0.5.10 refining:secrets-mcp-0.5.9 refining:secrets-mcp-0.5.8 refining:secrets-mcp-0.5.7 refining:secrets-mcp-0.5.6 refining:secrets-mcp-0.5.5 refining:secrets-mcp-0.5.4 refining:secrets-mcp-0.5.2 refining:secrets-mcp-0.5.1 refining:secrets-mcp-0.5.0 refining:secrets-mcp-0.4.0 refining:secrets-mcp-0.3.9 refining:secrets-mcp-0.3.8 refining:secrets-mcp-0.3.7 refining:secrets-mcp-0.3.6 refining:secrets-mcp-0.3.4 refining:secrets-mcp-0.3.2 refining:secrets-mcp-0.3.1 refining:secrets-mcp-0.3.0 refining:secrets-mcp-0.2.2 refining:secrets-mcp-0.2.1 refining:secrets-mcp-0.2.0 refining:secrets-mcp-0.1.11 refining:secrets-mcp-0.1.10 refining:secrets-mcp-0.1.9 refining:secrets-mcp-0.1.8 refining:secrets-mcp-0.1.7 refining:secrets-mcp-0.1.6 refining:secrets-mcp-0.1.5 refining:secrets-mcp-0.1.4 refining:secrets-mcp-0.1.3 refining:secrets-mcp-0.1.2 refining:secrets-mcp-0.1.1 refining:secrets-mcp-0.1.0 refining:secrets-0.9.6 refining:secrets-0.9.5 refining:secrets-0.9.4 refining:secrets-0.9.3 refining:secrets-0.9.1 refining:secrets-0.9.0 refining:secrets-0.8.0 refining:secrets-0.7.5 refining:secrets-0.7.4 refining:secrets-0.7.3 refining:secrets-0.7.2 refining:secrets-0.7.1 refining:secrets-0.7.0 refining:secrets-0.6.1 refining:secrets-0.6.0 refining:secrets-0.5.0 refining:secrets-0.4.0 refining:secrets-0.3.0 refining:secrets-0.2.0 refining:secrets-0.1.0 refining:secrets-mcp-0.3.3

9 Commits
secrets-0. ... secrets-0.

Author SHA1 Message Date
voson
5a5867adc1 chore: local timezone in text output, search metadata-only, bump 0.7.3
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 3s
Details
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 2m15s
Details
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m50s
Details
Secrets CLI - Build & Release / Build (macOS aarch64 + x86_64) (push) Successful in 44s
Details
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Details
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Details 
Made-with: Cursor
 2026-03-19 12:24:20 +08:00
voson
4ddafbe4b6 chore: remove dead code, bump to 0.7.2
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 3s
Details
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m49s
Details
Secrets CLI - Build & Release / Build (macOS aarch64 + x86_64) (push) Successful in 43s
Details
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 1m2s
Details
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Details
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Details 
- Remove unused delete_master_key from crypto.rs
- Remove unused audit::log from audit.rs
- Simplify HistoryRow in rollback.rs (drop unused namespace/kind/name)
- Update AGENTS.md: audit::log → audit::log_tx

Made-with: Cursor
 2026-03-19 11:43:01 +08:00
voson
6ea9f0861b chore: bump to 0.7.1, workflow/readme/init/upgrade updates, fix clippy needless_borrows
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 3s
Details
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m47s
Details
Secrets CLI - Build & Release / Build (macOS aarch64 + x86_64) (push) Successful in 48s
Details
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 1m2s
Details
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Details
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Details 
Made-with: Cursor
 2026-03-19 11:34:10 +08:00
voson
3973295d6a chore(release): enforce version bump checks 
Fail fast when a release tag already exists, and add a local release-check script so version mistakes are caught before commit and publish.

Made-with: Cursor
 2026-03-19 11:17:23 +08:00
voson
c371da95c3 chore: bump version to 0.7.0 for upgrade feature
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 3s
Details
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 2m39s
Details
Secrets CLI - Build & Release / Build (macOS aarch64 + x86_64) (push) Successful in 2m11s
Details
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 2m17s
Details
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Details
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Details 
Made-with: Cursor
 2026-03-19 11:06:59 +08:00
voson
baad623efe feat(upgrade): SHA-256校验、Intel mac 交叉编译、全平台后发布
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 2s
Details
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Has been cancelled
Details
Secrets CLI - Build & Release / Build (macOS aarch64 + x86_64) (push) Has been cancelled
Details
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Details
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Details
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Has been cancelled
Details 
- upgrade: 下载后校验 .sha256 摘要再安装
- workflow: ARM mac 同时产出 aarch64/x86_64 双架构,补全 Intel mac 产物
- workflow: 各平台上传主资产及 .sha256,Linux/macOS/Windows 全成功才发布 Release
- upgrade: 补充 parse_tag_version、parse_checksum_file、extract_from_targz 单元测试
- docs: README/AGENTS 同步 upgrade 与平台说明

Made-with: Cursor
 2026-03-19 11:06:10 +08:00
voson
2da7aab3e5 feat(upgrade): add self-update command from Gitea Release
Some checks failed
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Has been cancelled
Details
Secrets CLI - Build & Release / Build (aarch64-apple-darwin) (push) Has been cancelled
Details
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Details
Secrets CLI - Build & Release / 发布草稿 Release (push) Has been cancelled
Details
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 2s
Details
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Has been cancelled
Details 
- Add secrets upgrade command: --check to verify, default to download and replace binary
- No database or master key required
- Support tar.gz and zip artifacts from Gitea Release

Made-with: Cursor
 2026-03-19 11:01:43 +08:00
voson
fcac14a8c4 docs(AGENTS): clarify version bump must update Cargo.lock too 
Made-with: Cursor
 2026-03-19 10:41:49 +08:00
voson
ff79a3a9cc chore: sync Cargo.lock for 0.6.1
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 2s
Details
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m40s
Details
Secrets CLI - Build & Release / Build (aarch64-apple-darwin) (push) Successful in 34s
Details
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 51s
Details
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Details
Secrets CLI - Build & Release / 发布草稿 Release (push) Successful in 2s
Details 
Made-with: Cursor
 2026-03-19 10:40:30 +08:00
19 changed files with 1363 additions and 229 deletions
Expand all files Collapse all files

77
.gitea/workflows/secrets.yml
View File

@@ -7,7 +7,6 @@ on:
- 'src/**' - 'src/**'
- 'Cargo.toml' - 'Cargo.toml'
- 'Cargo.lock' - 'Cargo.lock'
- '.gitea/workflows/secrets.yml'
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
@@ -56,6 +55,13 @@ jobs:
echo "将创建新版本 ${tag}" echo "将创建新版本 ${tag}"
fi fi
- name: 严格拦截重复版本
if: steps.ver.outputs.tag_exists == 'true'
run: |
echo "错误: 版本 ${{ steps.ver.outputs.tag }} 已存在,禁止重复发版。"
echo "请先 bump Cargo.toml 中的 version并执行 cargo build 同步 Cargo.lock。"
exit 1
- name: 创建 Tag - name: 创建 Tag
if: steps.ver.outputs.tag_exists == 'false' if: steps.ver.outputs.tag_exists == 'false'
run: | run: |
@@ -204,9 +210,13 @@ jobs:
bin="target/x86_64-unknown-linux-musl/release/${{ env.BINARY_NAME }}" bin="target/x86_64-unknown-linux-musl/release/${{ env.BINARY_NAME }}"
archive="${{ env.BINARY_NAME }}-${tag}-x86_64-linux-musl.tar.gz" archive="${{ env.BINARY_NAME }}-${tag}-x86_64-linux-musl.tar.gz"
tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")" tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")"
sha256sum "$archive" > "${archive}.sha256"
curl -fsS -H "Authorization: token $RELEASE_TOKEN" \ curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
-F "attachment=@${archive}" \ -F "attachment=@${archive}" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets" "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
-F "attachment=@${archive}.sha256" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
- name: 飞书通知 - name: 飞书通知
if: always() if: always()
@@ -229,7 +239,7 @@ jobs:
curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL" curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
build-macos: build-macos:
name: Build (aarch64-apple-darwin) name: Build (macOS aarch64 + x86_64)
needs: [version, check] needs: [version, check]
runs-on: darwin-arm64 runs-on: darwin-arm64
timeout-minutes: 15 timeout-minutes: 15
@@ -241,6 +251,7 @@ jobs:
fi fi
source "$HOME/.cargo/env" 2>/dev/null || true source "$HOME/.cargo/env" 2>/dev/null || true
rustup target add aarch64-apple-darwin rustup target add aarch64-apple-darwin
rustup target add x86_64-apple-darwin
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH" echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -253,12 +264,14 @@ jobs:
~/.cargo/registry/cache ~/.cargo/registry/cache
~/.cargo/git/db ~/.cargo/git/db
target target
key: cargo-aarch64-apple-darwin-${{ hashFiles('Cargo.lock') }} key: cargo-macos-${{ hashFiles('Cargo.lock') }}
restore-keys: | restore-keys: |
cargo-aarch64-apple-darwin- cargo-macos-
- run: cargo build --release --locked --target aarch64-apple-darwin - run: cargo build --release --locked --target aarch64-apple-darwin
- run: cargo build --release --locked --target x86_64-apple-darwin
- run: strip -x target/aarch64-apple-darwin/release/${{ env.BINARY_NAME }} - run: strip -x target/aarch64-apple-darwin/release/${{ env.BINARY_NAME }}
- run: strip -x target/x86_64-apple-darwin/release/${{ env.BINARY_NAME }}
- name: 上传 Release 产物 - name: 上传 Release 产物
if: needs.version.outputs.release_id != '' if: needs.version.outputs.release_id != ''
@@ -267,12 +280,29 @@ jobs:
run: | run: |
[ -z "$RELEASE_TOKEN" ] && exit 0 [ -z "$RELEASE_TOKEN" ] && exit 0
tag="${{ needs.version.outputs.tag }}" tag="${{ needs.version.outputs.tag }}"
bin="target/aarch64-apple-darwin/release/${{ env.BINARY_NAME }}" release_id="${{ needs.version.outputs.release_id }}"
archive="${{ env.BINARY_NAME }}-${tag}-aarch64-macos.tar.gz"
tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")" arm_bin="target/aarch64-apple-darwin/release/${{ env.BINARY_NAME }}"
arm_archive="${{ env.BINARY_NAME }}-${tag}-aarch64-macos.tar.gz"
tar -czf "$arm_archive" -C "$(dirname "$arm_bin")" "$(basename "$arm_bin")"
shasum -a 256 "$arm_archive" > "${arm_archive}.sha256"
curl -fsS -H "Authorization: token $RELEASE_TOKEN" \ curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
-F "attachment=@${archive}" \ -F "attachment=@${arm_archive}" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets" "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${release_id}/assets"
curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
-F "attachment=@${arm_archive}.sha256" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${release_id}/assets"
intel_bin="target/x86_64-apple-darwin/release/${{ env.BINARY_NAME }}"
intel_archive="${{ env.BINARY_NAME }}-${tag}-x86_64-macos.tar.gz"
tar -czf "$intel_archive" -C "$(dirname "$intel_bin")" "$(basename "$intel_bin")"
shasum -a 256 "$intel_archive" > "${intel_archive}.sha256"
curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
-F "attachment=@${intel_archive}" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${release_id}/assets"
curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
-F "attachment=@${intel_archive}.sha256" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${release_id}/assets"
- name: 飞书通知 - name: 飞书通知
if: always() if: always()
@@ -285,8 +315,9 @@ jobs:
url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}" url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
result="${{ job.status }}" result="${{ job.status }}"
if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
msg="secrets macOS 构建${icon} msg="secrets macOS 双架构构建${icon}
版本:${tag} 版本:${tag}
目标aarch64-apple-darwin, x86_64-apple-darwin
提交:${commit} 提交:${commit}
作者:${{ github.actor }} 作者:${{ github.actor }}
详情:${url}" 详情:${url}"
@@ -302,11 +333,14 @@ jobs:
- name: 安装依赖 - name: 安装依赖
shell: pwsh shell: pwsh
run: | run: |
$cargoBin = Join-Path $env:USERPROFILE ".cargo\bin"
if (-not (Get-Command cargo -ErrorAction SilentlyContinue)) { if (-not (Get-Command cargo -ErrorAction SilentlyContinue)) {
Invoke-WebRequest -Uri "https://win.rustup.rs/x86_64" -OutFile rustup-init.exe Invoke-WebRequest -Uri "https://win.rustup.rs/x86_64" -OutFile rustup-init.exe
.\rustup-init.exe -y --default-toolchain stable .\rustup-init.exe -y --default-toolchain stable
Remove-Item rustup-init.exe Remove-Item rustup-init.exe
} }
$env:Path = "$cargoBin;$env:Path"
Add-Content -Path $env:GITHUB_PATH -Value $cargoBin
rustup target add x86_64-pc-windows-msvc rustup target add x86_64-pc-windows-msvc
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -338,10 +372,15 @@ jobs:
$bin = "target\x86_64-pc-windows-msvc\release\${{ env.BINARY_NAME }}.exe" $bin = "target\x86_64-pc-windows-msvc\release\${{ env.BINARY_NAME }}.exe"
$archive = "${{ env.BINARY_NAME }}-${tag}-x86_64-windows.zip" $archive = "${{ env.BINARY_NAME }}-${tag}-x86_64-windows.zip"
Compress-Archive -Path $bin -DestinationPath $archive -Force Compress-Archive -Path $bin -DestinationPath $archive -Force
$hash = (Get-FileHash -Algorithm SHA256 $archive).Hash.ToLower()
Set-Content -Path "${archive}.sha256" -Value "$hash $archive" -NoNewline
$url = "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets" $url = "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
Invoke-RestMethod -Uri $url -Method Post ` Invoke-RestMethod -Uri $url -Method Post `
-Headers @{ "Authorization" = "token $env:RELEASE_TOKEN" } ` -Headers @{ "Authorization" = "token $env:RELEASE_TOKEN" } `
-Form @{ attachment = Get-Item $archive } -Form @{ attachment = Get-Item $archive }
Invoke-RestMethod -Uri $url -Method Post `
-Headers @{ "Authorization" = "token $env:RELEASE_TOKEN" } `
-Form @{ attachment = Get-Item "${archive}.sha256" }
- name: 飞书通知 - name: 飞书通知
if: always() if: always()
@@ -362,7 +401,7 @@ jobs:
publish-release: publish-release:
name: 发布草稿 Release name: 发布草稿 Release
needs: [version, build-linux] needs: [version, build-linux, build-macos, build-windows]
if: always() && needs.version.outputs.release_id != '' if: always() && needs.version.outputs.release_id != ''
runs-on: debian runs-on: debian
timeout-minutes: 5 timeout-minutes: 5
@@ -376,8 +415,11 @@ jobs:
[ -z "$RELEASE_TOKEN" ] && exit 0 [ -z "$RELEASE_TOKEN" ] && exit 0
linux_r="${{ needs.build-linux.result }}" linux_r="${{ needs.build-linux.result }}"
if [ "$linux_r" != "success" ]; then macos_r="${{ needs.build-macos.result }}"
echo "Linux 构建未成功 (${linux_r}),保留草稿 Release" windows_r="${{ needs.build-windows.result }}"
if [ "$linux_r" != "success" ] || [ "$macos_r" != "success" ] || [ "$windows_r" != "success" ]; then
echo "存在未成功的构建任务,保留草稿 Release"
echo "linux=${linux_r} macos=${macos_r} windows=${windows_r}"
exit 0 exit 0
fi fi
@@ -408,15 +450,16 @@ jobs:
commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A") commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}" url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
check_r="${{ needs.version.result }}"
linux_r="${{ needs.build-linux.result }}" linux_r="${{ needs.build-linux.result }}"
macos_r="${{ needs.build-macos.result }}"
windows_r="${{ needs.build-windows.result }}"
publish_r="${{ job.status }}" publish_r="${{ job.status }}"
icon() { case "$1" in success) echo "✅";; skipped) echo "⏭";; *) echo "❌";; esac; } icon() { case "$1" in success) echo "✅";; skipped) echo "⏭";; *) echo "❌";; esac; }
if [ "$linux_r" = "success" ] && [ "$publish_r" = "success" ]; then if [ "$linux_r" = "success" ] && [ "$macos_r" = "success" ] && [ "$windows_r" = "success" ] && [ "$publish_r" = "success" ]; then
status="发布成功 ✅" status="发布成功 ✅"
elif [ "$linux_r" != "success" ]; then elif [ "$linux_r" != "success" ] || [ "$macos_r" != "success" ] || [ "$windows_r" != "success" ]; then
status="构建失败 ❌" status="构建失败 ❌"
else else
status="发布失败 ❌" status="发布失败 ❌"
@@ -430,7 +473,7 @@ jobs:
msg="secrets ${status} msg="secrets ${status}
${version_line} ${version_line}
linux $(icon "$linux_r") | Release $(icon "$publish_r") linux $(icon "$linux_r") | macOS $(icon "$macos_r") | windows $(icon "$windows_r") | Release $(icon "$publish_r")
提交:${commit} 提交:${commit}
作者:${{ github.actor }} 作者:${{ github.actor }}
详情:${url}" 详情:${url}"

8
.vscode/tasks.json vendored
View File

@@ -104,9 +104,9 @@
"dependsOn": "build" "dependsOn": "build"
}, },
{ {
"label": "test: search with secrets revealed", "label": "test: inject service secrets",
"type": "shell", "type": "shell",
"command": "./target/debug/secrets search -n refining --kind service --show-secrets", "command": "./target/debug/secrets inject -n refining --kind service --name gitea",
"dependsOn": "build" "dependsOn": "build"
}, },
{ {
@@ -118,7 +118,7 @@
{ {
"label": "test: add + delete roundtrip", "label": "test: add + delete roundtrip",
"type": "shell", "type": "shell",
"command": "echo '--- add ---' && ./target/debug/secrets add -n test --kind demo --name roundtrip-test --tag test -m foo=bar -s password=secret123 && echo '--- search ---' && ./target/debug/secrets search -n test --show-secrets && echo '--- delete ---' && ./target/debug/secrets delete -n test --kind demo --name roundtrip-test && echo '--- verify deleted ---' && ./target/debug/secrets search -n test", "command": "echo '--- add ---' && ./target/debug/secrets add -n test --kind demo --name roundtrip-test --tag test -m foo=bar -s password=secret123 && echo '--- search metadata ---' && ./target/debug/secrets search -n test && echo '--- inject secrets ---' && ./target/debug/secrets inject -n test --kind demo --name roundtrip-test && echo '--- delete ---' && ./target/debug/secrets delete -n test --kind demo --name roundtrip-test && echo '--- verify deleted ---' && ./target/debug/secrets search -n test",
"dependsOn": "build" "dependsOn": "build"
}, },
{ {
@@ -142,7 +142,7 @@
{ {
"label": "test: add with file secret", "label": "test: add with file secret",
"type": "shell", "type": "shell",
"command": "echo '--- add key from file ---' && ./target/debug/secrets add -n test --kind key --name test-key --tag test -s content=@./refining/keys/Vultr && echo '--- verify ---' && ./target/debug/secrets search -n test --kind key --show-secrets && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind key --name test-key", "command": "echo '--- add key from file ---' && ./target/debug/secrets add -n test --kind key --name test-key --tag test -s content=@./refining/keys/Vultr && echo '--- verify metadata ---' && ./target/debug/secrets search -n test --kind key && echo '--- verify inject ---' && ./target/debug/secrets inject -n test --kind key --name test-key && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind key --name test-key",
"dependsOn": "build" "dependsOn": "build"
} }
] ]

66
AGENTS.md
View File

@@ -1,5 +1,12 @@
# Secrets CLI — AGENTS.md # Secrets CLI — AGENTS.md
## 提交 / 发版硬规则(优先于下文其他说明)
1. 涉及 `src/**``Cargo.toml``Cargo.lock`、CLI 行为变更的提交,默认视为**需要发版**,除非用户明确说明“本次不发版”。
2. 发版前必须先检查 `Cargo.toml` 中的 `version`,再检查是否已存在对应 tag`git tag -l 'secrets-*'`
3. 若当前版本对应 tag 已存在,必须先 bump `Cargo.toml``version`,再执行 `cargo build` 同步 `Cargo.lock`,然后才能提交。
4. 提交前优先运行 `./scripts/release-check.sh`;该脚本会检查重复版本并执行 `cargo fmt -- --check && cargo clippy --locked -- -D warnings && cargo test --locked`
跨设备密钥与配置管理 CLI 工具,将 refining / ricnsmart 两个项目的服务器信息、服务凭据存储到 PostgreSQL 18供 AI 工具读取上下文。敏感数据encrypted 字段)使用 AES-256-GCM 加密,主密钥由 Argon2id 从主密码派生并存入平台安全存储macOS Keychain / Windows Credential Manager / Linux keyutils 跨设备密钥与配置管理 CLI 工具,将 refining / ricnsmart 两个项目的服务器信息、服务凭据存储到 PostgreSQL 18供 AI 工具读取上下文。敏感数据encrypted 字段)使用 AES-256-GCM 加密,主密钥由 Argon2id 从主密码派生并存入平台安全存储macOS Keychain / Windows Credential Manager / Linux keyutils
## 项目结构 ## 项目结构
@@ -23,7 +30,9 @@ secrets/
update.rs # update 命令增量更新CAS 并发保护,含历史快照 update.rs # update 命令增量更新CAS 并发保护,含历史快照
rollback.rs # rollback / history 命令:版本回滚与历史查看 rollback.rs # rollback / history 命令:版本回滚与历史查看
run.rs # inject / run 命令:临时环境变量注入 run.rs # inject / run 命令:临时环境变量注入
upgrade.rs # upgrade 命令:检查、校验摘要并下载最新版本,自动替换二进制
scripts/ scripts/
release-check.sh # 发版前检查版本号/tag 是否重复,并执行 fmt/clippy/test
setup-gitea-actions.sh # 配置 Gitea Actions 变量与 Secrets setup-gitea-actions.sh # 配置 Gitea Actions 变量与 Secrets
.gitea/workflows/ .gitea/workflows/
secrets.yml # CIfmt + clippy + musl 构建 + Release 上传 + 飞书通知 secrets.yml # CIfmt + clippy + musl 构建 + Release 上传 + 飞书通知
@@ -167,8 +176,8 @@ secrets init
# --name gitea | i-uf63f2uookgs5uxmrdyc | mqtt # --name gitea | i-uf63f2uookgs5uxmrdyc | mqtt
# --tag aliyun | hongkong | production # --tag aliyun | hongkong | production
# -q / --query mqtt | grafana | gitea (模糊匹配 name/namespace/kind/tags/metadata # -q / --query mqtt | grafana | gitea (模糊匹配 name/namespace/kind/tags/metadata
# --show-secrets 不带值的 flag显示 encrypted 字段内容 # --show-secrets 已弃用search 不再直接展示 secrets
# -f / --field metadata.ip | metadata.url | secret.token | secret.ssh_key # -f / --field metadata.ip | metadata.url | metadata.default_org
# --summary 不带值的 flag仅返回摘要name/tags/desc/updated_at # --summary 不带值的 flag仅返回摘要name/tags/desc/updated_at
# --limit 20 | 50默认 50 # --limit 20 | 50默认 50
# --offset 0 | 10 | 20分页偏移 # --offset 0 | 10 | 20分页偏移
@@ -184,14 +193,17 @@ secrets search --sort updated --limit 10 --summary
secrets search -n refining --kind service --name gitea secrets search -n refining --kind service --name gitea
secrets search -n refining --kind server --name i-uf63f2uookgs5uxmrdyc secrets search -n refining --kind server --name i-uf63f2uookgs5uxmrdyc
# 精确定位并获取完整内容(secrets # 精确定位并获取完整内容secrets 保持加密占位
secrets search -n refining --kind service --name gitea -o json --show-secrets secrets search -n refining --kind service --name gitea -o json
# 直接提取字段值(最短路径-f secret.* 自动解锁 secrets # 直接提取 metadata 字段值(最短路径)
secrets search -n refining --kind service --name gitea -f secret.token
secrets search -n refining --kind service --name gitea -f metadata.url secrets search -n refining --kind service --name gitea -f metadata.url
secrets search -n refining --kind service --name gitea \ secrets search -n refining --kind service --name gitea \
-f metadata.url -f metadata.default_org -f secret.token -f metadata.url -f metadata.default_org
# 需要 secrets 时,改用 inject / run
secrets inject -n refining --kind service --name gitea
secrets run -n refining --kind service --name gitea -- printenv
# 模糊关键词搜索 # 模糊关键词搜索
secrets search -q mqtt secrets search -q mqtt
@@ -210,10 +222,9 @@ secrets search -n refining --summary --limit 10 --offset 10
# 管道 / AI 调用(非 TTY 自动 json-compact # 管道 / AI 调用(非 TTY 自动 json-compact
secrets search -n refining --kind service | jq '.[].name' secrets search -n refining --kind service | jq '.[].name'
secrets search -n refining --kind service --name gitea --show-secrets | jq '.secrets.token'
# 导出为 env 文件(单条记录) # 导出 metadata 为 env 文件(单条记录)
secrets search -n refining --kind service --name gitea -o env --show-secrets \ secrets search -n refining --kind service --name gitea -o env \
> ~/.config/gitea/config.env > ~/.config/gitea/config.env
``` ```
@@ -405,6 +416,20 @@ secrets run -n refining --kind service --name gitea -- printenv
--- ---
### upgrade — 自动更新 CLI 二进制
从 Gitea Release 下载最新版本,校验对应 `.sha256` 摘要后替换当前二进制,无需数据库连接或主密钥。
```bash
# 检查是否有新版本(不下载)
secrets upgrade --check
# 下载、校验 SHA-256 并安装最新版本
secrets upgrade
```
---
### config — 配置管理(无需主密钥) ### config — 配置管理(无需主密钥)
```bash ```bash
@@ -443,7 +468,7 @@ secrets --db-url "postgres://..." search -n refining
- 新增 `kind` 类型时:只需在 `add` 调用时传入,无需改代码 - 新增 `kind` 类型时:只需在 `add` 调用时传入,无需改代码
- 字段命名CLI 短标志 `-n`=namespace`-m`=meta`-s`=secret`-q`=query`-v`=verbose`-f`=field`-o`=output - 字段命名CLI 短标志 `-n`=namespace`-m`=meta`-s`=secret`-q`=query`-v`=verbose`-f`=field`-o`=output
- 日志:用户可见输出用 `println!`;调试/运维信息用 `tracing::debug!`/`info!`/`warn!`/`error!` - 日志:用户可见输出用 `println!`;调试/运维信息用 `tracing::debug!`/`info!`/`warn!`/`error!`
- 审计:`add`/`update`/`delete` 成功后调用 `audit::log()`,写入 `audit_log` 表;失败只 warn 不中断 - 审计:`add`/`update`/`delete` 成功后调用 `audit::log_tx`,写入 `audit_log` 表;失败只 warn 不中断
- 加密:`encrypted` 列存储 AES-256-GCM 密文;`add`/`update`/`search`/`delete` 需主密钥(`secrets init` 后从 OS 钥匙串加载) - 加密:`encrypted` 列存储 AES-256-GCM 密文;`add`/`update`/`search`/`delete` 需主密钥(`secrets init` 后从 OS 钥匙串加载)
- 输出:读命令通过 `OutputMode` 支持 text/json/json-compact/env写命令 `add` 同样支持 `-o json` - 输出:读命令通过 `OutputMode` 支持 text/json/json-compact/env写命令 `add` 同样支持 `-o json`
@@ -451,9 +476,17 @@ secrets --db-url "postgres://..." search -n refining
每次提交代码前,请在本地依次执行以下检查,**全部通过后再 push** 每次提交代码前,请在本地依次执行以下检查,**全部通过后再 push**
优先使用:
```bash
./scripts/release-check.sh
```
它等价于先检查版本号 / tag再执行下面的格式、Lint、测试。
### 1. 版本号(按需) ### 1. 版本号(按需)
若本次改动需要发版,请先确认 `Cargo.toml` 中的 `version` 已提升,避免 CI 打出的 Tag 与已有版本重复。可通过 git tag 判断: 若本次改动需要发版,请先确认 `Cargo.toml` 中的 `version` 已提升,避免 CI 打出的 Tag 与已有版本重复。**升级版本后需同时更新 `Cargo.lock`**(运行 `cargo build` 即可自动同步),否则 CI 中 `cargo clippy --locked` 会因 lock 与 manifest 不一致而失败。可通过 git tag 判断:
```bash ```bash
# 查看当前 Cargo.toml 版本 # 查看当前 Cargo.toml 版本
@@ -463,7 +496,7 @@ grep '^version' Cargo.toml
git tag -l 'secrets-*' git tag -l 'secrets-*'
``` ```
若当前版本已被 tag例如已有 `secrets-0.3.0``Cargo.toml` 仍为 `0.3.0`),则应在 `Cargo.toml` 中 bump 版本号后再提交,以便 CI 自动打新 Tag 并发布 Release。 若当前版本已被 tag例如已有 `secrets-0.3.0``Cargo.toml` 仍为 `0.3.0`),则应在 `Cargo.toml` 中 bump 版本号,再执行 `cargo build` 同步 `Cargo.lock`,最后一并提交,以便 CI 自动打新 Tag 并发布 Release。
### 2. 格式、Lint、测试 ### 2. 格式、Lint、测试
@@ -481,10 +514,11 @@ cargo fmt -- --check && cargo clippy -- -D warnings && cargo test
## CI/CD ## CI/CD
- Gitea Actionsrunner: debian - Gitea Actionsrunners: debian / darwin-arm64 / windows
- 触发:`src/**``Cargo.toml``Cargo.lock` 变更推送到 main - 触发:`src/**``Cargo.toml``Cargo.lock` 变更推送到 main
- 构建目标:`x86_64-unknown-linux-musl`(静态链接,无 glibc 依赖) - 构建目标:`x86_64-unknown-linux-musl``aarch64-apple-darwin``x86_64-apple-darwin`(由 ARM mac runner 交叉编译)、`x86_64-pc-windows-msvc`
- 新版本自动打 Tag格式 `secrets-<version>`)并上传二进制到 Gitea Release - 新版本自动打 Tag格式 `secrets-<version>`)并上传二进制与对应 `.sha256` 摘要到 Gitea Release
- Release 仅在 Linux/macOS/Windows 构建全部成功后才会从 draft 发布
- 通知:飞书 Webhook`vars.WEBHOOK_URL` - 通知:飞书 Webhook`vars.WEBHOOK_URL`
- 所需 secrets/vars`RELEASE_TOKEN`Release 上传Gitea PAT`vars.WEBHOOK_URL`(通知,可选) - 所需 secrets/vars`RELEASE_TOKEN`Release 上传Gitea PAT`vars.WEBHOOK_URL`(通知,可选)
- **注意**Gitea Actions 的 Secret/Variable 创建时,`data`/`value` 字段需传入**原始值**,不要使用 base64 编码 - **注意**Gitea Actions 的 Secret/Variable 创建时,`data`/`value` 字段需传入**原始值**,不要使用 base64 编码

579
Cargo.lock generated
View File

@@ -2,6 +2,12 @@
# It is not intended for manual editing. # It is not intended for manual editing.
version = 4 version = 4
[[package]]
name = "adler2"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
[[package]] [[package]]
name = "aead" name = "aead"
version = "0.5.2" version = "0.5.2"
@@ -138,6 +144,12 @@ dependencies = [
"num-traits", "num-traits",
] ]
[[package]]
name = "atomic-waker"
version = "1.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
[[package]] [[package]]
name = "autocfg" name = "autocfg"
version = "1.5.0" version = "1.5.0"
@@ -217,6 +229,12 @@ version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
[[package]]
name = "cfg_aliases"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
[[package]] [[package]]
name = "chacha20" name = "chacha20"
version = "0.10.0" version = "0.10.0"
@@ -372,6 +390,15 @@ version = "2.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5" checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5"
[[package]]
name = "crc32fast"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
dependencies = [
"cfg-if",
]
[[package]] [[package]]
name = "crossbeam-queue" name = "crossbeam-queue"
version = "0.3.12" version = "0.3.12"
@@ -515,12 +542,40 @@ dependencies = [
"pin-project-lite", "pin-project-lite",
] ]
[[package]]
name = "fastrand"
version = "2.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
[[package]]
name = "filetime"
version = "0.2.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f98844151eee8917efc50bd9e8318cb963ae8b297431495d3f758616ea5c57db"
dependencies = [
"cfg-if",
"libc",
"libredox",
]
[[package]] [[package]]
name = "find-msvc-tools" name = "find-msvc-tools"
version = "0.1.9" version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
[[package]]
name = "flate2"
version = "1.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
dependencies = [
"crc32fast",
"miniz_oxide",
"zlib-rs",
]
[[package]] [[package]]
name = "flume" name = "flume"
version = "0.11.1" version = "0.11.1"
@@ -635,8 +690,24 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0" checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
"js-sys",
"libc", "libc",
"wasi", "wasi",
"wasm-bindgen",
]
[[package]]
name = "getrandom"
version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"r-efi 5.3.0",
"wasip2",
"wasm-bindgen",
] ]
[[package]] [[package]]
@@ -647,7 +718,7 @@ checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
"libc", "libc",
"r-efi", "r-efi 6.0.0",
"rand_core 0.10.0", "rand_core 0.10.0",
"wasip2", "wasip2",
"wasip3", "wasip3",
@@ -728,6 +799,106 @@ dependencies = [
"windows-sys 0.61.2", "windows-sys 0.61.2",
] ]
[[package]]
name = "http"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
dependencies = [
"bytes",
"itoa",
]
[[package]]
name = "http-body"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
dependencies = [
"bytes",
"http",
]
[[package]]
name = "http-body-util"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
dependencies = [
"bytes",
"futures-core",
"http",
"http-body",
"pin-project-lite",
]
[[package]]
name = "httparse"
version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
[[package]]
name = "hyper"
version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
dependencies = [
"atomic-waker",
"bytes",
"futures-channel",
"futures-core",
"http",
"http-body",
"httparse",
"itoa",
"pin-project-lite",
"pin-utils",
"smallvec",
"tokio",
"want",
]
[[package]]
name = "hyper-rustls"
version = "0.27.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
dependencies = [
"http",
"hyper",
"hyper-util",
"rustls",
"rustls-pki-types",
"tokio",
"tokio-rustls",
"tower-service",
"webpki-roots 1.0.6",
]
[[package]]
name = "hyper-util"
version = "0.1.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
dependencies = [
"base64",
"bytes",
"futures-channel",
"futures-util",
"http",
"http-body",
"hyper",
"ipnet",
"libc",
"percent-encoding",
"pin-project-lite",
"socket2",
"tokio",
"tower-service",
"tracing",
]
[[package]] [[package]]
name = "iana-time-zone" name = "iana-time-zone"
version = "0.1.65" version = "0.1.65"
@@ -881,6 +1052,22 @@ dependencies = [
"generic-array", "generic-array",
] ]
[[package]]
name = "ipnet"
version = "2.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
[[package]]
name = "iri-string"
version = "0.7.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a"
dependencies = [
"memchr",
"serde",
]
[[package]] [[package]]
name = "is_terminal_polyfill" name = "is_terminal_polyfill"
version = "1.70.2" version = "1.70.2"
@@ -977,6 +1164,12 @@ dependencies = [
"libc", "libc",
] ]
[[package]]
name = "linux-raw-sys"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
[[package]] [[package]]
name = "litemap" name = "litemap"
version = "0.8.1" version = "0.8.1"
@@ -998,6 +1191,12 @@ version = "0.4.29"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897" checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
[[package]]
name = "lru-slab"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
[[package]] [[package]]
name = "matchers" name = "matchers"
version = "0.2.0" version = "0.2.0"
@@ -1023,6 +1222,16 @@ version = "2.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
[[package]]
name = "miniz_oxide"
version = "0.8.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
dependencies = [
"adler2",
"simd-adler32",
]
[[package]] [[package]]
name = "mio" name = "mio"
version = "1.1.1" version = "1.1.1"
@@ -1174,6 +1383,12 @@ version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd" checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"
[[package]]
name = "pin-utils"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
[[package]] [[package]]
name = "pkcs1" name = "pkcs1"
version = "0.7.5" version = "0.7.5"
@@ -1256,6 +1471,61 @@ dependencies = [
"unicode-ident", "unicode-ident",
] ]
[[package]]
name = "quinn"
version = "0.11.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
dependencies = [
"bytes",
"cfg_aliases",
"pin-project-lite",
"quinn-proto",
"quinn-udp",
"rustc-hash",
"rustls",
"socket2",
"thiserror",
"tokio",
"tracing",
"web-time",
]
[[package]]
name = "quinn-proto"
version = "0.11.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
dependencies = [
"bytes",
"getrandom 0.3.4",
"lru-slab",
"rand 0.9.2",
"ring",
"rustc-hash",
"rustls",
"rustls-pki-types",
"slab",
"thiserror",
"tinyvec",
"tracing",
"web-time",
]
[[package]]
name = "quinn-udp"
version = "0.5.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
dependencies = [
"cfg_aliases",
"libc",
"once_cell",
"socket2",
"tracing",
"windows-sys 0.60.2",
]
[[package]] [[package]]
name = "quote" name = "quote"
version = "1.0.45" version = "1.0.45"
@@ -1265,6 +1535,12 @@ dependencies = [
"proc-macro2", "proc-macro2",
] ]
[[package]]
name = "r-efi"
version = "5.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
[[package]] [[package]]
name = "r-efi" name = "r-efi"
version = "6.0.0" version = "6.0.0"
@@ -1278,10 +1554,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
dependencies = [ dependencies = [
"libc", "libc",
"rand_chacha", "rand_chacha 0.3.1",
"rand_core 0.6.4", "rand_core 0.6.4",
] ]
[[package]]
name = "rand"
version = "0.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
dependencies = [
"rand_chacha 0.9.0",
"rand_core 0.9.5",
]
[[package]] [[package]]
name = "rand" name = "rand"
version = "0.10.0" version = "0.10.0"
@@ -1303,6 +1589,16 @@ dependencies = [
"rand_core 0.6.4", "rand_core 0.6.4",
] ]
[[package]]
name = "rand_chacha"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
dependencies = [
"ppv-lite86",
"rand_core 0.9.5",
]
[[package]] [[package]]
name = "rand_core" name = "rand_core"
version = "0.6.4" version = "0.6.4"
@@ -1312,6 +1608,15 @@ dependencies = [
"getrandom 0.2.17", "getrandom 0.2.17",
] ]
[[package]]
name = "rand_core"
version = "0.9.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
dependencies = [
"getrandom 0.3.4",
]
[[package]] [[package]]
name = "rand_core" name = "rand_core"
version = "0.10.0" version = "0.10.0"
@@ -1364,6 +1669,44 @@ version = "0.8.10"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a" checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
[[package]]
name = "reqwest"
version = "0.12.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
dependencies = [
"base64",
"bytes",
"futures-core",
"http",
"http-body",
"http-body-util",
"hyper",
"hyper-rustls",
"hyper-util",
"js-sys",
"log",
"percent-encoding",
"pin-project-lite",
"quinn",
"rustls",
"rustls-pki-types",
"serde",
"serde_json",
"serde_urlencoded",
"sync_wrapper",
"tokio",
"tokio-rustls",
"tower",
"tower-http",
"tower-service",
"url",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
"webpki-roots 1.0.6",
]
[[package]] [[package]]
name = "ring" name = "ring"
version = "0.17.14" version = "0.17.14"
@@ -1419,6 +1762,25 @@ dependencies = [
"windows-sys 0.52.0", "windows-sys 0.52.0",
] ]
[[package]]
name = "rustc-hash"
version = "2.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
[[package]]
name = "rustix"
version = "1.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
dependencies = [
"bitflags",
"errno",
"libc",
"linux-raw-sys",
"windows-sys 0.61.2",
]
[[package]] [[package]]
name = "rustls" name = "rustls"
version = "0.23.36" version = "0.23.36"
@@ -1439,6 +1801,7 @@ version = "1.14.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd" checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
dependencies = [ dependencies = [
"web-time",
"zeroize", "zeroize",
] ]
@@ -1473,7 +1836,7 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
[[package]] [[package]]
name = "secrets" name = "secrets"
version = "0.6.0" version = "0.7.3"
dependencies = [ dependencies = [
"aes-gcm", "aes-gcm",
"anyhow", "anyhow",
@@ -1481,17 +1844,25 @@ dependencies = [
"chrono", "chrono",
"clap", "clap",
"dirs", "dirs",
"flate2",
"keyring", "keyring",
"rand 0.10.0", "rand 0.10.0",
"reqwest",
"rpassword", "rpassword",
"self-replace",
"semver",
"serde", "serde",
"serde_json", "serde_json",
"sha2",
"sqlx", "sqlx",
"tar",
"tempfile",
"tokio", "tokio",
"toml", "toml",
"tracing", "tracing",
"tracing-subscriber", "tracing-subscriber",
"uuid", "uuid",
"zip",
] ]
[[package]] [[package]]
@@ -1530,6 +1901,17 @@ dependencies = [
"libc", "libc",
] ]
[[package]]
name = "self-replace"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "03ec815b5eab420ab893f63393878d89c90fdd94c0bcc44c07abb8ad95552fb7"
dependencies = [
"fastrand",
"tempfile",
"windows-sys 0.52.0",
]
[[package]] [[package]]
name = "semver" name = "semver"
version = "1.0.27" version = "1.0.27"
@@ -1657,6 +2039,12 @@ dependencies = [
"rand_core 0.6.4", "rand_core 0.6.4",
] ]
[[package]]
name = "simd-adler32"
version = "0.3.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2"
[[package]] [[package]]
name = "slab" name = "slab"
version = "0.4.12" version = "0.4.12"
@@ -1939,6 +2327,15 @@ dependencies = [
"unicode-ident", "unicode-ident",
] ]
[[package]]
name = "sync_wrapper"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
dependencies = [
"futures-core",
]
[[package]] [[package]]
name = "synstructure" name = "synstructure"
version = "0.13.2" version = "0.13.2"
@@ -1950,6 +2347,30 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "tar"
version = "0.4.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a"
dependencies = [
"filetime",
"libc",
"xattr",
]
[[package]]
name = "tempfile"
version = "3.27.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
dependencies = [
"fastrand",
"getrandom 0.4.2",
"once_cell",
"rustix",
"windows-sys 0.61.2",
]
[[package]] [[package]]
name = "thiserror" name = "thiserror"
version = "2.0.18" version = "2.0.18"
@@ -2032,6 +2453,16 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "tokio-rustls"
version = "0.26.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
dependencies = [
"rustls",
"tokio",
]
[[package]] [[package]]
name = "tokio-stream" name = "tokio-stream"
version = "0.1.18" version = "0.1.18"
@@ -2082,6 +2513,51 @@ version = "1.0.7+spec-1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f17aaa1c6e3dc22b1da4b6bba97d066e354c7945cac2f7852d4e4e7ca7a6b56d" checksum = "f17aaa1c6e3dc22b1da4b6bba97d066e354c7945cac2f7852d4e4e7ca7a6b56d"
[[package]]
name = "tower"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4"
dependencies = [
"futures-core",
"futures-util",
"pin-project-lite",
"sync_wrapper",
"tokio",
"tower-layer",
"tower-service",
]
[[package]]
name = "tower-http"
version = "0.6.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
dependencies = [
"bitflags",
"bytes",
"futures-util",
"http",
"http-body",
"iri-string",
"pin-project-lite",
"tower",
"tower-layer",
"tower-service",
]
[[package]]
name = "tower-layer"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
[[package]]
name = "tower-service"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
[[package]] [[package]]
name = "tracing" name = "tracing"
version = "0.1.44" version = "0.1.44"
@@ -2144,6 +2620,18 @@ dependencies = [
"tracing-log", "tracing-log",
] ]
[[package]]
name = "try-lock"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
[[package]]
name = "typed-path"
version = "0.12.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8e28f89b80c87b8fb0cf04ab448d5dd0dd0ade2f8891bae878de66a75a28600e"
[[package]] [[package]]
name = "typenum" name = "typenum"
version = "1.19.0" version = "1.19.0"
@@ -2252,6 +2740,15 @@ version = "0.9.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
[[package]]
name = "want"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
dependencies = [
"try-lock",
]
[[package]] [[package]]
name = "wasi" name = "wasi"
version = "0.11.1+wasi-snapshot-preview1" version = "0.11.1+wasi-snapshot-preview1"
@@ -2295,6 +2792,20 @@ dependencies = [
"wasm-bindgen-shared", "wasm-bindgen-shared",
] ]
[[package]]
name = "wasm-bindgen-futures"
version = "0.4.64"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8"
dependencies = [
"cfg-if",
"futures-util",
"js-sys",
"once_cell",
"wasm-bindgen",
"web-sys",
]
[[package]] [[package]]
name = "wasm-bindgen-macro" name = "wasm-bindgen-macro"
version = "0.2.114" version = "0.2.114"
@@ -2361,6 +2872,26 @@ dependencies = [
"semver", "semver",
] ]
[[package]]
name = "web-sys"
version = "0.3.91"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9"
dependencies = [
"js-sys",
"wasm-bindgen",
]
[[package]]
name = "web-time"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
dependencies = [
"js-sys",
"wasm-bindgen",
]
[[package]] [[package]]
name = "webpki-roots" name = "webpki-roots"
version = "0.26.11" version = "0.26.11"
@@ -2779,6 +3310,16 @@ version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9" checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
[[package]]
name = "xattr"
version = "1.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32e45ad4206f6d2479085147f02bc2ef834ac85886624a23575ae137c8aa8156"
dependencies = [
"libc",
"rustix",
]
[[package]] [[package]]
name = "yoke" name = "yoke"
version = "0.8.1" version = "0.8.1"
@@ -2882,8 +3423,40 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "zip"
version = "8.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b680f2a0cd479b4cff6e1233c483fdead418106eae419dc60200ae9850f6d004"
dependencies = [
"crc32fast",
"flate2",
"indexmap",
"memchr",
"typed-path",
"zopfli",
]
[[package]]
name = "zlib-rs"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3be3d40e40a133f9c916ee3f9f4fa2d9d63435b5fbe1bfc6d9dae0aa0ada1513"
[[package]] [[package]]
name = "zmij" name = "zmij"
version = "1.0.21" version = "1.0.21"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa" checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
[[package]]
name = "zopfli"
version = "0.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f05cd8797d63865425ff89b5c4a48804f35ba0ce8d125800027ad6017d2b5249"
dependencies = [
"bumpalo",
"crc32fast",
"log",
"simd-adler32",
]

10
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "secrets" name = "secrets"
version = "0.6.1" version = "0.7.3"
edition = "2024" edition = "2024"
[dependencies] [dependencies]
@@ -10,14 +10,22 @@ argon2 = { version = "0.5.3", features = ["std"] }
chrono = { version = "0.4.44", features = ["serde"] } chrono = { version = "0.4.44", features = ["serde"] }
clap = { version = "4.6.0", features = ["derive"] } clap = { version = "4.6.0", features = ["derive"] }
dirs = "6.0.0" dirs = "6.0.0"
flate2 = "1.1.9"
keyring = { version = "3.6.3", features = ["apple-native", "windows-native", "linux-native"] } keyring = { version = "3.6.3", features = ["apple-native", "windows-native", "linux-native"] }
rand = "0.10.0" rand = "0.10.0"
reqwest = { version = "0.12", default-features = false, features = ["rustls-tls", "json"] }
rpassword = "7.4.0" rpassword = "7.4.0"
self-replace = "1.5.0"
semver = "1.0.27"
serde = { version = "1.0.228", features = ["derive"] } serde = { version = "1.0.228", features = ["derive"] }
serde_json = "1.0.149" serde_json = "1.0.149"
sha2 = "0.10.9"
sqlx = { version = "0.8.6", features = ["runtime-tokio", "tls-rustls", "postgres", "uuid", "json", "chrono"] } sqlx = { version = "0.8.6", features = ["runtime-tokio", "tls-rustls", "postgres", "uuid", "json", "chrono"] }
tar = "0.4.44"
tempfile = "3.19"
tokio = { version = "1.50.0", features = ["full"] } tokio = { version = "1.50.0", features = ["full"] }
toml = "1.0.7" toml = "1.0.7"
tracing = "0.1" tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter"] } tracing-subscriber = { version = "0.3", features = ["env-filter"] }
uuid = { version = "1.22.0", features = ["serde"] } uuid = { version = "1.22.0", features = ["serde"] }
zip = { version = "8.2.0", default-features = false, features = ["deflate"] }

57
README.md
View File

@@ -11,17 +11,19 @@ cargo build --release
# 或从 Release 页面下载预编译二进制 # 或从 Release 页面下载预编译二进制
``` ```
已有旧版本时,可执行 `secrets upgrade` 自动下载最新版并替换。该命令会校验 Release 附带的 `.sha256` 摘要后再安装。
## 首次使用(每台设备各执行一次) ## 首次使用(每台设备各执行一次)
```bash ```bash
# 1. 配置数据库连接(会先验证连接可用再写入) # 1. 配置数据库连接(会先验证连接可用再写入)
secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets" secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
# 2. 初始化主密钥(提示输入主密码,派生后存入 OS 钥匙串) # 2. 初始化主密钥(提示输入至少 8 位的主密码,派生后存入 OS 钥匙串)
secrets init secrets init
``` ```
主密码不会存储仅用于派生主密钥。同一主密码在所有设备上会得到相同主密钥salt 存于数据库,首台设备生成后共享)。 主密码不会存储,仅用于派生主密钥,且至少需 8 位。同一主密码在所有设备上会得到相同主密钥salt 存于数据库,首台设备生成后共享)。
**主密钥存储**macOS → KeychainWindows → Credential ManagerLinux → keyutils会话级重启后需再次 `secrets init`)。 **主密钥存储**macOS → KeychainWindows → Credential ManagerLinux → keyutils会话级重启后需再次 `secrets init`)。
@@ -52,37 +54,46 @@ secrets search --sort updated --limit 10 --summary
# 精确定位namespace + kind + name 三元组) # 精确定位namespace + kind + name 三元组)
secrets search -n refining --kind service --name gitea secrets search -n refining --kind service --name gitea
# 获取完整记录secretsJSON 格式AI 最易解析 # 获取完整记录secrets 保持加密占位
secrets search -n refining --kind service --name gitea -o json --show-secrets secrets search -n refining --kind service --name gitea -o json
# 直接提取单个字段值(最短路径) # 直接提取单个 metadata 字段值(最短路径)
secrets search -n refining --kind service --name gitea -f secret.token
secrets search -n refining --kind service --name gitea -f metadata.url secrets search -n refining --kind service --name gitea -f metadata.url
# 同时提取多个字段 # 同时提取多个 metadata 字段
secrets search -n refining --kind service --name gitea \ secrets search -n refining --kind service --name gitea \
-f metadata.url -f metadata.default_org -f secret.token -f metadata.url -f metadata.default_org
# 需要 secrets 时,改用 inject / run
secrets inject -n refining --kind service --name gitea
secrets run -n refining --kind service --name gitea -- printenv
``` ```
`-f secret.*` 会自动解锁 secrets无需额外加 `--show-secrets` `search` 只负责发现、定位和读取 metadata不直接展示 secrets。
### 输出格式 ### 输出格式
| 场景 | 推荐命令 | | 场景 | 推荐命令 |
|------|----------| |------|----------|
| AI 解析 / 管道处理 | `-o json``-o json-compact` | | AI 解析 / 管道处理 | `-o json``-o json-compact` |
| 写入 `.env` 文件 | `-o env --show-secrets` | | 写入 metadata `.env` 文件 | `-o env` |
| 注入 secrets 到环境变量 | `inject` / `run` |
| 人类查看 | 默认 `text`TTY 下自动启用) | | 人类查看 | 默认 `text`TTY 下自动启用) |
| 非 TTY管道/重定向) | 自动 `json-compact` | | 非 TTY管道/重定向) | 自动 `json-compact` |
说明:`text` 输出中的时间会按当前机器本地时区显示;`json/json-compact` 继续使用 UTCRFC3339 风格)以便脚本和 AI 稳定解析。
```bash ```bash
# 管道直接 jq 解析(非 TTY 自动 json-compact # 管道直接 jq 解析(非 TTY 自动 json-compact
secrets search -n refining --kind service | jq '.[].name' secrets search -n refining --kind service | jq '.[].name'
secrets search -n refining --kind service --name gitea --show-secrets | jq '.secrets.token'
# 导出为可 source 的 env 文件(单条记录) # 导出 metadata 为可 source 的 env 文件(单条记录)
secrets search -n refining --kind service --name gitea -o env --show-secrets \ secrets search -n refining --kind service --name gitea -o env \
> ~/.config/gitea/config.env > ~/.config/gitea/config.env
# 需要 secrets 时,使用 inject / run
secrets inject -n refining --kind service --name gitea > ~/.config/gitea/secrets.env
secrets run -n refining --kind service --name gitea -- ./deploy.sh
``` ```
## 完整命令参考 ## 完整命令参考
@@ -96,6 +107,7 @@ secrets add --help
secrets update --help secrets update --help
secrets delete --help secrets delete --help
secrets config --help secrets config --help
secrets upgrade --help # 检查并更新 CLI 版本
# ── search ────────────────────────────────────────────────────────────────── # ── search ──────────────────────────────────────────────────────────────────
secrets search --summary --limit 20 # 发现概览 secrets search --summary --limit 20 # 发现概览
@@ -103,8 +115,8 @@ secrets search -n refining --kind service # 按 namespace + kin
secrets search -n refining --kind service --name gitea # 精确查找 secrets search -n refining --kind service --name gitea # 精确查找
secrets search -q mqtt # 关键词模糊搜索 secrets search -q mqtt # 关键词模糊搜索
secrets search --tag hongkong # 按 tag 过滤 secrets search --tag hongkong # 按 tag 过滤
secrets search -n refining --kind service --name gitea -f secret.token # 提取字段 secrets search -n refining --kind service --name gitea -f metadata.url # 提取 metadata 字段
secrets search -n refining --kind service --name gitea -o json --show-secrets # 完整 JSON secrets search -n refining --kind service --name gitea -o json # 完整记录secrets 保持占位)
secrets search --sort updated --limit 10 --summary # 最近改动 secrets search --sort updated --limit 10 --summary # 最近改动
secrets search -n refining --summary --limit 10 --offset 10 # 翻页 secrets search -n refining --summary --limit 10 --offset 10 # 翻页
@@ -128,13 +140,17 @@ secrets update -n refining --kind service --name mqtt --remove-meta old_port --r
secrets delete -n refining --kind service --name legacy-mqtt secrets delete -n refining --kind service --name legacy-mqtt
# ── init ───────────────────────────────────────────────────────────────────── # ── init ─────────────────────────────────────────────────────────────────────
secrets init # 主密钥初始化(每台设备一次,主密码派生后存钥匙串) secrets init # 主密钥初始化(每台设备一次,主密码至少 8 位,派生后存钥匙串)
# ── config ─────────────────────────────────────────────────────────────────── # ── config ───────────────────────────────────────────────────────────────────
secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets" # 先验证再写入 secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets" # 先验证再写入
secrets config show # 密码脱敏展示 secrets config show # 密码脱敏展示
secrets config path # 打印配置文件路径 secrets config path # 打印配置文件路径
# ── upgrade ──────────────────────────────────────────────────────────────────
secrets upgrade --check # 仅检查是否有新版本
secrets upgrade # 下载、校验 SHA-256 并安装最新版(从 Gitea Release
# ── 调试 ────────────────────────────────────────────────────────────────────── # ── 调试 ──────────────────────────────────────────────────────────────────────
secrets --verbose search -q mqtt secrets --verbose search -q mqtt
RUST_LOG=secrets=trace secrets search RUST_LOG=secrets=trace secrets search
@@ -185,13 +201,14 @@ src/
search.rs # 多条件查询,支持 -f/-o/--summary/--limit/--offset/--sort search.rs # 多条件查询,支持 -f/-o/--summary/--limit/--offset/--sort
delete.rs # 删除 delete.rs # 删除
update.rs # 增量更新(合并 tags/metadata/encrypted update.rs # 增量更新(合并 tags/metadata/encrypted
upgrade.rs # 从 Gitea Release 自更新
scripts/ scripts/
setup-gitea-actions.sh # 配置 Gitea Actions 变量与 Secrets setup-gitea-actions.sh # 配置 Gitea Actions 变量与 Secrets
``` ```
## CI/CDGitea Actions ## CI/CDGitea Actions
推送 `main` 分支时自动fmt/clippy 检查 → musl 构建 → 创建 Release 并上传二进制 推送 `main` 分支时自动fmt/clippy/test 检查 → Linux/macOS/Windows 构建 → 上传二进制与 `.sha256` 摘要 → 所有平台成功后发布 Release。
**首次使用需配置 Actions 变量和 Secrets** **首次使用需配置 Actions 变量和 Secrets**
@@ -204,4 +221,10 @@ scripts/
- `WEBHOOK_URL`Variable飞书通知可选 - `WEBHOOK_URL`Variable飞书通知可选
- **注意**Secret/Variable 的 `data`/`value` 字段需传入原始值,不要 base64 编码 - **注意**Secret/Variable 的 `data`/`value` 字段需传入原始值,不要 base64 编码
当前 Release 预编译产物覆盖:
- Linux `x86_64-unknown-linux-musl`
- macOS Apple Silicon `aarch64-apple-darwin`
- macOS Intel `x86_64-apple-darwin`(由 ARM mac runner 交叉编译)
- Windows `x86_64-pc-windows-msvc`
详见 [AGENTS.md](AGENTS.md)。 详见 [AGENTS.md](AGENTS.md)。

23
scripts/release-check.sh Executable file
View File

@@ -0,0 +1,23 @@
#!/usr/bin/env bash
set -euo pipefail
repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$repo_root"
version="$(grep -m1 '^version' Cargo.toml | sed 's/.*"\(.*\)".*/\1/')"
tag="secrets-${version}"
echo "==> 当前版本: ${version}"
echo "==> 检查是否已存在 tag: ${tag}"
if git rev-parse "refs/tags/${tag}" >/dev/null 2>&1; then
echo "错误: 已存在 tag ${tag}"
echo "请先 bump Cargo.toml 中的 version再执行 cargo build 同步 Cargo.lock。"
exit 1
fi
echo "==> 未发现重复 tag开始执行检查"
cargo fmt -- --check
cargo clippy --locked -- -D warnings
cargo test --locked

34
src/audit.rs
View File

@@ -1,5 +1,5 @@
use serde_json::Value; use serde_json::Value;
use sqlx::{PgPool, Postgres, Transaction}; use sqlx::{Postgres, Transaction};
/// Write an audit entry within an existing transaction. /// Write an audit entry within an existing transaction.
pub async fn log_tx( pub async fn log_tx(
@@ -30,35 +30,3 @@ pub async fn log_tx(
tracing::debug!(action, namespace, kind, name, actor, "audit logged"); tracing::debug!(action, namespace, kind, name, actor, "audit logged");
} }
} }
/// Write an audit entry using the pool (fire-and-forget, non-fatal).
/// Kept for future use or scenarios without an active transaction.
#[allow(dead_code)]
pub async fn log(
pool: &PgPool,
action: &str,
namespace: &str,
kind: &str,
name: &str,
detail: Value,
) {
let actor = std::env::var("USER").unwrap_or_default();
let result: Result<_, sqlx::Error> = sqlx::query(
"INSERT INTO audit_log (action, namespace, kind, name, detail, actor) \
VALUES ($1, $2, $3, $4, $5, $6)",
)
.bind(action)
.bind(namespace)
.bind(kind)
.bind(name)
.bind(&detail)
.bind(&actor)
.execute(pool)
.await;
if let Err(e) = result {
tracing::warn!(error = %e, "failed to write audit log");
} else {
tracing::debug!(action, namespace, kind, name, actor, "audit logged");
}
}

1
src/commands/config.rs
View File

@@ -9,6 +9,7 @@ pub async fn run(action: crate::ConfigAction) -> Result<()> {
.await .await
.map_err(|e| anyhow::anyhow!("Database connection failed: {}", e))?; .map_err(|e| anyhow::anyhow!("Database connection failed: {}", e))?;
drop(pool); drop(pool);
println!("Database connection successful.");
let cfg = Config { let cfg = Config {
database_url: Some(url.clone()), database_url: Some(url.clone()),

16
src/commands/init.rs
View File

@@ -4,15 +4,23 @@ use sqlx::PgPool;
use crate::{crypto, db}; use crate::{crypto, db};
const MIN_MASTER_PASSWORD_LEN: usize = 8;
pub async fn run(pool: &PgPool) -> Result<()> { pub async fn run(pool: &PgPool) -> Result<()> {
println!("Initializing secrets master key..."); println!("Initializing secrets master key...");
println!(); println!();
// Read password (no echo) // Read password (no echo)
let password = let password = rpassword::prompt_password(format!(
rpassword::prompt_password("Enter master password: ").context("failed to read password")?; "Enter master password (at least {} characters): ",
if password.is_empty() { MIN_MASTER_PASSWORD_LEN
anyhow::bail!("Master password must not be empty."); ))
.context("failed to read password")?;
if password.chars().count() < MIN_MASTER_PASSWORD_LEN {
anyhow::bail!(
"Master password must be at least {} characters.",
MIN_MASTER_PASSWORD_LEN
);
} }
let confirm = rpassword::prompt_password("Confirm master password: ") let confirm = rpassword::prompt_password("Confirm master password: ")
.context("failed to read password confirmation")?; .context("failed to read password confirmation")?;

1
src/commands/mod.rs
View File

@@ -6,3 +6,4 @@ pub mod rollback;
pub mod run; pub mod run;
pub mod search; pub mod search;
pub mod update; pub mod update;
pub mod upgrade;

14
src/commands/rollback.rs
View File

@@ -3,17 +3,11 @@ use serde_json::{Value, json};
use sqlx::{FromRow, PgPool}; use sqlx::{FromRow, PgPool};
use uuid::Uuid; use uuid::Uuid;
use crate::output::OutputMode; use crate::output::{OutputMode, format_local_time};
#[derive(FromRow)] #[derive(FromRow)]
struct HistoryRow { struct HistoryRow {
secret_id: Uuid, secret_id: Uuid,
#[allow(dead_code)]
namespace: String,
#[allow(dead_code)]
kind: String,
#[allow(dead_code)]
name: String,
version: i64, version: i64,
action: String, action: String,
tags: Vec<String>, tags: Vec<String>,
@@ -33,7 +27,7 @@ pub struct RollbackArgs<'a> {
pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -> Result<()> { pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
let snap: Option<HistoryRow> = if let Some(ver) = args.to_version { let snap: Option<HistoryRow> = if let Some(ver) = args.to_version {
sqlx::query_as( sqlx::query_as(
"SELECT secret_id, namespace, kind, name, version, action, tags, metadata, encrypted \ "SELECT secret_id, version, action, tags, metadata, encrypted \
FROM secrets_history \ FROM secrets_history \
WHERE namespace = $1 AND kind = $2 AND name = $3 AND version = $4 \ WHERE namespace = $1 AND kind = $2 AND name = $3 AND version = $4 \
ORDER BY id DESC LIMIT 1", ORDER BY id DESC LIMIT 1",
@@ -46,7 +40,7 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
.await? .await?
} else { } else {
sqlx::query_as( sqlx::query_as(
"SELECT secret_id, namespace, kind, name, version, action, tags, metadata, encrypted \ "SELECT secret_id, version, action, tags, metadata, encrypted \
FROM secrets_history \ FROM secrets_history \
WHERE namespace = $1 AND kind = $2 AND name = $3 \ WHERE namespace = $1 AND kind = $2 AND name = $3 \
ORDER BY id DESC LIMIT 1", ORDER BY id DESC LIMIT 1",
@@ -234,7 +228,7 @@ pub async fn list_history(
r.version, r.version,
r.action, r.action,
r.actor, r.actor,
r.created_at.format("%Y-%m-%d %H:%M:%S UTC") format_local_time(r.created_at)
); );
} }
println!(" (use `secrets rollback --to-version <N>` to restore)"); println!(" (use `secrets rollback --to-version <N>` to restore)");

4
src/commands/run.rs
View File

@@ -3,7 +3,7 @@ use serde_json::Value;
use sqlx::PgPool; use sqlx::PgPool;
use std::collections::HashMap; use std::collections::HashMap;
use crate::commands::search::build_env_map; use crate::commands::search::build_injected_env_map;
use crate::output::OutputMode; use crate::output::OutputMode;
pub struct InjectArgs<'a> { pub struct InjectArgs<'a> {
@@ -48,7 +48,7 @@ pub async fn collect_env_map(
} }
let mut map = HashMap::new(); let mut map = HashMap::new();
for row in &rows { for row in &rows {
let row_map = build_env_map(row, prefix, Some(master_key))?; let row_map = build_injected_env_map(row, prefix, master_key)?;
for (k, v) in row_map { for (k, v) in row_map {
map.insert(k, v); map.insert(k, v);
} }

229
src/commands/search.rs
View File

@@ -5,7 +5,7 @@ use std::collections::HashMap;
use crate::crypto; use crate::crypto;
use crate::models::Secret; use crate::models::Secret;
use crate::output::OutputMode; use crate::output::{OutputMode, format_local_time};
pub struct SearchArgs<'a> { pub struct SearchArgs<'a> {
pub namespace: Option<&'a str>, pub namespace: Option<&'a str>,
@@ -22,7 +22,9 @@ pub struct SearchArgs<'a> {
pub output: OutputMode, pub output: OutputMode,
} }
pub async fn run(pool: &PgPool, args: SearchArgs<'_>, master_key: Option<&[u8; 32]>) -> Result<()> { pub async fn run(pool: &PgPool, args: SearchArgs<'_>) -> Result<()> {
validate_safe_search_args(args.show_secrets, args.fields)?;
let rows = fetch_rows_paged( let rows = fetch_rows_paged(
pool, pool,
PagedFetchArgs { PagedFetchArgs {
@@ -40,15 +42,12 @@ pub async fn run(pool: &PgPool, args: SearchArgs<'_>, master_key: Option<&[u8; 3
// -f/--field: extract specific field values directly // -f/--field: extract specific field values directly
if !args.fields.is_empty() { if !args.fields.is_empty() {
return print_fields(&rows, args.fields, master_key); return print_fields(&rows, args.fields);
} }
match args.output { match args.output {
OutputMode::Json | OutputMode::JsonCompact => { OutputMode::Json | OutputMode::JsonCompact => {
let arr: Vec<Value> = rows let arr: Vec<Value> = rows.iter().map(|r| to_json(r, args.summary)).collect();
.iter()
.map(|r| to_json(r, args.show_secrets, args.summary, master_key))
.collect();
let out = if args.output == OutputMode::Json { let out = if args.output == OutputMode::Json {
serde_json::to_string_pretty(&arr)? serde_json::to_string_pretty(&arr)?
} else { } else {
@@ -64,7 +63,7 @@ pub async fn run(pool: &PgPool, args: SearchArgs<'_>, master_key: Option<&[u8; 3
); );
} }
if let Some(row) = rows.first() { if let Some(row) = rows.first() {
let map = build_env_map(row, "", master_key)?; let map = build_metadata_env_map(row, "");
let mut pairs: Vec<(String, String)> = map.into_iter().collect(); let mut pairs: Vec<(String, String)> = map.into_iter().collect();
pairs.sort_by(|a, b| a.0.cmp(&b.0)); pairs.sort_by(|a, b| a.0.cmp(&b.0));
for (k, v) in pairs { for (k, v) in pairs {
@@ -80,7 +79,7 @@ pub async fn run(pool: &PgPool, args: SearchArgs<'_>, master_key: Option<&[u8; 3
return Ok(()); return Ok(());
} }
for row in &rows { for row in &rows {
print_text(row, args.show_secrets, args.summary, master_key)?; print_text(row, args.summary)?;
} }
println!("{} record(s) found.", rows.len()); println!("{} record(s) found.", rows.len());
if rows.len() == args.limit as usize { if rows.len() == args.limit as usize {
@@ -96,6 +95,30 @@ pub async fn run(pool: &PgPool, args: SearchArgs<'_>, master_key: Option<&[u8; 3
Ok(()) Ok(())
} }
fn validate_safe_search_args(show_secrets: bool, fields: &[String]) -> Result<()> {
if show_secrets {
anyhow::bail!(
"`search` no longer reveals secrets. Use `secrets inject` or `secrets run` instead."
);
}
if let Some(field) = fields.iter().find(|field| is_secret_field(field)) {
anyhow::bail!(
"Field '{}' is sensitive. `search -f` only supports metadata.* fields; use `secrets inject` or `secrets run` for secrets.",
field
);
}
Ok(())
}
fn is_secret_field(field: &str) -> bool {
matches!(
field.split_once('.').map(|(section, _)| section),
Some("secret" | "secrets" | "encrypted")
)
}
/// Fetch rows with simple equality/tag filters (no pagination). Used by inject/run. /// Fetch rows with simple equality/tag filters (no pagination). Used by inject/run.
pub async fn fetch_rows( pub async fn fetch_rows(
pool: &PgPool, pool: &PgPool,
@@ -218,16 +241,9 @@ async fn fetch_rows_paged(pool: &PgPool, a: PagedFetchArgs<'_>) -> Result<Vec<Se
Ok(rows) Ok(rows)
} }
/// Build a flat `KEY=VALUE` map from a record's metadata and decrypted secrets. fn env_prefix(row: &Secret, prefix: &str) -> String {
/// Variable names: `<PREFIX><NAME>_<FIELD>` (all uppercased, hyphens/dots → underscores).
/// If `prefix` is empty, the name segment alone is used as the prefix.
pub fn build_env_map(
row: &Secret,
prefix: &str,
master_key: Option<&[u8; 32]>,
) -> Result<HashMap<String, String>> {
let name_part = row.name.to_uppercase().replace(['-', '.', ' '], "_"); let name_part = row.name.to_uppercase().replace(['-', '.', ' '], "_");
let effective_prefix = if prefix.is_empty() { if prefix.is_empty() {
name_part name_part
} else { } else {
format!( format!(
@@ -235,7 +251,14 @@ pub fn build_env_map(
prefix.to_uppercase().replace(['-', '.', ' '], "_"), prefix.to_uppercase().replace(['-', '.', ' '], "_"),
name_part name_part
) )
}; }
}
/// Build a flat `KEY=VALUE` map from metadata only.
/// Variable names: `<PREFIX><NAME>_<FIELD>` (all uppercased, hyphens/dots → underscores).
/// If `prefix` is empty, the name segment alone is used as the prefix.
pub fn build_metadata_env_map(row: &Secret, prefix: &str) -> HashMap<String, String> {
let effective_prefix = env_prefix(row, prefix);
let mut map = HashMap::new(); let mut map = HashMap::new();
@@ -250,9 +273,19 @@ pub fn build_env_map(
} }
} }
if let Some(master_key) = master_key map
&& !row.encrypted.is_empty() }
{
/// Build a flat `KEY=VALUE` map from metadata and decrypted secrets.
pub fn build_injected_env_map(
row: &Secret,
prefix: &str,
master_key: &[u8; 32],
) -> Result<HashMap<String, String>> {
let effective_prefix = env_prefix(row, prefix);
let mut map = build_metadata_env_map(row, prefix);
if !row.encrypted.is_empty() {
let decrypted = crypto::decrypt_json(master_key, &row.encrypted)?; let decrypted = crypto::decrypt_json(master_key, &row.encrypted)?;
if let Some(enc) = decrypted.as_object() { if let Some(enc) = decrypted.as_object() {
for (k, v) in enc { for (k, v) in enc {
@@ -284,23 +317,7 @@ fn json_value_to_env_string(v: &Value) -> String {
} }
} }
/// Decrypt the encrypted blob for a row. Returns an empty object on empty blobs. fn to_json(row: &Secret, summary: bool) -> Value {
fn try_decrypt(row: &Secret, master_key: Option<&[u8; 32]>) -> Result<Value> {
if row.encrypted.is_empty() {
return Ok(Value::Object(Default::default()));
}
let key = master_key.ok_or_else(|| {
anyhow::anyhow!("master key required to decrypt secrets (run `secrets init`)")
})?;
crypto::decrypt_json(key, &row.encrypted)
}
fn to_json(
row: &Secret,
show_secrets: bool,
summary: bool,
master_key: Option<&[u8; 32]>,
) -> Value {
if summary { if summary {
let desc = row let desc = row
.metadata .metadata
@@ -319,11 +336,8 @@ fn to_json(
}); });
} }
let secrets_val = if show_secrets { let secrets_val = if row.encrypted.is_empty() {
match try_decrypt(row, master_key) { Value::Object(Default::default())
Ok(v) => v,
Err(e) => json!({"_error": e.to_string()}),
}
} else { } else {
json!({"_encrypted": true}) json!({"_encrypted": true})
}; };
@@ -342,12 +356,7 @@ fn to_json(
}) })
} }
fn print_text( fn print_text(row: &Secret, summary: bool) -> Result<()> {
row: &Secret,
show_secrets: bool,
summary: bool,
master_key: Option<&[u8; 32]>,
) -> Result<()> {
println!("[{}/{}] {}", row.namespace, row.kind, row.name); println!("[{}/{}] {}", row.namespace, row.kind, row.name);
if summary { if summary {
let desc = row let desc = row
@@ -360,10 +369,7 @@ fn print_text(
println!(" tags: [{}]", row.tags.join(", ")); println!(" tags: [{}]", row.tags.join(", "));
} }
println!(" desc: {}", desc); println!(" desc: {}", desc);
println!( println!(" updated: {}", format_local_time(row.updated_at));
" updated: {}",
row.updated_at.format("%Y-%m-%d %H:%M:%S UTC")
);
} else { } else {
println!(" id: {}", row.id); println!(" id: {}", row.id);
if !row.tags.is_empty() { if !row.tags.is_empty() {
@@ -376,61 +382,33 @@ fn print_text(
); );
} }
if !row.encrypted.is_empty() { if !row.encrypted.is_empty() {
if show_secrets { println!(" secrets: [encrypted] (use `secrets inject` or `secrets run`)");
match try_decrypt(row, master_key) {
Ok(v) => println!(" secrets: {}", serde_json::to_string_pretty(&v)?),
Err(e) => println!(" secrets: [decrypt error: {}]", e),
}
} else {
println!(" secrets: [encrypted] (--show-secrets to reveal)");
}
} }
println!( println!(" created: {}", format_local_time(row.created_at));
" created: {}",
row.created_at.format("%Y-%m-%d %H:%M:%S UTC")
);
} }
println!(); println!();
Ok(()) Ok(())
} }
/// Extract one or more field paths like `metadata.url` or `secret.token`. /// Extract one or more field paths like `metadata.url`.
fn print_fields(rows: &[Secret], fields: &[String], master_key: Option<&[u8; 32]>) -> Result<()> { fn print_fields(rows: &[Secret], fields: &[String]) -> Result<()> {
for row in rows { for row in rows {
let decrypted: Option<Value> = if fields
.iter()
.any(|f| f.starts_with("secret") || f.starts_with("encrypted"))
{
Some(try_decrypt(row, master_key)?)
} else {
None
};
for field in fields { for field in fields {
let val = extract_field(row, field, decrypted.as_ref())?; let val = extract_field(row, field)?;
println!("{}", val); println!("{}", val);
} }
} }
Ok(()) Ok(())
} }
fn extract_field(row: &Secret, field: &str, decrypted: Option<&Value>) -> Result<String> { fn extract_field(row: &Secret, field: &str) -> Result<String> {
let (section, key) = field.split_once('.').ok_or_else(|| { let (section, key) = field
anyhow::anyhow!( .split_once('.')
"Invalid field path '{}'. Use metadata.<key> or secret.<key>", .ok_or_else(|| anyhow::anyhow!("Invalid field path '{}'. Use metadata.<key>.", field))?;
field
)
})?;
let obj = match section { let obj = match section {
"metadata" | "meta" => &row.metadata, "metadata" | "meta" => &row.metadata,
"secret" | "secrets" | "encrypted" => { other => anyhow::bail!("Unknown field section '{}'. Use 'metadata'.", other),
decrypted.ok_or_else(|| anyhow::anyhow!("secret field requires master key"))?
}
other => anyhow::bail!(
"Unknown field section '{}'. Use 'metadata' or 'secret'",
other
),
}; };
obj.get(key) obj.get(key)
@@ -449,3 +427,70 @@ fn extract_field(row: &Secret, field: &str, decrypted: Option<&Value>) -> Result
) )
}) })
} }
#[cfg(test)]
mod tests {
use super::*;
use chrono::Utc;
use serde_json::json;
use uuid::Uuid;
fn sample_secret() -> Secret {
let key = [0x42u8; 32];
let encrypted = crypto::encrypt_json(&key, &json!({"token": "abc123"})).unwrap();
Secret {
id: Uuid::nil(),
namespace: "refining".to_string(),
kind: "service".to_string(),
name: "gitea.main".to_string(),
tags: vec!["prod".to_string()],
metadata: json!({"url": "https://gitea.refining.dev", "enabled": true}),
encrypted,
version: 1,
created_at: Utc::now(),
updated_at: Utc::now(),
}
}
#[test]
fn rejects_show_secrets_flag() {
let err = validate_safe_search_args(true, &[]).unwrap_err();
assert!(err.to_string().contains("no longer reveals secrets"));
}
#[test]
fn rejects_secret_field_extraction() {
let fields = vec!["secret.token".to_string()];
let err = validate_safe_search_args(false, &fields).unwrap_err();
assert!(err.to_string().contains("sensitive"));
}
#[test]
fn metadata_env_map_excludes_secret_values() {
let row = sample_secret();
let map = build_metadata_env_map(&row, "");
assert_eq!(
map.get("GITEA_MAIN_URL").map(String::as_str),
Some("https://gitea.refining.dev")
);
assert_eq!(
map.get("GITEA_MAIN_ENABLED").map(String::as_str),
Some("true")
);
assert!(!map.contains_key("GITEA_MAIN_TOKEN"));
}
#[test]
fn injected_env_map_includes_secret_values() {
let row = sample_secret();
let key = [0x42u8; 32];
let map = build_injected_env_map(&row, "", &key).unwrap();
assert_eq!(
map.get("GITEA_MAIN_TOKEN").map(String::as_str),
Some("abc123")
);
}
}

394
src/commands/upgrade.rs Normal file
View File

@@ -0,0 +1,394 @@
use anyhow::{Context, Result, bail};
use flate2::read::GzDecoder;
use serde::Deserialize;
use sha2::{Digest, Sha256};
use std::io::{Cursor, Read, Write};
use std::time::Duration;
const GITEA_API: &str = "https://gitea.refining.dev/api/v1/repos/refining/secrets/releases/latest";
const CURRENT_VERSION: &str = env!("CARGO_PKG_VERSION");
#[derive(Debug, Deserialize)]
struct Release {
tag_name: String,
assets: Vec<Asset>,
}
#[derive(Debug, Deserialize)]
struct Asset {
name: String,
browser_download_url: String,
}
fn available_assets(assets: &[Asset]) -> String {
assets
.iter()
.map(|a| a.name.as_str())
.collect::<Vec<_>>()
.join(", ")
}
fn release_asset_name(tag_name: &str, suffix: &str) -> String {
format!("secrets-{tag_name}-{suffix}")
}
fn find_asset_by_name<'a>(assets: &'a [Asset], name: &str) -> Result<&'a Asset> {
assets.iter().find(|a| a.name == name).with_context(|| {
format!(
"no matching release asset found: {name}\navailable: {}",
available_assets(assets)
)
})
}
/// Detect the asset suffix for the current platform/arch at compile time.
fn platform_asset_suffix() -> Result<&'static str> {
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
{
Ok("x86_64-linux-musl.tar.gz")
}
#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
{
Ok("aarch64-macos.tar.gz")
}
#[cfg(all(target_os = "macos", target_arch = "x86_64"))]
{
Ok("x86_64-macos.tar.gz")
}
#[cfg(all(target_os = "windows", target_arch = "x86_64"))]
{
Ok("x86_64-windows.zip")
}
#[cfg(not(any(
all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "macos", target_arch = "aarch64"),
all(target_os = "macos", target_arch = "x86_64"),
all(target_os = "windows", target_arch = "x86_64"),
)))]
bail!(
"Unsupported platform: {}/{}",
std::env::consts::OS,
std::env::consts::ARCH
)
}
/// Strip the "secrets-" prefix from the tag and parse as semver.
fn parse_tag_version(tag: &str) -> Result<semver::Version> {
let ver_str = tag
.strip_prefix("secrets-")
.with_context(|| format!("unexpected tag format: {tag}"))?;
semver::Version::parse(ver_str)
.with_context(|| format!("failed to parse version from tag: {tag}"))
}
fn sha256_hex(bytes: &[u8]) -> String {
let digest = Sha256::digest(bytes);
format!("{digest:x}")
}
fn verify_checksum(asset_name: &str, archive: &[u8], checksum_contents: &str) -> Result<String> {
let expected_checksum = parse_checksum_file(checksum_contents)?;
let actual_checksum = sha256_hex(archive);
if actual_checksum != expected_checksum {
bail!(
"checksum verification failed for {}: expected {}, got {}",
asset_name,
expected_checksum,
actual_checksum
);
}
Ok(actual_checksum)
}
fn parse_checksum_file(contents: &str) -> Result<String> {
let checksum = contents
.split_whitespace()
.next()
.context("checksum file is empty")?
.trim()
.to_ascii_lowercase();
if checksum.len() != 64 || !checksum.bytes().all(|b| b.is_ascii_hexdigit()) {
bail!("invalid SHA-256 checksum format")
}
Ok(checksum)
}
async fn download_bytes(client: &reqwest::Client, url: &str, context: &str) -> Result<Vec<u8>> {
Ok(client
.get(url)
.send()
.await
.with_context(|| format!("{context}: request failed"))?
.error_for_status()
.with_context(|| format!("{context}: server returned an error"))?
.bytes()
.await
.with_context(|| format!("{context}: failed to read response body"))?
.to_vec())
}
/// Extract the binary from a tar.gz archive (first file whose name == "secrets").
fn extract_from_targz(bytes: &[u8]) -> Result<Vec<u8>> {
let gz = GzDecoder::new(Cursor::new(bytes));
let mut archive = tar::Archive::new(gz);
for entry in archive.entries().context("failed to read tar entries")? {
let mut entry = entry.context("bad tar entry")?;
let path = entry.path().context("bad tar entry path")?.into_owned();
let fname = path
.file_name()
.and_then(|n| n.to_str())
.unwrap_or_default();
if fname == "secrets" || fname == "secrets.exe" {
let mut buf = Vec::new();
entry.read_to_end(&mut buf).context("read tar entry")?;
return Ok(buf);
}
}
bail!("binary not found inside tar.gz archive")
}
/// Extract the binary from a zip archive (first file whose name matches).
#[cfg(target_os = "windows")]
fn extract_from_zip(bytes: &[u8]) -> Result<Vec<u8>> {
let reader = Cursor::new(bytes);
let mut archive = zip::ZipArchive::new(reader).context("failed to open zip archive")?;
for i in 0..archive.len() {
let mut file = archive.by_index(i).context("bad zip entry")?;
let fname = file.name().to_owned();
if fname.ends_with("secrets.exe") || fname.ends_with("secrets") {
let mut buf = Vec::new();
file.read_to_end(&mut buf).context("read zip entry")?;
return Ok(buf);
}
}
bail!("binary not found inside zip archive")
}
pub async fn run(check_only: bool) -> Result<()> {
let current = semver::Version::parse(CURRENT_VERSION).context("invalid current version")?;
println!("Current version: v{current}");
println!("Checking for updates...");
let client = reqwest::Client::builder()
.user_agent(format!("secrets-cli/{CURRENT_VERSION}"))
.connect_timeout(Duration::from_secs(10))
.timeout(Duration::from_secs(120))
.build()
.context("failed to build HTTP client")?;
let release: Release = client
.get(GITEA_API)
.send()
.await
.context("failed to fetch release info from Gitea")?
.error_for_status()
.context("Gitea API returned an error")?
.json()
.await
.context("failed to parse release JSON")?;
let latest = parse_tag_version(&release.tag_name)?;
if latest <= current {
println!("Already up to date (v{current})");
return Ok(());
}
println!("New version available: v{latest}");
if check_only {
println!("Run `secrets upgrade` to update.");
return Ok(());
}
let suffix = platform_asset_suffix()?;
let asset_name = release_asset_name(&release.tag_name, suffix);
let asset = find_asset_by_name(&release.assets, &asset_name)?;
let checksum_name = format!("{}.sha256", asset.name);
let checksum_asset = find_asset_by_name(&release.assets, &checksum_name)?;
println!("Downloading {}...", asset.name);
let archive = download_bytes(&client, &asset.browser_download_url, "archive download").await?;
let checksum_contents = download_bytes(
&client,
&checksum_asset.browser_download_url,
"checksum download",
)
.await?;
let actual_checksum = verify_checksum(
&asset.name,
&archive,
std::str::from_utf8(&checksum_contents).context("checksum file is not valid UTF-8")?,
)?;
println!("Verified SHA-256: {actual_checksum}");
println!("Extracting...");
let binary = if suffix.ends_with(".tar.gz") {
extract_from_targz(&archive)?
} else {
#[cfg(target_os = "windows")]
{
extract_from_zip(&archive)?
}
#[cfg(not(target_os = "windows"))]
bail!("zip extraction is only supported on Windows")
};
// Write to a temporary file, set executable permission, then atomically replace.
let mut tmp = tempfile::NamedTempFile::new().context("failed to create temp file")?;
tmp.write_all(&binary)
.context("failed to write temp binary")?;
#[cfg(unix)]
{
use std::os::unix::fs::PermissionsExt;
let perms = std::fs::Permissions::from_mode(0o755);
std::fs::set_permissions(tmp.path(), perms).context("failed to chmod temp binary")?;
}
self_replace::self_replace(tmp.path()).context("failed to replace current binary")?;
println!("Updated: v{current} → v{latest}");
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
use flate2::Compression;
use flate2::write::GzEncoder;
use tar::Builder;
#[test]
fn parse_tag_version_accepts_release_tag() {
let version = parse_tag_version("secrets-0.6.1").expect("version should parse");
assert_eq!(version, semver::Version::new(0, 6, 1));
}
#[test]
fn parse_tag_version_rejects_invalid_tag() {
let err = parse_tag_version("v0.6.1").expect_err("tag should be rejected");
assert!(err.to_string().contains("unexpected tag format"));
}
#[test]
fn parse_checksum_file_accepts_sha256sum_format() {
let checksum = parse_checksum_file(
"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef secrets.tar.gz",
)
.expect("checksum should parse");
assert_eq!(
checksum,
"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
);
}
#[test]
fn parse_checksum_file_rejects_invalid_checksum() {
let err = parse_checksum_file("not-a-sha256").expect_err("checksum should be rejected");
assert!(err.to_string().contains("invalid SHA-256 checksum format"));
}
#[test]
fn release_asset_name_matches_release_tag() {
assert_eq!(
release_asset_name("secrets-0.7.0", "x86_64-linux-musl.tar.gz"),
"secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz"
);
}
#[test]
fn find_asset_by_name_rejects_stale_platform_match() {
let assets = vec![
Asset {
name: "secrets-secrets-0.6.9-x86_64-linux-musl.tar.gz".into(),
browser_download_url: "https://example.invalid/old".into(),
},
Asset {
name: "secrets-secrets-0.7.0-aarch64-macos.tar.gz".into(),
browser_download_url: "https://example.invalid/other".into(),
},
];
let err = find_asset_by_name(&assets, "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz")
.expect_err("stale asset should not match");
assert!(err.to_string().contains("no matching release asset found"));
}
#[test]
fn sha256_hex_matches_known_value() {
assert_eq!(
sha256_hex(b"abc"),
"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
);
}
#[test]
fn verify_checksum_rejects_mismatch() {
let err = verify_checksum(
"secrets.tar.gz",
b"abc",
"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef secrets.tar.gz",
)
.expect_err("checksum mismatch should fail");
assert!(err.to_string().contains("checksum verification failed"));
}
#[test]
fn extract_from_targz_reads_binary() {
let payload = b"fake-secrets-binary";
let archive = make_test_targz("secrets", payload);
let extracted = extract_from_targz(&archive).expect("binary should extract");
assert_eq!(extracted, payload);
}
fn make_test_targz(name: &str, payload: &[u8]) -> Vec<u8> {
let encoder = GzEncoder::new(Vec::new(), Compression::default());
let mut builder = Builder::new(encoder);
let mut header = tar::Header::new_gnu();
header.set_mode(0o755);
header.set_size(payload.len() as u64);
header.set_cksum();
builder
.append_data(&mut header, name, payload)
.expect("append tar entry");
let encoder = builder.into_inner().expect("finish tar builder");
encoder.finish().expect("finish gzip")
}
#[cfg(target_os = "windows")]
#[test]
fn extract_from_zip_reads_binary() {
use zip::write::SimpleFileOptions;
let cursor = Cursor::new(Vec::<u8>::new());
let mut writer = zip::ZipWriter::new(cursor);
writer
.start_file("secrets.exe", SimpleFileOptions::default())
.expect("start zip file");
writer
.write_all(b"fake-secrets-binary")
.expect("write zip payload");
let bytes = writer.finish().expect("finish zip").into_inner();
let extracted = extract_from_zip(&bytes).expect("binary should extract");
assert_eq!(extracted, b"fake-secrets-binary");
}
}

9
src/crypto.rs
View File

@@ -105,15 +105,6 @@ pub fn store_master_key(key: &[u8; 32]) -> Result<()> {
Ok(()) Ok(())
} }
/// Delete the Master Key from the OS Keychain (used by tests / reset).
#[cfg(test)]
pub fn delete_master_key() -> Result<()> {
let entry =
keyring::Entry::new(KEYRING_SERVICE, KEYRING_USER).context("create keychain entry")?;
let _ = entry.delete_credential();
Ok(())
}
// ─── Minimal hex helpers (avoid extra dep) ──────────────────────────────────── // ─── Minimal hex helpers (avoid extra dep) ────────────────────────────────────
mod hex { mod hex {

2
src/db.rs
View File

@@ -6,7 +6,7 @@ pub async fn create_pool(database_url: &str) -> Result<PgPool> {
tracing::debug!("connecting to database"); tracing::debug!("connecting to database");
let pool = PgPoolOptions::new() let pool = PgPoolOptions::new()
.max_connections(5) .max_connections(5)
.acquire_timeout(std::time::Duration::from_secs(10)) .acquire_timeout(std::time::Duration::from_secs(5))
.connect(database_url) .connect(database_url)
.await?; .await?;
tracing::debug!("database connection established"); tracing::debug!("database connection established");

60
src/main.rs
View File

@@ -28,13 +28,16 @@ use output::resolve_output_mode;
secrets search --summary --limit 20 secrets search --summary --limit 20
# Precise lookup (JSON output for easy parsing) # Precise lookup (JSON output for easy parsing)
secrets search -n refining --kind service --name gitea -o json --show-secrets secrets search -n refining --kind service --name gitea -o json
# Extract a single field value directly # Extract a single metadata field directly
secrets search -n refining --kind service --name gitea -f secret.token secrets search -n refining --kind service --name gitea -f metadata.url
# Pipe-friendly (non-TTY defaults to json-compact automatically) # Pipe-friendly (non-TTY defaults to json-compact automatically)
secrets search -n refining --kind service | jq '.[].name'" secrets search -n refining --kind service | jq '.[].name'
# Inject secrets into environment variables when you really need them
secrets inject -n refining --kind service --name gitea"
)] )]
struct Cli { struct Cli {
/// Database URL, overrides saved config (one-time override) /// Database URL, overrides saved config (one-time override)
@@ -129,19 +132,19 @@ EXAMPLES:
# Fuzzy keyword search (matches name, namespace, kind, tags, metadata) # Fuzzy keyword search (matches name, namespace, kind, tags, metadata)
secrets search -q mqtt secrets search -q mqtt
# Extract a single field value (implies --show-secrets for secret.*) # Extract a single metadata field value
secrets search -n refining --kind service --name gitea -f secret.token
secrets search -n refining --kind service --name gitea -f metadata.url secrets search -n refining --kind service --name gitea -f metadata.url
# Multiple fields at once # Multiple fields at once
secrets search -n refining --kind service --name gitea \\ secrets search -n refining --kind service --name gitea \\
-f metadata.url -f metadata.default_org -f secret.token -f metadata.url -f metadata.default_org
# Full JSON output with secrets revealed (ideal for AI parsing) # Export metadata as env vars (single record only)
secrets search -n refining --kind service --name gitea -o json --show-secrets secrets search -n refining --kind service --name gitea -o env
# Export as env vars (source-able; single record only) # Inject decrypted secrets only when needed
secrets search -n refining --kind service --name gitea -o env --show-secrets secrets inject -n refining --kind service --name gitea
secrets run -n refining --kind service --name gitea -- printenv
# Paginate large result sets # Paginate large result sets
secrets search -n refining --summary --limit 10 --offset 0 secrets search -n refining --summary --limit 10 --offset 0
@@ -151,8 +154,7 @@ EXAMPLES:
secrets search --sort updated --limit 5 --summary secrets search --sort updated --limit 5 --summary
# Non-TTY / pipe: output is json-compact by default # Non-TTY / pipe: output is json-compact by default
secrets search -n refining --kind service | jq '.[].name' secrets search -n refining --kind service | jq '.[].name'")]
secrets search -n refining --kind service --name gitea --show-secrets | jq '.secrets.token'")]
Search { Search {
/// Filter by namespace, e.g. refining, ricnsmart /// Filter by namespace, e.g. refining, ricnsmart
#[arg(short, long)] #[arg(short, long)]
@@ -169,10 +171,10 @@ EXAMPLES:
/// Fuzzy keyword (matches name, namespace, kind, tags, metadata text) /// Fuzzy keyword (matches name, namespace, kind, tags, metadata text)
#[arg(short, long)] #[arg(short, long)]
query: Option<String>, query: Option<String>,
/// Reveal encrypted secret values in output /// Deprecated: search never reveals secrets; use inject/run instead
#[arg(long)] #[arg(long)]
show_secrets: bool, show_secrets: bool,
/// Extract field value(s) directly: metadata.<key> or secret.<key> (repeatable) /// Extract metadata field value(s) directly: metadata.<key> (repeatable)
#[arg(short = 'f', long = "field")] #[arg(short = 'f', long = "field")]
fields: Vec<String>, fields: Vec<String>,
/// Return lightweight summary only (namespace, kind, name, tags, desc, updated_at) /// Return lightweight summary only (namespace, kind, name, tags, desc, updated_at)
@@ -388,6 +390,22 @@ EXAMPLES:
#[arg(last = true, required = true)] #[arg(last = true, required = true)]
command: Vec<String>, command: Vec<String>,
}, },
/// Check for a newer version and update the binary in-place.
///
/// Downloads the latest release from Gitea and replaces the current binary.
/// No database connection or master key required.
#[command(after_help = "EXAMPLES:
# Check for updates only (no download)
secrets upgrade --check
# Download and install the latest version
secrets upgrade")]
Upgrade {
/// Only check if a newer version is available; do not download
#[arg(long)]
check: bool,
},
} }
#[derive(Subcommand)] #[derive(Subcommand)]
@@ -422,6 +440,11 @@ async fn main() -> Result<()> {
return commands::config::run(action).await; return commands::config::run(action).await;
} }
// upgrade needs no database or master key either
if let Commands::Upgrade { check } = cli.command {
return commands::upgrade::run(check).await;
}
let db_url = config::resolve_db_url(&cli.db_url)?; let db_url = config::resolve_db_url(&cli.db_url)?;
let pool = db::create_pool(&db_url).await?; let pool = db::create_pool(&db_url).await?;
db::migrate(&pool).await?; db::migrate(&pool).await?;
@@ -435,7 +458,7 @@ async fn main() -> Result<()> {
// except delete which operates on plaintext metadata only. // except delete which operates on plaintext metadata only.
match cli.command { match cli.command {
Commands::Init | Commands::Config { .. } => unreachable!(), Commands::Init | Commands::Config { .. } | Commands::Upgrade { .. } => unreachable!(),
Commands::Add { Commands::Add {
namespace, namespace,
@@ -480,9 +503,7 @@ async fn main() -> Result<()> {
sort, sort,
output, output,
} => { } => {
let master_key = crypto::load_master_key()?;
let _span = tracing::info_span!("cmd", command = "search").entered(); let _span = tracing::info_span!("cmd", command = "search").entered();
let show = show_secrets || fields.iter().any(|f| f.starts_with("secret"));
let out = resolve_output_mode(output.as_deref())?; let out = resolve_output_mode(output.as_deref())?;
commands::search::run( commands::search::run(
&pool, &pool,
@@ -492,7 +513,7 @@ async fn main() -> Result<()> {
name: name.as_deref(), name: name.as_deref(),
tags: &tag, tags: &tag,
query: query.as_deref(), query: query.as_deref(),
show_secrets: show, show_secrets,
fields: &fields, fields: &fields,
summary, summary,
limit, limit,
@@ -500,7 +521,6 @@ async fn main() -> Result<()> {
sort: &sort, sort: &sort,
output: out, output: out,
}, },
Some(&master_key),
) )
.await?; .await?;
} }

8
src/output.rs
View File

@@ -1,3 +1,4 @@
use chrono::{DateTime, Local, Utc};
use std::io::IsTerminal; use std::io::IsTerminal;
use std::str::FromStr; use std::str::FromStr;
@@ -45,3 +46,10 @@ pub fn resolve_output_mode(explicit: Option<&str>) -> anyhow::Result<OutputMode>
Ok(OutputMode::JsonCompact) Ok(OutputMode::JsonCompact)
} }
} }
/// Format a UTC timestamp for local human-readable output.
pub fn format_local_time(dt: DateTime<Utc>) -> String {
dt.with_timezone(&Local)
.format("%Y-%m-%d %H:%M:%S %:z")
.to_string()
}