chore: bump to 0.7.1, workflow/readme/init/upgrade updates, fix clippy needless_borrows

Made-with: Cursor

.gitea/workflows/secrets.yml

@@ -7,7 +7,6 @@ on:
       - 'src/**'
       - 'Cargo.toml'
       - 'Cargo.lock'
-      - '.gitea/workflows/secrets.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -56,6 +55,13 @@ jobs:
             echo "将创建新版本 ${tag}"
           fi
 
+      - name: 严格拦截重复版本
+        if: steps.ver.outputs.tag_exists == 'true'
+        run: |
+          echo "错误: 版本 ${{ steps.ver.outputs.tag }} 已存在，禁止重复发版。"
+          echo "请先 bump Cargo.toml 中的 version，并执行 cargo build 同步 Cargo.lock。"
+          exit 1
+
       - name: 创建 Tag
         if: steps.ver.outputs.tag_exists == 'false'
         run: |
@@ -327,11 +333,14 @@ jobs:
       - name: 安装依赖
         shell: pwsh
         run: |
+          $cargoBin = Join-Path $env:USERPROFILE ".cargo\bin"
           if (-not (Get-Command cargo -ErrorAction SilentlyContinue)) {
             Invoke-WebRequest -Uri "https://win.rustup.rs/x86_64" -OutFile rustup-init.exe
             .\rustup-init.exe -y --default-toolchain stable
             Remove-Item rustup-init.exe
           }
+          $env:Path = "$cargoBin;$env:Path"
+          Add-Content -Path $env:GITHUB_PATH -Value $cargoBin
           rustup target add x86_64-pc-windows-msvc
 
       - uses: actions/checkout@v4

AGENTS.md

@@ -1,5 +1,12 @@
 # Secrets CLI — AGENTS.md
 
+## 提交 / 发版硬规则（优先于下文其他说明）
+
+1. 涉及 `src/**`、`Cargo.toml`、`Cargo.lock`、CLI 行为变更的提交，默认视为**需要发版**，除非用户明确说明“本次不发版”。
+2. 发版前必须先检查 `Cargo.toml` 中的 `version`，再检查是否已存在对应 tag：`git tag -l 'secrets-*'`。
+3. 若当前版本对应 tag 已存在，必须先 bump `Cargo.toml` 的 `version`，再执行 `cargo build` 同步 `Cargo.lock`，然后才能提交。
+4. 提交前优先运行 `./scripts/release-check.sh`；该脚本会检查重复版本并执行 `cargo fmt -- --check && cargo clippy --locked -- -D warnings && cargo test --locked`。
+
 跨设备密钥与配置管理 CLI 工具，将 refining / ricnsmart 两个项目的服务器信息、服务凭据存储到 PostgreSQL 18，供 AI 工具读取上下文。敏感数据（encrypted 字段）使用 AES-256-GCM 加密，主密钥由 Argon2id 从主密码派生并存入平台安全存储（macOS Keychain / Windows Credential Manager / Linux keyutils）。
 
 ## 项目结构
@@ -25,6 +32,7 @@ secrets/
       run.rs             # inject / run 命令：临时环境变量注入
       upgrade.rs         # upgrade 命令：检查、校验摘要并下载最新版本，自动替换二进制
   scripts/
+    release-check.sh        # 发版前检查版本号/tag 是否重复，并执行 fmt/clippy/test
     setup-gitea-actions.sh  # 配置 Gitea Actions 变量与 Secrets
   .gitea/workflows/
     secrets.yml          # CI：fmt + clippy + musl 构建 + Release 上传 + 飞书通知
@@ -466,6 +474,14 @@ secrets --db-url "postgres://..." search -n refining
 
 每次提交代码前，请在本地依次执行以下检查，**全部通过后再 push**：
 
+优先使用：
+
+```bash
+./scripts/release-check.sh
+```
+
+它等价于先检查版本号 / tag，再执行下面的格式、Lint、测试。
+
 ### 1. 版本号（按需）
 
 若本次改动需要发版，请先确认 `Cargo.toml` 中的 `version` 已提升，避免 CI 打出的 Tag 与已有版本重复。**升级版本后需同时更新 `Cargo.lock`**（运行 `cargo build` 即可自动同步），否则 CI 中 `cargo clippy --locked` 会因 lock 与 manifest 不一致而失败。可通过 git tag 判断：

Cargo.lock

@@ -1836,7 +1836,7 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
 [[package]]
 name = "secrets"
-version = "0.7.0"
+version = "0.7.1"
 dependencies = [
  "aes-gcm",
  "anyhow",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "secrets"
-version = "0.7.0"
+version = "0.7.1"
 edition = "2024"
 
 [dependencies]

README.md

@@ -19,11 +19,11 @@ cargo build --release
 # 1. 配置数据库连接（会先验证连接可用再写入）
 secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"
 
-# 2. 初始化主密钥（提示输入主密码，派生后存入 OS 钥匙串）
+# 2. 初始化主密钥（提示输入至少 8 位的主密码，派生后存入 OS 钥匙串）
 secrets init
 ```
 
-主密码不会存储，仅用于派生主密钥。同一主密码在所有设备上会得到相同主密钥（salt 存于数据库，首台设备生成后共享）。
+主密码不会存储，仅用于派生主密钥，且至少需 8 位。同一主密码在所有设备上会得到相同主密钥（salt 存于数据库，首台设备生成后共享）。
 
 **主密钥存储**：macOS → Keychain；Windows → Credential Manager；Linux → keyutils（会话级，重启后需再次 `secrets init`）。
 
@@ -131,7 +131,7 @@ secrets update -n refining --kind service --name mqtt --remove-meta old_port --r
 secrets delete -n refining --kind service --name legacy-mqtt
 
 # ── init ─────────────────────────────────────────────────────────────────────
-secrets init              # 主密钥初始化（每台设备一次，主密码派生后存钥匙串）
+secrets init              # 主密钥初始化（每台设备一次，主密码至少 8 位，派生后存钥匙串）
 
 # ── config ───────────────────────────────────────────────────────────────────
 secrets config set-db "postgres://postgres:<password>@<host>:<port>/secrets"   # 先验证再写入

scripts/release-check.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$repo_root"
+
+version="$(grep -m1 '^version' Cargo.toml | sed 's/.*"\(.*\)".*/\1/')"
+tag="secrets-${version}"
+
+echo "==> 当前版本: ${version}"
+echo "==> 检查是否已存在 tag: ${tag}"
+
+if git rev-parse "refs/tags/${tag}" >/dev/null 2>&1; then
+  echo "错误: 已存在 tag ${tag}"
+  echo "请先 bump Cargo.toml 中的 version，再执行 cargo build 同步 Cargo.lock。"
+  exit 1
+fi
+
+echo "==> 未发现重复 tag，开始执行检查"
+cargo fmt -- --check
+cargo clippy --locked -- -D warnings
+cargo test --locked

src/commands/init.rs

@@ -4,15 +4,23 @@ use sqlx::PgPool;
 
 use crate::{crypto, db};
 
+const MIN_MASTER_PASSWORD_LEN: usize = 8;
+
 pub async fn run(pool: &PgPool) -> Result<()> {
     println!("Initializing secrets master key...");
     println!();
 
     // Read password (no echo)
-    let password =
-        rpassword::prompt_password("Enter master password: ").context("failed to read password")?;
-    if password.is_empty() {
-        anyhow::bail!("Master password must not be empty.");
+    let password = rpassword::prompt_password(format!(
+        "Enter master password (at least {} characters): ",
+        MIN_MASTER_PASSWORD_LEN
+    ))
+    .context("failed to read password")?;
+    if password.chars().count() < MIN_MASTER_PASSWORD_LEN {
+        anyhow::bail!(
+            "Master password must be at least {} characters.",
+            MIN_MASTER_PASSWORD_LEN
+        );
     }
     let confirm = rpassword::prompt_password("Confirm master password: ")
         .context("failed to read password confirmation")?;

src/commands/upgrade.rs

@@ -3,6 +3,7 @@ use flate2::read::GzDecoder;
 use serde::Deserialize;
 use sha2::{Digest, Sha256};
 use std::io::{Cursor, Read, Write};
+use std::time::Duration;
 
 const GITEA_API: &str = "https://gitea.refining.dev/api/v1/repos/refining/secrets/releases/latest";
 
@@ -28,13 +29,14 @@ fn available_assets(assets: &[Asset]) -> String {
         .join(", ")
 }
 
-fn find_asset_by_suffix<'a>(assets: &'a [Asset], suffix: &str) -> Result<&'a Asset> {
-    assets
-        .iter()
-        .find(|a| a.name.ends_with(suffix))
-        .with_context(|| {
+fn release_asset_name(tag_name: &str, suffix: &str) -> String {
+    format!("secrets-{tag_name}-{suffix}")
+}
+
+fn find_asset_by_name<'a>(assets: &'a [Asset], name: &str) -> Result<&'a Asset> {
+    assets.iter().find(|a| a.name == name).with_context(|| {
         format!(
-                "no asset found for this platform (looking for suffix: {suffix})\navailable: {}",
+            "no matching release asset found: {name}\navailable: {}",
             available_assets(assets)
         )
     })
@@ -89,6 +91,22 @@ fn sha256_hex(bytes: &[u8]) -> String {
     format!("{digest:x}")
 }
 
+fn verify_checksum(asset_name: &str, archive: &[u8], checksum_contents: &str) -> Result<String> {
+    let expected_checksum = parse_checksum_file(checksum_contents)?;
+    let actual_checksum = sha256_hex(archive);
+
+    if actual_checksum != expected_checksum {
+        bail!(
+            "checksum verification failed for {}: expected {}, got {}",
+            asset_name,
+            expected_checksum,
+            actual_checksum
+        );
+    }
+
+    Ok(actual_checksum)
+}
+
 fn parse_checksum_file(contents: &str) -> Result<String> {
     let checksum = contents
         .split_whitespace()
@@ -163,6 +181,8 @@ pub async fn run(check_only: bool) -> Result<()> {
 
     let client = reqwest::Client::builder()
         .user_agent(format!("secrets-cli/{CURRENT_VERSION}"))
+        .connect_timeout(Duration::from_secs(10))
+        .timeout(Duration::from_secs(120))
         .build()
         .context("failed to build HTTP client")?;
 
@@ -192,18 +212,10 @@ pub async fn run(check_only: bool) -> Result<()> {
     }
 
     let suffix = platform_asset_suffix()?;
-    let asset = find_asset_by_suffix(&release.assets, suffix)?;
+    let asset_name = release_asset_name(&release.tag_name, suffix);
+    let asset = find_asset_by_name(&release.assets, &asset_name)?;
     let checksum_name = format!("{}.sha256", asset.name);
-    let checksum_asset = release
-        .assets
-        .iter()
-        .find(|a| a.name == checksum_name)
-        .with_context(|| {
-            format!(
-                "missing checksum asset for download: {checksum_name}\navailable: {}",
-                available_assets(&release.assets)
-            )
-        })?;
+    let checksum_asset = find_asset_by_name(&release.assets, &checksum_name)?;
 
     println!("Downloading {}...", asset.name);
 
@@ -214,19 +226,11 @@ pub async fn run(check_only: bool) -> Result<()> {
         "checksum download",
     )
     .await?;
-    let expected_checksum = parse_checksum_file(
+    let actual_checksum = verify_checksum(
+        &asset.name,
+        &archive,
         std::str::from_utf8(&checksum_contents).context("checksum file is not valid UTF-8")?,
     )?;
-    let actual_checksum = sha256_hex(&archive);
-
-    if actual_checksum != expected_checksum {
-        bail!(
-            "checksum verification failed for {}: expected {}, got {}",
-            asset.name,
-            expected_checksum,
-            actual_checksum
-        );
-    }
 
     println!("Verified SHA-256: {actual_checksum}");
 
@@ -298,6 +302,33 @@ mod tests {
         assert!(err.to_string().contains("invalid SHA-256 checksum format"));
     }
 
+    #[test]
+    fn release_asset_name_matches_release_tag() {
+        assert_eq!(
+            release_asset_name("secrets-0.7.0", "x86_64-linux-musl.tar.gz"),
+            "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz"
+        );
+    }
+
+    #[test]
+    fn find_asset_by_name_rejects_stale_platform_match() {
+        let assets = vec![
+            Asset {
+                name: "secrets-secrets-0.6.9-x86_64-linux-musl.tar.gz".into(),
+                browser_download_url: "https://example.invalid/old".into(),
+            },
+            Asset {
+                name: "secrets-secrets-0.7.0-aarch64-macos.tar.gz".into(),
+                browser_download_url: "https://example.invalid/other".into(),
+            },
+        ];
+
+        let err = find_asset_by_name(&assets, "secrets-secrets-0.7.0-x86_64-linux-musl.tar.gz")
+            .expect_err("stale asset should not match");
+
+        assert!(err.to_string().contains("no matching release asset found"));
+    }
+
     #[test]
     fn sha256_hex_matches_known_value() {
         assert_eq!(
@@ -306,6 +337,18 @@ mod tests {
         );
     }
 
+    #[test]
+    fn verify_checksum_rejects_mismatch() {
+        let err = verify_checksum(
+            "secrets.tar.gz",
+            b"abc",
+            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  secrets.tar.gz",
+        )
+        .expect_err("checksum mismatch should fail");
+
+        assert!(err.to_string().contains("checksum verification failed"));
+    }
+
     #[test]
     fn extract_from_targz_reads_binary() {
         let payload = b"fake-secrets-binary";