feat: add export/import commands for batch backup (JSON/TOML/YAML)

- export: filter by namespace/kind/name/tag/query, decrypt secrets, write to file or stdout
- import: parse file, conflict check (error by default, --force to overwrite), --dry-run preview
- Add ExportFormat enum, ExportData/ExportEntry in models.rs with TOML↔JSON conversion
- Bump version to 0.9.0

Made-with: Cursor

AGENTS.md

@@ -7,7 +7,7 @@
 3. 若当前版本对应 tag 已存在，必须先 bump `Cargo.toml` 的 `version`，再执行 `cargo build` 同步 `Cargo.lock`，然后才能提交。
 4. 提交前优先运行 `./scripts/release-check.sh`；该脚本会检查重复版本并执行 `cargo fmt -- --check && cargo clippy --locked -- -D warnings && cargo test --locked`。
 
-跨设备密钥与配置管理 CLI 工具，将 refining / ricnsmart 两个项目的服务器信息、服务凭据存储到 PostgreSQL 18，供 AI 工具读取上下文。敏感数据（encrypted 字段）使用 AES-256-GCM 加密，主密钥由 Argon2id 从主密码派生并存入平台安全存储（macOS Keychain / Windows Credential Manager / Linux keyutils）。
+跨设备密钥与配置管理 CLI 工具，将服务器信息、服务凭据等存储到 PostgreSQL 18，供 AI 工具读取上下文。每个加密字段单独行存储（`secrets` 子表），字段名、类型、长度以明文保存，主密钥由 Argon2id 从主密码派生并存入平台安全存储（macOS Keychain / Windows Credential Manager / Linux keyutils）。
 
 ## 项目结构
 
@@ -17,20 +17,22 @@ secrets/
     main.rs              # CLI 入口，clap 命令定义，auto-migrate，--verbose 全局参数
     output.rs            # OutputMode 枚举 + TTY 检测（TTY→text，非 TTY→json-compact）
     config.rs            # 配置读写：~/.config/secrets/config.toml（database_url）
-    db.rs                # PgPool 创建 + 建表/索引（幂等，含 audit_log + kv_config + secrets_history）
+    db.rs                # PgPool 创建 + 建表/索引（DROP+CREATE，含所有表）
     crypto.rs            # AES-256-GCM 加解密、Argon2id 派生、OS 钥匙串
-    models.rs            # Secret 结构体（sqlx::FromRow + serde，含 version 字段）
+    models.rs            # Entry + SecretField 结构体（sqlx::FromRow + serde）
-    audit.rs             # 审计写入：log_tx（事务内）/ log（池，保留备用）
+    audit.rs             # 审计写入：log_tx（事务内）
     commands/
       init.rs            # init 命令：主密钥初始化（每台设备一次）
-      add.rs             # add 命令：upsert，事务化，含历史快照，支持 key:=json 类型化值与嵌套路径写入
+      add.rs             # add 命令：upsert entries + 逐字段写入 secrets，含历史快照
       config.rs          # config 命令：set-db / show / path（持久化 database_url）
-      search.rs          # search 命令：多条件查询，公开 fetch_rows / build_env_map
+      search.rs          # search 命令：多条件查询，展示 secrets 字段 schema（无需 master_key）
-      delete.rs          # delete 命令：事务化，含历史快照
+      delete.rs          # delete 命令：事务化，CASCADE 删除 secrets，含历史快照
-      update.rs          # update 命令：增量更新，CAS 并发保护，含历史快照
+      update.rs          # update 命令：增量更新，secrets 行级 UPSERT/DELETE，CAS 并发保护
-      rollback.rs        # rollback / history 命令：版本回滚与历史查看
+      rollback.rs        # rollback / history 命令：按 entry_version 恢复 entry + secrets
-      run.rs             # inject / run 命令：临时环境变量注入
+      run.rs             # inject / run 命令：逐字段解密 + key_ref 引用解析
       upgrade.rs         # upgrade 命令：检查、校验摘要并下载最新版本，自动替换二进制
+      export_cmd.rs      # export 命令：批量导出记录，支持 JSON/TOML/YAML，含解密明文
+      import_cmd.rs      # import 命令：批量导入记录，冲突检测，dry-run，重新加密写入
   scripts/
     release-check.sh        # 发版前检查版本号/tag 是否重复，并执行 fmt/clippy/test
     setup-gitea-actions.sh  # 配置 Gitea Actions 变量与 Secrets
@@ -44,19 +46,18 @@ secrets/
 - **Host**: `<host>:<port>`
 - **Database**: `secrets`
 - **连接串**: `postgres://postgres:<password>@<host>:<port>/secrets`
-- **表**: `secrets`（主表）+ `audit_log`（审计表）+ `kv_config`（Argon2 salt 等），首次连接自动建表（auto-migrate）
+- **表**: `entries`（主表）+ `secrets`（加密字段子表）+ `entries_history` + `secrets_history` + `audit_log` + `kv_config`，首次连接自动建表（auto-migrate）
 
 ### 表结构
 
 ```sql
-secrets (
+entries (
   id          UUID PRIMARY KEY DEFAULT uuidv7(),  -- PG18 时间有序 UUID
   namespace   VARCHAR(64)   NOT NULL,              -- 一级隔离: "refining" | "ricnsmart"
-  kind        VARCHAR(64)   NOT NULL,              -- 类型: "server" | "service"（可扩展）
+  kind        VARCHAR(64)   NOT NULL,              -- 类型: "server" | "service" | "key"（可扩展）
   name        VARCHAR(256)  NOT NULL,              -- 人类可读标识
   tags        TEXT[]        NOT NULL DEFAULT '{}', -- 灵活标签: ["aliyun","hongkong"]
   metadata    JSONB         NOT NULL DEFAULT '{}', -- 明文描述: ip, desc, domains, location...
-  encrypted   BYTEA         NOT NULL DEFAULT '\x', -- AES-256-GCM 密文: nonce(12B)||ciphertext+tag
   version     BIGINT        NOT NULL DEFAULT 1,    -- 乐观锁版本号，每次写操作自增
   created_at  TIMESTAMPTZ   NOT NULL DEFAULT NOW(),
   updated_at  TIMESTAMPTZ   NOT NULL DEFAULT NOW(),
@@ -65,19 +66,17 @@ secrets (
 ```
 
 ```sql
-secrets_history (
+secrets (
-  id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+  id          UUID PRIMARY KEY DEFAULT uuidv7(),
-  secret_id   UUID         NOT NULL,   -- 对应 secrets.id
+  entry_id    UUID         NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
-  namespace   VARCHAR(64)  NOT NULL,
+  field_name  VARCHAR(256) NOT NULL,              -- 明文字段名: "username", "token", "ssh_key"
-  kind        VARCHAR(64)  NOT NULL,
+  field_type  VARCHAR(32)  NOT NULL DEFAULT 'string', -- 明文类型: "string"|"number"|"boolean"|"json"
-  name        VARCHAR(256) NOT NULL,
+  value_len   INT          NOT NULL DEFAULT 0,    -- 明文原始值字符数（PEM≈4096，token≈40）
-  version     BIGINT       NOT NULL,   -- 被快照时的版本号
+  encrypted   BYTEA        NOT NULL DEFAULT '\x', -- 仅加密值本身：nonce(12B)||ciphertext+tag
-  action      VARCHAR(16)  NOT NULL,   -- 'add' | 'update' | 'delete' | 'rollback'
+  version     BIGINT       NOT NULL DEFAULT 1,
-  tags        TEXT[]       NOT NULL DEFAULT '{}',
+  created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-  metadata    JSONB        NOT NULL DEFAULT '{}',
+  updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
-  encrypted   BYTEA        NOT NULL DEFAULT '\x', -- 快照时的加密密文
+  UNIQUE(entry_id, field_name)
-  actor       VARCHAR(128) NOT NULL DEFAULT '',
-  created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
 )
 ```
 
@@ -93,7 +92,7 @@ kv_config (
 ```sql
 audit_log (
   id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-  action      VARCHAR(32)   NOT NULL,              -- 'add' | 'update' | 'delete'
+  action      VARCHAR(32)   NOT NULL,              -- 'add' | 'update' | 'delete' | 'rollback'
   namespace   VARCHAR(64)   NOT NULL,
   kind        VARCHAR(64)   NOT NULL,
   name        VARCHAR(256)  NOT NULL,
@@ -103,16 +102,75 @@ audit_log (
 )
 ```
 
+### entries_history 表结构
+
+```sql
+entries_history (
+  id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+  entry_id    UUID         NOT NULL,
+  namespace   VARCHAR(64)  NOT NULL,
+  kind        VARCHAR(64)  NOT NULL,
+  name        VARCHAR(256) NOT NULL,
+  version     BIGINT       NOT NULL,   -- 被快照时的版本号
+  action      VARCHAR(16)  NOT NULL,   -- 'add' | 'update' | 'delete' | 'rollback'
+  tags        TEXT[]       NOT NULL DEFAULT '{}',
+  metadata    JSONB        NOT NULL DEFAULT '{}',
+  actor       VARCHAR(128) NOT NULL DEFAULT '',
+  created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
+)
+```
+
+### secrets_history 表结构
+
+```sql
+secrets_history (
+  id              BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+  entry_id        UUID         NOT NULL,
+  secret_id       UUID         NOT NULL,  -- 对应 secrets.id
+  entry_version   BIGINT       NOT NULL,  -- 关联 entries_history 的版本号
+  field_name      VARCHAR(256) NOT NULL,
+  field_type      VARCHAR(32)  NOT NULL DEFAULT 'string',
+  value_len       INT          NOT NULL DEFAULT 0,
+  encrypted       BYTEA        NOT NULL DEFAULT '\x',
+  action          VARCHAR(16)  NOT NULL,   -- 'add' | 'update' | 'delete' | 'rollback'
+  actor           VARCHAR(128) NOT NULL DEFAULT '',
+  created_at      TIMESTAMPTZ  NOT NULL DEFAULT NOW()
+)
+```
+
 ### 字段职责划分
 
 | 字段 | 存什么 | 示例 |
 |------|--------|------|
 | `namespace` | 项目/团队隔离 | `refining`, `ricnsmart` |
-| `kind` | 记录类型 | `server`, `service` |
+| `kind` | 记录类型 | `server`, `service`, `key` |
 | `name` | 唯一标识名 | `i-uf63f2uookgs5uxmrdyc`, `gitea` |
 | `tags` | 多维分类标签 | `["aliyun","hongkong","ricn"]` |
-| `metadata` | 明文非敏感信息 | `{"ip":"47.243.154.187","desc":"Grafana","domains":["..."]}` |
+| `metadata` | 明文非敏感信息 | `{"ip":"47.243.154.187","desc":"Grafana","key_ref":"ricn-hk-260127"}` |
-| `encrypted` | 敏感凭据，AES-256-GCM 加密存储 | 二进制密文，解密后为 `{"ssh_key":"...","password":"..."}` |
+| `secrets.field_name` | 加密字段名（明文） | `"username"`, `"token"`, `"ssh_key"` |
+| `secrets.field_type` | 值类型（明文） | `"string"`, `"number"`, `"boolean"`, `"json"` |
+| `secrets.value_len` | 原始值字符数（明文） | `4`（root），`40`（token），`4096`（PEM） |
+| `secrets.encrypted` | 仅加密值本身 | AES-256-GCM 密文 |
+
+### PEM 共享机制（key_ref）
+
+同一 PEM 被多台服务器共享时，将 PEM 存为独立的 `kind=key` 记录，服务器通过 `metadata.key_ref` 引用：
+
+```bash
+# 1. 存共享 PEM
+secrets add -n refining --kind key --name ricn-hk-260127 \
+  --tag aliyun --tag hongkong \
+  -s content=@./keys/ricn-hk-260127.pem
+
+# 2. 服务器通过 metadata.key_ref 引用（inject/run 时自动合并 key 的 secrets）
+secrets add -n refining --kind server --name i-j6c39dmtkr26vztii0ox \
+  -m ip=47.243.154.187 -m key_ref=ricn-hk-260127 \
+  -s username=ecs-user
+
+# 3. 轮换只需更新 key 记录，所有引用服务器自动生效
+secrets update -n refining --kind key --name ricn-hk-260127 \
+  -s content=@./keys/new-key.pem
+```
 
 ## 数据库配置
 
@@ -153,7 +211,6 @@ secrets init   # 提示输入主密码，Argon2id 派生主密钥后存入 OS
 - TTY（终端直接运行）→ 默认 `text`
 - 非 TTY（管道/重定向/AI 调用）→ 自动 `json-compact`
 - 显式 `-o json` → 美化 JSON
-- 显式 `-o env` → KEY=VALUE（可 source）
 
 ---
 
@@ -176,13 +233,13 @@ secrets init
 #   --name             gitea | i-uf63f2uookgs5uxmrdyc | mqtt
 #   --tag              aliyun | hongkong | production
 #   -q / --query       mqtt | grafana | gitea   （模糊匹配 name/namespace/kind/tags/metadata）
-#   --show-secrets     已弃用；search 不再直接展示 secrets
+#   secrets schema  search 默认展示 secrets 字段名、类型与长度（无需 master_key）
 #   -f / --field       metadata.ip | metadata.url | metadata.default_org
 #   --summary          不带值的 flag，仅返回摘要（name/tags/desc/updated_at）
 #   --limit            20 | 50（默认 50）
 #   --offset           0 | 10 | 20（分页偏移）
 #   --sort             name（默认）| updated | created
-#   -o / --output      text | json | json-compact | env
+#   -o / --output      text | json | json-compact
 
 # 发现概览（起步推荐）
 secrets search --summary --limit 20
@@ -222,10 +279,6 @@ secrets search -n refining --summary --limit 10 --offset 10
 
 # 管道 / AI 调用（非 TTY 自动 json-compact）
 secrets search -n refining --kind service | jq '.[].name'
-
-# 导出 metadata 为 env 文件（单条记录）
-secrets search -n refining --kind service --name gitea -o env \
-  > ~/.config/gitea/config.env
 ```
 
 ---
@@ -442,6 +495,75 @@ secrets upgrade
 
 ---
 
+### export — 批量导出记录
+
+将匹配的记录（含解密后的明文 secrets）导出到文件或 stdout。支持 JSON、TOML、YAML 三种格式，文件格式由扩展名自动推断。使用 `--no-secrets` 时无需主密钥。
+
+```bash
+# 参数说明
+# -n / --namespace refining | ricnsmart
+# --kind server | service
+# --name gitea | i-uf63f2uookgs5uxmrdyc
+# --tag aliyun | production（可重复）
+# -q / --query 模糊关键词
+# --file <path>   输出文件路径，格式由扩展名推断（.json / .toml / .yaml / .yml）
+# --format json | toml | yaml   显式指定格式（输出到 stdout 时必须指定）
+# --no-secrets    不导出 secrets，无需主密钥
+
+# 全量导出到 JSON 文件
+secrets export --file backup.json
+
+# 按 namespace 导出为 TOML
+secrets export -n refining --file refining.toml
+
+# 按 kind 导出为 YAML
+secrets export -n refining --kind service --file services.yaml
+
+# 按 tag 过滤导出
+secrets export --tag production --file prod.json
+
+# 模糊关键词导出
+secrets export -q mqtt --file mqtt.json
+
+# 仅导出 schema（不含 secrets，无需主密钥）
+secrets export --no-secrets --file schema.json
+
+# 输出到 stdout（必须指定 --format）
+secrets export -n refining --format yaml
+secrets export --format json | jq '.'
+```
+
+---
+
+### import — 批量导入记录
+
+从导出文件读取记录并写入数据库，自动重新加密 secrets。支持 JSON、TOML、YAML 三种格式，文件格式由扩展名自动推断。
+
+```bash
+# 参数说明
+# <file>        必选，输入文件路径（格式由扩展名推断）
+# --force       冲突时覆盖已有记录（默认：报错并停止）
+# --dry-run     预览将执行的操作，不写入数据库
+# -o / --output text | json | json-compact
+
+# 导入 JSON 文件（遇到已存在记录报错）
+secrets import backup.json
+
+# 导入 TOML 文件，冲突时覆盖
+secrets import --force refining.toml
+
+# 导入 YAML 文件，冲突时覆盖
+secrets import --force services.yaml
+
+# 预览将执行的操作（不写入）
+secrets import --dry-run backup.json
+
+# JSON 格式输出导入摘要
+secrets import backup.json -o json
+```
+
+---
+
 ### config — 配置管理（无需主密钥）
 
 ```bash

Cargo.lock

@@ -1836,7 +1836,7 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
 [[package]]
 name = "secrets"
-version = "0.7.4"
+version = "0.9.0"
 dependencies = [
  "aes-gcm",
  "anyhow",
@@ -1853,6 +1853,7 @@ dependencies = [
  "semver",
  "serde",
  "serde_json",
+ "serde_yaml",
  "sha2",
  "sqlx",
  "tar",
@@ -1982,6 +1983,19 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
 [[package]]
 name = "sha1"
 version = "0.10.6"
@@ -2681,6 +2695,12 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "secrets"
-version = "0.7.4"
+version = "0.9.0"
 edition = "2024"
 
 [dependencies]
@@ -19,6 +19,7 @@ self-replace = "1.5.0"
 semver = "1.0.27"
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0.149"
+serde_yaml = "0.9"
 sha2 = "0.10.9"
 sqlx = { version = "0.8.6", features = ["runtime-tokio", "tls-rustls", "postgres", "uuid", "json", "chrono"] }
 tar = "0.4.44"

README.md

@@ -2,7 +2,7 @@
 
 跨设备密钥与配置管理 CLI，基于 Rust + PostgreSQL 18。
 
-将服务器信息、服务凭据统一存入数据库，供本地工具和 AI 读取上下文。敏感数据（`encrypted` 字段）使用 AES-256-GCM 加密存储，主密钥由 Argon2id 从主密码派生并存入系统钥匙串。
+将服务器信息、服务凭据统一存入数据库，供本地工具和 AI 读取上下文。每个敏感字段单独行存储（`secrets` 子表），字段名、类型、长度以明文保存便于 AI 理解，仅值本身使用 AES-256-GCM 加密；主密钥由 Argon2id 从主密码派生并存入系统钥匙串。
 
 ## 安装
 
@@ -54,7 +54,7 @@ secrets search --sort updated --limit 10 --summary
 # 精确定位（namespace + kind + name 三元组）
 secrets search -n refining --kind service --name gitea
 
-# 获取完整记录（secrets 保持加密占位）
+# 获取完整记录（含 secrets 字段 schema：field_name、field_type、value_len，无需 master_key）
 secrets search -n refining --kind service --name gitea -o json
 
 # 直接提取单个 metadata 字段值（最短路径）
@@ -69,14 +69,13 @@ secrets inject -n refining --kind service --name gitea
 secrets run -n refining --kind service --name gitea -- printenv
 ```
 
-`search` 只负责发现、定位和读取 metadata，不直接展示 secrets。
+`search` 展示 metadata 与 secrets 的字段 schema（字段名、类型、长度），不展示 secret 值本身；需要值时用 `inject` / `run`。
 
 ### 输出格式
 
 | 场景 | 推荐命令 |
 |------|----------|
 | AI 解析 / 管道处理 | `-o json` 或 `-o json-compact` |
-| 写入 metadata `.env` 文件 | `-o env` |
 | 注入 secrets 到环境变量 | `inject` / `run` |
 | 人类查看 | 默认 `text`（TTY 下自动启用） |
 | 非 TTY（管道/重定向） | 自动 `json-compact` |
@@ -87,10 +86,6 @@ secrets run -n refining --kind service --name gitea -- printenv
 # 管道直接 jq 解析（非 TTY 自动 json-compact）
 secrets search -n refining --kind service | jq '.[].name'
 
-# 导出 metadata 为可 source 的 env 文件（单条记录）
-secrets search -n refining --kind service --name gitea -o env \
-  > ~/.config/gitea/config.env
-
 # 需要 secrets 时，使用 inject / run
 secrets inject -n refining --kind service --name gitea > ~/.config/gitea/secrets.env
 secrets run -n refining --kind service --name gitea -- ./deploy.sh
@@ -108,6 +103,8 @@ secrets update --help
 secrets delete --help
 secrets config --help
 secrets upgrade --help     # 检查并更新 CLI 版本
+secrets export --help      # 批量导出（JSON/TOML/YAML）
+secrets import --help      # 批量导入（JSON/TOML/YAML）
 
 # ── search ──────────────────────────────────────────────────────────────────
 secrets search --summary --limit 20                        # 发现概览
@@ -116,7 +113,7 @@ secrets search -n refining --kind service --name gitea     # 精确查找
 secrets search -q mqtt                                     # 关键词模糊搜索
 secrets search --tag hongkong                              # 按 tag 过滤
 secrets search -n refining --kind service --name gitea -f metadata.url   # 提取 metadata 字段
-secrets search -n refining --kind service --name gitea -o json            # 完整记录（secrets 保持占位）
+secrets search -n refining --kind service --name gitea -o json            # 完整记录（含 secrets schema）
 secrets search --sort updated --limit 10 --summary         # 最近改动
 secrets search -n refining --summary --limit 10 --offset 10  # 翻页
 
@@ -163,6 +160,20 @@ secrets config path    # 打印配置文件路径
 secrets upgrade --check   # 仅检查是否有新版本
 secrets upgrade           # 下载、校验 SHA-256 并安装最新版（从 Gitea Release）
 
+# ── export ────────────────────────────────────────────────────────────────────
+secrets export --file backup.json                        # 全量导出到 JSON
+secrets export -n refining --file refining.toml          # 按 namespace 导出为 TOML
+secrets export -n refining --kind service --file svc.yaml   # 按 kind 导出为 YAML
+secrets export --tag production --file prod.json         # 按 tag 过滤
+secrets export -q mqtt --file mqtt.json                   # 模糊搜索导出
+secrets export --no-secrets --file schema.json           # 仅导出 schema（无需主密钥）
+secrets export -n refining --format yaml                  # 输出到 stdout，指定格式
+
+# ── import ────────────────────────────────────────────────────────────────────
+secrets import backup.json                               # 导入（冲突时报错）
+secrets import --force refining.toml                     # 冲突时覆盖已有记录
+secrets import --dry-run backup.yaml                     # 预览将要执行的操作（不写入）
+
 # ── 调试 ──────────────────────────────────────────────────────────────────────
 secrets --verbose search -q mqtt
 RUST_LOG=secrets=trace secrets search
@@ -170,18 +181,21 @@ RUST_LOG=secrets=trace secrets search
 
 ## 数据模型
 
-单张 `secrets` 表，首次连接自动建表；同时自动创建 `audit_log` 表，记录所有写操作。
+主表 `entries`（namespace、kind、name、tags、metadata）+ 子表 `secrets`（每个加密字段一行，含 field_name、field_type、value_len、encrypted）。首次连接自动建表；同时创建 `audit_log`、`entries_history`、`secrets_history` 等表。
 
-| 字段 | 说明 |
+| 位置 | 字段 | 说明 |
-|------|------|
+|------|------|------|
-| `namespace` | 一级隔离，如 `refining`、`ricnsmart` |
+| entries | namespace | 一级隔离，如 `refining`、`ricnsmart` |
-| `kind` | 记录类型，如 `server`、`service`（可自由扩展） |
+| entries | kind | 记录类型，如 `server`、`service`、`key`（可自由扩展） |
-| `name` | 人类可读唯一标识 |
+| entries | name | 人类可读唯一标识 |
-| `tags` | 多维标签，如 `["aliyun","hongkong"]` |
+| entries | tags | 多维标签，如 `["aliyun","hongkong"]` |
-| `metadata` | 明文描述信息（ip、desc、domains 等） |
+| entries | metadata | 明文描述（ip、desc、domains、key_ref 等） |
-| `encrypted` | 敏感凭据（ssh_key、password、token 等），AES-256-GCM 加密存储 |
+| secrets | field_name / field_type / value_len | 明文，search 可见，AI 可推断 inject 会生成什么变量 |
+| secrets | encrypted | 仅加密值本身，AES-256-GCM |
 
-`-m` / `--meta` 写入 `metadata`，`-s` / `--secret` 写入 `encrypted`。支持 `key=value`、`key=@file`、`key:=<json>`，也支持 `credentials:content@./key.pem` 这种嵌套字段文件写入语法，避免手动转义多行文本；删除时也支持 `--remove-secret credentials:content` 和 `--remove-meta credentials:content`。加解密使用主密钥（由 `secrets init` 设置）。
+`-m` / `--meta` 写入 `metadata`，`-s` / `--secret` 写入 `secrets` 表的独立行。支持 `key=value`、`key=@file`、`key:=<json>`，也支持 `credentials:content@./key.pem` 这类嵌套字段文件写入；删除时支持 `--remove-secret credentials:content`。加解密使用主密钥（由 `secrets init` 设置）。
+
+**PEM 共享**：同一 PEM 被多台服务器共享时，可存为 `kind=key` 记录，服务器通过 `metadata.key_ref` 引用；轮换只需 update 一条 key 记录，所有引用自动生效。详见 [AGENTS.md](AGENTS.md)。
 
 ### `-m` / `--meta` JSON 语法速查
 
@@ -285,18 +299,22 @@ src/
   main.rs          # CLI 入口（clap），含各子命令 after_help 示例
   output.rs        # OutputMode 枚举 + TTY 检测
   config.rs        # 配置读写（~/.config/secrets/config.toml）
-  db.rs            # 连接池 + auto-migrate（secrets + audit_log + kv_config）
+  db.rs            # 连接池 + auto-migrate（entries + secrets + entries_history + secrets_history + audit_log + kv_config）
   crypto.rs        # AES-256-GCM 加解密、Argon2id 派生、OS 钥匙串
-  models.rs        # Secret 结构体
+  models.rs        # Entry + SecretField 结构体
   audit.rs         # 审计日志写入（audit_log 表）
   commands/
     init.rs        # 主密钥初始化（首次/新设备）
-    add.rs         # upsert，支持 -o json
+    add.rs         # upsert entries + secrets 行，支持 -o json
     config.rs      # config set-db/show/path
-    search.rs      # 多条件查询，支持 -f/-o/--summary/--limit/--offset/--sort
+    search.rs      # 多条件查询，展示 secrets schema（-f/-o/--summary/--limit/--offset/--sort）
-    delete.rs      # 删除
+    delete.rs      # 删除（CASCADE 删除 secrets）
-    update.rs      # 增量更新（合并 tags/metadata/encrypted）
+    update.rs      # 增量更新（tags/metadata + secrets 行级 UPSERT/DELETE）
+    rollback.rs    # rollback / history：按 entry_version 恢复
+    run.rs         # inject / run，逐字段解密 + key_ref 引用解析
     upgrade.rs     # 从 Gitea Release 自更新
+    export_cmd.rs  # export：批量导出，支持 JSON/TOML/YAML，含解密明文
+    import_cmd.rs  # import：批量导入，冲突检测，dry-run，重新加密写入
 scripts/
   setup-gitea-actions.sh  # 配置 Gitea Actions 变量与 Secrets
 ```

src/commands/add.rs

@@ -7,6 +7,8 @@ use crate::crypto;
 use crate::db;
 use crate::output::OutputMode;
 
+// ── Key/value parsing helpers (shared with update.rs) ───────────────────────
+
 /// Parse secret / metadata entries into a nested key path and JSON value.
 /// - `key=value`        → stores the literal string `value`
 /// - `key:=<json>`      → parses `<json>` as a typed JSON value
@@ -158,6 +160,52 @@ pub(crate) fn remove_path(map: &mut Map<String, Value>, path: &[String]) -> Resu
     Ok(removed)
 }
 
+// ── field_type inference and value_len ──────────────────────────────────────
+
+/// Infer the field type string from a JSON value.
+pub(crate) fn infer_field_type(v: &Value) -> &'static str {
+    match v {
+        Value::String(_) => "string",
+        Value::Number(_) => "number",
+        Value::Bool(_) => "boolean",
+        Value::Null => "string",
+        Value::Array(_) | Value::Object(_) => "json",
+    }
+}
+
+/// Compute the plaintext length of a JSON value (chars for string, serialized length otherwise).
+pub(crate) fn compute_value_len(v: &Value) -> i32 {
+    match v {
+        Value::String(s) => s.chars().count() as i32,
+        Value::Null => 0,
+        other => other.to_string().chars().count() as i32,
+    }
+}
+
+/// Flatten a (potentially nested) JSON object into dot-separated field entries.
+/// e.g. `{"credentials": {"type": "ssh", "content": "..."}}` →
+///   `[("credentials.type", "ssh"), ("credentials.content", "...")]`
+/// Top-level non-object values are emitted directly.
+pub(crate) fn flatten_json_fields(prefix: &str, value: &Value) -> Vec<(String, Value)> {
+    match value {
+        Value::Object(map) => {
+            let mut out = Vec::new();
+            for (k, v) in map {
+                let full_key = if prefix.is_empty() {
+                    k.clone()
+                } else {
+                    format!("{}.{}", prefix, k)
+                };
+                out.extend(flatten_json_fields(&full_key, v));
+            }
+            out
+        }
+        other => vec![(prefix.to_string(), other.clone())],
+    }
+}
+
+// ── Add command ──────────────────────────────────────────────────────────────
+
 pub struct AddArgs<'a> {
     pub namespace: &'a str,
     pub kind: &'a str,
@@ -171,26 +219,24 @@ pub struct AddArgs<'a> {
 pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
     let metadata = build_json(args.meta_entries)?;
     let secret_json = build_json(args.secret_entries)?;
-    let encrypted_bytes = crypto::encrypt_json(master_key, &secret_json)?;
 
-    tracing::debug!(args.namespace, args.kind, args.name, "upserting record");
+    tracing::debug!(args.namespace, args.kind, args.name, "upserting entry");
 
     let meta_keys = collect_key_paths(args.meta_entries)?;
     let secret_keys = collect_key_paths(args.secret_entries)?;
 
     let mut tx = pool.begin().await?;
 
-    // Snapshot existing row into history before overwriting (if it exists).
+    // Upsert the entry row (tags + metadata).
     #[derive(sqlx::FromRow)]
-    struct ExistingRow {
+    struct EntryRow {
         id: uuid::Uuid,
         version: i64,
         tags: Vec<String>,
-        metadata: serde_json::Value,
+        metadata: Value,
-        encrypted: Vec<u8>,
     }
-    let existing: Option<ExistingRow> = sqlx::query_as(
+    let existing: Option<EntryRow> = sqlx::query_as(
-        "SELECT id, version, tags, metadata, encrypted FROM secrets \
+        "SELECT id, version, tags, metadata FROM entries \
          WHERE namespace = $1 AND kind = $2 AND name = $3",
     )
     .bind(args.namespace)
@@ -199,11 +245,12 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
     .fetch_optional(&mut *tx)
     .await?;
 
-    if let Some(ex) = existing
+    // Snapshot the current entry state before overwriting.
-        && let Err(e) = db::snapshot_history(
+    if let Some(ref ex) = existing
+        && let Err(e) = db::snapshot_entry_history(
             &mut tx,
-            db::SnapshotParams {
+            db::EntrySnapshotParams {
-                secret_id: ex.id,
+                entry_id: ex.id,
                 namespace: args.namespace,
                 kind: args.kind,
                 name: args.name,
@@ -211,25 +258,24 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
                 action: "add",
                 tags: &ex.tags,
                 metadata: &ex.metadata,
-                encrypted: &ex.encrypted,
             },
         )
         .await
     {
-        tracing::warn!(error = %e, "failed to snapshot history before upsert");
+        tracing::warn!(error = %e, "failed to snapshot entry history before upsert");
     }
 
-    sqlx::query(
+    let entry_id: uuid::Uuid = sqlx::query_scalar(
         r#"
-        INSERT INTO secrets (namespace, kind, name, tags, metadata, encrypted, version, updated_at)
+        INSERT INTO entries (namespace, kind, name, tags, metadata, version, updated_at)
-        VALUES ($1, $2, $3, $4, $5, $6, 1, NOW())
+        VALUES ($1, $2, $3, $4, $5, 1, NOW())
         ON CONFLICT (namespace, kind, name)
         DO UPDATE SET
             tags       = EXCLUDED.tags,
             metadata   = EXCLUDED.metadata,
-            encrypted  = EXCLUDED.encrypted,
+            version    = entries.version + 1,
-            version    = secrets.version + 1,
             updated_at = NOW()
+        RETURNING id
         "#,
     )
     .bind(args.namespace)
@@ -237,9 +283,78 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
     .bind(args.name)
     .bind(args.tags)
     .bind(&metadata)
-    .bind(&encrypted_bytes)
+    .fetch_one(&mut *tx)
+    .await?;
+
+    let new_entry_version: i64 = sqlx::query_scalar("SELECT version FROM entries WHERE id = $1")
+        .bind(entry_id)
+        .fetch_one(&mut *tx)
+        .await?;
+
+    // Snapshot existing secret fields before replacing.
+    if existing.is_some() {
+        #[derive(sqlx::FromRow)]
+        struct ExistingField {
+            id: uuid::Uuid,
+            field_name: String,
+            field_type: String,
+            value_len: i32,
+            encrypted: Vec<u8>,
+        }
+        let existing_fields: Vec<ExistingField> = sqlx::query_as(
+            "SELECT id, field_name, field_type, value_len, encrypted \
+             FROM secrets WHERE entry_id = $1",
+        )
+        .bind(entry_id)
+        .fetch_all(&mut *tx)
+        .await?;
+
+        for f in &existing_fields {
+            if let Err(e) = db::snapshot_secret_history(
+                &mut tx,
+                db::SecretSnapshotParams {
+                    entry_id,
+                    secret_id: f.id,
+                    entry_version: new_entry_version - 1,
+                    field_name: &f.field_name,
+                    field_type: &f.field_type,
+                    value_len: f.value_len,
+                    encrypted: &f.encrypted,
+                    action: "add",
+                },
+            )
+            .await
+            {
+                tracing::warn!(error = %e, "failed to snapshot secret field history");
+            }
+        }
+
+        // Delete existing secret fields so we can re-insert the full set.
+        sqlx::query("DELETE FROM secrets WHERE entry_id = $1")
+            .bind(entry_id)
             .execute(&mut *tx)
             .await?;
+    }
+
+    // Insert new secret fields.
+    let flat_fields = flatten_json_fields("", &secret_json);
+    for (field_name, field_value) in &flat_fields {
+        let field_type = infer_field_type(field_value);
+        let value_len = compute_value_len(field_value);
+        let encrypted = crypto::encrypt_json(master_key, field_value)?;
+
+        sqlx::query(
+            "INSERT INTO secrets (entry_id, field_name, field_type, value_len, encrypted) \
+             VALUES ($1, $2, $3, $4, $5)",
+        )
+        .bind(entry_id)
+        .bind(field_name)
+        .bind(field_type)
+        .bind(value_len)
+        .bind(&encrypted)
+        .execute(&mut *tx)
+        .await?;
+    }
 
     crate::audit::log_tx(
         &mut tx,
@@ -293,7 +408,10 @@ pub async fn run(pool: &PgPool, args: AddArgs<'_>, master_key: &[u8; 32]) -> Res
 
 #[cfg(test)]
 mod tests {
-    use super::{build_json, key_path_to_string, parse_kv, remove_path};
+    use super::{
+        build_json, compute_value_len, flatten_json_fields, infer_field_type, key_path_to_string,
+        parse_kv, remove_path,
+    };
     use serde_json::Value;
     use std::fs;
     use std::path::PathBuf;
@@ -363,4 +481,36 @@ mod tests {
         assert!(removed);
         assert_eq!(value, serde_json::json!({ "username": "root" }));
     }
+
+    #[test]
+    fn flatten_json_fields_nested() {
+        let v = serde_json::json!({
+            "username": "root",
+            "credentials": {
+                "type": "ssh",
+                "content": "pem-data"
+            }
+        });
+        let mut fields = flatten_json_fields("", &v);
+        fields.sort_by(|a, b| a.0.cmp(&b.0));
+
+        assert_eq!(fields[0].0, "credentials.content");
+        assert_eq!(fields[1].0, "credentials.type");
+        assert_eq!(fields[2].0, "username");
+    }
+
+    #[test]
+    fn infer_field_types() {
+        assert_eq!(infer_field_type(&Value::String("x".into())), "string");
+        assert_eq!(infer_field_type(&serde_json::json!(42)), "number");
+        assert_eq!(infer_field_type(&Value::Bool(true)), "boolean");
+        assert_eq!(infer_field_type(&serde_json::json!(["a"])), "json");
+    }
+
+    #[test]
+    fn compute_value_len_string() {
+        assert_eq!(compute_value_len(&Value::String("root".into())), 4);
+        assert_eq!(compute_value_len(&Value::Null), 0);
+        assert_eq!(compute_value_len(&serde_json::json!(1234)), 4);
+    }
 }

src/commands/delete.rs

@@ -7,11 +7,19 @@ use crate::db;
 use crate::output::OutputMode;
 
 #[derive(FromRow)]
-struct DeleteRow {
+struct EntryRow {
     id: Uuid,
     version: i64,
     tags: Vec<String>,
     metadata: Value,
+}
+
+#[derive(FromRow)]
+struct SecretFieldRow {
+    id: Uuid,
+    field_name: String,
+    field_type: String,
+    value_len: i32,
     encrypted: Vec<u8>,
 }
 
@@ -22,12 +30,12 @@ pub async fn run(
     name: &str,
     output: OutputMode,
 ) -> Result<()> {
-    tracing::debug!(namespace, kind, name, "deleting record");
+    tracing::debug!(namespace, kind, name, "deleting entry");
 
     let mut tx = pool.begin().await?;
 
-    let row: Option<DeleteRow> = sqlx::query_as(
+    let row: Option<EntryRow> = sqlx::query_as(
-        "SELECT id, version, tags, metadata, encrypted FROM secrets \
+        "SELECT id, version, tags, metadata FROM entries \
          WHERE namespace = $1 AND kind = $2 AND name = $3 \
          FOR UPDATE",
     )
@@ -39,7 +47,7 @@ pub async fn run(
 
     let Some(row) = row else {
         tx.rollback().await?;
-        tracing::warn!(namespace, kind, name, "record not found for deletion");
+        tracing::warn!(namespace, kind, name, "entry not found for deletion");
         match output {
             OutputMode::Json => println!(
                 "{}",
@@ -58,11 +66,11 @@ pub async fn run(
         return Ok(());
     };
 
-    // Snapshot before physical delete so the row can be restored via rollback.
+    // Snapshot entry history before deleting.
-    if let Err(e) = db::snapshot_history(
+    if let Err(e) = db::snapshot_entry_history(
         &mut tx,
-        db::SnapshotParams {
+        db::EntrySnapshotParams {
-            secret_id: row.id,
+            entry_id: row.id,
             namespace,
             kind,
             name,
@@ -70,15 +78,44 @@ pub async fn run(
             action: "delete",
             tags: &row.tags,
             metadata: &row.metadata,
-            encrypted: &row.encrypted,
         },
     )
     .await
     {
-        tracing::warn!(error = %e, "failed to snapshot history before delete");
+        tracing::warn!(error = %e, "failed to snapshot entry history before delete");
     }
 
-    sqlx::query("DELETE FROM secrets WHERE id = $1")
+    // Snapshot all secret fields before cascade delete.
+    let fields: Vec<SecretFieldRow> = sqlx::query_as(
+        "SELECT id, field_name, field_type, value_len, encrypted \
+         FROM secrets WHERE entry_id = $1",
+    )
+    .bind(row.id)
+    .fetch_all(&mut *tx)
+    .await?;
+
+    for f in &fields {
+        if let Err(e) = db::snapshot_secret_history(
+            &mut tx,
+            db::SecretSnapshotParams {
+                entry_id: row.id,
+                secret_id: f.id,
+                entry_version: row.version,
+                field_name: &f.field_name,
+                field_type: &f.field_type,
+                value_len: f.value_len,
+                encrypted: &f.encrypted,
+                action: "delete",
+            },
+        )
+        .await
+        {
+            tracing::warn!(error = %e, "failed to snapshot secret field history before delete");
+        }
+    }
+
+    // Delete the entry — secrets rows are removed via ON DELETE CASCADE.
+    sqlx::query("DELETE FROM entries WHERE id = $1")
         .bind(row.id)
         .execute(&mut *tx)
         .await?;

src/commands/export_cmd.rs

@@ -0,0 +1,109 @@
+use anyhow::Result;
+use sqlx::PgPool;
+use std::collections::BTreeMap;
+use std::io::Write;
+
+use crate::commands::search::{fetch_entries, fetch_secrets_for_entries};
+use crate::crypto;
+use crate::models::{ExportData, ExportEntry, ExportFormat};
+
+pub struct ExportArgs<'a> {
+    pub namespace: Option<&'a str>,
+    pub kind: Option<&'a str>,
+    pub name: Option<&'a str>,
+    pub tags: &'a [String],
+    pub query: Option<&'a str>,
+    /// Output file path. None means write to stdout.
+    pub file: Option<&'a str>,
+    /// Explicit format override (e.g. from --format flag).
+    pub format: Option<&'a str>,
+    /// When true, secrets are omitted and master_key is not used.
+    pub no_secrets: bool,
+}
+
+pub async fn run(pool: &PgPool, args: ExportArgs<'_>, master_key: Option<&[u8; 32]>) -> Result<()> {
+    // Determine output format: --format > file extension > default JSON.
+    let format = if let Some(fmt_str) = args.format {
+        ExportFormat::from_str(fmt_str)?
+    } else if let Some(path) = args.file {
+        ExportFormat::from_extension(path).unwrap_or(ExportFormat::Json)
+    } else {
+        ExportFormat::Json
+    };
+
+    let entries = fetch_entries(
+        pool,
+        args.namespace,
+        args.kind,
+        args.name,
+        args.tags,
+        args.query,
+    )
+    .await?;
+
+    let entry_ids: Vec<uuid::Uuid> = entries.iter().map(|e| e.id).collect();
+
+    let secrets_map = if !args.no_secrets && !entry_ids.is_empty() {
+        fetch_secrets_for_entries(pool, &entry_ids).await?
+    } else {
+        std::collections::HashMap::new()
+    };
+
+    let key = if !args.no_secrets { master_key } else { None };
+
+    let mut export_entries: Vec<ExportEntry> = Vec::with_capacity(entries.len());
+    for entry in &entries {
+        let secrets = if args.no_secrets {
+            None
+        } else {
+            let fields = secrets_map.get(&entry.id).map(Vec::as_slice).unwrap_or(&[]);
+            if fields.is_empty() {
+                Some(BTreeMap::new())
+            } else {
+                let mk =
+                    key.ok_or_else(|| anyhow::anyhow!("master key required to decrypt secrets"))?;
+                let mut map = BTreeMap::new();
+                for f in fields {
+                    let decrypted = crypto::decrypt_json(mk, &f.encrypted)?;
+                    map.insert(f.field_name.clone(), decrypted);
+                }
+                Some(map)
+            }
+        };
+
+        export_entries.push(ExportEntry {
+            namespace: entry.namespace.clone(),
+            kind: entry.kind.clone(),
+            name: entry.name.clone(),
+            tags: entry.tags.clone(),
+            metadata: entry.metadata.clone(),
+            secrets,
+        });
+    }
+
+    let data = ExportData {
+        version: 1,
+        exported_at: chrono::Utc::now().format("%Y-%m-%dT%H:%M:%SZ").to_string(),
+        entries: export_entries,
+    };
+
+    let serialized = format.serialize(&data)?;
+
+    if let Some(path) = args.file {
+        std::fs::write(path, &serialized)?;
+        println!(
+            "Exported {} record(s) to {} ({:?})",
+            data.entries.len(),
+            path,
+            format
+        );
+    } else {
+        std::io::stdout().write_all(serialized.as_bytes())?;
+        // Ensure trailing newline on stdout.
+        if !serialized.ends_with('\n') {
+            println!();
+        }
+    }
+
+    Ok(())
+}

src/commands/import_cmd.rs

@@ -0,0 +1,233 @@
+use anyhow::Result;
+use serde_json::Value;
+use sqlx::PgPool;
+use std::collections::BTreeMap;
+
+use crate::commands::add::{self, AddArgs};
+use crate::models::ExportFormat;
+use crate::output::OutputMode;
+
+pub struct ImportArgs<'a> {
+    pub file: &'a str,
+    /// Overwrite existing records when there is a conflict (upsert).
+    pub force: bool,
+    /// Check and preview operations without writing to the database.
+    pub dry_run: bool,
+    pub output: OutputMode,
+}
+
+pub async fn run(pool: &PgPool, args: ImportArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
+    let format = ExportFormat::from_extension(args.file)?;
+    let content = std::fs::read_to_string(args.file)
+        .map_err(|e| anyhow::anyhow!("Cannot read file '{}': {}", args.file, e))?;
+    let data = format.deserialize(&content)?;
+
+    if data.version != 1 {
+        anyhow::bail!(
+            "Unsupported export version {}. Only version 1 is supported.",
+            data.version
+        );
+    }
+
+    let total = data.entries.len();
+    let mut inserted = 0usize;
+    let mut skipped = 0usize;
+    let mut failed = 0usize;
+
+    for entry in &data.entries {
+        // Check if record already exists.
+        let exists: bool = sqlx::query_scalar(
+            "SELECT EXISTS(SELECT 1 FROM entries \
+             WHERE namespace = $1 AND kind = $2 AND name = $3)",
+        )
+        .bind(&entry.namespace)
+        .bind(&entry.kind)
+        .bind(&entry.name)
+        .fetch_one(pool)
+        .await
+        .unwrap_or(false);
+
+        if exists && !args.force {
+            let msg = format!(
+                "[{}/{}/{}] conflict — record already exists (use --force to overwrite)",
+                entry.namespace, entry.kind, entry.name
+            );
+            match args.output {
+                OutputMode::Json | OutputMode::JsonCompact => {
+                    let v = serde_json::json!({
+                        "action": "conflict",
+                        "namespace": entry.namespace,
+                        "kind": entry.kind,
+                        "name": entry.name,
+                    });
+                    let s = if args.output == OutputMode::Json {
+                        serde_json::to_string_pretty(&v)?
+                    } else {
+                        serde_json::to_string(&v)?
+                    };
+                    eprintln!("{}", s);
+                }
+                _ => eprintln!("{}", msg),
+            }
+            return Err(anyhow::anyhow!(
+                "Import aborted: conflict on [{}/{}/{}]",
+                entry.namespace,
+                entry.kind,
+                entry.name
+            ));
+        }
+
+        let action = if exists { "upsert" } else { "insert" };
+
+        if args.dry_run {
+            match args.output {
+                OutputMode::Json | OutputMode::JsonCompact => {
+                    let v = serde_json::json!({
+                        "action": action,
+                        "namespace": entry.namespace,
+                        "kind": entry.kind,
+                        "name": entry.name,
+                        "dry_run": true,
+                    });
+                    let s = if args.output == OutputMode::Json {
+                        serde_json::to_string_pretty(&v)?
+                    } else {
+                        serde_json::to_string(&v)?
+                    };
+                    println!("{}", s);
+                }
+                _ => println!(
+                    "[dry-run] {} [{}/{}/{}]",
+                    action, entry.namespace, entry.kind, entry.name
+                ),
+            }
+            if exists {
+                skipped += 1;
+            } else {
+                inserted += 1;
+            }
+            continue;
+        }
+
+        // Build secret_entries: convert BTreeMap<String, Value> to Vec<String> ("key:=json")
+        let secret_entries = build_secret_entries(entry.secrets.as_ref());
+
+        // Build meta_entries from metadata JSON object.
+        let meta_entries = build_meta_entries(&entry.metadata);
+
+        match add::run(
+            pool,
+            AddArgs {
+                namespace: &entry.namespace,
+                kind: &entry.kind,
+                name: &entry.name,
+                tags: &entry.tags,
+                meta_entries: &meta_entries,
+                secret_entries: &secret_entries,
+                output: OutputMode::Text,
+            },
+            master_key,
+        )
+        .await
+        {
+            Ok(()) => {
+                match args.output {
+                    OutputMode::Json | OutputMode::JsonCompact => {
+                        let v = serde_json::json!({
+                            "action": action,
+                            "namespace": entry.namespace,
+                            "kind": entry.kind,
+                            "name": entry.name,
+                        });
+                        let s = if args.output == OutputMode::Json {
+                            serde_json::to_string_pretty(&v)?
+                        } else {
+                            serde_json::to_string(&v)?
+                        };
+                        println!("{}", s);
+                    }
+                    _ => println!(
+                        "Imported [{}/{}/{}]",
+                        entry.namespace, entry.kind, entry.name
+                    ),
+                }
+                inserted += 1;
+            }
+            Err(e) => {
+                eprintln!(
+                    "Error importing [{}/{}/{}]: {}",
+                    entry.namespace, entry.kind, entry.name, e
+                );
+                failed += 1;
+            }
+        }
+    }
+
+    match args.output {
+        OutputMode::Json | OutputMode::JsonCompact => {
+            let v = serde_json::json!({
+                "total": total,
+                "inserted": inserted,
+                "skipped": skipped,
+                "failed": failed,
+                "dry_run": args.dry_run,
+            });
+            let s = if args.output == OutputMode::Json {
+                serde_json::to_string_pretty(&v)?
+            } else {
+                serde_json::to_string(&v)?
+            };
+            println!("{}", s);
+        }
+        _ => {
+            if args.dry_run {
+                println!(
+                    "\n[dry-run] {} total: {} would insert, {} would skip, {} would fail",
+                    total, inserted, skipped, failed
+                );
+            } else {
+                println!(
+                    "\nImport done: {} total — {} inserted, {} skipped, {} failed",
+                    total, inserted, skipped, failed
+                );
+            }
+        }
+    }
+
+    if failed > 0 {
+        anyhow::bail!("{} record(s) failed to import", failed);
+    }
+
+    Ok(())
+}
+
+/// Convert metadata JSON object into Vec<String> of "key:=json_value" entries.
+fn build_meta_entries(metadata: &Value) -> Vec<String> {
+    let mut entries = Vec::new();
+    if let Some(obj) = metadata.as_object() {
+        for (k, v) in obj {
+            entries.push(value_to_kv_entry(k, v));
+        }
+    }
+    entries
+}
+
+/// Convert a BTreeMap<String, Value> (secrets) into Vec<String> of "key:=json_value" entries.
+fn build_secret_entries(secrets: Option<&BTreeMap<String, Value>>) -> Vec<String> {
+    let mut entries = Vec::new();
+    if let Some(map) = secrets {
+        for (k, v) in map {
+            entries.push(value_to_kv_entry(k, v));
+        }
+    }
+    entries
+}
+
+/// Convert a key/value pair to a CLI-style entry string.
+/// Strings use `key=value`; everything else uses `key:=<json>`.
+fn value_to_kv_entry(key: &str, value: &Value) -> String {
+    match value {
+        Value::String(s) => format!("{}={}", key, s),
+        other => format!("{}:={}", key, other),
+    }
+}

src/commands/mod.rs

@@ -1,6 +1,8 @@
 pub mod add;
 pub mod config;
 pub mod delete;
+pub mod export_cmd;
+pub mod import_cmd;
 pub mod init;
 pub mod rollback;
 pub mod run;

src/commands/rollback.rs

@@ -3,32 +3,34 @@ use serde_json::{Value, json};
 use sqlx::{FromRow, PgPool};
 use uuid::Uuid;
 
+use crate::crypto;
+use crate::db;
 use crate::output::{OutputMode, format_local_time};
 
-#[derive(FromRow)]
-struct HistoryRow {
-    secret_id: Uuid,
-    version: i64,
-    action: String,
-    tags: Vec<String>,
-    metadata: Value,
-    encrypted: Vec<u8>,
-}
-
 pub struct RollbackArgs<'a> {
     pub namespace: &'a str,
     pub kind: &'a str,
     pub name: &'a str,
-    /// Target version to restore. None → restore the most recent history entry.
+    /// Target entry version to restore. None → restore the most recent history entry.
     pub to_version: Option<i64>,
     pub output: OutputMode,
 }
 
 pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
-    let snap: Option<HistoryRow> = if let Some(ver) = args.to_version {
+    // ── Find the target entry history snapshot ────────────────────────────────
+    #[derive(FromRow)]
+    struct EntryHistoryRow {
+        entry_id: Uuid,
+        version: i64,
+        action: String,
+        tags: Vec<String>,
+        metadata: Value,
+    }
+
+    let snap: Option<EntryHistoryRow> = if let Some(ver) = args.to_version {
         sqlx::query_as(
-            "SELECT secret_id, version, action, tags, metadata, encrypted \
+            "SELECT entry_id, version, action, tags, metadata \
-             FROM secrets_history \
+             FROM entries_history \
              WHERE namespace = $1 AND kind = $2 AND name = $3 AND version = $4 \
              ORDER BY id DESC LIMIT 1",
         )
@@ -40,8 +42,8 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
         .await?
     } else {
         sqlx::query_as(
-            "SELECT secret_id, version, action, tags, metadata, encrypted \
+            "SELECT entry_id, version, action, tags, metadata \
-             FROM secrets_history \
+             FROM entries_history \
              WHERE namespace = $1 AND kind = $2 AND name = $3 \
              ORDER BY id DESC LIMIT 1",
         )
@@ -64,25 +66,53 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
         )
     })?;
 
-    // Validate encrypted blob is non-trivial (re-encrypt guard).
+    // ── Find the matching secret field snapshots ──────────────────────────────
-    if !snap.encrypted.is_empty() {
+    #[derive(FromRow)]
-        // Probe decrypt to ensure the blob is valid before restoring.
+    struct SecretHistoryRow {
-        crate::crypto::decrypt_json(master_key, &snap.encrypted)?;
+        secret_id: Uuid,
+        field_name: String,
+        field_type: String,
+        value_len: i32,
+        encrypted: Vec<u8>,
+        action: String,
+    }
+
+    let field_snaps: Vec<SecretHistoryRow> = sqlx::query_as(
+        "SELECT secret_id, field_name, field_type, value_len, encrypted, action \
+         FROM secrets_history \
+         WHERE entry_id = $1 AND entry_version = $2 \
+         ORDER BY field_name",
+    )
+    .bind(snap.entry_id)
+    .bind(snap.version)
+    .fetch_all(pool)
+    .await?;
+
+    // Validate: try decrypting all encrypted fields before writing anything.
+    for f in &field_snaps {
+        if f.action != "delete" && !f.encrypted.is_empty() {
+            crypto::decrypt_json(master_key, &f.encrypted).map_err(|e| {
+                anyhow::anyhow!(
+                    "Cannot decrypt snapshot for field '{}': {}",
+                    f.field_name,
+                    e
+                )
+            })?;
+        }
     }
 
     let mut tx = pool.begin().await?;
 
-    // Snapshot current live row (if it exists) before overwriting.
+    // ── Snapshot the current live state before overwriting ────────────────────
     #[derive(sqlx::FromRow)]
-    struct LiveRow {
+    struct LiveEntry {
         id: Uuid,
         version: i64,
         tags: Vec<String>,
         metadata: Value,
-        encrypted: Vec<u8>,
     }
-    let live: Option<LiveRow> = sqlx::query_as(
+    let live: Option<LiveEntry> = sqlx::query_as(
-        "SELECT id, version, tags, metadata, encrypted FROM secrets \
+        "SELECT id, version, tags, metadata FROM entries \
          WHERE namespace = $1 AND kind = $2 AND name = $3 FOR UPDATE",
     )
     .bind(args.namespace)
@@ -91,11 +121,11 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
     .fetch_optional(&mut *tx)
     .await?;
 
-    if let Some(lr) = live
+    if let Some(ref lr) = live {
-        && let Err(e) = crate::db::snapshot_history(
+        if let Err(e) = db::snapshot_entry_history(
             &mut tx,
-            crate::db::SnapshotParams {
+            db::EntrySnapshotParams {
-                secret_id: lr.id,
+                entry_id: lr.id,
                 namespace: args.namespace,
                 kind: args.kind,
                 name: args.name,
@@ -103,35 +133,104 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
                 action: "rollback",
                 tags: &lr.tags,
                 metadata: &lr.metadata,
-                encrypted: &lr.encrypted,
             },
         )
         .await
         {
-        tracing::warn!(error = %e, "failed to snapshot current row before rollback");
+            tracing::warn!(error = %e, "failed to snapshot entry before rollback");
         }
 
+        // Snapshot existing secret fields.
+        #[derive(sqlx::FromRow)]
+        struct LiveField {
+            id: Uuid,
+            field_name: String,
+            field_type: String,
+            value_len: i32,
+            encrypted: Vec<u8>,
+        }
+        let live_fields: Vec<LiveField> = sqlx::query_as(
+            "SELECT id, field_name, field_type, value_len, encrypted \
+             FROM secrets WHERE entry_id = $1",
+        )
+        .bind(lr.id)
+        .fetch_all(&mut *tx)
+        .await?;
+
+        for f in &live_fields {
+            if let Err(e) = db::snapshot_secret_history(
+                &mut tx,
+                db::SecretSnapshotParams {
+                    entry_id: lr.id,
+                    secret_id: f.id,
+                    entry_version: lr.version,
+                    field_name: &f.field_name,
+                    field_type: &f.field_type,
+                    value_len: f.value_len,
+                    encrypted: &f.encrypted,
+                    action: "rollback",
+                },
+            )
+            .await
+            {
+                tracing::warn!(error = %e, "failed to snapshot secret field before rollback");
+            }
+        }
+    }
+
+    // ── Restore entry row ─────────────────────────────────────────────────────
     sqlx::query(
-        "INSERT INTO secrets (id, namespace, kind, name, tags, metadata, encrypted, version, updated_at) \
+        "INSERT INTO entries (id, namespace, kind, name, tags, metadata, version, updated_at) \
-         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, NOW()) \
+         VALUES ($1, $2, $3, $4, $5, $6, $7, NOW()) \
          ON CONFLICT (namespace, kind, name) DO UPDATE SET \
              tags       = EXCLUDED.tags, \
              metadata   = EXCLUDED.metadata, \
-             encrypted  = EXCLUDED.encrypted, \
+             version    = entries.version + 1, \
-             version    = secrets.version + 1, \
              updated_at = NOW()",
     )
-    .bind(snap.secret_id)
+    .bind(snap.entry_id)
     .bind(args.namespace)
     .bind(args.kind)
     .bind(args.name)
     .bind(&snap.tags)
     .bind(&snap.metadata)
-    .bind(&snap.encrypted)
     .bind(snap.version)
     .execute(&mut *tx)
     .await?;
 
+    // ── Restore secret fields ─────────────────────────────────────────────────
+    // Delete all current fields and re-insert from snapshot
+    // (only non-deleted fields from the snapshot are restored).
+    sqlx::query("DELETE FROM secrets WHERE entry_id = $1")
+        .bind(snap.entry_id)
+        .execute(&mut *tx)
+        .await?;
+
+    for f in &field_snaps {
+        if f.action == "delete" {
+            // Field was deleted at this snapshot point — don't restore it.
+            continue;
+        }
+        sqlx::query(
+            "INSERT INTO secrets (id, entry_id, field_name, field_type, value_len, encrypted) \
+             VALUES ($1, $2, $3, $4, $5, $6) \
+             ON CONFLICT (entry_id, field_name) DO UPDATE SET \
+                 field_type = EXCLUDED.field_type, \
+                 value_len  = EXCLUDED.value_len, \
+                 encrypted  = EXCLUDED.encrypted, \
+                 version    = secrets.version + 1, \
+                 updated_at = NOW()",
+        )
+        .bind(f.secret_id)
+        .bind(snap.entry_id)
+        .bind(&f.field_name)
+        .bind(&f.field_type)
+        .bind(f.value_len)
+        .bind(&f.encrypted)
+        .execute(&mut *tx)
+        .await?;
+    }
+
     crate::audit::log_tx(
         &mut tx,
         "rollback",
@@ -167,7 +266,7 @@ pub async fn run(pool: &PgPool, args: RollbackArgs<'_>, master_key: &[u8; 32]) -
     Ok(())
 }
 
-/// List history entries for a record.
+/// List history entries for an entry.
 pub async fn list_history(
     pool: &PgPool,
     namespace: &str,
@@ -185,7 +284,7 @@ pub async fn list_history(
     }
 
     let rows: Vec<HistorySummary> = sqlx::query_as(
-        "SELECT version, action, actor, created_at FROM secrets_history \
+        "SELECT version, action, actor, created_at FROM entries_history \
          WHERE namespace = $1 AND kind = $2 AND name = $3 \
          ORDER BY id DESC LIMIT $4",
     )

src/commands/run.rs

@@ -3,7 +3,7 @@ use serde_json::Value;
 use sqlx::PgPool;
 use std::collections::HashMap;
 
-use crate::commands::search::build_injected_env_map;
+use crate::commands::search::{build_injected_env_map, fetch_entries, fetch_secrets_for_entries};
 use crate::output::OutputMode;
 
 pub struct InjectArgs<'a> {
@@ -11,7 +11,6 @@ pub struct InjectArgs<'a> {
     pub kind: Option<&'a str>,
     pub name: Option<&'a str>,
     pub tags: &'a [String],
-    /// Prefix to prepend to every variable name. Empty string means no prefix.
     pub prefix: &'a str,
     pub output: OutputMode,
 }
@@ -22,12 +21,10 @@ pub struct RunArgs<'a> {
     pub name: Option<&'a str>,
     pub tags: &'a [String],
     pub prefix: &'a str,
-    /// The command and its arguments to execute with injected secrets.
     pub command: &'a [String],
 }
 
-/// Fetch secrets matching the filter and build a flat env map.
+/// Fetch entries matching the filter and build a flat env map (metadata + decrypted secrets).
-/// Metadata and secret fields are merged; naming: `<PREFIX_><NAME>_<KEY>` (uppercased).
 pub async fn collect_env_map(
     pool: &PgPool,
     namespace: Option<&str>,
@@ -42,13 +39,19 @@ pub async fn collect_env_map(
             "At least one filter (--namespace, --kind, --name, or --tag) is required for inject/run"
         );
     }
-    let rows = crate::commands::search::fetch_rows(pool, namespace, kind, name, tags, None).await?;
+    let entries = fetch_entries(pool, namespace, kind, name, tags, None).await?;
-    if rows.is_empty() {
+    if entries.is_empty() {
         anyhow::bail!("No records matched the given filters.");
     }
+
+    let entry_ids: Vec<uuid::Uuid> = entries.iter().map(|e| e.id).collect();
+    let fields_map = fetch_secrets_for_entries(pool, &entry_ids).await?;
+
     let mut map = HashMap::new();
-    for row in &rows {
+    for entry in &entries {
-        let row_map = build_injected_env_map(row, prefix, master_key)?;
+        let empty = vec![];
+        let fields = fields_map.get(&entry.id).unwrap_or(&empty);
+        let row_map = build_injected_env_map(pool, entry, prefix, master_key, fields).await?;
         for (k, v) in row_map {
             map.insert(k, v);
         }
@@ -56,7 +59,7 @@ pub async fn collect_env_map(
     Ok(map)
 }
 
-/// `inject` command: print env vars to stdout (suitable for `eval $(...)` or export).
+/// `inject` command: print env vars to stdout.
 pub async fn run_inject(pool: &PgPool, args: InjectArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
     let env_map = collect_env_map(
         pool,
@@ -85,7 +88,6 @@ pub async fn run_inject(pool: &PgPool, args: InjectArgs<'_>, master_key: &[u8; 3
             println!("{}", serde_json::to_string(&Value::Object(obj))?);
         }
         _ => {
-            // Shell-safe KEY=VALUE output, one per line.
             let mut pairs: Vec<(String, String)> = env_map.into_iter().collect();
             pairs.sort_by(|a, b| a.0.cmp(&b.0));
             for (k, v) in pairs {
@@ -136,8 +138,6 @@ pub async fn run_exec(pool: &PgPool, args: RunArgs<'_>, master_key: &[u8; 32]) -
     Ok(())
 }
 
-/// Quote a value for safe shell output. Wraps the value in single quotes,
-/// escaping any single quotes within the value.
 fn shell_quote(s: &str) -> String {
     format!("'{}'", s.replace('\'', "'\\''"))
 }

src/commands/search.rs

@@ -4,7 +4,7 @@ use sqlx::PgPool;
 use std::collections::HashMap;
 
 use crate::crypto;
-use crate::models::Secret;
+use crate::models::{Entry, SecretField};
 use crate::output::{OutputMode, format_local_time};
 
 pub struct SearchArgs<'a> {
@@ -13,7 +13,6 @@ pub struct SearchArgs<'a> {
     pub name: Option<&'a str>,
     pub tags: &'a [String],
     pub query: Option<&'a str>,
-    pub show_secrets: bool,
     pub fields: &'a [String],
     pub summary: bool,
     pub limit: u32,
@@ -23,9 +22,9 @@ pub struct SearchArgs<'a> {
 }
 
 pub async fn run(pool: &PgPool, args: SearchArgs<'_>) -> Result<()> {
-    validate_safe_search_args(args.show_secrets, args.fields)?;
+    validate_safe_search_args(args.fields)?;
 
-    let rows = fetch_rows_paged(
+    let rows = fetch_entries_paged(
         pool,
         PagedFetchArgs {
             namespace: args.namespace,
@@ -40,14 +39,25 @@ pub async fn run(pool: &PgPool, args: SearchArgs<'_>) -> Result<()> {
     )
     .await?;
 
-    // -f/--field: extract specific field values directly
+    // -f/--field: extract specific metadata field values directly
     if !args.fields.is_empty() {
         return print_fields(&rows, args.fields);
     }
 
+    // Fetch secret schemas for all returned entries (no master key needed).
+    let entry_ids: Vec<uuid::Uuid> = rows.iter().map(|r| r.id).collect();
+    let schema_map = if !args.summary && !entry_ids.is_empty() {
+        fetch_secret_schemas(pool, &entry_ids).await?
+    } else {
+        HashMap::new()
+    };
+
     match args.output {
         OutputMode::Json | OutputMode::JsonCompact => {
-            let arr: Vec<Value> = rows.iter().map(|r| to_json(r, args.summary)).collect();
+            let arr: Vec<Value> = rows
+                .iter()
+                .map(|r| to_json(r, args.summary, schema_map.get(&r.id).map(Vec::as_slice)))
+                .collect();
             let out = if args.output == OutputMode::Json {
                 serde_json::to_string_pretty(&arr)?
             } else {
@@ -55,31 +65,17 @@ pub async fn run(pool: &PgPool, args: SearchArgs<'_>) -> Result<()> {
             };
             println!("{}", out);
         }
-        OutputMode::Env => {
-            if rows.len() > 1 {
-                anyhow::bail!(
-                    "env output requires exactly one record; got {}. Add more filters.",
-                    rows.len()
-                );
-            }
-            if let Some(row) = rows.first() {
-                let map = build_metadata_env_map(row, "");
-                let mut pairs: Vec<(String, String)> = map.into_iter().collect();
-                pairs.sort_by(|a, b| a.0.cmp(&b.0));
-                for (k, v) in pairs {
-                    println!("{}={}", k, shell_quote(&v));
-                }
-            } else {
-                eprintln!("No records found.");
-            }
-        }
         OutputMode::Text => {
             if rows.is_empty() {
                 println!("No records found.");
                 return Ok(());
             }
             for row in &rows {
-                print_text(row, args.summary)?;
+                print_text(
+                    row,
+                    args.summary,
+                    schema_map.get(&row.id).map(Vec::as_slice),
+                )?;
             }
             println!("{} record(s) found.", rows.len());
             if rows.len() == args.limit as usize {
@@ -95,20 +91,13 @@ pub async fn run(pool: &PgPool, args: SearchArgs<'_>) -> Result<()> {
     Ok(())
 }
 
-fn validate_safe_search_args(show_secrets: bool, fields: &[String]) -> Result<()> {
+fn validate_safe_search_args(fields: &[String]) -> Result<()> {
-    if show_secrets {
-        anyhow::bail!(
-            "`search` no longer reveals secrets. Use `secrets inject` or `secrets run` instead."
-        );
-    }
-
     if let Some(field) = fields.iter().find(|field| is_secret_field(field)) {
         anyhow::bail!(
             "Field '{}' is sensitive. `search -f` only supports metadata.* fields; use `secrets inject` or `secrets run` for secrets.",
             field
         );
     }
-
     Ok(())
 }
 
@@ -119,16 +108,29 @@ fn is_secret_field(field: &str) -> bool {
     )
 }
 
-/// Fetch rows with simple equality/tag filters (no pagination). Used by inject/run.
+// ── Entry fetching ────────────────────────────────────────────────────────────
-pub async fn fetch_rows(
+
+struct PagedFetchArgs<'a> {
+    namespace: Option<&'a str>,
+    kind: Option<&'a str>,
+    name: Option<&'a str>,
+    tags: &'a [String],
+    query: Option<&'a str>,
+    sort: &'a str,
+    limit: u32,
+    offset: u32,
+}
+
+/// Fetch entries matching the given filters (used by search, inject, run).
+pub async fn fetch_entries(
     pool: &PgPool,
     namespace: Option<&str>,
     kind: Option<&str>,
     name: Option<&str>,
     tags: &[String],
     query: Option<&str>,
-) -> Result<Vec<Secret>> {
+) -> Result<Vec<Entry>> {
-    fetch_rows_paged(
+    fetch_entries_paged(
         pool,
         PagedFetchArgs {
             namespace,
@@ -144,19 +146,7 @@ pub async fn fetch_rows(
     .await
 }
 
-/// Arguments for the internal paged fetch. Grouped to avoid too-many-arguments lint.
+async fn fetch_entries_paged(pool: &PgPool, a: PagedFetchArgs<'_>) -> Result<Vec<Entry>> {
-struct PagedFetchArgs<'a> {
-    namespace: Option<&'a str>,
-    kind: Option<&'a str>,
-    name: Option<&'a str>,
-    tags: &'a [String],
-    query: Option<&'a str>,
-    sort: &'a str,
-    limit: u32,
-    offset: u32,
-}
-
-async fn fetch_rows_paged(pool: &PgPool, a: PagedFetchArgs<'_>) -> Result<Vec<Secret>> {
     let mut conditions: Vec<String> = Vec::new();
     let mut idx: i32 = 1;
 
@@ -205,7 +195,7 @@ async fn fetch_rows_paged(pool: &PgPool, a: PagedFetchArgs<'_>) -> Result<Vec<Se
     };
 
     let sql = format!(
-        "SELECT * FROM secrets {} ORDER BY {} LIMIT ${} OFFSET ${}",
+        "SELECT * FROM entries {} ORDER BY {} LIMIT ${} OFFSET ${}",
         where_clause,
         order,
         idx,
@@ -214,7 +204,7 @@ async fn fetch_rows_paged(pool: &PgPool, a: PagedFetchArgs<'_>) -> Result<Vec<Se
 
     tracing::debug!(sql, "executing search query");
 
-    let mut q = sqlx::query_as::<_, Secret>(&sql);
+    let mut q = sqlx::query_as::<_, Entry>(&sql);
     if let Some(v) = a.namespace {
         q = q.bind(v);
     }
@@ -237,12 +227,62 @@ async fn fetch_rows_paged(pool: &PgPool, a: PagedFetchArgs<'_>) -> Result<Vec<Se
     }
     q = q.bind(a.limit as i64).bind(a.offset as i64);
 
-    let rows = q.fetch_all(pool).await?;
+    Ok(q.fetch_all(pool).await?)
-    Ok(rows)
 }
 
-fn env_prefix(row: &Secret, prefix: &str) -> String {
+// ── Secret schema fetching (no master key) ───────────────────────────────────
-    let name_part = row.name.to_uppercase().replace(['-', '.', ' '], "_");
+
+/// Fetch secret field schemas (field_name, field_type, value_len) for a set of entry ids.
+/// Returns a map from entry_id to list of SecretField (encrypted field not used here).
+async fn fetch_secret_schemas(
+    pool: &PgPool,
+    entry_ids: &[uuid::Uuid],
+) -> Result<HashMap<uuid::Uuid, Vec<SecretField>>> {
+    if entry_ids.is_empty() {
+        return Ok(HashMap::new());
+    }
+
+    let fields: Vec<SecretField> = sqlx::query_as(
+        "SELECT * FROM secrets WHERE entry_id = ANY($1) ORDER BY entry_id, field_name",
+    )
+    .bind(entry_ids)
+    .fetch_all(pool)
+    .await?;
+
+    let mut map: HashMap<uuid::Uuid, Vec<SecretField>> = HashMap::new();
+    for f in fields {
+        map.entry(f.entry_id).or_default().push(f);
+    }
+    Ok(map)
+}
+
+/// Fetch all secret fields (including encrypted bytes) for a set of entry ids.
+pub async fn fetch_secrets_for_entries(
+    pool: &PgPool,
+    entry_ids: &[uuid::Uuid],
+) -> Result<HashMap<uuid::Uuid, Vec<SecretField>>> {
+    if entry_ids.is_empty() {
+        return Ok(HashMap::new());
+    }
+
+    let fields: Vec<SecretField> = sqlx::query_as(
+        "SELECT * FROM secrets WHERE entry_id = ANY($1) ORDER BY entry_id, field_name",
+    )
+    .bind(entry_ids)
+    .fetch_all(pool)
+    .await?;
+
+    let mut map: HashMap<uuid::Uuid, Vec<SecretField>> = HashMap::new();
+    for f in fields {
+        map.entry(f.entry_id).or_default().push(f);
+    }
+    Ok(map)
+}
+
+// ── Display helpers ───────────────────────────────────────────────────────────
+
+fn env_prefix(entry: &Entry, prefix: &str) -> String {
+    let name_part = entry.name.to_uppercase().replace(['-', '.', ' '], "_");
     if prefix.is_empty() {
         name_part
     } else {
@@ -254,15 +294,12 @@ fn env_prefix(row: &Secret, prefix: &str) -> String {
     }
 }
 
-/// Build a flat `KEY=VALUE` map from metadata only.
+/// Build a flat KEY=VALUE map from metadata only (no master key required).
-/// Variable names: `<PREFIX><NAME>_<FIELD>` (all uppercased, hyphens/dots → underscores).
+pub fn build_metadata_env_map(entry: &Entry, prefix: &str) -> HashMap<String, String> {
-/// If `prefix` is empty, the name segment alone is used as the prefix.
+    let effective_prefix = env_prefix(entry, prefix);
-pub fn build_metadata_env_map(row: &Secret, prefix: &str) -> HashMap<String, String> {
-    let effective_prefix = env_prefix(row, prefix);
-
     let mut map = HashMap::new();
 
-    if let Some(meta) = row.metadata.as_object() {
+    if let Some(meta) = entry.metadata.as_object() {
         for (k, v) in meta {
             let key = format!(
                 "{}_{}",
@@ -272,43 +309,68 @@ pub fn build_metadata_env_map(row: &Secret, prefix: &str) -> HashMap<String, Str
             map.insert(key, json_value_to_env_string(v));
         }
     }
-
     map
 }
 
-/// Build a flat `KEY=VALUE` map from metadata and decrypted secrets.
+/// Build a flat KEY=VALUE map from metadata + decrypted secret fields.
-pub fn build_injected_env_map(
+/// Resolves key_ref: if metadata.key_ref is set, merges secret fields from that key entry.
-    row: &Secret,
+pub async fn build_injected_env_map(
+    pool: &PgPool,
+    entry: &Entry,
     prefix: &str,
     master_key: &[u8; 32],
+    fields: &[SecretField],
 ) -> Result<HashMap<String, String>> {
-    let effective_prefix = env_prefix(row, prefix);
+    let effective_prefix = env_prefix(entry, prefix);
-    let mut map = build_metadata_env_map(row, prefix);
+    let mut map = build_metadata_env_map(entry, prefix);
 
-    if !row.encrypted.is_empty() {
+    // Decrypt each secret field and add to env map.
-        let decrypted = crypto::decrypt_json(master_key, &row.encrypted)?;
+    for f in fields {
-        if let Some(enc) = decrypted.as_object() {
+        let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
-            for (k, v) in enc {
         let key = format!(
             "{}_{}",
             effective_prefix,
-                    k.to_uppercase().replace(['-', '.'], "_")
+            f.field_name.to_uppercase().replace(['-', '.'], "_")
         );
-                map.insert(key, json_value_to_env_string(v));
+        map.insert(key, json_value_to_env_string(&decrypted));
     }
+
+    // Resolve key_ref: merge secrets from the referenced key entry.
+    if let Some(key_ref) = entry.metadata.get("key_ref").and_then(|v| v.as_str()) {
+        let key_entries = fetch_entries(
+            pool,
+            Some(&entry.namespace),
+            Some("key"),
+            Some(key_ref),
+            &[],
+            None,
+        )
+        .await?;
+
+        if let Some(key_entry) = key_entries.first() {
+            let key_ids = vec![key_entry.id];
+            let key_fields_map = fetch_secrets_for_entries(pool, &key_ids).await?;
+            let empty = vec![];
+            let key_fields = key_fields_map.get(&key_entry.id).unwrap_or(&empty);
+
+            let key_prefix = env_prefix(key_entry, prefix);
+            for f in key_fields {
+                let decrypted = crypto::decrypt_json(master_key, &f.encrypted)?;
+                let key_var = format!(
+                    "{}_{}",
+                    key_prefix,
+                    f.field_name.to_uppercase().replace(['-', '.'], "_")
+                );
+                map.insert(key_var, json_value_to_env_string(&decrypted));
+            }
+        } else {
+            tracing::warn!(key_ref, "key_ref target not found");
         }
     }
 
     Ok(map)
 }
 
-/// Quote a value for safe shell / env output. Wraps in single quotes,
-/// escaping any single quotes within the value.
-fn shell_quote(s: &str) -> String {
-    format!("'{}'", s.replace('\'', "'\\''"))
-}
-
-/// Convert a JSON value to its string representation suitable for env vars.
 fn json_value_to_env_string(v: &Value) -> String {
     match v {
         Value::String(s) => s.clone(),
@@ -317,81 +379,101 @@ fn json_value_to_env_string(v: &Value) -> String {
     }
 }
 
-fn to_json(row: &Secret, summary: bool) -> Value {
+fn to_json(entry: &Entry, summary: bool, schema: Option<&[SecretField]>) -> Value {
     if summary {
-        let desc = row
+        let desc = entry
             .metadata
             .get("desc")
-            .or_else(|| row.metadata.get("url"))
+            .or_else(|| entry.metadata.get("url"))
             .and_then(|v| v.as_str())
             .unwrap_or("")
             .to_string();
         return json!({
-            "namespace": row.namespace,
+            "namespace": entry.namespace,
-            "kind": row.kind,
+            "kind": entry.kind,
-            "name": row.name,
+            "name": entry.name,
-            "tags": row.tags,
+            "tags": entry.tags,
             "desc": desc,
-            "updated_at": row.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
+            "updated_at": entry.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
         });
     }
 
-    let secrets_val = if row.encrypted.is_empty() {
+    let secrets_val: Value = match schema {
-        Value::Object(Default::default())
+        Some(fields) if !fields.is_empty() => {
-    } else {
+            let schema_arr: Vec<Value> = fields
-        json!({"_encrypted": true})
+                .iter()
+                .map(|f| {
+                    json!({
+                        "field_name": f.field_name,
+                        "field_type": f.field_type,
+                        "value_len": f.value_len,
+                    })
+                })
+                .collect();
+            Value::Array(schema_arr)
+        }
+        _ => Value::Array(vec![]),
     };
 
     json!({
-        "id": row.id,
+        "id": entry.id,
-        "namespace": row.namespace,
+        "namespace": entry.namespace,
-        "kind": row.kind,
+        "kind": entry.kind,
-        "name": row.name,
+        "name": entry.name,
-        "tags": row.tags,
+        "tags": entry.tags,
-        "metadata": row.metadata,
+        "metadata": entry.metadata,
         "secrets": secrets_val,
-        "version": row.version,
+        "version": entry.version,
-        "created_at": row.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
+        "created_at": entry.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
-        "updated_at": row.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
+        "updated_at": entry.updated_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
     })
 }
 
-fn print_text(row: &Secret, summary: bool) -> Result<()> {
+fn print_text(entry: &Entry, summary: bool, schema: Option<&[SecretField]>) -> Result<()> {
-    println!("[{}/{}] {}", row.namespace, row.kind, row.name);
+    println!("[{}/{}] {}", entry.namespace, entry.kind, entry.name);
     if summary {
-        let desc = row
+        let desc = entry
             .metadata
             .get("desc")
-            .or_else(|| row.metadata.get("url"))
+            .or_else(|| entry.metadata.get("url"))
             .and_then(|v| v.as_str())
             .unwrap_or("-");
-        if !row.tags.is_empty() {
+        if !entry.tags.is_empty() {
-            println!("  tags:    [{}]", row.tags.join(", "));
+            println!("  tags:    [{}]", entry.tags.join(", "));
         }
         println!("  desc:    {}", desc);
-        println!("  updated: {}", format_local_time(row.updated_at));
+        println!("  updated: {}", format_local_time(entry.updated_at));
     } else {
-        println!("  id:       {}", row.id);
+        println!("  id:       {}", entry.id);
-        if !row.tags.is_empty() {
+        if !entry.tags.is_empty() {
-            println!("  tags:     [{}]", row.tags.join(", "));
+            println!("  tags:     [{}]", entry.tags.join(", "));
         }
-        if row.metadata.as_object().is_some_and(|m| !m.is_empty()) {
+        if entry.metadata.as_object().is_some_and(|m| !m.is_empty()) {
             println!(
                 "  metadata: {}",
-                serde_json::to_string_pretty(&row.metadata)?
+                serde_json::to_string_pretty(&entry.metadata)?
             );
         }
-        if !row.encrypted.is_empty() {
+        match schema {
-            println!("  secrets:  [encrypted]  (use `secrets inject` or `secrets run`)");
+            Some(fields) if !fields.is_empty() => {
+                let schema_str: Vec<String> = fields
+                    .iter()
+                    .map(|f| format!("{}: {}({})", f.field_name, f.field_type, f.value_len))
+                    .collect();
+                println!("  secrets:  {}", schema_str.join(", "));
+                println!("            (use `secrets inject` or `secrets run` to get values)");
             }
-        println!("  created:  {}", format_local_time(row.created_at));
+            _ => {}
+        }
+        println!("  version:  {}", entry.version);
+        println!("  created:  {}", format_local_time(entry.created_at));
     }
     println!();
     Ok(())
 }
 
-/// Extract one or more field paths like `metadata.url`.
+/// Extract one or more metadata field paths like `metadata.url`.
-fn print_fields(rows: &[Secret], fields: &[String]) -> Result<()> {
+fn print_fields(rows: &[Entry], fields: &[String]) -> Result<()> {
     for row in rows {
         for field in fields {
             let val = extract_field(row, field)?;
@@ -401,13 +483,13 @@ fn print_fields(rows: &[Secret], fields: &[String]) -> Result<()> {
     Ok(())
 }
 
-fn extract_field(row: &Secret, field: &str) -> Result<String> {
+fn extract_field(entry: &Entry, field: &str) -> Result<String> {
     let (section, key) = field
         .split_once('.')
         .ok_or_else(|| anyhow::anyhow!("Invalid field path '{}'. Use metadata.<key>.", field))?;
 
     let obj = match section {
-        "metadata" | "meta" => &row.metadata,
+        "metadata" | "meta" => &entry.metadata,
         other => anyhow::bail!("Unknown field section '{}'. Use 'metadata'.", other),
     };
 
@@ -421,9 +503,9 @@ fn extract_field(row: &Secret, field: &str) -> Result<String> {
             anyhow::anyhow!(
                 "Field '{}' not found in record [{}/{}/{}]",
                 field,
-                row.namespace,
+                entry.namespace,
-                row.kind,
+                entry.kind,
-                row.name
+                entry.name
             )
         })
 }
@@ -435,41 +517,47 @@ mod tests {
     use serde_json::json;
     use uuid::Uuid;
 
-    fn sample_secret() -> Secret {
+    fn sample_entry() -> Entry {
-        let key = [0x42u8; 32];
+        Entry {
-        let encrypted = crypto::encrypt_json(&key, &json!({"token": "abc123"})).unwrap();
-
-        Secret {
             id: Uuid::nil(),
             namespace: "refining".to_string(),
             kind: "service".to_string(),
             name: "gitea.main".to_string(),
             tags: vec!["prod".to_string()],
             metadata: json!({"url": "https://gitea.refining.dev", "enabled": true}),
-            encrypted,
             version: 1,
             created_at: Utc::now(),
             updated_at: Utc::now(),
         }
     }
 
-    #[test]
+    fn sample_fields() -> Vec<SecretField> {
-    fn rejects_show_secrets_flag() {
+        let key = [0x42u8; 32];
-        let err = validate_safe_search_args(true, &[]).unwrap_err();
+        let enc = crypto::encrypt_json(&key, &json!("abc123")).unwrap();
-        assert!(err.to_string().contains("no longer reveals secrets"));
+        vec![SecretField {
+            id: Uuid::nil(),
+            entry_id: Uuid::nil(),
+            field_name: "token".to_string(),
+            field_type: "string".to_string(),
+            value_len: 6,
+            encrypted: enc,
+            version: 1,
+            created_at: Utc::now(),
+            updated_at: Utc::now(),
+        }]
     }
 
     #[test]
     fn rejects_secret_field_extraction() {
         let fields = vec!["secret.token".to_string()];
-        let err = validate_safe_search_args(false, &fields).unwrap_err();
+        let err = validate_safe_search_args(&fields).unwrap_err();
         assert!(err.to_string().contains("sensitive"));
     }
 
     #[test]
     fn metadata_env_map_excludes_secret_values() {
-        let row = sample_secret();
+        let entry = sample_entry();
-        let map = build_metadata_env_map(&row, "");
+        let map = build_metadata_env_map(&entry, "");
 
         assert_eq!(
             map.get("GITEA_MAIN_URL").map(String::as_str),
@@ -483,14 +571,23 @@ mod tests {
     }
 
     #[test]
-    fn injected_env_map_includes_secret_values() {
+    fn to_json_full_includes_secrets_schema() {
-        let row = sample_secret();
+        let entry = sample_entry();
-        let key = [0x42u8; 32];
+        let fields = sample_fields();
-        let map = build_injected_env_map(&row, "", &key).unwrap();
+        let v = to_json(&entry, false, Some(&fields));
 
-        assert_eq!(
+        let secrets = v.get("secrets").unwrap().as_array().unwrap();
-            map.get("GITEA_MAIN_TOKEN").map(String::as_str),
+        assert_eq!(secrets.len(), 1);
-            Some("abc123")
+        assert_eq!(secrets[0]["field_name"], "token");
-        );
+        assert_eq!(secrets[0]["field_type"], "string");
+        assert_eq!(secrets[0]["value_len"], 6);
+    }
+
+    #[test]
+    fn to_json_summary_omits_secrets_schema() {
+        let entry = sample_entry();
+        let fields = sample_fields();
+        let v = to_json(&entry, true, Some(&fields));
+        assert!(v.get("secrets").is_none());
     }
 }

src/commands/update.rs

@@ -4,19 +4,19 @@ use sqlx::{FromRow, PgPool};
 use uuid::Uuid;
 
 use super::add::{
-    collect_field_paths, collect_key_paths, insert_path, parse_key_path, parse_kv, remove_path,
+    collect_field_paths, collect_key_paths, compute_value_len, flatten_json_fields,
+    infer_field_type, insert_path, parse_key_path, parse_kv, remove_path,
 };
 use crate::crypto;
 use crate::db;
 use crate::output::OutputMode;
 
 #[derive(FromRow)]
-struct UpdateRow {
+struct EntryRow {
     id: Uuid,
     version: i64,
     tags: Vec<String>,
     metadata: Value,
-    encrypted: Vec<u8>,
 }
 
 pub struct UpdateArgs<'a> {
@@ -35,9 +35,9 @@ pub struct UpdateArgs<'a> {
 pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) -> Result<()> {
     let mut tx = pool.begin().await?;
 
-    let row: Option<UpdateRow> = sqlx::query_as(
+    let row: Option<EntryRow> = sqlx::query_as(
-        "SELECT id, version, tags, metadata, encrypted \
+        "SELECT id, version, tags, metadata \
-         FROM secrets \
+         FROM entries \
          WHERE namespace = $1 AND kind = $2 AND name = $3 \
          FOR UPDATE",
     )
@@ -56,11 +56,11 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
         )
     })?;
 
-    // Snapshot current state before modifying.
+    // Snapshot current entry state before modifying.
-    if let Err(e) = db::snapshot_history(
+    if let Err(e) = db::snapshot_entry_history(
         &mut tx,
-        db::SnapshotParams {
+        db::EntrySnapshotParams {
-            secret_id: row.id,
+            entry_id: row.id,
             namespace: args.namespace,
             kind: args.kind,
             name: args.name,
@@ -68,15 +68,14 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
             action: "update",
             tags: &row.tags,
             metadata: &row.metadata,
-            encrypted: &row.encrypted,
         },
     )
     .await
     {
-        tracing::warn!(error = %e, "failed to snapshot history before update");
+        tracing::warn!(error = %e, "failed to snapshot entry history before update");
     }
 
-    // Merge tags
+    // ── Merge tags ────────────────────────────────────────────────────────────
     let mut tags: Vec<String> = row.tags;
     for t in args.add_tags {
         if !tags.contains(t) {
@@ -85,7 +84,7 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
     }
     tags.retain(|t| !args.remove_tags.contains(t));
 
-    // Merge metadata
+    // ── Merge metadata ────────────────────────────────────────────────────────
     let mut meta_map: Map<String, Value> = match row.metadata {
         Value::Object(m) => m,
         _ => Map::new(),
@@ -100,43 +99,14 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
     }
     let metadata = Value::Object(meta_map);
 
-    // Decrypt existing encrypted blob, merge changes, re-encrypt
+    // CAS update of the entry row.
-    let existing_json = if row.encrypted.is_empty() {
-        Value::Object(Map::new())
-    } else {
-        crypto::decrypt_json(master_key, &row.encrypted)?
-    };
-    let mut enc_map: Map<String, Value> = match existing_json {
-        Value::Object(m) => m,
-        _ => Map::new(),
-    };
-    for entry in args.secret_entries {
-        let (path, value) = parse_kv(entry)?;
-        insert_path(&mut enc_map, &path, value)?;
-    }
-    for key in args.remove_secrets {
-        let path = parse_key_path(key)?;
-        remove_path(&mut enc_map, &path)?;
-    }
-    let secret_json = Value::Object(enc_map);
-    let encrypted_bytes = crypto::encrypt_json(master_key, &secret_json)?;
-
-    tracing::debug!(
-        namespace = args.namespace,
-        kind = args.kind,
-        name = args.name,
-        "updating record"
-    );
-
-    // CAS: update only if version hasn't changed (FOR UPDATE lock ensures this).
     let result = sqlx::query(
-        "UPDATE secrets \
+        "UPDATE entries \
-         SET tags = $1, metadata = $2, encrypted = $3, version = version + 1, updated_at = NOW() \
+         SET tags = $1, metadata = $2, version = version + 1, updated_at = NOW() \
-         WHERE id = $4 AND version = $5",
+         WHERE id = $3 AND version = $4",
     )
     .bind(&tags)
     .bind(&metadata)
-    .bind(&encrypted_bytes)
     .bind(row.id)
     .bind(row.version)
     .execute(&mut *tx)
@@ -152,6 +122,130 @@ pub async fn run(pool: &PgPool, args: UpdateArgs<'_>, master_key: &[u8; 32]) ->
         );
     }
 
+    let new_version = row.version + 1;
+
+    // ── Update secret fields ──────────────────────────────────────────────────
+    for entry in args.secret_entries {
+        let (path, field_value) = parse_kv(entry)?;
+
+        // For nested paths (e.g. credentials:type), flatten into dot-separated names
+        // and treat the sub-value as the individual field to store.
+        let flat = flatten_json_fields("", &{
+            let mut m = Map::new();
+            insert_path(&mut m, &path, field_value)?;
+            Value::Object(m)
+        });
+
+        for (field_name, fv) in &flat {
+            let field_type = infer_field_type(fv);
+            let value_len = compute_value_len(fv);
+            let encrypted = crypto::encrypt_json(master_key, fv)?;
+
+            // Snapshot existing field before replacing.
+            #[derive(sqlx::FromRow)]
+            struct ExistingField {
+                id: Uuid,
+                field_type: String,
+                value_len: i32,
+                encrypted: Vec<u8>,
+            }
+            let existing_field: Option<ExistingField> = sqlx::query_as(
+                "SELECT id, field_type, value_len, encrypted \
+                 FROM secrets WHERE entry_id = $1 AND field_name = $2",
+            )
+            .bind(row.id)
+            .bind(field_name)
+            .fetch_optional(&mut *tx)
+            .await?;
+
+            if let Some(ef) = &existing_field
+                && let Err(e) = db::snapshot_secret_history(
+                    &mut tx,
+                    db::SecretSnapshotParams {
+                        entry_id: row.id,
+                        secret_id: ef.id,
+                        entry_version: row.version,
+                        field_name,
+                        field_type: &ef.field_type,
+                        value_len: ef.value_len,
+                        encrypted: &ef.encrypted,
+                        action: "update",
+                    },
+                )
+                .await
+            {
+                tracing::warn!(error = %e, "failed to snapshot secret field history");
+            }
+
+            sqlx::query(
+                "INSERT INTO secrets (entry_id, field_name, field_type, value_len, encrypted) \
+                 VALUES ($1, $2, $3, $4, $5) \
+                 ON CONFLICT (entry_id, field_name) DO UPDATE SET \
+                     field_type = EXCLUDED.field_type, \
+                     value_len  = EXCLUDED.value_len, \
+                     encrypted  = EXCLUDED.encrypted, \
+                     version    = secrets.version + 1, \
+                     updated_at = NOW()",
+            )
+            .bind(row.id)
+            .bind(field_name)
+            .bind(field_type)
+            .bind(value_len)
+            .bind(&encrypted)
+            .execute(&mut *tx)
+            .await?;
+        }
+    }
+
+    // ── Remove secret fields ──────────────────────────────────────────────────
+    for key in args.remove_secrets {
+        let path = parse_key_path(key)?;
+        // Dot-join the path to match flattened field_name storage.
+        let field_name = path.join(".");
+
+        // Snapshot before delete.
+        #[derive(sqlx::FromRow)]
+        struct FieldToDelete {
+            id: Uuid,
+            field_type: String,
+            value_len: i32,
+            encrypted: Vec<u8>,
+        }
+        let field: Option<FieldToDelete> = sqlx::query_as(
+            "SELECT id, field_type, value_len, encrypted \
+             FROM secrets WHERE entry_id = $1 AND field_name = $2",
+        )
+        .bind(row.id)
+        .bind(&field_name)
+        .fetch_optional(&mut *tx)
+        .await?;
+
+        if let Some(f) = field {
+            if let Err(e) = db::snapshot_secret_history(
+                &mut tx,
+                db::SecretSnapshotParams {
+                    entry_id: row.id,
+                    secret_id: f.id,
+                    entry_version: new_version,
+                    field_name: &field_name,
+                    field_type: &f.field_type,
+                    value_len: f.value_len,
+                    encrypted: &f.encrypted,
+                    action: "delete",
+                },
+            )
+            .await
+            {
+                tracing::warn!(error = %e, "failed to snapshot secret field history before delete");
+            }
+
+            sqlx::query("DELETE FROM secrets WHERE id = $1")
+                .bind(f.id)
+                .execute(&mut *tx)
+                .await?;
+        }
+    }
+
     let meta_keys = collect_key_paths(args.meta_entries)?;
     let remove_meta_keys = collect_field_paths(args.remove_meta)?;
     let secret_keys = collect_key_paths(args.secret_entries)?;

src/db.rs

@@ -1,4 +1,5 @@
 use anyhow::Result;
+use serde_json::Value;
 use sqlx::PgPool;
 use sqlx::postgres::PgPoolOptions;
 
@@ -17,61 +18,48 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
     tracing::debug!("running migrations");
     sqlx::raw_sql(
         r#"
-        CREATE TABLE IF NOT EXISTS secrets (
+        -- ── entries: top-level entities (server, service, key, …) ──────────────
+        CREATE TABLE IF NOT EXISTS entries (
             id          UUID PRIMARY KEY DEFAULT uuidv7(),
             namespace   VARCHAR(64)  NOT NULL,
             kind        VARCHAR(64)  NOT NULL,
             name        VARCHAR(256) NOT NULL,
             tags        TEXT[]       NOT NULL DEFAULT '{}',
             metadata    JSONB        NOT NULL DEFAULT '{}',
-            encrypted   BYTEA        NOT NULL DEFAULT '\x',
             version     BIGINT       NOT NULL DEFAULT 1,
             created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
             updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
             UNIQUE(namespace, kind, name)
         );
 
-        -- idempotent column add for existing tables
+        CREATE INDEX IF NOT EXISTS idx_entries_namespace ON entries(namespace);
-        DO $$ BEGIN
+        CREATE INDEX IF NOT EXISTS idx_entries_kind      ON entries(kind);
-            ALTER TABLE secrets ADD COLUMN IF NOT EXISTS metadata JSONB NOT NULL DEFAULT '{}';
+        CREATE INDEX IF NOT EXISTS idx_entries_tags      ON entries USING GIN(tags);
-        EXCEPTION WHEN OTHERS THEN NULL;
+        CREATE INDEX IF NOT EXISTS idx_entries_metadata  ON entries USING GIN(metadata jsonb_path_ops);
-        END $$;
 
-        DO $$ BEGIN
+        -- ── secrets: one row per encrypted field, plaintext schema metadata ────
-            ALTER TABLE secrets ADD COLUMN IF NOT EXISTS version BIGINT NOT NULL DEFAULT 1;
+        CREATE TABLE IF NOT EXISTS secrets (
-        EXCEPTION WHEN OTHERS THEN NULL;
+            id          UUID PRIMARY KEY DEFAULT uuidv7(),
-        END $$;
+            entry_id    UUID         NOT NULL REFERENCES entries(id) ON DELETE CASCADE,
+            field_name  VARCHAR(256) NOT NULL,
+            field_type  VARCHAR(32)  NOT NULL DEFAULT 'string',
+            value_len   INT          NOT NULL DEFAULT 0,
+            encrypted   BYTEA        NOT NULL DEFAULT '\x',
+            version     BIGINT       NOT NULL DEFAULT 1,
+            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
+            updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
+            UNIQUE(entry_id, field_name)
+        );
 
-        -- Migrate encrypted column from JSONB to BYTEA if still JSONB type.
+        CREATE INDEX IF NOT EXISTS idx_secrets_entry_id ON secrets(entry_id);
-        -- After migration, old plaintext rows will have their JSONB data
-        -- stored as raw bytes (UTF-8 encoded).
-        DO $$ BEGIN
-            IF EXISTS (
-                SELECT 1 FROM information_schema.columns
-                WHERE table_name = 'secrets'
-                  AND column_name = 'encrypted'
-                  AND data_type = 'jsonb'
-            ) THEN
-                ALTER TABLE secrets RENAME COLUMN encrypted TO encrypted_jsonb_old;
-                ALTER TABLE secrets ADD COLUMN encrypted BYTEA NOT NULL DEFAULT '\x';
-                -- Copy existing JSONB data as raw UTF-8 bytes so nothing is lost
-                UPDATE secrets SET encrypted = convert_to(encrypted_jsonb_old::text, 'UTF8');
-                ALTER TABLE secrets DROP COLUMN encrypted_jsonb_old;
-            END IF;
-        EXCEPTION WHEN OTHERS THEN NULL;
-        END $$;
 
-        CREATE INDEX IF NOT EXISTS idx_secrets_namespace ON secrets(namespace);
+        -- ── kv_config: global key-value store (Argon2id salt, etc.) ────────────
-        CREATE INDEX IF NOT EXISTS idx_secrets_kind ON secrets(kind);
-        CREATE INDEX IF NOT EXISTS idx_secrets_tags ON secrets USING GIN(tags);
-        CREATE INDEX IF NOT EXISTS idx_secrets_metadata ON secrets USING GIN(metadata jsonb_path_ops);
-
-        -- Key-value config table: stores Argon2id salt (shared across devices)
         CREATE TABLE IF NOT EXISTS kv_config (
             key   TEXT PRIMARY KEY,
             value BYTEA NOT NULL
         );
 
+        -- ── audit_log: append-only operation log ────────────────────────────────
         CREATE TABLE IF NOT EXISTS audit_log (
             id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
             action      VARCHAR(32)  NOT NULL,
@@ -86,11 +74,10 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
         CREATE INDEX IF NOT EXISTS idx_audit_log_created  ON audit_log(created_at DESC);
         CREATE INDEX IF NOT EXISTS idx_audit_log_ns_kind  ON audit_log(namespace, kind);
 
-        -- History table: snapshot of secrets before each write operation.
+        -- ── entries_history: entry-level snapshot (tags + metadata) ─────────────
-        -- Supports rollback to any prior version via `secrets rollback`.
+        CREATE TABLE IF NOT EXISTS entries_history (
-        CREATE TABLE IF NOT EXISTS secrets_history (
             id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-            secret_id   UUID         NOT NULL,
+            entry_id    UUID         NOT NULL,
             namespace   VARCHAR(64)  NOT NULL,
             kind        VARCHAR(64)  NOT NULL,
             name        VARCHAR(256) NOT NULL,
@@ -98,13 +85,34 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
             action      VARCHAR(16)  NOT NULL,
             tags        TEXT[]       NOT NULL DEFAULT '{}',
             metadata    JSONB        NOT NULL DEFAULT '{}',
-            encrypted   BYTEA        NOT NULL DEFAULT '\x',
             actor       VARCHAR(128) NOT NULL DEFAULT '',
             created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
         );
 
-        CREATE INDEX IF NOT EXISTS idx_history_secret_id ON secrets_history(secret_id, version DESC);
+        CREATE INDEX IF NOT EXISTS idx_entries_history_entry_id
-        CREATE INDEX IF NOT EXISTS idx_history_ns_kind_name ON secrets_history(namespace, kind, name, version DESC);
+            ON entries_history(entry_id, version DESC);
+        CREATE INDEX IF NOT EXISTS idx_entries_history_ns_kind_name
+            ON entries_history(namespace, kind, name, version DESC);
+
+        -- ── secrets_history: field-level snapshot ───────────────────────────────
+        CREATE TABLE IF NOT EXISTS secrets_history (
+            id              BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+            entry_id        UUID         NOT NULL,
+            secret_id       UUID         NOT NULL,
+            entry_version   BIGINT       NOT NULL,
+            field_name      VARCHAR(256) NOT NULL,
+            field_type      VARCHAR(32)  NOT NULL DEFAULT 'string',
+            value_len       INT          NOT NULL DEFAULT 0,
+            encrypted       BYTEA        NOT NULL DEFAULT '\x',
+            action          VARCHAR(16)  NOT NULL,
+            actor           VARCHAR(128) NOT NULL DEFAULT '',
+            created_at      TIMESTAMPTZ  NOT NULL DEFAULT NOW()
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_secrets_history_entry_id
+            ON secrets_history(entry_id, entry_version DESC);
+        CREATE INDEX IF NOT EXISTS idx_secrets_history_secret_id
+            ON secrets_history(secret_id);
         "#,
     )
     .execute(pool)
@@ -113,33 +121,31 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
     Ok(())
 }
 
-/// Snapshot parameters grouped to avoid too-many-arguments lint.
+// ── Entry-level history snapshot ────────────────────────────────────────────
-pub struct SnapshotParams<'a> {
+
-    pub secret_id: uuid::Uuid,
+pub struct EntrySnapshotParams<'a> {
+    pub entry_id: uuid::Uuid,
     pub namespace: &'a str,
     pub kind: &'a str,
     pub name: &'a str,
     pub version: i64,
     pub action: &'a str,
     pub tags: &'a [String],
-    pub metadata: &'a serde_json::Value,
+    pub metadata: &'a Value,
-    pub encrypted: &'a [u8],
 }
 
-/// Snapshot a secrets row into `secrets_history` before a write operation.
+/// Snapshot an entry row into `entries_history` before a write operation.
-/// `action` is one of "add", "update", "delete".
+pub async fn snapshot_entry_history(
-/// Failures are non-fatal (caller should warn).
-pub async fn snapshot_history(
     tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
-    p: SnapshotParams<'_>,
+    p: EntrySnapshotParams<'_>,
 ) -> Result<()> {
     let actor = std::env::var("USER").unwrap_or_default();
     sqlx::query(
-        "INSERT INTO secrets_history \
+        "INSERT INTO entries_history \
-         (secret_id, namespace, kind, name, version, action, tags, metadata, encrypted, actor) \
+         (entry_id, namespace, kind, name, version, action, tags, metadata, actor) \
-         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
     )
-    .bind(p.secret_id)
+    .bind(p.entry_id)
     .bind(p.namespace)
     .bind(p.kind)
     .bind(p.name)
@@ -147,15 +153,53 @@ pub async fn snapshot_history(
     .bind(p.action)
     .bind(p.tags)
     .bind(p.metadata)
-    .bind(p.encrypted)
     .bind(&actor)
     .execute(&mut **tx)
     .await?;
     Ok(())
 }
 
+// ── Secret field-level history snapshot ─────────────────────────────────────
+
+pub struct SecretSnapshotParams<'a> {
+    pub entry_id: uuid::Uuid,
+    pub secret_id: uuid::Uuid,
+    pub entry_version: i64,
+    pub field_name: &'a str,
+    pub field_type: &'a str,
+    pub value_len: i32,
+    pub encrypted: &'a [u8],
+    pub action: &'a str,
+}
+
+/// Snapshot a single secret field into `secrets_history`.
+pub async fn snapshot_secret_history(
+    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
+    p: SecretSnapshotParams<'_>,
+) -> Result<()> {
+    let actor = std::env::var("USER").unwrap_or_default();
+    sqlx::query(
+        "INSERT INTO secrets_history \
+         (entry_id, secret_id, entry_version, field_name, field_type, value_len, encrypted, action, actor) \
+         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+    )
+    .bind(p.entry_id)
+    .bind(p.secret_id)
+    .bind(p.entry_version)
+    .bind(p.field_name)
+    .bind(p.field_type)
+    .bind(p.value_len)
+    .bind(p.encrypted)
+    .bind(p.action)
+    .bind(&actor)
+    .execute(&mut **tx)
+    .await?;
+    Ok(())
+}
+
+// ── Argon2 salt helpers ──────────────────────────────────────────────────────
+
 /// Load the Argon2id salt from the database.
-/// Returns None if not yet initialized.
 pub async fn load_argon2_salt(pool: &PgPool) -> Result<Option<Vec<u8>>> {
     let row: Option<(Vec<u8>,)> =
         sqlx::query_as("SELECT value FROM kv_config WHERE key = 'argon2_salt'")

src/main.rs

@@ -126,7 +126,7 @@ EXAMPLES:
         /// Secret entry: key=value, key:=<json>, key=@file, or nested:path@file
         #[arg(long = "secret", short = 's')]
         secrets: Vec<String>,
-        /// Output format: text (default on TTY), json, json-compact, env
+        /// Output format: text (default on TTY), json, json-compact
         #[arg(short, long = "output")]
         output: Option<String>,
     },
@@ -135,7 +135,7 @@ EXAMPLES:
     ///
     /// Supports fuzzy search (-q), exact lookup (--name), field extraction (-f),
     /// summary view (--summary), pagination (--limit / --offset), and structured
-    /// output (-o json / json-compact / env). When stdout is not a TTY, output
+    /// output (-o json / json-compact). When stdout is not a TTY, output
     /// defaults to json-compact automatically.
     #[command(after_help = "EXAMPLES:
   # Discover all records (summary, safe default limit)
@@ -157,9 +157,6 @@ EXAMPLES:
   secrets search -n refining --kind service --name gitea \\
     -f metadata.url -f metadata.default_org
 
-  # Export metadata as env vars (single record only)
-  secrets search -n refining --kind service --name gitea -o env
-
   # Inject decrypted secrets only when needed
   secrets inject -n refining --kind service --name gitea
   secrets run -n refining --kind service --name gitea -- printenv
@@ -189,9 +186,6 @@ EXAMPLES:
         /// Fuzzy keyword (matches name, namespace, kind, tags, metadata text)
         #[arg(short, long)]
         query: Option<String>,
-        /// Deprecated: search never reveals secrets; use inject/run instead
-        #[arg(long)]
-        show_secrets: bool,
         /// Extract metadata field value(s) directly: metadata.<key> (repeatable)
         #[arg(short = 'f', long = "field")]
         fields: Vec<String>,
@@ -207,7 +201,7 @@ EXAMPLES:
         /// Sort order: name (default), updated, created
         #[arg(long, default_value = "name")]
         sort: String,
-        /// Output format: text (default on TTY), json, json-compact, env
+        /// Output format: text (default on TTY), json, json-compact
         #[arg(short, long = "output")]
         output: Option<String>,
     },
@@ -442,6 +436,83 @@ EXAMPLES:
         #[arg(long)]
         check: bool,
     },
+
+    /// Export records to a file (JSON, TOML, or YAML).
+    ///
+    /// Decrypts and exports all matched records. Requires master key unless --no-secrets is used.
+    #[command(after_help = "EXAMPLES:
+  # Export everything to JSON
+  secrets export --file backup.json
+
+  # Export a specific namespace to TOML
+  secrets export -n refining --file refining.toml
+
+  # Export a specific kind
+  secrets export -n refining --kind service --file services.yaml
+
+  # Export by tag
+  secrets export --tag production --file prod.json
+
+  # Export schema only (no decryption needed)
+  secrets export --no-secrets --file schema.json
+
+  # Print to stdout in YAML
+  secrets export -n refining --format yaml")]
+    Export {
+        /// Filter by namespace
+        #[arg(short, long)]
+        namespace: Option<String>,
+        /// Filter by kind, e.g. server, service
+        #[arg(long)]
+        kind: Option<String>,
+        /// Exact name filter
+        #[arg(long)]
+        name: Option<String>,
+        /// Filter by tag (repeatable)
+        #[arg(long)]
+        tag: Vec<String>,
+        /// Fuzzy keyword search
+        #[arg(short, long)]
+        query: Option<String>,
+        /// Output file path (format inferred from extension: .json / .toml / .yaml / .yml)
+        #[arg(long)]
+        file: Option<String>,
+        /// Explicit format: json, toml, or yaml (overrides file extension; required for stdout)
+        #[arg(long)]
+        format: Option<String>,
+        /// Omit secrets from output (no master key required)
+        #[arg(long)]
+        no_secrets: bool,
+    },
+
+    /// Import records from a file (JSON, TOML, or YAML).
+    ///
+    /// Reads an export file and inserts or updates entries. Requires master key to re-encrypt secrets.
+    #[command(after_help = "EXAMPLES:
+  # Import a JSON backup (conflict = error by default)
+  secrets import backup.json
+
+  # Import and overwrite existing records
+  secrets import --force refining.toml
+
+  # Preview what would be imported (no writes)
+  secrets import --dry-run backup.yaml
+
+  # JSON output for the import summary
+  secrets import backup.json -o json")]
+    Import {
+        /// Input file path (format inferred from extension: .json / .toml / .yaml / .yml)
+        file: String,
+        /// Overwrite existing records on conflict (default: error and abort)
+        #[arg(long)]
+        force: bool,
+        /// Preview operations without writing to the database
+        #[arg(long)]
+        dry_run: bool,
+        /// Output format: text (default on TTY), json, json-compact
+        #[arg(short, long = "output")]
+        output: Option<String>,
+    },
 }
 
 #[derive(Subcommand)]
@@ -531,7 +602,6 @@ async fn main() -> Result<()> {
             name,
             tag,
             query,
-            show_secrets,
             fields,
             summary,
             limit,
@@ -549,7 +619,6 @@ async fn main() -> Result<()> {
                     name: name.as_deref(),
                     tags: &tag,
                     query: query.as_deref(),
-                    show_secrets,
                     fields: &fields,
                     summary,
                     limit,
@@ -690,6 +759,61 @@ async fn main() -> Result<()> {
             )
             .await?;
         }
+
+        Commands::Export {
+            namespace,
+            kind,
+            name,
+            tag,
+            query,
+            file,
+            format,
+            no_secrets,
+        } => {
+            let master_key = if no_secrets {
+                None
+            } else {
+                Some(crypto::load_master_key()?)
+            };
+            let _span = tracing::info_span!("cmd", command = "export").entered();
+            commands::export_cmd::run(
+                &pool,
+                commands::export_cmd::ExportArgs {
+                    namespace: namespace.as_deref(),
+                    kind: kind.as_deref(),
+                    name: name.as_deref(),
+                    tags: &tag,
+                    query: query.as_deref(),
+                    file: file.as_deref(),
+                    format: format.as_deref(),
+                    no_secrets,
+                },
+                master_key.as_ref(),
+            )
+            .await?;
+        }
+
+        Commands::Import {
+            file,
+            force,
+            dry_run,
+            output,
+        } => {
+            let master_key = crypto::load_master_key()?;
+            let _span = tracing::info_span!("cmd", command = "import").entered();
+            let out = resolve_output_mode(output.as_deref())?;
+            commands::import_cmd::run(
+                &pool,
+                commands::import_cmd::ImportArgs {
+                    file: &file,
+                    force,
+                    dry_run,
+                    output: out,
+                },
+                &master_key,
+            )
+            .await?;
+        }
     }
 
     Ok(())

src/models.rs

@@ -1,20 +1,205 @@
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
+use std::collections::BTreeMap;
 use uuid::Uuid;
 
+/// A top-level entry (server, service, key, …).
+/// Sensitive fields are stored separately in `secrets`.
 #[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
-pub struct Secret {
+pub struct Entry {
     pub id: Uuid,
     pub namespace: String,
     pub kind: String,
     pub name: String,
     pub tags: Vec<String>,
     pub metadata: Value,
+    pub version: i64,
+    pub created_at: DateTime<Utc>,
+    pub updated_at: DateTime<Utc>,
+}
+
+/// A single encrypted field belonging to an Entry.
+/// field_name, field_type, and value_len are stored in plaintext so that
+/// `search` can show the schema without requiring the master key.
+#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
+pub struct SecretField {
+    pub id: Uuid,
+    pub entry_id: Uuid,
+    pub field_name: String,
+    /// Inferred type: "string", "number", "boolean", "json"
+    pub field_type: String,
+    /// Length of the plaintext value in characters (0 for binary-like PEM)
+    pub value_len: i32,
     /// AES-256-GCM ciphertext: nonce(12B) || ciphertext+tag
-    /// Decrypt with crypto::decrypt_json() before use.
     pub encrypted: Vec<u8>,
     pub version: i64,
     pub created_at: DateTime<Utc>,
     pub updated_at: DateTime<Utc>,
 }
+
+// ── Export / Import types ──────────────────────────────────────────────────────
+
+/// Supported file formats for export/import.
+#[derive(Debug, Clone, Copy, PartialEq)]
+pub enum ExportFormat {
+    Json,
+    Toml,
+    Yaml,
+}
+
+impl ExportFormat {
+    /// Infer format from file extension (.json / .toml / .yaml / .yml).
+    pub fn from_extension(path: &str) -> anyhow::Result<Self> {
+        let ext = path.rsplit('.').next().unwrap_or("").to_lowercase();
+        match ext.as_str() {
+            "json" => Ok(Self::Json),
+            "toml" => Ok(Self::Toml),
+            "yaml" | "yml" => Ok(Self::Yaml),
+            other => anyhow::bail!(
+                "Cannot infer format from extension '.{}'. Use --format json|toml|yaml",
+                other
+            ),
+        }
+    }
+
+    /// Parse from --format CLI value.
+    pub fn from_str(s: &str) -> anyhow::Result<Self> {
+        match s.to_lowercase().as_str() {
+            "json" => Ok(Self::Json),
+            "toml" => Ok(Self::Toml),
+            "yaml" | "yml" => Ok(Self::Yaml),
+            other => anyhow::bail!("Unknown format '{}'. Expected: json, toml, or yaml", other),
+        }
+    }
+
+    /// Serialize ExportData to a string in this format.
+    pub fn serialize(&self, data: &ExportData) -> anyhow::Result<String> {
+        match self {
+            Self::Json => Ok(serde_json::to_string_pretty(data)?),
+            Self::Toml => {
+                let toml_val = json_to_toml_value(&serde_json::to_value(data)?)?;
+                toml::to_string_pretty(&toml_val)
+                    .map_err(|e| anyhow::anyhow!("TOML serialization failed: {}", e))
+            }
+            Self::Yaml => serde_yaml::to_string(data)
+                .map_err(|e| anyhow::anyhow!("YAML serialization failed: {}", e)),
+        }
+    }
+
+    /// Deserialize ExportData from a string in this format.
+    pub fn deserialize(&self, content: &str) -> anyhow::Result<ExportData> {
+        match self {
+            Self::Json => Ok(serde_json::from_str(content)?),
+            Self::Toml => {
+                let toml_val: toml::Value = toml::from_str(content)
+                    .map_err(|e| anyhow::anyhow!("TOML parse error: {}", e))?;
+                let json_val = toml_to_json_value(&toml_val);
+                Ok(serde_json::from_value(json_val)?)
+            }
+            Self::Yaml => serde_yaml::from_str(content)
+                .map_err(|e| anyhow::anyhow!("YAML parse error: {}", e)),
+        }
+    }
+}
+
+/// Top-level structure for export/import files.
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ExportData {
+    pub version: u32,
+    pub exported_at: String,
+    pub entries: Vec<ExportEntry>,
+}
+
+/// A single entry with decrypted secrets for export/import.
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ExportEntry {
+    pub namespace: String,
+    pub kind: String,
+    pub name: String,
+    #[serde(default)]
+    pub tags: Vec<String>,
+    #[serde(default)]
+    pub metadata: Value,
+    /// Decrypted secret fields. None means no secrets in this export (--no-secrets).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub secrets: Option<BTreeMap<String, Value>>,
+}
+
+// ── TOML ↔ JSON value conversion ──────────────────────────────────────────────
+
+/// Convert a serde_json Value to a toml Value.
+/// `null` values are filtered out (TOML does not support null).
+/// Mixed-type arrays are serialised as JSON strings.
+pub fn json_to_toml_value(v: &Value) -> anyhow::Result<toml::Value> {
+    match v {
+        Value::Null => anyhow::bail!("TOML does not support null values"),
+        Value::Bool(b) => Ok(toml::Value::Boolean(*b)),
+        Value::Number(n) => {
+            if let Some(i) = n.as_i64() {
+                Ok(toml::Value::Integer(i))
+            } else if let Some(f) = n.as_f64() {
+                Ok(toml::Value::Float(f))
+            } else {
+                anyhow::bail!("unsupported number: {}", n)
+            }
+        }
+        Value::String(s) => Ok(toml::Value::String(s.clone())),
+        Value::Array(arr) => {
+            // Check for uniform scalar type (TOML requires homogeneous arrays at the value level,
+            // though arrays of tables are handled separately via TOML's [[table]] syntax).
+            // For simplicity we convert each element; if types are mixed, toml crate will
+            // handle it gracefully or we fall back to a JSON string.
+            let items: anyhow::Result<Vec<toml::Value>> =
+                arr.iter().map(json_to_toml_value).collect();
+            match items {
+                Ok(vals) => Ok(toml::Value::Array(vals)),
+                Err(_) => {
+                    // Fallback: serialise as JSON string
+                    Ok(toml::Value::String(serde_json::to_string(v)?))
+                }
+            }
+        }
+        Value::Object(map) => {
+            let mut toml_map = toml::map::Map::new();
+            for (k, val) in map {
+                if val.is_null() {
+                    // Skip null entries
+                    continue;
+                }
+                match json_to_toml_value(val) {
+                    Ok(tv) => {
+                        toml_map.insert(k.clone(), tv);
+                    }
+                    Err(_) => {
+                        // Fallback: serialise as JSON string
+                        toml_map
+                            .insert(k.clone(), toml::Value::String(serde_json::to_string(val)?));
+                    }
+                }
+            }
+            Ok(toml::Value::Table(toml_map))
+        }
+    }
+}
+
+/// Convert a toml Value back to a serde_json Value.
+pub fn toml_to_json_value(v: &toml::Value) -> Value {
+    match v {
+        toml::Value::Boolean(b) => Value::Bool(*b),
+        toml::Value::Integer(i) => Value::Number((*i).into()),
+        toml::Value::Float(f) => serde_json::Number::from_f64(*f)
+            .map(Value::Number)
+            .unwrap_or(Value::Null),
+        toml::Value::String(s) => Value::String(s.clone()),
+        toml::Value::Datetime(dt) => Value::String(dt.to_string()),
+        toml::Value::Array(arr) => Value::Array(arr.iter().map(toml_to_json_value).collect()),
+        toml::Value::Table(map) => {
+            let obj: serde_json::Map<String, Value> = map
+                .iter()
+                .map(|(k, v)| (k.clone(), toml_to_json_value(v)))
+                .collect();
+            Value::Object(obj)
+        }
+    }
+}

src/output.rs

@@ -12,8 +12,6 @@ pub enum OutputMode {
     Json,
     /// Single-line JSON (default when stdout is NOT a TTY, e.g. piped to jq)
     JsonCompact,
-    /// KEY=VALUE pairs suitable for `source` or `.env` files
-    Env,
 }
 
 impl FromStr for OutputMode {
@@ -24,9 +22,8 @@ impl FromStr for OutputMode {
             "text" => Ok(Self::Text),
             "json" => Ok(Self::Json),
             "json-compact" => Ok(Self::JsonCompact),
-            "env" => Ok(Self::Env),
             other => Err(anyhow::anyhow!(
-                "Unknown output format '{}'. Valid: text, json, json-compact, env",
+                "Unknown output format '{}'. Valid: text, json, json-compact",
                 other
             )),
         }