docs: README 补充 delete 批量删除与 --dry-run 示例

Made-with: Cursor

.gitea/workflows/secrets.yml

@@ -17,6 +17,7 @@ permissions:
 
 env:
   BINARY_NAME: secrets
+  SECRETS_UPGRADE_URL: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/latest
   CARGO_INCREMENTAL: 0
   CARGO_NET_RETRY: 10
   CARGO_TERM_COLOR: always

.vscode/tasks.json

@@ -142,7 +142,7 @@
     {
       "label": "test: add with file secret",
       "type": "shell",
-      "command": "echo '--- add key from file ---' && ./target/debug/secrets add -n test --kind key --name test-key --tag test -s content=@./refining/keys/Vultr && echo '--- verify metadata ---' && ./target/debug/secrets search -n test --kind key && echo '--- verify inject ---' && ./target/debug/secrets inject -n test --kind key --name test-key && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind key --name test-key",
+      "command": "echo '--- add key from file ---' && ./target/debug/secrets add -n test --kind key --name test-key --tag test -s content=@./test-fixtures/example-key.pem && echo '--- verify metadata ---' && ./target/debug/secrets search -n test --kind key && echo '--- verify inject ---' && ./target/debug/secrets inject -n test --kind key --name test-key && echo '--- cleanup ---' && ./target/debug/secrets delete -n test --kind key --name test-key",
       "dependsOn": "build"
     }
   ]

AGENTS.md

@@ -145,9 +145,9 @@ secrets_history (
 |------|--------|------|
 | `namespace` | 项目/团队隔离 | `refining`, `ricnsmart` |
 | `kind` | 记录类型 | `server`, `service`, `key` |
-| `name` | 唯一标识名 | `i-uf63f2uookgs5uxmrdyc`, `gitea` |
+| `name` | 唯一标识名 | `i-example0abcd1234efgh`, `gitea` |
 | `tags` | 多维分类标签 | `["aliyun","hongkong","ricn"]` |
-| `metadata` | 明文非敏感信息 | `{"ip":"47.243.154.187","desc":"Grafana","key_ref":"ricn-hk-260127"}` |
+| `metadata` | 明文非敏感信息 | `{"ip":"192.0.2.1","desc":"Grafana","key_ref":"my-shared-key"}` |
 | `secrets.field_name` | 加密字段名（明文） | `"username"`, `"token"`, `"ssh_key"` |
 | `secrets.field_type` | 值类型（明文） | `"string"`, `"number"`, `"boolean"`, `"json"` |
 | `secrets.value_len` | 原始值字符数（明文） | `4`（root），`40`（token），`4096`（PEM） |
@@ -159,17 +159,17 @@ secrets_history (
 
 ```bash
 # 1. 存共享 PEM
-secrets add -n refining --kind key --name ricn-hk-260127 \
+secrets add -n refining --kind key --name my-shared-key \
   --tag aliyun --tag hongkong \
-  -s content=@./keys/ricn-hk-260127.pem
+  -s content=@./keys/my-shared-key.pem
 
 # 2. 服务器通过 metadata.key_ref 引用（inject/run 时自动合并 key 的 secrets）
-secrets add -n refining --kind server --name i-j6c39dmtkr26vztii0ox \
-  -m ip=47.243.154.187 -m key_ref=ricn-hk-260127 \
+secrets add -n refining --kind server --name i-example0xyz789 \
+  -m ip=192.0.2.1 -m key_ref=my-shared-key \
   -s username=ecs-user
 
 # 3. 轮换只需更新 key 记录，所有引用服务器自动生效
-secrets update -n refining --kind key --name ricn-hk-260127 \
+secrets update -n refining --kind key --name my-shared-key \
   -s content=@./keys/new-key.pem
 ```
 
@@ -231,7 +231,7 @@ secrets init
 # 参数说明（带典型值）
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
-#   --name             gitea | i-uf63f2uookgs5uxmrdyc | mqtt
+#   --name             gitea | i-example0abcd1234efgh | mqtt
 #   --tag              aliyun | hongkong | production
 #   -q / --query       mqtt | grafana | gitea   （模糊匹配 name/namespace/kind/tags/metadata）
 #   secrets schema  search 默认展示 secrets 字段名、类型与长度（无需 master_key）
@@ -249,7 +249,7 @@ secrets search --sort updated --limit 10 --summary
 
 # 精确定位单条记录
 secrets search -n refining --kind service --name gitea
-secrets search -n refining --kind server --name i-uf63f2uookgs5uxmrdyc
+secrets search -n refining --kind server --name i-example0abcd1234efgh
 
 # 精确定位并获取完整内容（secrets 保持加密占位）
 secrets search -n refining --kind service --name gitea -o json
@@ -266,7 +266,7 @@ secrets run -n refining --kind service --name gitea -- printenv
 # 模糊关键词搜索
 secrets search -q mqtt
 secrets search -q grafana
-secrets search -q 47.117
+secrets search -q 192.0.2
 
 # 按条件过滤
 secrets search -n refining --kind service
@@ -290,31 +290,31 @@ secrets search -n refining --kind service | jq '.[].name'
 # 参数说明（带典型值）
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
-#   --name             gitea | i-uf63f2uookgs5uxmrdyc
+#   --name             gitea | i-example0abcd1234efgh
 #   --tag              aliyun | hongkong（可重复）
-#   -m / --meta        ip=47.117.131.22 | desc="Aliyun ECS" | url=https://... | tls:cert@./cert.pem（可重复）
+#   -m / --meta        ip=10.0.0.1 | desc="ECS" | url=https://... | tls:cert@./cert.pem（可重复）
 #   -s / --secret      token=<value> | ssh_key=@./key.pem | password=secret123 | credentials:content@./key.pem（可重复）
 
 # 添加服务器
-secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
+secrets add -n refining --kind server --name i-example0abcd1234efgh \
   --tag aliyun --tag shanghai \
-  -m ip=47.117.131.22 -m desc="Aliyun Shanghai ECS" \
-  -s username=root -s ssh_key=@./keys/voson_shanghai_e.pem
+  -m ip=10.0.0.1 -m desc="Aliyun Shanghai ECS" \
+  -s username=root -s ssh_key=@./keys/deploy-key.pem
 
 # 添加服务凭据
 secrets add -n refining --kind service --name gitea \
   --tag gitea \
-  -m url=https://gitea.refining.dev -m default_org=refining -m username=voson \
+  -m url=https://code.example.com -m default_org=refining -m username=voson \
   -s token=<token> -s runner_token=<runner_token>
 
 # 从文件读取 token
 secrets add -n ricnsmart --kind service --name mqtt \
-  -m host=mqtt.ricnsmart.com -m port=1883 \
+  -m host=mqtt.example.com -m port=1883 \
   -s password=@./mqtt_password.txt
 
 # 多行文件直接写入嵌套 secret 字段
-secrets add -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
-  -s credentials:content@./keys/voson_shanghai_e.pem
+secrets add -n refining --kind server --name i-example0abcd1234efgh \
+  -s credentials:content@./keys/deploy-key.pem
 
 # 使用类型化值（key:=<json>）存储非字符串类型
 secrets add -n refining --kind service --name prometheus \
@@ -334,7 +334,7 @@ secrets add -n refining --kind service --name prometheus \
 # 参数说明（带典型值）
 #   -n / --namespace   refining | ricnsmart
 #   --kind             server | service
-#   --name             gitea | i-uf63f2uookgs5uxmrdyc
+#   --name             gitea | i-example0abcd1234efgh
 #   --add-tag          production | backup（不影响已有 tag，可重复）
 #   --remove-tag       staging | deprecated（可重复）
 #   -m / --meta        ip=10.0.0.1 | desc="新描述" | credentials:username=root（新增或覆盖，可重复）
@@ -343,7 +343,7 @@ secrets add -n refining --kind service --name prometheus \
 #   --remove-secret    old_password | deprecated_key | credentials:content（删除 secret 字段，可重复）
 
 # 更新单个 metadata 字段
-secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
+secrets update -n refining --kind server --name i-example0abcd1234efgh \
   -m ip=10.0.0.1
 
 # 轮换 token
@@ -360,11 +360,11 @@ secrets update -n refining --kind service --name mqtt \
   --remove-meta old_port --remove-secret old_password
 
 # 从文件更新嵌套 secret 字段
-secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
-  -s credentials:content@./keys/voson_shanghai_e.pem
+secrets update -n refining --kind server --name i-example0abcd1234efgh \
+  -s credentials:content@./keys/deploy-key.pem
 
 # 删除嵌套字段
-secrets update -n refining --kind server --name i-uf63f2uookgs5uxmrdyc \
+secrets update -n refining --kind server --name i-example0abcd1234efgh \
   --remove-secret credentials:content
 
 # 移除 tag
@@ -373,19 +373,34 @@ secrets update -n refining --kind service --name gitea --remove-tag staging
 
 ---
 
-### delete — 删除记录
+### delete — 删除记录（支持单条精确删除与批量删除）
+
+删除时会自动将 entry 与所有关联 secret 字段快照到历史表，并写入审计日志，可通过 `rollback` 命令恢复。
 
 ```bash
 # 参数说明（带典型值）
-#   -n / --namespace   refining | ricnsmart
-#   --kind             server | service
-#   --name             gitea | i-uf63f2uookgs5uxmrdyc（必须精确匹配）
+#   -n / --namespace   refining | ricnsmart（必填）
+#   --kind             server | service（指定 --name 时必填；批量时可选）
+#   --name             gitea | i-example0abcd1234efgh（精确匹配；省略则批量删除）
+#   --dry-run          预览将删除的记录，不实际写入（仅批量模式有效）
+#   -o / --output      text | json | json-compact
 
-# 删除服务凭据
+# 精确删除单条记录（--kind 必填）
 secrets delete -n refining --kind service --name legacy-mqtt
-
-# 删除服务器记录
 secrets delete -n ricnsmart --kind server --name i-old-server-id
+
+# 预览批量删除（不写入数据库）
+secrets delete -n refining --dry-run
+secrets delete -n ricnsmart --kind server --dry-run
+
+# 批量删除整个 namespace 的所有记录
+secrets delete -n ricnsmart
+
+# 批量删除 namespace 下指定 kind 的所有记录
+secrets delete -n ricnsmart --kind server
+
+# JSON 输出
+secrets delete -n refining --kind service -o json
 ```
 
 ---
@@ -484,7 +499,9 @@ secrets run -n refining --kind service --name gitea -- printenv
 
 ### upgrade — 自动更新 CLI 二进制
 
-从 Gitea Release 下载最新版本，校验对应 `.sha256` 摘要后替换当前二进制，无需数据库连接或主密钥。
+从 Release 服务器下载最新版本，校验对应 `.sha256` 摘要后替换当前二进制，无需数据库连接或主密钥。
+
+**配置方式**：`SECRETS_UPGRADE_URL` 必填。优先用**构建时**：`SECRETS_UPGRADE_URL=https://... cargo build`，CI 已自动注入。或**运行时**：写在 `.env` 或 `export` 后执行。
 
 ```bash
 # 检查是否有新版本（不下载）
@@ -504,7 +521,7 @@ secrets upgrade
 # 参数说明
 # -n / --namespace refining | ricnsmart
 # --kind server | service
-# --name gitea | i-uf63f2uookgs5uxmrdyc
+# --name gitea | i-example0abcd1234efgh
 # --tag aliyun | production（可重复）
 # -q / --query 模糊关键词
 # --file <path>   输出文件路径，格式由扩展名推断（.json / .toml / .yaml / .yml）
@@ -664,5 +681,6 @@ cargo fmt -- --check && cargo clippy -- -D warnings && cargo test
 |------|------|
 | `RUST_LOG` | 日志级别，如 `secrets=debug`、`secrets=trace`（默认 warn） |
 | `USER` | 审计日志 actor 字段来源，Shell 自动设置，通常无需手动配置 |
+| `SECRETS_UPGRADE_URL` | upgrade 的 Release API 地址。构建时（cargo build）或运行时（.env/export） |
 
 数据库连接通过 `secrets config set-db` 持久化到 `~/.config/secrets/config.toml`，不支持环境变量。

Cargo.lock

@@ -1836,7 +1836,7 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
 [[package]]
 name = "secrets"
-version = "0.9.1"
+version = "0.9.3"
 dependencies = [
  "aes-gcm",
  "anyhow",
@@ -1844,6 +1844,7 @@ dependencies = [
  "chrono",
  "clap",
  "dirs",
+ "dotenvy",
  "flate2",
  "keyring",
  "rand 0.10.0",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "secrets"
-version = "0.9.1"
+version = "0.9.3"
 edition = "2024"
 
 [dependencies]
@@ -10,6 +10,7 @@ argon2 = { version = "^0.5.3", features = ["std"] }
 chrono = { version = "^0.4.44", features = ["serde"] }
 clap = { version = "^4.6.0", features = ["derive"] }
 dirs = "^6.0.0"
+dotenvy = "^0.15"
 flate2 = "^1.1.9"
 keyring = { version = "^3.6.3", features = ["apple-native", "windows-native", "linux-native"] }
 rand = "^0.10.0"

README.md

@@ -120,7 +120,7 @@ secrets search -n refining --summary --limit 10 --offset 10  # 翻页
 # ── add ──────────────────────────────────────────────────────────────────────
 secrets add -n refining --kind server --name my-server \
   --tag aliyun --tag shanghai \
-  -m ip=47.117.131.22 -m desc="Aliyun Shanghai ECS" \
+  -m ip=10.0.0.1 -m desc="Example ECS" \
   -s username=root -s ssh_key=@./keys/server.pem
 
 # 多行文件直接写入嵌套 secret 字段
@@ -136,7 +136,7 @@ secrets add -n refining --kind service --name deploy-bot \
 
 secrets add -n refining --kind service --name gitea \
   --tag gitea \
-  -m url=https://gitea.refining.dev -m default_org=refining \
+  -m url=https://code.example.com -m default_org=myorg \
   -s token=<token>
 
 # ── update ───────────────────────────────────────────────────────────────────
@@ -146,7 +146,10 @@ secrets update -n refining --kind service --name mqtt --remove-meta old_port --r
 secrets update -n refining --kind server --name my-server --remove-secret credentials:content
 
 # ── delete ───────────────────────────────────────────────────────────────────
-secrets delete -n refining --kind service --name legacy-mqtt
+secrets delete -n refining --kind service --name legacy-mqtt   # 精确删除单条（--kind 必填）
+secrets delete -n refining --dry-run                          # 预览批量删除（不写入）
+secrets delete -n ricnsmart                                    # 批量删除整个 namespace
+secrets delete -n ricnsmart --kind server                      # 批量删除指定 kind
 
 # ── init ─────────────────────────────────────────────────────────────────────
 secrets init              # 主密钥初始化（每台设备一次，主密码至少 8 位，派生后存钥匙串）
@@ -158,7 +161,7 @@ secrets config path    # 打印配置文件路径
 
 # ── upgrade ──────────────────────────────────────────────────────────────────
 secrets upgrade --check   # 仅检查是否有新版本
-secrets upgrade           # 下载、校验 SHA-256 并安装最新版（从 Gitea Release）
+secrets upgrade           # 下载、校验 SHA-256 并安装最新版（可通过 SECRETS_UPGRADE_URL 自托管）
 
 # ── export ────────────────────────────────────────────────────────────────────
 secrets export --file backup.json                        # 全量导出到 JSON
@@ -203,12 +206,12 @@ RUST_LOG=secrets=trace secrets search
 
 | 目标值 | 写法示例 | 实际存入 |
 |------|------|------|
-| 普通字符串 | `-m url=https://gitea.refining.dev` | `"https://gitea.refining.dev"` |
+| 普通字符串 | `-m url=https://code.example.com` | `"https://code.example.com"` |
 | 文件内容字符串 | `-m notes=@./service-notes.txt` | `"..."` |
 | 布尔值 | `-m enabled:=true` | `true` |
 | 数字 | `-m port:=3000` | `3000` |
 | `null` | `-m deprecated_at:=null` | `null` |
-| 数组 | `-m domains:='["gitea.refining.dev","git.refining.dev"]'` | `["gitea.refining.dev","git.refining.dev"]` |
+| 数组 | `-m domains:='["code.example.com","git.example.com"]'` | `["code.example.com","git.example.com"]` |
 | 对象 | `-m tls:='{"enabled":true,"redirect_http":true}'` | `{"enabled":true,"redirect_http":true}` |
 | 嵌套路径 + JSON | `-m deploy:strategy:='{"type":"rolling","batch":2}'` | `{"deploy":{"strategy":{"type":"rolling","batch":2}}}` |
 
@@ -223,10 +226,10 @@ RUST_LOG=secrets=trace secrets search
 
 ```bash
 secrets add -n refining --kind service --name gitea \
-  -m url=https://gitea.refining.dev \
+  -m url=https://code.example.com \
   -m port:=3000 \
   -m enabled:=true \
-  -m domains:='["gitea.refining.dev","git.refining.dev"]' \
+  -m domains:='["code.example.com","git.example.com"]' \
   -m tls:='{"enabled":true,"redirect_http":true}'
 ```
 

src/commands/delete.rs

@@ -1,6 +1,7 @@
 use anyhow::Result;
 use serde_json::json;
 use sqlx::PgPool;
+use uuid::Uuid;
 
 use crate::db;
 use crate::models::{EntryRow, SecretFieldRow};
@@ -8,13 +9,50 @@ use crate::output::{OutputMode, print_json};
 
 pub struct DeleteArgs<'a> {
     pub namespace: &'a str,
-    pub kind: &'a str,
-    pub name: &'a str,
+    /// Kind filter. Required when --name is given; optional for bulk deletes.
+    pub kind: Option<&'a str>,
+    /// Exact record name. When None, bulk-delete all matching records.
+    pub name: Option<&'a str>,
+    /// Preview without writing to the database (bulk mode only).
+    pub dry_run: bool,
     pub output: OutputMode,
 }
 
+// ── Internal row type used for bulk queries ────────────────────────────────
+
+#[derive(Debug, sqlx::FromRow)]
+struct FullEntryRow {
+    pub id: Uuid,
+    pub version: i64,
+    pub kind: String,
+    pub name: String,
+    pub metadata: serde_json::Value,
+    pub tags: Vec<String>,
+}
+
+// ── Entry point ────────────────────────────────────────────────────────────
+
 pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
-    let (namespace, kind, name) = (args.namespace, args.kind, args.name);
+    match args.name {
+        Some(name) => {
+            let kind = args
+                .kind
+                .ok_or_else(|| anyhow::anyhow!("--kind is required when --name is specified"))?;
+            delete_one(pool, args.namespace, kind, name, args.output).await
+        }
+        None => delete_bulk(pool, args.namespace, args.kind, args.dry_run, args.output).await,
+    }
+}
+
+// ── Single-record delete (original behaviour) ─────────────────────────────
+
+async fn delete_one(
+    pool: &PgPool,
+    namespace: &str,
+    kind: &str,
+    name: &str,
+    output: OutputMode,
+) -> Result<()> {
     tracing::debug!(namespace, kind, name, "deleting entry");
 
     let mut tx = pool.begin().await?;
@@ -34,16 +72,174 @@ pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
         tx.rollback().await?;
         tracing::warn!(namespace, kind, name, "entry not found for deletion");
         let v = json!({"action":"not_found","namespace":namespace,"kind":kind,"name":name});
-        match args.output {
+        match output {
             OutputMode::Text => println!("Not found: [{}/{}] {}", namespace, kind, name),
             ref mode => print_json(&v, mode)?,
         }
         return Ok(());
     };
 
-    // Snapshot entry history before deleting.
+    snapshot_and_delete(&mut tx, namespace, kind, name, &row).await?;
+
+    crate::audit::log_tx(&mut tx, "delete", namespace, kind, name, json!({})).await;
+    tx.commit().await?;
+
+    let v = json!({"action":"deleted","namespace":namespace,"kind":kind,"name":name});
+    match output {
+        OutputMode::Text => println!("Deleted: [{}/{}] {}", namespace, kind, name),
+        ref mode => print_json(&v, mode)?,
+    }
+    Ok(())
+}
+
+// ── Bulk delete by namespace (+ optional kind filter) ─────────────────────
+
+async fn delete_bulk(
+    pool: &PgPool,
+    namespace: &str,
+    kind: Option<&str>,
+    dry_run: bool,
+    output: OutputMode,
+) -> Result<()> {
+    tracing::debug!(namespace, ?kind, dry_run, "bulk-deleting entries");
+
+    let rows: Vec<FullEntryRow> = if let Some(k) = kind {
+        sqlx::query_as(
+            "SELECT id, version, kind, name, metadata, tags FROM entries \
+             WHERE namespace = $1 AND kind = $2 \
+             ORDER BY name",
+        )
+        .bind(namespace)
+        .bind(k)
+        .fetch_all(pool)
+        .await?
+    } else {
+        sqlx::query_as(
+            "SELECT id, version, kind, name, metadata, tags FROM entries \
+             WHERE namespace = $1 \
+             ORDER BY kind, name",
+        )
+        .bind(namespace)
+        .fetch_all(pool)
+        .await?
+    };
+
+    if rows.is_empty() {
+        let v = json!({
+            "action": "noop",
+            "namespace": namespace,
+            "kind": kind,
+            "deleted": 0,
+            "dry_run": dry_run
+        });
+        match output {
+            OutputMode::Text => println!(
+                "No records found in namespace \"{}\"{}.",
+                namespace,
+                kind.map(|k| format!(" with kind \"{}\"", k))
+                    .unwrap_or_default()
+            ),
+            ref mode => print_json(&v, mode)?,
+        }
+        return Ok(());
+    }
+
+    if dry_run {
+        let count = rows.len();
+        match output {
+            OutputMode::Text => {
+                println!(
+                    "dry-run: would delete {} record(s) in namespace \"{}\":",
+                    count, namespace
+                );
+                for r in &rows {
+                    println!("  [{}/{}] {}", namespace, r.kind, r.name);
+                }
+            }
+            ref mode => {
+                let items: Vec<_> = rows
+                    .iter()
+                    .map(|r| json!({"namespace": namespace, "kind": r.kind, "name": r.name}))
+                    .collect();
+                print_json(
+                    &json!({
+                        "action": "dry_run",
+                        "namespace": namespace,
+                        "kind": kind,
+                        "would_delete": count,
+                        "entries": items
+                    }),
+                    mode,
+                )?;
+            }
+        }
+        return Ok(());
+    }
+
+    let mut deleted = Vec::with_capacity(rows.len());
+
+    for row in &rows {
+        let entry_row = EntryRow {
+            id: row.id,
+            version: row.version,
+            tags: row.tags.clone(),
+            metadata: row.metadata.clone(),
+        };
+        let mut tx = pool.begin().await?;
+        snapshot_and_delete(&mut tx, namespace, &row.kind, &row.name, &entry_row).await?;
+        crate::audit::log_tx(
+            &mut tx,
+            "delete",
+            namespace,
+            &row.kind,
+            &row.name,
+            json!({"bulk": true}),
+        )
+        .await;
+        tx.commit().await?;
+
+        deleted.push(json!({"namespace": namespace, "kind": row.kind, "name": row.name}));
+        tracing::info!(namespace, kind = %row.kind, name = %row.name, "bulk deleted");
+    }
+
+    let count = deleted.len();
+    match output {
+        OutputMode::Text => {
+            for item in &deleted {
+                println!(
+                    "Deleted: [{}/{}] {}",
+                    item["namespace"].as_str().unwrap_or(""),
+                    item["kind"].as_str().unwrap_or(""),
+                    item["name"].as_str().unwrap_or("")
+                );
+            }
+            println!("Total: {} record(s) deleted.", count);
+        }
+        ref mode => print_json(
+            &json!({
+                "action": "deleted",
+                "namespace": namespace,
+                "kind": kind,
+                "deleted": count,
+                "entries": deleted
+            }),
+            mode,
+        )?,
+    }
+    Ok(())
+}
+
+// ── Shared helper: snapshot history then DELETE ────────────────────────────
+
+async fn snapshot_and_delete(
+    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
+    namespace: &str,
+    kind: &str,
+    name: &str,
+    row: &EntryRow,
+) -> Result<()> {
     if let Err(e) = db::snapshot_entry_history(
-        &mut tx,
+        tx,
         db::EntrySnapshotParams {
             entry_id: row.id,
             namespace,
@@ -60,18 +256,17 @@ pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
         tracing::warn!(error = %e, "failed to snapshot entry history before delete");
     }
 
-    // Snapshot all secret fields before cascade delete.
     let fields: Vec<SecretFieldRow> = sqlx::query_as(
         "SELECT id, field_name, field_type, value_len, encrypted \
          FROM secrets WHERE entry_id = $1",
     )
     .bind(row.id)
-    .fetch_all(&mut *tx)
+    .fetch_all(&mut **tx)
     .await?;
 
     for f in &fields {
         if let Err(e) = db::snapshot_secret_history(
-            &mut tx,
+            tx,
             db::SecretSnapshotParams {
                 entry_id: row.id,
                 secret_id: f.id,
@@ -85,25 +280,14 @@ pub async fn run(pool: &PgPool, args: DeleteArgs<'_>) -> Result<()> {
         )
         .await
         {
-            tracing::warn!(error = %e, "failed to snapshot secret field history before delete");
+            tracing::warn!(error = %e, "failed to snapshot secret history before delete");
         }
     }
 
-    // Delete the entry — secrets rows are removed via ON DELETE CASCADE.
     sqlx::query("DELETE FROM entries WHERE id = $1")
         .bind(row.id)
-        .execute(&mut *tx)
+        .execute(&mut **tx)
         .await?;
 
-    crate::audit::log_tx(&mut tx, "delete", namespace, kind, name, json!({})).await;
-
-    tx.commit().await?;
-
-    let v = json!({"action":"deleted","namespace":namespace,"kind":kind,"name":name});
-    match args.output {
-        OutputMode::Text => println!("Deleted: [{}/{}] {}", namespace, kind, name),
-        ref mode => print_json(&v, mode)?,
-    }
-
     Ok(())
 }

src/commands/search.rs

@@ -542,7 +542,7 @@ mod tests {
             kind: "service".to_string(),
             name: "gitea.main".to_string(),
             tags: vec!["prod".to_string()],
-            metadata: json!({"url": "https://gitea.refining.dev", "enabled": true}),
+            metadata: json!({"url": "https://code.example.com", "enabled": true}),
             version: 1,
             created_at: Utc::now(),
             updated_at: Utc::now(),
@@ -579,7 +579,7 @@ mod tests {
 
         assert_eq!(
             map.get("GITEA_MAIN_URL").map(String::as_str),
-            Some("https://gitea.refining.dev")
+            Some("https://code.example.com")
         );
         assert_eq!(
             map.get("GITEA_MAIN_ENABLED").map(String::as_str),

src/commands/upgrade.rs

@@ -5,10 +5,26 @@ use sha2::{Digest, Sha256};
 use std::io::{Cursor, Read, Write};
 use std::time::Duration;
 
-const GITEA_API: &str = "https://gitea.refining.dev/api/v1/repos/refining/secrets/releases/latest";
-
 const CURRENT_VERSION: &str = env!("CARGO_PKG_VERSION");
 
+/// Build-time config via `option_env!("SECRETS_UPGRADE_URL")`. Set during `cargo build`, e.g.:
+///   SECRETS_UPGRADE_URL=https://... cargo build --release
+const BUILD_UPGRADE_URL: Option<&'static str> = option_env!("SECRETS_UPGRADE_URL");
+
+fn upgrade_api_url() -> Result<String> {
+    if let Some(url) = BUILD_UPGRADE_URL.filter(|s| !s.trim().is_empty()) {
+        return Ok(url.to_string());
+    }
+    let url = std::env::var("SECRETS_UPGRADE_URL").context(
+        "SECRETS_UPGRADE_URL is not set at build or runtime. Set it when building: \
+         SECRETS_UPGRADE_URL=https://... cargo build, or export before running secrets upgrade.",
+    )?;
+    if url.trim().is_empty() {
+        anyhow::bail!("SECRETS_UPGRADE_URL is empty.");
+    }
+    Ok(url)
+}
+
 #[derive(Debug, Deserialize)]
 struct Release {
     tag_name: String,
@@ -186,13 +202,14 @@ pub async fn run(check_only: bool) -> Result<()> {
         .build()
         .context("failed to build HTTP client")?;
 
+    let api_url = upgrade_api_url()?;
     let release: Release = client
-        .get(GITEA_API)
+        .get(&api_url)
         .send()
         .await
-        .context("failed to fetch release info from Gitea")?
+        .context("failed to fetch release info")?
         .error_for_status()
-        .context("Gitea API returned an error")?
+        .context("release API returned an error")?
         .json()
         .await
         .context("failed to parse release JSON")?;

src/main.rs

@@ -7,6 +7,11 @@ mod models;
 mod output;
 
 use anyhow::Result;
+
+/// Load .env from current or parent directories (best-effort, no error if missing).
+fn load_dotenv() {
+    let _ = dotenvy::dotenv();
+}
 use clap::{Parser, Subcommand};
 use tracing_subscriber::EnvFilter;
 
@@ -76,25 +81,25 @@ EXAMPLES:
   # Add a server
   secrets add -n refining --kind server --name my-server \\
     --tag aliyun --tag shanghai \\
-    -m ip=47.117.131.22 -m desc=\"Aliyun Shanghai ECS\" \\
+    -m ip=10.0.0.1 -m desc=\"Example ECS\" \\
     -s username=root -s ssh_key=@./keys/server.pem
 
   # Add a service credential
   secrets add -n refining --kind service --name gitea \\
     --tag gitea \\
-    -m url=https://gitea.refining.dev -m default_org=refining \\
+    -m url=https://code.example.com -m default_org=myorg \\
     -s token=<token>
 
   # Add typed JSON metadata
   secrets add -n refining --kind service --name gitea \\
     -m port:=3000 \\
     -m enabled:=true \\
-    -m domains:='[\"gitea.refining.dev\",\"git.refining.dev\"]' \\
+    -m domains:='[\"code.example.com\",\"git.example.com\"]' \\
     -m tls:='{\"enabled\":true,\"redirect_http\":true}'
 
   # Add with token read from a file
   secrets add -n ricnsmart --kind service --name mqtt \\
-    -m host=mqtt.ricnsmart.com -m port=1883 \\
+    -m host=mqtt.example.com -m port=1883 \\
     -s password=@./mqtt_password.txt
 
   # Add typed JSON secrets
@@ -114,7 +119,7 @@ EXAMPLES:
         /// Kind of record: server, service, key, ...
         #[arg(long)]
         kind: String,
-        /// Human-readable unique name, e.g. gitea, i-uf63f2uookgs5uxmrdyc
+        /// Human-readable unique name, e.g. gitea, i-example0abcd1234efgh
         #[arg(long)]
         name: String,
         /// Tag for categorization (repeatable), e.g. --tag aliyun --tag hongkong
@@ -177,7 +182,7 @@ EXAMPLES:
         /// Filter by kind, e.g. server, service
         #[arg(long)]
         kind: Option<String>,
-        /// Exact name filter, e.g. gitea, i-uf63f2uookgs5uxmrdyc
+        /// Exact name filter, e.g. gitea, i-example0abcd1234efgh
         #[arg(long)]
         name: Option<String>,
         /// Filter by tag, e.g. --tag aliyun (repeatable for AND intersection)
@@ -206,23 +211,39 @@ EXAMPLES:
         output: Option<String>,
     },
 
-    /// Delete a record permanently. Requires exact namespace + kind + name.
+    /// Delete one record precisely, or bulk-delete by namespace.
+    ///
+    /// With --name: deletes exactly that record (--kind also required).
+    /// Without --name: bulk-deletes all records matching namespace + optional --kind.
+    /// Use --dry-run to preview bulk deletes before committing.
     #[command(after_help = "EXAMPLES:
-  # Delete a service credential
+  # Delete a single record (exact match)
   secrets delete -n refining --kind service --name legacy-mqtt
 
-  # Delete a server record
-  secrets delete -n ricnsmart --kind server --name i-old-server-id")]
+  # Preview what a bulk delete would remove (no writes)
+  secrets delete -n refining --dry-run
+
+  # Bulk-delete all records in a namespace
+  secrets delete -n ricnsmart
+
+  # Bulk-delete only server records in a namespace
+  secrets delete -n ricnsmart --kind server
+
+  # JSON output
+  secrets delete -n refining --kind service -o json")]
     Delete {
         /// Namespace, e.g. refining
         #[arg(short, long)]
         namespace: String,
-        /// Kind, e.g. server, service
+        /// Kind filter, e.g. server, service (required with --name; optional for bulk)
         #[arg(long)]
-        kind: String,
-        /// Exact name of the record to delete
+        kind: Option<String>,
+        /// Exact name of the record to delete (omit for bulk delete)
         #[arg(long)]
-        name: String,
+        name: Option<String>,
+        /// Preview what would be deleted without making any changes (bulk mode only)
+        #[arg(long)]
+        dry_run: bool,
         /// Output format: text (default on TTY), json, json-compact
         #[arg(short, long = "output")]
         output: Option<String>,
@@ -423,8 +444,8 @@ EXAMPLES:
 
     /// Check for a newer version and update the binary in-place.
     ///
-    /// Downloads the latest release from Gitea and replaces the current binary.
-    /// No database connection or master key required.
+    /// Downloads the latest release and replaces the current binary. No database connection or master key required.
+    /// Release URL defaults to the upstream server; override via SECRETS_UPGRADE_URL for self-hosted or fork.
     #[command(after_help = "EXAMPLES:
   # Check for updates only (no download)
   secrets upgrade --check
@@ -530,6 +551,7 @@ enum ConfigAction {
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    load_dotenv();
     let cli = Cli::parse();
 
     let filter = if cli.verbose {
@@ -634,17 +656,19 @@ async fn main() -> Result<()> {
             namespace,
             kind,
             name,
+            dry_run,
             output,
         } => {
             let _span =
-                tracing::info_span!("cmd", command = "delete", %namespace, %kind, %name).entered();
+                tracing::info_span!("cmd", command = "delete", %namespace, ?kind, ?name).entered();
             let out = resolve_output_mode(output.as_deref())?;
             commands::delete::run(
                 &pool,
                 commands::delete::DeleteArgs {
                     namespace: &namespace,
-                    kind: &kind,
-                    name: &name,
+                    kind: kind.as_deref(),
+                    name: name.as_deref(),
+                    dry_run,
                     output: out,
                 },
             )

test-fixtures/example-key.pem

@@ -0,0 +1,3 @@
+-----BEGIN EXAMPLE KEY PLACEHOLDER-----
+This file is for local dev/testing. Replace with a real key when needed.
+-----END EXAMPLE KEY PLACEHOLDER-----