style(secrets-mcp): rustfmt web.rs audit mapping

Made-with: Cursor

.gitea/workflows/secrets.yml

@@ -3,13 +3,12 @@ name: Secrets MCP — Build & Release
 
 on:
   push:
-    branches: [main, feat/mcp, mcp]
     paths:
       - 'crates/**'
       - 'Cargo.toml'
       - 'Cargo.lock'
-      # systemd / 部署模板变更也应跑构建（产物无变时可快速跳过 check）
       - 'deploy/**'
+      - '.gitea/workflows/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -20,221 +19,167 @@ permissions:
 
 env:
   MCP_BINARY: secrets-mcp
+  RUST_TOOLCHAIN: 1.94.0
   CARGO_INCREMENTAL: 0
   CARGO_NET_RETRY: 10
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: short
+  MUSL_TARGET: x86_64-unknown-linux-musl
 
 jobs:
-  version:
+  ci:
-    name: 版本 & Release
+    name: 检查 / 构建 / 发版
     runs-on: debian
+    timeout-minutes: 40
     outputs:
-      version: ${{ steps.ver.outputs.version }}
       tag: ${{ steps.ver.outputs.tag }}
-      tag_exists: ${{ steps.ver.outputs.tag_exists }}
+      version: ${{ steps.ver.outputs.version }}
-      release_id: ${{ steps.release.outputs.release_id }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      # ── 版本解析 ────────────────────────────────────────────────────────
       - name: 解析版本
         id: ver
         run: |
           version=$(grep -m1 '^version' crates/secrets-mcp/Cargo.toml | sed 's/.*"\(.*\)".*/\1/')
           tag="secrets-mcp-${version}"
-          previous_tag=$(git tag --list 'secrets-mcp-*' --sort=-v:refname | awk -v tag="$tag" '$0 != tag { print; exit }')
-
           echo "version=${version}" >> "$GITHUB_OUTPUT"
           echo "tag=${tag}" >> "$GITHUB_OUTPUT"
-          echo "previous_tag=${previous_tag}" >> "$GITHUB_OUTPUT"
 
           if git rev-parse "refs/tags/${tag}" >/dev/null 2>&1; then
+            echo "⚠ 版本 ${tag} 已存在，将覆盖重新发版。"
             echo "tag_exists=true" >> "$GITHUB_OUTPUT"
-            echo "版本 ${tag} 已存在"
           else
-            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
             echo "将创建新版本 ${tag}"
+            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: 严格拦截重复版本
+      # ── Rust 工具链 ──────────────────────────────────────────────────────
-        if: steps.ver.outputs.tag_exists == 'true'
+      - name: 安装 Rust 与 musl 工具链
         run: |
-          echo "错误: 版本 ${{ steps.ver.outputs.tag }} 已存在，禁止重复发版。"
+          sudo apt-get update -qq
-          echo "请先 bump crates/secrets-mcp/Cargo.toml 中的 version，并执行 cargo build 同步 Cargo.lock。"
+          sudo apt-get install -y -qq pkg-config musl-tools binutils jq
-          exit 1
+          if ! command -v rustup >/dev/null 2>&1; then
+            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "${RUST_TOOLCHAIN}"
+            echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
+          fi
+          source "$HOME/.cargo/env" 2>/dev/null || true
+          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal \
+            --component rustfmt --component clippy
+          rustup default "${RUST_TOOLCHAIN}"
+          rustup target add "${MUSL_TARGET}" --toolchain "${RUST_TOOLCHAIN}"
+          rustc -V && cargo -V
 
+      - name: 缓存 Cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry/index
+            ~/.cargo/registry/cache
+            ~/.cargo/git/db
+            target
+          key: cargo-${{ env.MUSL_TARGET }}-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }}
+          restore-keys: |
+            cargo-${{ env.MUSL_TARGET }}-${{ env.RUST_TOOLCHAIN }}-
+            cargo-${{ env.MUSL_TARGET }}-
+
+      # ── 质量检查（先于构建，失败即止）──────────────────────────────────
+      - name: fmt
+        run: cargo fmt -- --check
+
+      - name: clippy
+        run: cargo clippy --locked -- -D warnings
+
+      - name: test
+        run: cargo test --locked
+
+      # ── 构建（质量检查通过后才执行）────────────────────────────────────
+      - name: 构建 secrets-mcp (musl)
+        run: |
+          cargo build --release --locked --target "${MUSL_TARGET}" -p secrets-mcp
+          strip "target/${MUSL_TARGET}/release/${MCP_BINARY}"
+
+      - name: 上传构建产物
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ env.MCP_BINARY }}-linux-musl
+          path: target/${{ env.MUSL_TARGET }}/release/${{ env.MCP_BINARY }}
+          retention-days: 3
+
+      # ── 创建 / 覆盖 Tag（构建成功后才打）───────────────────────────────
       - name: 创建 Tag
-        if: steps.ver.outputs.tag_exists == 'false'
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git tag -a "${{ steps.ver.outputs.tag }}" -m "Release ${{ steps.ver.outputs.tag }}"
+          tag="${{ steps.ver.outputs.tag }}"
-          git push origin "${{ steps.ver.outputs.tag }}"
+          if [ "${{ steps.ver.outputs.tag_exists }}" = "true" ]; then
+            git tag -d "$tag" 2>/dev/null || true
+            git push origin ":refs/tags/$tag" 2>/dev/null || true
+          fi
+          git tag -a "$tag" -m "Release $tag"
+          git push origin "$tag"
 
-      - name: 解析或创建 Release
+      # ── Release（可选，需配置 RELEASE_TOKEN）───────────────────────────
-        id: release
+      - name: Upsert Release
+        if: env.RELEASE_TOKEN != ''
         env:
           RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         run: |
-          if [ -z "$RELEASE_TOKEN" ]; then
-            echo "release_id=" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
-
           tag="${{ steps.ver.outputs.tag }}"
           version="${{ steps.ver.outputs.version }}"
-          release_api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases"
+          api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases"
+          auth="Authorization: token $RELEASE_TOKEN"
 
-          http_code=$(curl -sS -o /tmp/release.json -w '%{http_code}' \
+          previous_tag=$(git tag --list 'secrets-mcp-*' --sort=-v:refname | awk -v t="$tag" '$0 != t { print; exit }')
-            -H "Authorization: token $RELEASE_TOKEN" \
-            "${release_api}/tags/${tag}")
-
-          if [ "$http_code" = "200" ]; then
-            release_id=$(jq -r '.id // empty' /tmp/release.json)
-            if [ -n "$release_id" ]; then
-              echo "已找到现有 Release: ${release_id}"
-              echo "release_id=${release_id}" >> "$GITHUB_OUTPUT"
-              exit 0
-            fi
-          fi
-
-          previous_tag="${{ steps.ver.outputs.previous_tag }}"
           if [ -n "$previous_tag" ]; then
             changes=$(git log --pretty=format:'- %s (%h)' "${previous_tag}..HEAD")
           else
             changes=$(git log --pretty=format:'- %s (%h)')
           fi
           [ -z "$changes" ] && changes="- 首次发布"
-
           body=$(printf '## 变更日志\n\n%s' "$changes")
 
-          payload=$(jq -n \
+          # Upsert: 存在 → PATCH + 清旧 assets；不存在 → POST
-            --arg tag "$tag" \
+          release_id=$(curl -sS -H "$auth" "${api}/tags/${tag}" 2>/dev/null | jq -r '.id // empty')
-            --arg name "secrets-mcp ${version}" \
-            --arg body "$body" \
-            '{tag_name: $tag, name: $name, body: $body, draft: true}')
-
-          http_code=$(curl -sS -o /tmp/create-release.json -w '%{http_code}' \
-            -H "Authorization: token $RELEASE_TOKEN" \
-            -H "Content-Type: application/json" \
-            -X POST "$release_api" \
-            -d "$payload")
-
-          if [ "$http_code" = "201" ] || [ "$http_code" = "200" ]; then
-            release_id=$(jq -r '.id // empty' /tmp/create-release.json)
-          fi
-
           if [ -n "$release_id" ]; then
-            echo "已创建草稿 Release: ${release_id}"
+            curl -sS -o /dev/null -H "$auth" -H "Content-Type: application/json" \
-            echo "release_id=${release_id}" >> "$GITHUB_OUTPUT"
+              -X PATCH "${api}/${release_id}" \
+              -d "$(jq -n --arg n "secrets-mcp ${version}" --arg b "$body" '{name:$n,body:$b,draft:false}')"
+            curl -sS -H "$auth" "${api}/${release_id}/assets" | \
+              jq -r '.[].id' | xargs -I{} curl -sS -o /dev/null -H "$auth" -X DELETE "${api}/${release_id}/assets/{}"
+            echo "已更新 Release ${release_id}"
           else
-            echo "⚠ 创建 Release 失败 (HTTP ${http_code})，跳过产物上传"
+            release_id=$(curl -fsS -H "$auth" -H "Content-Type: application/json" \
-            cat /tmp/create-release.json 2>/dev/null || true
+              -X POST "$api" \
-            echo "release_id=" >> "$GITHUB_OUTPUT"
+              -d "$(jq -n --arg t "$tag" --arg n "secrets-mcp ${version}" --arg b "$body" \
+                   '{tag_name:$t,name:$n,body:$b,draft:false}')" | jq -r '.id')
+            echo "已创建 Release ${release_id}"
           fi
 
-  check:
+          bin="target/${MUSL_TARGET}/release/${MCP_BINARY}"
-    name: 质量检查 (fmt / clippy / test)
+          archive="${MCP_BINARY}-${tag}-x86_64-linux-musl.tar.gz"
-    runs-on: debian
-    timeout-minutes: 15
-    steps:
-      - name: 安装 Rust
-        run: |
-          if ! command -v cargo >/dev/null 2>&1; then
-            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
-            echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
-          fi
-          source "$HOME/.cargo/env" 2>/dev/null || true
-          rustup component add rustfmt clippy
-
-      - uses: actions/checkout@v4
-
-      - name: 缓存 Cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry/index
-            ~/.cargo/registry/cache
-            ~/.cargo/git/db
-            target
-          key: cargo-check-${{ hashFiles('Cargo.lock') }}
-          restore-keys: |
-            cargo-check-
-
-      - run: cargo fmt -- --check
-      - run: cargo clippy --locked -- -D warnings
-      - run: cargo test --locked
-
-  build-linux:
-    name: Build Linux (secrets-mcp, musl)
-    needs: [version, check]
-    runs-on: debian
-    timeout-minutes: 25
-    steps:
-      - name: 安装依赖
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y pkg-config musl-tools binutils curl
-          if ! command -v cargo >/dev/null 2>&1; then
-            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
-          fi
-          source "$HOME/.cargo/env" 2>/dev/null || true
-          rustup target add x86_64-unknown-linux-musl
-          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
-
-      - uses: actions/checkout@v4
-
-      - name: 缓存 Cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry/index
-            ~/.cargo/registry/cache
-            ~/.cargo/git/db
-            target
-          key: cargo-x86_64-unknown-linux-musl-${{ hashFiles('Cargo.lock') }}
-          restore-keys: |
-            cargo-x86_64-unknown-linux-musl-
-
-      - name: 构建 secrets-mcp (musl)
-        run: |
-          cargo build --release --locked --target x86_64-unknown-linux-musl -p secrets-mcp
-          strip target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }}
-
-      - name: 上传 Release 产物
-        if: needs.version.outputs.release_id != ''
-        env:
-          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          [ -z "$RELEASE_TOKEN" ] && exit 0
-          tag="${{ needs.version.outputs.tag }}"
-          bin="target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }}"
-          archive="${{ env.MCP_BINARY }}-${tag}-x86_64-linux-musl.tar.gz"
           tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")"
           sha256sum "$archive" > "${archive}.sha256"
-          release_url="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
+          curl -fsS -H "$auth" -F "attachment=@${archive}" "${api}/${release_id}/assets"
-          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
+          curl -fsS -H "$auth" -F "attachment=@${archive}.sha256" "${api}/${release_id}/assets"
-            -F "attachment=@${archive}" "$release_url"
+          echo "Release ${tag} 已发布"
-          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
-            -F "attachment=@${archive}.sha256" "$release_url"
 
+      # ── 飞书汇总通知 ─────────────────────────────────────────────────────
       - name: 飞书通知
         if: always()
         env:
           WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
         run: |
           [ -z "$WEBHOOK_URL" ] && exit 0
-          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
+          tag="${{ steps.ver.outputs.tag }}"
-          tag="${{ needs.version.outputs.tag }}"
+          commit="${{ github.event.head_commit.message }}"
-          commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
+          [ -z "$commit" ] && commit="${{ github.sha }}"
           url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
           result="${{ job.status }}"
           if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
-          msg="secrets-mcp linux 构建${icon}
+          msg="secrets-mcp 构建&发版 ${icon}
           版本：${tag}
           提交：${commit}
           作者：${{ github.actor }}
@@ -242,46 +187,21 @@ jobs:
           payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
           curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
 
-  deploy-mcp:
+  deploy:
     name: 部署 secrets-mcp
-    needs: [version, build-linux]
+    needs: [ci]
-    # 部署目标由仓库 Actions 配置：vars.DEPLOY_HOST / vars.DEPLOY_USER；私钥 secrets.DEPLOY_SSH_KEY（PEM 原文，勿 base64）
+    if: |
-    # （可用 scripts/setup-gitea-actions.sh 或 Gitea API 写入，勿写进本文件）
+      github.ref == 'refs/heads/main' ||
-    # Google OAuth / SERVER_MASTER_KEY / SECRETS_DATABASE_URL 等勿写入 CI，请在 ECS 上
+      github.ref == 'refs/heads/feat/mcp' ||
-    # /opt/secrets-mcp/.env 配置（见 deploy/.env.example）。
+      github.ref == 'refs/heads/mcp'
-    # 若仓库 main 仍为纯 CLI、仅 feat/mcp 含本 workflow，请去掉条件里的 main，避免误部署。
-    if: needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp')
     runs-on: debian
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - name: 下载构建产物
-
+        uses: actions/download-artifact@v3
-      - name: 安装 Rust
-        run: |
-          if ! command -v cargo >/dev/null 2>&1; then
-            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
-            echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
-          fi
-          source "$HOME/.cargo/env" 2>/dev/null || true
-          sudo apt-get update -qq && sudo apt-get install -y -qq pkg-config musl-tools
-          rustup target add x86_64-unknown-linux-musl
-
-      - name: 缓存 Cargo
-        uses: actions/cache@v4
         with:
-          path: |
+          name: ${{ env.MCP_BINARY }}-linux-musl
-            ~/.cargo/registry/index
+          path: /tmp/artifact
-            ~/.cargo/registry/cache
-            ~/.cargo/git/db
-            target
-          key: cargo-x86_64-unknown-linux-musl-${{ hashFiles('Cargo.lock') }}
-          restore-keys: |
-            cargo-x86_64-unknown-linux-musl-
-
-      - name: 构建 secrets-mcp
-        run: |
-          cargo build --release --locked --target x86_64-unknown-linux-musl -p secrets-mcp
-          strip target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }}
 
       - name: 部署到阿里云 ECS
         env:
@@ -290,16 +210,15 @@ jobs:
           DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
         run: |
           if [ -z "$DEPLOY_HOST" ] || [ -z "$DEPLOY_USER" ] || [ -z "$DEPLOY_SSH_KEY" ]; then
-            echo "部署跳过：请在仓库 Actions 中配置 vars.DEPLOY_HOST、vars.DEPLOY_USER 与 secrets.DEPLOY_SSH_KEY"
+            echo "部署跳过：请配置 vars.DEPLOY_HOST、vars.DEPLOY_USER 与 secrets.DEPLOY_SSH_KEY"
             exit 0
           fi
 
           echo "$DEPLOY_SSH_KEY" > /tmp/deploy_key
           chmod 600 /tmp/deploy_key
 
-          SCP="scp -i /tmp/deploy_key -o StrictHostKeyChecking=no"
+          scp -i /tmp/deploy_key -o StrictHostKeyChecking=no \
-
+            "/tmp/artifact/${MCP_BINARY}" \
-          $SCP target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }} \
             "${DEPLOY_USER}@${DEPLOY_HOST}:/tmp/secrets-mcp.new"
 
           ssh -i /tmp/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" "
@@ -309,7 +228,6 @@ jobs:
             sleep 2
             sudo systemctl is-active secrets-mcp && echo '服务启动成功' || (sudo journalctl -u secrets-mcp -n 20 && exit 1)
           "
-
           rm -f /tmp/deploy_key
 
       - name: 飞书通知
@@ -318,94 +236,13 @@ jobs:
           WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
         run: |
           [ -z "$WEBHOOK_URL" ] && exit 0
-          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
+          tag="${{ needs.ci.outputs.tag }}"
-          tag="${{ needs.version.outputs.tag }}"
-          commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
           url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
           result="${{ job.status }}"
           if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
-          msg="secrets-mcp 部署${icon}
+          msg="secrets-mcp 部署 ${icon}
           版本：${tag}
-          提交：${commit}
           作者：${{ github.actor }}
           详情：${url}"
           payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
           curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
-
-  publish-release:
-    name: 发布草稿 Release
-    needs: [version, build-linux]
-    if: always() && needs.version.outputs.release_id != ''
-    runs-on: debian
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: 发布草稿
-        env:
-          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          [ -z "$RELEASE_TOKEN" ] && exit 0
-
-          linux_r="${{ needs.build-linux.result }}"
-          if [ "$linux_r" != "success" ]; then
-            echo "linux 构建未成功，保留草稿 Release"
-            exit 0
-          fi
-
-          release_api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}"
-          http_code=$(curl -sS -o /tmp/publish-release.json -w '%{http_code}' \
-            -H "Authorization: token $RELEASE_TOKEN" \
-            -H "Content-Type: application/json" \
-            -X PATCH "$release_api" \
-            -d '{"draft":false}')
-
-          if [ "$http_code" != "200" ]; then
-            echo "发布草稿 Release 失败 (HTTP ${http_code})"
-            cat /tmp/publish-release.json 2>/dev/null || true
-            exit 1
-          fi
-          echo "Release 已发布"
-
-      - name: 飞书汇总通知
-        if: always()
-        env:
-          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
-        run: |
-          [ -z "$WEBHOOK_URL" ] && exit 0
-          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
-
-          tag="${{ needs.version.outputs.tag }}"
-          tag_exists="${{ needs.version.outputs.tag_exists }}"
-          commit="${{ github.event.head_commit.message }}"
-          [ -z "$commit" ] && commit="${{ github.sha }}"
-          url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
-
-          linux_r="${{ needs.build-linux.result }}"
-          publish_r="${{ job.status }}"
-
-          icon() { case "$1" in success) echo "✅";; skipped) echo "⏭";; *) echo "❌";; esac; }
-
-          if [ "$linux_r" = "success" ] && [ "$publish_r" = "success" ]; then
-            status="发布成功 ✅"
-          elif [ "$linux_r" != "success" ]; then
-            status="构建失败 ❌"
-          else
-            status="发布失败 ❌"
-          fi
-
-          if [ "$tag_exists" = "false" ]; then
-            version_line="🆕 新版本 ${tag}"
-          else
-            version_line="🔄 重复构建 ${tag}"
-          fi
-
-          msg="secrets-mcp ${status}
-          ${version_line}
-          linux $(icon "$linux_r") | Release $(icon "$publish_r")
-          提交：${commit}
-          作者：${{ github.actor }}
-          详情：${url}"
-
-          payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
-          curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"

AGENTS.md

@@ -6,7 +6,7 @@
 
 1. 涉及 `crates/**`、根目录 `Cargo.toml`/`Cargo.lock`、`secrets-mcp` 行为变更的提交，默认视为**需要发版**，除非明确说明「本次不发版」。
 2. 发版前检查 `crates/secrets-mcp/Cargo.toml` 的 `version`，再查 tag：`git tag -l 'secrets-mcp-*'`。
-3. 若当前版本对应 tag 已存在，须先 bump `version`，再 `cargo build` 同步 `Cargo.lock` 后提交。
+3. 若当前版本对应 tag 已存在，默认允许复用现有 tag 继续构建；仅在需要新的发布版本时再 bump `version` 并 `cargo build` 同步 `Cargo.lock`。
 4. 提交前优先运行 `./scripts/release-check.sh`（版本/tag + `fmt` + `clippy --locked` + `test --locked`）。
 
 ## 项目结构
@@ -148,11 +148,13 @@ git tag -l 'secrets-mcp-*'
 
 ## CI/CD
 
-- **触发**：`main` / `feat/mcp`（以仓库 workflow 为准）；路径含 `crates/**`、`deploy/**`、`Cargo.toml`、`Cargo.lock`。
+- **触发**：任意分支 `push`，且路径含 `crates/**`、`deploy/**`、根目录 `Cargo.toml`、`Cargo.lock`（见 `.gitea/workflows/secrets.yml`）。
-- **构建**：`x86_64-unknown-linux-musl` → `secrets-mcp`。
+- **版本与 tag**：从 `crates/secrets-mcp/Cargo.toml` 读版本；若远程已存在同名 `secrets-mcp-<version>` tag，则复用现有 tag 继续构建；否则由 CI 创建并推送该 tag。
-- **Release**：tag `secrets-mcp-<version>`，上传 tar.gz + `.sha256`。
+- **质量与构建**：`fmt` / `clippy --locked` / `test --locked` → `x86_64-unknown-linux-musl` 发布构建 `secrets-mcp`。
-- **部署**：可选在仓库 Actions 中配置 `vars.DEPLOY_HOST`、`vars.DEPLOY_USER` 与 `secrets.DEPLOY_SSH_KEY`（勿写进 workflow）；可用 `scripts/setup-gitea-actions.sh` 调 Gitea API 写入。Actions **secrets 须为原始值**（如 PEM 全文、PAT 明文），**不要**先 base64 再写入，否则工作流内无法识别（例如 SSH 私钥无效）。**勿**在 CI 中保存 `GOOGLE_CLIENT_SECRET`、DB 密码。
+- **Release（可选）**：`secrets.RELEASE_TOKEN`（Gitea PAT）用于创建草稿 Release、上传 `tar.gz` + `.sha256`、构建成功后发布；未配置则跳过 API Release，仅 tag + 构建。
-- **通知**：`vars.WEBHOOK_URL`（可选）。
+- **部署（可选）**：仅 `main`、`feat/mcp`、`mcp` 分支在构建成功时跑 `deploy-mcp`；需 `vars.DEPLOY_HOST`、`vars.DEPLOY_USER`、`secrets.DEPLOY_SSH_KEY`。勿把 OAuth/DB 等写进 workflow，用 `deploy/.env.example` 在目标机配置。
+- **Secrets 写法**：Actions **secrets 须为原始值**（PEM、PAT 明文），**勿** base64；否则 SSH/Release 会失败。**勿**在 CI 中保存 `GOOGLE_CLIENT_SECRET`、DB 密码。
+- **通知**：`vars.WEBHOOK_URL`（可选，飞书）。
 
 ## 环境变量（secrets-mcp）
 

Cargo.lock

@@ -1949,7 +1949,7 @@ dependencies = [
 
 [[package]]
 name = "secrets-mcp"
-version = "0.1.0"
+version = "0.1.8"
 dependencies = [
  "anyhow",
  "askama",

README.md

@@ -162,10 +162,16 @@ deploy/                 # systemd、.env 示例
 
 ## CI/CD（Gitea Actions）
 
-见 [`.gitea/workflows/secrets.yml`](.gitea/workflows/secrets.yml)。变更 `crates/**`、`deploy/**`、根目录 `Cargo.toml`/`Cargo.lock` 并推送到配置的分支时：fmt / clippy / test → 构建 `x86_64-unknown-linux-musl` → tag `secrets-mcp-<version>` 与 Release 产物 → 可选 SSH 部署。
+见 [`.gitea/workflows/secrets.yml`](.gitea/workflows/secrets.yml)。
+
+- **触发**：任意分支 `push`，且变更路径包含 `crates/**`、`deploy/**`、根目录 `Cargo.toml` / `Cargo.lock`。
+- **流水线**：解析 `crates/secrets-mcp/Cargo.toml` 版本 → 若 `secrets-mcp-<version>` 的 tag 已存在则**复用现有 tag 继续构建**，否则自动打 tag → `cargo fmt` / `clippy --locked` / `test --locked` → 交叉编译 `x86_64-unknown-linux-musl` 的 `secrets-mcp`。
+- **Release（可选）**：配置仓库 Secret `RELEASE_TOKEN`（Gitea PAT，明文勿 base64）时，会通过 API 创建**草稿** Release、在 Linux 构建成功后上传 `tar.gz` 与 `.sha256`，再自动将草稿**正式发布**；未配置则跳过创建 Release 与产物上传，仅保留 tag 与构建结果。
+- **部署（可选）**：仅在 `main`、`feat/mcp` 或 `mcp` 分支且构建成功时，若已配置 `vars.DEPLOY_HOST`、`vars.DEPLOY_USER` 与 `secrets.DEPLOY_SSH_KEY`，则 `deploy-mcp` 通过 SCP/SSH 更新目标机二进制并 `systemctl restart secrets-mcp`。
+- **通知（可选）**：`vars.WEBHOOK_URL` 为飞书 Webhook 时，构建/部署/发布节点会推送简要状态。
 
 ```bash
-./scripts/setup-gitea-actions.sh   # 配置 Gitea 变量与 Secrets
+./scripts/setup-gitea-actions.sh   # 通过 Gitea API 写入 RELEASE_TOKEN、WEBHOOK_URL、部署相关变量等
 ```
 
 详见 [AGENTS.md](AGENTS.md)（发版规则、代码规范）。

crates/secrets-core/src/audit.rs

@@ -1,14 +1,65 @@
-use serde_json::Value;
+use serde_json::{Value, json};
-use sqlx::{Postgres, Transaction};
+use sqlx::{PgPool, Postgres, Transaction};
+use uuid::Uuid;
+
+pub const ACTION_LOGIN: &str = "login";
+pub const NAMESPACE_AUTH: &str = "auth";
 
 /// Return the current OS user as the audit actor (falls back to empty string).
 pub fn current_actor() -> String {
     std::env::var("USER").unwrap_or_default()
 }
 
+fn login_detail(
+    user_id: Uuid,
+    provider: &str,
+    client_ip: Option<&str>,
+    user_agent: Option<&str>,
+) -> Value {
+    json!({
+        "user_id": user_id,
+        "provider": provider,
+        "client_ip": client_ip,
+        "user_agent": user_agent,
+    })
+}
+
+/// Write a login audit entry without requiring an explicit transaction.
+pub async fn log_login(
+    pool: &PgPool,
+    kind: &str,
+    provider: &str,
+    user_id: Uuid,
+    client_ip: Option<&str>,
+    user_agent: Option<&str>,
+) {
+    let actor = current_actor();
+    let detail = login_detail(user_id, provider, client_ip, user_agent);
+    let result: Result<_, sqlx::Error> = sqlx::query(
+        "INSERT INTO audit_log (user_id, action, namespace, kind, name, detail, actor) \
+         VALUES ($1, $2, $3, $4, $5, $6, $7)",
+    )
+    .bind(user_id)
+    .bind(ACTION_LOGIN)
+    .bind(NAMESPACE_AUTH)
+    .bind(kind)
+    .bind(provider)
+    .bind(&detail)
+    .bind(&actor)
+    .execute(pool)
+    .await;
+
+    if let Err(e) = result {
+        tracing::warn!(error = %e, kind, provider, "failed to write login audit log");
+    } else {
+        tracing::debug!(kind, provider, ?user_id, actor, "login audit logged");
+    }
+}
+
 /// Write an audit entry within an existing transaction.
 pub async fn log_tx(
     tx: &mut Transaction<'_, Postgres>,
+    user_id: Option<Uuid>,
     action: &str,
     namespace: &str,
     kind: &str,
@@ -17,9 +68,10 @@ pub async fn log_tx(
 ) {
     let actor = current_actor();
     let result: Result<_, sqlx::Error> = sqlx::query(
-        "INSERT INTO audit_log (action, namespace, kind, name, detail, actor) \
+        "INSERT INTO audit_log (user_id, action, namespace, kind, name, detail, actor) \
-         VALUES ($1, $2, $3, $4, $5, $6)",
+         VALUES ($1, $2, $3, $4, $5, $6, $7)",
     )
+    .bind(user_id)
     .bind(action)
     .bind(namespace)
     .bind(kind)
@@ -35,3 +87,19 @@ pub async fn log_tx(
         tracing::debug!(action, namespace, kind, name, actor, "audit logged");
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn login_detail_includes_expected_fields() {
+        let user_id = Uuid::nil();
+        let detail = login_detail(user_id, "google", Some("127.0.0.1"), Some("Mozilla/5.0"));
+
+        assert_eq!(detail["user_id"], json!(user_id));
+        assert_eq!(detail["provider"], "google");
+        assert_eq!(detail["client_ip"], "127.0.0.1");
+        assert_eq!(detail["user_agent"], "Mozilla/5.0");
+    }
+}

crates/secrets-core/src/db.rs

@@ -67,6 +67,7 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
         -- ── audit_log: append-only operation log ─────────────────────────────────
         CREATE TABLE IF NOT EXISTS audit_log (
             id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+            user_id     UUID,
             action      VARCHAR(32)  NOT NULL,
             namespace   VARCHAR(64)  NOT NULL,
             kind        VARCHAR(64)  NOT NULL,
@@ -76,8 +77,10 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
             created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
         );
 
+        ALTER TABLE audit_log ADD COLUMN IF NOT EXISTS user_id UUID;
         CREATE INDEX IF NOT EXISTS idx_audit_log_created  ON audit_log(created_at DESC);
         CREATE INDEX IF NOT EXISTS idx_audit_log_ns_kind  ON audit_log(namespace, kind);
+        CREATE INDEX IF NOT EXISTS idx_audit_log_user_id  ON audit_log(user_id) WHERE user_id IS NOT NULL;
 
         -- ── entries_history ───────────────────────────────────────────────────────
         CREATE TABLE IF NOT EXISTS entries_history (

crates/secrets-core/src/models.rs

@@ -174,6 +174,20 @@ pub struct OauthAccount {
     pub created_at: DateTime<Utc>,
 }
 
+/// A single audit log row, optionally scoped to a business user.
+#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
+pub struct AuditLogEntry {
+    pub id: i64,
+    pub user_id: Option<Uuid>,
+    pub action: String,
+    pub namespace: String,
+    pub kind: String,
+    pub name: String,
+    pub detail: Value,
+    pub actor: String,
+    pub created_at: DateTime<Utc>,
+}
+
 // ── TOML ↔ JSON value conversion ──────────────────────────────────────────────
 
 /// Convert a serde_json Value to a toml Value.

crates/secrets-core/src/service/add.rs

@@ -346,6 +346,7 @@ pub async fn run(pool: &PgPool, params: AddParams<'_>, master_key: &[u8; 32]) ->
 
     crate::audit::log_tx(
         &mut tx,
+        params.user_id,
         "add",
         params.namespace,
         params.kind,

crates/secrets-core/src/service/audit_log.rs

@@ -0,0 +1,23 @@
+use anyhow::Result;
+use sqlx::PgPool;
+use uuid::Uuid;
+
+use crate::models::AuditLogEntry;
+
+pub async fn list_for_user(pool: &PgPool, user_id: Uuid, limit: i64) -> Result<Vec<AuditLogEntry>> {
+    let limit = limit.clamp(1, 200);
+
+    let rows = sqlx::query_as(
+        "SELECT id, user_id, action, namespace, kind, name, detail, actor, created_at \
+         FROM audit_log \
+         WHERE user_id = $1 OR (user_id IS NULL AND detail->>'user_id' = $1::text) \
+         ORDER BY created_at DESC, id DESC \
+         LIMIT $2",
+    )
+    .bind(user_id)
+    .bind(limit)
+    .fetch_all(pool)
+    .await?;
+
+    Ok(rows)
+}

crates/secrets-core/src/service/delete.rs

@@ -137,7 +137,7 @@ async fn delete_one(
     };
 
     snapshot_and_delete(&mut tx, namespace, kind, name, &row, user_id).await?;
-    crate::audit::log_tx(&mut tx, "delete", namespace, kind, name, json!({})).await;
+    crate::audit::log_tx(&mut tx, user_id, "delete", namespace, kind, name, json!({})).await;
     tx.commit().await?;
 
     Ok(DeleteResult {
@@ -240,6 +240,7 @@ async fn delete_bulk(
         .await?;
         crate::audit::log_tx(
             &mut tx,
+            user_id,
             "delete",
             namespace,
             &row.kind,

crates/secrets-core/src/service/mod.rs

@@ -1,5 +1,6 @@
 pub mod add;
 pub mod api_key;
+pub mod audit_log;
 pub mod delete;
 pub mod env_map;
 pub mod export;

crates/secrets-core/src/service/rollback.rs

@@ -274,6 +274,7 @@ pub async fn run(
 
     crate::audit::log_tx(
         &mut tx,
+        user_id,
         "rollback",
         namespace,
         kind,

crates/secrets-core/src/service/update.rs

@@ -241,6 +241,7 @@ pub async fn run(
 
     crate::audit::log_tx(
         &mut tx,
+        params.user_id,
         "update",
         params.namespace,
         params.kind,

crates/secrets-mcp/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "secrets-mcp"
-version = "0.1.0"
+version = "0.1.8"
 edition.workspace = true
 
 [[bin]]

crates/secrets-mcp/src/web.rs

@@ -1,9 +1,12 @@
 use askama::Template;
+use chrono::SecondsFormat;
+use std::net::SocketAddr;
+
 use axum::{
     Json, Router,
     body::Body,
-    extract::{Path, Query, State},
+    extract::{ConnectInfo, Path, Query, State},
-    http::{StatusCode, header},
+    http::{HeaderMap, StatusCode, header},
     response::{Html, IntoResponse, Redirect, Response},
     routing::{get, post},
 };
@@ -11,9 +14,11 @@ use serde::{Deserialize, Serialize};
 use tower_sessions::Session;
 use uuid::Uuid;
 
+use secrets_core::audit::log_login;
 use secrets_core::crypto::hex;
 use secrets_core::service::{
     api_key::{ensure_api_key, regenerate_api_key},
+    audit_log::list_for_user,
     user::{
         OAuthProfile, bind_oauth_account, find_or_create_user, get_user_by_id,
         unbind_oauth_account, update_user_key_setup,
@@ -47,6 +52,23 @@ struct DashboardTemplate {
     version: &'static str,
 }
 
+#[derive(Template)]
+#[template(path = "audit.html")]
+struct AuditPageTemplate {
+    user_name: String,
+    user_email: String,
+    entries: Vec<AuditEntryView>,
+    version: &'static str,
+}
+
+struct AuditEntryView {
+    /// RFC3339 UTC for `<time datetime>`; rendered as browser-local in audit.html.
+    created_at_iso: String,
+    action: String,
+    target: String,
+    detail: String,
+}
+
 // ── App state helpers ─────────────────────────────────────────────────────────
 
 fn google_cfg(state: &AppState) -> Option<&OAuthConfig> {
@@ -62,6 +84,30 @@ async fn current_user_id(session: &Session) -> Option<Uuid> {
         .and_then(|s| Uuid::parse_str(&s).ok())
 }
 
+fn request_client_ip(headers: &HeaderMap, connect_info: ConnectInfo<SocketAddr>) -> Option<String> {
+    if let Some(first) = headers
+        .get("x-forwarded-for")
+        .and_then(|v| v.to_str().ok())
+        .and_then(|s| s.split(',').next())
+    {
+        let value = first.trim();
+        if !value.is_empty() {
+            return Some(value.to_string());
+        }
+    }
+
+    Some(connect_info.ip().to_string())
+}
+
+fn request_user_agent(headers: &HeaderMap) -> Option<String> {
+    headers
+        .get(header::USER_AGENT)
+        .and_then(|value| value.to_str().ok())
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+        .map(ToOwned::to_owned)
+}
+
 // ── Routes ────────────────────────────────────────────────────────────────────
 
 pub fn web_router() -> Router<AppState> {
@@ -76,6 +122,7 @@ pub fn web_router() -> Router<AppState> {
         .route("/auth/google/callback", get(auth_google_callback))
         .route("/auth/logout", post(auth_logout))
         .route("/dashboard", get(dashboard))
+        .route("/audit", get(audit_page))
         .route("/account/bind/google", get(account_bind_google))
         .route(
             "/account/bind/google/callback",
@@ -141,16 +188,28 @@ struct OAuthCallbackQuery {
 
 async fn auth_google_callback(
     State(state): State<AppState>,
+    connect_info: ConnectInfo<SocketAddr>,
+    headers: HeaderMap,
     session: Session,
     Query(params): Query<OAuthCallbackQuery>,
 ) -> Result<Response, StatusCode> {
-    handle_oauth_callback(&state, &session, params, "google", |s, cfg, code| {
+    let client_ip = request_client_ip(&headers, connect_info);
-        Box::pin(crate::oauth::google::exchange_code(
+    let user_agent = request_user_agent(&headers);
-            &s.http_client,
+    handle_oauth_callback(
-            cfg,
+        &state,
-            code,
+        &session,
-        ))
+        params,
-    })
+        "google",
+        client_ip.as_deref(),
+        user_agent.as_deref(),
+        |s, cfg, code| {
+            Box::pin(crate::oauth::google::exchange_code(
+                &s.http_client,
+                cfg,
+                code,
+            ))
+        },
+    )
     .await
 }
 
@@ -161,6 +220,8 @@ async fn handle_oauth_callback<F>(
     session: &Session,
     params: OAuthCallbackQuery,
     provider: &str,
+    client_ip: Option<&str>,
+    user_agent: Option<&str>,
     exchange_fn: F,
 ) -> Result<Response, StatusCode>
 where
@@ -274,6 +335,16 @@ where
         .await
         .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
 
+    log_login(
+        &state.pool,
+        "oauth",
+        provider,
+        user.id,
+        client_ip,
+        user_agent,
+    )
+    .await;
+
     Ok(Redirect::to("/dashboard").into_response())
 }
 
@@ -313,6 +384,49 @@ async fn dashboard(
     render_template(tmpl)
 }
 
+async fn audit_page(
+    State(state): State<AppState>,
+    session: Session,
+) -> Result<Response, StatusCode> {
+    let Some(user_id) = current_user_id(&session).await else {
+        return Ok(Redirect::to("/").into_response());
+    };
+
+    let user = match get_user_by_id(&state.pool, user_id)
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
+    {
+        Some(u) => u,
+        None => return Ok(Redirect::to("/").into_response()),
+    };
+
+    let rows = list_for_user(&state.pool, user_id, 100)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to load audit log for user");
+            StatusCode::INTERNAL_SERVER_ERROR
+        })?;
+
+    let entries = rows
+        .into_iter()
+        .map(|row| AuditEntryView {
+            created_at_iso: row.created_at.to_rfc3339_opts(SecondsFormat::Secs, true),
+            action: row.action,
+            target: format_audit_target(&row.namespace, &row.kind, &row.name),
+            detail: serde_json::to_string_pretty(&row.detail).unwrap_or_else(|_| "{}".to_string()),
+        })
+        .collect();
+
+    let tmpl = AuditPageTemplate {
+        user_name: user.name.clone(),
+        user_email: user.email.clone().unwrap_or_default(),
+        entries,
+        version: env!("CARGO_PKG_VERSION"),
+    };
+
+    render_template(tmpl)
+}
+
 // ── Account bind/unbind ───────────────────────────────────────────────────────
 
 async fn account_bind_google(
@@ -342,16 +456,28 @@ async fn account_bind_google(
 
 async fn account_bind_google_callback(
     State(state): State<AppState>,
+    connect_info: ConnectInfo<SocketAddr>,
+    headers: HeaderMap,
     session: Session,
     Query(params): Query<OAuthCallbackQuery>,
 ) -> Result<Response, StatusCode> {
-    handle_oauth_callback(&state, &session, params, "google", |s, cfg, code| {
+    let client_ip = request_client_ip(&headers, connect_info);
-        Box::pin(crate::oauth::google::exchange_code(
+    let user_agent = request_user_agent(&headers);
-            &s.http_client,
+    handle_oauth_callback(
-            cfg,
+        &state,
-            code,
+        &session,
-        ))
+        params,
-    })
+        "google",
+        client_ip.as_deref(),
+        user_agent.as_deref(),
+        |s, cfg, code| {
+            Box::pin(crate::oauth::google::exchange_code(
+                &s.http_client,
+                cfg,
+                code,
+            ))
+        },
+    )
     .await
 }
 
@@ -514,3 +640,11 @@ fn render_template<T: Template>(tmpl: T) -> Result<Response, StatusCode> {
     })?;
     Ok(Html(html).into_response())
 }
+
+fn format_audit_target(namespace: &str, kind: &str, name: &str) -> String {
+    if namespace == "auth" {
+        format!("{}/{}", kind, name)
+    } else {
+        format!("[{}/{}] {}", namespace, kind, name)
+    }
+}

crates/secrets-mcp/templates/audit.html

@@ -0,0 +1,154 @@
+<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="icon" href="/favicon.svg?v={{ version }}" type="image/svg+xml">
+    <title>Secrets — Audit</title>
+    <style>
+        *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+        @import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&family=Inter:wght@400;500;600&display=swap');
+        :root {
+            --bg: #0d1117; --surface: #161b22; --surface2: #21262d;
+            --border: #30363d; --text: #e6edf3; --text-muted: #8b949e;
+            --accent: #58a6ff; --accent-hover: #79b8ff;
+        }
+        body { background: var(--bg); color: var(--text); font-family: 'Inter', sans-serif; min-height: 100vh; }
+        .layout { display: flex; min-height: 100vh; }
+        .sidebar {
+            width: 220px; flex-shrink: 0; background: var(--surface); border-right: 1px solid var(--border);
+            padding: 24px 16px; display: flex; flex-direction: column; gap: 20px;
+        }
+        .sidebar-logo { font-family: 'JetBrains Mono', monospace; font-size: 16px; font-weight: 600;
+                        color: var(--text); text-decoration: none; padding: 0 10px; }
+        .sidebar-logo span { color: var(--accent); }
+        .sidebar-menu { display: flex; flex-direction: column; gap: 6px; }
+        .sidebar-link {
+            padding: 10px 12px; border-radius: 8px; color: var(--text-muted); text-decoration: none;
+            border: 1px solid transparent; font-size: 13px; font-weight: 500;
+        }
+        .sidebar-link:hover { background: var(--surface2); color: var(--text); }
+        .sidebar-link.active {
+            background: rgba(88,166,255,0.12); color: var(--text); border-color: rgba(88,166,255,0.35);
+        }
+        .content-shell { flex: 1; min-width: 0; display: flex; flex-direction: column; }
+        .topbar {
+            background: var(--surface); border-bottom: 1px solid var(--border); padding: 0 24px;
+            display: flex; align-items: center; gap: 12px; min-height: 52px;
+        }
+        .topbar-spacer { flex: 1; }
+        .nav-user { font-size: 13px; color: var(--text-muted); }
+        .btn-sign-out {
+            padding: 5px 12px; border-radius: 6px; border: 1px solid var(--border);
+            background: none; color: var(--text); font-size: 12px; text-decoration: none; cursor: pointer;
+        }
+        .btn-sign-out:hover { background: var(--surface2); }
+        .main { padding: 32px 24px 40px; flex: 1; }
+        .card { background: var(--surface); border: 1px solid var(--border); border-radius: 12px;
+                padding: 24px; width: 100%; max-width: 1180px; margin: 0 auto; }
+        .card-title { font-size: 20px; font-weight: 600; margin-bottom: 8px; }
+        .card-subtitle { color: var(--text-muted); font-size: 13px; margin-bottom: 20px; }
+        .empty { color: var(--text-muted); font-size: 14px; padding: 20px 0; }
+        table { width: 100%; border-collapse: collapse; }
+        th, td { text-align: left; vertical-align: top; padding: 12px 10px; border-top: 1px solid var(--border); }
+        th { color: var(--text-muted); font-size: 12px; font-weight: 600; }
+        td { font-size: 13px; }
+        .mono { font-family: 'JetBrains Mono', monospace; }
+        .detail {
+            background: var(--bg); border: 1px solid var(--border); border-radius: 8px;
+            padding: 10px; white-space: pre-wrap; word-break: break-word; font-size: 12px;
+            max-width: 460px;
+        }
+        @media (max-width: 900px) {
+            .layout { flex-direction: column; }
+            .sidebar {
+                width: 100%; border-right: none; border-bottom: 1px solid var(--border);
+                padding: 16px; gap: 14px;
+            }
+            .sidebar-menu { flex-direction: row; }
+            .sidebar-link { flex: 1; text-align: center; }
+            .main { padding: 20px 12px 28px; }
+            .card { padding: 16px; }
+            .topbar { padding: 12px 16px; flex-wrap: wrap; }
+            table, thead, tbody, th, td, tr { display: block; }
+            thead { display: none; }
+            tr { border-top: 1px solid var(--border); padding: 12px 0; }
+            td { border-top: none; padding: 6px 0; }
+            td::before {
+                display: block; color: var(--text-muted); font-size: 11px;
+                margin-bottom: 4px; text-transform: uppercase;
+            }
+            td.col-time::before { content: "Time"; }
+            td.col-action::before { content: "Action"; }
+            td.col-target::before { content: "Target"; }
+            td.col-detail::before { content: "Detail"; }
+            .detail { max-width: none; }
+        }
+    </style>
+</head>
+<body>
+<div class="layout">
+<aside class="sidebar">
+    <a href="/dashboard" class="sidebar-logo"><span>secrets</span></a>
+    <nav class="sidebar-menu">
+        <a href="/dashboard" class="sidebar-link">MCP</a>
+        <a href="/audit" class="sidebar-link active">审计</a>
+    </nav>
+</aside>
+
+<div class="content-shell">
+<div class="topbar">
+    <span class="topbar-spacer"></span>
+    <span class="nav-user">{{ user_name }}{% if !user_email.is_empty() %} · {{ user_email }}{% endif %}</span>
+    <form action="/auth/logout" method="post" style="display:inline">
+        <button type="submit" class="btn-sign-out">退出</button>
+    </form>
+</div>
+
+<main class="main">
+    <section class="card">
+        <div class="card-title">我的审计</div>
+        <div class="card-subtitle">展示最近 100 条与当前用户相关的新审计记录。时间为浏览器本地时区。</div>
+
+        {% if entries.is_empty() %}
+        <div class="empty">暂无审计记录。</div>
+        {% else %}
+        <table>
+            <thead>
+                <tr>
+                    <th>时间</th>
+                    <th>动作</th>
+                    <th>目标</th>
+                    <th>详情</th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for entry in entries %}
+                <tr>
+                    <td class="col-time mono"><time class="audit-local-time" datetime="{{ entry.created_at_iso }}">{{ entry.created_at_iso }}</time></td>
+                    <td class="col-action mono">{{ entry.action }}</td>
+                    <td class="col-target mono">{{ entry.target }}</td>
+                    <td class="col-detail"><pre class="detail">{{ entry.detail }}</pre></td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        {% endif %}
+    </section>
+</main>
+</div>
+</div>
+<script>
+(function () {
+  document.querySelectorAll('time.audit-local-time[datetime]').forEach(function (el) {
+    var raw = el.getAttribute('datetime');
+    var d = raw ? new Date(raw) : null;
+    if (d && !isNaN(d.getTime())) {
+      el.textContent = d.toLocaleString(undefined, { dateStyle: 'medium', timeStyle: 'medium' });
+      el.title = raw + ' (UTC)';
+    }
+  });
+})();
+</script>
+</body>
+</html>

crates/secrets-mcp/templates/dashboard.html

@@ -16,13 +16,29 @@
         }
         body { background: var(--bg); color: var(--text); font-family: 'Inter', sans-serif; min-height: 100vh; }
 
-        /* Nav */
+        .layout { display: flex; min-height: 100vh; }
-        .nav { background: var(--surface); border-bottom: 1px solid var(--border);
+        .sidebar {
-               padding: 0 24px; display: flex; align-items: center; gap: 12px; height: 52px; }
+            width: 220px; flex-shrink: 0; background: var(--surface); border-right: 1px solid var(--border);
-        .nav-logo { font-family: 'JetBrains Mono', monospace; font-size: 15px; font-weight: 600;
+            padding: 24px 16px; display: flex; flex-direction: column; gap: 20px;
-                    color: var(--text); text-decoration: none; }
+        }
-        .nav-logo span { color: var(--accent); }
+        .sidebar-logo { font-family: 'JetBrains Mono', monospace; font-size: 16px; font-weight: 600;
-        .nav-spacer { flex: 1; }
+                        color: var(--text); text-decoration: none; padding: 0 10px; }
+        .sidebar-logo span { color: var(--accent); }
+        .sidebar-menu { display: flex; flex-direction: column; gap: 6px; }
+        .sidebar-link {
+            padding: 10px 12px; border-radius: 8px; color: var(--text-muted); text-decoration: none;
+            border: 1px solid transparent; font-size: 13px; font-weight: 500;
+        }
+        .sidebar-link:hover { background: var(--surface2); color: var(--text); }
+        .sidebar-link.active {
+            background: rgba(88,166,255,0.12); color: var(--text); border-color: rgba(88,166,255,0.35);
+        }
+        .content-shell { flex: 1; min-width: 0; display: flex; flex-direction: column; }
+        .topbar {
+            background: var(--surface); border-bottom: 1px solid var(--border); padding: 0 24px;
+            display: flex; align-items: center; gap: 12px; min-height: 52px;
+        }
+        .topbar-spacer { flex: 1; }
         .nav-user { font-size: 13px; color: var(--text-muted); }
         .lang-bar { display: flex; gap: 2px; background: var(--surface2); border-radius: 6px; padding: 2px; }
         .lang-btn { padding: 3px 9px; border: none; background: none; color: var(--text-muted);
@@ -32,17 +48,20 @@
                         background: none; color: var(--text); font-size: 12px; cursor: pointer; }
         .btn-sign-out:hover { background: var(--surface2); }
 
-        /* Main: column so footer can sit at bottom of viewport when content is short */
+        /* Main content column */
         .main { display: flex; flex-direction: column; align-items: center;
-                padding: 48px 24px 24px; min-height: calc(100vh - 52px); }
+                padding: 24px 20px 8px; min-height: 0; }
+        .app-footer {
+            margin-top: auto;
+            text-align: center;
+            padding: 4px 20px 12px;
+            font-size: 12px;
+            color: #9da7b3;
+            font-family: 'JetBrains Mono', monospace;
+        }
         .card { background: var(--surface); border: 1px solid var(--border); border-radius: 12px;
-                padding: 32px; width: 100%; max-width: 980px; }
+                padding: 24px; width: 100%; max-width: 980px; }
-        .card-title { font-size: 18px; font-weight: 600; margin-bottom: 6px; }
+        .card-title { font-size: 18px; font-weight: 600; margin-bottom: 24px; }
-        .card-sub { font-size: 13px; color: var(--text-muted); line-height: 1.6; margin-bottom: 24px; }
-        .info-box { background: var(--surface2); border: 1px solid var(--border); border-radius: 8px;
-                    padding: 12px 14px; margin-bottom: 18px; }
-        .info-title { font-size: 12px; font-weight: 600; color: var(--text); margin-bottom: 8px; }
-        .info-line { font-size: 12px; color: var(--text-muted); line-height: 1.6; }
         /* Form */
         .field { margin-bottom: 12px; }
         .field label { display: block; font-size: 12px; color: var(--text-muted); margin-bottom: 5px; }
@@ -128,28 +147,40 @@
                             background: none; color: var(--text); font-size: 13px; cursor: pointer; }
         .btn-modal-cancel:hover { background: var(--surface2); }
 
-        @media (max-width: 720px) {
+        @media (max-width: 900px) {
-            .config-tabs { grid-template-columns: 1fr; }
+            .layout { flex-direction: column; }
+            .sidebar {
+                width: 100%; border-right: none; border-bottom: 1px solid var(--border);
+                padding: 16px; gap: 14px;
+            }
+            .sidebar-menu { flex-direction: row; }
+            .sidebar-link { flex: 1; text-align: center; }
         }
 
-        .app-footer {
+        @media (max-width: 720px) {
-            margin-top: auto;
+            .config-tabs { grid-template-columns: 1fr; }
-            width: 100%;
+            .topbar { padding: 12px 16px; flex-wrap: wrap; }
-            max-width: 980px;
+            .main { padding: 16px 12px 6px; }
-            flex-shrink: 0;
+            .app-footer { padding: 4px 12px 10px; }
-            text-align: center;
+            .card { padding: 18px; }
-            padding-top: 28px;
-            font-size: 12px;
-            color: #9da7b3;
-            font-family: 'JetBrains Mono', monospace;
         }
+
     </style>
 </head>
 <body data-has-passphrase="{{ has_passphrase }}" data-base-url="{{ base_url }}">
 
-<nav class="nav">
+<div class="layout">
-    <a href="/dashboard" class="nav-logo"><span>secrets</span></a>
+<aside class="sidebar">
-    <span class="nav-spacer"></span>
+    <a href="/dashboard" class="sidebar-logo"><span>secrets</span></a>
+    <nav class="sidebar-menu">
+        <a href="/dashboard" class="sidebar-link active">MCP</a>
+        <a href="/audit" class="sidebar-link">审计</a>
+    </nav>
+</aside>
+
+<div class="content-shell">
+<div class="topbar">
+    <span class="topbar-spacer"></span>
     <span class="nav-user">{{ user_name }}{% if !user_email.is_empty() %} · {{ user_email }}{% endif %}</span>
     <div class="lang-bar">
         <button class="lang-btn" onclick="setLang('zh-CN')">简</button>
@@ -159,7 +190,7 @@
     <form action="/auth/logout" method="post" style="display:inline">
         <button type="submit" class="btn-sign-out" data-i18n="signOut">退出</button>
     </form>
-</nav>
+</div>
 
 <div class="main">
 <div class="card">
@@ -167,11 +198,6 @@
     <!-- ── Locked state ──────────────────────────────────────────────────── -->
     <div id="locked-view">
         <div class="card-title" data-i18n="lockedTitle">获取 MCP 配置</div>
-        <div class="card-sub" data-i18n="lockedSub">输入加密密码，派生密钥后生成完整的 MCP 配置，可直接复制到 AI 客户端。</div>
-        <div class="info-box">
-            <div class="info-title" data-i18n="aboutTitle">说明</div>
-            <div class="info-line" data-i18n="aboutApiKey">API Key 用于身份认证，告诉服务端“你是谁”。</div>
-        </div>
 
         <!-- placeholder config -->
         <div class="config-wrap">
@@ -268,9 +294,11 @@
     </div>
 
 </div>
-
+</div>
 <footer class="app-footer">{{ version }}</footer>
 </div>
+</div>
+</div>
 
 <!-- ── Change passphrase modal ──────────────────────────────────────────────── -->
 <div class="modal-bd" id="change-modal">
@@ -313,9 +341,6 @@ const T = {
     'zh-CN': {
         signOut: '退出',
         lockedTitle: '获取 MCP 配置',
-        lockedSub: '输入加密密码，派生密钥后生成 MCP 配置；请按你所用客户端在解锁后选择对应卡片。',
-        aboutTitle: '说明',
-        aboutApiKey: 'API Key 用于身份认证；X-Encryption-Key 用于加解密密文。二者请仅保存在本机配置中。',
         labelPassphrase: '加密密码',
         labelConfirm: '确认密码',
         labelNew: '新密码',
@@ -350,9 +375,6 @@ const T = {
     'zh-TW': {
         signOut: '登出',
         lockedTitle: '取得 MCP 設定',
-        lockedSub: '輸入加密密碼，派生金鑰後生成 MCP 設定；請依你所用用戶端在解鎖後選擇對應卡片。',
-        aboutTitle: '說明',
-        aboutApiKey: 'API Key 用於身份驗證；X-Encryption-Key 用於加解密密文。二者請僅保存在本機設定中。',
         labelPassphrase: '加密密碼',
         labelConfirm: '確認密碼',
         labelNew: '新密碼',
@@ -387,9 +409,6 @@ const T = {
     'en': {
         signOut: 'Sign out',
         lockedTitle: 'Get MCP Config',
-        lockedSub: 'Enter your encryption password to derive your key and generate MCP config. After unlock, pick the card that matches your client.',
-        aboutTitle: 'About',
-        aboutApiKey: 'The API key authenticates you; X-Encryption-Key encrypts secret payloads. Keep both only in local client config.',
         labelPassphrase: 'Encryption password',
         labelConfirm: 'Confirm password',
         labelNew: 'New password',
@@ -554,12 +573,14 @@ function buildOpencodeEntry(apiKey, encKey) {
     };
 }
 
+/** Full OpenCode config: MCP servers live under top-level `mcp`. */
 function buildOpencodeConfigText(apiKey, encKey) {
-    return JSON.stringify({ secrets: buildOpencodeEntry(apiKey, encKey) }, null, 2);
+    return JSON.stringify({ mcp: { secrets: buildOpencodeEntry(apiKey, encKey) } }, null, 2);
 }
 
+/** Strip outer `{` `}` so user can paste `secrets` under an existing `mcp` object. */
 function buildOpencodeMergeSnippet(apiKey, encKey) {
-    const wrapped = buildOpencodeConfigText(apiKey, encKey);
+    const wrapped = JSON.stringify({ secrets: buildOpencodeEntry(apiKey, encKey) }, null, 2);
     const lines = wrapped.split('\n');
     return lines.length < 3 ? wrapped : lines.slice(1, -1).join('\n');
 }

rust-toolchain.toml

@@ -0,0 +1,3 @@
+[toolchain]
+channel = "1.94.0"
+components = ["rustfmt", "clippy"]

scripts/release-check.sh

@@ -12,12 +12,13 @@ echo "==> 当前 secrets-mcp 版本: ${version}"
 echo "==> 检查是否已存在 tag: ${tag}"
 
 if git rev-parse "refs/tags/${tag}" >/dev/null 2>&1; then
-  echo "错误: 已存在 tag ${tag}"
+  echo "提示: 已存在 tag ${tag}，将按重复构建处理，不阻断检查。"
-  echo "请先 bump crates/secrets-mcp/Cargo.toml 中的 version，再执行 cargo build 同步 Cargo.lock。"
+  echo "如需创建新的发布版本，请先 bump crates/secrets-mcp/Cargo.toml 中的 version。"
-  exit 1
+else
+  echo "==> 未发现重复 tag，将创建新版本"
 fi
 
-echo "==> 未发现重复 tag，开始执行检查"
+echo "==> 开始执行检查"
 cargo fmt -- --check
 cargo clippy --locked -- -D warnings
 cargo test --locked

scripts/setup-gitea-actions.sh

@@ -4,7 +4,7 @@
 # 参考: .gitea/workflows/secrets.yml
 #
 # 所需配置:
-#   - secrets.RELEASE_TOKEN  (必选) Release 上传用，值为 Gitea PAT
+#   - secrets.RELEASE_TOKEN  (可选，推荐) Gitea PAT；未配置则工作流跳过 Release 创建与产物上传
 #   - vars.WEBHOOK_URL       (可选) 飞书通知
 #   - vars.DEPLOY_HOST       (可选) 部署目标 SSH 主机（IP 或域名）
 #   - vars.DEPLOY_USER       (可选) SSH 用户名
@@ -21,7 +21,7 @@
 #   1. 从 ~/.config/gitea/config.env 读取 GITEA_URL, GITEA_TOKEN, GITEA_WEBHOOK_URL
 #   2. 或通过环境变量覆盖: GITEA_TOKEN（作为 RELEASE_TOKEN 的值）, WEBHOOK_URL,
 #      DEPLOY_HOST, DEPLOY_USER, DEPLOY_SSH_KEY_FILE（部署到 ECS）
-#   3. 或使用 secrets CLI 获取: 需 DATABASE_URL，从 refining/service gitea 读取
+#   3. 凭据勿用 base64；部署私钥路径见 DEPLOY_SSH_KEY_FILE
 #
 
 set -e
@@ -30,26 +30,41 @@ OWNER="refining"
 REPO="secrets"
 
 # 解析参数
-USE_SECRETS_CLI=false
 while [[ $# -gt 0 ]]; do
   case $1 in
-    --from-secrets) USE_SECRETS_CLI=true; shift ;;
+    --from-secrets)
+      echo "❌ --from-secrets 尚未实现，请使用 ~/.config/gitea/config.env 或环境变量" >&2
+      exit 1
+      ;;
     -h|--help)
-      echo "用法: $0 [--from-secrets]"
+      echo "用法: $0"
       echo ""
-      echo "  --from-secrets  从 secrets CLI (refining/service gitea) 获取 token 和 webhook_url"
+      echo "从 ~/.config/gitea/config.env 读取，或由环境变量覆盖。"
-      echo "                  否则从 ~/.config/gitea/config.env 读取"
       echo ""
-      echo "环境变量覆盖:"
+      echo "环境变量:"
-      echo "  GITEA_URL        Gitea 实例地址"
+      echo "  GITEA_URL             Gitea 实例根地址（可误带尾部 /api/v1，脚本会规范化后拼接）"
-      echo "  GITEA_TOKEN      用于 Release 上传的 PAT (创建 RELEASE_TOKEN secret)"
+      echo "  GITEA_TOKEN           用于 Release 的 PAT → secrets.RELEASE_TOKEN"
-      echo "  WEBHOOK_URL      飞书 Webhook URL (创建 variable，可选)"
+      echo "  WEBHOOK_URL           或 GITEA_WEBHOOK_URL → vars.WEBHOOK_URL（可选）"
+      echo "  DEPLOY_HOST           部署 SSH 主机（可选，须与下面两项同时设置）"
+      echo "  DEPLOY_USER           部署 SSH 用户"
+      echo "  DEPLOY_SSH_KEY_FILE   本地 PEM 路径 → secrets.DEPLOY_SSH_KEY（原文上传，勿 base64）"
       exit 0
       ;;
-    *) shift ;;
+    *)
+      echo "❌ 未知参数: $1" >&2
+      echo "   使用 $0 --help 查看用法" >&2
+      exit 1
+      ;;
   esac
 done
 
+for cmd in curl jq; do
+  if ! command -v "$cmd" &>/dev/null; then
+    echo "❌ 未找到命令: $cmd（本脚本依赖 curl 与 jq）" >&2
+    exit 1
+  fi
+done
+
 # 加载配置
 load_config() {
   local config="$HOME/.config/gitea/config.env"
@@ -59,26 +74,6 @@ load_config() {
   fi
 }
 
-# 从 secrets CLI 获取 gitea 凭据
-fetch_from_secrets() {
-  if ! command -v secrets &>/dev/null; then
-    echo "❌ secrets CLI 未找到，请先构建: cargo build --release" >&2
-    return 1
-  fi
-  # 输出 JSON 格式便于解析；需要 --show-secrets
-  # secrets 当前无 JSON 输出，用简单解析
-  local out
-  out=$(secrets search -n refining --kind service -q gitea --show-secrets 2>/dev/null || true)
-  if [[ -z "$out" ]]; then
-    echo "❌ 未找到 refining/service gitea 记录" >&2
-    return 1
-  fi
-  # 简化：从 metadata 和 secrets 中提取，实际格式需根据 search 输出调整
-  # 此处仅作占位，实际解析较复杂；建议用户优先用 config.env
-  echo "⚠️  --from-secrets 暂不支持自动解析，请使用 config.env 或环境变量" >&2
-  return 1
-}
-
 load_config
 
 # 优先使用环境变量
@@ -93,18 +88,17 @@ if [[ -z "$GITEA_URL" ]]; then
   exit 1
 fi
 
-# 去掉 URL 尾部斜杠
+# 规范为实例根 URL：去尾部斜杠，并去掉重复的 .../api/v1 后缀（避免拼成 .../api/v1/api/v1）
 GITEA_URL="${GITEA_URL%/}"
-# 确保使用 /api/v1 基础路径（若用户只写了根 URL）
+while [[ "$GITEA_URL" == */api/v1 ]]; do
-[[ "$GITEA_URL" != *"/api/v1"* ]] || true
+  GITEA_URL="${GITEA_URL%/api/v1}"
+  GITEA_URL="${GITEA_URL%/}"
+done
 
 API_BASE="${GITEA_URL}/api/v1"
 
 # 获取 GITEA_TOKEN（作为 workflow 中 secrets.RELEASE_TOKEN 的值）
 if [[ -z "$GITEA_TOKEN" ]]; then
-  if $USE_SECRETS_CLI; then
-    fetch_from_secrets || exit 1
-  fi
   echo "❌ GITEA_TOKEN 未配置"
   echo "   在 ~/.config/gitea/config.env 中设置，或 export GITEA_TOKEN=xxx" >&2
   echo "   Token 需具备 repo 写权限（创建 Release、上传附件）" >&2