feat(secrets-mcp): MCP 请求日志、探测 404 与资源元数据

- 新增 logging 中间件：记录 client_ip、ua、JSON-RPC、tool 等 - tools 各入口/出口结构化日志 - 探测型 404（/.well-known、GET /mcp）降为 debug - /.well-known/oauth-protected-resource 最小元数据 - secrets-mcp 0.1.11 Made-with: Cursor
docs(AGENTS): 精简提交/推送规则第4条
2026-03-21 17:57:10 +08:00 · 2026-03-21 16:56:06 +08:00 · 2026-03-21 16:48:47 +08:00 · 2026-03-21 16:46:33 +08:00 · 2026-03-21 16:45:50 +08:00 · 2026-03-21 12:25:38 +08:00
24 changed files with 1046 additions and 427 deletions
--- a/.gitea/workflows/secrets.yml
+++ b/.gitea/workflows/secrets.yml
@@ -7,7 +7,6 @@ on:
      - 'crates/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      # systemd / 部署模板变更也应跑构建（产物无变时可快速跳过 check）
      - 'deploy/**'
      - '.gitea/workflows/**'
@@ -25,225 +24,162 @@ env:
  CARGO_NET_RETRY: 10
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: short
  MUSL_TARGET: x86_64-unknown-linux-musl
 jobs:
-  version:
+  ci:
-    name: 版本 & Release
+    name: 检查 / 构建 / 发版
    runs-on: debian
    timeout-minutes: 40
    outputs:
      version: ${{ steps.ver.outputs.version }}
      tag: ${{ steps.ver.outputs.tag }}
-      tag_exists: ${{ steps.ver.outputs.tag_exists }}
+      version: ${{ steps.ver.outputs.version }}
      release_id: ${{ steps.release.outputs.release_id }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # ── 版本解析 ────────────────────────────────────────────────────────
      - name: 解析版本
        id: ver
        run: |
          version=$(grep -m1 '^version' crates/secrets-mcp/Cargo.toml | sed 's/.*"\(.*\)".*/\1/')
          tag="secrets-mcp-${version}"
          previous_tag=$(git tag --list 'secrets-mcp-*' --sort=-v:refname | awk -v tag="$tag" '$0 != tag { print; exit }')
          echo "version=${version}" >> "$GITHUB_OUTPUT"
          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
          echo "previous_tag=${previous_tag}" >> "$GITHUB_OUTPUT"
          if git rev-parse "refs/tags/${tag}" >/dev/null 2>&1; then
            echo "⚠ 版本 ${tag} 已存在，将覆盖重新发版。"
            echo "tag_exists=true" >> "$GITHUB_OUTPUT"
            echo "版本 ${tag} 已存在"
          else
            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
            echo "将创建新版本 ${tag}"
            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
          fi
-      - name: 严格拦截重复版本
+      # ── Rust 工具链 ──────────────────────────────────────────────────────
-        if: steps.ver.outputs.tag_exists == 'true'
+      - name: 安装 Rust 与 musl 工具链
        run: |
-          echo "错误: 版本 ${{ steps.ver.outputs.tag }} 已存在，禁止重复发版。"
+          sudo apt-get update -qq
-          echo "请先 bump crates/secrets-mcp/Cargo.toml 中的 version，并执行 cargo build 同步 Cargo.lock。"
+          sudo apt-get install -y -qq pkg-config musl-tools binutils jq
-          exit 1
+          if ! command -v rustup >/dev/null 2>&1; then
            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "${RUST_TOOLCHAIN}"
            echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          fi
          source "$HOME/.cargo/env" 2>/dev/null || true
          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal \
            --component rustfmt --component clippy
          rustup default "${RUST_TOOLCHAIN}"
          rustup target add "${MUSL_TARGET}" --toolchain "${RUST_TOOLCHAIN}"
          rustc -V && cargo -V
      - name: 缓存 Cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db
            target
          key: cargo-${{ env.MUSL_TARGET }}-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-${{ env.MUSL_TARGET }}-${{ env.RUST_TOOLCHAIN }}-
            cargo-${{ env.MUSL_TARGET }}-
      # ── 质量检查（先于构建，失败即止）──────────────────────────────────
      - name: fmt
        run: cargo fmt -- --check
      - name: clippy
        run: cargo clippy --locked -- -D warnings
      - name: test
        run: cargo test --locked
      # ── 构建（质量检查通过后才执行）────────────────────────────────────
      - name: 构建 secrets-mcp (musl)
        run: |
          cargo build --release --locked --target "${MUSL_TARGET}" -p secrets-mcp
          strip "target/${MUSL_TARGET}/release/${MCP_BINARY}"
      - name: 上传构建产物
        uses: actions/upload-artifact@v3
        with:
          name: ${{ env.MCP_BINARY }}-linux-musl
          path: target/${{ env.MUSL_TARGET }}/release/${{ env.MCP_BINARY }}
          retention-days: 3
      # ── 创建 / 覆盖 Tag（构建成功后才打）───────────────────────────────
      - name: 创建 Tag
        if: steps.ver.outputs.tag_exists == 'false'
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git tag -a "${{ steps.ver.outputs.tag }}" -m "Release ${{ steps.ver.outputs.tag }}"
+          tag="${{ steps.ver.outputs.tag }}"
-          git push origin "${{ steps.ver.outputs.tag }}"
+          if [ "${{ steps.ver.outputs.tag_exists }}" = "true" ]; then
            git tag -d "$tag" 2>/dev/null || true
            git push origin ":refs/tags/$tag" 2>/dev/null || true
          fi
          git tag -a "$tag" -m "Release $tag"
          git push origin "$tag"
-      - name: 解析或创建 Release
+      # ── Release（可选，需配置 RELEASE_TOKEN）───────────────────────────
-        id: release
+      - name: Upsert Release
        if: env.RELEASE_TOKEN != ''
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          if [ -z "$RELEASE_TOKEN" ]; then
            echo "release_id=" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
          tag="${{ steps.ver.outputs.tag }}"
          version="${{ steps.ver.outputs.version }}"
-          release_api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases"
+          api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases"
          auth="Authorization: token $RELEASE_TOKEN"
-          http_code=$(curl -sS -o /tmp/release.json -w '%{http_code}' \
+          previous_tag=$(git tag --list 'secrets-mcp-*' --sort=-v:refname | awk -v t="$tag" '$0 != t { print; exit }')
            -H "Authorization: token $RELEASE_TOKEN" \
            "${release_api}/tags/${tag}")
          if [ "$http_code" = "200" ]; then
            release_id=$(jq -r '.id // empty' /tmp/release.json)
            if [ -n "$release_id" ]; then
              echo "已找到现有 Release: ${release_id}"
              echo "release_id=${release_id}" >> "$GITHUB_OUTPUT"
              exit 0
            fi
          fi
          previous_tag="${{ steps.ver.outputs.previous_tag }}"
          if [ -n "$previous_tag" ]; then
            changes=$(git log --pretty=format:'- %s (%h)' "${previous_tag}..HEAD")
          else
            changes=$(git log --pretty=format:'- %s (%h)')
          fi
          [ -z "$changes" ] && changes="- 首次发布"
          body=$(printf '## 变更日志\n\n%s' "$changes")
-          payload=$(jq -n \
+          # Upsert: 存在 → PATCH + 清旧 assets；不存在 → POST
-            --arg tag "$tag" \
+          release_id=$(curl -sS -H "$auth" "${api}/tags/${tag}" 2>/dev/null | jq -r '.id // empty')
            --arg name "secrets-mcp ${version}" \
            --arg body "$body" \
            '{tag_name: $tag, name: $name, body: $body, draft: true}')
          http_code=$(curl -sS -o /tmp/create-release.json -w '%{http_code}' \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -X POST "$release_api" \
            -d "$payload")
          if [ "$http_code" = "201" ] || [ "$http_code" = "200" ]; then
            release_id=$(jq -r '.id // empty' /tmp/create-release.json)
          fi
          if [ -n "$release_id" ]; then
-            echo "已创建草稿 Release: ${release_id}"
+            curl -sS -o /dev/null -H "$auth" -H "Content-Type: application/json" \
-            echo "release_id=${release_id}" >> "$GITHUB_OUTPUT"
+              -X PATCH "${api}/${release_id}" \
              -d "$(jq -n --arg n "secrets-mcp ${version}" --arg b "$body" '{name:$n,body:$b,draft:false}')"
            curl -sS -H "$auth" "${api}/${release_id}/assets" | \
              jq -r '.[].id' | xargs -I{} curl -sS -o /dev/null -H "$auth" -X DELETE "${api}/${release_id}/assets/{}"
            echo "已更新 Release ${release_id}"
          else
-            echo "⚠ 创建 Release 失败 (HTTP ${http_code})，跳过产物上传"
+            release_id=$(curl -fsS -H "$auth" -H "Content-Type: application/json" \
-            cat /tmp/create-release.json 2>/dev/null || true
+              -X POST "$api" \
-            echo "release_id=" >> "$GITHUB_OUTPUT"
+              -d "$(jq -n --arg t "$tag" --arg n "secrets-mcp ${version}" --arg b "$body" \
                   '{tag_name:$t,name:$n,body:$b,draft:false}')" | jq -r '.id')
            echo "已创建 Release ${release_id}"
          fi
-  check:
+          bin="target/${MUSL_TARGET}/release/${MCP_BINARY}"
-    name: 质量检查 (fmt / clippy / test)
+          archive="${MCP_BINARY}-${tag}-x86_64-linux-musl.tar.gz"
    needs: [version]
    runs-on: debian
    timeout-minutes: 15
    steps:
      - name: 安装 Rust
        run: |
          if ! command -v rustup >/dev/null 2>&1; then
            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "${RUST_TOOLCHAIN}"
            echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          fi
          source "$HOME/.cargo/env" 2>/dev/null || true
          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal --component rustfmt --component clippy
          rustup default "${RUST_TOOLCHAIN}"
          rustc -V
          cargo -V
      - uses: actions/checkout@v4
      - name: 缓存 Cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db
          key: cargo-check-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-check-${{ env.RUST_TOOLCHAIN }}-
            cargo-check-
      - run: cargo fmt -- --check
      - run: cargo clippy --locked -- -D warnings
      - run: cargo test --locked
  build-linux:
    name: Build Linux (secrets-mcp, musl)
    needs: [version, check]
    runs-on: debian
    timeout-minutes: 25
    steps:
      - name: 安装依赖
        run: |
          sudo apt-get update
          sudo apt-get install -y pkg-config musl-tools binutils curl
          if ! command -v rustup >/dev/null 2>&1; then
            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "${RUST_TOOLCHAIN}"
            echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          fi
          source "$HOME/.cargo/env" 2>/dev/null || true
          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal
          rustup default "${RUST_TOOLCHAIN}"
          rustup target add x86_64-unknown-linux-musl --toolchain "${RUST_TOOLCHAIN}"
          rustc -V
          cargo -V
      - uses: actions/checkout@v4
      - name: 缓存 Cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db
          key: cargo-x86_64-unknown-linux-musl-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-x86_64-unknown-linux-musl-${{ env.RUST_TOOLCHAIN }}-
            cargo-x86_64-unknown-linux-musl-
      - name: 构建 secrets-mcp (musl)
        run: |
          cargo build --release --locked --target x86_64-unknown-linux-musl -p secrets-mcp
          strip target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }}
      - name: 上传 Release 产物
        if: needs.version.outputs.release_id != ''
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          [ -z "$RELEASE_TOKEN" ] && exit 0
          tag="${{ needs.version.outputs.tag }}"
          bin="target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }}"
          archive="${{ env.MCP_BINARY }}-${tag}-x86_64-linux-musl.tar.gz"
          tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")"
          sha256sum "$archive" > "${archive}.sha256"
-          release_url="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}/assets"
+          curl -fsS -H "$auth" -F "attachment=@${archive}" "${api}/${release_id}/assets"
-          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
+          curl -fsS -H "$auth" -F "attachment=@${archive}.sha256" "${api}/${release_id}/assets"
-            -F "attachment=@${archive}" "$release_url"
+          echo "Release ${tag} 已发布"
          curl -fsS -H "Authorization: token $RELEASE_TOKEN" \
            -F "attachment=@${archive}.sha256" "$release_url"
      # ── 飞书汇总通知 ─────────────────────────────────────────────────────
      - name: 飞书通知
        if: always()
        env:
          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
        run: |
          [ -z "$WEBHOOK_URL" ] && exit 0
-          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
+          tag="${{ steps.ver.outputs.tag }}"
-          tag="${{ needs.version.outputs.tag }}"
+          commit="${{ github.event.head_commit.message }}"
-          commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
+          [ -z "$commit" ] && commit="${{ github.sha }}"
          url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
          result="${{ job.status }}"
          if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
-          msg="secrets-mcp linux 构建${icon}
+          msg="secrets-mcp 构建&发版 ${icon}
          版本：${tag}
          提交：${commit}
          作者：${{ github.actor }}
@@ -251,50 +187,21 @@ jobs:
          payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
          curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
-  deploy-mcp:
+  deploy:
    name: 部署 secrets-mcp
-    needs: [version, build-linux]
+    needs: [ci]
-    # 部署目标由仓库 Actions 配置：vars.DEPLOY_HOST / vars.DEPLOY_USER；私钥 secrets.DEPLOY_SSH_KEY（PEM 原文，勿 base64）
+    if: |
-    # （可用 scripts/setup-gitea-actions.sh 或 Gitea API 写入，勿写进本文件）
+      github.ref == 'refs/heads/main' ||
-    # Google OAuth / SERVER_MASTER_KEY / SECRETS_DATABASE_URL 等勿写入 CI，请在 ECS 上
+      github.ref == 'refs/heads/feat/mcp' ||
-    # /opt/secrets-mcp/.env 配置（见 deploy/.env.example）。
+      github.ref == 'refs/heads/mcp'
    # 若仓库 main 仍为纯 CLI、仅 feat/mcp 含本 workflow，请去掉条件里的 main，避免误部署。
    if: needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp')
    runs-on: debian
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@v4
+      - name: 下载构建产物
-
+        uses: actions/download-artifact@v3
      - name: 安装 Rust
        run: |
          if ! command -v rustup >/dev/null 2>&1; then
            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "${RUST_TOOLCHAIN}"
            echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          fi
          source "$HOME/.cargo/env" 2>/dev/null || true
          sudo apt-get update -qq && sudo apt-get install -y -qq pkg-config musl-tools
          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal
          rustup default "${RUST_TOOLCHAIN}"
          rustup target add x86_64-unknown-linux-musl --toolchain "${RUST_TOOLCHAIN}"
          rustc -V
          cargo -V
      - name: 缓存 Cargo
        uses: actions/cache@v4
        with:
-          path: |
+          name: ${{ env.MCP_BINARY }}-linux-musl
-            ~/.cargo/registry/index
+          path: /tmp/artifact
            ~/.cargo/registry/cache
            ~/.cargo/git/db
          key: cargo-x86_64-unknown-linux-musl-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-x86_64-unknown-linux-musl-${{ env.RUST_TOOLCHAIN }}-
            cargo-x86_64-unknown-linux-musl-
      - name: 构建 secrets-mcp
        run: |
          cargo build --release --locked --target x86_64-unknown-linux-musl -p secrets-mcp
          strip target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }}
      - name: 部署到阿里云 ECS
        env:
@@ -303,16 +210,15 @@ jobs:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          if [ -z "$DEPLOY_HOST" ] || [ -z "$DEPLOY_USER" ] || [ -z "$DEPLOY_SSH_KEY" ]; then
-            echo "部署跳过：请在仓库 Actions 中配置 vars.DEPLOY_HOST、vars.DEPLOY_USER 与 secrets.DEPLOY_SSH_KEY"
+            echo "部署跳过：请配置 vars.DEPLOY_HOST、vars.DEPLOY_USER 与 secrets.DEPLOY_SSH_KEY"
            exit 0
          fi
          echo "$DEPLOY_SSH_KEY" > /tmp/deploy_key
          chmod 600 /tmp/deploy_key
-          SCP="scp -i /tmp/deploy_key -o StrictHostKeyChecking=no"
+          scp -i /tmp/deploy_key -o StrictHostKeyChecking=no \
-
+            "/tmp/artifact/${MCP_BINARY}" \
          $SCP target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }} \
            "${DEPLOY_USER}@${DEPLOY_HOST}:/tmp/secrets-mcp.new"
          ssh -i /tmp/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" "
@@ -322,7 +228,6 @@ jobs:
            sleep 2
            sudo systemctl is-active secrets-mcp && echo '服务启动成功' || (sudo journalctl -u secrets-mcp -n 20 && exit 1)
          "
          rm -f /tmp/deploy_key
      - name: 飞书通知
@@ -331,94 +236,13 @@ jobs:
          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
        run: |
          [ -z "$WEBHOOK_URL" ] && exit 0
-          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
+          tag="${{ needs.ci.outputs.tag }}"
          tag="${{ needs.version.outputs.tag }}"
          commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
          url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
          result="${{ job.status }}"
          if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
-          msg="secrets-mcp 部署${icon}
+          msg="secrets-mcp 部署 ${icon}
          版本：${tag}
          提交：${commit}
          作者：${{ github.actor }}
          详情：${url}"
          payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
          curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
  publish-release:
    name: 发布草稿 Release
    needs: [version, build-linux]
    if: always() && needs.version.outputs.release_id != ''
    runs-on: debian
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - name: 发布草稿
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          [ -z "$RELEASE_TOKEN" ] && exit 0
          linux_r="${{ needs.build-linux.result }}"
          if [ "$linux_r" != "success" ]; then
            echo "linux 构建未成功，保留草稿 Release"
            exit 0
          fi
          release_api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}"
          http_code=$(curl -sS -o /tmp/publish-release.json -w '%{http_code}' \
            -H "Authorization: token $RELEASE_TOKEN" \
            -H "Content-Type: application/json" \
            -X PATCH "$release_api" \
            -d '{"draft":false}')
          if [ "$http_code" != "200" ]; then
            echo "发布草稿 Release 失败 (HTTP ${http_code})"
            cat /tmp/publish-release.json 2>/dev/null || true
            exit 1
          fi
          echo "Release 已发布"
      - name: 飞书汇总通知
        if: always()
        env:
          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
        run: |
          [ -z "$WEBHOOK_URL" ] && exit 0
          command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
          tag="${{ needs.version.outputs.tag }}"
          tag_exists="${{ needs.version.outputs.tag_exists }}"
          commit="${{ github.event.head_commit.message }}"
          [ -z "$commit" ] && commit="${{ github.sha }}"
          url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
          linux_r="${{ needs.build-linux.result }}"
          publish_r="${{ job.status }}"
          icon() { case "$1" in success) echo "✅";; skipped) echo "⏭";; *) echo "❌";; esac; }
          if [ "$linux_r" = "success" ] && [ "$publish_r" = "success" ]; then
            status="发布成功 ✅"
          elif [ "$linux_r" != "success" ]; then
            status="构建失败 ❌"
          else
            status="发布失败 ❌"
          fi
          if [ "$tag_exists" = "false" ]; then
            version_line="🆕 新版本 ${tag}"
          else
            version_line="🔄 重复构建 ${tag}"
          fi
          msg="secrets-mcp ${status}
          ${version_line}
          linux $(icon "$linux_r") | Release $(icon "$publish_r")
          提交：${commit}
          作者：${{ github.actor }}
          详情：${url}"
          payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
          curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,12 +2,13 @@
 本仓库为 **MCP SaaS**：`secrets-core`（业务与持久化）+ `secrets-mcp`（Streamable HTTP MCP、Web、OAuth、API Key）。对外入口见 `crates/secrets-mcp`。
-## 提交 / 发版硬规则（优先于下文）
+## 提交 / 推送硬规则（优先于下文）
 **每次提交和推送前必须执行以下检查，无论是否明确「发版」：**
 1. 涉及 `crates/**`、根目录 `Cargo.toml`/`Cargo.lock`、`secrets-mcp` 行为变更的提交，默认视为**需要发版**，除非明确说明「本次不发版」。
-2. 发版前检查 `crates/secrets-mcp/Cargo.toml` 的 `version`，再查 tag：`git tag -l 'secrets-mcp-*'`。
+2. 提交前检查 `crates/secrets-mcp/Cargo.toml` 的 `version`，再查 tag：`git tag -l 'secrets-mcp-*'`。若当前版本对应 tag 已存在且有代码变更，**必须 bump 版本号**并 `cargo build` 同步 `Cargo.lock`。
-3. 若当前版本对应 tag 已存在，须先 bump `version`，再 `cargo build` 同步 `Cargo.lock` 后提交。
+3. 提交前运行 `./scripts/release-check.sh`（版本/tag + `fmt` + `clippy --locked` + `test --locked`）。若脚本不存在或不可用，至少运行 `cargo fmt -- --check && cargo clippy --locked -- -D warnings && cargo test --locked`。
 4. 提交前优先运行 `./scripts/release-check.sh`（版本/tag + `fmt` + `clippy --locked` + `test --locked`）。
 ## 项目结构
@@ -28,7 +29,7 @@ secrets/
 - **建议库名**：`secrets-mcp`（专用实例，与历史库名区分）。
 - **连接**：环境变量 **`SECRETS_DATABASE_URL`**（本分支无本地配置文件路径）。
- **表**：`entries`（含 `user_id`）、`secrets`、`entries_history`、`secrets_history`、`audit_log`、`users`、`oauth_accounts`、`api_keys`，首次连接 **auto-migrate**。
+- **表**：`entries`（含 `user_id`）、`secrets`、`entries_history`、`secrets_history`、`audit_log`、`users`、`oauth_accounts`，首次连接 **auto-migrate**。
 ### 表结构（摘录）
@@ -60,7 +61,7 @@ secrets (
 )
 ```
-### users / oauth_accounts / api_keys
+### users / oauth_accounts
 ```sql
 users (
@@ -71,6 +72,7 @@ users (
  key_salt     BYTEA,         -- PBKDF2 salt（32B），首次设置密码短语时写入
  key_check    BYTEA,         -- 派生密钥加密已知常量，用于验证密码短语
  key_params   JSONB,         -- 算法参数，如 {"alg":"pbkdf2-sha256","iterations":600000}
  api_key      TEXT UNIQUE,   -- MCP Bearer token（当前实现为明文存储）
  created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
  updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW()
 )
@@ -83,21 +85,11 @@ oauth_accounts (
  ...
  UNIQUE(provider, provider_id)
 )
 api_keys (
  id            UUID PRIMARY KEY DEFAULT uuidv7(),
  user_id       UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
  name          VARCHAR(256) NOT NULL,
  key_hash      VARCHAR(64) NOT NULL UNIQUE,
  key_prefix    VARCHAR(12) NOT NULL,
  last_used_at  TIMESTAMPTZ,
  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
 )
 ```
 ### audit_log / history
-与迁移脚本一致：`audit_log`、`entries_history`、`secrets_history` 用于审计与时间旅行恢复；字段定义见 `crates/secrets-core/src/db.rs` 内 `migrate` SQL。
+与迁移脚本一致：`audit_log`、`entries_history`、`secrets_history` 用于审计与时间旅行恢复；字段定义见 `crates/secrets-core/src/db.rs` 内 `migrate` SQL。`audit_log` 中普通业务事件的 `namespace/kind/name` 对应 entry 坐标；登录类事件固定使用 `namespace='auth'`，此时 `kind/name` 表示认证目标而非 entry 身份。
 ### 字段职责
@@ -149,7 +141,7 @@ git tag -l 'secrets-mcp-*'
 ## CI/CD
 - **触发**：任意分支 `push`，且路径含 `crates/**`、`deploy/**`、根目录 `Cargo.toml`、`Cargo.lock`（见 `.gitea/workflows/secrets.yml`）。
- **版本与 tag**：从 `crates/secrets-mcp/Cargo.toml` 读版本；若远程已存在同名 `secrets-mcp-<version>` tag，**工作流失败**（须先 bump 版本并 `cargo build` 同步 `Cargo.lock`）；否则由 CI 创建并推送该 tag。
+- **版本与 tag**：从 `crates/secrets-mcp/Cargo.toml` 读版本；若远程已存在同名 `secrets-mcp-<version>` tag，则复用现有 tag 继续构建；否则由 CI 创建并推送该 tag。
 - **质量与构建**：`fmt` / `clippy --locked` / `test --locked` → `x86_64-unknown-linux-musl` 发布构建 `secrets-mcp`。
 - **Release（可选）**：`secrets.RELEASE_TOKEN`（Gitea PAT）用于创建草稿 Release、上传 `tar.gz` + `.sha256`、构建成功后发布；未配置则跳过 API Release，仅 tag + 构建。
 - **部署（可选）**：仅 `main`、`feat/mcp`、`mcp` 分支在构建成功时跑 `deploy-mcp`；需 `vars.DEPLOY_HOST`、`vars.DEPLOY_USER`、`secrets.DEPLOY_SSH_KEY`。勿把 OAuth/DB 等写进 workflow，用 `deploy/.env.example` 在目标机配置。
@@ -165,6 +157,5 @@ git tag -l 'secrets-mcp-*'
 | `SECRETS_MCP_BIND` | 监听地址，默认 `0.0.0.0:9315`。 |
 | `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET` | 可选；仅运行时配置。 |
 | `RUST_LOG` | 如 `secrets_mcp=debug`。 |
 | `USER` | 若写入审计 `actor`，由运行环境提供。 |
 > `SERVER_MASTER_KEY` 已不再需要。新架构下密钥由用户密码短语在客户端派生，服务端不持有。
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1949,7 +1949,7 @@ dependencies = [
 [[package]]
 name = "secrets-mcp"
-version = "0.1.6"
+version = "0.1.11"
 dependencies = [
 "anyhow",
 "askama",
@@ -2700,6 +2700,7 @@ dependencies = [
 "tower",
 "tower-layer",
 "tower-service",
 "tracing",
 ]
 [[package]]
--- a/README.md
+++ b/README.md
@@ -77,7 +77,7 @@ flowchart LR
 ### 敏感数据传输
 - **OAuth `client_secret`** 只存服务端环境变量，不发给浏览器
- **API Key** 创建时原始 key 仅展示一次，库中只存 SHA-256 哈希
+- **API Key** 当前存放在 `users.api_key`，Dashboard 会明文展示并可重置
 - **X-Encryption-Key** 随 MCP 请求经 TLS 传输，服务端仅在请求处理期间持有（不持久化）
 - **生产环境必须走 HTTPS/TLS**
@@ -121,7 +121,7 @@ flowchart LR
 ## 数据模型
-主表 **`entries`**（`namespace`、`kind`、`name`、`tags`、`metadata`，多租户时带 `user_id`）+ 子表 **`secrets`**（每行一个加密字段：`field_name`、`encrypted`）。另有 `entries_history`、`secrets_history`、`audit_log`，以及 **`users`**（含 `key_salt`、`key_check`、`key_params`）、**`oauth_accounts`**、**`api_keys`**。首次连库自动迁移建表。
+主表 **`entries`**（`namespace`、`kind`、`name`、`tags`、`metadata`，多租户时带 `user_id`）+ 子表 **`secrets`**（每行一个加密字段：`field_name`、`encrypted`）。另有 `entries_history`、`secrets_history`、`audit_log`，以及 **`users`**（含 `key_salt`、`key_check`、`key_params`、`api_key`）、**`oauth_accounts`**。首次连库自动迁移建表。
 | 位置 | 字段 | 说明 |
 |------|------|------|
@@ -142,9 +142,10 @@ flowchart LR
 ## 审计日志
 `add`、`update`、`delete` 等写操作写入 **`audit_log`**（操作类型、对象、摘要，不含 secret 明文）。
 其中业务条目事件使用 `[namespace/kind] name` 语义；登录类事件使用 `namespace='auth'`，此时 `kind/name` 表示认证目标（例如 `oauth/google`），不表示某条 secrets entry。
 ```sql
-SELECT action, namespace, kind, name, actor, detail, created_at
+SELECT action, namespace, kind, name, detail, created_at
 FROM audit_log
 ORDER BY created_at DESC
 LIMIT 20;
@@ -165,7 +166,7 @@ deploy/                 # systemd、.env 示例
 见 [`.gitea/workflows/secrets.yml`](.gitea/workflows/secrets.yml)。
 - **触发**：任意分支 `push`，且变更路径包含 `crates/**`、`deploy/**`、根目录 `Cargo.toml` / `Cargo.lock`。
- **流水线**：解析 `crates/secrets-mcp/Cargo.toml` 版本 → **若 `secrets-mcp-<version>` 的 tag 已存在则整次运行失败**（避免重复发版）→ 否则自动打 tag → `cargo fmt` / `clippy --locked` / `test --locked` → 交叉编译 `x86_64-unknown-linux-musl` 的 `secrets-mcp`。
+- **流水线**：解析 `crates/secrets-mcp/Cargo.toml` 版本 → 若 `secrets-mcp-<version>` 的 tag 已存在则**复用现有 tag 继续构建**，否则自动打 tag → `cargo fmt` / `clippy --locked` / `test --locked` → 交叉编译 `x86_64-unknown-linux-musl` 的 `secrets-mcp`。
 - **Release（可选）**：配置仓库 Secret `RELEASE_TOKEN`（Gitea PAT，明文勿 base64）时，会通过 API 创建**草稿** Release、在 Linux 构建成功后上传 `tar.gz` 与 `.sha256`，再自动将草稿**正式发布**；未配置则跳过创建 Release 与产物上传，仅保留 tag 与构建结果。
 - **部署（可选）**：仅在 `main`、`feat/mcp` 或 `mcp` 分支且构建成功时，若已配置 `vars.DEPLOY_HOST`、`vars.DEPLOY_USER` 与 `secrets.DEPLOY_SSH_KEY`，则 `deploy-mcp` 通过 SCP/SSH 更新目标机二进制并 `systemctl restart secrets-mcp`。
 - **通知（可选）**：`vars.WEBHOOK_URL` 为飞书 Webhook 时，构建/部署/发布节点会推送简要状态。
--- a/crates/secrets-core/src/audit.rs
+++ b/crates/secrets-core/src/audit.rs
@@ -5,19 +5,8 @@ use uuid::Uuid;
 pub const ACTION_LOGIN: &str = "login";
 pub const NAMESPACE_AUTH: &str = "auth";
-/// Return the current OS user as the audit actor (falls back to empty string).
+fn login_detail(provider: &str, client_ip: Option<&str>, user_agent: Option<&str>) -> Value {
 pub fn current_actor() -> String {
    std::env::var("USER").unwrap_or_default()
 }
 fn login_detail(
    user_id: Uuid,
    provider: &str,
    client_ip: Option<&str>,
    user_agent: Option<&str>,
 ) -> Value {
    json!({
        "user_id": user_id,
        "provider": provider,
        "client_ip": client_ip,
        "user_agent": user_agent,
@@ -33,55 +22,54 @@ pub async fn log_login(
    client_ip: Option<&str>,
    user_agent: Option<&str>,
 ) {
-    let actor = current_actor();
+    let detail = login_detail(provider, client_ip, user_agent);
    let detail = login_detail(user_id, provider, client_ip, user_agent);
    let result: Result<_, sqlx::Error> = sqlx::query(
-        "INSERT INTO audit_log (action, namespace, kind, name, detail, actor) \
+        "INSERT INTO audit_log (user_id, action, namespace, kind, name, detail) \
         VALUES ($1, $2, $3, $4, $5, $6)",
    )
    .bind(user_id)
    .bind(ACTION_LOGIN)
    .bind(NAMESPACE_AUTH)
    .bind(kind)
    .bind(provider)
    .bind(&detail)
    .bind(&actor)
    .execute(pool)
    .await;
    if let Err(e) = result {
        tracing::warn!(error = %e, kind, provider, "failed to write login audit log");
    } else {
-        tracing::debug!(kind, provider, ?user_id, actor, "login audit logged");
+        tracing::debug!(kind, provider, ?user_id, "login audit logged");
    }
 }
 /// Write an audit entry within an existing transaction.
 pub async fn log_tx(
    tx: &mut Transaction<'_, Postgres>,
    user_id: Option<Uuid>,
    action: &str,
    namespace: &str,
    kind: &str,
    name: &str,
    detail: Value,
 ) {
    let actor = current_actor();
    let result: Result<_, sqlx::Error> = sqlx::query(
-        "INSERT INTO audit_log (action, namespace, kind, name, detail, actor) \
+        "INSERT INTO audit_log (user_id, action, namespace, kind, name, detail) \
         VALUES ($1, $2, $3, $4, $5, $6)",
    )
    .bind(user_id)
    .bind(action)
    .bind(namespace)
    .bind(kind)
    .bind(name)
    .bind(&detail)
    .bind(&actor)
    .execute(&mut **tx)
    .await;
    if let Err(e) = result {
        tracing::warn!(error = %e, "failed to write audit log");
    } else {
-        tracing::debug!(action, namespace, kind, name, actor, "audit logged");
+        tracing::debug!(action, namespace, kind, name, "audit logged");
    }
 }
@@ -91,10 +79,8 @@ mod tests {
    #[test]
    fn login_detail_includes_expected_fields() {
-        let user_id = Uuid::nil();
+        let detail = login_detail("google", Some("127.0.0.1"), Some("Mozilla/5.0"));
        let detail = login_detail(user_id, "google", Some("127.0.0.1"), Some("Mozilla/5.0"));
        assert_eq!(detail["user_id"], json!(user_id));
        assert_eq!(detail["provider"], "google");
        assert_eq!(detail["client_ip"], "127.0.0.1");
        assert_eq!(detail["user_agent"], "Mozilla/5.0");
--- a/crates/secrets-core/src/db.rs
+++ b/crates/secrets-core/src/db.rs
@@ -3,8 +3,6 @@ use serde_json::Value;
 use sqlx::PgPool;
 use sqlx::postgres::PgPoolOptions;
 use crate::audit::current_actor;
 pub async fn create_pool(database_url: &str) -> Result<PgPool> {
    tracing::debug!("connecting to database");
    let pool = PgPoolOptions::new()
@@ -67,17 +65,18 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
        -- ── audit_log: append-only operation log ─────────────────────────────────
        CREATE TABLE IF NOT EXISTS audit_log (
            id          BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
            user_id     UUID,
            action      VARCHAR(32)  NOT NULL,
            namespace   VARCHAR(64)  NOT NULL,
            kind        VARCHAR(64)  NOT NULL,
            name        VARCHAR(256) NOT NULL,
            detail      JSONB        NOT NULL DEFAULT '{}',
            actor       VARCHAR(128) NOT NULL DEFAULT '',
            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
        );
        CREATE INDEX IF NOT EXISTS idx_audit_log_created  ON audit_log(created_at DESC);
        CREATE INDEX IF NOT EXISTS idx_audit_log_ns_kind  ON audit_log(namespace, kind);
        CREATE INDEX IF NOT EXISTS idx_audit_log_user_id  ON audit_log(user_id) WHERE user_id IS NOT NULL;
        -- ── entries_history ───────────────────────────────────────────────────────
        CREATE TABLE IF NOT EXISTS entries_history (
@@ -90,7 +89,6 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
            action      VARCHAR(16)  NOT NULL,
            tags        TEXT[]       NOT NULL DEFAULT '{}',
            metadata    JSONB        NOT NULL DEFAULT '{}',
            actor       VARCHAR(128) NOT NULL DEFAULT '',
            created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
        );
@@ -103,6 +101,7 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
        ALTER TABLE entries_history ADD COLUMN IF NOT EXISTS user_id UUID;
        CREATE INDEX IF NOT EXISTS idx_entries_history_user_id
            ON entries_history(user_id) WHERE user_id IS NOT NULL;
        ALTER TABLE entries_history DROP COLUMN IF EXISTS actor;
        -- ── secrets_history: field-level snapshot ────────────────────────────────
        CREATE TABLE IF NOT EXISTS secrets_history (
@@ -113,7 +112,6 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
            field_name      VARCHAR(256) NOT NULL,
            encrypted       BYTEA        NOT NULL DEFAULT '\x',
            action          VARCHAR(16)  NOT NULL,
            actor           VARCHAR(128) NOT NULL DEFAULT '',
            created_at      TIMESTAMPTZ  NOT NULL DEFAULT NOW()
        );
@@ -122,6 +120,12 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
        CREATE INDEX IF NOT EXISTS idx_secrets_history_secret_id
            ON secrets_history(secret_id);
        -- Drop redundant actor column (derivable via entries_history JOIN)
        ALTER TABLE secrets_history DROP COLUMN IF EXISTS actor;
        -- Drop redundant actor column; user_id already identifies the business user
        ALTER TABLE audit_log DROP COLUMN IF EXISTS actor;
        -- ── users ─────────────────────────────────────────────────────────────────
        CREATE TABLE IF NOT EXISTS users (
            id          UUID PRIMARY KEY DEFAULT uuidv7(),
@@ -156,10 +160,75 @@ pub async fn migrate(pool: &PgPool) -> Result<()> {
    )
    .execute(pool)
    .await?;
    restore_plaintext_api_keys(pool).await?;
    tracing::debug!("migrations complete");
    Ok(())
 }
 async fn restore_plaintext_api_keys(pool: &PgPool) -> Result<()> {
    let has_users_api_key: bool = sqlx::query_scalar(
        "SELECT EXISTS (
            SELECT 1
            FROM information_schema.columns
            WHERE table_schema = 'public'
              AND table_name = 'users'
              AND column_name = 'api_key'
        )",
    )
    .fetch_one(pool)
    .await?;
    if !has_users_api_key {
        sqlx::query("ALTER TABLE users ADD COLUMN api_key TEXT")
            .execute(pool)
            .await?;
        sqlx::query("CREATE UNIQUE INDEX IF NOT EXISTS idx_users_api_key ON users(api_key) WHERE api_key IS NOT NULL")
            .execute(pool)
            .await?;
    }
    let has_api_keys_table: bool = sqlx::query_scalar(
        "SELECT EXISTS (
            SELECT 1
            FROM information_schema.tables
            WHERE table_schema = 'public'
              AND table_name = 'api_keys'
        )",
    )
    .fetch_one(pool)
    .await?;
    if !has_api_keys_table {
        return Ok(());
    }
    #[derive(sqlx::FromRow)]
    struct UserWithoutKey {
        id: uuid::Uuid,
    }
    let users_without_key: Vec<UserWithoutKey> =
        sqlx::query_as("SELECT DISTINCT user_id AS id FROM api_keys WHERE user_id NOT IN (SELECT id FROM users WHERE api_key IS NOT NULL)")
            .fetch_all(pool)
            .await?;
    for user in users_without_key {
        let new_key = crate::service::api_key::generate_api_key();
        sqlx::query("UPDATE users SET api_key = $1 WHERE id = $2")
            .bind(&new_key)
            .bind(user.id)
            .execute(pool)
            .await?;
    }
    sqlx::query("DROP TABLE IF EXISTS api_keys")
        .execute(pool)
        .await?;
    Ok(())
 }
 // ── Entry-level history snapshot ─────────────────────────────────────────────
 pub struct EntrySnapshotParams<'a> {
@@ -178,11 +247,10 @@ pub async fn snapshot_entry_history(
    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
    p: EntrySnapshotParams<'_>,
 ) -> Result<()> {
    let actor = current_actor();
    sqlx::query(
        "INSERT INTO entries_history \
-         (entry_id, namespace, kind, name, version, action, tags, metadata, actor, user_id) \
+         (entry_id, namespace, kind, name, version, action, tags, metadata, user_id) \
-         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
    )
    .bind(p.entry_id)
    .bind(p.namespace)
@@ -192,7 +260,6 @@ pub async fn snapshot_entry_history(
    .bind(p.action)
    .bind(p.tags)
    .bind(p.metadata)
    .bind(&actor)
    .bind(p.user_id)
    .execute(&mut **tx)
    .await?;
@@ -214,11 +281,10 @@ pub async fn snapshot_secret_history(
    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
    p: SecretSnapshotParams<'_>,
 ) -> Result<()> {
    let actor = current_actor();
    sqlx::query(
        "INSERT INTO secrets_history \
-         (entry_id, secret_id, entry_version, field_name, encrypted, action, actor) \
+         (entry_id, secret_id, entry_version, field_name, encrypted, action) \
-         VALUES ($1, $2, $3, $4, $5, $6, $7)",
+         VALUES ($1, $2, $3, $4, $5, $6)",
    )
    .bind(p.entry_id)
    .bind(p.secret_id)
@@ -226,7 +292,6 @@ pub async fn snapshot_secret_history(
    .bind(p.field_name)
    .bind(p.encrypted)
    .bind(p.action)
    .bind(&actor)
    .execute(&mut **tx)
    .await?;
    Ok(())
--- a/crates/secrets-core/src/models.rs
+++ b/crates/secrets-core/src/models.rs
@@ -9,6 +9,7 @@ use uuid::Uuid;
 #[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
 pub struct Entry {
    pub id: Uuid,
    pub user_id: Option<Uuid>,
    pub namespace: String,
    pub kind: String,
    pub name: String,
@@ -174,6 +175,19 @@ pub struct OauthAccount {
    pub created_at: DateTime<Utc>,
 }
 /// A single audit log row, optionally scoped to a business user.
 #[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
 pub struct AuditLogEntry {
    pub id: i64,
    pub user_id: Option<Uuid>,
    pub action: String,
    pub namespace: String,
    pub kind: String,
    pub name: String,
    pub detail: Value,
    pub created_at: DateTime<Utc>,
 }
 // ── TOML ↔ JSON value conversion ──────────────────────────────────────────────
 /// Convert a serde_json Value to a toml Value.
--- a/crates/secrets-core/src/service/add.rs
+++ b/crates/secrets-core/src/service/add.rs
@@ -346,6 +346,7 @@ pub async fn run(pool: &PgPool, params: AddParams<'_>, master_key: &[u8; 32]) ->
    crate::audit::log_tx(
        &mut tx,
        params.user_id,
        "add",
        params.namespace,
        params.kind,
--- a/crates/secrets-core/src/service/audit_log.rs
+++ b/crates/secrets-core/src/service/audit_log.rs
@@ -0,0 +1,23 @@
 use anyhow::Result;
 use sqlx::PgPool;
 use uuid::Uuid;
 use crate::models::AuditLogEntry;
 pub async fn list_for_user(pool: &PgPool, user_id: Uuid, limit: i64) -> Result<Vec<AuditLogEntry>> {
    let limit = limit.clamp(1, 200);
    let rows = sqlx::query_as(
        "SELECT id, user_id, action, namespace, kind, name, detail, created_at \
         FROM audit_log \
         WHERE user_id = $1 \
         ORDER BY created_at DESC, id DESC \
         LIMIT $2",
    )
    .bind(user_id)
    .bind(limit)
    .fetch_all(pool)
    .await?;
    Ok(rows)
 }
--- a/crates/secrets-core/src/service/delete.rs
+++ b/crates/secrets-core/src/service/delete.rs
@@ -137,7 +137,7 @@ async fn delete_one(
    };
    snapshot_and_delete(&mut tx, namespace, kind, name, &row, user_id).await?;
-    crate::audit::log_tx(&mut tx, "delete", namespace, kind, name, json!({})).await;
+    crate::audit::log_tx(&mut tx, user_id, "delete", namespace, kind, name, json!({})).await;
    tx.commit().await?;
    Ok(DeleteResult {
@@ -240,6 +240,7 @@ async fn delete_bulk(
        .await?;
        crate::audit::log_tx(
            &mut tx,
            user_id,
            "delete",
            namespace,
            &row.kind,
--- a/crates/secrets-core/src/service/history.rs
+++ b/crates/secrets-core/src/service/history.rs
@@ -7,7 +7,6 @@ use uuid::Uuid;
 pub struct HistoryEntry {
    pub version: i64,
    pub action: String,
    pub actor: String,
    pub created_at: String,
 }
@@ -23,13 +22,12 @@ pub async fn run(
    struct Row {
        version: i64,
        action: String,
        actor: String,
        created_at: chrono::DateTime<chrono::Utc>,
    }
    let rows: Vec<Row> = if let Some(uid) = user_id {
        sqlx::query_as(
-            "SELECT version, action, actor, created_at FROM entries_history \
+            "SELECT version, action, created_at FROM entries_history \
             WHERE namespace = $1 AND kind = $2 AND name = $3 AND user_id = $4 \
             ORDER BY id DESC LIMIT $5",
        )
@@ -42,7 +40,7 @@ pub async fn run(
        .await?
    } else {
        sqlx::query_as(
-            "SELECT version, action, actor, created_at FROM entries_history \
+            "SELECT version, action, created_at FROM entries_history \
             WHERE namespace = $1 AND kind = $2 AND name = $3 AND user_id IS NULL \
             ORDER BY id DESC LIMIT $4",
        )
@@ -59,7 +57,6 @@ pub async fn run(
        .map(|r| HistoryEntry {
            version: r.version,
            action: r.action,
            actor: r.actor,
            created_at: r.created_at.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
        })
        .collect())
--- a/crates/secrets-core/src/service/mod.rs
+++ b/crates/secrets-core/src/service/mod.rs
@@ -1,5 +1,6 @@
 pub mod add;
 pub mod api_key;
 pub mod audit_log;
 pub mod delete;
 pub mod env_map;
 pub mod export;
--- a/crates/secrets-core/src/service/rollback.rs
+++ b/crates/secrets-core/src/service/rollback.rs
@@ -274,6 +274,7 @@ pub async fn run(
    crate::audit::log_tx(
        &mut tx,
        user_id,
        "rollback",
        namespace,
        kind,
--- a/crates/secrets-core/src/service/search.rs
+++ b/crates/secrets-core/src/service/search.rs
@@ -131,7 +131,7 @@ async fn fetch_entries_paged(pool: &PgPool, a: &SearchParams<'_>) -> Result<Vec<
    };
    let sql = format!(
-        "SELECT id, COALESCE(user_id, '00000000-0000-0000-0000-000000000000'::uuid) AS user_id, \
+        "SELECT id, user_id, \
         namespace, kind, name, tags, metadata, version, created_at, updated_at \
         FROM entries {where_clause} ORDER BY {order} LIMIT ${limit_idx} OFFSET ${offset_idx}"
    );
@@ -212,8 +212,7 @@ pub async fn fetch_secrets_for_entries(
 #[derive(sqlx::FromRow)]
 struct EntryRaw {
    id: Uuid,
-    #[allow(dead_code)] // Selected for row shape; Entry model has no user_id field
+    user_id: Option<Uuid>,
    user_id: Uuid,
    namespace: String,
    kind: String,
    name: String,
@@ -228,6 +227,7 @@ impl From<EntryRaw> for Entry {
    fn from(r: EntryRaw) -> Self {
        Entry {
            id: r.id,
            user_id: r.user_id,
            namespace: r.namespace,
            kind: r.kind,
            name: r.name,
--- a/crates/secrets-core/src/service/update.rs
+++ b/crates/secrets-core/src/service/update.rs
@@ -241,6 +241,7 @@ pub async fn run(
    crate::audit::log_tx(
        &mut tx,
        params.user_id,
        "update",
        params.namespace,
        params.kind,
--- a/crates/secrets-mcp/Cargo.toml
+++ b/crates/secrets-mcp/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "secrets-mcp"
-version = "0.1.6"
+version = "0.1.11"
 edition.workspace = true
 [[bin]]
@@ -17,7 +17,7 @@ rmcp = { version = "1", features = ["server", "macros", "transport-streamable-ht
 axum = "0.8"
 axum-extra = { version = "0.10", features = ["typed-header"] }
 tower = "0.5"
-tower-http = { version = "0.6", features = ["cors"] }
+tower-http = { version = "0.6", features = ["cors", "trace"] }
 tower-sessions = "0.14"
 # OAuth (manual token exchange via reqwest)
--- a/crates/secrets-mcp/src/auth.rs
+++ b/crates/secrets-mcp/src/auth.rs
@@ -9,7 +9,6 @@ use axum::{
 use sqlx::PgPool;
 use uuid::Uuid;
 use secrets_core::audit::log_login;
 use secrets_core::service::api_key::validate_api_key;
 /// Injected into request extensions after Bearer token validation.
@@ -35,15 +34,6 @@ fn log_client_ip(req: &Request) -> Option<String> {
        .map(|c| c.ip().to_string())
 }
 fn log_user_agent(req: &Request) -> Option<String> {
    req.headers()
        .get(axum::http::header::USER_AGENT)
        .and_then(|v| v.to_str().ok())
        .map(str::trim)
        .filter(|value| !value.is_empty())
        .map(ToOwned::to_owned)
 }
 /// Axum middleware that validates Bearer API keys for the /mcp route.
 /// Passes all non-MCP paths through without authentication.
 pub async fn bearer_auth_middleware(
@@ -54,7 +44,6 @@ pub async fn bearer_auth_middleware(
    let path = req.uri().path();
    let method = req.method().as_str();
    let client_ip = log_client_ip(&req);
    let user_agent = log_user_agent(&req);
    // Only authenticate /mcp paths
    if !path.starts_with("/mcp") {
@@ -95,15 +84,6 @@ pub async fn bearer_auth_middleware(
    match validate_api_key(&pool, raw_key).await {
        Ok(Some(user_id)) => {
            log_login(
                &pool,
                "api_key",
                "bearer",
                user_id,
                client_ip.as_deref(),
                user_agent.as_deref(),
            )
            .await;
            tracing::debug!(?user_id, "api key authenticated");
            let mut req = req;
            req.extensions_mut().insert(AuthUser { user_id });
--- a/crates/secrets-mcp/src/logging.rs
+++ b/crates/secrets-mcp/src/logging.rs
@@ -0,0 +1,249 @@
 use std::net::SocketAddr;
 use std::time::Instant;
 use axum::{
    body::{Body, Bytes, to_bytes},
    extract::{ConnectInfo, Request},
    http::{
        HeaderMap, Method,
        header::{CONTENT_LENGTH, CONTENT_TYPE, USER_AGENT},
    },
    middleware::Next,
    response::Response,
 };
 /// Axum middleware that logs structured info for every HTTP request.
 ///
 /// All requests: method, path, status, latency_ms, client_ip, user_agent.
 /// POST /mcp requests: additionally parses JSON-RPC body for jsonrpc_method,
 /// tool_name, jsonrpc_id, mcp_session, batch_size.
 ///
 /// Sensitive headers (Authorization, X-Encryption-Key) and secret values
 /// are never logged.
 pub async fn request_logging_middleware(req: Request, next: Next) -> Response {
    let method = req.method().clone();
    let path = req.uri().path().to_string();
    let ip = client_ip(&req);
    let ua = header_str(req.headers(), USER_AGENT);
    let content_len = header_str(req.headers(), CONTENT_LENGTH).and_then(|v| v.parse::<u64>().ok());
    let mcp_session = req
        .headers()
        .get("mcp-session-id")
        .or_else(|| req.headers().get("x-mcp-session"))
        .and_then(|v| v.to_str().ok())
        .map(|s| s.to_string());
    let is_mcp_post = path.starts_with("/mcp") && method == Method::POST;
    let is_json = header_str(req.headers(), CONTENT_TYPE)
        .map(|ct| ct.contains("application/json"))
        .unwrap_or(false);
    let start = Instant::now();
    // For MCP JSON-RPC POST requests, buffer body to extract JSON-RPC metadata.
    // We cap at 512 KiB to avoid buffering large payloads.
    if is_mcp_post && is_json {
        let cap = content_len.unwrap_or(0);
        if cap <= 512 * 1024 {
            let (parts, body) = req.into_parts();
            match to_bytes(body, 512 * 1024).await {
                Ok(bytes) => {
                    let rpc = parse_jsonrpc_meta(&bytes);
                    let req = Request::from_parts(parts, Body::from(bytes));
                    let resp = next.run(req).await;
                    let status = resp.status().as_u16();
                    let elapsed = start.elapsed().as_millis();
                    log_mcp_request(
                        &method,
                        &path,
                        status,
                        elapsed,
                        ip.as_deref(),
                        ua.as_deref(),
                        content_len,
                        mcp_session.as_deref(),
                        &rpc,
                    );
                    return resp;
                }
                Err(e) => {
                    tracing::warn!(path, error = %e, "failed to buffer MCP request body for logging");
                    // Reconstruct with empty body; request was consumed — return 500.
                    // This branch is highly unlikely in practice.
                    let resp = next.run(Request::from_parts(parts, Body::empty())).await;
                    return resp;
                }
            }
        }
    }
    let resp = next.run(req).await;
    let status = resp.status().as_u16();
    let elapsed = start.elapsed().as_millis();
    // Known client probe patterns that legitimately 404 — downgrade to debug to
    // avoid noise in production logs.  These are:
    //   • GET /.well-known/* — OAuth/OIDC discovery by MCP clients (RFC 8414 / RFC 9728)
    //   • GET /mcp → 404    — old SSE-transport compatibility probe by clients
    let is_expected_probe_404 = status == 404
        && (path.starts_with("/.well-known/")
            || (method == Method::GET && path.starts_with("/mcp")));
    if is_expected_probe_404 {
        tracing::debug!(
            method = method.as_str(),
            path,
            status,
            elapsed_ms = elapsed,
            client_ip = ip.as_deref(),
            ua = ua.as_deref(),
            "probe request (not found — expected)",
        );
    } else {
        log_http_request(
            &method,
            &path,
            status,
            elapsed,
            ip.as_deref(),
            ua.as_deref(),
            content_len,
        );
    }
    resp
 }
 // ── Logging helpers ───────────────────────────────────────────────────────────
 fn log_http_request(
    method: &Method,
    path: &str,
    status: u16,
    elapsed_ms: u128,
    client_ip: Option<&str>,
    ua: Option<&str>,
    content_length: Option<u64>,
 ) {
    tracing::info!(
        method = method.as_str(),
        path,
        status,
        elapsed_ms,
        client_ip,
        ua,
        content_length,
        "http request",
    );
 }
 #[allow(clippy::too_many_arguments)]
 fn log_mcp_request(
    method: &Method,
    path: &str,
    status: u16,
    elapsed_ms: u128,
    client_ip: Option<&str>,
    ua: Option<&str>,
    content_length: Option<u64>,
    mcp_session: Option<&str>,
    rpc: &JsonRpcMeta,
 ) {
    tracing::info!(
        method = method.as_str(),
        path,
        status,
        elapsed_ms,
        client_ip,
        ua,
        content_length,
        mcp_session,
        jsonrpc = rpc.rpc_method.as_deref(),
        tool = rpc.tool_name.as_deref(),
        jsonrpc_id = rpc.request_id.as_deref(),
        batch_size = rpc.batch_size,
        "mcp request",
    );
 }
 // ── JSON-RPC body parsing ─────────────────────────────────────────────────────
 #[derive(Debug, Default)]
 struct JsonRpcMeta {
    request_id: Option<String>,
    rpc_method: Option<String>,
    tool_name: Option<String>,
    batch_size: Option<usize>,
 }
 fn parse_jsonrpc_meta(bytes: &Bytes) -> JsonRpcMeta {
    let Ok(value) = serde_json::from_slice::<serde_json::Value>(bytes) else {
        return JsonRpcMeta::default();
    };
    if let Some(arr) = value.as_array() {
        // Batch request: summarise method(s) from first element only
        let first = arr.first().map(parse_single).unwrap_or_default();
        return JsonRpcMeta {
            batch_size: Some(arr.len()),
            ..first
        };
    }
    parse_single(&value)
 }
 fn parse_single(value: &serde_json::Value) -> JsonRpcMeta {
    let request_id = value.get("id").and_then(json_to_string);
    let rpc_method = value
        .get("method")
        .and_then(|v| v.as_str())
        .map(|s| s.to_string());
    let tool_name = value
        .pointer("/params/name")
        .and_then(|v| v.as_str())
        .map(|s| s.to_string());
    JsonRpcMeta {
        request_id,
        rpc_method,
        tool_name,
        batch_size: None,
    }
 }
 fn json_to_string(value: &serde_json::Value) -> Option<String> {
    match value {
        serde_json::Value::Null => None,
        serde_json::Value::String(s) => Some(s.clone()),
        serde_json::Value::Number(n) => Some(n.to_string()),
        serde_json::Value::Bool(b) => Some(b.to_string()),
        other => Some(other.to_string()),
    }
 }
 // ── Header helpers ────────────────────────────────────────────────────────────
 fn header_str(headers: &HeaderMap, name: impl axum::http::header::AsHeaderName) -> Option<String> {
    headers
        .get(name)
        .and_then(|v| v.to_str().ok())
        .map(|s| s.to_string())
 }
 fn client_ip(req: &Request) -> Option<String> {
    if let Some(first) = req
        .headers()
        .get("x-forwarded-for")
        .and_then(|v| v.to_str().ok())
        .and_then(|s| s.split(',').next())
    {
        let s = first.trim();
        if !s.is_empty() {
            return Some(s.to_string());
        }
    }
    req.extensions()
        .get::<ConnectInfo<SocketAddr>>()
        .map(|c| c.ip().to_string())
 }
--- a/crates/secrets-mcp/src/main.rs
+++ b/crates/secrets-mcp/src/main.rs
@@ -1,4 +1,5 @@
 mod auth;
 mod logging;
 mod oauth;
 mod tools;
 mod web;
@@ -53,7 +54,8 @@ async fn main() -> Result<()> {
    tracing_subscriber::fmt()
        .with_env_filter(
-            EnvFilter::try_from_default_env().unwrap_or_else(|_| "secrets_mcp=info".into()),
+            EnvFilter::try_from_default_env()
                .unwrap_or_else(|_| "secrets_mcp=info,tower_http=info".into()),
        )
        .init();
@@ -120,6 +122,9 @@ async fn main() -> Result<()> {
    let router = Router::new()
        .merge(web::web_router())
        .nest_service("/mcp", mcp_service)
        .layer(axum::middleware::from_fn(
            logging::request_logging_middleware,
        ))
        .layer(axum::middleware::from_fn_with_state(
            pool,
            auth::bearer_auth_middleware,
--- a/crates/secrets-mcp/src/tools.rs
+++ b/crates/secrets-mcp/src/tools.rs
@@ -1,4 +1,5 @@
 use std::sync::Arc;
 use std::time::Instant;
 use anyhow::Result;
 use rmcp::{
@@ -257,7 +258,17 @@ impl SecretsService {
        Parameters(input): Parameters<SearchInput>,
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let user_id = Self::user_id_from_ctx(&ctx)?;
        tracing::info!(
            tool = "secrets_search",
            ?user_id,
            namespace = input.namespace.as_deref(),
            kind = input.kind.as_deref(),
            name = input.name.as_deref(),
            query = input.query.as_deref(),
            "tool call start",
        );
        let tags = input.tags.unwrap_or_default();
        let result = svc_search(
            &self.pool,
@@ -274,7 +285,10 @@ impl SecretsService {
            },
        )
        .await
-        .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+        .map_err(|e| {
            tracing::warn!(tool = "secrets_search", ?user_id, error = %e, "tool call failed");
            rmcp::ErrorData::internal_error(e.to_string(), None)
        })?;
        let summary = input.summary.unwrap_or(false);
        let entries: Vec<serde_json::Value> = result
@@ -312,6 +326,14 @@ impl SecretsService {
            })
            .collect();
        let count = entries.len();
        tracing::info!(
            tool = "secrets_search",
            ?user_id,
            result_count = count,
            elapsed_ms = t.elapsed().as_millis(),
            "tool call ok",
        );
        let json = serde_json::to_string_pretty(&entries).unwrap_or_else(|_| "[]".to_string());
        Ok(CallToolResult::success(vec![Content::text(json)]))
    }
@@ -326,7 +348,17 @@ impl SecretsService {
        Parameters(input): Parameters<GetSecretInput>,
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let (user_id, user_key) = Self::require_user_and_key(&ctx)?;
        tracing::info!(
            tool = "secrets_get",
            ?user_id,
            namespace = %input.namespace,
            kind = %input.kind,
            name = %input.name,
            field = input.field.as_deref(),
            "tool call start",
        );
        if let Some(field_name) = &input.field {
            let value = get_secret_field(
@@ -339,8 +371,17 @@ impl SecretsService {
                Some(user_id),
            )
            .await
-            .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+            .map_err(|e| {
                tracing::warn!(tool = "secrets_get", ?user_id, error = %e, "tool call failed");
                rmcp::ErrorData::internal_error(e.to_string(), None)
            })?;
            tracing::info!(
                tool = "secrets_get",
                ?user_id,
                elapsed_ms = t.elapsed().as_millis(),
                "tool call ok",
            );
            let result = serde_json::json!({ field_name: value });
            let json = serde_json::to_string_pretty(&result).unwrap_or_default();
            Ok(CallToolResult::success(vec![Content::text(json)]))
@@ -354,8 +395,19 @@ impl SecretsService {
                Some(user_id),
            )
            .await
-            .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+            .map_err(|e| {
                tracing::warn!(tool = "secrets_get", ?user_id, error = %e, "tool call failed");
                rmcp::ErrorData::internal_error(e.to_string(), None)
            })?;
            let count = secrets.len();
            tracing::info!(
                tool = "secrets_get",
                ?user_id,
                field_count = count,
                elapsed_ms = t.elapsed().as_millis(),
                "tool call ok",
            );
            let json = serde_json::to_string_pretty(&secrets).unwrap_or_default();
            Ok(CallToolResult::success(vec![Content::text(json)]))
        }
@@ -371,7 +423,16 @@ impl SecretsService {
        Parameters(input): Parameters<AddInput>,
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let (user_id, user_key) = Self::require_user_and_key(&ctx)?;
        tracing::info!(
            tool = "secrets_add",
            ?user_id,
            namespace = %input.namespace,
            kind = %input.kind,
            name = %input.name,
            "tool call start",
        );
        let tags = input.tags.unwrap_or_default();
        let meta = input.meta.unwrap_or_default();
@@ -391,8 +452,20 @@ impl SecretsService {
            &user_key,
        )
        .await
-        .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+        .map_err(|e| {
            tracing::warn!(tool = "secrets_add", ?user_id, error = %e, "tool call failed");
            rmcp::ErrorData::internal_error(e.to_string(), None)
        })?;
        tracing::info!(
            tool = "secrets_add",
            ?user_id,
            namespace = %input.namespace,
            kind = %input.kind,
            name = %input.name,
            elapsed_ms = t.elapsed().as_millis(),
            "tool call ok",
        );
        let json = serde_json::to_string_pretty(&result).unwrap_or_default();
        Ok(CallToolResult::success(vec![Content::text(json)]))
    }
@@ -406,7 +479,16 @@ impl SecretsService {
        Parameters(input): Parameters<UpdateInput>,
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let (user_id, user_key) = Self::require_user_and_key(&ctx)?;
        tracing::info!(
            tool = "secrets_update",
            ?user_id,
            namespace = %input.namespace,
            kind = %input.kind,
            name = %input.name,
            "tool call start",
        );
        let add_tags = input.add_tags.unwrap_or_default();
        let remove_tags = input.remove_tags.unwrap_or_default();
@@ -432,8 +514,20 @@ impl SecretsService {
            &user_key,
        )
        .await
-        .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+        .map_err(|e| {
            tracing::warn!(tool = "secrets_update", ?user_id, error = %e, "tool call failed");
            rmcp::ErrorData::internal_error(e.to_string(), None)
        })?;
        tracing::info!(
            tool = "secrets_update",
            ?user_id,
            namespace = %input.namespace,
            kind = %input.kind,
            name = %input.name,
            elapsed_ms = t.elapsed().as_millis(),
            "tool call ok",
        );
        let json = serde_json::to_string_pretty(&result).unwrap_or_default();
        Ok(CallToolResult::success(vec![Content::text(json)]))
    }
@@ -447,7 +541,17 @@ impl SecretsService {
        Parameters(input): Parameters<DeleteInput>,
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let user_id = Self::user_id_from_ctx(&ctx)?;
        tracing::info!(
            tool = "secrets_delete",
            ?user_id,
            namespace = %input.namespace,
            kind = input.kind.as_deref(),
            name = input.name.as_deref(),
            dry_run = input.dry_run.unwrap_or(false),
            "tool call start",
        );
        let result = svc_delete(
            &self.pool,
@@ -460,8 +564,18 @@ impl SecretsService {
            },
        )
        .await
-        .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+        .map_err(|e| {
            tracing::warn!(tool = "secrets_delete", ?user_id, error = %e, "tool call failed");
            rmcp::ErrorData::internal_error(e.to_string(), None)
        })?;
        tracing::info!(
            tool = "secrets_delete",
            ?user_id,
            namespace = %input.namespace,
            elapsed_ms = t.elapsed().as_millis(),
            "tool call ok",
        );
        let json = serde_json::to_string_pretty(&result).unwrap_or_default();
        Ok(CallToolResult::success(vec![Content::text(json)]))
    }
@@ -473,19 +587,39 @@ impl SecretsService {
    async fn secrets_history(
        &self,
        Parameters(input): Parameters<HistoryInput>,
-        _ctx: RequestContext<RoleServer>,
+        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let user_id = Self::user_id_from_ctx(&ctx)?;
        tracing::info!(
            tool = "secrets_history",
            ?user_id,
            namespace = %input.namespace,
            kind = %input.kind,
            name = %input.name,
            "tool call start",
        );
        let result = svc_history(
            &self.pool,
            &input.namespace,
            &input.kind,
            &input.name,
            input.limit.unwrap_or(20),
-            None,
+            user_id,
        )
        .await
-        .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+        .map_err(|e| {
            tracing::warn!(tool = "secrets_history", ?user_id, error = %e, "tool call failed");
            rmcp::ErrorData::internal_error(e.to_string(), None)
        })?;
        tracing::info!(
            tool = "secrets_history",
            ?user_id,
            elapsed_ms = t.elapsed().as_millis(),
            "tool call ok",
        );
        let json = serde_json::to_string_pretty(&result).unwrap_or_default();
        Ok(CallToolResult::success(vec![Content::text(json)]))
    }
@@ -499,7 +633,17 @@ impl SecretsService {
        Parameters(input): Parameters<RollbackInput>,
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let (user_id, user_key) = Self::require_user_and_key(&ctx)?;
        tracing::info!(
            tool = "secrets_rollback",
            ?user_id,
            namespace = %input.namespace,
            kind = %input.kind,
            name = %input.name,
            to_version = input.to_version,
            "tool call start",
        );
        let result = svc_rollback(
            &self.pool,
@@ -511,8 +655,17 @@ impl SecretsService {
            Some(user_id),
        )
        .await
-        .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+        .map_err(|e| {
            tracing::warn!(tool = "secrets_rollback", ?user_id, error = %e, "tool call failed");
            rmcp::ErrorData::internal_error(e.to_string(), None)
        })?;
        tracing::info!(
            tool = "secrets_rollback",
            ?user_id,
            elapsed_ms = t.elapsed().as_millis(),
            "tool call ok",
        );
        let json = serde_json::to_string_pretty(&result).unwrap_or_default();
        Ok(CallToolResult::success(vec![Content::text(json)]))
    }
@@ -526,9 +679,18 @@ impl SecretsService {
        Parameters(input): Parameters<ExportInput>,
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let (user_id, user_key) = Self::require_user_and_key(&ctx)?;
        let tags = input.tags.unwrap_or_default();
        let format = input.format.as_deref().unwrap_or("json");
        tracing::info!(
            tool = "secrets_export",
            ?user_id,
            namespace = input.namespace.as_deref(),
            kind = input.kind.as_deref(),
            format,
            "tool call start",
        );
        let data = svc_export(
            &self.pool,
@@ -544,13 +706,23 @@ impl SecretsService {
            Some(&user_key),
        )
        .await
-        .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+        .map_err(|e| {
            tracing::warn!(tool = "secrets_export", ?user_id, error = %e, "tool call failed");
            rmcp::ErrorData::internal_error(e.to_string(), None)
        })?;
        let serialized = format
            .parse::<secrets_core::models::ExportFormat>()
            .and_then(|fmt| fmt.serialize(&data))
            .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
        tracing::info!(
            tool = "secrets_export",
            ?user_id,
            entry_count = data.entries.len(),
            elapsed_ms = t.elapsed().as_millis(),
            "tool call ok",
        );
        Ok(CallToolResult::success(vec![Content::text(serialized)]))
    }
@@ -564,9 +736,18 @@ impl SecretsService {
        Parameters(input): Parameters<EnvMapInput>,
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
        let (user_id, user_key) = Self::require_user_and_key(&ctx)?;
        let tags = input.tags.unwrap_or_default();
        let only_fields = input.only_fields.unwrap_or_default();
        tracing::info!(
            tool = "secrets_env_map",
            ?user_id,
            namespace = input.namespace.as_deref(),
            kind = input.kind.as_deref(),
            prefix = input.prefix.as_deref().unwrap_or(""),
            "tool call start",
        );
        let env_map = secrets_core::service::env_map::build_env_map(
            &self.pool,
@@ -580,8 +761,19 @@ impl SecretsService {
            Some(user_id),
        )
        .await
-        .map_err(|e| rmcp::ErrorData::internal_error(e.to_string(), None))?;
+        .map_err(|e| {
            tracing::warn!(tool = "secrets_env_map", ?user_id, error = %e, "tool call failed");
            rmcp::ErrorData::internal_error(e.to_string(), None)
        })?;
        let entry_count = env_map.len();
        tracing::info!(
            tool = "secrets_env_map",
            ?user_id,
            entry_count,
            elapsed_ms = t.elapsed().as_millis(),
            "tool call ok",
        );
        let json = serde_json::to_string_pretty(&env_map).unwrap_or_default();
        Ok(CallToolResult::success(vec![Content::text(json)]))
    }
--- a/crates/secrets-mcp/src/web.rs
+++ b/crates/secrets-mcp/src/web.rs
@@ -1,4 +1,5 @@
 use askama::Template;
 use chrono::SecondsFormat;
 use std::net::SocketAddr;
 use axum::{
@@ -17,6 +18,7 @@ use secrets_core::audit::log_login;
 use secrets_core::crypto::hex;
 use secrets_core::service::{
    api_key::{ensure_api_key, regenerate_api_key},
    audit_log::list_for_user,
    user::{
        OAuthProfile, bind_oauth_account, find_or_create_user, get_user_by_id,
        unbind_oauth_account, update_user_key_setup,
@@ -50,6 +52,23 @@ struct DashboardTemplate {
    version: &'static str,
 }
 #[derive(Template)]
 #[template(path = "audit.html")]
 struct AuditPageTemplate {
    user_name: String,
    user_email: String,
    entries: Vec<AuditEntryView>,
    version: &'static str,
 }
 struct AuditEntryView {
    /// RFC3339 UTC for `<time datetime>`; rendered as browser-local in audit.html.
    created_at_iso: String,
    action: String,
    target: String,
    detail: String,
 }
 // ── App state helpers ─────────────────────────────────────────────────────────
 fn google_cfg(state: &AppState) -> Option<&OAuthConfig> {
@@ -98,11 +117,16 @@ pub fn web_router() -> Router<AppState> {
            "/favicon.ico",
            get(|| async { Redirect::permanent("/favicon.svg") }),
        )
        .route(
            "/.well-known/oauth-protected-resource",
            get(oauth_protected_resource_metadata),
        )
        .route("/", get(login_page))
        .route("/auth/google", get(auth_google))
        .route("/auth/google/callback", get(auth_google_callback))
        .route("/auth/logout", post(auth_logout))
        .route("/dashboard", get(dashboard))
        .route("/audit", get(audit_page))
        .route("/account/bind/google", get(account_bind_google))
        .route(
            "/account/bind/google/callback",
@@ -301,11 +325,6 @@ where
            StatusCode::INTERNAL_SERVER_ERROR
        })?;
    // Ensure the user has an API key (auto-creates on first login).
    if let Err(e) = ensure_api_key(&state.pool, user.id).await {
        tracing::warn!(error = %e, "failed to ensure api key for user");
    }
    session
        .insert(SESSION_USER_ID, user.id.to_string())
        .await
@@ -364,6 +383,49 @@ async fn dashboard(
    render_template(tmpl)
 }
 async fn audit_page(
    State(state): State<AppState>,
    session: Session,
 ) -> Result<Response, StatusCode> {
    let Some(user_id) = current_user_id(&session).await else {
        return Ok(Redirect::to("/").into_response());
    };
    let user = match get_user_by_id(&state.pool, user_id)
        .await
        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
    {
        Some(u) => u,
        None => return Ok(Redirect::to("/").into_response()),
    };
    let rows = list_for_user(&state.pool, user_id, 100)
        .await
        .map_err(|e| {
            tracing::error!(error = %e, "failed to load audit log for user");
            StatusCode::INTERNAL_SERVER_ERROR
        })?;
    let entries = rows
        .into_iter()
        .map(|row| AuditEntryView {
            created_at_iso: row.created_at.to_rfc3339_opts(SecondsFormat::Secs, true),
            action: row.action,
            target: format_audit_target(&row.namespace, &row.kind, &row.name),
            detail: serde_json::to_string_pretty(&row.detail).unwrap_or_else(|_| "{}".to_string()),
        })
        .collect();
    let tmpl = AuditPageTemplate {
        user_name: user.name.clone(),
        user_email: user.email.clone().unwrap_or_default(),
        entries,
        version: env!("CARGO_PKG_VERSION"),
    };
    render_template(tmpl)
 }
 // ── Account bind/unbind ───────────────────────────────────────────────────────
 async fn account_bind_google(
@@ -568,6 +630,28 @@ async fn api_apikey_regenerate(
    Ok(Json(ApiKeyResponse { api_key }))
 }
 // ── OAuth / Well-known ────────────────────────────────────────────────────────
 /// RFC 9728 — OAuth 2.0 Protected Resource Metadata.
 ///
 /// Advertises that this server accepts Bearer tokens in the `Authorization`
 /// header.  We deliberately omit `authorization_servers` because this service
 /// issues its own API keys (no external OAuth AS is involved).  MCP clients
 /// that probe this endpoint will see the resource identifier and stop looking
 /// for a delegated OAuth flow.
 async fn oauth_protected_resource_metadata(State(state): State<AppState>) -> impl IntoResponse {
    let body = serde_json::json!({
        "resource": state.base_url,
        "bearer_methods_supported": ["header"],
        "resource_documentation": format!("{}/dashboard", state.base_url),
    });
    (
        StatusCode::OK,
        [(header::CONTENT_TYPE, "application/json")],
        axum::Json(body),
    )
 }
 // ── Helper ────────────────────────────────────────────────────────────────────
 fn render_template<T: Template>(tmpl: T) -> Result<Response, StatusCode> {
@@ -577,3 +661,12 @@ fn render_template<T: Template>(tmpl: T) -> Result<Response, StatusCode> {
    })?;
    Ok(Html(html).into_response())
 }
 fn format_audit_target(namespace: &str, kind: &str, name: &str) -> String {
    // Auth events reuse kind/name as a provider-scoped target, not an entry identity.
    if namespace == "auth" {
        format!("{}/{}", kind, name)
    } else {
        format!("[{}/{}] {}", namespace, kind, name)
    }
 }
--- a/crates/secrets-mcp/templates/audit.html
+++ b/crates/secrets-mcp/templates/audit.html
@@ -0,0 +1,154 @@
 <!DOCTYPE html>
 <html lang="zh-CN">
 <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="icon" href="/favicon.svg?v={{ version }}" type="image/svg+xml">
    <title>Secrets — Audit</title>
    <style>
        *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
        @import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&family=Inter:wght@400;500;600&display=swap');
        :root {
            --bg: #0d1117; --surface: #161b22; --surface2: #21262d;
            --border: #30363d; --text: #e6edf3; --text-muted: #8b949e;
            --accent: #58a6ff; --accent-hover: #79b8ff;
        }
        body { background: var(--bg); color: var(--text); font-family: 'Inter', sans-serif; min-height: 100vh; }
        .layout { display: flex; min-height: 100vh; }
        .sidebar {
            width: 220px; flex-shrink: 0; background: var(--surface); border-right: 1px solid var(--border);
            padding: 24px 16px; display: flex; flex-direction: column; gap: 20px;
        }
        .sidebar-logo { font-family: 'JetBrains Mono', monospace; font-size: 16px; font-weight: 600;
                        color: var(--text); text-decoration: none; padding: 0 10px; }
        .sidebar-logo span { color: var(--accent); }
        .sidebar-menu { display: flex; flex-direction: column; gap: 6px; }
        .sidebar-link {
            padding: 10px 12px; border-radius: 8px; color: var(--text-muted); text-decoration: none;
            border: 1px solid transparent; font-size: 13px; font-weight: 500;
        }
        .sidebar-link:hover { background: var(--surface2); color: var(--text); }
        .sidebar-link.active {
            background: rgba(88,166,255,0.12); color: var(--text); border-color: rgba(88,166,255,0.35);
        }
        .content-shell { flex: 1; min-width: 0; display: flex; flex-direction: column; }
        .topbar {
            background: var(--surface); border-bottom: 1px solid var(--border); padding: 0 24px;
            display: flex; align-items: center; gap: 12px; min-height: 52px;
        }
        .topbar-spacer { flex: 1; }
        .nav-user { font-size: 13px; color: var(--text-muted); }
        .btn-sign-out {
            padding: 5px 12px; border-radius: 6px; border: 1px solid var(--border);
            background: none; color: var(--text); font-size: 12px; text-decoration: none; cursor: pointer;
        }
        .btn-sign-out:hover { background: var(--surface2); }
        .main { padding: 32px 24px 40px; flex: 1; }
        .card { background: var(--surface); border: 1px solid var(--border); border-radius: 12px;
                padding: 24px; width: 100%; max-width: 1180px; margin: 0 auto; }
        .card-title { font-size: 20px; font-weight: 600; margin-bottom: 8px; }
        .card-subtitle { color: var(--text-muted); font-size: 13px; margin-bottom: 20px; }
        .empty { color: var(--text-muted); font-size: 14px; padding: 20px 0; }
        table { width: 100%; border-collapse: collapse; }
        th, td { text-align: left; vertical-align: top; padding: 12px 10px; border-top: 1px solid var(--border); }
        th { color: var(--text-muted); font-size: 12px; font-weight: 600; }
        td { font-size: 13px; }
        .mono { font-family: 'JetBrains Mono', monospace; }
        .detail {
            background: var(--bg); border: 1px solid var(--border); border-radius: 8px;
            padding: 10px; white-space: pre-wrap; word-break: break-word; font-size: 12px;
            max-width: 460px;
        }
        @media (max-width: 900px) {
            .layout { flex-direction: column; }
            .sidebar {
                width: 100%; border-right: none; border-bottom: 1px solid var(--border);
                padding: 16px; gap: 14px;
            }
            .sidebar-menu { flex-direction: row; }
            .sidebar-link { flex: 1; text-align: center; }
            .main { padding: 20px 12px 28px; }
            .card { padding: 16px; }
            .topbar { padding: 12px 16px; flex-wrap: wrap; }
            table, thead, tbody, th, td, tr { display: block; }
            thead { display: none; }
            tr { border-top: 1px solid var(--border); padding: 12px 0; }
            td { border-top: none; padding: 6px 0; }
            td::before {
                display: block; color: var(--text-muted); font-size: 11px;
                margin-bottom: 4px; text-transform: uppercase;
            }
            td.col-time::before { content: "Time"; }
            td.col-action::before { content: "Action"; }
            td.col-target::before { content: "Target"; }
            td.col-detail::before { content: "Detail"; }
            .detail { max-width: none; }
        }
    </style>
 </head>
 <body>
 <div class="layout">
 <aside class="sidebar">
    <a href="/dashboard" class="sidebar-logo"><span>secrets</span></a>
    <nav class="sidebar-menu">
        <a href="/dashboard" class="sidebar-link">MCP</a>
        <a href="/audit" class="sidebar-link active">审计</a>
    </nav>
 </aside>
 <div class="content-shell">
 <div class="topbar">
    <span class="topbar-spacer"></span>
    <span class="nav-user">{{ user_name }}{% if !user_email.is_empty() %} · {{ user_email }}{% endif %}</span>
    <form action="/auth/logout" method="post" style="display:inline">
        <button type="submit" class="btn-sign-out">退出</button>
    </form>
 </div>
 <main class="main">
    <section class="card">
        <div class="card-title">我的审计</div>
        <div class="card-subtitle">展示最近 100 条与当前用户相关的新审计记录。时间为浏览器本地时区。</div>
        {% if entries.is_empty() %}
        <div class="empty">暂无审计记录。</div>
        {% else %}
        <table>
            <thead>
                <tr>
                    <th>时间</th>
                    <th>动作</th>
                    <th>目标</th>
                    <th>详情</th>
                </tr>
            </thead>
            <tbody>
                {% for entry in entries %}
                <tr>
                    <td class="col-time mono"><time class="audit-local-time" datetime="{{ entry.created_at_iso }}">{{ entry.created_at_iso }}</time></td>
                    <td class="col-action mono">{{ entry.action }}</td>
                    <td class="col-target mono">{{ entry.target }}</td>
                    <td class="col-detail"><pre class="detail">{{ entry.detail }}</pre></td>
                </tr>
                {% endfor %}
            </tbody>
        </table>
        {% endif %}
    </section>
 </main>
 </div>
 </div>
 <script>
 (function () {
  document.querySelectorAll('time.audit-local-time[datetime]').forEach(function (el) {
    var raw = el.getAttribute('datetime');
    var d = raw ? new Date(raw) : null;
    if (d && !isNaN(d.getTime())) {
      el.textContent = d.toLocaleString(undefined, { dateStyle: 'medium', timeStyle: 'medium' });
      el.title = raw + ' (UTC)';
    }
  });
 })();
 </script>
 </body>
 </html>
--- a/crates/secrets-mcp/templates/dashboard.html
+++ b/crates/secrets-mcp/templates/dashboard.html
@@ -16,13 +16,29 @@
        }
        body { background: var(--bg); color: var(--text); font-family: 'Inter', sans-serif; min-height: 100vh; }
-        /* Nav */
+        .layout { display: flex; min-height: 100vh; }
-        .nav { background: var(--surface); border-bottom: 1px solid var(--border);
+        .sidebar {
-               padding: 0 24px; display: flex; align-items: center; gap: 12px; height: 52px; }
+            width: 220px; flex-shrink: 0; background: var(--surface); border-right: 1px solid var(--border);
-        .nav-logo { font-family: 'JetBrains Mono', monospace; font-size: 15px; font-weight: 600;
+            padding: 24px 16px; display: flex; flex-direction: column; gap: 20px;
-                    color: var(--text); text-decoration: none; }
+        }
-        .nav-logo span { color: var(--accent); }
+        .sidebar-logo { font-family: 'JetBrains Mono', monospace; font-size: 16px; font-weight: 600;
-        .nav-spacer { flex: 1; }
+                        color: var(--text); text-decoration: none; padding: 0 10px; }
        .sidebar-logo span { color: var(--accent); }
        .sidebar-menu { display: flex; flex-direction: column; gap: 6px; }
        .sidebar-link {
            padding: 10px 12px; border-radius: 8px; color: var(--text-muted); text-decoration: none;
            border: 1px solid transparent; font-size: 13px; font-weight: 500;
        }
        .sidebar-link:hover { background: var(--surface2); color: var(--text); }
        .sidebar-link.active {
            background: rgba(88,166,255,0.12); color: var(--text); border-color: rgba(88,166,255,0.35);
        }
        .content-shell { flex: 1; min-width: 0; display: flex; flex-direction: column; }
        .topbar {
            background: var(--surface); border-bottom: 1px solid var(--border); padding: 0 24px;
            display: flex; align-items: center; gap: 12px; min-height: 52px;
        }
        .topbar-spacer { flex: 1; }
        .nav-user { font-size: 13px; color: var(--text-muted); }
        .lang-bar { display: flex; gap: 2px; background: var(--surface2); border-radius: 6px; padding: 2px; }
        .lang-btn { padding: 3px 9px; border: none; background: none; color: var(--text-muted);
@@ -32,11 +48,19 @@
                        background: none; color: var(--text); font-size: 12px; cursor: pointer; }
        .btn-sign-out:hover { background: var(--surface2); }
-        /* Main: column so footer can sit at bottom of viewport when content is short */
+        /* Main content column */
        .main { display: flex; flex-direction: column; align-items: center;
-                padding: 48px 24px 24px; min-height: calc(100vh - 52px); }
+                padding: 24px 20px 8px; min-height: 0; }
        .app-footer {
            margin-top: auto;
            text-align: center;
            padding: 4px 20px 12px;
            font-size: 12px;
            color: #9da7b3;
            font-family: 'JetBrains Mono', monospace;
        }
        .card { background: var(--surface); border: 1px solid var(--border); border-radius: 12px;
-                padding: 32px; width: 100%; max-width: 980px; }
+                padding: 24px; width: 100%; max-width: 980px; }
        .card-title { font-size: 18px; font-weight: 600; margin-bottom: 24px; }
        /* Form */
        .field { margin-bottom: 12px; }
@@ -123,28 +147,40 @@
                            background: none; color: var(--text); font-size: 13px; cursor: pointer; }
        .btn-modal-cancel:hover { background: var(--surface2); }
-        @media (max-width: 720px) {
+        @media (max-width: 900px) {
-            .config-tabs { grid-template-columns: 1fr; }
+            .layout { flex-direction: column; }
            .sidebar {
                width: 100%; border-right: none; border-bottom: 1px solid var(--border);
                padding: 16px; gap: 14px;
            }
            .sidebar-menu { flex-direction: row; }
            .sidebar-link { flex: 1; text-align: center; }
        }
-        .app-footer {
+        @media (max-width: 720px) {
-            margin-top: auto;
+            .config-tabs { grid-template-columns: 1fr; }
-            width: 100%;
+            .topbar { padding: 12px 16px; flex-wrap: wrap; }
-            max-width: 980px;
+            .main { padding: 16px 12px 6px; }
-            flex-shrink: 0;
+            .app-footer { padding: 4px 12px 10px; }
-            text-align: center;
+            .card { padding: 18px; }
            padding-top: 28px;
            font-size: 12px;
            color: #9da7b3;
            font-family: 'JetBrains Mono', monospace;
        }
    </style>
 </head>
 <body data-has-passphrase="{{ has_passphrase }}" data-base-url="{{ base_url }}">
-<nav class="nav">
+<div class="layout">
-    <a href="/dashboard" class="nav-logo"><span>secrets</span></a>
+<aside class="sidebar">
-    <span class="nav-spacer"></span>
+    <a href="/dashboard" class="sidebar-logo"><span>secrets</span></a>
    <nav class="sidebar-menu">
        <a href="/dashboard" class="sidebar-link active">MCP</a>
        <a href="/audit" class="sidebar-link">审计</a>
    </nav>
 </aside>
 <div class="content-shell">
 <div class="topbar">
    <span class="topbar-spacer"></span>
    <span class="nav-user">{{ user_name }}{% if !user_email.is_empty() %} · {{ user_email }}{% endif %}</span>
    <div class="lang-bar">
        <button class="lang-btn" onclick="setLang('zh-CN')">简</button>
@@ -154,7 +190,7 @@
    <form action="/auth/logout" method="post" style="display:inline">
        <button type="submit" class="btn-sign-out" data-i18n="signOut">退出</button>
    </form>
-</nav>
+</div>
 <div class="main">
 <div class="card">
@@ -258,9 +294,11 @@
    </div>
 </div>
-
+</div>
 <footer class="app-footer">{{ version }}</footer>
 </div>
 </div>
 </div>
 <!-- ── Change passphrase modal ──────────────────────────────────────────────── -->
 <div class="modal-bd" id="change-modal">
--- a/scripts/release-check.sh
+++ b/scripts/release-check.sh
@@ -12,12 +12,13 @@ echo "==> 当前 secrets-mcp 版本: ${version}"
 echo "==> 检查是否已存在 tag: ${tag}"
 if git rev-parse "refs/tags/${tag}" >/dev/null 2>&1; then
-  echo "错误: 已存在 tag ${tag}"
+  echo "提示: 已存在 tag ${tag}，将按重复构建处理，不阻断检查。"
-  echo "请先 bump crates/secrets-mcp/Cargo.toml 中的 version，再执行 cargo build 同步 Cargo.lock。"
+  echo "如需创建新的发布版本，请先 bump crates/secrets-mcp/Cargo.toml 中的 version。"
-  exit 1
+else
  echo "==> 未发现重复 tag，将创建新版本"
 fi
-echo "==> 未发现重复 tag，开始执行检查"
+echo "==> 开始执行检查"
 cargo fmt -- --check
 cargo clippy --locked -- -D warnings
 cargo test --locked
Author	SHA1	Message	Date
voson	0b57605103	feat(secrets-mcp): MCP 请求日志、探测 404 与资源元数据 All checks were successful Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Successful in 3m10s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 5s Details - 新增 logging 中间件：记录 client_ip、ua、JSON-RPC、tool 等 - tools 各入口/出口结构化日志 - 探测型 404（/.well-known、GET /mcp）降为 debug - /.well-known/oauth-protected-resource 最小元数据 - secrets-mcp 0.1.11 Made-with: Cursor	2026-03-21 17:57:10 +08:00
voson	8b191937cd	docs(AGENTS): 精简提交/推送规则第4条 Made-with: Cursor	2026-03-21 16:56:06 +08:00
voson	11c936a5b8	docs(AGENTS): 明确提交/推送前必须检查版本号与运行 fmt/clippy/test Made-with: Cursor	2026-03-21 16:48:47 +08:00
voson	b6349dd1c8	chore(secrets-mcp): bump version to 0.1.10 All checks were successful Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Successful in 2m57s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 5s Details Made-with: Cursor	2026-03-21 16:46:33 +08:00
voson	f720983328	refactor(db): 移除无意义 actor，修复 history 多租户与模型 Some checks failed Secrets MCP — Build & Release / 部署 secrets-mcp (push) Has been cancelled Details Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Has started running Details - 删除 entries_history / audit_log / secrets_history 的 actor 列及写入逻辑 - MCP secrets_history 透传当前 user_id - Entry 增加 user_id，search 查询不再用伪 UUID - 迁移：保留 users.api_key，从 api_keys 表回退时生成新明文 key 并删表 - 文档：audit_log auth 语义、API Key 存储说明 Made-with: Cursor	2026-03-21 16:45:50 +08:00
voson	7bd0603dc6	chore(secrets-mcp): bump version to 0.1.9 All checks were successful Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Successful in 2m47s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 5s Details Made-with: Cursor	2026-03-21 12:25:38 +08:00
voson	17a95bea5b	refactor(audit): 移除旧格式兼容，user_id 统一走列字段 Some checks failed Secrets MCP — Build & Release / 部署 secrets-mcp (push) Has been cancelled Details Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Has been cancelled Details - audit_log 查询去掉 detail->>'user_id' 回退分支 - login_detail 不再冗余写入 user_id 到 detail JSON - 迁移 SQL 去掉多余的 ALTER TABLE ADD COLUMN Made-with: Cursor	2026-03-21 12:24:00 +08:00
voson	a42db62702	style(secrets-mcp): rustfmt web.rs audit mapping All checks were successful Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Successful in 5m20s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 6s Details Made-with: Cursor	2026-03-21 12:06:29 +08:00
voson	2edb970cba	chore(secrets-mcp): bump version to 0.1.8 Some checks failed Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Failing after 19s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Has been skipped Details Made-with: Cursor	2026-03-21 12:05:22 +08:00
voson	17f8ac0dbc	web: 审计页时间按浏览器本地时区显示 Some checks failed Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Failing after 25s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Has been skipped Details Made-with: Cursor	2026-03-21 12:03:44 +08:00
voson	259fbe10a6	ci: 精简 Release upsert 逻辑 All checks were successful Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Successful in 4m36s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 5s Details 提取 auth/api 公共变量避免重复；用 xargs 单行替换 while 循环清理旧 assets；POST 分支用管道直接取 id 省去临时文件。 279 行 → 248 行。 Made-with: Cursor	2026-03-21 11:36:43 +08:00
voson	c815fb4cc8	ci: 修复覆盖重发时 Release 唯一约束冲突 DELETE + POST 同名 release 会触发 Gitea 的 UQE_release_n 约束。改为：已有 release → PATCH 更新 name/body，再逐个删除旧 assets 后重传；无 release → 正常 POST 新建。 Made-with: Cursor	2026-03-21 11:33:45 +08:00
voson	90cd1eca15	ci: 允许对同版本覆盖重发版 Some checks failed Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Failing after 4m33s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Has been skipped Details - 解析版本时不再 exit 1，改为记录 tag_exists=true 并打印警告 - 创建 Tag 步骤：若 tag 已存在则先本地删除再远端删除，再重新打带注释的 tag - 创建 Release 步骤：先查询同名 Release，若存在则 DELETE 旧 Release，再 POST 新建 Made-with: Cursor	2026-03-21 11:22:24 +08:00
voson	da007348ea	ci: 合并为 ci + deploy 两个 job，check 先于 build Some checks failed Secrets MCP — Build & Release / 检查 / 构建 / 发版 (push) Failing after 7s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Has been skipped Details 单台 self-hosted runner 下并行 job 只是排队，多 job 拆分带来的 artifact 传递、重复 checkout、调度延迟反而更慢。改动： - 原 version/check/build-linux/publish-release 四个 job 合并为单个 ci job - 步骤顺序：版本拦截 → fmt/clippy/test → build → 打 tag → 发 Release - tag 在构建成功后才创建，避免失败提交留下脏 tag - Release 创建+上传+发布合并为单步，去掉草稿中转 - deploy job 仅保留 artifact 下载 + SSH 部署逻辑，不再重复编译 - 整体从 400 行缩减至 244 行 Made-with: Cursor	2026-03-21 11:18:10 +08:00
voson	f2344b7543	feat(secrets-mcp): 审计页、audit_log user_id、OAuth 登录与仪表盘 footer All checks were successful Secrets MCP — Build & Release / 版本 & Release (push) Successful in 3s Details Secrets MCP — Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 7m20s Details Secrets MCP — Build & Release / Build Linux (musl) (push) Successful in 8m23s Details Secrets MCP — Build & Release / 发布草稿 Release (push) Successful in 1s Details Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 6s Details - audit_log 增加 user_id；业务写审计透传 user_id - Web /audit 与侧边栏；Dashboard 版本 footer 贴底（margin-top: auto） - 停止 API Key 鉴权成功写入登录审计 - 文档、CI、release-check 配套更新 Made-with: Cursor	2026-03-21 11:12:11 +08:00
voson	ee028d45c3	ci: 优化 workflow 并行度与产物传递 - check 与 build-linux 改为并行执行，节省约 10min - 新增 upload-artifact / download-artifact，deploy-mcp 直接复用二进制，免重复编译（节省约 15min） - check / build 缓存加入 target/ 目录，加速增量编译 - 提取 MUSL_TARGET 全局变量，消除 x86_64-unknown-linux-musl 硬编码 - publish-release 增加 check 结果检查，质量失败时不发布 Release - 移除 build-linux 冗余飞书通知，publish-release 汇总已覆盖 Made-with: Cursor	2026-03-21 10:07:29 +08:00