release(secrets-mcp): 0.5.17 — 取消生产环境强制 PG TLS 校验

移除 SECRETS_ENV=production 时对 verify-ca/verify-full 的硬性要求，
仍可通过 SECRETS_DATABASE_SSL_MODE 显式选择模式。

Made-with: Cursor

Cargo.lock

@@ -2065,7 +2065,7 @@ dependencies = [
 
 [[package]]
 name = "secrets-mcp"
-version = "0.5.16"
+version = "0.5.17"
 dependencies = [
  "anyhow",
  "askama",

crates/secrets-core/src/config.rs

@@ -8,7 +8,6 @@ pub struct DatabaseConfig {
     pub url: String,
     pub ssl_mode: Option<PgSslMode>,
     pub ssl_root_cert: Option<PathBuf>,
-    pub enforce_strict_tls: bool,
 }
 
 /// Resolve database URL from environment.
@@ -63,20 +62,10 @@ fn resolve_ssl_root_cert_from_env() -> Result<Option<PathBuf>> {
     Ok(Some(path))
 }
 
-fn is_production_env() -> bool {
-    matches!(
-        env_var_non_empty("SECRETS_ENV")
-            .as_deref()
-            .map(|value| value.to_ascii_lowercase()),
-        Some(value) if value == "prod" || value == "production"
-    )
-}
-
 pub fn resolve_db_config(override_url: &str) -> Result<DatabaseConfig> {
     Ok(DatabaseConfig {
         url: resolve_db_url(override_url)?,
         ssl_mode: parse_ssl_mode_from_env()?,
         ssl_root_cert: resolve_ssl_root_cert_from_env()?,
-        enforce_strict_tls: is_production_env(),
     })
 }

crates/secrets-core/src/db.rs

@@ -3,7 +3,7 @@ use std::str::FromStr;
 use anyhow::{Context, Result};
 use serde_json::{Map, Value};
 use sqlx::PgPool;
-use sqlx::postgres::{PgConnectOptions, PgPoolOptions, PgSslMode};
+use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
 use crate::config::DatabaseConfig;
 
@@ -18,18 +18,6 @@ fn build_connect_options(config: &DatabaseConfig) -> Result<PgConnectOptions> {
         options = options.ssl_root_cert(path);
     }
 
-    if config.enforce_strict_tls
-        && !matches!(
-            options.get_ssl_mode(),
-            PgSslMode::VerifyCa | PgSslMode::VerifyFull
-        )
-    {
-        anyhow::bail!(
-            "Refusing to start in production with weak PostgreSQL TLS mode. \
-             Set SECRETS_DATABASE_SSL_MODE=verify-ca or verify-full."
-        );
-    }
-
     Ok(options)
 }
 

crates/secrets-mcp/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "secrets-mcp"
-version = "0.5.16"
+version = "0.5.17"
 edition.workspace = true
 
 [[bin]]