release(secrets-mcp): 0.5.7

- db: metadata_with_secret_snapshot / strip / parse 辅助
- add/update/delete/rollback 在写 entries_history 前合并快照
- rollback: 按历史快照同步 entry_secrets、更新或插入 secrets
- 满足 clippy collapsible_if

.gitea/workflows/secrets.yml

@@ -208,6 +208,7 @@ jobs:
           DEPLOY_HOST: ${{ vars.DEPLOY_HOST }}
           DEPLOY_USER: ${{ vars.DEPLOY_USER }}
           DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+          DEPLOY_KNOWN_HOSTS: ${{ vars.DEPLOY_KNOWN_HOSTS }}
         run: |
           if [ -z "$DEPLOY_HOST" ] || [ -z "$DEPLOY_USER" ] || [ -z "$DEPLOY_SSH_KEY" ]; then
             echo "部署跳过：请配置 vars.DEPLOY_HOST、vars.DEPLOY_USER 与 secrets.DEPLOY_SSH_KEY"
@@ -216,19 +217,26 @@ jobs:
 
           echo "$DEPLOY_SSH_KEY" > /tmp/deploy_key
           chmod 600 /tmp/deploy_key
+          trap 'rm -f /tmp/deploy_key' EXIT
 
-          scp -i /tmp/deploy_key -o StrictHostKeyChecking=no \
+          if [ -n "$DEPLOY_KNOWN_HOSTS" ]; then
+            echo "$DEPLOY_KNOWN_HOSTS" > /tmp/deploy_known_hosts
+            ssh_opts="-o UserKnownHostsFile=/tmp/deploy_known_hosts -o StrictHostKeyChecking=yes"
+          else
+            ssh_opts="-o StrictHostKeyChecking=accept-new"
+          fi
+
+          scp -i /tmp/deploy_key $ssh_opts \
             "/tmp/artifact/${MCP_BINARY}" \
             "${DEPLOY_USER}@${DEPLOY_HOST}:/tmp/secrets-mcp.new"
 
-          ssh -i /tmp/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" "
+          ssh -i /tmp/deploy_key $ssh_opts "${DEPLOY_USER}@${DEPLOY_HOST}" "
             sudo mv /tmp/secrets-mcp.new /opt/secrets-mcp/secrets-mcp
             sudo chmod +x /opt/secrets-mcp/secrets-mcp
             sudo systemctl restart secrets-mcp
             sleep 2
             sudo systemctl is-active secrets-mcp && echo '服务启动成功' || (sudo journalctl -u secrets-mcp -n 20 && exit 1)
           "
-          rm -f /tmp/deploy_key
 
       - name: 飞书通知
         if: always()

.vscode/tasks.json

@@ -22,7 +22,6 @@
       "label": "test: workspace",
       "type": "shell",
       "command": "cargo test --workspace --locked",
-      "dependsOn": "build",
       "group": { "kind": "test", "isDefault": true }
     },
     {
@@ -35,7 +34,7 @@
       "label": "clippy: workspace",
       "type": "shell",
       "command": "cargo clippy --workspace --locked -- -D warnings",
-      "dependsOn": "build"
+      "problemMatcher": []
     },
     {
       "label": "ci: release-check",

Cargo.lock

@@ -2066,7 +2066,7 @@ dependencies = [
 
 [[package]]
 name = "secrets-mcp"
-version = "0.5.5"
+version = "0.5.7"
 dependencies = [
  "anyhow",
  "askama",

README.md

@@ -25,6 +25,13 @@ cargo build --release -p secrets-mcp
 | `SECRETS_MCP_BIND` | 监听地址，默认 `127.0.0.1:9315`。容器内或直接对外暴露端口时请改为 `0.0.0.0:9315`；反代时常为 `127.0.0.1:9315`。 |
 | `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET` | 可选；不配置则无 Google 登录入口。运行时从环境读取，勿写入 CI、勿打入二进制。 |
 | `RUST_LOG` | 可选；日志级别，如 `secrets_mcp=debug`。 |
+| `SECRETS_DATABASE_POOL_SIZE` | 可选。连接池最大连接数，默认 `10`。 |
+| `SECRETS_DATABASE_ACQUIRE_TIMEOUT` | 可选。获取连接超时秒数，默认 `5`。 |
+| `RATE_LIMIT_GLOBAL_PER_SECOND` | 可选。全局限流速率，默认 `100` req/s。 |
+| `RATE_LIMIT_GLOBAL_BURST` | 可选。全局限流突发量，默认 `200`。 |
+| `RATE_LIMIT_IP_PER_SECOND` | 可选。单 IP 限流速率，默认 `20` req/s。 |
+| `RATE_LIMIT_IP_BURST` | 可选。单 IP 限流突发量，默认 `40`。 |
+| `TRUST_PROXY` | 可选。设为 `1`/`true`/`yes` 时从 `X-Forwarded-For` / `X-Real-IP` 提取客户端 IP；仅在反代环境下启用。 |
 
 ```bash
 cargo run -p secrets-mcp

crates/secrets-core/src/db.rs

@@ -1,7 +1,7 @@
 use std::str::FromStr;
 
 use anyhow::{Context, Result};
-use serde_json::Value;
+use serde_json::{Map, Value};
 use sqlx::PgPool;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions, PgSslMode};
 
@@ -562,4 +562,75 @@ pub async fn snapshot_secret_history(
     Ok(())
 }
 
+pub const ENTRY_HISTORY_SECRETS_KEY: &str = "__secrets_snapshot_v1";
+
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
+pub struct EntrySecretSnapshot {
+    pub name: String,
+    #[serde(rename = "type")]
+    pub secret_type: String,
+    pub encrypted_hex: String,
+}
+
+pub async fn metadata_with_secret_snapshot(
+    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
+    entry_id: uuid::Uuid,
+    metadata: &Value,
+) -> Result<Value> {
+    #[derive(sqlx::FromRow)]
+    struct Row {
+        name: String,
+        #[sqlx(rename = "type")]
+        secret_type: String,
+        encrypted: Vec<u8>,
+    }
+
+    let rows: Vec<Row> = sqlx::query_as(
+        "SELECT s.name, s.type, s.encrypted \
+         FROM entry_secrets es \
+         JOIN secrets s ON s.id = es.secret_id \
+         WHERE es.entry_id = $1 \
+         ORDER BY s.name ASC",
+    )
+    .bind(entry_id)
+    .fetch_all(&mut **tx)
+    .await?;
+
+    let snapshots: Vec<EntrySecretSnapshot> = rows
+        .into_iter()
+        .map(|r| EntrySecretSnapshot {
+            name: r.name,
+            secret_type: r.secret_type,
+            encrypted_hex: ::hex::encode(r.encrypted),
+        })
+        .collect();
+
+    let mut merged = match metadata.clone() {
+        Value::Object(obj) => obj,
+        _ => Map::new(),
+    };
+    merged.insert(
+        ENTRY_HISTORY_SECRETS_KEY.to_string(),
+        serde_json::to_value(snapshots)?,
+    );
+    Ok(Value::Object(merged))
+}
+
+pub fn strip_secret_snapshot_from_metadata(metadata: &Value) -> Value {
+    let mut m = match metadata.clone() {
+        Value::Object(obj) => obj,
+        _ => return metadata.clone(),
+    };
+    m.remove(ENTRY_HISTORY_SECRETS_KEY);
+    Value::Object(m)
+}
+
+pub fn entry_secret_snapshot_from_metadata(metadata: &Value) -> Option<Vec<EntrySecretSnapshot>> {
+    let Value::Object(map) = metadata else {
+        return None;
+    };
+    let raw = map.get(ENTRY_HISTORY_SECRETS_KEY)?;
+    serde_json::from_value(raw.clone()).ok()
+}
+
 // ── DB helpers ────────────────────────────────────────────────────────────────

crates/secrets-core/src/service/add.rs

@@ -223,8 +223,16 @@ pub async fn run(pool: &PgPool, params: AddParams<'_>, master_key: &[u8; 32]) ->
         .await?
     };
 
-    if let Some(ref ex) = existing
-        && let Err(e) = db::snapshot_entry_history(
+    if let Some(ref ex) = existing {
+        let history_metadata =
+            match db::metadata_with_secret_snapshot(&mut tx, ex.id, &ex.metadata).await {
+                Ok(v) => v,
+                Err(e) => {
+                    tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
+                    ex.metadata.clone()
+                }
+            };
+        if let Err(e) = db::snapshot_entry_history(
             &mut tx,
             db::EntrySnapshotParams {
                 entry_id: ex.id,
@@ -235,13 +243,14 @@ pub async fn run(pool: &PgPool, params: AddParams<'_>, master_key: &[u8; 32]) ->
                 version: ex.version,
                 action: "add",
                 tags: &ex.tags,
-                metadata: &ex.metadata,
+                metadata: &history_metadata,
             },
         )
         .await
         {
             tracing::warn!(error = %e, "failed to snapshot entry history before upsert");
         }
+    }
 
     // Upsert the entry row. On conflict (existing entry with same user_id+folder+name),
     // the entry columns are replaced wholesale. The old secret associations are torn down
@@ -303,26 +312,6 @@ pub async fn run(pool: &PgPool, params: AddParams<'_>, master_key: &[u8; 32]) ->
             .fetch_one(&mut *tx)
             .await?;
 
-    if existing.is_none()
-        && let Err(e) = db::snapshot_entry_history(
-            &mut tx,
-            db::EntrySnapshotParams {
-                entry_id,
-                user_id: params.user_id,
-                folder: params.folder,
-                entry_type,
-                name: params.name,
-                version: current_entry_version,
-                action: "create",
-                tags: params.tags,
-                metadata: &metadata,
-            },
-        )
-        .await
-    {
-        tracing::warn!(error = %e, "failed to snapshot entry history on create");
-    }
-
     if existing.is_some() {
         #[derive(sqlx::FromRow)]
         struct ExistingField {
@@ -432,6 +421,35 @@ pub async fn run(pool: &PgPool, params: AddParams<'_>, master_key: &[u8; 32]) ->
         }
     }
 
+    if existing.is_none() {
+        let history_metadata =
+            match db::metadata_with_secret_snapshot(&mut tx, entry_id, &metadata).await {
+                Ok(v) => v,
+                Err(e) => {
+                    tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
+                    metadata.clone()
+                }
+            };
+        if let Err(e) = db::snapshot_entry_history(
+            &mut tx,
+            db::EntrySnapshotParams {
+                entry_id,
+                user_id: params.user_id,
+                folder: params.folder,
+                entry_type,
+                name: params.name,
+                version: current_entry_version,
+                action: "create",
+                tags: params.tags,
+                metadata: &history_metadata,
+            },
+        )
+        .await
+        {
+            tracing::warn!(error = %e, "failed to snapshot entry history on create");
+        }
+    }
+
     crate::audit::log_tx(
         &mut tx,
         params.user_id,

crates/secrets-core/src/service/delete.rs

@@ -441,6 +441,15 @@ async fn snapshot_and_delete(
     row: &EntryRow,
     user_id: Option<Uuid>,
 ) -> Result<()> {
+    let history_metadata = match db::metadata_with_secret_snapshot(tx, row.id, &row.metadata).await
+    {
+        Ok(v) => v,
+        Err(e) => {
+            tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
+            row.metadata.clone()
+        }
+    };
+
     if let Err(e) = db::snapshot_entry_history(
         tx,
         db::EntrySnapshotParams {
@@ -452,7 +461,7 @@ async fn snapshot_and_delete(
             version: row.version,
             action: "delete",
             tags: &row.tags,
-            metadata: &row.metadata,
+            metadata: &history_metadata,
         },
     )
     .await

crates/secrets-core/src/service/history.rs

@@ -31,8 +31,11 @@ pub async fn run(
     let entry = resolve_entry(pool, name, folder, user_id).await?;
 
     let rows: Vec<Row> = sqlx::query_as(
-        "SELECT version, action, created_at FROM entries_history \
-         WHERE entry_id = $1 ORDER BY id DESC LIMIT $2",
+        "SELECT DISTINCT ON (version) version, action, created_at \
+         FROM entries_history \
+         WHERE entry_id = $1 \
+         ORDER BY version DESC, id DESC \
+         LIMIT $2",
     )
     .bind(entry.id)
     .bind(limit as i64)

crates/secrets-core/src/service/import.rs

@@ -54,7 +54,13 @@ pub async fn run(
         .bind(params.user_id)
         .fetch_one(pool)
         .await
-        .unwrap_or(false);
+        .map_err(|e| {
+            anyhow::anyhow!(
+                "Failed to check entry existence for '{}': {}",
+                entry.name,
+                e
+            )
+        })?;
 
         if exists && !params.force {
             return Err(anyhow::anyhow!(

crates/secrets-core/src/service/rollback.rs

@@ -1,3 +1,5 @@
+use std::collections::HashSet;
+
 use anyhow::Result;
 use serde_json::Value;
 use sqlx::PgPool;
@@ -122,7 +124,7 @@ pub async fn run(
         sqlx::query_as(
             "SELECT folder, type, version, action, tags, metadata \
              FROM entries_history \
-             WHERE entry_id = $1 AND version = $2 ORDER BY id DESC LIMIT 1",
+             WHERE entry_id = $1 AND version = $2 ORDER BY id ASC LIMIT 1",
         )
         .bind(entry_id)
         .bind(ver)
@@ -149,6 +151,9 @@ pub async fn run(
         )
     })?;
 
+    let snap_secret_snapshot = db::entry_secret_snapshot_from_metadata(&snap.metadata);
+    let snap_metadata = db::strip_secret_snapshot_from_metadata(&snap.metadata);
+
     let _ = master_key;
 
     let mut tx = pool.begin().await?;
@@ -176,6 +181,15 @@ pub async fn run(
     .await?;
 
     let live_entry_id = if let Some(ref lr) = live {
+        let history_metadata =
+            match db::metadata_with_secret_snapshot(&mut tx, lr.id, &lr.metadata).await {
+                Ok(v) => v,
+                Err(e) => {
+                    tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
+                    lr.metadata.clone()
+                }
+            };
+
         if let Err(e) = db::snapshot_entry_history(
             &mut tx,
             db::EntrySnapshotParams {
@@ -187,7 +201,7 @@ pub async fn run(
                 version: lr.version,
                 action: "rollback",
                 tags: &lr.tags,
-                metadata: &lr.metadata,
+                metadata: &history_metadata,
             },
         )
         .await
@@ -228,11 +242,13 @@ pub async fn run(
         }
 
         sqlx::query(
-            "UPDATE entries SET tags = $1, metadata = $2, version = version + 1, \
-             updated_at = NOW() WHERE id = $3",
+            "UPDATE entries SET folder = $1, type = $2, tags = $3, metadata = $4, version = version + 1, \
+             updated_at = NOW() WHERE id = $5",
         )
+        .bind(&snap.folder)
+        .bind(&snap.entry_type)
         .bind(&snap.tags)
-        .bind(&snap.metadata)
+        .bind(&snap_metadata)
         .bind(lr.id)
         .execute(&mut *tx)
         .await?;
@@ -250,7 +266,7 @@ pub async fn run(
             .bind(&snap.entry_type)
             .bind(name)
             .bind(&snap.tags)
-            .bind(&snap.metadata)
+            .bind(&snap_metadata)
             .bind(snap.version)
             .fetch_one(&mut *tx)
             .await?
@@ -264,16 +280,16 @@ pub async fn run(
             .bind(&snap.entry_type)
             .bind(name)
             .bind(&snap.tags)
-            .bind(&snap.metadata)
+            .bind(&snap_metadata)
             .bind(snap.version)
             .fetch_one(&mut *tx)
             .await?
         }
     };
 
-    // In N:N mode, rollback restores entry metadata/tags only.
-    // Secret snapshots are kept for audit but secret linkage/content is not rewritten here.
-    let _ = live_entry_id;
+    if let Some(secret_snapshot) = snap_secret_snapshot {
+        restore_entry_secrets(&mut tx, live_entry_id, user_id, &secret_snapshot).await?;
+    }
 
     crate::audit::log_tx(
         &mut tx,
@@ -298,3 +314,144 @@ pub async fn run(
         restored_version: snap.version,
     })
 }
+
+async fn restore_entry_secrets(
+    tx: &mut sqlx::Transaction<'_, sqlx::Postgres>,
+    entry_id: Uuid,
+    user_id: Option<Uuid>,
+    snapshot: &[db::EntrySecretSnapshot],
+) -> Result<()> {
+    #[derive(sqlx::FromRow)]
+    struct LinkedSecret {
+        id: Uuid,
+        name: String,
+        encrypted: Vec<u8>,
+    }
+
+    let linked: Vec<LinkedSecret> = sqlx::query_as(
+        "SELECT s.id, s.name, s.encrypted \
+         FROM entry_secrets es \
+         JOIN secrets s ON s.id = es.secret_id \
+         WHERE es.entry_id = $1",
+    )
+    .bind(entry_id)
+    .fetch_all(&mut **tx)
+    .await?;
+
+    let target_names: HashSet<&str> = snapshot.iter().map(|s| s.name.as_str()).collect();
+
+    for s in &linked {
+        if target_names.contains(s.name.as_str()) {
+            continue;
+        }
+        if let Err(e) = db::snapshot_secret_history(
+            tx,
+            db::SecretSnapshotParams {
+                secret_id: s.id,
+                name: &s.name,
+                encrypted: &s.encrypted,
+                action: "rollback",
+            },
+        )
+        .await
+        {
+            tracing::warn!(error = %e, "failed to snapshot secret before rollback unlink");
+        }
+
+        sqlx::query("DELETE FROM entry_secrets WHERE entry_id = $1 AND secret_id = $2")
+            .bind(entry_id)
+            .bind(s.id)
+            .execute(&mut **tx)
+            .await?;
+
+        sqlx::query(
+            "DELETE FROM secrets s \
+             WHERE s.id = $1 \
+               AND NOT EXISTS (SELECT 1 FROM entry_secrets es WHERE es.secret_id = s.id)",
+        )
+        .bind(s.id)
+        .execute(&mut **tx)
+        .await?;
+    }
+
+    for snap in snapshot {
+        let encrypted = ::hex::decode(&snap.encrypted_hex).map_err(|e| {
+            anyhow::anyhow!("invalid secret snapshot data for '{}': {}", snap.name, e)
+        })?;
+
+        #[derive(sqlx::FromRow)]
+        struct ExistingSecret {
+            id: Uuid,
+            encrypted: Vec<u8>,
+        }
+
+        let existing: Option<ExistingSecret> = if let Some(uid) = user_id {
+            sqlx::query_as("SELECT id, encrypted FROM secrets WHERE user_id = $1 AND name = $2")
+                .bind(uid)
+                .bind(&snap.name)
+                .fetch_optional(&mut **tx)
+                .await?
+        } else {
+            sqlx::query_as("SELECT id, encrypted FROM secrets WHERE user_id IS NULL AND name = $1")
+                .bind(&snap.name)
+                .fetch_optional(&mut **tx)
+                .await?
+        };
+
+        let secret_id = if let Some(ex) = existing {
+            if ex.encrypted != encrypted
+                && let Err(e) = db::snapshot_secret_history(
+                    tx,
+                    db::SecretSnapshotParams {
+                        secret_id: ex.id,
+                        name: &snap.name,
+                        encrypted: &ex.encrypted,
+                        action: "rollback",
+                    },
+                )
+                .await
+            {
+                tracing::warn!(error = %e, "failed to snapshot secret before rollback restore");
+            }
+            sqlx::query(
+                "UPDATE secrets SET type = $1, encrypted = $2, version = version + 1, updated_at = NOW() \
+                 WHERE id = $3",
+            )
+            .bind(&snap.secret_type)
+            .bind(&encrypted)
+            .bind(ex.id)
+            .execute(&mut **tx)
+            .await?;
+            ex.id
+        } else if let Some(uid) = user_id {
+            sqlx::query_scalar(
+                "INSERT INTO secrets (user_id, name, type, encrypted) VALUES ($1, $2, $3, $4) RETURNING id",
+            )
+            .bind(uid)
+            .bind(&snap.name)
+            .bind(&snap.secret_type)
+            .bind(&encrypted)
+            .fetch_one(&mut **tx)
+            .await?
+        } else {
+            sqlx::query_scalar(
+                "INSERT INTO secrets (user_id, name, type, encrypted) VALUES (NULL, $1, $2, $3) RETURNING id",
+            )
+            .bind(&snap.name)
+            .bind(&snap.secret_type)
+            .bind(&encrypted)
+            .fetch_one(&mut **tx)
+            .await?
+        };
+
+        sqlx::query(
+            "INSERT INTO entry_secrets (entry_id, secret_id) VALUES ($1, $2) ON CONFLICT DO NOTHING",
+        )
+        .bind(entry_id)
+        .bind(secret_id)
+        .execute(&mut **tx)
+        .await?;
+    }
+
+    Ok(())
+}

crates/secrets-core/src/service/update.rs

@@ -112,6 +112,15 @@ pub async fn run(
         }
     };
 
+    let history_metadata =
+        match db::metadata_with_secret_snapshot(&mut tx, row.id, &row.metadata).await {
+            Ok(v) => v,
+            Err(e) => {
+                tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
+                row.metadata.clone()
+            }
+        };
+
     if let Err(e) = db::snapshot_entry_history(
         &mut tx,
         db::EntrySnapshotParams {
@@ -123,7 +132,7 @@ pub async fn run(
             version: row.version,
             action: "update",
             tags: &row.tags,
-            metadata: &row.metadata,
+            metadata: &history_metadata,
         },
     )
     .await
@@ -481,6 +490,15 @@ pub async fn update_fields_by_id(
         }
     };
 
+    let history_metadata =
+        match db::metadata_with_secret_snapshot(&mut tx, row.id, &row.metadata).await {
+            Ok(v) => v,
+            Err(e) => {
+                tracing::warn!(error = %e, "failed to build secret snapshot for entry history");
+                row.metadata.clone()
+            }
+        };
+
     if let Err(e) = db::snapshot_entry_history(
         &mut tx,
         db::EntrySnapshotParams {
@@ -492,7 +510,7 @@ pub async fn update_fields_by_id(
             version: row.version,
             action: "update",
             tags: &row.tags,
-            metadata: &row.metadata,
+            metadata: &history_metadata,
         },
     )
     .await

crates/secrets-core/src/service/user.rs

@@ -200,10 +200,14 @@ pub async fn unbind_oauth_account(
         );
     }
 
-    let count: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM oauth_accounts WHERE user_id = $1")
+    let mut tx = pool.begin().await?;
+
+    let locked_accounts: Vec<(String,)> =
+        sqlx::query_as("SELECT provider FROM oauth_accounts WHERE user_id = $1 FOR UPDATE")
             .bind(user_id)
-        .fetch_one(pool)
+            .fetch_all(&mut *tx)
             .await?;
+    let count = locked_accounts.len();
 
     if count <= 1 {
         anyhow::bail!("Cannot unbind the last OAuth account. Please link another account first.");
@@ -212,8 +216,87 @@ pub async fn unbind_oauth_account(
     sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1 AND provider = $2")
         .bind(user_id)
         .bind(provider)
-        .execute(pool)
+        .execute(&mut *tx)
         .await?;
 
+    tx.commit().await?;
+
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    async fn maybe_test_pool() -> Option<PgPool> {
+        let database_url = match std::env::var("SECRETS_DATABASE_URL") {
+            Ok(v) => v,
+            Err(_) => {
+                eprintln!("skip user service tests: SECRETS_DATABASE_URL not set");
+                return None;
+            }
+        };
+        let pool = match sqlx::PgPool::connect(&database_url).await {
+            Ok(pool) => pool,
+            Err(e) => {
+                eprintln!("skip user service tests: cannot connect to database: {e}");
+                return None;
+            }
+        };
+        if let Err(e) = crate::db::migrate(&pool).await {
+            eprintln!("skip user service tests: migrate failed: {e}");
+            return None;
+        }
+        Some(pool)
+    }
+
+    async fn cleanup_user_rows(pool: &PgPool, user_id: Uuid) -> Result<()> {
+        sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1")
+            .bind(user_id)
+            .execute(pool)
+            .await?;
+        sqlx::query("DELETE FROM users WHERE id = $1")
+            .bind(user_id)
+            .execute(pool)
+            .await?;
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn unbind_oauth_account_removes_only_requested_provider() -> Result<()> {
+        let Some(pool) = maybe_test_pool().await else {
+            return Ok(());
+        };
+        let user_id = Uuid::from_u128(rand::random());
+
+        cleanup_user_rows(&pool, user_id).await?;
+
+        sqlx::query("INSERT INTO users (id, name) VALUES ($1, '')")
+            .bind(user_id)
+            .execute(&pool)
+            .await?;
+        sqlx::query(
+            "INSERT INTO oauth_accounts (user_id, provider, provider_id, email, name, avatar_url) \
+             VALUES ($1, 'google', $2, NULL, NULL, NULL), \
+                    ($1, 'github', $3, NULL, NULL, NULL)",
+        )
+        .bind(user_id)
+        .bind(format!("google-{user_id}"))
+        .bind(format!("github-{user_id}"))
+        .execute(&pool)
+        .await?;
+
+        unbind_oauth_account(&pool, user_id, "github", Some("google")).await?;
+
+        let remaining: Vec<(String,)> = sqlx::query_as(
+            "SELECT provider FROM oauth_accounts WHERE user_id = $1 ORDER BY provider",
+        )
+        .bind(user_id)
+        .fetch_all(&pool)
+        .await?;
+        assert_eq!(remaining, vec![("google".to_string(),)]);
+
+        cleanup_user_rows(&pool, user_id).await?;
+        Ok(())
+    }
+}

crates/secrets-mcp/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "secrets-mcp"
-version = "0.5.5"
+version = "0.5.7"
 edition.workspace = true
 
 [[bin]]

crates/secrets-mcp/src/logging.rs

@@ -1,9 +1,8 @@
-use std::net::SocketAddr;
 use std::time::Instant;
 
 use axum::{
     body::{Body, Bytes, to_bytes},
-    extract::{ConnectInfo, Request},
+    extract::Request,
     http::{
         HeaderMap, Method, StatusCode,
         header::{CONTENT_LENGTH, CONTENT_TYPE, USER_AGENT},
@@ -245,18 +244,5 @@ fn header_str(headers: &HeaderMap, name: impl axum::http::header::AsHeaderName)
 }
 
 fn client_ip(req: &Request) -> Option<String> {
-    if let Some(first) = req
-        .headers()
-        .get("x-forwarded-for")
-        .and_then(|v| v.to_str().ok())
-        .and_then(|s| s.split(',').next())
-    {
-        let s = first.trim();
-        if !s.is_empty() {
-            return Some(s.to_string());
-        }
-    }
-    req.extensions()
-        .get::<ConnectInfo<SocketAddr>>()
-        .map(|c| c.ip().to_string())
+    crate::client_ip::extract_client_ip(req).into()
 }

crates/secrets-mcp/src/main.rs

@@ -187,6 +187,9 @@ async fn main() -> Result<()> {
         ))
         .layer(session_layer)
         .layer(cors)
+        .layer(tower_http::limit::RequestBodyLimitLayer::new(
+            10 * 1024 * 1024,
+        ))
         .with_state(app_state);
 
     // ── Start server ──────────────────────────────────────────────────────────

crates/secrets-mcp/src/tools.rs

@@ -230,15 +230,6 @@ impl SecretsService {
         }
     }
 
-    /// Extract user_id from the HTTP request parts injected by auth middleware.
-    fn user_id_from_ctx(ctx: &RequestContext<RoleServer>) -> Result<Option<Uuid>, rmcp::ErrorData> {
-        let parts = ctx
-            .extensions
-            .get::<http::request::Parts>()
-            .ok_or_else(mcp_err_missing_http_parts)?;
-        Ok(parts.extensions.get::<AuthUser>().map(|a| a.user_id))
-    }
-
     /// Get the authenticated user_id (returns error if not authenticated).
     fn require_user_id(ctx: &RequestContext<RoleServer>) -> Result<Uuid, rmcp::ErrorData> {
         let parts = ctx
@@ -1142,7 +1133,7 @@ impl SecretsService {
         ctx: RequestContext<RoleServer>,
     ) -> Result<CallToolResult, rmcp::ErrorData> {
         let t = Instant::now();
-        let user_id = Self::user_id_from_ctx(&ctx)?;
+        let user_id = Self::require_user_id(&ctx)?;
 
         // Safety: require at least one filter.
         if input.id.is_none()
@@ -1172,9 +1163,9 @@ impl SecretsService {
             if let Some(ref id_str) = input.id {
                 let eid = parse_uuid(id_str)?;
                 let uid = user_id;
-                let entry = resolve_entry_by_id(&self.pool, eid, uid)
+                let entry = resolve_entry_by_id(&self.pool, eid, Some(uid))
                     .await
-                    .map_err(|e| mcp_err_internal_logged("secrets_delete", uid, e))?;
+                    .map_err(|e| mcp_err_internal_logged("secrets_delete", Some(uid), e))?;
                 (Some(entry.name), Some(entry.folder))
             } else {
                 (input.name.clone(), input.folder.clone())
@@ -1187,11 +1178,11 @@ impl SecretsService {
                 folder: effective_folder.as_deref(),
                 entry_type: input.entry_type.as_deref(),
                 dry_run: input.dry_run.unwrap_or(false),
-                user_id,
+                user_id: Some(user_id),
             },
         )
         .await
-        .map_err(|e| mcp_err_internal_logged("secrets_delete", user_id, e))?;
+        .map_err(|e| mcp_err_internal_logged("secrets_delete", Some(user_id), e))?;
 
         tracing::info!(
             tool = "secrets_delete",
@@ -1218,7 +1209,7 @@ impl SecretsService {
         ctx: RequestContext<RoleServer>,
     ) -> Result<CallToolResult, rmcp::ErrorData> {
         let t = Instant::now();
-        let user_id = Self::user_id_from_ctx(&ctx)?;
+        let user_id = Self::require_user_id(&ctx)?;
         tracing::info!(
             tool = "secrets_history",
             ?user_id,
@@ -1230,9 +1221,9 @@ impl SecretsService {
         let (resolved_name, resolved_folder): (String, Option<String>) =
             if let Some(ref id_str) = input.id {
                 let eid = parse_uuid(id_str)?;
-                let entry = resolve_entry_by_id(&self.pool, eid, user_id)
+                let entry = resolve_entry_by_id(&self.pool, eid, Some(user_id))
                     .await
-                    .map_err(|e| mcp_err_internal_logged("secrets_history", user_id, e))?;
+                    .map_err(|e| mcp_err_internal_logged("secrets_history", Some(user_id), e))?;
                 (entry.name, Some(entry.folder))
             } else {
                 (input.name.clone(), input.folder.clone())
@@ -1243,10 +1234,10 @@ impl SecretsService {
             &resolved_name,
             resolved_folder.as_deref(),
             input.limit.unwrap_or(20),
-            user_id,
+            Some(user_id),
         )
         .await
-        .map_err(|e| mcp_err_internal_logged("secrets_history", user_id, e))?;
+        .map_err(|e| mcp_err_internal_logged("secrets_history", Some(user_id), e))?;
 
         tracing::info!(
             tool = "secrets_history",

crates/secrets-mcp/src/web.rs

@@ -1,6 +1,6 @@
 use askama::Template;
 use chrono::SecondsFormat;
-use std::net::SocketAddr;
+use std::net::{IpAddr, SocketAddr};
 
 use axum::{
     Json, Router,
@@ -176,14 +176,33 @@ async fn current_user_id(session: &Session) -> Option<Uuid> {
 }
 
 fn request_client_ip(headers: &HeaderMap, connect_info: ConnectInfo<SocketAddr>) -> Option<String> {
+    let trust_proxy = std::env::var("TRUST_PROXY")
+        .as_deref()
+        .is_ok_and(|v| matches!(v, "1" | "true" | "yes"));
+    request_client_ip_with_trust_proxy(headers, connect_info, trust_proxy)
+}
+
+fn request_client_ip_with_trust_proxy(
+    headers: &HeaderMap,
+    connect_info: ConnectInfo<SocketAddr>,
+    trust_proxy: bool,
+) -> Option<String> {
+    if trust_proxy {
         if let Some(first) = headers
             .get("x-forwarded-for")
             .and_then(|v| v.to_str().ok())
             .and_then(|s| s.split(',').next())
         {
             let value = first.trim();
-        if !value.is_empty() {
-            return Some(value.to_string());
+            if let Ok(ip) = value.parse::<IpAddr>() {
+                return Some(ip.to_string());
+            }
+        }
+        if let Some(value) = headers.get("x-real-ip").and_then(|v| v.to_str().ok()) {
+            let value = value.trim();
+            if let Ok(ip) = value.parse::<IpAddr>() {
+                return Some(ip.to_string());
+            }
         }
     }
 
@@ -234,10 +253,6 @@ pub fn web_router() -> Router<AppState> {
         .route("/entries", get(entries_page))
         .route("/audit", get(audit_page))
         .route("/account/bind/google", get(account_bind_google))
-        .route(
-            "/account/bind/google/callback",
-            get(account_bind_google_callback),
-        )
         .route("/account/unbind/{provider}", post(account_unbind))
         .route("/api/key-salt", get(api_key_salt))
         .route("/api/key-setup", post(api_key_setup))
@@ -909,14 +924,9 @@ async fn account_bind_google(
             StatusCode::INTERNAL_SERVER_ERROR
         })?;
 
-    let redirect_uri = format!("{}/account/bind/google/callback", state.base_url);
-    let mut cfg = state
-        .google_config
-        .clone()
-        .ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
-    cfg.redirect_uri = redirect_uri;
-    let st = random_state();
-    if let Err(e) = session.insert(SESSION_OAUTH_STATE, &st).await {
+    let config = google_cfg(&state).ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
+    let oauth_state = random_state();
+    if let Err(e) = session.insert(SESSION_OAUTH_STATE, &oauth_state).await {
         tracing::error!(error = %e, "failed to insert oauth_state for account bind flow");
         if let Err(rm) = session.remove::<bool>(SESSION_OAUTH_BIND_MODE).await {
             tracing::warn!(error = %rm, "failed to roll back oauth_bind_mode after oauth_state insert failure");
@@ -924,34 +934,8 @@ async fn account_bind_google(
         return Err(StatusCode::INTERNAL_SERVER_ERROR);
     }
 
-    Ok(Redirect::to(&google_auth_url(&cfg, &st)).into_response())
-}
-
-async fn account_bind_google_callback(
-    State(state): State<AppState>,
-    connect_info: ConnectInfo<SocketAddr>,
-    headers: HeaderMap,
-    session: Session,
-    Query(params): Query<OAuthCallbackQuery>,
-) -> Result<Response, StatusCode> {
-    let client_ip = request_client_ip(&headers, connect_info);
-    let user_agent = request_user_agent(&headers);
-    handle_oauth_callback(
-        &state,
-        &session,
-        params,
-        "google",
-        client_ip.as_deref(),
-        user_agent.as_deref(),
-        |s, cfg, code| {
-            Box::pin(crate::oauth::google::exchange_code(
-                &s.http_client,
-                cfg,
-                code,
-            ))
-        },
-    )
-    .await
+    let url = google_auth_url(config, &oauth_state);
+    Ok(Redirect::to(&url).into_response())
 }
 
 async fn account_unbind(
@@ -1742,6 +1726,34 @@ fn format_audit_target(folder: &str, entry_type: &str, name: &str) -> String {
 mod tests {
     use super::*;
 
+    #[test]
+    fn request_client_ip_ignores_forwarded_headers_without_trusted_proxy() {
+        let mut headers = HeaderMap::new();
+        headers.insert("x-forwarded-for", "203.0.113.10".parse().unwrap());
+
+        let ip = request_client_ip_with_trust_proxy(
+            &headers,
+            ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 9315))),
+            false,
+        );
+
+        assert_eq!(ip.as_deref(), Some("127.0.0.1"));
+    }
+
+    #[test]
+    fn request_client_ip_uses_valid_forwarded_header_with_trusted_proxy() {
+        let mut headers = HeaderMap::new();
+        headers.insert("x-forwarded-for", "203.0.113.10, 10.0.0.1".parse().unwrap());
+
+        let ip = request_client_ip_with_trust_proxy(
+            &headers,
+            ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 9315))),
+            true,
+        );
+
+        assert_eq!(ip.as_deref(), Some("203.0.113.10"));
+    }
+
     #[test]
     fn request_ui_lang_prefers_zh_cn_over_en_fallback() {
         let mut headers = HeaderMap::new();

deploy/.env.example

@@ -30,3 +30,24 @@ GOOGLE_CLIENT_SECRET=
 
 # ─── 日志（可选）──────────────────────────────────────────────────────
 # RUST_LOG=secrets_mcp=debug
+
+# ─── 数据库连接池（可选）──────────────────────────────────────────────
+# 最大连接数，默认 10
+# SECRETS_DATABASE_POOL_SIZE=10
+# 获取连接超时秒数，默认 5
+# SECRETS_DATABASE_ACQUIRE_TIMEOUT=5
+
+# ─── 限流（可选）──────────────────────────────────────────────────────
+# 全局限流速率（req/s），默认 100
+# RATE_LIMIT_GLOBAL_PER_SECOND=100
+# 全局限流突发量，默认 200
+# RATE_LIMIT_GLOBAL_BURST=200
+# 单 IP 限流速率（req/s），默认 20
+# RATE_LIMIT_IP_PER_SECOND=20
+# 单 IP 限流突发量，默认 40
+# RATE_LIMIT_IP_BURST=40
+
+# ─── 代理信任（可选）─────────────────────────────────────────────────
+# 设为 1/true/yes 时从 X-Forwarded-For / X-Real-IP 提取客户端 IP
+# 仅在反代环境下启用，否则客户端可伪造 IP 绕过限流
+# TRUST_PROXY=1

scripts/sync-test-to-prod.sh

@@ -1,95 +0,0 @@
-#!/bin/bash
-# 同步测试环境数据到生产环境
-# 用法: ./scripts/sync-test-to-prod.sh
-
-set -euo pipefail
-
-# PostgreSQL 客户端工具路径 (Homebrew libpq)
-export PATH="/opt/homebrew/opt/libpq/bin:$PATH"
-
-# SSL 配置
-export PGSSLMODE=verify-full
-export PGSSLROOTCERT=/etc/ssl/cert.pem
-
-# 测试环境
-TEST_DB="postgres://postgres:Voson_2026_Pg18!@db.refining.ltd:5432/secrets-nn-test"
-
-# 生产环境
-PROD_DB="postgres://postgres:Voson_2026_Pg18!@db.refining.ltd:5432/secrets-nn-prod"
-
-echo "========================================="
-echo "  测试环境 -> 生产环境 数据同步"
-echo "========================================="
-echo ""
-
-# 确认操作
-read -p "⚠️  此操作将覆盖生产环境数据,确认继续? (yes/no): " confirm
-if [ "$confirm" != "yes" ]; then
-    echo "已取消"
-    exit 0
-fi
-
-echo ""
-echo "步骤 1/4: 导出测试环境数据..."
-TEMP_DIR=$(mktemp -d)
-trap "rm -rf $TEMP_DIR" EXIT
-
-# 导出测试环境数据(不含审计日志和历史记录)
-pg_dump "$TEST_DB" \
-    --table=entries \
-    --table=secrets \
-    --table=entry_secrets \
-    --table=users \
-    --table=oauth_accounts \
-    --data-only \
-    --column-inserts \
-    --no-owner \
-    --no-privileges \
-    > "$TEMP_DIR/test_data.sql"
-
-echo "✓ 测试数据已导出到临时文件"
-echo "  文件大小: $(du -h "$TEMP_DIR/test_data.sql" | cut -f1)"
-
-echo ""
-echo "步骤 2/4: 备份当前生产数据..."
-pg_dump "$PROD_DB" \
-    --table=entries \
-    --table=secrets \
-    --table=entry_secrets \
-    --table=users \
-    --table=oauth_accounts \
-    --data-only \
-    --column-inserts \
-    --no-owner \
-    --no-privileges \
-    > "$TEMP_DIR/prod_backup_$(date +%Y%m%d_%H%M%S).sql"
-
-echo "✓ 生产数据已备份"
-
-echo ""
-echo "步骤 3/4: 清空生产环境目标表..."
-psql "$PROD_DB" <<'SQL'
-TRUNCATE TABLE entry_secrets CASCADE;
-TRUNCATE TABLE secrets CASCADE;
-TRUNCATE TABLE entries CASCADE;
-SQL
-
-echo "✓ 生产环境目标表已清空"
-
-echo ""
-echo "步骤 4/4: 导入测试数据到生产环境..."
-psql "$PROD_DB" -f "$TEMP_DIR/test_data.sql" 2>&1 | tail -20
-
-echo ""
-echo "验证数据..."
-echo "生产环境数据统计:"
-psql "$PROD_DB" -c "SELECT 'users' as table_name, count(*) FROM users UNION ALL SELECT 'entries', count(*) FROM entries UNION ALL SELECT 'secrets', count(*) FROM secrets UNION ALL SELECT 'entry_secrets', count(*) FROM entry_secrets UNION ALL SELECT 'oauth_accounts', count(*) FROM oauth_accounts ORDER BY table_name;"
-
-echo ""
-echo "========================================="
-echo "  ✓ 数据同步完成!"
-echo "========================================="
-echo ""
-echo "提示:"
-echo "  - 生产数据备份已保存在临时目录"
-echo "  - 临时文件将在脚本退出后自动删除"