
feat(pass): add --metadata flag to pass set #499

Merged
Benehiko merged 2 commits into main from feat/pass/cli
Mar 19, 2026

Conversation

@Benehiko
Member

The `pass set` command now accepts non-sensitive key=value metadata alongside the secret value via the new `--metadata` flag (repeatable):

  pass set docker/foo=bar --metadata owner=alice --metadata expiry=2027-03-01

When reading from STDIN, a JSON payload can carry both the secret and metadata in one input:

  echo '{"secret":"bar","metadata":{"owner":"alice"}}' | pass set docker/foo

If both STDIN JSON metadata and `--metadata` flags are provided, the flag values take precedence on key collision. Plain STDIN input (non-JSON) is unchanged.

Metadata is stored on `PassValue` via `SetMetadata`/`Metadata`, which were previously no-op stubs.

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>
@Benehiko Benehiko requested a review from joe0BAB March 19, 2026 13:03

@docker-agent docker-agent bot left a comment


🔴 CRITICAL Issue Found

Assessment

This PR introduces a critical data loss bug that breaks the metadata feature for persistent storage. The metadata field is not included in serialization, causing all metadata to be silently discarded when secrets are saved.

Summary

  • 1 CRITICAL issue found: Metadata persistence broken
  • Issue Type: Data integrity/loss

Details

The --metadata flag implementation works correctly at the command level and in tests, but the metadata is never persisted to disk. The Marshal() method (line 31) only serializes the Value field, completely ignoring the metadata field added in this PR. When secrets are loaded via Unmarshal(), the metadata will always be nil.

This makes the entire metadata feature non-functional for any real storage backend. The tests pass only because they use a mock store that doesn't exercise the Marshal/Unmarshal cycle.

Recommendation: Update both Marshal() and Unmarshal() methods to include the metadata field in serialization.
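
The merge rules from the PR description and the persistence gap the docker-agent review raises, as an added Go example that is not docker/cli code: `PassValue`, `buildPassValue` and `roundTrip` are hypothetical stand-ins, and plain STDIN is assumed to be the whole input minus a trailing newline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PassValue is a hypothetical stand-in for the CLI's type (not docker/cli
// code). Both fields carry JSON tags so the Marshal/Unmarshal cycle keeps
// the metadata; the same shape doubles as the accepted STDIN payload.
type PassValue struct {
	Value    string            `json:"secret"`
	Metadata map[string]string `json:"metadata,omitempty"`
}

// roundTrip serializes and reloads a value, the persistence path the review
// comment says must include metadata.
func roundTrip(pv PassValue) (PassValue, error) {
	b, err := json.Marshal(pv)
	if err != nil {
		return PassValue{}, err
	}
	var out PassValue
	return out, json.Unmarshal(b, &out)
}

// buildPassValue applies the rules from the PR description: STDIN is either
// a JSON {"secret":..,"metadata":{..}} payload or a plain secret (assumed to
// be the whole input minus a trailing newline), and repeated --metadata
// key=value flags are merged on top, winning on key collision.
func buildPassValue(stdin string, flags []string) (PassValue, error) {
	var pv PassValue
	if json.Unmarshal([]byte(stdin), &pv) != nil || pv.Value == "" {
		pv = PassValue{Value: strings.TrimRight(stdin, "\r\n")} // plain STDIN
	}
	if pv.Metadata == nil {
		pv.Metadata = map[string]string{}
	}
	for _, f := range flags {
		k, v, ok := strings.Cut(f, "=")
		if !ok || k == "" {
			return PassValue{}, fmt.Errorf("invalid --metadata %q: want key=value", f)
		}
		pv.Metadata[k] = v // flag value overrides STDIN metadata
	}
	return pv, nil
}
```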

@Benehiko Benehiko merged commit 88eb7a4 into main Mar 19, 2026
11 checks passed
@Benehiko Benehiko deleted the feat/pass/cli branch March 19, 2026 15:51