feat(pass): add --metadata flag to pass set

Benehiko · Benehiko · commit afc67a674264 · 2026-03-19T14:02:41.000+01:00
The `pass set` command now accepts non-sensitive key=value metadata
alongside the secret value via the new `--metadata` flag (repeatable):

  pass set docker/foo=bar --metadata owner=alice --metadata expiry=2027-03-01

When reading from STDIN, a JSON payload can carry both the secret and
metadata in one input:

  echo '{"secret":"bar","metadata":{"owner":"alice"}}' | pass set docker/foo

If both STDIN JSON metadata and --metadata flags are provided, the flag
values take precedence on key collision. Plain STDIN input (non-JSON) is
unchanged.

Metadata is stored on PassValue via SetMetadata/Metadata, which were
previously no-op stubs.

Signed-off-by: Alano Terblanche &lt;18033717+Benehiko@users.noreply.github.com&gt;
diff --git a/plugins/pass/command_test.go b/plugins/pass/command_test.go
@@ -69,6 +69,47 @@ func Test_rootCommand(t *testing.T) {
 			require.True(t, ok)
 			assert.Equal(t, "my\nmultiline\nvalue", string(impl.Value))
 		})
+		t.Run("with --metadata flag", func(t *testing.T) {
+			mock := teststore.NewMockStore()
+			out, err := executeCommand(Root(t.Context(), mock, mockInfo), "set", "foo=bar", "--metadata", "name=bob", "--metadata", "expiry=2027-03-01")
+			assert.NoError(t, err)
+			assert.Empty(t, out)
+			s, err := mock.Get(t.Context(), secrets.MustParseID("foo"))
+			require.NoError(t, err)
+			impl, ok := s.(*pass.PassValue)
+			require.True(t, ok)
+			assert.Equal(t, "bar", string(impl.Value))
+			assert.Equal(t, map[string]string{"name": "bob", "expiry": "2027-03-01"}, impl.Metadata())
+		})
+		t.Run("from STDIN JSON with value and metadata", func(t *testing.T) {
+			mock := teststore.NewMockStore()
+			out, err := executeCommandWithStdin(Root(t.Context(), mock, mockInfo), `{"secret":"bar","metadata":{"name":"bob"}}`, "set", "foo")
+			assert.NoError(t, err)
+			assert.Empty(t, out)
+			s, err := mock.Get(t.Context(), secrets.MustParseID("foo"))
+			require.NoError(t, err)
+			impl, ok := s.(*pass.PassValue)
+			require.True(t, ok)
+			assert.Equal(t, "bar", string(impl.Value))
+			assert.Equal(t, map[string]string{"name": "bob"}, impl.Metadata())
+		})
+		t.Run("from STDIN JSON merged with --metadata flag wins on collision", func(t *testing.T) {
+			mock := teststore.NewMockStore()
+			out, err := executeCommandWithStdin(Root(t.Context(), mock, mockInfo), `{"secret":"bar","metadata":{"name":"bob","extra":"thing"}}`, "set", "foo", "--metadata", "name=alice")
+			assert.NoError(t, err)
+			assert.Empty(t, out)
+			s, err := mock.Get(t.Context(), secrets.MustParseID("foo"))
+			require.NoError(t, err)
+			impl, ok := s.(*pass.PassValue)
+			require.True(t, ok)
+			assert.Equal(t, "bar", string(impl.Value))
+			assert.Equal(t, map[string]string{"name": "alice", "extra": "thing"}, impl.Metadata())
+		})
+		t.Run("invalid --metadata flag (no =)", func(t *testing.T) {
+			mock := teststore.NewMockStore()
+			_, err := executeCommand(Root(t.Context(), mock, mockInfo), "set", "foo=bar", "--metadata", "invalid")
+			assert.ErrorContains(t, err, "invalid metadata pair (expected key=value): invalid")
+		})
 		t.Run("store error", func(t *testing.T) {
 			errSave := errors.New("save error")
 			mock := teststore.NewMockStore(teststore.WithStoreSaveErr(errSave))
diff --git a/plugins/pass/commands/set.go b/plugins/pass/commands/set.go
@@ -16,8 +16,10 @@ package commands
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
+	"maps"
 	"strings"
 
 	"github.com/spf13/cobra"
@@ -34,9 +36,25 @@ docker pass set POSTGRES_PASSWORD=my-secret-password
 # Or pass the secret via STDIN:
 echo my-secret-password > pwd.txt
 cat pwd.txt | docker pass set POSTGRES_PASSWORD
+
+# Set a secret with metadata:
+docker pass set POSTGRES_PASSWORD=my-secret-password --metadata owner=alice --metadata expiry=2027-03-01
+
+# Or pass a JSON payload with secret and metadata via STDIN:
+echo '{"secret":"my-secret-password","metadata":{"owner":"alice"}}' | docker pass set POSTGRES_PASSWORD
 `
 
+type setOpts struct {
+	metadata []string // raw "key=value" strings from --metadata flag
+}
+
+type stdinPayload struct {
+	Secret   string            `json:"secret"`
+	Metadata map[string]string `json:"metadata,omitempty"`
+}
+
 func SetCommand(kc store.Store) *cobra.Command {
+	opts := setOpts{}
 	cmd := &cobra.Command{
 		Use:     "set id[=value]",
 		Aliases: []string{"store", "save"},
@@ -62,12 +80,47 @@ func SetCommand(kc store.Store) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			return kc.Save(cmd.Context(), id, &pass.PassValue{Value: []byte(s.val)})
+
+			flagMeta, err := parseMetadataFlags(opts.metadata)
+			if err != nil {
+				return err
+			}
+
+			// Merge: start with STDIN JSON metadata, override with flag metadata
+			merged := maps.Clone(s.metadata)
+			for k, v := range flagMeta {
+				if merged == nil {
+					merged = make(map[string]string)
+				}
+				merged[k] = v
+			}
+
+			pv := &pass.PassValue{Value: []byte(s.val)}
+			if len(merged) > 0 {
+				if err := pv.SetMetadata(merged); err != nil {
+					return err
+				}
+			}
+			return kc.Save(cmd.Context(), id, pv)
 		},
 	}
+	flags := cmd.Flags()
+	flags.StringArrayVar(&opts.metadata, "metadata", nil, "Non-sensitive key=value metadata (repeatable)")
 	return cmd
 }
 
+func parseMetadataFlags(raw []string) (map[string]string, error) {
+	m := make(map[string]string, len(raw))
+	for _, kv := range raw {
+		k, v, ok := strings.Cut(kv, "=")
+		if !ok {
+			return nil, fmt.Errorf("invalid metadata pair (expected key=value): %s", kv)
+		}
+		m[k] = v
+	}
+	return m, nil
+}
+
 func isNotImplicitReadFromStdinSyntax(args []string) bool {
 	return strings.Contains(args[0], "=") || len(args) > 1
 }
@@ -79,15 +132,17 @@ func secretMappingFromSTDIN(ctx context.Context, reader io.Reader, id string) (*
 	}
 	defer clear(data)
 
-	return &secret{
-		id:  id,
-		val: string(data),
-	}, nil
+	var payload stdinPayload
+	if err := json.Unmarshal(data, &payload); err == nil && payload.Secret != "" {
+		return &secret{id: id, val: payload.Secret, metadata: payload.Metadata}, nil
+	}
+	return &secret{id: id, val: string(data)}, nil
 }
 
 type secret struct {
-	id  string
-	val string
+	id       string
+	val      string
+	metadata map[string]string
 }
 
 func parseArg(arg string) (*secret, error) {
diff --git a/plugins/pass/store/store.go b/plugins/pass/store/store.go
@@ -24,7 +24,8 @@ import (
 var _ store.Secret = &PassValue{}
 
 type PassValue struct {
-	Value []byte `json:"value"`
+	Value    []byte            `json:"value"`
+	metadata map[string]string // not exported; populated via SetMetadata
 }
 
 func (m *PassValue) Marshal() ([]byte, error) {
@@ -37,10 +38,11 @@ func (m *PassValue) Unmarshal(data []byte) error {
 }
 
 func (m *PassValue) Metadata() map[string]string {
-	return nil
+	return m.metadata
 }
 
-func (m *PassValue) SetMetadata(map[string]string) error {
+func (m *PassValue) SetMetadata(md map[string]string) error {
+	m.metadata = md
 	return nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,8 @@ import (`
`24`	`24`	`var _ store.Secret = &PassValue{}`
`25`	`25`
`26`	`26`	`type PassValue struct {`
`27`		- Value []byte `json:"value"`
	`27`	+ Value []byte `json:"value"`
	`28`	`+ metadata map[string]string // not exported; populated via SetMetadata`
`28`	`29`	`}`
`29`	`30`
`30`	`31`	`func (m *PassValue) Marshal() ([]byte, error) {`
`@@ -37,10 +38,11 @@ func (m *PassValue) Unmarshal(data []byte) error {`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	`func (m *PassValue) Metadata() map[string]string {`
`40`		`- return nil`
	`41`	`+ return m.metadata`
`41`	`42`	`}`
`42`	`43`
`43`		`-func (m *PassValue) SetMetadata(map[string]string) error {`
	`44`	`+func (m *PassValue) SetMetadata(md map[string]string) error {`
	`45`	`+ m.metadata = md`
`44`	`46`	`return nil`
`45`	`47`	`}`
`46`	`48`