feat(show): allow repeated -k and -K with -k

dbohdan · dbohdan · commit 9ec25892154d · 2025-10-05T08:29:14.000Z
Also support repeated `-k`/`--key` in `clip` and `pick`.
diff --git a/README.md b/README.md
@@ -283,7 +283,9 @@ pago show services/my-api-custom-default
 ```
 
 You can retrieve other values from the TOML entry using the `-k`/`--key` option with `show`, `clip`, and `pick`.
+The option can be repeated to access nested keys.
 To see all available keys (sorted), use the `-K`/`--keys` option with `show`.
+You can combine this with `-k`/`--key` to list keys within a nested table.
 
 ```shell
 # List all keys in the entry.
@@ -294,13 +296,21 @@ pago show --keys services/my-api
 # => url
 # => user
 
+# List all keys in a nested table.
+pago show --keys -k table entry-with-table
+# => key
+
 # You can also pick an entry to list keys from.
 pago show -K -p
 
 # Show the user from the TOML entry.
 pago show -k user services/my-api
 # => jdoe
 
+# Show a nested key.
+pago show entry-with-table -k table -k key
+# => value
+
 # Show an array.
 pago show -k numbers services/my-api
 # => [1, 1, 2, 3, 5]
@@ -311,7 +321,7 @@ pago clip -k key services/my-api
 
 When an entry is parsed as TOML, pago can retrieve scalar values (strings, numbers, booleans) and arrays of scalars.
 Arrays and scalars other than strings are encoded as TOML for output.
-pago cannot retrieve tables.
+pago cannot retrieve tables directly, but it can traverse them to access nested values.
 
 ### TOTP
 
diff --git a/cmd/pago/main.go b/cmd/pago/main.go
@@ -276,10 +276,10 @@ func (cmd *StopCmd) Run(config *Config) error {
 type ClipCmd struct {
 	Name string `arg:"" optional:"" help:"Name of the password entry"`
 
-	Command string `short:"c" env:"${ClipEnv}" help:"Command for copying text from stdin to clipboard (${env})"`
-	Key     string `short:"k" help:"Retrieve a key from a TOML entry"`
-	Pick    bool   `short:"p" help:"Pick entry using fuzzy finder"`
-	Timeout int    `short:"t" env:"${TimeoutEnv}" default:"30" help:"Clipboard timeout (0 to disable, ${env})"`
+	Command string   `short:"c" env:"${ClipEnv}" help:"Command for copying text from stdin to clipboard (${env})"`
+	Key     []string `short:"k" help:"Retrieve a key from a TOML entry (repeatable)"`
+	Pick    bool     `short:"p" help:"Pick entry using fuzzy finder"`
+	Timeout int      `short:"t" env:"${TimeoutEnv}" default:"30" help:"Clipboard timeout (0 to disable, ${env})"`
 }
 
 // copyToClipboard executes a command to copy text to the system clipboard.
@@ -375,17 +375,30 @@ func generateOTP(otpURL string) (string, error) {
 	return code, nil
 }
 
+// quoteKeyPath formats a TOML key path for display in error messages.
+// It does so by quoting each key with %q and joining them with periods.
+// For example: []string{"a", "b"} becomes "a"."b"
+func quoteKeyPath(keys []string) string {
+	quoted := []string{}
+
+	for _, key := range keys {
+		quoted = append(quoted, fmt.Sprintf("%q", key))
+	}
+
+	return strings.Join(quoted, ".")
+}
+
 // getPassword decrypts an entry and returns its content, or a specific key's
 // value if it's a TOML entry.
-func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name, key string) (string, error) {
+func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name string, keys []string) (string, error) {
 	content, err := decryptEntry(agentExecutable, agentExpire, agentMemlock, agentSocket, identities, passwordStore, name)
 	if err != nil {
 		return "", err
 	}
 
 	if !isTOML(content) {
-		if key != "" {
-			return "", fmt.Errorf("%q is not a TOML entry; cannot use key", name)
+		if len(keys) > 0 {
+			return "", fmt.Errorf("%q is not a TOML entry; cannot use keys", name)
 		}
 
 		return content, nil
@@ -396,33 +409,44 @@ func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock
 		return "", fmt.Errorf("failed to parse entry as TOML: %w", err)
 	}
 
-	if key == "" {
-		key = "password"
+	effectiveKeys := keys
+	if len(effectiveKeys) == 0 {
+		key := pago.DefaultTOMLPasswordKey
 
-		if defaultKey, ok := data["default"]; ok {
+		if defaultKey, ok := data[pago.TOMLDefaultKey]; ok {
 			if defaultKeyStr, ok := defaultKey.(string); ok {
 				key = defaultKeyStr
 			} else {
-				return "", fmt.Errorf(`key "default" must have string value`)
+				return "", fmt.Errorf("key %q must have string value", pago.TOMLDefaultKey)
 			}
 		}
+		effectiveKeys = []string{key}
 	}
 
-	value, ok := data[key]
-	if !ok {
-		return "", fmt.Errorf("key %q not found in entry %q", key, name)
+	var value any = data
+	for i, key := range effectiveKeys {
+		currentMap, ok := value.(map[string]any)
+		if !ok {
+			return "", fmt.Errorf("value at key path %s is not a table", quoteKeyPath(effectiveKeys[:i]))
+		}
+
+		v, ok := currentMap[key]
+		if !ok {
+			return "", fmt.Errorf("key path %s not found in entry %q", quoteKeyPath(effectiveKeys[:i+1]), name)
+		}
+		value = v
 	}
 
 	v := reflect.ValueOf(value)
 	switch v.Kind() {
 
 	case reflect.Map:
-		return "", fmt.Errorf("key %q in entry %q is a table", key, name)
+		return "", fmt.Errorf("key path %s in entry %q is a table", quoteKeyPath(effectiveKeys), name)
 
 	case reflect.String:
 		s := v.String()
 
-		if key == "otp" {
+		if len(effectiveKeys) > 0 && effectiveKeys[len(effectiveKeys)-1] == "otp" {
 			return generateOTP(s)
 		}
 
@@ -794,7 +818,7 @@ func (cmd *InitCmd) Run(config *Config) error {
 type PickCmd struct {
 	Name string `arg:"" optional:"" help:"Name of the password entry"`
 
-	Key string `short:"k" help:"Retrieve a key from a TOML entry"`
+	Key []string `short:"k" help:"Retrieve a key from a TOML entry (repeatable)"`
 }
 
 func (cmd *PickCmd) Run(config *Config) error {
@@ -993,7 +1017,7 @@ func (cmd *RewrapCmd) Run(config *Config) error {
 }
 
 // getTOMLKeys decrypts a TOML entry and returns a sorted list of its keys.
-func getTOMLKeys(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name string) ([]string, error) {
+func getTOMLKeys(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name string, keyPath []string) ([]string, error) {
 	content, err := decryptEntry(agentExecutable, agentExpire, agentMemlock, agentSocket, identities, passwordStore, name)
 	if err != nil {
 		return nil, err
@@ -1008,8 +1032,30 @@ func getTOMLKeys(agentExecutable string, agentExpire time.Duration, agentMemlock
 		return nil, fmt.Errorf("failed to parse entry as TOML: %w", err)
 	}
 
-	keys := make([]string, 0, len(data))
-	for k := range data {
+	var value any = data
+	for i, key := range keyPath {
+		currentMap, ok := value.(map[string]any)
+		if !ok {
+			return nil, fmt.Errorf("value at key path %s is not a table", quoteKeyPath(keyPath[:i]))
+		}
+
+		v, ok := currentMap[key]
+		if !ok {
+			return nil, fmt.Errorf("key path %s not found in entry %q", quoteKeyPath(keyPath[:i+1]), name)
+		}
+		value = v
+	}
+
+	currentMap, ok := value.(map[string]any)
+	if !ok {
+		if len(keyPath) > 0 {
+			return nil, fmt.Errorf("value at key path %s is not a table", quoteKeyPath(keyPath))
+		}
+		return nil, fmt.Errorf("entry %q is not a TOML table", name)
+	}
+
+	keys := make([]string, 0, len(currentMap))
+	for k := range currentMap {
 		keys = append(keys, k)
 	}
 	sort.Strings(keys)
@@ -1020,9 +1066,9 @@ func getTOMLKeys(agentExecutable string, agentExpire time.Duration, agentMemlock
 type ShowCmd struct {
 	Name string `arg:"" optional:"" help:"Name of the password entry"`
 
-	Key  string `short:"k" help:"Retrieve a key from a TOML entry" xor:"toml"`
-	Keys bool   `short:"K" help:"List keys in a TOML entry" xor:"toml"`
-	Pick bool   `short:"p" help:"Pick entry using fuzzy finder"`
+	Key  []string `short:"k" help:"Retrieve a key from a TOML entry (repeatable)"`
+	Keys bool     `short:"K" help:"List keys in a TOML entry"`
+	Pick bool     `short:"p" help:"Pick entry using fuzzy finder"`
 }
 
 func (cmd *ShowCmd) Run(config *Config) error {
@@ -1065,6 +1111,7 @@ func (cmd *ShowCmd) Run(config *Config) error {
 			config.Identities,
 			config.Store,
 			name,
+			cmd.Key,
 		)
 		if err != nil {
 			return err
diff --git a/config.go b/config.go
@@ -25,11 +25,15 @@ const (
 	Version          = "0.23.0"
 	WaitForSocket    = 3 * time.Second
 
+	// Configurable defaults.
 	DefaultAgent           = "pago-agent"
 	DefaultGitEmail        = "pago@localhost"
 	DefaultGitName         = "pago password manager"
 	DefaultPasswordLength  = "20"
 	DefaultPasswordPattern = "[A-Za-z0-9]"
+	// Not currently configurable.
+	DefaultTOMLPasswordKey = "password"
+	TOMLDefaultKey = "default"
 
 	AgentEnv    = "PAGO_AGENT"
 	ClipEnv     = "PAGO_CLIP"
diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -720,7 +720,12 @@ bar = 5
 phi = 1.68
 # Another comment.
 baz = [1, 2, 3, true, false]
-qux = {"key" = "value"}
+
+[qux]
+key = "value"
+
+[qux.nested]
+deep = "secret"
 `)
 		var stdout, stderr bytes.Buffer
 		cmd.Stdout = &stdout
@@ -754,19 +759,22 @@ foo = "secret"
 
 		testCases := []struct {
 			entry    string
-			key      string
+			keys     []string
 			expected string
 			wantErr  bool
 		}{
-			{"toml", "", "hunter2", false},
-			{"toml", "foo", "string", false},
-			{"toml", "bar", "5", false},
-			{"toml", "phi", "1.68", false},
-			{"toml", "baz", "[1, 2, 3, true, false]", false},
-			{"toml", "qux", "", true}, // Tables cannot be retrieved.
-			{"toml", "nonexistent", "", true},
-			{"toml-default", "", "secret", false},
-			{"not-toml", "foo", "", true}, // Cannot use "--key" on non-TOML entries.
+			{"toml", nil, "hunter2", false},
+			{"toml", []string{"foo"}, "string", false},
+			{"toml", []string{"bar"}, "5", false},
+			{"toml", []string{"phi"}, "1.68", false},
+			{"toml", []string{"baz"}, "[1, 2, 3, true, false]", false},
+			{"toml", []string{"qux"}, "", true}, // Tables cannot be retrieved.
+			{"toml", []string{"qux", "key"}, "value", false},
+			{"toml", []string{"qux", "nested", "deep"}, "secret", false},
+			{"toml", []string{"qux", "nonexistent"}, "", true},
+			{"toml", []string{"nonexistent"}, "", true},
+			{"toml-default", nil, "secret", false},
+			{"not-toml", []string{"foo"}, "", true}, // Cannot use "--key" on non-TOML entries.
 		}
 
 		for _, tc := range testCases {
@@ -779,32 +787,33 @@ foo = "secret"
 
 			buf.Reset()
 
-			var cmd *exec.Cmd
-			if tc.key == "" {
-				cmd = exec.Command(commandPago, "--dir", dataDir, "--socket", "", "show", tc.entry)
-			} else {
-				cmd = exec.Command(commandPago, "--dir", dataDir, "--socket", "", "show", "--key", tc.key, tc.entry)
+			args := []string{"--dir", dataDir, "--socket", "", "show"}
+			for _, k := range tc.keys {
+				args = append(args, "--key", k)
 			}
+			args = append(args, tc.entry)
+			cmd := exec.Command(commandPago, args...)
+
 			cmd.Stdin = c.Tty()
 			cmd.Stdout = &buf
 			cmd.Stderr = c.Tty()
 
 			err = cmd.Start()
 			if err != nil {
-				return "", fmt.Errorf("failed to start command for entry %q key %q: %w", tc.entry, tc.key, err)
+				return "", fmt.Errorf("failed to start command for entry %q keys %v: %w", tc.entry, tc.keys, err)
 			}
 
 			_, _ = c.ExpectString("Enter password")
 			_, _ = c.SendLine(password)
 
 			err = cmd.Wait()
 			if (err != nil) != tc.wantErr {
-				return "", fmt.Errorf("command failed for entry %q key %q: %w", tc.entry, tc.key, err)
+				return "", fmt.Errorf("command failed for entry %q keys %v: %w", tc.entry, tc.keys, err)
 			}
 
 			output := strings.TrimSpace(buf.String())
 			if !tc.wantErr && output != tc.expected {
-				return "", fmt.Errorf("for entry %q key %q, expected %q, got %q", tc.entry, tc.key, tc.expected, output)
+				return "", fmt.Errorf("for entry %q keys %v, expected %q, got %q", tc.entry, tc.keys, tc.expected, output)
 			}
 		}
 
@@ -851,14 +860,17 @@ qux = {"key" = "value"}
 
 		testCases := []struct {
 			entry    string
+			args     []string
 			expected string
-			flag     string
 			wantErr  bool
 		}{
-			{"toml", "bar\nbaz\nfoo\npassword\nphi\nqux", "-K", false},
-			{"toml", "bar\nbaz\nfoo\npassword\nphi\nqux", "--keys", false},
-			{"not-toml", "", "-K", true},
-			{"nonexistent", "", "--keys", true},
+			{"toml", []string{"-K"}, "bar\nbaz\nfoo\npassword\nphi\nqux", false},
+			{"toml", []string{"--keys"}, "bar\nbaz\nfoo\npassword\nphi\nqux", false},
+			{"toml", []string{"-K", "-k", "qux"}, "key", false},
+			{"toml", []string{"--keys", "--key", "qux"}, "key", false},
+			{"not-toml", []string{"-K"}, "", true},
+			{"nonexistent", []string{"--keys"}, "", true},
+			{"", []string{"--keys"}, "", true},
 		}
 
 		for _, tc := range testCases {
@@ -871,12 +883,13 @@ qux = {"key" = "value"}
 
 			buf.Reset()
 
-			var cmd *exec.Cmd
-			if tc.entry == "" {
-				cmd = exec.Command(commandPago, "--dir", dataDir, "--socket", "", "show", "--keys")
-			} else {
-				cmd = exec.Command(commandPago, "--dir", dataDir, "--socket", "", "show", "--keys", tc.entry)
+			args := []string{"--dir", dataDir, "--socket", "", "show"}
+			args = append(args, tc.args...)
+			if tc.entry != "" {
+				args = append(args, tc.entry)
 			}
+			cmd := exec.Command(commandPago, args...)
+
 			cmd.Stdin = c.Tty()
 			cmd.Stdout = &buf
 			cmd.Stderr = c.Tty()
