protonpass provider incompatible with pass-cli >= 2.0.3 #104

@cschmatzler

Summary

The protonpass provider is incompatible with Proton Pass CLI pass-cli >= 2.0.3.

secretspec check reports active secrets as missing because pass-cli item list --output json changed shape in 2.0.3: list entries now expose title at the top level instead of under content.title.

Versions

  • secretspec: 0.10.1
  • pass-cli: broken with 2.0.3, 2.1.2
  • pass-cli: works with 2.0.2

Reproduction

Given a secretspec.toml like:

[project]
name = "example"
revision = "1.0"

[profiles.default]
EXAMPLE_SECRET = { description = "Example secret" }

And an active Proton Pass note item titled:

example/default/EXAMPLE_SECRET

Run:

SECRETSPEC_PROVIDER='protonpass://MyVault' secretspec check --no-prompt

Actual behavior

With pass-cli >= 2.0.3:

Checking secrets in example (profile: default)...

✗ EXAMPLE_SECRET - Example secret (required)

Summary: 0 found, 1 missing
Error: Secret 'EXAMPLE_SECRET' is required but not set

Expected behavior

The active Proton Pass item should be found.

Root cause

secretspec currently expects item list JSON entries with this shape:

{
  "items": [
    {
      "content": {
        "title": "example/default/EXAMPLE_SECRET"
      }
    }
  ]
}

That matches pass-cli 2.0.2.

Starting in pass-cli 2.0.3, the default JSON list output became a summary shape:

{
  "items": [
    {
      "title": "example/default/EXAMPLE_SECRET",
      "item_type": "note"
    }
  ]
}

So this deserialize path fails:

struct ProtonPassItemData {
    id: String,
    share_id: String,
    content: ProtonPassItemContent,
}

and the provider silently falls back to an empty item list here:

serde_json::from_str(&output).unwrap_or(ProtonPassListResponse { items: vec![] })

The relevant change in pass-cli is here: protonpass/pass-cli@1c09fd8
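
Added example, not code from this issue or from secretspec: a Python sketch (the provider itself is Rust) of a list parser that accepts both entry shapes shown above and raises on an unrecognized shape, next to a simplified model of the silent empty-list fallback. The function names, `ListShapeError` and the `UNKNOWN` sample are hypothetical; `OLD` and `NEW` are constructed from the two JSON shapes in the report.

```python
import json

class ListShapeError(ValueError):
    """pass-cli output could not be interpreted as an item list."""

def item_title(entry):
    """Return the title from either list-entry shape shown in the issue."""
    if not isinstance(entry, dict):
        raise ListShapeError(f"entry is not an object: {entry!r}")
    title = entry.get("title")            # pass-cli >= 2.0.3: top-level title
    if title is None:
        content = entry.get("content")    # pass-cli 2.0.2: content.title
        if isinstance(content, dict):
            title = content.get("title")
    if not isinstance(title, str):
        raise ListShapeError(f"no title in entry with keys {sorted(entry)}")
    return title

def list_titles(raw):
    """Parse `item list --output json` text; raise instead of returning []."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ListShapeError(f"invalid JSON: {exc}") from exc
    items = doc.get("items") if isinstance(doc, dict) else None
    if not isinstance(items, list):
        raise ListShapeError("top-level 'items' array missing")
    return [item_title(e) for e in items]

def silent_titles(raw):
    """Simplified model of the fallback: any parse error becomes an empty list."""
    try:
        return [e["content"]["title"] for e in json.loads(raw)["items"]]
    except (ValueError, KeyError, TypeError):
        return []

# Constructed samples based on the two shapes in the issue.
OLD = '{"items":[{"content":{"title":"example/default/EXAMPLE_SECRET"}}]}'
NEW = '{"items":[{"title":"example/default/EXAMPLE_SECRET","item_type":"note"}]}'
UNKNOWN = '{"items":[{"name":"example/default/EXAMPLE_SECRET"}]}'  # hypothetical shape

if __name__ == "__main__":
    print("silent:", silent_titles(OLD), silent_titles(NEW))  # second list is empty
    print("strict:", list_titles(OLD), list_titles(NEW))
```

With the fallback, a format change is indistinguishable from an empty vault, so the caller reports the secret as missing; the strict version turns the same condition into an explicit parse error.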
