feat(tool): add security field to mise tool --json#7303
Merged
Conversation
Add security information to `mise tool <name> --json` output showing aqua registry security metadata. The security field is an array of enabled security features with relevant metadata: - checksum (with algorithm) - github_attestations (with signer_workflow) - slsa - cosign - minisign (with public_key) For non-aqua backends, returns an empty array. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds security metadata reporting to the mise tool command by including a security field in both JSON and table outputs. The field displays security features enabled in aqua registry tools.
- Introduces
SecurityFeatureenum to represent different security verification methods (checksum, GitHub attestations, SLSA, cosign, minisign) - Implements
security_info()method for aqua backend to fetch and parse security metadata from the aqua registry - Extends
mise toolcommand output to include security information in both JSON and human-readable formats
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/cli/tool.rs | Adds security field to ToolInfo struct and implements display logic for both JSON and table formats |
| src/backend/mod.rs | Defines SecurityFeature enum and adds security_info() trait method with default empty implementation |
| src/backend/aqua.rs | Implements security_info() for AquaBackend to extract security features from aqua registry metadata |
| e2e/cli/test_tool | Adds e2e tests verifying security field presence, type, and behavior for both aqua and non-aqua tools |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+23
to
+26
| mise tool aqua:cli/cli --json | jq -e '.security' || fail "security field not found in JSON" | ||
|
|
||
| # Test security field is an array | ||
| mise tool aqua:cli/cli --json | jq -e '.security | type == "array"' || fail "security is not an array" |
There was a problem hiding this comment.
The tool name 'aqua:cli/cli' is repeated three times. Consider storing it in a variable to improve maintainability and make it easier to change the test tool if needed.
| mise tool node --json | jq -e '.security == []' || fail "non-aqua tool should have empty security" | ||
|
|
||
| # Test that security features have type field when present | ||
| mise tool aqua:cli/cli --json | jq -e '.security | if length > 0 then .[0].type else true end' || fail "security feature missing type field" |
There was a problem hiding this comment.
The tool name 'aqua:cli/cli' is repeated three times. Consider storing it in a variable to improve maintainability and make it easier to change the test tool if needed.
Extend security field in `mise tool --json` to core plugins: - node: checksum (sha256) + GPG verification - zig: checksum (sha256) + minisign (with public key) - swift: checksum (sha256) + GPG verification (Linux only) - go, ruby, deno, bun: checksum (sha256) Also adds Gpg variant to SecurityFeature enum. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.12.7 x -- echo |
20.3 ± 0.3 | 19.8 | 22.9 | 1.00 |
mise x -- echo |
20.3 ± 0.2 | 19.8 | 21.3 | 1.00 ± 0.02 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.12.7 env |
19.8 ± 0.6 | 19.2 | 25.3 | 1.00 |
mise env |
19.9 ± 0.2 | 19.4 | 21.2 | 1.01 ± 0.03 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.12.7 hook-env |
19.8 ± 0.3 | 19.3 | 24.6 | 1.00 |
mise hook-env |
19.9 ± 0.3 | 19.4 | 22.7 | 1.00 ± 0.02 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.12.7 ls |
16.7 ± 0.3 | 16.2 | 19.0 | 1.00 |
mise ls |
16.8 ± 0.3 | 16.4 | 18.7 | 1.01 ± 0.02 |
xtasks/test/perf
| Command | mise-2025.12.7 | mise | Variance |
|---|---|---|---|
| install (cached) | 108ms | 108ms | +0% |
| ls (cached) | 65ms | 66ms | -1% |
| bin-paths (cached) | 71ms | 71ms | +0% |
| task-ls (cached) | 436ms | 423ms | +3% |
jdx
pushed a commit
that referenced
this pull request
Dec 15, 2025
### 🚀 Features - **(conda)** add dependency resolution for conda packages by @jdx in [#7280](#7280) - **(go)** add created_at support to ls-remote --json by @jdx in [#7305](#7305) - **(hook-env)** add hook_env.cache_ttl and hook_env.chpwd_only settings for NFS optimization by @jdx in [#7312](#7312) - **(hooks)** add MISE_TOOL_NAME and MISE_TOOL_VERSION to preinstall/postinstall hooks by @jdx in [#7311](#7311) - **(shell_alias)** add shell_alias support for cross-shell aliases by @jdx in [#7316](#7316) - **(tool)** add security field to mise tool --json by @jdx in [#7303](#7303) - add --before flag for date-based version filtering by @jdx in [#7298](#7298) ### 🐛 Bug Fixes - **(aqua)** support cosign v3 bundle verification by @jdx in [#7314](#7314) - **(config)** use correct config_root in tera context for hooks by @jdx in [#7309](#7309) - **(nu)** fix nushell deactivation script on Windows by @fu050409 in [#7213](#7213) - **(python)** apply uv_venv_create_args in auto-venv code path by @jdx in [#7310](#7310) - **(shell)** escape exe path in activation scripts for paths with spaces by @jdx in [#7315](#7315) - **(task)** parallelize exec_env loading to fix parallel task execution by @jdx in [#7313](#7313) - track downloads for python and java by @jdx in [#7304](#7304) - include full tool ID in download track by @jdx in [#7320](#7320) ### 📚 Documentation - Switch `postinstall` code to be shell-agnostic by @thejcannon in [#7317](#7317) ### 🧪 Testing - **(e2e)** disable debug mode by default for windows-e2e by @jdx in [#7318](#7318) ### New Contributors - @fu050409 made their first contribution in [#7213](#7213)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
securityfield tomise tool <name> --jsonoutput showing aqua registry security metadatachecksum(with algorithm)github_attestations(with signer_workflow)slsacosignminisign(with public_key)[]Example Output
For aqua tool with security features:
{ "backend": "aqua:hashicorp/terraform", "security": [ { "type": "checksum", "algorithm": "sha256" } ] }For non-aqua tool:
{ "backend": "core:node", "security": [] }Test plan
🤖 Generated with Claude Code
Note
Adds a
securityarray tomise tool <name> --jsonand table output, populated from aqua registry and core plugins (checksum, gpg, minisign, etc.), with e2e tests.src/cli/tool.rs)securityarray tomise tool <name> --jsonand display a "Security:" row in human output.securityinToolInfoand render feature labels.src/backend/mod.rs)SecurityFeatureenum (checksum, github_attestations, slsa, cosign, minisign, gpg).Backendtrait withsecurity_info()(default empty).src/backend/aqua.rs)security_info()mapping registry fields: checksum(+algorithm), github_attestations(+signer_workflow), slsa, cosign, minisign(+public_key).security_info():node: checksum + optional gpg (based on settings).swift: checksum + optional gpg (Linux/settings).zig: checksum + minisign (+public_key).go,deno,bun: checksum only.e2e/cli/test_tool)securityexists and is an array in JSON.Written by Cursor Bugbot for commit b42dea8. This will update automatically on new commits. Configure here.