fix(lock): write tools to lockfile matching their source config

[jdx]

Summary

• mise lock now groups tools by their source config file and writes each to the corresponding lockfile
• Tools defined in mise.toml → mise.lock, tools in mise.local.toml → mise.local.lock
• Previously, all tools were written to whichever lockfile corresponded to the highest-priority config (typically mise.local.lock), which meant locked versions were silently gitignored

Problem

When both mise.toml (committed) and mise.local.toml (gitignored) exist, mise lock wrote everything to mise.local.lock. Team members never got locked versions because the lockfile was gitignored.

Fix

Instead of picking a single lockfile from the first (highest-priority) config file, get_tools_by_lockfile() now determines the correct lockfile for each tool based on its ToolSource config path. The run() method iterates over each lockfile group independently.

The --local flag continues to work, restricting output to only mise.local.lock.

Fixes #8000

Test plan

• Create a directory with mise.toml (tools) and mise.local.toml (env only), run mise lock, verify mise.lock is created (not mise.local.lock)
• Create a directory with tools in both files, run mise lock, verify each tool goes to the correct lockfile
• Verify mise lock --local still only writes mise.local.lock

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes core lockfile write behavior and tool selection logic, which could mis-route tools or alter generated lockfiles in edge cases (e.g., overridden tools or tools without a source path).

Overview
mise lock now splits locking into two passes so tools defined in committed config(s) are written to mise.lock and tools defined in local config(s) are written to mise.local.lock, instead of emitting everything to a single lockfile.

Tool selection was updated to filter by each tool’s source config (lockfile_path_for_config locality) and by config directory, while preserving --local behavior to only write mise.local.lock; an e2e test (test_lock_local_config) was added to verify the new lockfile routing in mixed-config scenarios.

^{Written by Cursor Bugbot for commit 974a1da. This will update automatically on new commits. Configure here.}

[gemini-code-assist]

Summary of Changes

Hello @jdx, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a significant bug in the mise lock command where all tools were incorrectly written to a single, highest-priority lockfile, typically mise.local.lock. This behavior led to locked versions of tools being overlooked by version control systems when they originated from committed configuration files like mise.toml. The implemented changes introduce a more precise locking mechanism, ensuring that tools are now written to the correct lockfile corresponding to their source configuration, thereby preventing the unintended omission of crucial locked versions and improving team collaboration.

Highlights

• Granular Lockfile Generation: The mise lock command now groups tools based on their source configuration file (e.g., mise.toml or mise.local.toml) and writes them to the corresponding lockfile.
• Correct Lockfile Assignment: Tools defined in mise.toml will now be written to mise.lock, and tools from mise.local.toml will be written to mise.local.lock, resolving the issue of locked versions being silently gitignored.
• Refactored Lock Processing Logic: The main run method in the Lock command has been refactored to iterate and process tools for each distinct lockfile independently, improving clarity and correctness.
• Updated Tool Grouping Function: The get_tools_to_lock function was renamed to get_tools_by_lockfile and its return type changed to a BTreeMap<PathBuf, Vec<...>> to explicitly support grouping tools by their target lockfile path.
• Preserved --local Flag Behavior: The --local flag functionality remains unchanged, ensuring it restricts output to only mise.local.lock when used.

Changelog

• src/cli/lock.rs
  • Refactored the run method to iterate over and process tools for multiple lockfiles independently, based on their source configuration.
  • Renamed the get_tools_to_lock function to get_tools_by_lockfile and updated its return type to a BTreeMap mapping lockfile paths to lists of tools.
  • Modified the internal logic for collecting and filtering tools to correctly assign them to their respective lockfiles, including handling of the --local flag and ToolSource paths.

Activity

• No human activity (comments, reviews, etc.) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull request overview

This PR fixes mise lock to write tools to lockfiles matching their source config files, preventing locked versions from being inadvertently gitignored. Previously, all tools were written to the lockfile corresponding to the highest-priority config (often mise.local.lock), causing committed tools to be locked in gitignored files.

Changes:

• Introduced get_tools_by_lockfile() to group tools by their source config's corresponding lockfile
• Modified run() to iterate over each lockfile group independently instead of writing to a single lockfile
• Updated tool tracking to include lockfile path in the deduplication key, allowing the same tool in multiple lockfiles

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This comment is misleading. The target lockfile directory is used as a filter to ensure tools come from the same directory, not to determine where tools are written. Consider updating to clarify this is used for filtering config files in the same directory.

Suggested change

	// Calculate target lockfile directory from the first config file
	// Use the first config file to determine the reference lockfile directory.
	// This directory is used to filter/group config files and tools that belong
	// to the same location, not to decide where tools themselves are written.

[Copilot]

This comment could be clearer about why this is necessary. Consider explaining that this allows the same tool version to be locked in both mise.lock and mise.local.lock when defined in both config files.

Suggested change

	// Include lockfile path in seen key so the same tool can appear in different lockfiles
	// Include lockfile path in seen key so the same tool/version can be locked separately
	// in mise.lock and mise.local.lock when it is defined in both types of config files.

[gemini-code-assist]

Code Review

This pull request correctly refactors the mise lock command to handle multiple lockfiles based on the source configuration files. The logic for grouping tools by their target lockfile and processing each group independently is well-implemented. This change effectively addresses the issue of locked versions being ignored when using both global and local configuration files.

I have one suggestion to improve performance by reducing PathBuf cloning within loops. Overall, this is a solid improvement to the locking mechanism.

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.2.4 x -- echo	21.2 ± 0.4	20.2	24.5	1.00
mise x -- echo	21.6 ± 0.7	20.3	27.4	1.02 ± 0.04

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.2.4 env	20.5 ± 0.5	19.5	22.9	1.00
mise env	21.0 ± 0.5	19.7	22.2	1.02 ± 0.03

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.2.4 hook-env	21.5 ± 1.0	20.4	37.3	1.00
mise hook-env	21.7 ± 0.5	20.4	23.6	1.01 ± 0.05

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.2.4 ls	19.4 ± 0.4	18.4	20.9	1.00
mise ls	19.6 ± 0.5	18.5	21.5	1.01 ± 0.04

xtasks/test/perf

Command	mise-2026.2.4	mise	Variance
install (cached)	115ms	114ms	+0%
ls (cached)	72ms	73ms	-1%
bin-paths (cached)	76ms	76ms	+0%
task-ls (cached)	548ms	541ms	+1%

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON, but a Cloud Agent failed to start.}