fix(schema): add missing config fields

[risu729]

Summary

• add missing task sandbox fields to the mise task schemas
• add top-level env_file/dotenv/env_path schema entries and mark them deprecated as legacy shortcuts
• allow env age directive options, tighten complex age option nesting, and cover the schema fixture
• keep sandbox fields in a task-only schema overlay so they validate for [tasks.*] but do not leak into [task_templates.*], whose Rust type does not deserialize/apply them

Context

• The renderer builds both task and task_template schemas from task_props. The new taskOnlyProps overlay is for fields accepted by Task but not TaskTemplate; this mirrors the existing task-only treatment for extends.
• env_file, dotenv, and env_path are still accepted by current serde parsing, but they are legacy top-level shortcuts. env: use mise.file/mise.path config #1361 marked env_file/env_path deprecated in favor of env.mise.file/env.mise.path; env: resolve env vars in order #1519 later rewrote env parsing and kept accepting env_file, alias dotenv, and env_path without a runtime deprecation warning. The schema keeps them valid but marks them deprecated to point users at [env] _.file / _.path.
• Task sandbox config fields were introduced with process sandboxing in feat(exec): add process sandboxing for mise x and mise run #8845; allow_env wildcard semantics were later expanded in feat(sandbox): support wildcard patterns in allow_env #8974.
• Age env directives, including flattened EnvDirectiveOptions on age values, were introduced in feat(age): support age encrypted env vars in mise.toml files #6463. This PR now mirrors the Rust variants more closely: top-level age options are allowed with age = "...", while complex age = { value = ... } options must be nested inside the age object.

Verification

• bun xtasks/render/schema.ts
• jq empty schema/mise.json schema/mise-task.json schema/miserc.json
• git diff --check
• mise run test:e2e e2e/config/test_schema_tombi

[greptile-apps]

Greptile Summary

This PR fills schema gaps: sandbox task fields (deny_all, deny_read, deny_write, deny_net, deny_env, allow_read, allow_write, allow_net, allow_env) are added to tasks-only via a new taskOnlyProps overlay so they validate for [tasks.*] but are correctly excluded from [task_templates.*]; top-level env_file/dotenv/env_path shortcuts are added as deprecated properties; and the age env directive schema is restructured to support both the simple ({ age = \"string\", tools = true }) and complex ({ age = { value = \"string\", tools = true } }) inline formats.

Confidence Score: 5/5

Safe to merge — schema-only additions that correctly mirror the Rust types, with positive and negative e2e coverage.

All sandbox fields match the Rust Task struct and are correctly absent from TaskTemplate; the age directive restructuring matches the Val::AgeComplex/Val::AgeWithOptions deserialization branches; deprecated top-level fields are accurately modelled. The one open item (no negative test for sandbox fields on task_templates) is a P2 coverage gap that does not affect runtime correctness.

No files require special attention.

Important Files Changed

Filename	Overview
xtasks/render/schema.ts	Adds taskOnlyProps object with all nine sandbox fields and spreads it into the task object variant only; task_template correctly keeps its existing properties without sandbox fields.
schema/mise.json	Sandbox fields added to task object variant only (not task_template); deprecated env_file/dotenv/env_path top-level properties added; age directive oneOf restructured to support simple-string and complex-object variants with correct property placement.
schema/mise-task.json	Task definition updated with sandbox fields matching Rust Task struct; age directive schema updated via schema.ts copy; no sandbox fields leak into task_template definition.
e2e/config/test_schema_tombi	New mise-age.toml positive case and mise-bad-age.toml negative case added; deny_env/allow_read added to the task fixture; deprecated env_file/env_path included in the top-level fixture.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[schema.ts runs] --> B[Read mise.json base schema]
    B --> C[Build taskOnlyProps\ndeny_all/deny_read/deny_write\ndeny_net/deny_env/allow_read\nallow_write/allow_net/allow_env]
    B --> D[Read taskProps from task_props def]
    D --> E[task_template schema\ntaskProps only\nadditionalProperties: false]
    D --> F[task object variant\ntaskProps + taskOnlyProps + extends\nadditionalProperties: false]
    F --> G[Write mise.json\nwith env_file/dotenv/env_path deprecated]
    E --> G
    G --> H[Copy task + task_template defs\nto mise-task.json]
    G --> I[Write miserc.json\nrc=true settings only]

Loading

_{Reviews (3): Last reviewed commit: "fix(schema): tighten age directive optio..." | Re-trigger Greptile}

[gemini-code-assist]

Code Review

This pull request introduces sandbox-related properties (deny/allow for reads, writes, network, and environment) to tasks and adds new environment configuration options such as env_file, env_path, and redact. It also updates the schema generation script to handle these new task-specific properties. Feedback suggests tightening the age directive schema to match the Rust implementation's nesting requirements and improving the JSON schema structure by including task-specific properties in the common $defs.task_props definition to avoid redundancy.