fix(vfox-plugin): support Git URL with commit hash for mise.toml

[Oyami-Srk]

The ensure_installed method of the vfox backend is very different from the asdf backend; it's a simplified version and behaves differently from the install method of vfox itself.

This PR fixes this by reusing the plugin install logic to make them consistent.

Before this fix, a Git URL with a commit hash for mise.toml would not work when using mise install to install the tools (because in that case, the ensure_installed method will be invoked to handle the tools with specified plugins).

An example of a failure use case:

[plugins]
"vfox:something" = "https://github.com/org/repo#commit_hash"

[tools]
"vfox:something" = "1.0.0"

P.S.: mise plugin install would still work, because it invokes the install method instead of the ensure_installed method.

[greptile-apps]

Greptile Summary

This PR fixes a bug in VfoxPlugin::ensure_installed where Git URLs with a commit-hash fragment (e.g. https://github.com/org/repo#abc1234) were silently ignored. The old implementation cloned the repo using a plain CloneOptions::default() call, which never parsed the #ref portion; the new implementation delegates to self.install() (which calls PluginSource::parse → Git::split_url_and_ref) so the commit reference is correctly resolved.

As a side effect, the new code also aligns ensure_installed with asdf_plugin: it now adds a community-plugin trust prompt that was previously missing, and it honours the force parameter (previously marked _force and completely ignored).

Confidence Score: 5/5

Safe to merge — the fix is correct and all remaining observations are P2 quality-of-life notes.

The delegation to install() correctly threads the Url (fragment preserved by url::Url::as_str) through PluginSource::parse and Git::split_url_and_ref, fixing the reported bug. The community-trust guard and lock-file logic are faithful copies of AsdfPlugin::ensure_installed. normalize_remote strips the fragment before comparing against the registry, so the trust check is not broken by the #ref suffix. No P0/P1 issues found.

No files require special attention.

Important Files Changed

Filename	Overview
src/plugins/vfox_plugin.rs	ensure_installed now delegates to install(), correctly handling #ref fragments; logic mirrors asdf_plugin closely, community trust check and lock-file handling are correct

Sequence Diagram

sequenceDiagram
    participant U as mise install
    participant EI as ensure_installed (vfox)
    participant I as install()
    participant PS as PluginSource::parse
    participant G as Git

    U->>EI: ensure_installed(config, mpr, force, dry_run)
    alt already installed && !force
        EI-->>U: Ok(()) (early return)
    end
    alt !settings.yes && repo_url is None
        EI->>EI: get_repo_url() → check community trust
        alt paranoid mode
            EI-->>U: bail! error
        end
        alt user declines
            EI-->>U: PluginNotInstalled error
        end
    end
    EI->>EI: lock_file::get(plugin_path, force)
    EI->>I: self.install(config, pr)
    I->>I: get_repo_url() → Url with #fragment preserved
    I->>PS: PluginSource::parse(url_string)
    PS->>PS: Git::split_url_and_ref → extracts commit hash
    PS-->>I: Git { url, git_ref: Some("abc1234") }
    I->>G: git.clone(url)
    I->>G: git.update(Some("abc1234"))
    G-->>I: checked out at commit hash
    I-->>EI: Ok(())
    EI->>EI: warn_if_env_plugin_shadows_registry
    EI-->>U: Ok(())

Loading

_{Reviews (1): Last reviewed commit: "fix: correct install vfox plugin" | Re-trigger Greptile}

[greptile-apps]

install() error not returned from ensure_installed

asdf_plugin::ensure_installed returns the result of install() directly (self.install(...).await), so any install error is the function's return value. The new vfox code uses ? to propagate the error and then calls warn_if_env_plugin_shadows_registry, which is correct — but the two branches are asymmetric in their return style. Consider matching asdf's pattern for clarity, even though the observable behavior is the same:

Suggested change

	if !dry_run {
	let _lock = lock_file::get(&self.plugin_path, force)?;
	self.install(config, pr.as_ref()).await?;
	warn_if_env_plugin_shadows_registry(&self.name, &self.plugin_path);
	}
	Ok(())
	if !dry_run {
	let _lock = lock_file::get(&self.plugin_path, force)?;
	self.install(config, pr.as_ref()).await?;
	warn_if_env_plugin_shadows_registry(&self.name, &self.plugin_path);
	}
	Ok(())

(This is already what the PR has — the note is just that the warn_if_env_plugin_shadows_registry call is a vfox-only addition not present in asdf's version, which is intentional and correct for vfox env-plugins.)

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[gemini-code-assist]

Code Review

This pull request updates the vfox_plugin.rs to implement a trust-based installation flow for plugins. It adds checks for community-developed plugins, introduces a confirmation prompt for untrusted sources, and supports a 'paranoid' mode to block such installations. The update also includes file locking to handle concurrent installations and refactors the cloning logic into a dedicated install method. I have no feedback to provide.