fix(gitlab): warn when glab OAuth2 token is expired

[stanhu]

When mise reads a GitLab token from glab's config.yml and the oauth2_expiry_date field (RFC3339) indicates the token has expired, emit a warning telling the user to run a glab command (e.g. glab api user) to trigger a silent OAuth2 refresh.

Old glab versions wrote this field in RFC822 format with ambiguous timezone abbreviations; current versions write RFC3339. We only check RFC3339 values to avoid brittle timezone mapping--users on old glab will not see the warning until they upgrade.

[gemini-code-assist]

Code Review

This pull request introduces a mechanism to detect and warn users about expired GitLab OAuth2 tokens by parsing the glab configuration file. I have reviewed the implementation and provided a suggestion to improve the readability and efficiency of the YAML traversal logic by using more idiomatic lookup methods and hoisting the current time calculation outside of the loop.

[greptile-apps]

Greptile Summary

This PR adds an expiry check for glab OAuth2 tokens: when mise reads glab's config.yml and finds an expired oauth2_expiry_date (RFC3339 only) paired with an oauth2_refresh_token, it emits a warn! telling the user to run glab api user to trigger a silent refresh. The check runs inside the GLAB_HOSTS lazy initializer, so it fires at most once per process. Both previously raised concerns — the local use serde_yaml::Value placement and the missing oauth2_refresh_token guard — are addressed in this revision.

Confidence Score: 5/5

Safe to merge; all previous concerns have been addressed and the only remaining note is a minor style observation about double YAML parsing.

Both P1-level issues from earlier review rounds are resolved. The only remaining finding is a P2 observation about parsing the same YAML string twice, which has no practical impact given the lazy-static initializer runs once per process.

No files require special attention.

Important Files Changed

Filename	Overview
src/gitlab.rs	Adds warn_glab_expired_tokens + find_expired_glab_tokens with RFC3339-only parsing, refresh-token guard, and eight unit tests; previously flagged issues (top-level import, refresh-token check) are both resolved.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[read_glab_hosts called once via LazyLock] --> B[Read glab config.yml from disk]
    B --> C{File readable?}
    C -- No --> D[return None]
    C -- Yes --> E[warn_glab_expired_tokens]
    E --> F[find_expired_glab_tokens]
    F --> G[serde_yaml parse contents]
    G --> H{hosts mapping present?}
    H -- No --> I[return empty vec]
    H -- Yes --> J[For each host entry]
    J --> K{oauth2_refresh_token present?}
    K -- No --> J
    K -- Yes --> L{oauth2_expiry_date present & RFC3339?}
    L -- No/parse error --> J
    L -- Yes --> M{expiry_date < now?}
    M -- No --> J
    M -- Yes --> N[Collect host + expiry_str]
    N --> J
    J --> O[warn! for each expired token]
    O --> P[yaml_hosts_to_tokens parse contents again]
    P --> Q[return HashMap host→token]

Loading

_{Reviews (2): Last reviewed commit: "fix(gitlab): address review comments on ..." | Re-trigger Greptile}