feat(oci): build OCI images from mise.toml with per-tool layers

[jdx]

Summary

Adds a new mise oci build command that builds OCI container images directly from a mise.toml. The key design choice: each tool version gets its own content-addressable OCI layer, so bumping any single tool invalidates exactly one blob — unlike a Dockerfile where changing an early RUN invalidates every layer above it.

This works because mise installs tools to isolated, non-overlapping directories ($MISE_DATA_DIR/installs/<plugin>/<version>/), so layer ordering is semantically irrelevant. Swapping a version swaps one layer; everything else (base image, other tools, mise binary, config) stays identical and gets reused from the registry / local cache.

What's in this PR

• mise oci build — reads current mise.toml, produces an OCI image layout in ./mise-oci/ (configurable via -o). Output is consumable by skopeo, crane, and podman load directly.
• [oci] section in mise.toml for from, tag, workdir, entrypoint, cmd, user, mount_point, env, labels.
• New settings: oci.default_from (default debian:bookworm-slim — a glibc-based image, so most mise-installed prebuilt binaries actually run; alpine/musl is a footgun we explicitly don't recommend) and oci.default_mount_point (default /mise).
• --from CLI flag overrides base image. Anonymous OCI registry v2 pulls (Docker Hub / GHCR / quay) — no auth, no login flow. --from scratch or empty builds without a base.
• Bakes env (mise [env] + per-tool exec_env()), PATH (each tool's bin dir), and per-tool labels (dev.mise.tools.<plugin>=<version>) into the image config.
• Embeds the currently-running mise binary at /usr/local/bin/mise by default (--no-mise opts out).
• Same-host reproducible layer digests: normalized tar headers (mtime=0, uid/gid=0, sorted entries, deterministic perms), gzip header mtime zeroed. Honors SOURCE_DATE_EPOCH for the created timestamp so manifests themselves can be fully reproducible.
• asdf/vfox backends rejected — their install scripts can write outside the per-version dir, which would break the one-layer-per-tool invariant. Clear error. Re-enabling these via a sandboxed install contract is future work.

Module layout

• src/oci/ — manifest (hand-rolled serde structs matching the OCI image-spec), layer (reproducible tar builder), layout (image-layout writer), registry (anonymous base pull), builder (orchestrator).
• src/cli/oci/ — command group dispatcher + build subcommand.
• src/config/config_file/mise_toml.rs — new oci: Option<OciConfig> field.

Test plan

• Unit tests in src/oci/layer.rs assert the tar builder is byte-identical across runs and digests differ for different prefixes.
• E2E test at e2e/oci/test_oci_build_slow covers: basic build, reproducibility (same inputs → same digests under SOURCE_DATE_EPOCH), delta behavior (bumping a version only changes that tool's layer digest), image config PATH/labels, asdf/vfox rejection.
• mise run lint-fix and cargo test --bin mise pass (719 tests).
• Generated docs/completions/schema regenerated via mise run render.

What's next (not in this PR)

• mise oci run — convenience wrapper to build + docker run.
• mise oci push — native registry push (v1 users go through skopeo copy oci:./mise-oci docker://...).
• Authenticated registry pulls (private base images).
• Cross-platform builds (build a linux/amd64 image on darwin/arm64).

🤖 Generated with Claude Code

---

Note

Medium Risk
Adds a new experimental CLI surface that pulls base images over HTTP, writes OCI image layouts, and shells out to container/registry tooling; despite gating, it introduces new security- and correctness-sensitive paths (digest validation, env baking, external command execution).

Overview
Adds an experimental mise oci command group (build, run, push) that can generate an OCI image-layout directory from the current mise.toml, optionally pull a base image from public registries, and then either run it via podman/docker+skopeo or push it via skopeo/crane.

Implements a new src/oci module that builds reproducible, per-tool OCI layers, synthesizes an embedded /etc/mise/config.toml, bakes env/PATH/labels into the image config (with warnings about secrets), and rejects asdf/vfox backends; also adds [oci] config support in mise.toml, new settings defaults (oci.default_from, oci.default_mount_point), and updates generated docs/manpages/schema/completions plus new e2e coverage for build determinism and error handling.

^{Reviewed by Cursor Bugbot for commit 1ed597a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds a new mise oci build command (plus oci run and oci push) that turns a mise.toml toolset into an OCI image layout with one content-addressable layer per tool. It introduces src/oci/ (manifest, layer, layout, registry, builder modules), src/cli/oci/, a new [oci] config section in mise.toml, and two new settings (oci.default_from, oci.default_mount_point).

All issues raised in earlier review rounds have been addressed: rfc3339_now() is captured once, path-traversal digest validation is in place with content verification, MISE_DATA_DIR/MISE_CONFIG_DIR are inserted last so user [env] cannot shadow them, the [oci] config now merges across layered config files via fill_defaults_from, normalize_os maps windows → linux, quay.io token auth is handled, absolute intra-tree symlinks are rebased to relative paths, and list_bin_paths is used for the PATH instead of a hardcoded /bin.

Confidence Score: 5/5

Safe to merge — all previous P0/P1 concerns have been resolved and no new critical issues were found.

Every blocking concern from prior review rounds is addressed: single timestamp capture, path-traversal + content-verification guards on blob writes, correct env insertion order, per-registry token auth, Windows OS normalization, symlink rebasing, and proper multi-file OciConfig merging. The new code is well-tested and experimentally gated.

No files require special attention.

Important Files Changed

Filename	Overview
src/oci/builder.rs	Orchestrates full image build: base pull, per-tool layers, mise binary layer, config synthesis, env/PATH rebasing. Timestamp captured once, MISE_DATA_DIR inserted last, secrets warning present.
src/oci/registry.rs	Anonymous OCI registry pull with Bearer token auth. Now uses shared HTTP client; quay.io token endpoint added; digest references parsed correctly; config/layer digests validated before any filesystem writes.
src/oci/layer.rs	Reproducible tar builder with mtime/uid/gid normalization, deterministic entry ordering, and zeroed gzip header mtime. Absolute intra-tree symlinks are now rebased to relative paths.
src/oci/layout.rs	OCI image layout writer. write_blob_with_digest now validates sha256 hex format (path traversal guard) and verifies sha256(bytes)==digest before writing.
src/oci/mod.rs	Module root with normalize_arch/normalize_os helpers and OciConfig struct with fill_defaults_from merge logic. normalize_os now maps both "macos" and "windows" to "linux".
src/cli/oci/common.rs	Shared perform_build helper and merged_oci_config that iterates all config files using fill_defaults_from (most-specific-first wins per field).
src/cli/oci/run.rs	Build-and-run via podman or docker+skopeo. TempDir guard keeps layout alive during run; per-invocation docker tag avoids concurrent collisions; loaded image cleaned up post-run unless --keep.
src/cli/oci/push.rs	Shells out to skopeo or crane for authenticated registry push; validates reference contains a slash before building; TempDir guard prevents layout accumulation.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[mise oci build] --> B[Load Config + Toolset]
    B --> C{from ref?}
    C -- yes --> D[registry::pull_base_image\nvalidate digests\nwrite base blobs]
    C -- no / scratch --> E[empty base layers]
    D --> F
    E --> F[Per-tool layers\nlayer::build_layer_from_dir\none blob per tool]
    F --> G{include_mise?}
    G -- yes --> H[mise binary layer\nbuild_layer_from_files]
    G -- no --> I
    H --> I[Config layer\netc/mise/config.toml]
    I --> J[build_image_config\nenv + PATH rebased\nMISE_DATA_DIR last]
    J --> K[layout::write_blob\nconfig + manifest + index.json]
    K --> L[OCI image layout on disk]
    L --> M{subcommand}
    M -- oci build --> N[print manifest digest]
    M -- oci run --> O[load into podman/docker\nrun container\ncleanup image]
    M -- oci push --> P[skopeo/crane push\nto registry]

Loading

_{Reviews (19): Last reviewed commit: "refactor(oci): explicit in-image vs tar-..." | Re-trigger Greptile}

[gemini-code-assist]

Code Review

This pull request introduces the mise oci build command, enabling the creation of OCI container images where each tool version is isolated into its own content-addressable layer. The implementation prioritizes reproducibility by normalizing file permissions and timestamps within the generated layers. Review feedback highlights several areas for improvement, including the need to normalize version strings in the image's PATH to match the filesystem layout, ensuring proper escaping when synthesizing the embedded config.toml, and capturing timestamps once to maintain consistency across the manifest and labels. Additionally, suggestions were made to optimize network usage by reusing the existing HTTP client and to dynamically resolve tool binary paths instead of assuming a standard bin directory.

[gemini-code-assist]

The tool version is not being normalized here, but it is normalized in tool_prefix (line 476). This will cause the PATH in the image config to point to non-existent directories if the version string contains characters like : or /.

Suggested change

	tv.version
	tv.version.replace([':', '/'], "-")

[gemini-code-assist]

Creating a new reqwest::Client for every layer download is inefficient as it bypasses connection pooling. You should reuse the existing crate::http::HTTP client instead.

[gemini-code-assist]

The tool name and version are inserted directly into a TOML string without escaping. If a tool name or version contains a double quote, the generated /etc/mise/config.toml will be invalid.

[gemini-code-assist]

rfc3339_now() is called multiple times during image configuration building. If the system clock ticks between these calls, the created timestamp in the manifest and the labels might differ slightly, which is inconsistent. It's better to capture the timestamp once and reuse it.

[gemini-code-assist]

This logic assumes that every tool's binary directory is named bin. While common, some tools might have different or multiple binary paths. It would be more robust to use backend.list_bin_paths(tv) and relativize them against the install path.

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.18 x -- echo	18.0 ± 0.2	17.5	20.4	1.00
mise x -- echo	18.7 ± 0.2	18.2	19.6	1.04 ± 0.02

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.18 env	17.5 ± 0.5	17.0	23.7	1.00
mise env	18.4 ± 0.4	17.7	21.6	1.05 ± 0.04

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.18 hook-env	18.2 ± 0.3	17.7	21.3	1.00
mise hook-env	18.7 ± 0.3	18.2	20.9	1.03 ± 0.02

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.18 ls	15.9 ± 0.2	15.5	16.8	1.00
mise ls	16.5 ± 0.2	16.0	18.0	1.04 ± 0.02

xtasks/test/perf

Command	mise-2026.4.18	mise	Variance
install (cached)	114ms	120ms	-5%
ls (cached)	60ms	63ms	-4%
bin-paths (cached)	64ms	67ms	-4%
task-ls (cached)	623ms	618ms	+0%

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c008ec9. Configure here.}