fix(aqua): route versions host by registry repo

[jdx]

Summary

• keep using mise-versions for Aqua tools that come from the mise registry, including explicit aqua:owner/repo forms that reverse-map to a registry backend
• skip mise-versions for fully qualified/non-registry Aqua GitHub metadata, including foreign override repos used by verification paths
• include capped versions-host response bodies in fallback warnings so policy failures explain themselves
• preserve the shared HTTP retry and HTTPS-fallback path while still allowing versions-host callers to inspect non-2xx responses

Context

This fixes noisy 403 warnings like the one reported in discussion #10339 for aqua:aws/session-manager-plugin@latest on 2026.6.2. That package is in the Aqua registry but not the mise registry, and mise-versions intentionally serves GitHub metadata only for repos known to the mise registry.

The fix is not to remove the versions host from Aqua. Registry-backed tools such as act still use mise-versions for shared GitHub metadata and unauthenticated GitHub rate-limit avoidance, whether invoked as act or explicitly as aqua:nektos/act. The client now makes that decision using the resolved GitHub repo plus the mise registry mapping, so non-registry and foreign override repos go directly to GitHub instead of producing avoidable versions-host warnings.

Separately, versions-host warnings now include a capped response body. This keeps expected fallbacks visible without hiding useful server-side policy messages. The fetch path still uses the normal mise HTTP client retry/fallback behavior.

Tests

• cargo test test_use_versions_host_for_github_metadata_only_for_registry_tools
• cargo test versions_host_error_message
• cargo test versions_host_flag_splits_release_cache
• cargo check
• MISE_DEBUG=1 cargo run --quiet -- latest aqua:aws/session-manager-plugin (direct GitHub, no mise-versions)
• MISE_DEBUG=1 cargo run --quiet -- latest act (mise-versions is still used)

---

Note

Medium Risk
Changes which network path Aqua uses for GitHub releases and attestations and alters release cache keys; mistakes could mis-route metadata or serve stale/wrong cached releases for some tools.

Overview
Limits mise-versions usage for Aqua so only mise-registry-backed tools whose resolved GitHub repo matches the Aqua package id (including subpackages) fetch releases and attestation metadata through the versions host; explicit non-registry Aqua tools and foreign override repos go straight to GitHub instead of triggering avoidable 403 warnings.

Aqua GitHub release lookups (latest, assets, minisign) now go through get_github_release, which passes that per-repo flag into get_release_for_url_with_versions_host. GitHub release caching keys are split by hosted vs direct so versions-host and direct API results cannot overwrite each other.

The HTTP client gains an opt-out from error_for_status on GET (retries and HTTPS fallback unchanged). Versions-host JSON fetches use it to treat non-2xx as soft fallbacks, respect offline mode, and log warnings with a capped response body for clearer policy messages.

^{Reviewed by Cursor Bugbot for commit b29ad33. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Bug Fixes

  • Improved offline mode handling for version checks.
  • Enhanced error messages for failed GitHub requests, including better handling of rate limiting (429) and not-found (404) scenarios.
  • Better resilience in release metadata fetching with refined cache key handling.

• Tests

  • Added unit test coverage for cache behavior and error messaging.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9ab1a059-490c-4ce4-9d9b-4e16e059f1ce

📥 Commits

Reviewing files that changed from the base of the PR and between ea35917 and b29ad33.

📒 Files selected for processing (4)

• src/backend/aqua.rs
• src/github.rs
• src/http.rs
• src/versions_host.rs

🚧 Files skipped from review as they are similar to previous changes (3)

• src/backend/aqua.rs
• src/versions_host.rs
• src/http.rs

---

📝 Walkthrough

Walkthrough

Adds an allow-error-status HTTP path and propagates it through retries; rewrites versions-host JSON fetching and error-message formatting; scopes GitHub release cache by a versions-host flag; and routes Aqua GitHub-release lookups through backend-aware helpers with tests.

Changes

Versions-host, HTTP client, GitHub release, and Aqua integration

Layer / File(s)	Summary
Versions-host HTTP fetch and error formatting src/versions_host.rs	fetch_optional_json returns Ok(None) in offline or non-success cases, uses GET that allows error-status, logs URL/status, reads response body for messages, and adds versions_host_error_message plus unit tests validating trimming/truncation.
HTTP client error_for_status plumbing src/http.rs	SendOnceOptions gains error_for_status; public Client::get_async_with_headers_allow_error_status added. The flag is threaded through http→https fallback and retry helpers, gates 403 auth-retry and final error_for_status_ref() behavior, and TextRequest::send() updated.
GitHub release API versions-host parameter and cache split src/github.rs	Adds release_cache_key(api_url, repo, tag, use_versions_host) and scopes cached releases to hosted vs direct; get_release now seeds the hosted key via get_release_with_options(..., true) and tests ensure different use_versions_host values don't share cache entries.
Aqua backend GitHub release integration src/backend/aqua.rs	Added AquaBackend::use_versions_host_for_github_metadata() and get_github_release(repo, tag) that call github::get_release_for_url_with_versions_host(..., use_versions_host). Updated minisign verification, attestation detect/verify, latest-stable lookup, and asset matching to use the helper; unit test verifies backend boolean behavior.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant AquaBackend
  participant GitHub
  participant Cache
  participant VersionsHost
  Client->>AquaBackend: request install/verify
  AquaBackend->>GitHub: get_github_release(repo, tag) (maps to use_versions_host)
  GitHub->>Cache: lookup release_cache_key(api_url, repo, tag, use_versions_host)
  alt cache miss & use_versions_host=true
    GitHub->>VersionsHost: fetch metadata (allow_error_status)
    VersionsHost->>GitHub: return JSON or Ok(None)
    GitHub->>Cache: store fetched release under namespaced key
  else cache hit
    Cache->>GitHub: return cached release
  end
  GitHub->>AquaBackend: return release metadata
  AquaBackend->>Client: proceed with asset selection / verification

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• jdx/mise#10255: Introduces/uses a use_versions_host boolean in GitHub release fetching and related helper changes.
• jdx/mise#10254: Modifies src/versions_host.rs's fetch_optional_json behavior and related logging around versions-host requests.
• jdx/mise#10256: Also updates src/versions_host.rs, overlapping on error/status handling and logging changes.

Poem

A rabbit hops through logs at night,
Trims long bodies, keeps the message light,
Splits cache keys with a careful tap,
Lets requests return when statuses snap,
Backend picks hosted or direct — small delight. 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 57.14% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'fix(aqua): route versions host by registry repo' clearly summarizes the main change: routing Aqua GitHub metadata through the versions host based on registry relationships, which is the primary objective across all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/versions_host.rs`:
- Around line 426-437: The message formatter versions_host_error_message
currently always labels responses "client error" even for 5xx codes; change it
to inspect the parsed reqwest::StatusCode (using methods like
is_client_error/is_server_error) and choose the correct label ("client error"
for 4xx, "server error" for 5xx, or a generic "HTTP status" otherwise), then use
that label when composing the returned string while keeping the existing
truncation and status-to-string logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 830d86f9-ad98-43be-821c-eaf1e6016ef7

📥 Commits

Reviewing files that changed from the base of the PR and between ddfe0c3 and 629d740.

📒 Files selected for processing (3)

• src/backend/aqua.rs
• src/github.rs
• src/versions_host.rs

[greptile-apps]

Greptile Summary

Fixes spurious 403 warnings for Aqua tools that are in the Aqua registry but not the mise registry (e.g. aws/session-manager-plugin) by routing their GitHub metadata requests directly to GitHub instead of through mise-versions. Registry-backed tools (e.g. act) continue to use the versions host as before.

• use_versions_host_for_github_metadata is added to AquaBackend and gates all GitHub release/attestation fetches on whether the resolved repo matches the backend's aqua ID and a registry lookup; all three release call-sites are updated.
• release_cache_key in github.rs is unified to include the API URL and a hosted/direct suffix, preventing versions-host and direct-API cached results from overwriting each other.
• fetch_optional_json in versions_host.rs gains an explicit offline guard and uses the new allow_error_status HTTP path, producing body-inclusive, correctly-labelled (4xx/5xx/other) fallback warnings capped at 200 chars.

Confidence Score: 5/5

Safe to merge; the routing logic is well-scoped, the HTTP flag propagates correctly through all retry and fallback paths, and the new cache-key scheme prevents cross-contamination between hosted and direct results.

The three main change areas (routing predicate, cache keys, HTTP allow-error-status flag) are each covered by targeted tests. The use_versions_host_for_github_metadata logic handles all four documented cases (short alias, explicit aqua: prefix, subpackage, non-registry). The error_for_status flag is correctly propagated through recursive_retry and HTTPS fallback so neither retry nor fallback path accidentally re-enables error promotion. No existing callers of get_release or get_async_with_headers are affected by the changes.

No files require special attention.

Important Files Changed

Filename	Overview
src/backend/aqua.rs	Adds use_versions_host_for_github_metadata method to correctly route GitHub release fetches through the versions host only for registry-backed tools whose resolved GitHub repo matches the aqua package ID; all release-fetching call sites updated to use the new get_github_release wrapper. New unit test covers registry, explicit, subpackage, and direct (non-registry) cases.
src/github.rs	Unifies cache key generation into release_cache_key, which now incorporates the API URL and a hosted/direct suffix so versions-host and direct-GitHub results cannot collide in the shared cache. The old per-function ad-hoc key format is removed. A new test (test_versions_host_flag_splits_release_cache) verifies the split behaviour end-to-end.
src/http.rs	Adds error_for_status flag to SendOnceOptions and get_async_with_headers_allow_error_status public method; the flag is correctly propagated through recursive_retry, HTTPS fallback, and retry loops. No existing callers are affected: they continue to receive the default error_for_status: true behaviour.
src/versions_host.rs	Refactors fetch_optional_json to use the new allow-error-status HTTP path, adds an upfront offline guard (matching the previous json_with_headers behaviour), and introduces versions_host_error_message to emit body-inclusive, correctly-labelled (4xx/5xx/other) warnings capped at 200 chars. Three new unit tests cover the error message formatting.

_{Reviews (7): Last reviewed commit: "style(http): format retry helper call" | Re-trigger Greptile}

[jdx]

Correction: I initially pushed this too broadly by making Aqua release metadata skip mise-versions globally. That would have been bad for unauthenticated GitHub users because registry-backed Aqua tools should keep using the shared host cache.

I amended the branch so the behavior is now registry-aware:

• shorthand/mise-registry Aqua backend, e.g. act -> still uses mise-versions
• fully qualified/non-registry Aqua backend, e.g. aqua:aws/session-manager-plugin -> skips mise-versions and goes directly to GitHub
• if mise does hit mise-versions and gets an unexpected failure, the warning remains visible and now includes a capped response body

Verified with debug smoke tests for both aqua:aws/session-manager-plugin and act.

This comment was generated by an AI coding assistant.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/backend/aqua.rs`:
- Around line 1508-1510: The helper use_versions_host_for_github_metadata
currently only inspects self.ba and should be made repo-aware: change its
signature to accept the resolved repo identifier (e.g. owner/repo string or a
RepoInfo struct) and use backend_arg_matches_registry_backend(self.ba, repo) (or
otherwise consult the registry backend contract with the repo) so decisions
respect override/foreign repos; update all call sites that currently call
use_versions_host_for_github_metadata (including where resolve_repo_info(...) is
used, run_minisign_check(), and github_release_asset_matching()) to pass the
resolved repo_owner/repo_name (or RepoInfo) so registry-backed lookups route
correctly. Ensure any tests or override-package paths that call
github_release_asset_matching are adjusted to supply the repo parameter.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 466fef2d-753f-45f5-ab1c-e07a3fbafd90

📥 Commits

Reviewing files that changed from the base of the PR and between 629d740 and 6cee613.

📒 Files selected for processing (3)

• src/backend/aqua.rs
• src/github.rs
• src/versions_host.rs

🚧 Files skipped from review as they are similar to previous changes (2)

• src/versions_host.rs
• src/github.rs

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit de68324. Configure here.}

[coderabbitai]

🧹 Nitpick comments (2)

src/http.rs (2)

169-178: ⚡ Quick win

Add a regression test for the new allow-error-status contract.

This helper is now the boundary that src/versions_host.rs:367-425 relies on to inspect 404/429/5xx bodies directly. A small test here that asserts non-2xx returns Ok(Response)—while offline/network failures still return Err—would lock that behavior down before someone reintroduces error_for_status_ref() in the wrong layer.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/http.rs` around lines 169 - 178, Add a regression test that verifies the
new allow-error-status contract: call get_async_with_headers_allow_error_status
(which delegates to send_with_https_fallback_allow_error_status) against a
mocked HTTP server that returns non-2xx responses (e.g., 404, 429, 500) and
assert the call returns Ok(Response) and that the response body can be
inspected; also include a separate case that simulates an offline/network
failure (or Settings::get().offline() enabled) and assert it returns Err,
ensuring the helper does not call error_for_status_ref() and preserves non-2xx
responses for callers like versions_host.rs.

---

409-556: ⚡ Quick win

Avoid threading another raw bool through the send stack.

error_for_status is now a second mode flag riding through a deep call chain, and the true/false literals at Lines 421-422, 439-440, and 492 are easy to flip by accident. A tiny enum or moving SendOnceOptions up a layer would make the new status-mode contract self-describing.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/http.rs` around lines 409 - 556, Introduce a small enum (e.g., StatusMode
{ErrorForStatus, AllowErrorStatus}) or fold the status mode into SendOnceOptions
and stop passing the raw bool through the call chain; change the signatures of
send_with_https_fallback, send_with_https_fallback_allow_error_status,
send_with_https_fallback_with_retries, send_once_with_https_fallback,
send_once_with_https_fallback_with_retry_headers, and
send_once_with_retry_headers to accept the enum or SendOnceOptions instance
instead of a bool named error_for_status, construct the correct mode in the
top-level callers (send_with_https_fallback → ErrorForStatus,
send_with_https_fallback_allow_error_status → AllowErrorStatus), and update
send_once_with_retry_headers to derive the proper SendOnceOptions (or use the
passed-in one) rather than branching on a boolean literal so the API becomes
self-describing and eliminates the fragile true/false literals.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/http.rs`:
- Around line 169-178: Add a regression test that verifies the new
allow-error-status contract: call get_async_with_headers_allow_error_status
(which delegates to send_with_https_fallback_allow_error_status) against a
mocked HTTP server that returns non-2xx responses (e.g., 404, 429, 500) and
assert the call returns Ok(Response) and that the response body can be
inspected; also include a separate case that simulates an offline/network
failure (or Settings::get().offline() enabled) and assert it returns Err,
ensuring the helper does not call error_for_status_ref() and preserves non-2xx
responses for callers like versions_host.rs.
- Around line 409-556: Introduce a small enum (e.g., StatusMode {ErrorForStatus,
AllowErrorStatus}) or fold the status mode into SendOnceOptions and stop passing
the raw bool through the call chain; change the signatures of
send_with_https_fallback, send_with_https_fallback_allow_error_status,
send_with_https_fallback_with_retries, send_once_with_https_fallback,
send_once_with_https_fallback_with_retry_headers, and
send_once_with_retry_headers to accept the enum or SendOnceOptions instance
instead of a bool named error_for_status, construct the correct mode in the
top-level callers (send_with_https_fallback → ErrorForStatus,
send_with_https_fallback_allow_error_status → AllowErrorStatus), and update
send_once_with_retry_headers to derive the proper SendOnceOptions (or use the
passed-in one) rather than branching on a boolean literal so the API becomes
self-describing and eliminates the fragile true/false literals.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8c9f186c-65b9-457e-94e0-9c07e193a403

📥 Commits

Reviewing files that changed from the base of the PR and between de68324 and ea35917.

📒 Files selected for processing (4)

• src/backend/aqua.rs
• src/github.rs
• src/http.rs
• src/versions_host.rs

🚧 Files skipped from review as they are similar to previous changes (3)

• src/backend/aqua.rs
• src/github.rs
• src/versions_host.rs

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.3 x -- echo	18.8 ± 1.3	16.1	26.6	1.00
mise x -- echo	18.8 ± 1.1	17.0	29.8	1.00 ± 0.09

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.3 env	18.8 ± 1.6	16.4	23.8	1.00
mise env	22.9 ± 4.6	17.2	37.4	1.22 ± 0.26
⚠️ Inconclusive: env measured 22% slower, but the relative uncertainty overlaps the 10% threshold.

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.3 hook-env	21.3 ± 1.3	18.6	27.6	1.00
mise hook-env	22.0 ± 2.0	17.9	29.8	1.03 ± 0.11

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.3 ls	16.6 ± 1.3	13.7	22.1	1.03 ± 0.10
mise ls	16.2 ± 1.0	14.6	20.9	1.00

xtasks/test/perf

Command	mise-2026.6.3	mise	Variance
install (cached)	137ms	136ms	+0%
ls (cached)	59ms	59ms	+0%
bin-paths (cached)	62ms	63ms	-1%
task-ls (cached)	124ms	125ms	+0%