jdx · jdx · Feb 27, 2026 · Feb 26, 2026 · cursor · Feb 26, 2026
diff --git a/e2e/lockfile/test_lockfile_locked_mode b/e2e/lockfile/test_lockfile_locked_mode
@@ -80,5 +80,23 @@ EOF
 
 assert_contains "mise install --dry-run 2>&1" "would install"
 
+# --- Test 7: mise lock refuses to run in --locked mode ---
+export MISE_LOCKFILE=1
+
+cat <<'EOF' >mise.toml
+[tools]
+jq = "1.7.1"
+EOF
+
+cat <<EOF >mise.lock
+[[tools.jq]]
+version = "1.7.1"
+backend = "aqua:jqlang/jq"
+"platforms.$PLATFORM" = { url = "https://example.com/jq-1.7.1.tar.gz" }
+EOF
+
+assert_fail_contains "mise lock --locked 2>&1" "mise lock is disabled in --locked mode"
+MISE_LOCKED=1 assert_fail_contains "mise lock 2>&1" "mise lock is disabled in --locked mode"
+
 # Restore for any subsequent tests
 export MISE_LOCKFILE=1
diff --git a/src/cli/lock.rs b/src/cli/lock.rs
@@ -10,7 +10,7 @@ use crate::toolset::Toolset;
 use crate::ui::multi_progress_report::MultiProgressReport;
 use crate::{cli::args::ToolArg, config::Settings};
 use console::style;
-use eyre::Result;
+use eyre::{Result, bail};
 use tokio::sync::Semaphore;
 use tokio::task::JoinSet;
 
@@ -52,6 +52,11 @@ pub struct Lock {
 impl Lock {
     pub async fn run(self) -> Result<()> {
         let settings = Settings::get();
+        if settings.locked {
+            bail!(
+                "mise lock is disabled in --locked mode\nhint: Remove --locked or unset MISE_LOCKED=1"
+            );
+        }
         let config = Config::get().await?;
 
         let ts = config.get_toolset().await?;

diff --git a/src/cli/use.rs b/src/cli/use.rs
@@ -145,7 +145,7 @@ impl Use {
             .cloned()
             .map(|t| match t.tvr {
                 Some(tvr) => {
-                    if tvr.version() == "latest" {
+                    if tvr.version() == "latest" && !Settings::get().locked {
                         // user specified `@latest` so we should resolve the latest version
                         // TODO: this should only happen on this tool, not all of them
                         resolve_options.latest_versions = true;

diff --git a/src/toolset/tool_version.rs b/src/toolset/tool_version.rs
@@ -15,7 +15,7 @@ use crate::lockfile::{CondaPackageInfo, LockfileTool, PlatformInfo};
 use crate::toolset::{ToolRequest, ToolVersionOptions, tool_request};
 use console::style;
 use dashmap::DashMap;
-use eyre::Result;
+use eyre::{Result, bail};
 use jiff::Timestamp;
 #[cfg(windows)]
 use path_absolutize::Absolutize;
@@ -210,6 +210,19 @@ impl ToolVersion {
         {
             return Ok(Self::from_lockfile(request.clone(), lt));
         }
+        let settings = Settings::get();
+        if settings.locked
+            && opts.use_locked_version
+            && settings.lockfile_enabled()
+            && !has_linked_version(request.ba())
+            && request.source().path().is_some()
+        {
+            bail!(
+                "{}@{} is not in the lockfile\nhint: Run `mise install` without --locked to update the lockfile",
+                request.ba().short,
+                request.version()
+            );
+        }
 
         match v.split_once(':') {
             Some((ref_type @ ("ref" | "tag" | "branch" | "rev"), r)) => {