feat(wings): add auth, policy, and MOCITO install path

.github/workflows/docs.yml

@@ -44,6 +44,19 @@ jobs:
   docs:
     if: github.repository == 'jdx/mise'
     runs-on: namespace-profile-endev-linux-amd64;overrides.cache-tag=mise-pr-rust-linux
+    # `id-token: write` lets the runner mint the OIDC token mise
+    # exchanges for a wings session at `POST /auth`. Combined
+    # with the explicit `MISE_WINGS_ENABLED=1` opt-in below,
+    # normal tool installs can resolve through the mise-wings
+    # catalog and OCI registry.
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      # Opt in to wings for this workflow. Required for the
+      # auto-OIDC exchange to fire; without it mise leaves wings
+      # inactive (no identity data sent to wings).
+      MISE_WINGS_ENABLED: "1"
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:

Cargo.toml

@@ -96,6 +96,7 @@ demand = "2"
 digest = "0.11.0"
 dotenvy = "0.15"
 duct = "1.0"
+ed25519-dalek = "2"
 homedir = "0.3"
 expr-lang = "1"
 eyre = "0.6"
@@ -117,6 +118,7 @@ clx = "2"
 indoc = "2"
 itertools = "0.14"
 jiff = "0.2"
+jsonwebtoken = "9"
 junction = "2"
 log = "0.4"
 minisign-verify = "0.2"

docs/.vitepress/cli_commands.ts

@@ -409,4 +409,27 @@ export const commands: { [key: string]: Command } = {
   which: {
     hide: false,
   },
+  wings: {
+    hide: false,
+    subcommands: {
+      inspect: {
+        hide: false,
+      },
+      login: {
+        hide: false,
+      },
+      logout: {
+        hide: false,
+      },
+      rebuild: {
+        hide: false,
+      },
+      status: {
+        hide: false,
+      },
+      whoami: {
+        hide: false,
+      },
+    },
+  },
 };

docs/cli/index.md

@@ -188,3 +188,14 @@ Can also use `MISE_NO_HOOKS=1`
 - [`mise watch [FLAGS] [TASK] [ARGS]…`](/cli/watch.md)
 - [`mise where <TOOL@VERSION>`](/cli/where.md)
 - [`mise which [FLAGS] [BIN_NAME]`](/cli/which.md)
+- [`mise wings <SUBCOMMAND>`](/cli/wings.md)
+- [`mise wings inspect <SUBCOMMAND>`](/cli/wings/inspect.md)
+- [`mise wings inspect manifest [--digest <DIGEST>] <REFERENCE>`](/cli/wings/inspect/manifest.md)
+- [`mise wings inspect referrers [--digest <DIGEST>] <REFERENCE>`](/cli/wings/inspect/referrers.md)
+- [`mise wings inspect sbom [--digest <DIGEST>] <REFERENCE>`](/cli/wings/inspect/sbom.md)
+- [`mise wings inventory`](/cli/wings/inventory.md)
+- [`mise wings login`](/cli/wings/login.md)
+- [`mise wings logout [FLAGS]`](/cli/wings/logout.md)
+- [`mise wings rebuild <TOOL@VERSION>`](/cli/wings/rebuild.md)
+- [`mise wings status`](/cli/wings/status.md)
+- [`mise wings whoami`](/cli/wings/whoami.md)

docs/cli/wings.md

@@ -0,0 +1,30 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings`
+
+- **Usage**: `mise wings <SUBCOMMAND>`
+- **Source code**: [`src/cli/wings/mod.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/mod.rs)
+
+Manage `mise wings` authentication
+
+`mise-wings` is a paid asset cache for tool installs. Run
+`mise wings login` once to authenticate; subsequent installs
+resolve through the mise-wings catalog and OCI registry when
+`wings.enabled` is set. Set `wings = false` on a specific
+`[tools]` entry to keep that tool on its normal backend path.
+
+`mise wings inspect` provides read-only OCI debugging commands
+for artifact manifests, referrers, and evidence blobs such as
+SBOMs.
+
+Bare `mise wings` with no subcommand prints the same status
+summary as `mise wings status`.
+
+## Subcommands
+
+- [`mise wings inspect <SUBCOMMAND>`](/cli/wings/inspect.md)
+- [`mise wings inventory`](/cli/wings/inventory.md)
+- [`mise wings login`](/cli/wings/login.md)
+- [`mise wings logout [FLAGS]`](/cli/wings/logout.md)
+- [`mise wings rebuild <TOOL@VERSION>`](/cli/wings/rebuild.md)
+- [`mise wings status`](/cli/wings/status.md)
+- [`mise wings whoami`](/cli/wings/whoami.md)

docs/cli/wings/inspect.md

@@ -0,0 +1,20 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings inspect`
+
+- **Usage**: `mise wings inspect <SUBCOMMAND>`
+- **Source code**: [`src/cli/wings/mod.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/mod.rs)
+
+Inspect Wings OCI artifacts and attached evidence.
+
+Examples:
+
+```sh
+$ mise wings inspect manifest registry.mise-wings.en.dev/acme/node:20
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[{"mediaType":"application/vnd.mise-wings.artifact.v1","digest":"sha256:..."}]}
+```
+
+## Subcommands
+
+- [`mise wings inspect manifest [--digest <DIGEST>] <REFERENCE>`](/cli/wings/inspect/manifest.md)
+- [`mise wings inspect referrers [--digest <DIGEST>] <REFERENCE>`](/cli/wings/inspect/referrers.md)
+- [`mise wings inspect sbom [--digest <DIGEST>] <REFERENCE>`](/cli/wings/inspect/sbom.md)

docs/cli/wings/inspect/manifest.md

@@ -0,0 +1,33 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings inspect manifest`
+
+- **Usage**: `mise wings inspect manifest [--digest <DIGEST>] <REFERENCE>`
+- **Source code**: [`src/cli/wings/inspect/manifest.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/inspect/manifest.rs)
+
+Print the OCI image manifest for a Wings artifact.
+
+Examples:
+
+```sh
+$ mise wings inspect manifest registry.mise-wings.en.dev/acme/node:20
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[{"mediaType":"application/vnd.mise-wings.artifact.v1","digest":"sha256:..."}]}
+```
+
+Fetch and verify a specific manifest digest:
+
+```sh
+$ mise wings inspect manifest registry.mise-wings.en.dev/acme/node --digest sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}
+```
+
+## Arguments
+
+### `<REFERENCE>`
+
+Wings OCI reference, optionally including @sha256:&lt;digest>
+
+## Flags
+
+### `--digest <DIGEST>`
+
+Manifest digest to fetch when the reference does not include one

docs/cli/wings/inspect/referrers.md

@@ -0,0 +1,26 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings inspect referrers`
+
+- **Usage**: `mise wings inspect referrers [--digest <DIGEST>] <REFERENCE>`
+- **Source code**: [`src/cli/wings/inspect/referrers.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/inspect/referrers.rs)
+
+Print the OCI referrers index for a Wings artifact.
+
+Examples:
+
+```sh
+$ mise wings inspect referrers registry.mise-wings.en.dev/acme/node@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","artifactType":"application/spdx+json","digest":"sha256:..."}]}
+```
+
+## Arguments
+
+### `<REFERENCE>`
+
+Wings OCI reference, including @sha256:&lt;digest> or paired with --digest
+
+## Flags
+
+### `--digest <DIGEST>`
+
+Subject manifest digest when the reference does not include one

docs/cli/wings/inspect/sbom.md

@@ -0,0 +1,33 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings inspect sbom`
+
+- **Usage**: `mise wings inspect sbom [--digest <DIGEST>] <REFERENCE>`
+- **Source code**: [`src/cli/wings/inspect/sbom.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/inspect/sbom.rs)
+
+Print the first SPDX or CycloneDX SBOM attached to a Wings artifact.
+
+Examples:
+
+```sh
+$ mise wings inspect sbom registry.mise-wings.en.dev/acme/node@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+{"spdxVersion":"SPDX-2.3","name":"node-20.11.1-linux-x64","packages":[]}
+```
+
+If no SBOM is attached:
+
+```sh
+$ mise wings inspect sbom registry.mise-wings.en.dev/acme/node@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+no SBOM referrer found for sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; Wings may not have published SBOM referrers for this artifact yet
+```
+
+## Arguments
+
+### `<REFERENCE>`
+
+Wings OCI reference, including @sha256:&lt;digest> or paired with --digest
+
+## Flags
+
+### `--digest <DIGEST>`
+
+Subject manifest digest when the reference does not include one

docs/cli/wings/inventory.md

@@ -0,0 +1,12 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings inventory`
+
+- **Usage**: `mise wings inventory`
+- **Source code**: [`src/cli/wings/inventory.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/inventory.rs)
+
+Upload current installed-tool inventory to mise-wings
+
+Reports the current machine's installed tool versions, platform, and
+Wings artifact digests when present. The snapshot is scoped to the
+authenticated Wings org and intentionally excludes local paths, usernames,
+hostnames, environment values, command arguments, and package-manager logs.

docs/cli/wings/login.md

@@ -0,0 +1,23 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings login`
+
+- **Usage**: `mise wings login`
+- **Source code**: [`src/cli/wings/login.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/login.rs)
+
+Authenticate with mise-wings
+
+By default, starts device-code auth and stores a device-bound
+credential.
+
+Examples:
+
+```sh
+$ mise wings login
+To sign in to mise-wings, open:
+
+https://app.mise-wings.en.dev/cli-device?code=AB12CD34
+
+Enter code: AB12-CD34
+Waiting for browser approval...
+Signed in to mise-wings as user_123 (acme).
+```

docs/cli/wings/logout.md

@@ -0,0 +1,50 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings logout`
+
+- **Usage**: `mise wings logout [FLAGS]`
+- **Source code**: [`src/cli/wings/logout.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/logout.rs)
+
+Sign out of mise-wings.
+
+Deletes the local credentials file. With `--token-stdin`
+or `--token`, also POSTs to `/auth/dev/revoke` to invalidate
+every wings session belonging to the calling user
+(including ones on other machines).
+
+Examples:
+
+```sh
+$ mise wings logout --local-only
+Local mise-wings credentials cleared.
+```
+
+Revoke all server-side sessions for the current user:
+
+```sh
+$ pbpaste | mise wings logout --token-stdin
+Revoked every active mise-wings session for your user.
+```
+
+Without a token, logout still clears local credentials:
+
+```sh
+$ mise wings logout
+Local mise-wings credentials cleared. Server-side revoke skipped (no Clerk session token).
+To revoke every session for your user (including other machines), run:
+
+mise wings logout --token-stdin
+```
+
+## Flags
+
+### `--local-only`
+
+Skip the server-side revoke; only delete the local credentials file. Use this when you don't have a fresh Clerk session JWT handy and just want this machine signed out — the wings session JWT remains valid on the server until its `exp` (24 h default)
+
+### `--token <TOKEN>`
+
+Clerk session JWT for the server-side revoke
+
+### `--token-stdin`
+
+Read the Clerk session JWT from stdin (avoids shell history)

docs/cli/wings/rebuild.md

@@ -0,0 +1,23 @@
+<!-- @generated by usage-cli from usage spec -->
+# `mise wings rebuild`
+
+- **Usage**: `mise wings rebuild <TOOL@VERSION>`
+- **Source code**: [`src/cli/wings/rebuild.rs`](https://github.com/jdx/mise/blob/main/src/cli/wings/rebuild.rs)
+
+Rebuild a Wings artifact for a tool version.
+
+Resolves the tool exactly like an install would, asks the Wings API to evict
+the current packaged catalog row for this org/tool/platform, and queues a
+fresh server-side packaging job.
+
+Examples:
+
+```sh
+mise wings rebuild jq@1.7.1
+```
+
+## Arguments
+
+### `<TOOL@VERSION>`
+
+Tool version to rebuild e.g.: node@20