fix(vfox): resolve GitHub token lazily inside Lua plugins

[jdx]

Summary

mise hook-env, mise completion, and other commands that build the toolset env call VfoxBackend::exec_env() for every installed Vfox tool. That eventually goes through VfoxPlugin::vfox(), which was eagerly resolving the GitHub token on every call — spawning github.credential_command (e.g. unlocking a password manager) even when no Lua plugin would ever issue an HTTP request.

This change passes a closure to vfox instead of a pre-resolved string. The vfox crate registers it as a Lua function that the http module only calls when actually sending a request to a GitHub API URL.

End result: mise hook-env / mise activate / mise completion / mise --help no longer trigger credential_command. It only runs when a Lua plugin really needs to talk to the GitHub API (e.g. during an install).

Fixes #9797.

Test plan

• New unit tests in crates/vfox/src/lua_mod/http.rs cover lazy invocation, precedence over the eager string, and the empty-string fallback path.
• New vfox::tests::test_github_token_resolver_not_called_for_local_hooks runs env_keys + pre_uninstall on the dummy plugin and asserts the resolver is never called.
• Existing e2e cli/test_github_credential_shim_recursion still passes (still exercises real-credential-command path via github: backend).
• mise run lint / mise run test:unit clean.

🤖 Generated with Claude Code

---

Note

Medium Risk
Medium risk because it changes GitHub token resolution flow and caching behavior (including credential_command invocation) for both Lua plugin HTTP and core GitHub token lookup, which could affect authenticated requests or prompt behavior.

Overview
vfox Lua plugins now resolve GitHub auth lazily. Instead of eagerly resolving and storing a GitHub token when constructing Vfox, the PR wires an optional github_token_resolver closure through Vfox/Plugin into the Lua registry as github_token_fn, and the Lua http module only calls it when sending requests to GitHub API URLs (with resolver precedence over the string token and fallback behavior).

GitHub credential-command invocation is reduced. resolve_token now runs github.credential_command only once per canonical host (avoiding double-spawns for api.github.com vs github.com), and token caching docs/tests are updated accordingly.

Adds targeted regression/unit tests to ensure the resolver is only invoked for GitHub API HTTP calls and is not triggered by local vfox hooks like env_keys/pre_uninstall.

^{Reviewed by Cursor Bugbot for commit 29aa1a3. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes eager GitHub token resolution in vfox-backed commands by introducing a lazy github_token_resolver closure that is only invoked when a Lua plugin actually issues an HTTP request to a GitHub API URL. It also tightens credential_command to call the helper once per canonical host, eliminating double password-manager prompts when resolving api.github.com.

• Lazy resolver path: VfoxPlugin::vfox() now sets github_token_resolver (an Arc<Fn>) instead of calling resolve_token eagerly; Plugin::set_github_token_resolver wraps it as a Lua function stored in the named registry; github_token() in the HTTP module checks the function before the static string, falling back when the resolver returns empty.
• credential_command deduplication (src/github.rs): resolution now passes only lookup_hosts.first() (the canonical host, e.g. \"github.com\" for both github.com and api.github.com) to get_credential_command_token, rather than iterating all hosts.
• Tests: new unit tests in http.rs and vfox.rs cover lazy invocation, resolver-over-string precedence, empty-string fallback, and a regression check that local hooks never trigger the resolver.

Confidence Score: 5/5

Safe to merge — the lazy-resolver plumbing is well-encapsulated, the fallback chain (resolver → static string → env vars) is explicitly tested, and the credential_command host-deduplication aligns with the documented canonical-host mapping.

The change is narrowly scoped: token resolution moves from eager to lazy with a clean fallback chain, and the credential_command simplification only removes a redundant second spawn for hosts that share a canonical form. All affected paths have unit and integration test coverage.

No files require special attention.

Important Files Changed

Filename	Overview
src/plugins/vfox_plugin.rs	Replaces eager resolve_token call with a lazy Arc closure set on github_token_resolver, so mise hook-env/completion never invoke the credential command.
crates/vfox/src/lua_mod/http.rs	Extends github_token() to check a github_token_fn Lua registry function first; adds three unit tests covering lazy invocation, resolver precedence, and empty-string fallback.
crates/vfox/src/vfox.rs	Adds github_token_resolver field with manual Debug impl that redacts secrets; set_github_token now registers both the string and the closure resolver; integration test verifies the resolver is never called for non-network hooks.
crates/vfox/src/plugin.rs	Adds set_github_token_resolver wrapping the Arc<Fn> closure in a Lua function and storing it as github_token_fn in the named Lua registry.
src/github.rs	Tightens credential_command resolution to call the helper once with only the canonical host, preventing double prompts when resolving api.github.com; behavior is unchanged for hosts that are their own canonical form.
src/tokens.rs	Documentation clarification and a new test_get_credential_command_token_caches_per_host test confirming one subprocess spawn per distinct host.
settings.toml	Docs for forgejo, github, and gitlab credential_command settings updated: $1 phrasing replaced with MISE_CREDENTIAL_HOST, and the "Results are cached per host per session" sentence removed.
docs/dev-tools/github-tokens.md	Trailing "Results are cached per host per session." sentence removed from the credential_command paragraph to match the stripped settings.toml docs.

_{Reviews (4): Last reviewed commit: "docs(github): drop misleading "duration ..." | Re-trigger Greptile}

[gemini-code-assist]

Code Review

This pull request implements lazy resolution for GitHub tokens to prevent unnecessary execution of credential commands during operations that do not require network access. Key changes include adding a github_token_resolver to the Vfox and Plugin structs and updating the Lua HTTP module to invoke this resolver only when needed. Feedback was provided regarding the manual Debug implementation for the Vfox struct, specifically suggesting the inclusion of the log_tx field for completeness.

[gemini-code-assist]

The manual Debug implementation for Vfox omits the log_tx field. While log_tx is a private field and its content (an mpsc::Sender) might not be highly informative, it is generally best practice for a manual Debug implementation to include all fields of the struct to provide a complete view of the object's state during debugging, especially since it was previously included via the derived Debug trait.

Suggested change

	impl std::fmt::Debug for Vfox {
	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
	f.debug_struct("Vfox")
	.field("runtime_version", &self.runtime_version)
	.field("install_dir", &self.install_dir)
	.field("plugin_dir", &self.plugin_dir)
	.field("cache_dir", &self.cache_dir)
	.field("download_dir", &self.download_dir)
	.field("skip_verification", &self.skip_verification)
	.field("cmd_env", &self.cmd_env)
	.field("github_token", &self.github_token.as_deref().map(|_| "***"))
	.field(
	"github_token_resolver",
	&self.github_token_resolver.as_ref().map(|_| "<closure>"),
	)
	.field("runtime_env_type", &self.runtime_env_type)
	.finish()
	}
	}
	impl std::fmt::Debug for Vfox {
	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
	f.debug_struct("Vfox")
	.field("runtime_version", &self.runtime_version)
	.field("install_dir", &self.install_dir)
	.field("plugin_dir", &self.plugin_dir)
	.field("cache_dir", &self.cache_dir)
	.field("download_dir", &self.download_dir)
	.field("skip_verification", &self.skip_verification)
	.field("cmd_env", &self.cmd_env)
	.field("github_token", &self.github_token.as_deref().map(|_| "***"))
	.field(
	"github_token_resolver",
	&self.github_token_resolver.as_ref().map(|_| "<closure>"),
	)
	.field("runtime_env_type", &self.runtime_env_type)
	.field("log_tx", &self.log_tx.as_ref().map(|_| "Sender"))
	.finish()
	}
	}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 46ea0e7. Configure here.}

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.5.6 x -- echo	18.5 ± 0.7	16.8	21.6	1.00
mise x -- echo	19.4 ± 2.7	17.0	36.6	1.05 ± 0.15

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.5.6 env	18.5 ± 0.9	16.3	23.4	1.00
mise env	18.7 ± 1.1	16.9	23.6	1.01 ± 0.08

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.5.6 hook-env	19.5 ± 0.8	17.6	22.6	1.00
mise hook-env	19.5 ± 0.8	17.7	22.5	1.00 ± 0.06

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.5.6 ls	15.9 ± 0.7	14.3	19.7	1.00
mise ls	15.9 ± 0.7	14.4	19.0	1.00 ± 0.06

xtasks/test/perf

Command	mise-2026.5.6	mise	Variance
install (cached)	125ms	128ms	-2%
ls (cached)	59ms	59ms	+0%
bin-paths (cached)	64ms	63ms	+1%
task-ls (cached)	489ms	490ms	+0%