
fix: verify provenance during lock #9945

Merged: jdx merged 1 commit into main from fix/verify-installed-github-provenance, May 17, 2026

Conversation

jdx (Owner) commented May 17, 2026

Summary

  • Verify and record missing provenance while running mise lock, instead of forcing already-installed tools through the install path.
  • Stop writing or preserving github_attestations = "unavailable" as lockfile state. Legacy entries still parse, but are dropped on write.
  • Add provenance_api_failures_fatal so GitHub attestation API failures are blocking by default and can be made warn-only when needed.
  • Keep malformed attestation JSON fatal even when API provenance failures are configured as non-blocking.

Root Cause

Restored or older lockfiles could contain checksum-only entries or the old
github_attestations = "unavailable" sentinel. Reusing that sentinel meant
GitHub attestation availability could stay stale after cache restore or API
failure.

mise lock is the right place to refresh that metadata: it can query release
assets, download artifacts when needed for lock-time provenance verification,
and update the lockfile without deleting or reinstalling a working tool.

Validation

  • target/debug/mise lock
  • cargo test -p mise github::sigstore::tests::test_is_api_failure_excludes_malformed_payloads
  • cargo test -p mise backend::vfox::test
  • cargo fmt --check
  • cargo clippy -p mise --all-targets -- -D warnings
  • commit hook: schema, format, cargo-check, shell/lua/markdown/prettier lint

Note

Medium Risk
Changes provenance detection/verification paths for mise lock and installs, which can affect whether tool installs fail vs. proceed when remote provenance services are unavailable. Also modifies lockfile serialization semantics, so existing lockfiles may be rewritten differently and alter caching/downgrade behavior.

Overview
mise lock now actively verifies and records provenance (GitHub attestations and SLSA) at lock time for the current platform, rather than relying on install-time verification or persisting negative attestation cache state.

Adds a new setting provenance_api_failures_fatal (default true, env MISE_PROVENANCE_API_FAILURES_FATAL) to control whether remote provenance API failures abort; when disabled, API failures warn and fall back/skip, while malformed/verification errors remain fatal.

Removes writing/preserving github_attestations = "unavailable" in lockfiles (legacy values still parse but are dropped on write), simplifying PlatformInfo merging/serialization and updating mise.lock accordingly.

Reviewed by Cursor Bugbot for commit 258e64e.
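The install-time policy the summary above describes (API failures blocking by default, warn-only when `provenance_api_failures_fatal` is off, malformed JSON and mismatches always fatal), as an added Rust example that is not mise's own code; the enum and function names are assumptions, and counting HTTP transport errors as API failures is also assumed:

```rust
// Added example, not mise's own code: models the install-time policy the PR
// describes. The type and function names here are assumptions standing in for
// mise's real ones; only the decision rules follow the PR text.

/// Ways an attestation check can fail. `Api` and `Http` are remote-service
/// problems (rate limits, transport errors); `Json` is a malformed payload;
/// `Mismatch` means the attestation loaded but does not cover the artifact.
#[derive(Debug, Clone, PartialEq)]
pub enum VerificationError {
    Api(String),
    Http(u16),
    Json(String),
    Mismatch { expected: String, actual: String },
}

/// Only remote API failures may take the warn-only path. Counting `Http`
/// transport errors as API failures is an assumption of this example.
pub fn is_api_failure(err: &VerificationError) -> bool {
    matches!(err, VerificationError::Api(_) | VerificationError::Http(_))
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Verified,
    WarnAndSkip(String),
    Fail(String),
}

/// Apply `provenance_api_failures_fatal`: API failures abort unless the setting
/// is false; malformed JSON and mismatches are fatal regardless of the setting.
pub fn decide(result: Result<(), VerificationError>, api_failures_fatal: bool) -> Decision {
    match result {
        Ok(()) => Decision::Verified,
        Err(e) if is_api_failure(&e) && !api_failures_fatal => {
            Decision::WarnAndSkip(format!("provenance API failure, continuing without it: {e:?}"))
        }
        Err(e) => Decision::Fail(format!("provenance verification failed: {e:?}")),
    }
}

fn main() {
    // Constructed cases: a rate limit with the setting relaxed, and a malformed
    // payload under the same relaxed setting, which must still fail.
    let rate_limited = Err(VerificationError::Api("403 rate limit exceeded".into()));
    let malformed = Err(VerificationError::Json("unexpected end of input".into()));
    println!("{:?}", decide(rate_limited, false));
    println!("{:?}", decide(malformed, false));
}
```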

gemini-code-assist (bot, Contributor) left a comment

Code Review

This pull request introduces a mechanism to refresh tool metadata by allowing already installed versions to re-run the installation path. This is primarily used to ensure that checksums and provenance information, such as GitHub Attestations or SLSA, are correctly captured in the lockfile. A critical issue was identified where the logic for enabling provenance checks does not account for whether the GitHub API actually supports attestations on specific instances, such as GitHub Enterprise. This oversight could lead to infinite reinstallation loops, and a code suggestion was provided to incorporate an explicit support check into the logic.

greptile-apps (bot, Contributor) commented May 17, 2026

Greptile Summary

This PR removes the github_attestations = "unavailable" sentinel from the lockfile format and introduces a provenance_api_failures_fatal setting (default true) that makes transient attestation API errors fatal at install time while keeping malformed-payload and mismatch failures unconditionally fatal. mise lock now actively verifies and records provenance rather than relying on install-time paths to refresh stale metadata.

  • Lockfile sentinel removal: all github_attestations = "unavailable" lines are dropped on write; legacy entries still parse but are silently dropped during merge/update.
  • New setting provenance_api_failures_fatal: controls whether API-level failures (rate limits, transport errors) abort mise install; applied consistently in the aqua and github backends via a new is_api_failure helper; the VerificationStatus::ApiError variant makes the distinction explicit at install time.
  • Lock-time verification: detect_provenance_type now returns Result and propagates errors through ?, while failures inside verify_provenance_at_lock_time are caught by the caller and logged as warnings so mise lock can still succeed and leave install-time verification to enforce strictness.

Confidence Score: 4/5

Safe to merge with awareness that tools lacking attestations or SLSA will trigger a fresh provenance check on every mise install until mise lock is re-run successfully.

The core provenance detection and verification logic changes are consistent and the new provenance_api_failures_fatal guards are applied symmetrically across the aqua and github backends. The main area requiring attention is the interaction between removing the github_attestations = "unavailable" sentinel and the install-time loop guard: without the sentinel, tools that genuinely have no attestations or SLSA will re-trigger provenance checks on every mise install rather than short-circuiting. This was raised in earlier review rounds. The lock-time vs. install-time error propagation split is intentional and documented.

src/backend/github.rs and src/backend/aqua.rs — specifically the interaction between removing the sentinel and the install-time guard that decides whether to re-run verification for already-installed tools.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/backend/github.rs | Adds VerificationStatus::ApiError variant, makes detect_provenance_type return Result propagated via ?, removes github_attestations sentinel from all return paths; core logic looks correct |
| src/backend/aqua.rs | Removes sentinel path from verify_lock_time_provenance and installed_version_missing_lock_integrity, adds provenance_api_failures_fatal check in run_github_attestations; simplifies return types throughout |
| src/github/sigstore.rs | Adds is_api_failure helper and new test; test covers Api and Json variants but not Http |
| src/lockfile.rs | Removes github_attestations write paths and has_checksum_and_github_attestations_unavailable; legacy entries parse but are dropped on write; is_empty updated to ignore the field |
| src/backend/vfox.rs | Refactors repeated log-forwarding thread into forward_plugin_logs helper; clean change |
| settings.toml | Adds provenance_api_failures_fatal setting with default true, env var, and documentation |
| schema/mise.json | Adds JSON schema entry for provenance_api_failures_fatal; straightforward |
| mise.lock | Removes all github_attestations = "unavailable" sentinel lines from the repo's own lockfile |

Reviews (8): Last reviewed commit: "fix: verify provenance during lock"
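A minimal model of the lockfile change Greptile's summary describes (legacy `github_attestations = "unavailable"` entries still parse, are ignored by `is_empty`, and are dropped on write), added here and not taken from mise: `PlatformInfo`, `parse_platform`, `is_empty` and `write_platform` are assumed stand-ins for the real lockfile types, and the sample entries are constructed.

```rust
// Added example, not mise's own code. The struct and function names are
// assumptions standing in for mise's real lockfile types; the behaviour
// (parse legacy sentinel, ignore it in is_empty, never write it) follows the PR.

#[derive(Debug, Default, PartialEq)]
pub struct PlatformInfo {
    pub checksum: Option<String>,
    pub url: Option<String>,
    /// Legacy field: old lockfiles wrote `"unavailable"` here. It is accepted on
    /// parse so old files still load, but it is never written back.
    pub github_attestations: Option<String>,
}

/// Parse the `key = "value"` lines of one platform block. Unknown keys are
/// ignored; a malformed line is an error rather than being silently dropped.
pub fn parse_platform(block: &str) -> Result<PlatformInfo, String> {
    let mut info = PlatformInfo::default();
    let lines = block.lines().map(str::trim).filter(|l| !l.is_empty() && !l.starts_with('#'));
    for line in lines {
        let (key, raw) = line.split_once('=').ok_or_else(|| format!("bad line: {line}"))?;
        let value = raw
            .trim()
            .strip_prefix('"')
            .and_then(|v| v.strip_suffix('"'))
            .ok_or_else(|| format!("unquoted value: {line}"))?
            .to_string();
        match key.trim() {
            "checksum" => info.checksum = Some(value),
            "url" => info.url = Some(value),
            "github_attestations" => info.github_attestations = Some(value),
            _ => {}
        }
    }
    Ok(info)
}

/// `is_empty` ignores the legacy field, so an entry that only carried the
/// sentinel is treated exactly like one that never had it.
pub fn is_empty(info: &PlatformInfo) -> bool {
    info.checksum.is_none() && info.url.is_none()
}

/// Serialise for writing: the sentinel is dropped whatever its value was.
pub fn write_platform(info: &PlatformInfo) -> String {
    let mut out = String::new();
    if let Some(c) = &info.checksum { out.push_str(&format!("checksum = \"{c}\"\n")); }
    if let Some(u) = &info.url { out.push_str(&format!("url = \"{u}\"\n")); }
    out
}
```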
github-actions (bot) commented May 17, 2026

Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.5.10 x -- echo | 18.5 ± 0.9 | 16.8 | 23.3 | 1.00 |
| mise x -- echo | 18.8 ± 1.2 | 16.9 | 30.7 | 1.02 ± 0.08 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.5.10 env | 18.5 ± 0.8 | 16.6 | 21.7 | 1.00 |
| mise env | 18.9 ± 1.1 | 17.0 | 24.8 | 1.02 ± 0.07 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.5.10 hook-env | 19.5 ± 0.9 | 17.7 | 25.5 | 1.00 |
| mise hook-env | 19.9 ± 0.9 | 17.8 | 24.0 | 1.02 ± 0.07 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.5.10 ls | 16.0 ± 0.9 | 14.3 | 21.7 | 1.00 |
| mise ls | 16.2 ± 0.8 | 14.7 | 20.8 | 1.01 ± 0.07 |

xtasks/test/perf

| Command | mise-2026.5.10 | mise | Variance |
| --- | --- | --- | --- |
| install (cached) | 134ms | 137ms | -2% |
| ls (cached) | 59ms | 62ms | -4% |
| bin-paths (cached) | 64ms | 68ms | -5% |
| task-ls (cached) | 124ms | 127ms | -2% |

jdx force-pushed the fix/verify-installed-github-provenance branch from e27f978 to a0f40a6, May 17, 2026 17:17
jdx changed the title from "fix(github): verify provenance for cached installs" to "fix: verify provenance for cached installs", May 17, 2026
jdx changed the title from "fix: verify provenance for cached installs" to "fix: refresh provenance for cached installs", May 17, 2026
jdx force-pushed the fix/verify-installed-github-provenance branch from a0f40a6 to 8aa3002, May 17, 2026 17:32
jdx force-pushed the fix/verify-installed-github-provenance branch 2 times, most recently from 90089cc to eff095c, May 17, 2026 17:49
jdx force-pushed the fix/verify-installed-github-provenance branch 2 times, most recently from bc8c5ee to 74d1394, May 17, 2026 18:03
jdx force-pushed the fix/verify-installed-github-provenance branch from 74d1394 to a8a6403, May 17, 2026 18:12
jdx force-pushed the fix/verify-installed-github-provenance branch from a8a6403 to afc517d, May 17, 2026 18:37
jdx changed the title from "fix: refresh provenance for cached installs" to "fix: verify provenance during lock", May 17, 2026
jdx force-pushed the fix/verify-installed-github-provenance branch from afc517d to 87a038c, May 17, 2026 18:46
jdx force-pushed the fix/verify-installed-github-provenance branch from 87a038c to e30fb17, May 17, 2026 18:52

cursor (bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit e30fb17.

jdx force-pushed the fix/verify-installed-github-provenance branch from e30fb17 to 258e64e, May 17, 2026 19:01
jdx enabled auto-merge (squash), May 17, 2026 19:11
jdx merged commit 565bcdd into main, May 17, 2026
34 checks passed
jdx deleted the fix/verify-installed-github-provenance branch, May 17, 2026 19:13