feat(lock): add resolve_lock_info to core backends for checksum fetching

[jdx]

Summary

• Implement resolve_lock_info for core backends (node, bun, go, zig, deno) to fetch checksums during mise lock without downloading full tarballs
• Add HTTP caching infrastructure with per-URL OnceCell to prevent redundant network requests when fetching checksums for multiple platforms
• Add shared helper functions (fetch_checksum_from_shasums, fetch_checksum_from_file) to reduce code duplication

Backend Status

Backend	Status	Checksum Source	Notes
core:node	✅ Implemented	SHASUMS256.txt from nodejs.org	Cached
core:bun	✅ Implemented	SHASUMS256.txt from GitHub releases	Cached
core:go	✅ Implemented	Individual .sha256 files	Per-platform
core:deno	✅ Implemented	Individual .sha256sum files	Per-platform
core:zig	✅ Implemented	JSON index with shasum/size	Cached
core:java	❌ Not implemented	Adoptium has SHA256 checksums	Need to parse Adoptium API response
core:python	❌ Not implemented	python.org has MD5 checksums	MD5 available, SHA256 would require pyenv plugin
core:ruby	❌ Not implemented	No upstream checksums	Would need to compute from download
core:elixir	❌ Not implemented	GitHub releases have no checksums	Would need to compute from download
core:erlang	❌ Not implemented	erlang.org has no checksums	Would need to compute from download
core:rust	❌ Not implemented	rustup handles checksums internally	N/A - uses rustup
core:swift	❌ Not implemented	swift.org has signatures but no checksums	Would need GPG verification or compute
aqua	✅ Already implemented	Aqua registry checksums	Some packages have checksums in registry
github	✅ Already implemented	GitHub release checksums files	Looks for SHASUMS/checksums files
conda	✅ Already implemented	Conda package metadata	Built into conda
ubi	❌ Not implemented	No upstream checksums	ubi downloads don't have checksums
cargo	❌ N/A	Cargo handles verification	Built into cargo
npm	❌ N/A	npm handles verification	Built into npm
pipx	❌ N/A	pip handles verification	Built into pip
gem	❌ N/A	gem handles verification	Built into gem
asdf/vfox	❌ Plugin-dependent	Varies by plugin	Would need per-plugin support

HTTP Caching

Added HTTP.get_text_cached() and HTTP_FETCH.json_cached() methods that use a per-URL OnceCell to:

• Prevent duplicate concurrent requests to the same URL
• Cache results for the duration of the mise lock operation
• Share results across multiple platform targets

This addresses the issue where checksums were only being added during installation (via blake3 hash of downloaded files) rather than during mise lock, which caused autofix CI to add checksums on release branches.

Test plan

• Build succeeds
• Lint passes
• Run mise lock with these tools and verify checksums are populated
• Run CI

🤖 Generated with Claude Code

---

Note

Add resolve_lock_info to core backends to populate URLs/checksums during mise lock, with per-URL HTTP caching and platform variant support.

• Locking flow:
  • Implement Backend::resolve_lock_info across core:node, core:bun, core:go, core:deno, core:zig, and core:ruby to return download url and checksum (and size for zig) without installing.
  • cli lock expands backend-declared platform variants and processes each variant in parallel; dry-run reflects variants.
• Backends:
  • node: Build filename per target; parse checksum from SHASUMS256.txt.
  • bun: Handle baseline/musl variants; derive filename; parse checksum from SHASUMS256.txt; override get_platform_key; expose platform_variants.
  • go: Construct tarball URL; read .sha256 sidecar (honors go_skip_checksum).
  • deno: Construct URL; read .sha256sum sidecar.
  • zig: Read index JSON (cached) for URL/checksum/size; fallback URL for numbered versions.
  • ruby: Parse ruby index for source tarball URL and sha256 (MRI only).
• HTTP/caching:
  • Add HTTP.get_text_cached and HTTP_FETCH.json_cached using per-URL OnceCell to dedupe concurrent/repeated requests.
• Shared helpers:
  • Add fetch_checksum_from_shasums and fetch_checksum_from_file for checksum retrieval.
• Platform/lockfile:
  • Platform parsing supports compound qualifiers (e.g., musl-baseline) and validates new qualifiers.
  • Add Backend::platform_variants hook; default returns base platform.
  • Lockfile PlatformInfo::is_empty; set_platform_info now merges with existing data and skips empty entries.
  • Lock tool selection constrained to current config root.

^{Written by Cursor Bugbot for commit 733c67f. This will update automatically on new commits. Configure here.}

[Copilot]

Pull request overview

This PR implements resolve_lock_info for core backends (node, bun, go, deno, zig) to enable checksum fetching during mise lock operations without downloading full tarballs. It also introduces HTTP caching infrastructure to prevent redundant network requests when fetching checksums for multiple platforms.

Key Changes:

• Added resolve_lock_info implementations for 5 core backends to fetch checksums from upstream sources
• Introduced HTTP caching with per-URL OnceCell to deduplicate concurrent requests
• Added shared helper functions to reduce code duplication across backends

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/plugins/core/zig.rs	Implements resolve_lock_info using cached JSON index with embedded checksums/sizes
src/plugins/core/node.rs	Implements resolve_lock_info using cached SHASUMS256.txt file
src/plugins/core/go.rs	Implements resolve_lock_info using individual .sha256 files per tarball
src/plugins/core/deno.rs	Implements resolve_lock_info using individual .sha256sum files per zip
src/plugins/core/bun.rs	Implements resolve_lock_info using cached SHASUMS256.txt from GitHub releases
src/http.rs	Adds get_text_cached and json_cached methods with per-URL OnceCell caching
src/backend/static_helpers.rs	Adds fetch_checksum_from_shasums and fetch_checksum_from_file helper functions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The tarball filename format is incorrect - it should be zig-{os}-{arch}-{version}.tar.xz but the code generates zig-{version}-{os}-{arch}.tar.xz. The correct order based on standard Zig release naming is zig-{os}-{arch}-{version}.tar.xz.

[Copilot]

The HashMap uses String keys which requires cloning the URL string. Consider using Arc<str> or a reference-counted key to avoid string clones on cache hits.

[Copilot]

Using unwrap() here will panic on invalid URLs without a helpful error message. Consider using ? operator to propagate the error with proper context, or provide a descriptive error message.

Suggested change

	let url = url.into_url().unwrap();
	let url = url.into_url().map_err(Into::into)?;

[Copilot]

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The is_empty() method doesn't check the size field. If size is the only populated field, this method will incorrectly return true. Either include size in the check or document why it's intentionally excluded.

Suggested change

	self.checksum.is_none() && self.url.is_none() && self.url_api.is_none()
	self.checksum.is_none()
	&& self.size.is_none()
	&& self.url.is_none()
	&& self.url_api.is_none()

[Copilot]

Using unwrap() on a Mutex::lock() can cause panics if the mutex is poisoned. Consider using lock().expect() with a descriptive message or handle the poison error explicitly to improve debugging.

Suggested change

	let mut cache = HTTP_CACHE.lock().unwrap();
	let mut cache = HTTP_CACHE.lock().expect("Failed to lock HTTP_CACHE mutex (possibly poisoned)");

[Copilot]

[nitpick] The version appears twice in the URL format string (positions 1 and 4). Consider using a temporary variable to make this clearer and avoid potential inconsistencies if the format string is modified.

Suggested change

	Ok(PlatformInfo {
	url: Some(format!(
	"https://ziglang.org/download/{}/zig-{}-{}-{}.tar.xz",
	tv.version, os, arch, tv.version
	let version = &tv.version;
	Ok(PlatformInfo {
	url: Some(format!(
	"https://ziglang.org/download/{}/zig-{}-{}-{}.tar.xz",
	version, os, arch, version

[cursor]

Bug: Node flavor setting incorrectly applied to all platforms

The build_platform_slug method unconditionally applies the local node.flavor setting (like "glibc") to all target platforms during mise lock. However, flavor variants are platform-specific (e.g., glibc only exists for Linux). The original slug() function correctly uses the current platform's OS and arch, but this new method applies the local flavor to cross-platform targets like macOS, generating invalid URLs like node-v24-darwin-arm64-glibc.tar.gz. The checksum lookup in SHASUMS256.txt will fail to find these non-existent files.

src/plugins/core/node.rs#L668-L680

mise/src/plugins/core/node.rs

Lines 668 to 680 in b533ed6

	/// This mirrors the logic from BuildOpts::new() and slug() function
	fn build_platform_slug(&self, version: &str, target: &PlatformTarget) -> String {
	let settings = Settings::get();
	let os = Self::map_os(target.os_name());
	let arch = Self::map_arch(target.arch_name());
	if let Some(flavor) = &settings.node.flavor {
	format!("node-v{version}-{os}-{arch}-{flavor}")
	} else {
	format!("node-v{version}-{os}-{arch}")
	}
	}

 

---

[jdx]

bugbot run

[jdx]

bugbot run

[cursor]

Bug: Compound qualifiers cannot be parsed from platform keys

The Platform::parse function splits platform strings by - and only handles 2 or 3 parts. However, this PR adds "musl-baseline" as a valid qualifier (which contains a hyphen). When a Platform with this qualifier calls to_key(), it produces "linux-x64-musl-baseline" (4 parts when split). This cannot be parsed back because Platform::parse rejects strings with more than 3 hyphen-separated parts. This affects the lock command's determine_target_platforms function which silently ignores lockfile platform keys that fail to parse, and prevents users from explicitly specifying compound qualifier platforms via --platform.

src/platform.rs#L14-L33

mise/src/platform.rs

Lines 14 to 33 in 852f661

	/// Parse a platform string in the format "os-arch" or "os-arch-qualifier"
	pub fn parse(platform_str: &str) -> Result<Self> {
	let parts: Vec<&str> = platform_str.split('-').collect();
	match parts.len() {
	2 => Ok(Platform {
	os: parts[0].to_string(),
	arch: parts[1].to_string(),
	qualifier: None,
	}),
	3 => Ok(Platform {
	os: parts[0].to_string(),
	arch: parts[1].to_string(),
	qualifier: Some(parts[2].to_string()),
	}),
	_ => bail!(
	"Invalid platform format '{}'. Expected 'os-arch' or 'os-arch-qualifier'",
	platform_str
	),
	}

src/plugins/core/bun.rs#L225-L230

mise/src/plugins/core/bun.rs

Lines 225 to 230 in 852f661

	});
	variants.push(Platform {
	os: platform.os.clone(),
	arch: platform.arch.clone(),
	qualifier: Some("musl-baseline".to_string()),
	});

 

---

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2025.11.11 x -- echo	19.0 ± 0.4	18.4	21.7	1.00
mise x -- echo	19.0 ± 0.3	18.4	20.2	1.00 ± 0.02

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2025.11.11 env	18.3 ± 0.3	17.8	19.3	1.00
mise env	18.7 ± 0.5	17.9	22.4	1.02 ± 0.03

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2025.11.11 hook-env	18.5 ± 0.4	17.9	23.4	1.00
mise hook-env	18.7 ± 0.4	18.0	20.6	1.01 ± 0.03

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2025.11.11 ls	15.7 ± 0.3	15.1	16.9	1.00
mise ls	16.0 ± 0.4	15.3	18.1	1.02 ± 0.03

xtasks/test/perf

Command	mise-2025.11.11	mise	Variance
install (cached)	105ms	106ms	+0%
ls (cached)	64ms	64ms	+0%
bin-paths (cached)	70ms	70ms	+0%
task-ls (cached)	430ms	421ms	+2%