Auto-trust mise config files in workspace (#328) (#331)

mensfeld · web-flow · commit 339d854ca6e4 · 2026-04-14T19:24:17.000+02:00
* Auto-trust mise config files in workspace (#328) Set MISE_TRUSTED_CONFIG_PATHS to the container workspace path via /etc/profile.d/coi-mise-trust.sh so mise doesn't prompt or error when the workspace contains mise.toml / .tool-versions. * Fix mise trust for non-login shells + add to coi run + integration tests The /etc/profile.d/ approach only works for login shells, but the bash session inside containers (via tmux) is a non-login shell that only sources ~/.bashrc. mise activate in ~/.bashrc runs before the env var is set, causing trust errors. Fix: also prepend MISE_TRUSTED_CONFIG_PATHS to /etc/bash.bashrc which is sourced before ~/.bashrc for all interactive shells. Extract SetupMiseTrust into a shared function and call it from both coi shell (setup.go) and coi run (run.go). Add integration tests verifying the env var is set in both login and non-login shell contexts.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -116,6 +116,7 @@
 - [Feature] **Minimum nftables version check (>= 0.9.0)** — `coi health` now validates the installed nftables version and fails if it is below the minimum required 0.9.0 for network monitoring features. The nft version is also displayed in the health check output. Includes reusable version parsing utilities and unit/integration tests.
 - [Feature] **Split version checks between health (warn) and CLI commands (fail)** — `coi health` now reports old Incus/nftables versions as warnings (degraded, not unhealthy), while `coi shell`, `coi run`, and `coi build` fail with a clear error if Incus < 6.1. Added `container.CheckMinimumVersion()` helper. (#214)
 - [Feature] **Improved firewalld setup UX with masquerade checks and auto-setup** — `coi health` now reports granular firewall state (installed/running/masquerade) with actionable fix commands. `install.sh` offers interactive auto-setup for firewalld (install, start, enable masquerade, configure passwordless sudo). (#216)
+- [Feature] **Auto-trust mise config files in workspace** — Workspaces containing `mise.toml` or `.tool-versions` no longer require manual `mise trust` inside the container. COI now sets `MISE_TRUSTED_CONFIG_PATHS` to the container workspace path via `/etc/profile.d/coi-mise-trust.sh`, which is sourced alongside the existing mise activation script. This covers all mise config file types and subdirectories. Non-fatal — logs a warning if the profile.d file cannot be created. (#328)
 
 ### Bug Fixes
 
diff --git a/internal/cli/run.go b/internal/cli/run.go
@@ -279,6 +279,11 @@ func runCommand(cmd *cobra.Command, args []string) error {
 	// Configure timezone in container filesystem
 	tz := applyContainerTimezone(mgr)
 
+	// Auto-trust mise config files in the workspace
+	session.SetupMiseTrust(mgr, containerWorkspacePath, func(msg string) {
+		fmt.Fprintf(os.Stderr, "%s\n", msg)
+	})
+
 	// Execute command directly (args are already the full command to run)
 	fmt.Fprintf(os.Stderr, "Executing: %s\n", strings.Join(args, " "))
 
diff --git a/internal/session/setup.go b/internal/session/setup.go
@@ -526,6 +526,10 @@ func Setup(opts SetupOptions) (*SetupResult, error) {
 		opts.Logger("Reusing existing workspace and mount configurations")
 	}
 
+	// 10.2 Auto-trust mise config files in the workspace so mise doesn't
+	// prompt or error when the workspace contains mise.toml / .tool-versions.
+	SetupMiseTrust(result.Manager, result.ContainerWorkspacePath, opts.Logger)
+
 	// 10.5 Set auto-context path for config-based tools (must happen before setupCLIConfig
 	// so the path is included in GetSandboxSettings output)
 	if opts.Tool != nil && config.BoolVal(opts.AutoContext) {
diff --git a/internal/session/setup_helpers.go b/internal/session/setup_helpers.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/mensfeld/code-on-incus/internal/config"
+	"github.com/mensfeld/code-on-incus/internal/container"
 )
 
 // isColimaOrLimaEnvironment detects if we're running inside a Colima or Lima VM
@@ -44,6 +45,24 @@ func buildJSONFromSettings(settings map[string]interface{}) (string, error) {
 	return string(jsonBytes), nil
 }
 
+// SetupMiseTrust configures MISE_TRUSTED_CONFIG_PATHS so mise automatically
+// trusts config files (mise.toml, .tool-versions, etc.) in the workspace.
+// The env var is written to both /etc/profile.d/ (login shells) and prepended
+// to /etc/bash.bashrc (non-login interactive shells, sourced before ~/.bashrc
+// where mise activates). Non-fatal: logs a warning on failure.
+func SetupMiseTrust(mgr *container.Manager, containerWorkspacePath string, logger func(string)) {
+	exportLine := fmt.Sprintf(`export MISE_TRUSTED_CONFIG_PATHS="%s"`, containerWorkspacePath)
+	trustCmd := fmt.Sprintf(
+		`printf '%%s\n' '%s' > /etc/profile.d/coi-mise-trust.sh && `+
+			`sed -i '/MISE_TRUSTED_CONFIG_PATHS/d' /etc/bash.bashrc && `+
+			`sed -i '1i %s' /etc/bash.bashrc`,
+		exportLine, exportLine,
+	)
+	if _, err := mgr.ExecCommand(trustCmd, container.ExecCommandOptions{Capture: true}); err != nil {
+		logger(fmt.Sprintf("Warning: Failed to configure mise workspace trust: %v", err))
+	}
+}
+
 // hasLimits checks if any limits are configured
 func hasLimits(cfg *config.LimitsConfig) bool {
 	if cfg == nil {
diff --git a/tests/run/run_mise_trust_workspace.py b/tests/run/run_mise_trust_workspace.py
@@ -0,0 +1,101 @@
+"""
+Test that MISE_TRUSTED_CONFIG_PATHS is set to the workspace path in container shells.
+
+The env var is written to both /etc/profile.d/coi-mise-trust.sh (login shells)
+and /etc/bash.bashrc (non-login interactive shells) during session setup,
+so mise automatically trusts config files in the workspace.
+"""
+
+import subprocess
+
+
+def test_mise_trust_env_login_shell(coi_binary, cleanup_containers, workspace_dir):
+    """
+    Test MISE_TRUSTED_CONFIG_PATHS is set in a login shell.
+
+    Login shells source /etc/profile.d/*.sh, where coi-mise-trust.sh sets the var.
+    """
+    result = subprocess.run(
+        [
+            coi_binary,
+            "run",
+            "--workspace",
+            workspace_dir,
+            "--",
+            "bash",
+            "-l",
+            "-c",
+            "echo TRUST_PATH=$MISE_TRUSTED_CONFIG_PATHS",
+        ],
+        capture_output=True,
+        text=True,
+        timeout=180,
+    )
+
+    assert result.returncode == 0, f"Run should succeed. stderr: {result.stderr}"
+
+    combined = result.stdout + result.stderr
+    assert "TRUST_PATH=/workspace" in combined, (
+        f"MISE_TRUSTED_CONFIG_PATHS should be /workspace in login shell. Got:\n{combined}"
+    )
+
+
+def test_mise_trust_env_nonlogin_shell(coi_binary, cleanup_containers, workspace_dir):
+    """
+    Test MISE_TRUSTED_CONFIG_PATHS is set in a non-login interactive shell.
+
+    Non-login shells source /etc/bash.bashrc (but NOT /etc/profile.d/),
+    where coi also injects the var so it's set before ~/.bashrc activates mise.
+    """
+    result = subprocess.run(
+        [
+            coi_binary,
+            "run",
+            "--workspace",
+            workspace_dir,
+            "--",
+            "bash",
+            "-c",
+            # Source /etc/bash.bashrc explicitly since bash -c is non-interactive
+            # and won't source it automatically. This mirrors what happens in
+            # interactive non-login shells (like tmux bash).
+            ". /etc/bash.bashrc 2>/dev/null; echo TRUST_PATH=$MISE_TRUSTED_CONFIG_PATHS",
+        ],
+        capture_output=True,
+        text=True,
+        timeout=180,
+    )
+
+    assert result.returncode == 0, f"Run should succeed. stderr: {result.stderr}"
+
+    combined = result.stdout + result.stderr
+    assert "TRUST_PATH=/workspace" in combined, (
+        f"MISE_TRUSTED_CONFIG_PATHS should be /workspace via bash.bashrc. Got:\n{combined}"
+    )
+
+
+def test_mise_trust_profile_d_file_exists(coi_binary, cleanup_containers, workspace_dir):
+    """
+    Test that /etc/profile.d/coi-mise-trust.sh is created with correct content.
+    """
+    result = subprocess.run(
+        [
+            coi_binary,
+            "run",
+            "--workspace",
+            workspace_dir,
+            "--",
+            "cat",
+            "/etc/profile.d/coi-mise-trust.sh",
+        ],
+        capture_output=True,
+        text=True,
+        timeout=180,
+    )
+
+    assert result.returncode == 0, f"File should exist. stderr: {result.stderr}"
+
+    combined = result.stdout + result.stderr
+    assert 'MISE_TRUSTED_CONFIG_PATHS="/workspace"' in combined, (
+        f"Profile.d file should contain the workspace path. Got:\n{combined}"
+    )
