feat(mise): apply security mitigation checklist

.chezmoiscripts/run_after_05-mise-trust.sh.tmpl

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+{{ if eq .chezmoi.os "windows" }}
+exit 0
+{{ else }}
+
+command -v mise >/dev/null 2>&1 || exit 0
+
+mise_config="${XDG_CONFIG_HOME:-$HOME/.config}/mise/config.toml"
+if [[ -f "$mise_config" ]]; then
+  mise trust -y "$mise_config" >/dev/null 2>&1 || true
+fi
+
+repo_mise="{{ .chezmoi.sourceDir }}/.mise.toml"
+if [[ -f "$repo_mise" ]]; then
+  mise trust -y "$repo_mise" >/dev/null 2>&1 || true
+fi
+
+{{ end }}

.github/workflows/pre-commit.yml

@@ -15,4 +15,11 @@ jobs:
         with:
           python-version: "3.12"
 
+      - uses: actions/setup-node@v5
+        with:
+          node-version: "20"
+
+      - name: Install prettier for system hook
+        run: npm install -g prettier@3.1.0
+
       - uses: pre-commit/action@v3.0.1

.mise.toml

@@ -1,3 +1,5 @@
+# Repo-local QA toolchain. Refresh lockfile after version bumps: mise lock
+# Lock enforcement: qa.just uses `mise exec --locked` (see mise-security skill).
 [tools]
 shellcheck = "0.11.0"
 shfmt = "3.12.0"

.pre-commit-config.yaml

@@ -9,8 +9,12 @@ repos:
         args: [--markdown-linebreak-ext=md]
         files: \.md$
 
-  - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.1.0
+  # System prettier avoids npm install during hook setup (Workiva npm registry
+  # in ~/.wk/config/npm.toml breaks mirrors-prettier node hooks locally).
+  - repo: local
     hooks:
       - id: prettier
+        name: prettier (markdown)
+        entry: prettier --write --ignore-unknown
+        language: system
         types_or: [markdown]

Documents/PowerShell/Microsoft.PowerShell_profile.ps1.tmpl

@@ -14,6 +14,10 @@ if (-not $miseExe -and (Test-Path -LiteralPath $miseFallback)) {
 }
 
 if ($miseExe) {
+    if (-not $env:MISE_PARANOID) { $env:MISE_PARANOID = "1" }
+    if (-not $env:MISE_CEILING_PATHS) { $env:MISE_CEILING_PATHS = $HOME }
+    if (-not $env:MISE_EXPERIMENTAL) { $env:MISE_EXPERIMENTAL = "0" }
+
     $miseBin = Split-Path -Parent $miseExe
     if (-not (($env:PATH -split ';') -contains $miseBin)) {
         $env:PATH = "$miseBin;$env:PATH"

Documents/WindowsPowerShell/Microsoft.PowerShell_profile.ps1.tmpl

@@ -14,6 +14,10 @@ if (-not $miseExe -and (Test-Path -LiteralPath $miseFallback)) {
 }
 
 if ($miseExe) {
+    if (-not $env:MISE_PARANOID) { $env:MISE_PARANOID = "1" }
+    if (-not $env:MISE_CEILING_PATHS) { $env:MISE_CEILING_PATHS = $HOME }
+    if (-not $env:MISE_EXPERIMENTAL) { $env:MISE_EXPERIMENTAL = "0" }
+
     $miseBin = Split-Path -Parent $miseExe
     if (-not (($env:PATH -split ';') -contains $miseBin)) {
         $env:PATH = "$miseBin;$env:PATH"

OneDrive/Documents/PowerShell/Microsoft.PowerShell_profile.ps1.tmpl

@@ -14,6 +14,10 @@ if (-not $miseExe -and (Test-Path -LiteralPath $miseFallback)) {
 }
 
 if ($miseExe) {
+    if (-not $env:MISE_PARANOID) { $env:MISE_PARANOID = "1" }
+    if (-not $env:MISE_CEILING_PATHS) { $env:MISE_CEILING_PATHS = $HOME }
+    if (-not $env:MISE_EXPERIMENTAL) { $env:MISE_EXPERIMENTAL = "0" }
+
     $miseBin = Split-Path -Parent $miseExe
     if (-not (($env:PATH -split ';') -contains $miseBin)) {
         $env:PATH = "$miseBin;$env:PATH"

OneDrive/Documents/WindowsPowerShell/Microsoft.PowerShell_profile.ps1.tmpl

@@ -14,6 +14,10 @@ if (-not $miseExe -and (Test-Path -LiteralPath $miseFallback)) {
 }
 
 if ($miseExe) {
+    if (-not $env:MISE_PARANOID) { $env:MISE_PARANOID = "1" }
+    if (-not $env:MISE_CEILING_PATHS) { $env:MISE_CEILING_PATHS = $HOME }
+    if (-not $env:MISE_EXPERIMENTAL) { $env:MISE_EXPERIMENTAL = "0" }
+
     $miseBin = Split-Path -Parent $miseExe
     if (-not (($env:PATH -split ';') -contains $miseBin)) {
         $env:PATH = "$miseBin;$env:PATH"

docs/repo-maintenance.md

@@ -73,6 +73,12 @@ Install QA tools with mise in this repo:
 mise install
 ```
 
+Lockfiles (`mise.lock`) pin exact binary hashes for QA and global tools. After
+bumping a tool version, run `mise lock` (or `mise lock --global`) and commit the
+lockfile. QA recipes pass `--locked` to `mise exec`. Global mise security
+settings (paranoid mode, ceiling paths, disabled asdf backend) are managed by
+chezmoi — see `~/.agents/skills/mise-security/SKILL.md`.
+
 Run internal QA recipes via `qa.just`:
 
 ```bash

dot_agents/skills/mise-security/SKILL.md

@@ -0,0 +1,70 @@
+---
+name: mise-security
+description: >-
+  Security mitigation checklist for mise: supply-chain backends, paranoid trust,
+  ceiling paths, lockfiles, secrets handling, and CI hardening. Use when adding
+  mise tools, trusting a new mise.toml, or reviewing mise configuration in this
+  dotfiles repo or project checkouts.
+---
+
+# mise security mitigation checklist
+
+These settings are applied globally via chezmoi (`~/.config/mise/config.toml`,
+`~/.config/chezmoi/profile.d/mise-security.sh`) and in this repo's `.mise.toml`.
+
+## Supply chain
+
+| Action                                                                         | Status here                   |
+| ------------------------------------------------------------------------------ | ----------------------------- |
+| **Disable legacy backends** — `disable_backends = ["asdf"]` in global config   | Applied                       |
+| **Prefer verified backends** — use `aqua:`, `vfox:`, or `cargo:` when possible | Documented; QA tools use aqua |
+
+## Configuration
+
+| Action                                                                                                                             | Status here          |
+| ---------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| **Paranoid mode** — `MISE_PARANOID=1` before `mise activate`                                                                       | Applied in profile.d |
+| **Directory ceilings** — `MISE_CEILING_PATHS="$HOME"`                                                                              | Applied in profile.d |
+| **Trusted dotfiles source** — chezmoi source in `trusted_config_paths`; `chezmoi apply` runs `mise trust` on global + repo configs | Applied              |
+
+Before running `mise trust` on a **new** repository, manually inspect `[tasks]`
+and `[env]` in its `mise.toml` (and any `_.file` includes).
+
+## Reproducibility
+
+| Action                                                 | Status here                                                                       |
+| ------------------------------------------------------ | --------------------------------------------------------------------------------- |
+| **Enforce lockfiles** — `mise lock` pins binary hashes | Global `~/.config/mise/mise.lock`; repo `mise.lock`; QA uses `mise exec --locked` |
+
+After bumping a tool version:
+
+```bash
+mise lock --global    # ~/.config/mise
+mise lock             # chezmoi source (QA tools)
+```
+
+Commit updated lockfiles with the version bump.
+
+## Secrets management
+
+| Action                      | Guidance                                                                                                                            |
+| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| **Programmatic first**      | Fetch infra secrets at runtime via centralized managers (AWS Secrets Manager, Vault, etc.) in shell hooks — not committed env files |
+| **Encrypted local storage** | For local-only overrides, encrypt at rest with SOPS + age; reference via `_.file` in `mise.toml`                                    |
+
+## CI/CD hardening
+
+| Action                                                    | Status here                                                                       |
+| --------------------------------------------------------- | --------------------------------------------------------------------------------- |
+| **Disable experimental features** — `MISE_EXPERIMENTAL=0` | Applied in profile.d (default); override only when testing unstable mise features |
+
+In CI scripts that invoke mise, export the same vars or pass
+`mise exec --locked`.
+
+## Quick verification
+
+```bash
+mise settings disable_backends   # expect: ["asdf"]
+echo "$MISE_PARANOID $MISE_CEILING_PATHS $MISE_EXPERIMENTAL"
+mise exec --locked -- shellcheck --version   # from chezmoi source
+```

dot_config/chezmoi/profile.d/mise-security.sh.tmpl

@@ -0,0 +1,7 @@
+# mise security env — loaded before `mise activate` in dot_bash_profile / dot_zshrc.
+# See ~/.agents/skills/mise-security/SKILL.md
+{{- if ne .chezmoi.os "windows" }}
+export MISE_PARANOID="${MISE_PARANOID:-1}"
+export MISE_CEILING_PATHS="${MISE_CEILING_PATHS:-$HOME}"
+export MISE_EXPERIMENTAL="${MISE_EXPERIMENTAL:-0}"
+{{- end }}

dot_config/mise/config.toml.tmpl

@@ -0,0 +1,15 @@
+# mise global config — security posture in ~/.agents/skills/mise-security/SKILL.md
+#
+# Supply chain: block legacy asdf shell-script backends; prefer aqua, vfox, or
+# cargo (checksums / attestations) when adding tools.
+[settings]
+disable_backends = ["asdf"]
+# Dotfiles chezmoi source: repo-local QA .mise.toml (no tasks/env); auto-trusted under paranoid mode.
+trusted_config_paths = [
+  "{{ if hasPrefix .chezmoi.homeDir .chezmoi.sourceDir }}{{ replace .chezmoi.homeDir "~" .chezmoi.sourceDir }}{{ else }}{{ .chezmoi.sourceDir }}{{ end }}",
+]
+
+# Reproducibility: refresh after version bumps with `mise lock --global`.
+[tools]
+bun = "1.3.13"
+python = "3.13.0"