
chore(ai): adopt apm install --root + apm compile --root (pin to fork, upstream #928) #716

Open

srid wants to merge 1 commit into master from chore/apm-root-flag

Conversation


@srid srid commented Apr 25, 2026

just ai::apm-sync used to rsync the whole worktree into a scratch directory, run install + compile inside it, then recursively diff every deploy dir against the live tree — all to catch post-install drift without mutating .claude/ while a Claude Code session was active in the same worktree (#468).

Two upstream apm improvements retire the entire scaffolding:

microsoft/apm#889 (merged) finally closes microsoft/apm#684 by wiring content-integrity hash verification into apm audit --ci. Every APM-managed file — everything under .claude/, .codex/, .agents/, .opencode/, plus opencode.json and MCP configs — is now checked against its lockfile-recorded hash. The recursive diff -r loop that re-installed into scratch and compared each deploy dir is redundant and goes away.

microsoft/apm#888 adds apm install --root <dir> and apm compile --root <dir>. Both commands redirect their writes (apm_modules/, apm.lock.yaml, .claude/, .codex/, .agents/, .opencode/, AGENTS.md, CLAUDE.md) into an arbitrary directory while sources continue resolving from $PWD. Together they collapse the entire scratch-staging dance into two flag invocations — no rsync, no cd, no symlinks. Upstream PR: microsoft/apm#928 (draft, pending maintainer review on a chdir-vs-refactor design call surfaced by Hickey/Lowy structural review).

Until #928 lands we pin apm_cmd to juspay/apm@feat/install-compile-root-flag — the same branch the upstream PR is built from. Once it merges, flip the pin back to microsoft/apm.

What's left in apm-sync

A single cp of apm.lock.yaml (so install resolves to the same commits as the live tree) plus the apm install --root + apm compile --root pair. That's it. The per-AGENTS.md diff loop stays because compile outputs aren't in the lockfile's deployed_files, so audit doesn't cover them.

agents/ai.just drops from 127 lines to 38 for the apm-related recipes (apm-sync went from ~60+ lines to ~16). All seven audit checks pass, every AGENTS.md output matches the live tree byte-for-byte.

Test plan

  • just ai::apm-sync green locally (all 7 audit checks pass + every AGENTS.md matches)
  • just ci green
  • Upstream microsoft/apm#928 merges → flip apm_cmd pin back to microsoft/apm

🤖 Generated with Claude Code

Rewrite `just ai::apm-sync` around two upstream apm improvements:

* microsoft/apm#889 (merged) wires content-integrity hash verification
  into `apm audit --ci` — every APM-managed file (`.claude/`, `.codex/`,
  `.agents/`, `.opencode/`, `opencode.json`, MCP configs) is now
  checked against the lockfile's recorded hashes.  The recursive
  `diff -r` loop that re-installed into scratch and compared each
  deploy dir is redundant and goes away.

* microsoft/apm#888 (`apm install --root`) replaces the rsync-the-
  worktree-into-scratch dance with a single flag.  The scratch
  staging that remains is purely for the `apm compile` leg — apm's
  distributed compiler scans the project tree to score AGENTS.md
  placement, so the scratch needs the source file inventory.  It
  drops to an `rsync -aH` with one set of excludes (down from ~20
  lines of setup + 25 lines of diff gates).

* Staged on juspay/apm@feat/install-compile-root-flag until #888 lands
  in microsoft/apm — revert the `apm_cmd` pin once that happens.

Net: the recipe trims from 127 lines to 51; all seven audit checks
pass, and the per-AGENTS.md diff loop still catches compile-output
drift that audit can't (AGENTS.md files aren't lockfile-tracked).
srid force-pushed the chore/apm-root-flag branch from 97e5e8b to ddf3a08 on April 25, 2026 02:09
srid changed the title from "chore(ai): adopt apm install --root + drop scratch-diff hack" to "chore(ai): adopt apm install --root + apm compile --root (pin to fork, upstream #928)" on Apr 25, 2026

srid commented Apr 25, 2026

Future simplification path

Traced what else upstream has cooking for apm-sync-style verification. Three tiers:

Once microsoft/apm#842 lands (open; adds apm compile --check, read-only drift verification with exit code 1 on drift):

apm audit --ci && apm compile --check --target codex,opencode

That kills the scratch dir entirely — no mktemp, no cp apm.lock.yaml, no install --root, no compile --root, no AGENTS.md diff loop. agents/ai.just's apm-sync recipe collapses to those two commands.

Once microsoft/apm#898 Epic also lands (per-asset lockfile granularity + apm audit --drift alias + dependency-closure policy): skill bundle internals (e.g. hand-edits inside .claude/skills/do/assets/…) become visible to audit --ci too. Already-covered surfaces stay covered; this just plugs an existing hole. No change to the apm-sync recipe — it simply becomes stronger.

The still-missing piece, even after both land — compile outputs (AGENTS.md, distributed AGENTS.md under packages/**, CLAUDE.md) are not lockfile-tracked, so apm audit --ci never sees them. The Epic's "producer-produced map" names install/pack/audit/manifest-resolution as producers; compile is deliberately absent from the audit scope. That's why kolu will always need the second verb (compile --check) alongside audit unless audit grows a compile-drift lane of its own (compile writes per-file hashes into the lockfile → audit walks them → one command verifies everything).

The one upstreamable ask left is that audit-extension. Small issue, clean framing ("after #842 the only thing stopping apm audit --ci from being the sole verification verb is compile-outputs aren't in the lockfile — close the loop"). Not blocking this PR, but worth filing once #842 / #898 settle so the roadmap stays visible. Track as follow-up.

For now the shipped state here (apm audit --ci + apm install --root + apm compile --root + the AGENTS.md diff loop) is correct, tested, and structurally the best we can do with what upstream ships today.
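A stand-alone shell version of the AGENTS.md drift gate that both comments above keep (the per-AGENTS.md diff loop, kept because compile outputs are not in the lockfile and so never seen by `apm audit --ci`). This is an added example, not kolu's `just` recipe and not apm's code. It assumes `$stage` is the directory that `apm compile --root "$stage"` wrote into, that `$live` is the worktree, and that the compile outputs to compare are the AGENTS.md and CLAUDE.md files at any depth; the two trees built by `demo_drift` are constructed here for illustration.

```shell
#!/bin/sh
# Added illustration, not code from the PR, kolu, or apm: a stand-alone
# version of the per-AGENTS.md drift gate kept because compile outputs
# are not lockfile-tracked.  Assumptions: $stage holds the tree produced
# by `apm compile --root "$stage"`, $live is the worktree, and compile
# outputs are the AGENTS.md / CLAUDE.md files at any depth.
set -u

# compile_drift STAGE LIVE
# Returns 0 when every compile output in STAGE matches LIVE byte-for-byte,
# 1 when any is missing from LIVE or differs (each one is named on stdout).
compile_drift() {
  stage=$1
  live=$2
  rc=0
  list=$(mktemp)
  # Enumerate outputs from the staged side so a file that compile now
  # produces but the live tree lacks is reported, not silently skipped.
  (cd "$stage" && find . -type f \( -name AGENTS.md -o -name CLAUDE.md \) | sort) > "$list"
  while IFS= read -r f; do
    rel=${f#./}
    if [ ! -f "$live/$rel" ]; then
      echo "MISSING  $rel"
      rc=1
    elif cmp -s "$stage/$rel" "$live/$rel"; then
      echo "ok       $rel"
    else
      echo "DRIFT    $rel"
      diff -u "$live/$rel" "$stage/$rel" | head -n 20
      rc=1
    fi
  done < "$list"
  rm -f "$list"
  return "$rc"
}

# demo_drift: builds two constructed trees (sample data, not real output)
# and exercises both outcomes.  Returns 0 only if a matching tree passes
# and a hand-edited live copy fails.
demo_drift() {
  t=$(mktemp -d)
  mkdir -p "$t/live/packages/foo" "$t/stage/packages/foo"
  for side in live stage; do
    printf '# root agents\n' > "$t/$side/AGENTS.md"
    printf '# foo agents\n' > "$t/$side/packages/foo/AGENTS.md"
  done
  compile_drift "$t/stage" "$t/live" || { rm -rf "$t"; return 1; }
  # Simulate a hand edit to the live copy that a fresh compile would overwrite.
  printf '# foo agents (hand-edited)\n' > "$t/live/packages/foo/AGENTS.md"
  if compile_drift "$t/stage" "$t/live"; then rm -rf "$t"; return 1; fi
  rm -rf "$t"
  return 0
}

if [ "${1:-}" = "demo" ]; then
  demo_drift && echo "drift gate behaves as expected"
fi
```

Run it as `sh drift.sh demo` to see both outcomes. In a recipe the call would be `compile_drift "$stage" .` right after the `apm compile --root "$stage"` step, with the nonzero exit failing the gate; the `apm audit --ci` leg stays as-is, since this only covers the files audit does not track.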


Development

Successfully merging this pull request may close these issues.

audit --ci: verify deployed file content, not just existence
