[docs] Update documentation for features from 2026-05-14 #1315
Closed
danielmeppiel wants to merge 1 commit into
Add the manifest-missing check to baseline-checks.md (at-a-glance table, dedicated section, run-order paragraph) and update the check list in concepts/lifecycle.md.

The check was introduced in PR #1255 but shipped without docs. It detects a deleted apm.yml when APM artifacts (.apm/, apm.lock.yaml, or legacy apm.lock) are still present -- advisory warning in normal mode, hard failure in CI mode (apm audit --ci).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
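The trigger condition and the CI versus non-CI outcome described in the commit message above, as an added Python sketch. It is not the project's `ci_checks.py`; `CheckResult`, `check_manifest_missing`, `exit_code` and the directory trees built in `demo` are hypothetical and constructed for illustration.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Artifact names come from the PR text; every other name here is hypothetical.
APM_ARTIFACTS = (".apm", "apm.lock.yaml", "apm.lock")


@dataclass
class CheckResult:
    name: str
    passed: bool
    message: str


def check_manifest_missing(root: Path, ci: bool) -> Optional[CheckResult]:
    """Return None when the check does not apply, otherwise its result."""
    if (root / "apm.yml").exists():
        return None  # manifest present: nothing to report
    leftovers = [n for n in APM_ARTIFACTS if (root / n).exists()]
    if not leftovers:
        return None  # no manifest and no artifacts: not an APM project
    msg = "apm.yml is missing but APM artifacts remain: " + ", ".join(leftovers)
    # Advisory outside CI (recorded as passed, with a warning); failure with --ci.
    return CheckResult("manifest-missing", passed=not ci, message=msg)


def exit_code(root: Path, ci: bool) -> int:
    result = check_manifest_missing(root, ci)
    return 1 if result is not None and not result.passed else 0


def demo() -> dict:
    """Build three constructed project trees and return each exit code."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        intact, stripped, empty = (Path(tmp, n) for n in ("intact", "stripped", "empty"))
        for d in (intact, stripped, empty):
            d.mkdir()
        (intact / "apm.yml").write_text("name: demo\n")
        (intact / "apm.lock.yaml").write_text("{}\n")
        (stripped / ".apm").mkdir()                  # manifest deleted,
        (stripped / "apm.lock").write_text("{}\n")   # legacy lockfile left behind
        for d in (intact, stripped, empty):
            out[d.name] = (exit_code(d, ci=False), exit_code(d, ci=True))
    return out
```

`demo()` maps each tree to `(local exit code, CI exit code)`; only the tree with artifacts and no `apm.yml` fails, and only in CI mode.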
Pull request overview
This PR updates the Starlight docs to reflect the recently introduced manifest-missing baseline CI check and to correct the baseline-check list shown in the lifecycle documentation for apm audit --ci.
Changes:
- Added `manifest-missing` to the baseline checks reference (table, dedicated section, and run-order paragraph).
- Updated the lifecycle “CI mode” checklist to include the conditional `manifest-parse` and `manifest-missing` checks.
| File | Description |
|---|---|
| docs/src/content/docs/reference/baseline-checks.md | Documents the new manifest-missing baseline check and updates the stated baseline check run order. |
| docs/src/content/docs/concepts/lifecycle.md | Updates the apm audit --ci baseline-check list to include manifest-parse and manifest-missing. |
Copilot's findings
Comments suppressed due to low confidence (2)
docs/src/content/docs/reference/baseline-checks.md:65
- The non-CI behavior is described inconsistently: the "Fails when" bullet says it "passes with a warning message", but the "Effect" bullet says it records a pass with an informational message. Please align these to the actual behavior (it sets passed=True outside --ci and surfaces an advisory message).
- **Fails when.** `apm.yml` is absent **and** at least one of `.apm/`, `apm.lock.yaml`, or `apm.lock` is present **and** the audit is running in CI mode (`apm audit --ci`). Outside CI mode the check is advisory (passes with a warning message).
- **Effect.** In CI mode (`--ci`), exits `1` and stops further checks. In non-CI mode, records the check as passed with an informational message.
docs/src/content/docs/reference/baseline-checks.md:130
- The documented run order lists manifest-missing before lockfile-exists, but in run_baseline_checks the lockfile-exists check is appended first, and manifest-missing is only appended later in the early-return branch when apm.yml is missing and artifacts exist. Please update this sentence so the order and conditional path match the implementation.
The aggregate runner in `run_baseline_checks` evaluates checks in this order: `manifest-parse` (only when `apm.yml` is unparseable), `manifest-missing` (only when `apm.yml` is absent but APM artifacts exist), `lockfile-exists`, `ref-consistency`, `deployed-files-present`, `no-orphaned-packages`, `skill-subset-consistency`, `config-consistency`, `content-integrity`, `includes-consent`. Drift is invoked separately by the audit command after the baseline batch.
- Files reviewed: 2/2 changed files
- Comments generated: 2
|
|
||
| ### `manifest-missing` | ||
|
|
||
| - **What it verifies.** That `apm.yml` is not absent while APM artifacts still exist on disk. Absent artifacts (`.apm/` directory, `apm.lock.yaml`, or the legacy `apm.lock`) with no `apm.yml` are evidence that the manifest may have been deleted to bypass policy and baseline enforcement. |
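Review bot: In the "What it verifies" bullet, the second sentence opens with "Absent artifacts", which reads as though the artifacts are the thing that is missing; per the rest of the section the check fires when `.apm/`, `apm.lock.yaml`, or `apm.lock` is present and `apm.yml` is not. Suggest "Leftover artifacts (...) with no `apm.yml` are evidence that ...". The first sentence's "is not absent while" is also a double negative; "That `apm.yml` exists whenever APM artifacts exist on disk" states the same condition more directly.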
| **Local mode** (`apm audit`, optionally with `--strip` or `--file <path>`) scans installed primitives -- or any file you point at -- for hidden Unicode and reports findings as text, JSON, SARIF, or markdown. With `--strip`, it removes hidden characters in place, preserving emoji and whitespace. Use `--dry-run` to preview the strip. | ||
|
|
||
| **CI mode** (`apm audit --ci`) runs the eight baseline consistency checks in order: `lockfile-exists`, `ref-consistency`, `deployed-files-present`, `no-orphaned-packages`, `skill-subset-consistency`, `config-consistency`, `content-integrity`, and `includes-consent`. After those pass, it performs an install-replay drift check. APM rebuilds the deployed context in a scratch directory and diffs it against your working tree, catching hand-edits to `apm_modules/` or generated files before they ship. Pass `--no-drift` to skip the replay in performance-constrained loops; pass `--no-fail-fast` to run all checks even after a failure. With `--policy <source>` it also evaluates org policy against the lockfile. | ||
| **CI mode** (`apm audit --ci`) runs the baseline consistency checks in order: `manifest-parse` (only when `apm.yml` is unparseable), `manifest-missing` (only when `apm.yml` is absent but APM artifacts exist), `lockfile-exists`, `ref-consistency`, `deployed-files-present`, `no-orphaned-packages`, `skill-subset-consistency`, `config-consistency`, `content-integrity`, and `includes-consent`. After those pass, it performs an install-replay drift check. APM rebuilds the deployed context in a scratch directory and diffs it against your working tree, catching hand-edits to `apm_modules/` or generated files before they ship. Pass `--no-drift` to skip the replay in performance-constrained loops; pass `--no-fail-fast` to run all checks even after a failure. With `--policy <source>` it also evaluates org policy against the lockfile. |
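Review bot: The replacement sentence says the checks run "in order" with `manifest-missing` ahead of `lockfile-exists`, which is the same ordering the suppressed finding on baseline-checks.md:130 reports as not matching `run_baseline_checks`; confirm the order against the implementation and keep both pages consistent. "After those pass" also treats the two conditional checks like the rest of the list, while baseline-checks.md says a CI-mode `manifest-missing` failure exits `1` and stops further checks, so it would help to say that here and to state whether `--no-fail-fast` applies to it.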
Documentation Updates - 2026-05-14
This PR updates the documentation based on features merged in the last 24 hours.

Features Documented
- `manifest-missing` baseline CI check (from fix: warn when apm.yml is missing but APM artifacts exist (closes #1056) #1255)

Changes Made
- `docs/src/content/docs/reference/baseline-checks.md`:
  - `manifest-missing` row to the "At a glance" table
  - `### manifest-missing` section describing what it verifies, when it fails, its effect, and remediation steps
  - `manifest-missing`
- `docs/src/content/docs/concepts/lifecycle.md`:
  - `manifest-parse` and `manifest-missing` (previously the list started at `lockfile-exists` and omitted both conditional checks)

Merged PRs Referenced
- fix: warn when apm.yml is missing but APM artifacts exist -- introduced the `manifest-missing` check in `ci_checks.py` and `models.py` without a corresponding docs update
- `dependencies.require/deny` with `extends: org` (bug fix, no user-facing docs needed)
- `enforce-in-ci.md`, `drift-detection.md`, `ci-cd.md`)

Notes
The `manifest-missing` check is advisory (passes with a warning) in non-CI mode and a hard failure in CI mode (`apm audit --ci`). It is triggered when `apm.yml` is absent but `.apm/`, `apm.lock.yaml`, or the legacy `apm.lock` file is present -- evidence that the manifest may have been deleted to bypass policy enforcement.

Note
🔒 Integrity filter blocked 2 items
The following items were blocked because they don't meet the GitHub integrity level.
- search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
- search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower `min-integrity` in your GitHub frontmatter: