fix(compile): discover local-bundle instructions in apm_modules/

[danielmeppiel]

Fixes #1363

WHY

Closes the narrowed sub-issue of #1363. The other two sub-issues are already fixed by #1336 and #1207; this PR fixes the third.

apm install <local-bundle> -t opencode|codex|gemini stages bundle instructions under apm_modules/<slug>/.apm/instructions/ (src/apm_cli/install/services.py:660) but apm compile never discovers them. Root cause: scan_dependency_primitives (src/apm_cli/primitives/discovery.py:196-220) only visits paths returned by get_dependency_declaration_order(), which reads from apm.yml dependencies: + apm.lock.yaml dependencies[]. Local bundles intentionally do NOT mutate apm.yml (documented contract at services.py:489-490), so a local-bundle install leaves apm.lock.yaml dependencies: [] and the staged file is invisible to compile.

Result before fix: Compilation completed but produced no output files, no AGENTS.md / GEMINI.md.

WHAT

Extend get_dependency_declaration_order to also derive bundle slugs from the existing local_deployed_files top-level lockfile field (written by local_bundle_handler.py:194-199). For every entry matching apm_modules/<slug>/.apm/..., append <slug> to the dependency declaration order if it isn't already present. Slugs are deduplicated and sorted alphabetically for deterministic output. Registry/declared dependencies still win on name collision (they are appended first).

Design + alternatives considered

Three options were evaluated (full design synthesis in the session plan):

Option	Verdict
A. Auto-register local bundles in apm.lock.yaml dependencies[]	Rejected. python-architect flagged it would ripple into repo_url/get_install_path plumbing and the lockfile schema (source: local, integrity model). Breaks the "does NOT mutate apm.yml" contract at services.py:489-490.
B. Broad filesystem walk of apm_modules/	Rejected. supply-chain-security-expert flagged this destroys cleanup provenance and enables phantom-injection (any directory dropped into apm_modules/ becomes a compile input with no lockfile attestation).
C (chosen). Derive slugs from existing local_deployed_files lockfile field	Accepted. Reuses the lockfile attestation that already exists for apm uninstall. No schema change. apm uninstall already removes those entries, so discovery self-heals. Cannot be spoofed by raw apm_modules/ writes — a lockfile record is required.

Validation evidence

Tests (all green)

• 6 new unit tests in TestLocalBundleStagedSlugs cover: staged slug appended, no-lockfile -> no slug (phantom-injection defense), declared dep wins on collision, deterministic ordering across multiple bundles, non-apm_modules paths ignored, non-instructions/ subdirs (e.g. context/) also recognized.
• 3 new E2E parametrized tests in TestLocalBundleCompileRoundTrip[opencode|codex|gemini] exercise the full install -> compile flow and assert the target's output file contains the staged instruction marker.
• Full unit suite: 8739 passed, 1 skipped (uv run --extra dev pytest tests/unit -x).
• Lint pair silent: uv run --extra dev ruff check src/ tests/ && uv run --extra dev ruff format --check src/ tests/.

Empirical repro (issue scenario, now passes)

Built a real plugin bundle with one pep8.instructions.md, installed via apm install <bundle.tar.gz> -t opencode, then apm compile:

===== STEP 1: apm install /tmp/apm-1363-repro/bundle.tar.gz -t opencode =====
[>] Installing local bundle from /tmp/apm-1363-repro/bundle.tar.gz
[*] Installed 1 file(s) from local bundle
[!] Bundle staged 1 instruction(s) for compile (target: opencode). Run 'apm compile' to merge them into AGENTS.md /
GEMINI.md / equivalent.

===== Lockfile (local_deployed_files block) =====
local_deployed_files:
- apm_modules/bundle-1363-repro/.apm/instructions/pep8.instructions.md

===== Staged files on disk =====
apm_modules/bundle-1363-repro/.apm/instructions/pep8.instructions.md

===== STEP 2: apm compile =====
  Pattern         Source                 Coverage     Placement
  **/*.py         pep8.instructions.md   0/1          ./AGENTS.md

Generated 1 AGENTS.md file
[+] Compilation completed successfully!

===== STEP 3: produced AGENTS.md =====
# AGENTS.md
<!-- Generated by APM CLI from distributed .apm/ primitives -->
<!-- Source: dependency:bundle-1363-repro -->

## Files matching `**/*.py`

<!-- Source: dependency:bundle-1363-repro apm_modules/bundle-1363-repro/.apm/instructions/pep8.instructions.md -->
# Style
Follow PEP8 (REPRO-MARKER-issue-1363).

Before the fix the same flow ended at Compilation completed but produced no output files with no AGENTS.md written.

Out of scope

• Discovery still requires the canonical *.instructions.md filename (matches existing convention in discovery.py:33-35). A bundle that ships raw .md files in an instructions/ directory is staged byte-for-byte but is invisible to compile; that's a separate validation gap from this fix's scope.
• The other two [BUG] apm install #1363 sub-issues (already fixed by fix: respect targets: whitelist for all runtimes during MCP install #1336 and [BUG] apm pack -> install #1207) are not re-addressed here.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Fixes apm compile failing to discover primitives staged by apm install <local-bundle> ... under apm_modules/<slug>/.apm/... by deriving bundle slugs from lockfile provenance (local_deployed_files).

Changes:

• Extend dependency declaration order discovery to append local-bundle slugs sourced from apm.lock.yaml local_deployed_files.
• Add unit tests covering slug derivation behavior (including provenance gating and deterministic ordering).
• Add integration tests validating install→compile round-trip for compile-only targets (opencode/codex/gemini).

Show a summary per file

File	Description
src/apm_cli/primitives/discovery.py	Appends local-bundle slugs from local_deployed_files to the discovery scan list.
tests/unit/primitives/test_discovery_parser.py	Adds focused unit/regression tests for local-bundle slug derivation and provenance rules.
tests/integration/test_install_local_bundle_e2e.py	Adds E2E regression tests verifying local-bundle staged instructions produce compile outputs across targets.

Copilot's findings

• Files reviewed: 3/3 changed files
• Comments generated: 4

[danielmeppiel]

Addressed in e084a6a — discovery now reads the lockfile once (LockFile.read on the resolved path with legacy fallback) and reuses the parsed LockFile for both the transitive-paths walk (lock.get_installed_paths) and the local_deployed_files slug derivation. Eliminates the duplicate YAML parse.

[danielmeppiel]

Addressed in e084a6a — cwd is now pinned explicitly via monkeypatch.chdir(project) immediately before runner.invoke(["compile", ...]), so the E2E no longer depends on _invoke_install's side-effect.

[danielmeppiel]

Addressed in e084a6a — same fix as above (monkeypatch.chdir(project) before runner.invoke(["compile", ...])).

[danielmeppiel]

Addressed in e084a6a — assertion tightened to (a) assert real-bundle is present and (b) assert specific phantom slugs derived from the non-apm_modules entries (style, .github, coding, .agents) are absent, without forbidding unrelated dependency entries from coexisting.