[BUG] Reject schema-invalid manifest identity and policy keys at their parser boundaries#2143
Open
danielmeppiel wants to merge 3 commits into
Open
[BUG] Reject schema-invalid manifest identity and policy keys at their parser boundaries#2143danielmeppiel wants to merge 3 commits into
danielmeppiel wants to merge 3 commits into
Conversation
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Tightens validation at the native parser boundaries for apm.yml manifest identity and apm-policy.yml policy schema types, and threads unknown-key warnings through policy discovery, caching, and apm policy status output so they remain visible in both JSON and table renderers.
Changes:
- Enforce non-empty string
name/versioninAPMPackage.from_apm_yml. - Extend
validate_policyto reject wrong-typed YAML containers/items while keeping unknown top-level keys as warnings. - Preserve and persist policy warnings through discovery + cache and surface them in
apm policy statusoutput; add regression tests and docs/changelog guidance.
Show a summary per file
| File | Description |
|---|---|
src/apm_cli/models/apm_package.py |
Rejects empty / non-string manifest identity fields early in from_apm_yml. |
src/apm_cli/policy/parser.py |
Adds schema-type validation (mappings/lists/items) and preserves unknown-key warnings even when raising validation errors. |
src/apm_cli/policy/discovery.py |
Carries warnings through fetch/discovery/cache paths and bumps cache schema version for metadata changes. |
src/apm_cli/commands/policy.py |
Includes warnings in the status report and renders them in table output. |
tests/test_apm_package_models.py |
Adds regression coverage for invalid manifest identity field types/empties. |
tests/unit/policy/test_parser.py |
Adds regression coverage for typo warnings + wrong-typed native YAML values being diagnosed. |
tests/unit/policy/test_discovery.py |
Adds regression coverage that warnings survive a cache round-trip. |
tests/unit/commands/test_policy_status.py |
Adds regression coverage that status JSON surfaces/preserves warnings on both valid and malformed policies. |
docs/src/content/docs/reference/policy-schema.md |
Documents warning surfacing in --json and the new “wrong native type => error” behavior. |
docs/src/content/docs/concepts/package-anatomy.md |
Documents that name/version must be non-empty strings and numeric versions should be quoted. |
packages/apm-guide/.apm/skills/apm-usage/package-authoring.md |
Updates packaged usage guide to reflect stricter manifest identity requirements. |
packages/apm-guide/.apm/skills/apm-usage/governance.md |
Updates packaged governance guidance on unknown-key warnings vs wrong-typed known fields. |
CHANGELOG.md |
Adds an Unreleased entry with migration guidance for the tightened validation. |
Review details
- Files reviewed: 13/13 changed files
- Comments generated: 2
- Review effort level: Low
Comment on lines
1517
to
1519
| chain_refs=meta.get("chain_refs", [repo_ref]), | ||
| warnings=meta.get("warnings", []), | ||
| fingerprint=meta.get("fingerprint", ""), |
Comment on lines
+12
to
+14
| - Manifest and policy parsers now reject wrong-typed native schema values and | ||
| report unknown policy keys. Migration: quote numeric `apm.yml` versions, use | ||
| non-empty string identities, and use mappings/lists for policy blocks. (closes #2137) |
The stricter APMPackage.from_apm_yml identity validation (this PR) is the correct authority for audit/policy surfaces, but it leaked into the deps list/info display helpers: a manifest that merely empties 'version' now raised, collapsing the graceful '@unknown' render into an alarming '@error' that masks the package. Add a shared _tolerant_identity fallback so the display surface stays lenient (empty/missing version -> unknown) while genuinely unparsable YAML still reports error. Make deps info symmetric with deps list and cover both with regressions. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
apm-spec-waiver: Tightens existing manifest-identity and policy-key validation at their native parser boundaries; enforces existing schema semantics with no new OpenAPM artifact or wire behavior. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix(validation): reject schema-invalid manifest and policy inputs
TL;DR
Reject invalid
apm.ymlidentity values and wrong-typedapm-policy.ymlvalues at their native parser boundaries. Preserve unknown-policy-key warnings through discovery, malformed results, cache round trips, andapm policy statusJSON/table output.Note
This intentionally tightens accepted input. The CHANGELOG includes migration guidance.
Problem (WHY)
Fixes #2137.
apm audit --ciexited 0 whennamewas empty/list-valued orversionwas an integer.apm policy status --checksilently defaultedcache: []anddependencies.allow: "".Approach (WHAT)
nameandversioninAPMPackage.from_apm_yml.validate_policy.Implementation (HOW)
src/apm_cli/models/apm_package.pyvalidates required identity values before parsing the rest of the manifest.src/apm_cli/policy/parser.pydiagnoses unknown keys and rejects wrong native YAML container/item types.src/apm_cli/policy/discovery.pypreserves warnings across local, URL, GitHub, ADO, inheritance, malformed, stale, and cached paths; cache schema v4 invalidates warning-less legacy cache entries.src/apm_cli/commands/policy.pyexposes warnings in both renderers.Diagram
Legend: invalid native inputs now stop at their owning parser, while valid policy warnings remain visible through discovery and rendering.
flowchart LR M[apm.yml] --> MV[Manifest identity validation] P[policy.yml] --> PV[Policy schema validation] MV -->|valid| A[Audit] MV -->|invalid| E[Nonzero diagnostic] PV -->|errors| E PV -->|valid with warnings| D[Policy discovery and cache] D --> S[Policy status JSON or table] classDef new stroke-dasharray: 5 5; class MV,PV,D,S new;Trade-offs
Benefits
apm audit --ciexit 1.Validation
Regression tests were written first and failed on the base revision for the missing validations and warning propagation.
Targeted suites:
tests/test_apm_package_models.py::TestAPMPackagetests/unit/test_apm_package.pytests/unit/policy/test_parser.pytests/unit/policy/test_discovery.pytests/unit/commands/test_policy_status.pyManual CLI evidence:
Lint evidence:
Scenario Evidence
apm audit --cirejects empty, list-valued, or non-string manifest identitytests/test_apm_package_models.py::TestAPMPackage::test_from_apm_yml_rejects_invalid_identity(regression-trap for #2137)tests/unit/policy/test_parser.py::TestValidatePolicy::test_typo_and_wrong_typed_native_values_are_diagnosed(regression-trap for #2137)tests/unit/commands/test_policy_status.py::TestStatusPolicySourceOverride::test_json_preserves_warning_when_policy_has_schema_errors;tests/unit/policy/test_discovery.py::TestCacheReadWrite::test_policy_warnings_survive_cache_round_tripHow to test
uv run apm audit --ci --no-policy -f jsonwithname: ""andversion: 123; expect exit 1 and an identity diagnostic.name: [a, b]; expect exit 1.name: valid-pkgandversion: 1.0.0; expect exit 0.uv run apm policy status --check --policy-source policy.yml --jsonwith the issue repro policy; expect exit 1, both type errors, and an unknown-key warning.Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com