feat(policy): Phase 1 — org-level policy engine for apm audit --ci

[danielmeppiel]

Summary

Introduces the APM policy engine (Phase 1) — org-level governance for agent packages via apm-policy.yml files discovered from .github repos.

What's new

Policy module (src/apm_cli/policy/)

• Schema — 10 frozen dataclasses modeling apm-policy.yml (dependencies allow/deny/require, MCP server policies, compilation settings, unmanaged file controls)
• Parser — YAML loading with validation, auto-coercion of YAML 1.1 boolean quirks (off → string)
• Matcher — Glob pattern matching (* single-segment, ** recursive) with @lru_cache for perf
• Discovery — Auto-discovers org policy from git remote → {org}/.github/apm-policy.yml via GitHub Contents API; supports explicit --policy <file> override; cache with configurable TTL
• Inheritance — Three-level chain (extends: hub → org → repo) with tighten-only merge semantics (deny=union, allow=intersection, require=union, enforcement escalates)
• CI checks — 6 baseline checks (lockfile, drift, integrity, version pinning, resolution, required fields) + 16 policy-enhanced checks (allow/deny lists, MCP server validation, compilation enforcement, unmanaged file detection)

CLI changes (apm audit)

• --ci flag — runs baseline CI checks, outputs structured JSON/SARIF
• --ci --policy <file|url> — adds policy-enhanced checks
• --no-cache — bypasses policy cache for tighter CI environments

Test fixtures (live on GitHub)

• DevExpGbb/.github/apm-policy.yml — org-level test policy
• DevExpGbb/apm-policy-test-fixture — repo with manifest + repo-level override (extends: org)

Test coverage

Suite	Count	Status
Unit tests	2,334	✅
Integration tests	127	✅
Policy unit tests	298	✅ (included in unit total)
Live API E2E tests	6	✅ (against DevExpGbb org)
Release validation	Hero scenarios 1 & 2	✅
Integration script	10 suites	✅

Documentation

• docs/.../enterprise/policy-reference.md — full schema reference
• docs/.../guides/ci-policy-setup.md — CI setup guide
• templates/policy-ci-workflow.yml — GitHub Actions workflow template
• Updated governance, CI/CD, rulesets, CLI reference, lockfile spec docs

Design doc

See WIP/apm-policies/apm-policies.md for the full design including Phase 2 (runtime hooks, IDE feedback) and the strategic amendments addressing side-loading, fail-open/fail-closed, cache staleness, and conflict resolution.

---

Closes the Phase 1 scope from the APM Policies design. Phase 2 (runtime hooks, pre-commit integration) is planned separately.

[Copilot]

Pull request overview

Introduces Phase 1 of an org-level policy engine that extends apm audit --ci with optional policy discovery (--policy org|<file>|<url>), plus a new baseline CI gate mode for lockfile consistency reporting (JSON/SARIF/text).

Changes:

• Adds src/apm_cli/policy/ (schema, parser/validation, glob matcher, inheritance merge, org policy discovery+cache, baseline+policy CI checks).
• Extends apm audit with --ci, --policy, and --no-cache, including JSON/SARIF reporting for CI.
• Adds extensive unit/integration/E2E tests, fixtures, workflow template, and documentation updates for policy/CI setup.

Reviewed changes

Copilot reviewed 32 out of 33 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
uv.lock	Bumps local editable apm-cli version.
tests/unit/test_audit_policy_command.py	CLI-level tests for apm audit --ci --policy flows and --no-cache.
tests/unit/test_audit_ci_command.py	CLI-level tests for baseline apm audit --ci behavior, outputs, and exit codes.
tests/unit/policy/test_schema.py	Validates default/frozen behavior of policy schema dataclasses.
tests/unit/policy/test_policy_checks.py	Unit tests for individual policy checks and run_policy_checks.
tests/unit/policy/test_parser.py	Tests YAML parsing + validation behavior for policy files.
tests/unit/policy/test_matcher.py	Tests glob matching semantics and allow/deny evaluation.
tests/unit/policy/test_inheritance.py	Tests tighten-only inheritance merge semantics + chain validation.
tests/unit/policy/test_fixtures.py	Smoke tests that fixture policies parse and contain expected fields.
tests/unit/policy/test_discovery.py	Tests policy discovery from file/url/repo/org plus caching and GitHub API fetch handling.
tests/unit/policy/test_ci_checks.py	Tests baseline CI checks engine + serialization (JSON/SARIF).
tests/unit/policy/init.py	Declares the unit-test policy package namespace.
tests/integration/test_policy_discovery_e2e.py	Optional gated E2E tests for discovery + (optionally) live GitHub API calls.
tests/fixtures/policy/repo-override-policy.yml	Repo-level override fixture (extends: org).
tests/fixtures/policy/org-policy.yml	Org policy fixture used across unit/integration/E2E tests.
tests/fixtures/policy/minimal-policy.yml	Minimal policy fixture to validate defaults.
tests/fixtures/policy/enterprise-hub-policy.yml	Enterprise hub fixture to validate stricter inheritance behavior.
templates/policy-ci-workflow.yml	GitHub Actions workflow template for baseline + policy CI checks with SARIF upload.
src/apm_cli/policy/schema.py	Frozen dataclasses representing apm-policy.yml schema.
src/apm_cli/policy/parser.py	YAML loading + validation/coercion into schema objects.
src/apm_cli/policy/matcher.py	Cached glob-pattern matcher for allow/deny policies.
src/apm_cli/policy/inheritance.py	Tighten-only merge + chain validation helpers.
src/apm_cli/policy/discovery.py	Org policy discovery from git remote + GitHub Contents API + TTL cache.
src/apm_cli/policy/ci_checks.py	Baseline and policy CI checks + JSON/SARIF serialization.
src/apm_cli/policy/init.py	Public policy module exports.
src/apm_cli/commands/audit.py	Adds --ci, --policy, --no-cache, and CI result rendering/output.
docs/src/content/docs/reference/lockfile-spec.md	Updates CI guidance to reflect apm audit --ci and --policy org.
docs/src/content/docs/reference/cli-commands.md	Documents new CLI flags and CI-mode exit codes/examples.
docs/src/content/docs/integrations/github-rulesets.md	Updates rulesets guidance to include apm audit --ci + policy enforcement.
docs/src/content/docs/integrations/ci-cd.md	Adds lockfile consistency and policy enforcement section for CI/CD.
docs/src/content/docs/guides/ci-policy-setup.md	New guide: how to set up org policy + CI enforcement.
docs/src/content/docs/enterprise/policy-reference.md	New policy reference doc (schema, checks, inheritance, patterns).
docs/src/content/docs/enterprise/making-the-case.md	Updates enterprise narrative to reflect CI policy enforcement availability.
docs/src/content/docs/enterprise/governance.md	Adds org policy governance and apm audit --ci baseline details.

[sergio-sisternes-epam]

Performance & Architecture Review — PR #365

Scale model for analysis

A large-org monorepo:

• D = 200 direct + transitive APM dependencies
• F = 1,500 deployed files (instructions, prompts, skills, rules across ~200 packages)
• P = 40 patterns in policy allow/deny lists
• R = 15 required packages
• G = 500 files in governance directories (.github/agents/, .cursor/rules/, etc.)

---

P1 — _check_content_integrity does full-disk I/O scan on every --ci run

Complexity: O(F x C) where F = deployed files and C = characters per file

def _check_content_integrity(project_root, lock):
    from ..commands.audit import _scan_lockfile_packages
    findings_by_file, _files_scanned = _scan_lockfile_packages(project_root)

This calls _scan_lockfile_packages -> iterates all lockfile deps -> reads every deployed file from disk -> runs the character-level Unicode scanner on each. The scanner itself iterates every character in every file (ContentScanner.scan_text loops over lines x chars).

At monorepo scale: 1,500 file reads + 1,500 full-text scans, every CI run. The scanner's isascii() fast-path helps for pure-ASCII files (~1us skip), but prompt files with emoji, non-Latin characters, or markdown syntax will fall through to the O(C) character loop.

Additional concern — circular import: policy/ci_checks.py imports _scan_lockfile_packages from commands/audit.py. This makes the policy module depend on its own consumer — an inversion that also prevents the function from being independently benchmarked or optimized.

---

P2 — _check_unmanaged_files does recursive rglob("*") on governance directories

Complexity: O(G) where G = total files across all governance directories

for gov_dir in dirs:
    dir_path = project_root / gov_dir
    for file_path in dir_path.rglob("*"):
        if file_path.is_file():
            rel = file_path.relative_to(project_root).as_posix()
            if rel not in deployed:   # <- set lookup, O(1) — good
                unmanaged.append(rel)

The rglob("*") is an unconstrained filesystem walk with no depth limit or file-count cap.

At monorepo scale: 500+ stat() calls + 500+ relative_to() path computations per CI run across .github/agents/, .github/instructions/, .cursor/rules/, .claude/, .opencode/.

---

P3 — O(R x D x L) in required-packages checks

Three functions iterate required packages x manifest deps x lockfile deps:

_check_required_packages — O(R x D), _check_required_packages_deployed — O(R x D) + O(R x L), _check_required_package_version — O(R x L).

At monorepo scale: 15 required x 200 deps x 200 lockfile entries = 600,000 iterations across the three functions. The startswith comparison is also semantically fragile — org/package-v2 would match a requirement for org/package.

---

P4 — Pattern matching: fine for Phase 1, worth noting for future

The @lru_cache(maxsize=512) on _compile_pattern is correctly sized for patterns (~40 entries vs 512 capacity). The O(P x D) regex match cost is amortized well. No action needed for Phase 1 — note only.

---

P5 — _check_deployed_files_present does O(F_total) individual stat() calls

for _dep_key, dep in lock.dependencies.items():
    for rel_path in dep.deployed_files:
        abs_path = project_root / rel_path
        if not abs_path.exists():          # stat() syscall per file

At monorepo scale: 1,500 os.stat() calls. ~1-10us on local disk, but 1-10ms on network-mounted CI filesystems.

---

P6 — All 22 checks run unconditionally even when early failures make the result predetermined

The baseline runner short-circuits on lockfile-exists failure (good), but all 5 remaining baseline checks always run. The policy runner always executes all 16 checks regardless of earlier failures.

At monorepo scale: If ref-consistency fails, the expensive content-integrity check still runs (1,500 file reads) for a result that is already exit code 1.

---

P7 — No file-exclusion mechanism for any of the I/O-heavy checks

There is no .apmignore file, no exclude patterns in the policy schema, and no skip-list anywhere in the scanning pipeline.

Check	What it scans	Exclusion logic
content-integrity	Every file in lock.deployed_files	None
deployed-files-present	Every file in lock.deployed_files	Path traversal safety only
unmanaged-files	rglob("*") on 6 governance dirs	None

Large orgs with vendored configs, generated instruction files, or documentation alongside agent configs have no way to control scanning scope.

---

P8 — God files and god functions will hinder Phase 2 velocity

ci_checks.py (1,112 lines) — contains 3 distinct layers (result model ~110 lines, 6 baseline checks ~350 lines, 16 policy checks ~650 lines) with different dependencies and change velocities.

audit.py (570 -> ~740 lines) — now handles two completely independent modes (content scan + CI) sharing no logic. The audit() function grows to ~90 lines / 11 parameters. Phase 2 adds --drift as a third mode.

run_policy_checks (~50 statements) — sequential dispatch appending 16 results. Independently testable checks are colocated in a single module.

---

Complexity Budget Summary

Check	Current complexity	At scale (200D, 1500F, 40P, 15R, 500G)	Bottleneck type
content-integrity	O(F x C)	1,500 file reads + char scans	Disk I/O
unmanaged-files	O(G)	500 stat + path ops	Disk I/O
deployed-files-present	O(F_total)	1,500 stat calls	Disk I/O
required-packages (3 checks)	O(R x D x L)	~600K string ops	CPU
Pattern matching (allow/deny)	O(P x D)	~8K regex matches	CPU (cached)
All others	O(D) or O(1)	Negligible	—

Three of the top four bottlenecks are disk I/O. The most impactful optimizations avoid unnecessary file I/O via fail-fast, exclusion patterns, incremental scanning, or batched stat operations.

---

Recommended Implementation Plan

We recommend addressing all items below before merging this PR to establish the right architectural foundation for the policy module. If timeline pressures require a phased approach, each phase maps cleanly to a standalone follow-up issue.

Phase A — Structural refactors (no logic changes, low risk)

These are mechanical moves — relocate code, update imports, verify tests still pass. They unblock everything else and set the pattern for the new policy/ module.

1. Split ci_checks.py into 3 modules

   • policy/models.py — CheckResult, CIAuditResult with to_json(), to_sarif() (~110 lines)
   • policy/ci_checks.py — 6 baseline checks + run_baseline_checks (~350 lines)
   • policy/policy_checks.py — 16 policy checks + run_policy_checks + _load_raw_apm_yml (~650 lines)

2. Extract _scan_lockfile_packages from commands/audit.py to security/file_scanner.py

   • Breaks the circular import (policy/ -> commands/)
   • Enables independent testing and benchmarking of the scanner
   • Update imports in both audit.py and ci_checks.py

3. Extract CI mode from audit() into _run_ci_mode() helper

   • Keeps audit() as a thin dispatcher with clear mode branches
   • Prepares the command for Phase 2's --drift mode
   • Move _render_ci_results to a to_text() method on CIAuditResult (parallel to to_json()/to_sarif())

Phase B — Performance quick wins (small logic changes, high impact)

4. Add fail-fast mode to CI checks

   • Default --ci stops after the first check failure (skips expensive I/O checks when result is already exit 1)
   • Add --no-fail-fast flag for users who want the full diagnostic report
   • Estimated latency reduction at monorepo scale: ~70% in common failure paths

5. Pre-index dependencies in required-packages checks

   • Build dep_by_canonical dict and lock_by_key dict once before the check loops
   • Replace O(R x D) linear scans with O(1) dict lookups
   • Fixes the startswith prefix-collision bug (e.g., org/package-v2 matching org/package)
   • Reduces 600K iterations to ~215 dict lookups at scale

6. Add max_files safety threshold to _check_unmanaged_files

   • Cap rglob("*") traversal at 10,000 files with a warning
   • Prevents runaway scanning in repos with large governance directories

Phase C — Exclusion mechanism (medium effort, strategic)

7. Add exclude patterns to the unmanaged_files policy section

   unmanaged_files:
     action: warn
     directories:
       - .github/agents
     exclude:
       - .github/agents/generated/**
       - .cursor/rules/vendor/**

   • Reuse the existing matches_pattern() glob engine from policy/matcher.py
   • Gives orgs a self-service knob to control scanning cost

8. Support .apmignore at project level (or audit.exclude in policy)

   • Applies to content-integrity and deployed-files-present checks
   • Analogous to .gitignore — familiar pattern for developers
   • Can share the same glob engine as the policy exclude patterns

Phase D — Advanced I/O optimizations (medium effort, monorepo-scale payoff)

9. Incremental content scanning

   • Only scan deployed files whose mtime is newer than lockfile's generated_at timestamp
   • For PR-triggered CI, this typically limits the scan to 2-5 changed files instead of 1,500
   • Estimated latency reduction: ~90% for typical CI runs

10. Batch stat() calls in _check_deployed_files_present

    • Walk unique parent directories once via os.scandir() to build a set of existing files
    • Replace 1,500 individual stat() calls with ~20 scandir() calls + O(1) set lookups
    • Estimated improvement: ~10x on network-mounted CI filesystems

---

Our recommendation: Phases A-B should ship with this PR — they are low-risk structural and algorithmic improvements that establish the right foundation. Phase C is the most strategic for enterprise adoption and should follow immediately. Phase D can be tracked as optimization issues and addressed when real-world monorepo telemetry confirms the bottlenecks.

If any phase needs to be deferred, each one is self-contained and can be extracted as a follow-up issue with the scope and acceptance criteria described above.

[sergio-sisternes-epam]

Gap: No policy control over which MCP registries are approved sources

The mcp.allow/mcp.deny lists match against server names only (via check_mcp_allowed() in matcher.py). The MCPDependency.registry field — which can be None (default), False (self-defined), or a custom URL string — is never inspected by any policy check.

This means a developer can point to an arbitrary registry URL in their apm.yml:

mcp:
  - name: my-server
    registry: "https://untrusted-registry.example.com"

...and it will pass all MCP policy checks as long as the server name matches an allowed pattern.

Suggested addition to McpPolicy schema:

mcp:
  registries:
    allow:
      - "https://registry.mcphub.io"
      - "https://internal.corp.net/mcp"
    deny:
      - "https://*.untrusted.example.com"
  allow: ["*"]          # existing server-name allow list
  self_defined: deny    # existing self-defined control

The check would inspect MCPDependency.registry for every MCP dep and validate it against the registry allow/deny list using the same _check_allow_deny() glob engine already in matcher.py.

This is especially relevant for enterprise supply-chain security — orgs need to ensure MCP servers are only resolved from vetted registries, not arbitrary endpoints.

Not necessarily a Phase 1 blocker, but worth tracking as a follow-up since the schema is being established now and adding registries later would be non-breaking.