Context
Follow-up from PR #365 review (EPAM Phase C recommendation).
Problem
The _check_unmanaged_files and content-integrity CI checks have no exclusion mechanism. Large orgs with vendored configs, generated instruction files, or documentation alongside agent configs have no way to control scanning scope.
Proposed Solution
1. Policy-level exclusion for unmanaged files
unmanaged_files:
  action: warn
  directories:
    - .github/agents
  exclude:
    - .github/agents/generated/**
    - .cursor/rules/vendor/**
Reuse the existing matches_pattern() glob engine from policy/matcher.py.
2. .apmignore at project level
Applies to content-integrity and deployed-files-present checks. Analogous to .gitignore — familiar pattern for developers. Can share the same glob engine as the policy exclude patterns.
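As an added illustration (not the project's code), the snippet below shows how both mechanisms would narrow scan scope: a gitignore-style glob matcher stands in for the project's matches_pattern(), the policy exclude list is the one proposed above, and the file lists, the .apmignore contents and the extra .cursor/rules directory entry are constructed for the example.

```python
import re

# Policy exclude list from the proposed apm-policy.yml above.
POLICY_EXCLUDE = [".github/agents/generated/**", ".cursor/rules/vendor/**"]

# Constructed sample .apmignore: blank lines and '#' comments are ignored, like .gitignore.
APMIGNORE_TEXT = """# generated and vendored docs are out of scope
docs/**
*.generated.md
"""


def glob_to_regex(pattern: str) -> re.Pattern:
    """Compile a gitignore-style glob. ** spans directories; * and ? stay within one path
    segment; a pattern without '/' matches at any depth (stand-in for matches_pattern())."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    prefix = "(?:.*/)?" if "/" not in pattern else ""
    return re.compile("^" + prefix + "".join(out) + "$")


def matches_any(path: str, patterns: list[str]) -> bool:
    return any(glob_to_regex(p).match(path) for p in patterns)


def parse_apmignore(text: str) -> list[str]:
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def unmanaged_scan_scope(files: list[str], directories: list[str], exclude: list[str]) -> list[str]:
    """Files under a policy-listed directory that no exclude pattern removes."""
    in_dirs = [f for f in files if any(f.startswith(d.rstrip("/") + "/") for d in directories)]
    return [f for f in in_dirs if not matches_any(f, exclude)]


def content_scan_scope(files: list[str], apmignore_text: str) -> list[str]:
    """Files the content-integrity check should still cover after applying .apmignore."""
    return [f for f in files if not matches_any(f, parse_apmignore(apmignore_text))]
```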
Acceptance Criteria
- unmanaged_files.exclude patterns in apm-policy.yml are respected
- .apmignore file at project root controls content scanning scope
- Both checks share the matches_pattern() glob engine