fix: --update flag now bypasses lockfile SHA to fetch latest content

[sergio-sisternes-epam]

Summary

Fixes #190 — apm install --update was not updating subdirectory packages (or any packages) because the download reference was unconditionally overridden with the lockfile's pinned SHA, even when --update explicitly requests the latest version.

Root Cause

Three code paths in _install_apm_dependencies() did not respect the update_refs flag:

1. Pre-download ref construction — The parallel pre-download loop built _pd_dlref using the lockfile SHA regardless of --update
2. Sequential download ref construction — The sequential fallback path did the same
3. skip_download condition — already_resolved (set when the BFS resolver callback pre-downloaded a package) bypassed --update, causing the stale cached version to be used

Fix

• Gate lockfile SHA overrides behind not update_refs in both download ref construction paths
• Gate already_resolved behind not update_refs in the skip_download condition

Note on the reported symptom

The issue reports git remote -v inside apm_modules/owner/repo/ showing the consuming project's remote. This is a red herring — subdirectory packages are extracted from a temp clone (no .git directory is kept), so running git remote -v inside them walks up to the project root's .git. The actual symptom is stale content after --update.

Tests

• 14 new unit tests across 3 test classes in tests/unit/test_install_update.py
• Full test suite passes (1677 passed, 1 pre-existing unrelated failure)
• Tested locally with sample project as well

---

🤖 Test Improver here - I'm an automated AI assistant focused on improving tests for this repository.

Activity for March 2026

Suggested Actions for Maintainer

• Review PR [Test Improver] test: add workflow runner tests (22%→100%) + fix ANSI test failure - Review

(Previously submitted PRs may have been merged or are pending - check recent PR list for [Test Improver] prefix PRs.)

Maintainer Priorities

No specific priorities communicated yet.

Testing Opportunities Backlog

1. agents_compiler.py — 69% coverage, medium priority (complex compilation logic)
2. workflow/runner.py — done this run (22%→100%)
3. codex.py adapter — 44% coverage, low priority (network-heavy)
4. commands/deps.py — 6% coverage, low priority (complex, large file)
5. copilot.py adapter — 8% coverage, low priority (network-heavy)

Discovered Commands

# Install dev deps
python3 -m uv sync --extra dev

# Run tests
python3 -m uv run pytest tests/unit/ --no-header -q

# Run tests with coverage
python3 -m uv run pytest tests/unit/ --no-header -q --cov=apm_cli --cov-report=term-missing

# Format
python3 -m uv run black . && python3 -m uv run isort .

Note: uv is not on PATH in CI — use pip install uv --break-system-packages then python3 -m uv

Run History

2026-03-09 01:06 UTC - Run

• 🔧 Fixed ANSI test failure in test_install_command.py (Rich markup wrapping (org/repo))
• 🔧 Added 22 tests for workflow/runner.py: find_workflow_by_name, run_workflow, preview_workflow, collect_parameters missing-params branch
• 📊 Coverage: workflow/runner.py 22% → 100%; total 54% (1307 passing, 0 failing)
• 🔧 Created PR: test: add workflow runner tests (22%→100%) + fix ANSI test failure

2026-03-08 01:07 UTC - Run

• 🔧 Added 55 unit tests for distributed_compiler.py (50%→97%)
• 🔧 Fixed ANSI test failure in test_install_command.py
• 📊 Coverage: total 55%, 1339 passing, 0 failing
• 🔧 Created PR: test-assist/distributed-compiler-coverage

2026-03-07 01:06 UTC - Run

• 🔧 Added 32 unit tests for collection_parser.py (0%→100%)
• 🔧 Fixed ANSI test failure in test_install_command.py
• 📊 Coverage: 1307 passing, 0 failing
• 🔧 Created PR: test-assist/collection-parser-ansi-fix

2026-03-06 01:08 UTC - Run

• 🔧 Added 65 unit tests: apm_resolver.py (9%→98%), dependency_graph.py (59%→100%)
• 🔧 Created PR: test-assist/apm-resolver-coverage

2026-03-05 01:07 UTC - Run

• 🔧 Added 53 unit tests for GitHubTokenManager (20%→99%)
• 🔧 Created PR: test-assist/token-manager-coverage

2026-03-04 01:07 UTC - Run

• 🔧 Added 52 unit tests: core/operations.py (0%→100%), runtime/manager.py (17%→84%)
• 🔧 Created PR: test-assist/core-operations-runtime-manager-coverage

2026-03-03 19:54 UTC - Run

• 🔧 Added 41 unit tests: registry/operations.py (6%→88%)
• 🔧 Created PR: test-assist/registry-operations-coverage

2026-03-03 16:56 UTC - Run

• 🔧 Added 37 unit tests: package_validator.py (10%→100%); fixed UnboundLocalError bug
• 🔧 Created PR: test-assist/package-validator-coverage

2026-03-03 10:55 UTC - Run

• 🔧 Added 41 unit tests: constitution_block.py (53%→100%), injector.py (44%→93%)
• 🔧 Branch ready: test-assist/constitution-injector-coverage

Generated by Daily Test Improver · ◷

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/daily-test-improver.md@b87234850bf9664d198f28a02df0f937d0447295

[Copilot]

Pull request overview

Fixes apm install --update so it truly refreshes dependencies by preventing lockfile-pinned SHAs (and the “already resolved” short-circuit) from overriding --update behavior during install.

Changes:

• Gate lockfile SHA overrides behind not update_refs in both the parallel pre-download and sequential download ref construction paths.
• Gate already_resolved behind not update_refs in the skip_download condition so --update won’t silently reuse a previously-resolved package.
• Add new unit tests covering --update interactions with lockfile overrides and skip conditions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
src/apm_cli/cli.py	Ensures --update bypasses lockfile SHA pinning and avoids stale “already resolved” reuse during install.
tests/unit/test_install_update.py	Adds regression coverage for the --update/lockfile/skip-download behavior.

---

You can also share your feedback on Copilot code review. Take the survey.