chore: prepare v0.9.1 release

[danielmeppiel]

Summary

Bumps to v0.9.1 and rolls the [Unreleased] changelog into [0.9.1] - 2026-04-22.

Audit pass — 1 PR = 1 entry

The Unreleased section had grown to 22 lines spanning issue numbers (#827, #829, #831, #834) instead of PR numbers, with the same PR (#832) cited 7 times across Added / Changed / Removed / Security / Fixed. This release prep collapses the changelog to one line per PR per the project convention:

• feat(policy): enforce apm-policy.yml at install time #832 (install-time policy enforcement): one Added line that names the four closed issues inline and keeps the enforcement: block migration warning visible
• fix(workflows): allow fork PRs in pr-review-panel #826, fix(panel-workflow): only fire on label, add dispatch path for fork PRs #836, fix(panel-workflow): use pull_request_target so labelled fork PRs run #837 (fork-PR fixes for pr-review-panel): combined into one Fixed entry per the multi-PR convention ((#X, #Y, #Z))
• ci(docs): deploy site only on stable APM releases #822, chore: dogfood APM by migrating primitives from .github/ to .apm/ #823, feat(workflows): automate apm-review-panel via github/gh-aw #824: untouched, already one-line

Highlights

• Install-time enforcement of org apm-policy.yml (feat(policy): enforce apm-policy.yml at install time #832) — covers deps deny/allow/require, MCP deny/transport/trust-transitive, compilation.target.allow, extends: chains, policy.fetch_failure knob, policy.hash pin. Includes --no-policy escape hatch, --dry-run preview, and the new apm policy status diagnostic.
• pr-review-panel gh-aw workflow (feat(workflows): automate apm-review-panel via github/gh-aw #824) plus three follow-ups (fix(workflows): allow fork PRs in pr-review-panel #826, fix(panel-workflow): only fire on label, add dispatch path for fork PRs #836, fix(panel-workflow): use pull_request_target so labelled fork PRs run #837) so labelled fork PRs trigger correctly.
• Docs site publishes only on stable releases (ci(docs): deploy site only on stable APM releases #822).
• Repository dogfoods APM via .apm/ as the source of truth (chore: dogfood APM by migrating primitives from .github/ to .apm/ #823).

Migration

Orgs that publish enforcement: block in apm-policy.yml may see installs that previously succeeded now fail. Preview verdicts before upgrading:

apm install --dry-run

Verification

• uv lock regenerated; pyproject.toml and uv.lock both at 0.9.1
• Full unit suite: 5186 passed (1 unrelated preexisting failure in test_global_mcp_scope.py)

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

[Copilot]

Pull request overview

Prepares the v0.9.1 release by bumping the Python package version and rolling the existing [Unreleased] changelog entries into a dated 0.9.1 section.

Changes:

• Bump apm-cli version to 0.9.1 in pyproject.toml.
• Move [Unreleased] entries into ## [0.9.1] - 2026-04-22 and collapse to one line per PR.

Show a summary per file

File	Description
pyproject.toml	Updates the project version to 0.9.1.
CHANGELOG.md	Rolls Unreleased content into the 0.9.1 release section and consolidates entries.

Copilot's findings

• Files reviewed: 2/3 changed files
• Comments generated: 1

[Copilot]

The CLI version is bumped to 0.9.1 here, but the repo's root apm.yml still declares version: 0.9.0. Since apm config reports both the project (apm.yml) version and the CLI version, leaving these out of sync can be confusing and may also affect bundle/pack metadata that reads apm.yml. Consider bumping apm.yml to 0.9.1 as part of the release prep (or document why it intentionally differs).