microsoft · danielmeppiel · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
@@ -9,6 +9,10 @@ import mermaid from 'astro-mermaid';
 export default defineConfig({
 	site: 'https://microsoft.github.io',
 	base: '/apm/',
+	redirects: {
+		'/enterprise/teams': '/enterprise/making-the-case',
+		'/enterprise/governance': '/enterprise/governance-guide',
+	},
 	integrations: [
 		mermaid(),
 		starlight({
@@ -78,14 +82,14 @@ export default defineConfig({
 				{
 					label: 'Enterprise',
 					items: [
-						{ label: 'APM for Teams', slug: 'enterprise/teams' },
-						{ label: 'Governance Guide', slug: 'enterprise/governance-guide' },
-						{ label: 'Governance & Compliance', slug: 'enterprise/governance' },
-						{ label: 'apm-policy.yml', slug: 'enterprise/apm-policy' },
-						{ label: 'Policy Reference', slug: 'enterprise/policy-reference' },
-						{ label: 'Security Model', slug: 'enterprise/security' },
-						{ label: 'Adoption Playbook', slug: 'enterprise/adoption-playbook' },
+						{ label: 'Enterprise', slug: 'enterprise' },
 						{ label: 'Making the Case', slug: 'enterprise/making-the-case' },
+						{ label: 'Adoption Playbook', slug: 'enterprise/adoption-playbook' },
+						{ label: 'Security Model', slug: 'enterprise/security' },
+						{ label: 'Governance', slug: 'enterprise/governance-guide' },
+						{ label: 'Registry Proxy & Air-gapped', slug: 'enterprise/registry-proxy' },
+						{ label: 'Policy Files', slug: 'enterprise/apm-policy' },
+						{ label: 'Policy Reference', slug: 'enterprise/policy-reference' },
 					],
 				},
 				{

@@ -2,7 +2,7 @@
 title: "Adoption Playbook"
 description: "A phased guide to rolling out APM from a pilot team to organization-wide adoption."
 sidebar:
-  order: 7
+  order: 3
 ---
 
 APM adoption follows a proven pattern: start small, prove value, expand.

@@ -1,8 +1,8 @@
 ---
-title: "apm-policy.yml"
+title: "Policy Files"
 description: "One org-wide policy file with tighten-only inheritance for AI agent dependencies, MCP servers, and compilation targets."
 sidebar:
-  order: 4
+  order: 7
 ---
 
 For the full enterprise rollout playbook and bypass contract, see the [Governance Guide](../governance-guide/).

@@ -1,8 +1,8 @@
 ---
-title: Governance Guide
+title: Governance
 description: How APM controls, governs, and enforces agent configuration -- with explicit guarantees, bypass surfaces, and known limitations.
 sidebar:
-  order: 2
+  order: 5
 ---
 
 :::note[Policy Engine Maturity]
@@ -323,6 +323,8 @@ You are NOT guaranteed:
 
 ## 9. Air-gapped and offline
 
+This section covers offline **policy** enforcement (the `apm-policy.yml` cache). For offline **dependency traffic** (routing installs through Artifactory), see [Registry Proxy & Air-gapped](../registry-proxy/).
+
 **For air-gapped CI, run `apm audit --ci --policy ./vendored-policy.yml` as your gating check; do not rely on `apm install` enforcement.**
 
 | Network state | Install gate | Install `--mcp` | `apm audit --ci --policy <file>` | `apm audit --ci` (auto-discovery) |

@@ -0,0 +1,32 @@
+---
+title: "Enterprise"
+description: "APM for organizations: making the case, rolling out at scale, securing the agent supply chain, and governing dependencies by policy."
+sidebar:
+  order: 1
+---
+
+APM for organizations rests on three pillars:
+
+- **[Portable by manifest](../getting-started/quick-start/)** -- one `apm.yml` declares every dependency; `apm.lock.yaml` pins exact versions; every developer and every CI run gets the same agent setup.
+- **[Secure by default](./security/)** -- `apm install` scans every package for hidden Unicode and other tampering before agents read it. Attack surface, scanners, and the MCP trust boundary are documented for procurement review.
+- **[Governed by policy](./governance-guide/)** -- `apm-policy.yml` lets platform teams allow-list dependencies, restrict deploy targets, and enforce trust rules at install time across every repo, from a single source of truth.
+
+## Where to start
+
+| If you are... | Start here |
+|---|---|
+| A CISO or security reviewer | [Security Model](./security/) -> [Governance](./governance-guide/) -> [Registry Proxy & Air-gapped](./registry-proxy/) |
+| A VP of Engineering or Tech Lead evaluating APM | [Governance](./governance-guide/) -> [Adoption Playbook](./adoption-playbook/) |
+| A platform engineer rolling out APM org-wide | [Adoption Playbook](./adoption-playbook/) -> [Registry Proxy & Air-gapped](./registry-proxy/) |
+| A champion building an internal pitch | [Making the Case](./making-the-case/) -> [Adoption Playbook](./adoption-playbook/) |
+| An engineer authoring policy | [Policy Files](./apm-policy/) -> [Policy Reference](./policy-reference/) |
+
+## Section map
+
+- [Making the Case](./making-the-case/) -- problem-at-scale narrative, talking points by audience, objection handling, sample RFC, ROI framework.
+- [Adoption Playbook](./adoption-playbook/) -- phased rollout from pilot team to organization-wide, with milestones, success metrics, and rollback options.
+- [Security Model](./security/) -- supply-chain posture: pre-deploy gate, content scanners, hidden-Unicode threat model, MCP trust boundary. Consumed verbatim by procurement and security reviewers.
+- [Governance](./governance-guide/) -- the flagship trust contract: bypass surfaces, install-gate guarantees, audit-log schema, rollout playbook, known gaps. Read this if you are deciding whether to make `apm audit --ci` a required check.
+- [Registry Proxy & Air-gapped](./registry-proxy/) -- route dependency and marketplace traffic through Artifactory or a compatible proxy; bypass-prevention contract; air-gapped CI playbook for both online-proxy and offline-bundle shapes.
+- [Policy Files](./apm-policy/) -- conceptual model of `apm-policy.yml`: what it is, what it declares, how to start one.
+- [Policy Reference](./policy-reference/) -- complete schema for every `apm-policy.yml` field.