docs: clarify dev-only primitives and the .apm/ scanner boundary#949
Merged
danielmeppiel merged 1 commit intomainfrom Apr 26, 2026
Merged
docs: clarify dev-only primitives and the .apm/ scanner boundary#949danielmeppiel merged 1 commit intomainfrom
danielmeppiel merged 1 commit intomainfrom
Conversation
Add a new guide that documents the canonical maintainer-only authoring
pattern: author dev-only primitives OUTSIDE .apm/ and reference them via
a local-path devDependency. This pattern works around three otherwise
surprising behaviors:
1. The local-content scanner does not honor the devDep marker; it
bundles everything under .apm/ at pack time.
2. `includes:` is allow-list only -- no exclude form.
3. Plain `apm install` deploys both deps and devDeps; there is no
--omit=dev flag today.
Also adds short cross-references from anatomy-of-an-apm-package (FAQ),
manifest-schema (sections 3.9 and 5), guides/dependencies, guides/
pack-distribute, and guides/skills (Option 5).
Docs-only. No schema or CLI changes.
Co-authored-by: Copilot <copilot@github.com>
danielmeppiel
force-pushed
the
docs/dev-only-primitives-clarification
branch
from
a91ad0c to
a11f230
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Adds documentation clarifying how dev-only primitives should be authored to avoid being bundled by the .apm/ local-content scanner during apm pack --format plugin, and updates the PR Review Panel workflow to cost-gate execution on the panel-review label.
Changes:
- Add a new guide documenting the canonical "dev-only primitives" pattern (author outside
.apm/, reference via local-pathdevDependencies). - Add cross-references and caveats across existing docs to explain scanner behavior,
includes:limitations, and install/pack devDep semantics. - Update PR Review Panel workflow to enforce a deterministic pre-activation label gate.
Show a summary per file
| File | Description |
|---|---|
| docs/src/content/docs/reference/manifest-schema.md | Adds explicit notes about includes: being allow-list-only and clarifies devDeps behavior vs .apm/ scanning. |
| docs/src/content/docs/introduction/anatomy-of-an-apm-package.md | Adds FAQ guidance pointing to the new dev-only primitives guide. |
| docs/src/content/docs/guides/skills.md | Adds a new "Maintainer-only Skill (Dev-only)" option referencing the canonical pattern. |
| docs/src/content/docs/guides/pack-distribute.md | Clarifies devDependencies exclusion and adds caveat about .apm/ local-content scanning. |
| docs/src/content/docs/guides/dev-only-primitives.md | New canonical guide describing the pattern, rationale, and verification steps. |
| docs/src/content/docs/guides/dependencies.md | Adds an explicit caveat about apm install deploying devDeps and .apm/ scanning behavior. |
| .github/workflows/pr-review-panel.md | Adds a workflow-level label filter step intended to skip non-panel-review label events early. |
| .github/workflows/pr-review-panel.lock.yml | Regenerates the compiled lockfile to reflect the workflow changes. |
Copilot's findings
- Files reviewed: 6/6 changed files
- Comments generated: 2
| This keeps development-only packages (test helpers, lint rules) out of distributed plugins. | ||
| This keeps third-party development-only packages (test helpers, lint rules) out of distributed plugins. | ||
|
|
||
| **Caveat for primitives you author yourself:** the dev/prod split is enforced via the lockfile's `is_dev` marker for resolved dependencies. The local-content scanner that ships your own `.apm/` content does NOT consult that marker -- it bundles everything under `.apm/`. To keep maintainer-only primitives (release-checklist skills, internal debugging agents) out of plugin bundles, author them OUTSIDE `.apm/` (e.g. under `dev/`) and reference them via a local-path devDependency. See [Dev-only Primitives](./dev-only-primitives/). |
There was a problem hiding this comment.
Intra-guides links elsewhere in the docs use the ../<page>/ form (e.g. guides/dependencies.md -> ../pack-distribute/). Using ./dev-only-primitives/ here will resolve under the current page path in the built site (e.g. /guides/pack-distribute/dev-only-primitives/), which breaks navigation. Recommend switching this to ../dev-only-primitives/ for consistency and correct routing.
Suggested change
| **Caveat for primitives you author yourself:** the dev/prod split is enforced via the lockfile's `is_dev` marker for resolved dependencies. The local-content scanner that ships your own `.apm/` content does NOT consult that marker -- it bundles everything under `.apm/`. To keep maintainer-only primitives (release-checklist skills, internal debugging agents) out of plugin bundles, author them OUTSIDE `.apm/` (e.g. under `dev/`) and reference them via a local-path devDependency. See [Dev-only Primitives](./dev-only-primitives/). | |
| **Caveat for primitives you author yourself:** the dev/prod split is enforced via the lockfile's `is_dev` marker for resolved dependencies. The local-content scanner that ships your own `.apm/` content does NOT consult that marker -- it bundles everything under `.apm/`. To keep maintainer-only primitives (release-checklist skills, internal debugging agents) out of plugin bundles, author them OUTSIDE `.apm/` (e.g. under `dev/`) and reference them via a local-path devDependency. See [Dev-only Primitives](../dev-only-primitives/). |
| - [Anatomy of an APM Package](../../introduction/anatomy-of-an-apm-package/) -- why `.apm/` is the publishable source root. | ||
| - [Manifest Schema 3.9 -- `includes`](../../reference/manifest-schema/#39-includes) -- allow-list semantics, no exclude form. | ||
| - [Manifest Schema 5 -- `devDependencies`](../../reference/manifest-schema/#5-devdependencies) -- the field reference. | ||
| - [Pack & Distribute -- Plugin format](./pack-distribute/#plugin-format) -- what the scanner emits. |
There was a problem hiding this comment.
This link uses ./pack-distribute/#plugin-format, but other pages in guides consistently link to sibling pages with ../<page>/... (because routes are /guides/<page>/). As written, it will resolve under /guides/dev-only-primitives/pack-distribute/ in the built site. Suggest changing it to ../pack-distribute/#plugin-format.
Suggested change
| - [Pack & Distribute -- Plugin format](./pack-distribute/#plugin-format) -- what the scanner emits. | |
| - [Pack & Distribute -- Plugin format](../pack-distribute/#plugin-format) -- what the scanner emits. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Maintainers hit a recurring surprise: declare a local-path
devDependencypointing at a skill under.apm/skills/, expectapm pack --format pluginto strip it, and the pack scanner picks it up anyway. The docs do not explain that the local-content scanner operates on.apm/only and does NOT consult the devDependency marker. Three behaviors compound the confusion:.apm/at pack time.includes:is allow-list only -- there is noexclude:form, so users cannot fence off subdirectories of.apm/.apm install(no flag) deploys bothdependenciesanddevDependencies; there is no--omit=devflag today.A real-world example of the cure:
dadff60indanielmeppiel/genesismoves a maintainer-only skill out of.apm/and references it via a local-path devDependency.What
docs/src/content/docs/guides/dev-only-primitives.md-- the canonical pattern (author outside.apm/, reference via local-path devDependency), with worked example, the three behaviors it works around, when to use / when not, and a verification recipe.introduction/anatomy-of-an-apm-package.md-- new FAQ entry pointing to the guide.reference/manifest-schema.md3.9 -- explicit note thatincludes:has no exclude form.reference/manifest-schema.md5 -- caveat on plainapm installdeploying devDeps + scanner caveat + local-path devDep example.guides/dependencies.md-- caveat in Development Dependencies section.guides/pack-distribute.md-- caveat in devDependencies exclusion section.guides/skills.md-- new Option 5 for maintainer-only skills.How
Audit followed the PROSE methodology: single source of truth lives in the new guide; every other page gets a 1-2 sentence summary and a relative cross-reference. Total addition is one new ~580-word guide plus ~125 lines of inserts -- all surgical, no rewrites of surrounding prose.
ASCII-only throughout my changes (box-drawing in the new guide and the Option 5 tree use
+--/|, matching the audit's convention).Verification
npm run buildindocs/succeeds; starlight-links-validator reports all internal links valid (47 pages built).grep -rln dev-only-primitives docs/src/content/docs/resolves to all 5 patched files plus the new guide.apm pack --format plugin --dry-runrecipe in the new guide is the empirical check users can run today.Out of scope
dependencies.mdline 267 schema bug (- source: owner/test-helpersdoes not match the manifest schema). Will file separately.--omit=devflag,includes: exclude:form, scanner honoring devDep marker). Docs-only PR.Co-authored-by: Copilot copilot@github.com