apm-cli 0.8.5__tar.gz → 0.8.6__tar.gz

{apm_cli-0.8.5/src/apm_cli.egg-info → apm_cli-0.8.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: apm-cli
-Version: 0.8.5
+Version: 0.8.6
 Summary: MCP configuration tool
 Author-email: Daniel Meppiel <user@example.com>
 License: MIT License

{apm_cli-0.8.5 → apm_cli-0.8.6}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "apm-cli"
-version = "0.8.5"
+version = "0.8.6"
 description = "MCP configuration tool"
 readme = "README.md"
 requires-python = ">=3.10"

{apm_cli-0.8.5 → apm_cli-0.8.6}/src/apm_cli/commands/install.py

@@ -35,6 +35,12 @@ set = builtins.set
 list = builtins.list
 dict = builtins.dict
 
+# AuthResolver has no optional deps (stdlib + internal utils only), so it must
+# be imported unconditionally here -- NOT inside the APM_DEPS_AVAILABLE guard.
+# If it were gated, a missing optional dep (e.g. GitPython) would cause a
+# NameError in install() before the graceful APM_DEPS_AVAILABLE check fires.
+from ..core.auth import AuthResolver
+
 # APM Dependencies (conditional import for graceful degradation)
 APM_DEPS_AVAILABLE = False
 _APM_IMPORT_ERROR = None
@@ -56,7 +62,7 @@ except ImportError as e:
 # ---------------------------------------------------------------------------
 
 
-def _validate_and_add_packages_to_apm_yml(packages, dry_run=False, dev=False, logger=None):
+def _validate_and_add_packages_to_apm_yml(packages, dry_run=False, dev=False, logger=None, auth_resolver=None):
     """Validate packages exist and can be accessed, then add to apm.yml dependencies section.
 
     Implements normalize-on-write: any input form (HTTPS URL, SSH URL, FQDN, shorthand)
@@ -68,6 +74,7 @@ def _validate_and_add_packages_to_apm_yml(packages, dry_run=False, dev=False, lo
         dry_run: If True, only show what would be added.
         dev: If True, write to devDependencies instead of dependencies.
         logger: InstallLogger for structured output.
+        auth_resolver: Shared auth resolver for caching credentials.
 
     Returns:
         Tuple of (validated_packages list, _ValidationOutcome).
@@ -146,7 +153,7 @@ def _validate_and_add_packages_to_apm_yml(packages, dry_run=False, dev=False, lo
 
         # Validate package exists and is accessible
         verbose = bool(logger and logger.verbose)
-        if _validate_package_exists(package, verbose=verbose):
+        if _validate_package_exists(package, verbose=verbose, auth_resolver=auth_resolver):
             valid_outcomes.append((canonical, already_in_deps))
             if logger:
                 logger.validation_pass(canonical, already_present=already_in_deps)
@@ -258,7 +265,7 @@ def _local_path_no_markers_hint(local_dir, verbose_log=None):
         _rich_echo(f"      ... and {len(found) - 5} more", color="dim")
 
 
-def _validate_package_exists(package, verbose=False):
+def _validate_package_exists(package, verbose=False, auth_resolver=None):
     """Validate that a package exists and is accessible on GitHub, Azure DevOps, or locally."""
     import os
     import subprocess
@@ -266,7 +273,9 @@ def _validate_package_exists(package, verbose=False):
     from apm_cli.core.auth import AuthResolver
 
     verbose_log = (lambda msg: _rich_echo(f"  {msg}", color="dim")) if verbose else None
-    auth_resolver = AuthResolver()
+    # Use provided resolver or create new one if not in a CLI session context
+    if auth_resolver is None:
+        auth_resolver = AuthResolver()
 
     try:
         # Parse the package to check if it's a virtual package or ADO
@@ -300,8 +309,8 @@ def _validate_package_exists(package, verbose=False):
             org = dep_ref.repo_url.split('/')[0] if dep_ref.repo_url and '/' in dep_ref.repo_url else None
             if verbose_log:
                 verbose_log(f"Auth resolved: host={host}, org={org}, source={ctx.source}, type={ctx.token_type}")
-            downloader = GitHubPackageDownloader(auth_resolver=auth_resolver)
-            result = downloader.validate_virtual_package_exists(dep_ref)
+            virtual_downloader = GitHubPackageDownloader(auth_resolver=auth_resolver)
+            result = virtual_downloader.validate_virtual_package_exists(dep_ref)
             if not result and verbose_log:
                 try:
                     err_ctx = auth_resolver.build_error_context(host, f"accessing {package}", org=org)
@@ -316,26 +325,39 @@ def _validate_package_exists(package, verbose=False):
         if dep_ref.is_azure_devops() or (dep_ref.host and dep_ref.host != "github.com"):
             from apm_cli.utils.github_host import is_github_hostname, is_azure_devops_hostname
 
-            downloader = GitHubPackageDownloader()
+            # Determine host type before building the URL so we know whether to
+            # embed a token.  Generic (non-GitHub, non-ADO) hosts are excluded
+            # from APM-managed auth; they rely on git credential helpers via the
+            # relaxed validate_env below.
+            is_generic = not is_github_hostname(dep_ref.host) and not is_azure_devops_hostname(dep_ref.host)
+
+            # For GHES / ADO: resolve per-dependency auth up front so the URL
+            # carries an embedded token and avoids triggering OS credential
+            # helper popups during git ls-remote validation.
+            _url_token = None
+            if not is_generic:
+                _dep_ctx = auth_resolver.resolve_for_dep(dep_ref)
+                _url_token = _dep_ctx.token
+
+            ado_downloader = GitHubPackageDownloader(auth_resolver=auth_resolver)
             # Set the host
             if dep_ref.host:
-                downloader.github_host = dep_ref.host
+                ado_downloader.github_host = dep_ref.host
 
-            # Build authenticated URL using downloader's auth
-            package_url = downloader._build_repo_url(
-                dep_ref.repo_url, use_ssh=False, dep_ref=dep_ref
+            # Build authenticated URL using the resolved per-dep token.
+            package_url = ado_downloader._build_repo_url(
+                dep_ref.repo_url, use_ssh=False, dep_ref=dep_ref, token=_url_token
             )
 
             # For generic hosts (not GitHub, not ADO), relax the env so native
             # credential helpers (SSH keys, macOS Keychain, etc.) can work.
             # This mirrors _clone_with_fallback() which does the same relaxation.
-            is_generic = not is_github_hostname(dep_ref.host) and not is_azure_devops_hostname(dep_ref.host)
             if is_generic:
-                validate_env = {k: v for k, v in downloader.git_env.items()
+                validate_env = {k: v for k, v in ado_downloader.git_env.items()
                                 if k not in ('GIT_ASKPASS', 'GIT_CONFIG_GLOBAL', 'GIT_CONFIG_NOSYSTEM')}
                 validate_env['GIT_TERMINAL_PROMPT'] = '0'
             else:
-                validate_env = {**os.environ, **downloader.git_env}
+                validate_env = {**os.environ, **ado_downloader.git_env}
 
             if verbose_log:
                 verbose_log(f"Trying git ls-remote for {dep_ref.host}")
@@ -513,8 +535,19 @@ def _validate_package_exists(package, verbose=False):
     default=False,
     help="Install as development dependency (devDependencies)",
 )
+@click.option(
+    "--target",
+    "-t",
+    "target",
+    type=click.Choice(
+        ["copilot", "claude", "cursor", "opencode", "vscode", "agents", "all"],
+        case_sensitive=False,
+    ),
+    default=None,
+    help="Force deployment to a specific target (overrides auto-detection)",
+)
 @click.pass_context
-def install(ctx, packages, runtime, exclude, only, update, dry_run, force, verbose, trust_transitive_mcp, parallel_downloads, dev):
+def install(ctx, packages, runtime, exclude, only, update, dry_run, force, verbose, trust_transitive_mcp, parallel_downloads, dev, target):
     """Install APM and MCP dependencies from apm.yml (like npm install).
 
     This command automatically detects AI runtimes from your apm.yml scripts and installs
@@ -539,6 +572,10 @@ def install(ctx, packages, runtime, exclude, only, update, dry_run, force, verbo
         is_partial = bool(packages)
         logger = InstallLogger(verbose=verbose, dry_run=dry_run, partial=is_partial)
 
+        # Create shared auth resolver for all downloads in this CLI invocation
+        # to ensure credentials are cached and reused (prevents duplicate auth popups)
+        auth_resolver = AuthResolver()
+
         # Check if apm.yml exists
         apm_yml_exists = Path(APM_YML_FILENAME).exists()
 
@@ -560,7 +597,7 @@ def install(ctx, packages, runtime, exclude, only, update, dry_run, force, verbo
         # If packages are specified, validate and add them to apm.yml first
         if packages:
             validated_packages, outcome = _validate_and_add_packages_to_apm_yml(
-                packages, dry_run, dev=dev, logger=logger,
+                packages, dry_run, dev=dev, logger=logger, auth_resolver=auth_resolver,
             )
             # Short-circuit: all packages failed validation — nothing to install
             if outcome.all_failed:
@@ -661,6 +698,8 @@ def install(ctx, packages, runtime, exclude, only, update, dry_run, force, verbo
                     apm_package, update, verbose, only_pkgs, force=force,
                     parallel_downloads=parallel_downloads,
                     logger=logger,
+                    auth_resolver=auth_resolver,
+                    target=target,
                 )
                 apm_count = install_result.installed_count
                 prompt_count = install_result.prompts_integrated
@@ -874,12 +913,20 @@ def _integrate_package_primitives(
             package_info, project_root,
             diagnostics=diagnostics, managed_files=managed_files, force=force,
         )
+        # Build human-readable list of target dirs from deployed paths
+        _skill_target_dirs: set[str] = set()
+        for tp in skill_result.target_paths:
+            rel = tp.relative_to(project_root)
+            if rel.parts:
+                _skill_target_dirs.add(rel.parts[0])
+        _skill_targets = sorted(_skill_target_dirs)
+        _skill_target_str = ", ".join(f"{d}/skills/" for d in _skill_targets) or "skills/"
         if skill_result.skill_created:
             result["skills"] += 1
-            _log_integration(f"  └─ Skill integrated -> .github/skills/")
+            _log_integration(f"  |-- Skill integrated -> {_skill_target_str}")
         if skill_result.sub_skills_promoted > 0:
             result["sub_skills"] += skill_result.sub_skills_promoted
-            _log_integration(f"  └─ {skill_result.sub_skills_promoted} skill(s) integrated -> .github/skills/")
+            _log_integration(f"  |-- {skill_result.sub_skills_promoted} skill(s) integrated -> {_skill_target_str}")
         for tp in skill_result.target_paths:
             deployed.append(tp.relative_to(project_root).as_posix())
 
@@ -951,19 +998,20 @@ def _integrate_package_primitives(
         deployed.append(tp.relative_to(project_root).as_posix())
 
     # --- commands (.claude) ---
-    command_result = command_integrator.integrate_package_commands(
-        package_info, project_root,
-        force=force, managed_files=managed_files,
-        diagnostics=diagnostics,
-    )
-    if command_result.files_integrated > 0:
-        result["commands"] += command_result.files_integrated
-        _log_integration(f"  └─ {command_result.files_integrated} commands integrated -> .claude/commands/")
-    if command_result.files_updated > 0:
-        _log_integration(f"  └─ {command_result.files_updated} commands updated")
-    result["links_resolved"] += command_result.links_resolved
-    for tp in command_result.target_paths:
-        deployed.append(tp.relative_to(project_root).as_posix())
+    if integrate_claude:
+        command_result = command_integrator.integrate_package_commands(
+            package_info, project_root,
+            force=force, managed_files=managed_files,
+            diagnostics=diagnostics,
+        )
+        if command_result.files_integrated > 0:
+            result["commands"] += command_result.files_integrated
+            _log_integration(f"  └─ {command_result.files_integrated} commands integrated -> .claude/commands/")
+        if command_result.files_updated > 0:
+            _log_integration(f"  └─ {command_result.files_updated} commands updated")
+        result["links_resolved"] += command_result.links_resolved
+        for tp in command_result.target_paths:
+            deployed.append(tp.relative_to(project_root).as_posix())
 
     # --- OpenCode commands (.opencode) ---
     opencode_command_result = command_integrator.integrate_package_commands_opencode(
@@ -1071,6 +1119,8 @@ def _install_apm_dependencies(
     force: bool = False,
     parallel_downloads: int = 4,
     logger: "InstallLogger" = None,
+    auth_resolver: "AuthResolver" = None,
+    target: str = None,
 ):
     """Install APM package dependencies.
 
@@ -1082,6 +1132,8 @@ def _install_apm_dependencies(
         force: Whether to overwrite locally-authored files on collision
         parallel_downloads: Max concurrent downloads (0 disables parallelism)
         logger: InstallLogger for structured output
+        auth_resolver: Shared auth resolver for caching credentials
+        target: Explicit target override from --target CLI flag
     """
     if not APM_DEPS_AVAILABLE:
         raise RuntimeError("APM dependency system not available")
@@ -1114,8 +1166,12 @@ def _install_apm_dependencies(
     apm_modules_dir = project_root / APM_MODULES_DIR
     apm_modules_dir.mkdir(exist_ok=True)
 
+    # Use provided resolver or create new one if not in a CLI session context
+    if auth_resolver is None:
+        auth_resolver = AuthResolver()
+
     # Create downloader early so it can be used for transitive dependency resolution
-    downloader = GitHubPackageDownloader()
+    downloader = GitHubPackageDownloader(auth_resolver=auth_resolver)
 
     # Track direct dependency keys so the download callback can distinguish them from transitive
     direct_dep_keys = builtins.set(dep.get_unique_key() for dep in apm_deps)
@@ -1302,23 +1358,27 @@ def _install_apm_dependencies(
         # Get config target from apm.yml if available
         config_target = apm_package.target
 
-        # Auto-create .github/ if neither .github/ nor .claude/ exists.
-        # Per skill-strategy Decision 1, .github/skills/ is the standard skills location;
-        # creating .github/ here ensures a consistent skills root and also enables
-        # VSCode/Copilot integration by default (quick path to value), even for
-        # projects that don't yet use .claude/.
-        github_dir = project_root / GITHUB_DIR
-        claude_dir = project_root / CLAUDE_DIR
-        if not github_dir.exists() and not claude_dir.exists():
-            github_dir.mkdir(parents=True, exist_ok=True)
-            if logger:
-                logger.verbose_detail(
-                    "Created .github/ as standard skills root (.github/skills/) and to enable VSCode/Copilot integration"
-                )
+        # Resolve effective explicit target: CLI --target wins, then apm.yml
+        _explicit = target or config_target or None
+
+        # Determine active targets.  When --target or apm.yml target is set
+        # the user's choice wins.  Otherwise auto-detect from existing dirs,
+        # falling back to copilot when nothing is found.
+        from apm_cli.integration.targets import active_targets as _active_targets
+
+        _targets = _active_targets(project_root, explicit_target=_explicit)
+        for _t in _targets:
+            _target_dir = project_root / _t.root_dir
+            if not _target_dir.exists():
+                _target_dir.mkdir(parents=True, exist_ok=True)
+                if logger:
+                    logger.verbose_detail(
+                        f"Created {_t.root_dir}/ ({_t.name} target)"
+                    )
 
         detected_target, detection_reason = detect_target(
             project_root=project_root,
-            explicit_target=None,  # No explicit flag for install
+            explicit_target=_explicit,
             config_target=config_target,
         )
 
@@ -1472,13 +1532,9 @@ def _install_apm_dependencies(
         _pre_downloaded_keys = builtins.set(_pre_download_results.keys())
 
         # Create progress display for sequential integration
-        _auth_resolver = None
-        if verbose:
-            try:
-                from apm_cli.core.auth import AuthResolver
-                _auth_resolver = AuthResolver()
-            except Exception:
-                pass
+        # Reuse the shared auth_resolver (already created in this invocation) so
+        # verbose auth logging does not trigger a duplicate credential-helper popup.
+        _auth_resolver = auth_resolver
 
         with Progress(
             SpinnerColumn(),
@@ -2109,9 +2165,16 @@ def _install_apm_dependencies(
                             existing.add_dependency(dep)
                         lockfile = existing
 
-                lockfile.save(lockfile_path)
-                if logger:
-                    logger.verbose_detail(f"Generated apm.lock.yaml with {len(lockfile.dependencies)} dependencies")
+                # Only write when the semantic content has actually changed
+                # (avoids generated_at churn in version control).
+                existing_lockfile = LockFile.read(lockfile_path) if lockfile_path.exists() else None
+                if existing_lockfile and lockfile.is_semantically_equivalent(existing_lockfile):
+                    if logger:
+                        logger.verbose_detail("apm.lock.yaml unchanged -- skipping write")
+                else:
+                    lockfile.save(lockfile_path)
+                    if logger:
+                        logger.verbose_detail(f"Generated apm.lock.yaml with {len(lockfile.dependencies)} dependencies")
             except Exception as e:
                 _lock_msg = f"Could not generate apm.lock.yaml: {e}"
                 diagnostics.error(_lock_msg)

{apm_cli-0.8.5 → apm_cli-0.8.6}/src/apm_cli/compilation/claude_formatter.py

@@ -291,7 +291,10 @@ class ClaudeFormatter:
                 sections.append(f"## Files matching `{pattern}`")
                 sections.append("")
                 
-                for instruction in pattern_instructions:
+                for instruction in sorted(
+                    pattern_instructions,
+                    key=lambda i: portable_relpath(i.file_path, self.base_dir),
+                ):
                     content = instruction.content.strip()
                     if content:
                         # Add source attribution comment

{apm_cli-0.8.5 → apm_cli-0.8.6}/src/apm_cli/compilation/context_optimizer.py

@@ -172,8 +172,9 @@ class ContextOptimizer:
             self._file_list_cache = []
             for root, dirs, files in os.walk(self.base_dir):
                 # Skip hidden and excluded directories for performance
-                dirs[:] = [d for d in dirs if not d.startswith('.') and d not in DEFAULT_EXCLUDED_DIRNAMES]
-                for file in files:
+                # Sort to guarantee deterministic traversal order across filesystems
+                dirs[:] = sorted(d for d in dirs if not d.startswith('.') and d not in DEFAULT_EXCLUDED_DIRNAMES)
+                for file in sorted(files):
                     if not file.startswith('.'):
                         self._file_list_cache.append(Path(root) / file)
         return self._file_list_cache

{apm_cli-0.8.5 → apm_cli-0.8.6}/src/apm_cli/compilation/distributed_compiler.py

@@ -536,7 +536,10 @@ class DistributedAgentsCompiler:
             sections.append(f"## Files matching `{pattern}`")
             sections.append("")
             
-            for instruction in pattern_instructions:
+            for instruction in sorted(
+                pattern_instructions,
+                key=lambda i: portable_relpath(i.file_path, self.base_dir),
+            ):
                 content = instruction.content.strip()
                 if content:
                     # Add source attribution for individual instructions

{apm_cli-0.8.5 → apm_cli-0.8.6}/src/apm_cli/compilation/template_builder.py

@@ -34,12 +34,12 @@ def build_conditional_sections(instructions: List[Instruction]) -> str:
     
     sections = []
     
-    for pattern, pattern_instructions in pattern_groups.items():
+    for pattern, pattern_instructions in sorted(pattern_groups.items()):
         sections.append(f"## Files matching `{pattern}`")
         sections.append("")
-        
+
         # Combine content from all instructions for this pattern
-        for instruction in pattern_instructions:
+        for instruction in sorted(pattern_instructions, key=lambda i: portable_relpath(i.file_path, Path.cwd())):
             content = instruction.content.strip()
             if content:
                 # Add source file comment before the content

{apm_cli-0.8.5 → apm_cli-0.8.6}/src/apm_cli/core/auth.py

@@ -182,25 +182,30 @@ class AuthResolver:
         """Resolve auth for *(host, org)*.  Cached & thread-safe."""
         key = (host.lower() if host else host, org.lower() if org else org)
         with self._lock:
-            if key in self._cache:
-                return self._cache[key]
-
-        host_info = self.classify_host(host)
-        token, source = self._resolve_token(host_info, org)
-        token_type = self.detect_token_type(token) if token else "unknown"
-        git_env = self._build_git_env(token)
-
-        ctx = AuthContext(
-            token=token,
-            source=source,
-            token_type=token_type,
-            host_info=host_info,
-            git_env=git_env,
-        )
-
-        with self._lock:
+            cached = self._cache.get(key)
+            if cached is not None:
+                return cached
+
+            # Hold lock during entire credential resolution to prevent duplicate
+            # credential-helper popups when parallel downloads resolve the same
+            # (host, org) concurrently.  The first caller fills the cache; all
+            # subsequent callers for the same key become O(1) cache hits.
+            # Bounded by APM_GIT_CREDENTIAL_TIMEOUT (default 60s). No deadlock
+            # risk: single lock, never nested.
+            host_info = self.classify_host(host)
+            token, source = self._resolve_token(host_info, org)
+            token_type = self.detect_token_type(token) if token else "unknown"
+            git_env = self._build_git_env(token)
+
+            ctx = AuthContext(
+                token=token,
+                source=source,
+                token_type=token_type,
+                host_info=host_info,
+                git_env=git_env,
+            )
             self._cache[key] = ctx
-        return ctx
+            return ctx
 
     def resolve_for_dep(self, dep_ref: "DependencyReference") -> AuthContext:
         """Resolve auth from a ``DependencyReference``."""

{apm_cli-0.8.5 → apm_cli-0.8.6}/src/apm_cli/deps/github_downloader.py

@@ -85,27 +85,11 @@ def _close_repo(repo) -> None:
 def _rmtree(path) -> None:
     """Remove a directory tree, handling read-only files and brief Windows locks.
 
-    Git pack/index files are often read-only, and on Windows git processes may
-    hold brief locks even after the Repo object is closed.  This wrapper uses
-    an onerror callback for read-only files and a single retry for lock races.
+    Delegates to :func:`robust_rmtree` which retries with exponential backoff
+    on transient lock errors (e.g. antivirus scanning on Windows).
     """
-    def _on_readonly(func, fpath, _exc_info):
-        """onerror callback: make read-only files writable and retry."""
-        try:
-            os.chmod(fpath, stat.S_IWRITE)
-            func(fpath)
-        except OSError:
-            pass
-
-    try:
-        shutil.rmtree(path, onerror=_on_readonly)
-    except PermissionError:
-        if sys.platform == 'win32':
-            # Single retry after a brief wait for lingering git handles
-            time.sleep(0.5)
-            shutil.rmtree(path, ignore_errors=True)
-        # On all platforms: don't raise from cleanup — just leave the
-        # temp dir behind (the OS will clean it up eventually).
+    from ..utils.file_ops import robust_rmtree
+    robust_rmtree(path, ignore_errors=True)
 
 
 class GitProgressReporter(RemoteProgress):
@@ -202,20 +186,18 @@ class GitHubPackageDownloader:
         else:
             env['GIT_CONFIG_GLOBAL'] = '/dev/null'
 
-        # Resolve default host tokens via AuthResolver (backward compat properties)
-        default_ctx = self.auth_resolver.resolve(default_host())
-        self._default_github_ctx = default_ctx
-        self.github_token = default_ctx.token
-        self.has_github_token = default_ctx.token is not None
-        self._github_token_from_credential_fill = (
-            self.has_github_token
-            and self.token_manager.get_token_for_purpose('modules', env) is None
-        )
+        # IMPORTANT: Do not resolve credentials via helpers at construction time.
+        # AuthResolver.resolve(...) can trigger OS credential helper UI. If we do
+        # this eagerly (host-only key) and later resolve per-dependency (host+org),
+        # users can see duplicate auth prompts. Keep constructor token state env-only
+        # and resolve lazily per dependency during clone/validate flows.
+        self.github_token = self.token_manager.get_token_for_purpose('modules', env)
+        self.has_github_token = self.github_token is not None
+        self._github_token_from_credential_fill = False
 
-        # Azure DevOps
-        ado_ctx = self.auth_resolver.resolve("dev.azure.com")
-        self.ado_token = ado_ctx.token
-        self.has_ado_token = ado_ctx.token is not None
+        # Azure DevOps (env-only at init; lazy auth resolution happens per dep)
+        self.ado_token = self.token_manager.get_token_for_purpose('ado_modules', env)
+        self.has_ado_token = self.ado_token is not None
 
         # JFrog Artifactory (not host-based, uses dedicated env var)
         self.artifactory_token = self.token_manager.get_token_for_purpose('artifactory_modules', env)
@@ -664,7 +646,9 @@ class GitHubPackageDownloader:
                 f"If this package lives on a different server (e.g., github.com), "
                 f"use the full hostname in apm.yml: {suggested}"
             )
-        elif not self.has_github_token:
+        elif not has_token:
+            # No auth was resolved (neither env var nor credential helper).
+            # Guide the user through setting up authentication.
             host = dep_host or default_host()
             org = dep_ref.repo_url.split('/')[0] if dep_ref and dep_ref.repo_url else None
             error_msg += self.auth_resolver.build_error_context(host, "clone", org=org)
@@ -1626,14 +1610,16 @@ author: {dep_ref.repo_url.split('/')[0]}
                 _rmtree(target_path)
                 target_path.mkdir(parents=True, exist_ok=True)
 
-            # Copy subdirectory contents to target
+            # Copy subdirectory contents to target (retry on transient
+            # file-lock errors caused by antivirus scanning on Windows).
+            from ..utils.file_ops import robust_copytree, robust_copy2
             for item in source_subdir.iterdir():
                 src = source_subdir / item.name
                 dst = target_path / item.name
                 if src.is_dir():
-                    shutil.copytree(src, dst)
+                    robust_copytree(src, dst)
                 else:
-                    shutil.copy2(src, dst)
+                    robust_copy2(src, dst)
 
             # Capture commit SHA; close the Repo object immediately so its file
             # handles are released before _rmtree() runs in the finally block.
@@ -1723,16 +1709,17 @@ author: {dep_ref.repo_url.split('/')[0]}
                     f"Artifactory ({host}/{prefix}/{owner}/{repo}#{ref})"
                 )
             target_path.mkdir(parents=True, exist_ok=True)
+            from ..utils.file_ops import robust_rmtree, robust_copytree, robust_copy2
             if target_path.exists() and any(target_path.iterdir()):
-                shutil.rmtree(target_path)
+                robust_rmtree(target_path)
                 target_path.mkdir(parents=True, exist_ok=True)
             for item in source_subdir.iterdir():
                 src = source_subdir / item.name
                 dst = target_path / item.name
                 if src.is_dir():
-                    shutil.copytree(src, dst)
+                    robust_copytree(src, dst)
                 else:
-                    shutil.copy2(src, dst)
+                    robust_copy2(src, dst)
 
         if progress_obj and progress_task_id is not None:
             progress_obj.update(progress_task_id, completed=80, total=100)
@@ -1771,7 +1758,8 @@ author: {dep_ref.repo_url.split('/')[0]}
 
         _debug(f"Downloading from Artifactory: {host}/{prefix}/{owner}/{repo}#{ref}")
         if target_path.exists() and any(target_path.iterdir()):
-            shutil.rmtree(target_path)
+            from ..utils.file_ops import robust_rmtree
+            robust_rmtree(target_path)
         target_path.mkdir(parents=True, exist_ok=True)
         if progress_obj and progress_task_id is not None:
             progress_obj.update(progress_task_id, total=100, completed=10)

{apm_cli-0.8.5 → apm_cli-0.8.6}/src/apm_cli/deps/lockfile.py

@@ -302,6 +302,26 @@ class LockFile:
         """Save lock file to disk (alias for write)."""
         self.write(path)
 
+    def is_semantically_equivalent(self, other: "LockFile") -> bool:
+        """Return True if *other* has the same deps, MCP servers, and configs.
+
+        Ignores ``generated_at`` and ``apm_version`` so that a no-change
+        install does not dirty the lockfile.
+        """
+        if self.lockfile_version != other.lockfile_version:
+            return False
+        if set(self.dependencies.keys()) != set(other.dependencies.keys()):
+            return False
+        for key, dep in self.dependencies.items():
+            other_dep = other.dependencies[key]
+            if dep.to_dict() != other_dep.to_dict():
+                return False
+        if sorted(self.mcp_servers) != sorted(other.mcp_servers):
+            return False
+        if self.mcp_configs != other.mcp_configs:
+            return False
+        return True
+
     @classmethod
     def installed_paths_for_project(cls, project_root: Path) -> List[str]:
         """Load apm.lock.yaml from project_root and return installed paths.