Closed
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -44,6 +44,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Removed

- CI: deleted `ci-integration-pr-stub.yml`. The four stubs were a holdover from the pre-merge-gate model where branch protection required each Tier 2 check name directly. After #867, branch protection requires only `gate`, so the stubs are dead weight. Reduced `EXPECTED_CHECKS` in `merge-gate.yml` to just `Build & Test (Linux)`.

### Fixed

- `apm update` sanitises the subprocess environment before invoking the platform installer so the bundled PyInstaller `LD_LIBRARY_PATH` / `DYLD_*` no longer leak into system binaries (`curl`, `tar`, `sudo`) spawned by `install.sh`. Previously the installer's first `curl` call could abort with `libssl.so.3: version 'OPENSSL_3.2.0' not found` on distros whose system `libcurl` requires a newer OpenSSL ABI than the APM bundle ships (Debian trixie arm64 dev-containers, Fedora 43, and similar). Restoration uses PyInstaller's official `<VAR>_ORIG` protocol, preserving the user's own `LD_LIBRARY_PATH` exports. Closes #894
- Policy cache path resolution on Windows: `discover_policy` now resolves `project_root` to its canonical long-name form before computing the cache path, preventing 8.3 short-name/long-name mismatches from triggering a false `PathTraversalError` on Windows. (#886, #895)
Comment on lines 49 to +52

Copilot AI Apr 25, 2026

Under `## [Unreleased]`, `### Fixed` appears twice (once at line 30 and again at line 40), which breaks the Keep a Changelog structure and makes entries easy to miss. Please consolidate into a single `### Fixed` section and place this new bullet under that single section (also worth double-checking the rest of the file for any merge artifacts).

See below for a potential fix:

- `apm update` sanitises the subprocess environment before invoking the platform installer so the bundled PyInstaller `LD_LIBRARY_PATH` / `DYLD_*` no longer leak into system binaries (`curl`, `tar`, `sudo`) spawned by `install.sh`. Previously the installer's first `curl` call could abort with `libssl.so.3: version 'OPENSSL_3.2.0' not found` on distros whose system `libcurl` requires a newer OpenSSL ABI than the APM bundle ships (Debian trixie arm64 dev-containers, Fedora 43, and similar). Restoration uses PyInstaller's official `<VAR>_ORIG` protocol, preserving the user's own `LD_LIBRARY_PATH` exports. Closes #894
- Policy cache path resolution on Windows: `discover_policy` now resolves `project_root` to its canonical long-name form before computing the cache path, preventing 8.3 short-name/long-name mismatches from triggering a false `PathTraversalError` on Windows. (#886, #895)

### Removed

- CI: deleted `ci-integration-pr-stub.yml`. The four stubs were a holdover from the pre-merge-gate model where branch protection required each Tier 2 check name directly. After #867, branch protection requires only `gate`, so the stubs are dead weight. Reduced `EXPECTED_CHECKS` in `merge-gate.yml` to just `Build & Test (Linux)`.

Copilot uses AI. Check for mistakes.

Copilot AI Apr 25, 2026

The new entry says `discover_policy` resolves `project_root` before computing the cache path, but the actual fix (per #886/#895) is in `_get_cache_dir()` / `ensure_path_within()` path normalization. Consider rewording to describe the behavior change (policy cache path normalization on Windows) without attributing it to the wrong function name.

Suggested change
- Policy cache path resolution on Windows: `discover_policy` now resolves `project_root` to its canonical long-name form before computing the cache path, preventing 8.3 short-name/long-name mismatches from triggering a false `PathTraversalError` on Windows. (#886, #895)
- Policy cache path handling on Windows now normalises paths consistently, preventing 8.3 short-name/long-name mismatches from triggering a false `PathTraversalError`. (#886, #895)

- CI: deleted `ci-integration-pr-stub.yml`. The four stubs were a holdover from the pre-merge-gate model where branch protection required each Tier 2 check name directly. After #867, branch protection requires only `gate`, so the stubs are dead weight. Reduced `EXPECTED_CHECKS` in `merge-gate.yml` to just `Build & Test (Linux)`. (#875)

## [0.9.2] - 2026-04-23
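
Review bot: The CI entry for deleting `ci-integration-pr-stub.yml` appears twice in this region of `CHANGELOG.md`: once under the `### Removed` heading near the top of the hunk without a PR reference, and again as the last bullet before `## [0.9.2]` with `(#875)`. Keep a single copy, the one carrying `(#875)`, under one `### Removed` heading so the release notes do not list the same change twice. Separately, the `apm update` bullet ends with `Closes #894` while the neighbouring bullets use the parenthesised form `(#886, #895)`; writing it as `(#894)` would keep the reference style consistent.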