From 1304e1082ddd393a617aad1cf40d1bc655f9227f Mon Sep 17 00:00:00 2001
From: Peter Mounce
Date: Thu, 23 Apr 2026 11:14:58 +0100
Subject: [PATCH 1/4] feat: add pre-commit hook ... for shifting-left `apm audit` runs to developers who use [pre-commit](https://pre-commit.com/) or [prek](https://prek.j178.dev/). Please note prose in the `description` attribute. My choices with the files multiline regex may need extension to every `target` apm supports. Users can use the hook by pasting: ```yaml repos: ... - repo: https://github.com/microsoft/apm rev: {some tag or sha} hooks: id: apm_audit ``` ... into their `.pre-commit-config.yaml`. They can override any attribute in `-hooks` within their user-side config, which is how come I'm not overly concerned by the files regex being incomplete w.r.t. each supported `target`. I turned `pass_filenames` off because the command does not receive filenames as positional args (pre-commit will, as standard, pass a list of files to every hook; that list may be filtered to only contain the files changed in a given diff, to optimise runtime). Background docs: https://pre-commit.com/#new-hooks (I also noticed that `apm audit --help` suggests the command is just for finding hidden Unicode characters; that sounds stale given what else the command seems to do)
---
 .pre-commit-hooks.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .pre-commit-hooks.yaml
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
new file mode 100644
index 00000000..64c6d129
--- /dev/null
+++ b/.pre-commit-hooks.yaml
@@ -0,0 +1,29 @@
+---
+- id: apm_audit
+ name: apm_audit
+ description: |
+ Check that apm dependencies are in sync and policy compliant.
+
+ Note: `args` can have `--policy {apm-policy.yml}` passed to run further checks - that file can live in an org's `org/.github` repository for centralizing compliance. For that, use `--policy org`.
+
+ Note: `files` should include:
+
+ - apm*yml configuration files (and schema).
+ - toolchain manager configuration files (to trigger this when apm changes versions).
+ - agent configuration directories - to cause audit to detect if apm-delivered assets become modified.
+ entry: apm audit --ci
+ files: |-
+ (?x)^(
+ apm.yml|
+ apm.lock.yaml|
+ apm-policy\.yml|
+ .claude/.*|
+ .cursor/.*|
+ .github/agents/.*|
+ .github/instructions/.*|
+ .github/hooks/.*|
+ .opencode/.*|
+ .agents/.*
+ )$
+ language: system
+ pass_filenames: false
From 64662a173784c645bd7ec63723329cf49bb7b4e4 Mon Sep 17 00:00:00 2001
From: Peter Mounce
Date: Thu, 23 Apr 2026 13:12:48 +0100
Subject: [PATCH 2/4] Fix regex
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .pre-commit-hooks.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index 64c6d129..bc65a933 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -14,8 +14,8 @@
 entry: apm audit --ci
 files: |-
 (?x)^(
- apm.yml|
- apm.lock.yaml|
+ apm\.yml|
+ apm\.lock\.yaml|
 apm-policy\.yml|
 .claude/.*|
 .cursor/.*|
From b0a9d56cb63182da2031e9240e8941b742fe5b9a Mon Sep 17 00:00:00 2001
From: Peter Mounce
Date: Thu, 23 Apr 2026 13:13:41 +0100
Subject: [PATCH 3/4] Fix regex
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .pre-commit-hooks.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index bc65a933..a743abc2 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
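Review bot: In the new `.pre-commit-hooks.yaml` from patch 1/4, the `description` says `files` should include toolchain manager configuration files, but the `files` pattern lists only the apm manifests and agent directories, so an apm version change made through such a file does not trigger the hook. Either add those file names to the pattern or reword the bullet so it reads as something users supply themselves, for example `- toolchain manager configuration files (add these in your own override; none are listed by default).` The later patches in this series extend the directory list but leave this bullet and the pattern out of step.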
@@ -17,13 +17,13 @@
 apm\.yml|
 apm\.lock\.yaml|
 apm-policy\.yml|
- .claude/.*|
- .cursor/.*|
- .github/agents/.*|
- .github/instructions/.*|
- .github/hooks/.*|
- .opencode/.*|
- .agents/.*
+ \.claude/.*|
+ \.cursor/.*|
+ \.github/agents/.*|
+ \.github/instructions/.*|
+ \.github/hooks/.*|
+ \.opencode/.*|
+ \.agents/.*
 )$
 language: system
 pass_filenames: false
From 2ac302f22a8992f92791a8cfaea254224cf84fe7 Mon Sep 17 00:00:00 2001
From: Peter Mounce
Date: Thu, 23 Apr 2026 13:18:57 +0100
Subject: [PATCH 4/4] Capture other target possibilities
---
 .pre-commit-hooks.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index a743abc2..68e192f3 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -4,6 +4,8 @@
 description: |
 Check that apm dependencies are in sync and policy compliant.
 
+ Note: `apm` must be installed and present on `PATH`.
+
 Note: `args` can have `--policy {apm-policy.yml}` passed to run further checks - that file can live in an org's `org/.github` repository for centralizing compliance. For that, use `--policy org`.
 
 Note: `files` should include:
@@ -17,13 +19,15 @@
 apm\.yml|
 apm\.lock\.yaml|
 apm-policy\.yml|
+ \.agents/.*|
 \.claude/.*|
+ \.codex/.*|
 \.cursor/.*|
 \.github/agents/.*|
 \.github/instructions/.*|
 \.github/hooks/.*|
- \.opencode/.*|
- \.agents/.*
+ \.github/skills/.*|
+ \.opencode/.*
 )$
 language: system
 pass_filenames: false
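Review bot: The `PATH` note added in the first hunk of patch 4/4 is the place to say what `language: system` implies for pinning: the `rev` in a user's `.pre-commit-config.yaml` pins this hook definition only, while the `apm` binary that performs the audit is whichever one resolves first on the developer's `PATH`. Two developers on the same `rev` can therefore get different audit results, and an older local `apm` may not apply checks a newer one does (inferred from the hook fields, since `apm` itself is not part of this diff). I would extend the note to something like ``Note: `apm` must be installed and present on `PATH`; `rev` does not pin the `apm` version, so pin it with your toolchain manager and run the same `apm audit --ci` in CI.`` The description block continues outside this hunk.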
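Review bot: The `files` alternation extended in the second hunk of patch 4/4 decides whether the audit runs at all, so a commit that changes only a deployed path missing from the list skips `apm audit --ci` locally; the patch 1 commit message already concedes the list may not cover every `target`. Because `pass_filenames: false` means the command is not handed a file list, the pattern presumably saves runtime only and does not narrow what is audited. For a check meant to detect modified apm-delivered assets I would fail closed: add `always_run: true` beside `pass_filenames: false`, or keep the filter and state in the `description` that CI must run the audit unfiltered. The `files` block starts above this hunk.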