You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For skills containing relative links, the deployed_file_hashes and content_hash change with the install scope (project vs --global), even for the same resolved_commit. This makes the lockfile non-portable across scopes, so I'd like to confirm whether that is the intended premise.
When a skill contains an intra-package relative link (e.g. SKILL.md → ../../commands/foo.md), apm rewrites that link to be anchored at the deployment location during install (src/apm_cli/deps/path_anchoring.py). The result differs by scope:
The difference is just the single .apm/ segment, but because the SKILL.md content changes, the deployed_file_hashes / content_hash change even for the same commit.
Observed (same skill, same commit):
generated with project scope: content_hash: sha256:e36a77ef…
generated with --global: content_hash: sha256:04da55da…
As a result, a lockfile generated under one scope, when used for an install under a different scope, always has a content mismatch for skills containing relative links.
How this differs from existing issues
The "apm install rewrites the lockfile on every run" lineage (#450 / #1532 / #1702 / #2078, all closed) were idempotency false positives — the lock was rewritten in the same scope even though content was unchanged. This case is different: the content genuinely differs by scope, so those fixes do not address it.
#2187 (open) is also a content_hash portability problem, but its cause is OS line-ending differences (CRLF/LF); this case is same-OS, scope-driven — a different axis. In the same spirit as #1959 (which normalized line endings out of the hash), the question is whether deploy-scope-dependent relative links should likewise be excluded from the hash.
Minimal reproduction
Prepare a skill package containing a SKILL.md and a commands/foo.md that the SKILL.md references via a relative path.
Run apm install (project scope) in some project directory; record the skill's content_hash.
With the same apm.yml / apm.lock.yaml, run apm install --global; observe that content_hash changes.
Confirm that the link inside the deployed SKILL.md differs between apm_modules/… and .apm/apm_modules/….
Questions
Is content_hash (which includes the deploy-scope-dependent rewritten relative links) intended to be install-scope-specific?
Or should the lockfile be portable across scopes, i.e. should content_hash be scope-independent?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
For skills containing relative links, the
deployed_file_hashesandcontent_hashchange with the install scope (project vs--global), even for the sameresolved_commit. This makes the lockfile non-portable across scopes, so I'd like to confirm whether that is the intended premise.Environment
Actual
When a skill contains an intra-package relative link (e.g.
SKILL.md→../../commands/foo.md), apm rewrites that link to be anchored at the deployment location during install (src/apm_cli/deps/path_anchoring.py). The result differs by scope:../../../apm_modules/<repo>/commands/foo.md--global:../../../.apm/apm_modules/<repo>/commands/foo.mdThe difference is just the single
.apm/segment, but because theSKILL.mdcontent changes, thedeployed_file_hashes/content_hashchange even for the same commit.Observed (same skill, same commit):
content_hash: sha256:e36a77ef…--global:content_hash: sha256:04da55da…As a result, a lockfile generated under one scope, when used for an install under a different scope, always has a content mismatch for skills containing relative links.
How this differs from existing issues
The "
apm installrewrites the lockfile on every run" lineage (#450 / #1532 / #1702 / #2078, all closed) were idempotency false positives — the lock was rewritten in the same scope even though content was unchanged. This case is different: the content genuinely differs by scope, so those fixes do not address it.#2187 (open) is also a
content_hashportability problem, but its cause is OS line-ending differences (CRLF/LF); this case is same-OS, scope-driven — a different axis. In the same spirit as #1959 (which normalized line endings out of the hash), the question is whether deploy-scope-dependent relative links should likewise be excluded from the hash.Minimal reproduction
SKILL.mdand acommands/foo.mdthat theSKILL.mdreferences via a relative path.apm install(project scope) in some project directory; record the skill'scontent_hash.apm.yml/apm.lock.yaml, runapm install --global; observe thatcontent_hashchanges.SKILL.mddiffers betweenapm_modules/…and.apm/apm_modules/….Questions
content_hash(which includes the deploy-scope-dependent rewritten relative links) intended to be install-scope-specific?content_hashbe scope-independent?Beta Was this translation helpful? Give feedback.
All reactions