feat(deps): add 'apm deps why <pkg>' to explain transitive dependencies

[danielmeppiel]

TL;DR

Adds apm deps why <pkg> -- the bottom-up companion to apm deps tree.
When something unexpected lands in apm_modules/, this command walks
the lockfile back to one or more direct dependencies that pulled it in,
fully offline, and explains the chain. Inspired by npm why,
yarn why, and cargo tree -i. Closes #1490.

Note

Soft dependency on #1488. Constraint annotations
([constraint: ^1.2.0, declared in apm.yml]) only appear once the
constraint field lands on LockedDependency. Until then they
collapse to [declared in apm.yml]. The walker uses getattr and a
dedicated regression test pins the graceful-degrade path -- no code
change is needed when #1488 merges.

Problem (WHY)

apm deps tree shows the dependency graph top-down. After running
apm install, apm_modules/ may contain transitive packages the
consumer did not declare directly. When something breaks -- an
unexpected MCP server, a skill that surprises the author, a version
that triggers a policy block -- the only way to find out who pulled
it in today is to read apm.lock.yaml by hand and trace resolved_by
chains.

apm deps why <pkg> is the inverted view. It answers "how did this
get here?" without leaving the terminal and without hitting the
network.

Approach (WHAT)

Two-module split mirroring the existing _build_dep_tree /
tree pattern in commands/deps/cli.py:

Module	Responsibility
src/apm_cli/deps/why_walker.py	Pure data-structure walker over an in-memory LockFile. No Click, no I/O. Inverts resolved_by edges and collects every root-to-target chain.
src/apm_cli/commands/deps/why.py	Click command. Loads the lockfile (project or --global user scope), runs the walker, renders human or JSON output, owns exit codes.

The Click command is registered into the existing deps group with one
line in commands/deps/cli.py -- no restructuring of any existing
module.

Implementation (HOW)

Walker (why_walker.py)

flowchart LR
    Q[query string] --> R[resolve_package_query]
    R -->|exact key| T[target LockedDependency]
    R -->|owner/repo| T
    R -->|basename| T
    R -.->|ambiguous| AE[AmbiguousPackageError]
    R -.->|none| PE[PackageNotInstalledError]
    T --> W[compute_why]
    W -->|direct| Direct[WhyResult is_direct=True]
    W -->|transitive| Walk[iterative parent walk]
    Walk --> WR[WhyResult is_direct=False<br/>paths: tuple of WhyPath]

Loading

Key invariants:

• Cycle safety: per-traversal visited frozen set; each repo_url
  appears at most once per chain. Defensive depth cap of
  max(64, len(deps)+1).
• Deterministic ordering: paths are sorted by their stringified
  chain so JSON snapshots and human output are stable.
• Backward compat: _dep_constraint is getattr(dep, "constraint", None). Soft-couples to feat(deps): resolve semver constraints on git-source dependencies against repo tags #1488.

Result types are frozen dataclasses (WhyEdge, WhyPath, WhyResult)
to keep snapshots deterministic and prevent accidental mutation.

Command (commands/deps/why.py)

flowchart TD
    CLI[apm deps why PKG] --> Scope{--global?}
    Scope -->|no| Proj[get_apm_dir PROJECT]
    Scope -->|yes| User[get_apm_dir USER]
    Proj & User --> LF[load lockfile]
    LF -->|missing| E2[exit 2 + error]
    LF -->|ok| RES[resolve_package_query]
    RES -->|ambiguous| E1A[exit 1 + matches list]
    RES -->|not found| E1B[exit 1 + hint]
    RES -->|hit| CW[compute_why]
    CW --> Render{--json?}
    Render -->|no| Human[plain ASCII indented tree]
    Render -->|yes| JSON[stable JSON schema]

Loading

Rendering choices (per design pack convergence note):

• No rich.tree. A list of N short chains is not a single
  hierarchy; rich.tree would visually imply one that does not exist.
  Plain indented text with ASCII +-- markers is more scannable and
  keeps snapshot tests deterministic.
• STATUS_SYMBOLS convention. Header uses [i] (matches
  _rich_info). Constraint and declaration metadata wrapped in
  [brackets] -- pure ASCII, Windows-cp1252-safe.

Wiring

# src/apm_cli/commands/deps/cli.py
from .why import why as _why_cmd
deps.add_command(_why_cmd)

# src/apm_cli/commands/deps/__init__.py
from .why import why
__all__ = [..., "why"]

Trade-offs

Decision	Alternative	Why this one
Plain ASCII tree	rich.tree	Output isn't a single tree; rich would mislead. Plain text snapshot tests are deterministic across terminals.
getattr for constraint	Hard-import + bump on #1488	Decouples themes -- this PR works on main today and gains the annotation automatically once #1488 merges. No follow-up commit required.
Walker keys parents by repo_url	Track full diamond fan-in	LockedDependency records one parent (resolved_by); a true multi-parent diamond would need lockfile-schema changes. Out of scope for #1490.
Exit code split (1 vs 2)	Single 1 for all errors	Lets CI distinguish "you forgot to run install" (2) from "wrong package name" (1).

Validation evidence

Gate	Result
ruff check src/ tests/	clean
ruff format --check src/ tests/	clean
pylint -e R0801 --min-similarity-lines=10 --fail-on=R0801	10.00/10
bash scripts/lint-auth-signals.sh	clean
File-length cap (2450)	cli.py at 931, why.py at 226, why_walker.py at 274
New unit tests	22 passing (13 walker + 9 command)
New integration tests	4 passing
Regression on existing deps-area tests	242 / 242 passing
No-network trap	subprocess.run and urlopen mocked, asserted untouched in both human and JSON paths

How to test

# In a project with a lockfile:
apm deps why <some-transitive-pkg>           # human output
apm deps why <some-transitive-pkg> --json    # JSON for scripts
apm deps why <some-pkg> --global             # user-scope lockfile

# Negative paths:
apm deps why unknown-pkg                     # exit 1, suggests `apm deps list`
apm deps why <ambiguous-basename>            # exit 1, lists matches
cd /tmp/empty && apm deps why anything       # exit 2, suggests `apm install`

# Run the new tests:
uv run --extra dev pytest \
    tests/unit/deps/test_why_walker.py \
    tests/unit/commands/deps/test_why_command.py \
    tests/integration/test_deps_why_e2e.py -v

[Copilot]

Pull request overview

Adds a new apm deps why <pkg> command to explain (offline) why a dependency is present by walking parent links (resolved_by) in apm.lock.yaml, complementing the existing top-down apm deps tree.

Changes:

• Introduces a pure lockfile walker (deps/why_walker.py) to resolve a package query and compute the parent chain(s).
• Adds a Click command (commands/deps/why.py) with human and JSON output modes plus --global support, and wires it into apm deps.
• Adds unit/integration tests and updates user docs + the apm-usage command reference.

Show a summary per file

File	Description
src/apm_cli/deps/why_walker.py	Implements query resolution and upward parent-chain computation over LockFile.
src/apm_cli/commands/deps/why.py	Adds the apm deps why CLI surface, formatting, exit codes, and lockfile loading.
src/apm_cli/commands/deps/cli.py	Registers the new why subcommand under the existing deps group.
src/apm_cli/commands/deps/__init__.py	Exports the new why command.
tests/unit/deps/test_why_walker.py	Unit tests for query resolution and chain computation behavior.
tests/unit/commands/deps/test_why_command.py	CLI-level tests for output formats, exit codes, --global, and offline behavior.
tests/integration/test_deps_why_e2e.py	End-to-end CLI test using a real on-disk lockfile (no network).
packages/apm-guide/.apm/skills/apm-usage/commands.md	Adds the new command to the apm-usage command matrix.
docs/src/content/docs/consumer/manage-dependencies.md	Documents apm deps why usage, output shape, and exit codes.

Copilot's findings

• Files reviewed: 9/10 changed files
• Comments generated: 6

[danielmeppiel]

APM Review Panel: ship-after-fold-in

Eight-persona advisory pass on PR #1495. Strong consensus: feature is well-shaped, well-tested, lockfile-only (no network), and ready to land once a convergent --json stream-discipline regression is fixed. That fix has been pushed as a39b095.

cc @danielmeppiel @sergio-sisternes-epam -- a fresh advisory pass is ready for your review.

Three personas (cli-logging-expert, devx-ux-expert, supply-chain-security-expert) converged on the same defect: under --json, both human logger output (logger.error, logger.info) and the JSON error envelopes were emitted to stdout, breaking apm deps why <pkg> --json | jq as soon as anything went wrong. Fixed in a39b095 by mirroring the apm pack --json pattern: set_console_stderr(True) early when as_json is truthy, plus err=True on every JSON error envelope. Pinned by a new regression-trap test asserting an empty stdout under --json when no lockfile exists. Docs (CLI reference page + manage-dependencies switcher callout + CHANGELOG entry) and python-architect's docstring/test-name tightening also folded into the same commit. Outstanding items are nits or future-multi-parent defenses worth a separate issue.

Aligned with: ship the simple thing first; lockfile is the source of truth; offline-by-default; cross-tool mental model (npm/yarn/cargo analogue).

Growth signal. apm deps why closes a real "why is this on disk?" gap that every package-manager refugee will ask about within their first hour. The switcher callout ("Coming from npm/yarn/cargo?") in the consumer guide makes the analogue explicit and lowers the conceptual bridge.

Panel summary

Persona	B	R	N	Takeaway
Python architect	0	1	3	Walker is clean; docstring overpromised "all paths" -- tightened in fold-in.
CLI logging UX	0	1	3	--json stream discipline missing -- fixed in fold-in.
DevX UX	0	2	3	CLI reference page missing the command -- added in fold-in.
Supply-chain security	0	0	2	No-network guarantee solid; added defensive max_paths cap.
OSS growth	0	0	5	CHANGELOG + switcher hook + analogue note -- all folded in.
Auth	--	--	--	Inactive: no auth surfaces touched.
Doc writer	0	2	2	Cross-links + inline identifier styles + indentation fix -- folded in.
Test coverage	0	0	1	Critical paths covered; added --json no-lockfile regression trap.

B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.

Top 5 follow-ups

1. [cli-logging-expert] Route logger output and JSON error envelopes to stderr under --json -- otherwise apm deps why pkg --json | jq breaks on every error path. (DONE in a39b095.)
2. [devx-ux-expert] Add apm deps why to docs/src/content/docs/reference/cli/deps.md -- the canonical CLI reference must list every subcommand. (DONE in a39b095.)
3. [oss-growth-hacker] Add a CHANGELOG [Unreleased] / Added entry and a "Coming from npm/yarn/cargo?" switcher callout in the consumer guide -- this is the conversion surface for refugees. (DONE in a39b095.)
4. [python-architect] Tighten compute_why docstring (single resolved_by chain today, not "all paths") and rename the misleading diamond test. (DONE in a39b095.)
5. [supply-chain-security-expert] Open a follow-up to surface a top-level apm why alias and consider exposing max_paths as a flag once feat(deps): resolve semver constraints on git-source dependencies against repo tags #1488 lands multi-parent fan-in -- defer-to-issue, not in scope here.

Architecture

classDiagram
    class LockedDependency {
        +str repo_url
        +str version
        +int depth
        +str resolved_by
    }
    class WhyEdge {
        +str parent_key
        +str child_key
        +str constraint
    }
    class WhyPath {
        +tuple chain
    }
    class WhyResult {
        +LockedDependency target
        +bool is_direct
        +tuple paths
    }
    LockedDependency <.. WhyResult : borrowed ref
    WhyEdge --o WhyPath : composes
    WhyPath --o WhyResult : aggregates

Loading

flowchart LR
    CLI["apm deps why pkg"] --> Cmd["commands/deps/why.py"]
    Cmd -->|load| Lock["LockFile.read()"]
    Cmd -->|resolve| Resolve["resolve_package_query()"]
    Cmd -->|walk| Walk["compute_why()"]
    Walk -->|WhyResult| Render{as_json?}
    Render -->|no| Human["_render_human (stdout)"]
    Render -->|yes| JSON["_render_json (stdout)"]
    Cmd -.->|logs/errors| Stderr["set_console_stderr(True) under --json"]

Loading

Recommendation

Ship. The fold-in commit a39b095 addresses every convergent and recommended finding from round 1; remaining items are documented nits or future-multi-parent defensive work that should land as separate follow-up issues once #1488 evolves the resolver. The feature itself is small (~500 LOC), pure, offline-by-default, and exhaustively tested (27 dedicated tests + 10,030 regression tests green). The cross-tool mental-model framing (npm why / yarn why analogue) makes this a natural conversion surface for package-manager refugees -- the docs now state that analogue explicitly.

---

Full per-persona findings

Python architect

• [recommended] compute_why docstring overpromises "all paths" when the walker today produces a single resolved_by chain. Reword to make the single-parent reality explicit; note the iterative worklist generalises to N paths once feat(deps): resolve semver constraints on git-source dependencies against repo tags #1488 evolves multi-parent fan-in. Suggested: tighten the docstring. DONE.
• [nit] WhyResult.target is a borrowed reference to a mutable LockedDependency; document with a NOTE so callers do not assume frozen semantics extend transitively. DONE.
• [nit] Test test_compute_why_diamond_dependency_lists_both_routes name misleads -- it actually asserts len(paths) == 1. Rename to match the assertion. DONE.
• [nit] Eager top-level import of why.py adds to cold start (consistent with existing deps pattern; informational only). Defer.

CLI logging UX

• [blocking] Under --json, logger.error() / logger.progress() and the JSON error envelopes were both written to stdout, corrupting any | jq pipeline. Adopt the apm pack --json pattern: set_console_stderr(True) early when as_json is truthy, and route all JSON error envelopes through click.echo(..., err=True). DONE.
• [nit] logger.progress("Hint: ...") should be logger.info (progress may be suppressed in future quiet mode). DONE.
• [nit] Raw [i] literal at line ~86 bypasses STATUS_SYMBOLS. Defer (cosmetic, isolated string).
• [nit] CommandLogger lacks a verbose= kwarg here -- not blocking but worth a follow-up to align with the rest of the CLI. Defer-to-issue.

DevX UX

• [recommended] docs/src/content/docs/reference/cli/deps.md did not list apm deps why -- canonical CLI reference must enumerate every subcommand. DONE.
• [recommended] JSON error output written to stdout breaks | jq discipline (same defect as cli-logging finding). DONE.
• [nit] Bash examples lack $ prompt prefix. DONE.
• [nit] [i] symbol not explained in help text. Defer.
• [nit] Consider a top-level apm why alias for ergonomic parity with npm/yarn/cargo. Defer-to-issue.

Supply-chain security

• [nit] _render_json exposes the full 40-char resolved_commit while the human renderer truncates to 7 chars; consider consistency. Defer (JSON consumers want the full SHA).
• [nit] Worklist size is unbounded in the future multi-parent case; add a defensive max_paths cap. DONE (max_paths=256).

Confirmed: no-network guarantee is solid (regression-trap test asserts subprocess.run and urllib.request.urlopen are never called); no path traversal; no sensitive field leakage; malformed-lockfile-tolerant.

OSS growth

• [nit] CHANGELOG.md [Unreleased] was missing an entry for apm deps why. DONE.
• [nit] CLI reference page omitted the command. DONE.
• [nit] Missing "Coming from npm/yarn/cargo?" switcher callout in manage-dependencies.md. DONE.
• [nit] deps tree example should cross-link to apm deps why. Defer-to-issue.
• [nit] commands.md row could append "analogue of npm why / yarn why". DONE.

Auth -- inactive

No auth surfaces touched (no token resolution, no HostInfo, no AuthResolver calls). Correctly inactive.

Doc writer

• [recommended] No cross-links from the new section to "The lockfile" / apm deps tree / apm deps info. DONE.
• [recommended] "Same identifier styles as apm deps info" couples doc accuracy to a sibling resolver. State styles inline. DONE.
• [nit] Sample output uses 5-space indentation but the renderer emits 4. DONE.
• [nit] Examples missing short -g flag. DONE (one example uses -g).

Test coverage

• [nit] No --json variant of the no-lockfile test (just exit-code asserted, not the JSON envelope structure). DONE (test_why_no_lockfile_json_emits_error_envelope_on_stderr).

All 27 dedicated tests pass (1.05s). Critical surfaces (exit codes, --json schema, --global, no-network guarantee, lockfile load failure) all have integration-with-fixtures regression traps. Ship.

_{This panel is advisory. It does not block merge. Re-apply the panel-review label after addressing feedback to re-run.}

[danielmeppiel]

Follow-ups from the apm-review-panel pass have landed. Summary:

• cli-logging/devx-ux [blocking]: --json stream discipline -- set_console_stderr(True) early when as_json and err=True on JSON error envelopes -- resolved in a39b095.
• devx-ux [recommended]: apm deps why added to docs/src/content/docs/reference/cli/deps.md -- resolved in a39b095.
• oss-growth [recommended]: CHANGELOG [Unreleased] / Added entry + "Coming from npm/yarn/cargo?" switcher callout in manage-dependencies.md -- resolved in a39b095.
• python-architect [recommended]: compute_why docstring tightened (single resolved_by chain today); diamond test renamed to match the len(paths) == 1 assertion; WhyResult.target borrowed-ref NOTE added -- resolved in a39b095.
• supply-chain-security [nit]: defensive max_paths=256 cap added on the worklist -- resolved in a39b095.
• doc-writer [recommended]: cross-links to "The lockfile" / apm deps tree / apm deps info; identifier styles stated inline; sample-output indentation fix; -g example -- resolved in a39b095.
• test-coverage [nit]: --json no-lockfile regression-trap test (test_why_no_lockfile_json_emits_error_envelope_on_stderr) added -- pins the stream-discipline fix above; resolved in a39b095.

Lint contract: uv run --extra dev ruff check src/ tests/ and uv run --extra dev ruff format --check src/ tests/ both silent. Pylint R0801 duplication check 10.00/10. scripts/lint-auth-signals.sh clean. Targeted pytest -k "why or compute_why" over tests/unit/commands/deps tests/integration: 14 passed.

CI: gh pr checks 1495 -- 13 pass / 1 skip (deploy), 0 fail. Lint, Build & Test Shard 1/2 (Linux), Coverage Combine, CodeQL, PR Binary Smoke, APM Self-Check, NOTICE Drift Check, gate -- all green.

Ready for maintainer review.

[danielmeppiel]

Copilot review addendum

Addressed all six Copilot review threads (4 unresolved + 2 outdated) in commit 7e46abc4.

Substance:

• _render_human() no longer double-newlines (click.echo adds one)
• _render_human() / _render_json() now derive root / is_direct from edge.parent_key is None rather than chain position, so truncated chains (missing parent, cycle, depth cap) no longer mis-label non-root edges as direct dependencies
• Test test_compute_why_transitive_dep_with_multiple_paths renamed to test_compute_why_target_with_duplicate_repo_url_walks_recorded_parent (name now matches the single-parent-walk assertion)
• Docs (manage-dependencies.md) reworded: the lockfile records a single resolved parent per package, so one root-to-target chain is printed

Regression-trap tests (each verified via mutation-break gate):

• test_why_human_output_has_no_trailing_blank_line
• test_why_corrupt_chain_human_output_omits_declared_annotation
• test_why_json_corrupt_chain_marks_no_edge_as_direct

Validation: pytest -k 'why or compute_why' -> 30 passed. Lint chain (ruff check, ruff format --check, pylint R0801, lint-auth-signals.sh) clean. CI green on 7e46abc4.

All six threads resolved. Ready to merge.

[danielmeppiel]

Test-coverage addendum: e2e fold-in for apm deps why

Added one integration-tier test per user-visible promise so silent drift in the load -> walker -> renderer chain fails loudly before reaching a user. All run end-to-end via CliRunner against a real on-disk apm.lock.yaml.

Promise	Test	Defends
A	test_promise_a_..._human_chain_from_root_to_target	human chain renders root-to-target in order
B	test_promise_b_..._exit_0_..._nonzero_when_pkg_missing	exit 0 on success; exit 1 with clear named error when pkg missing
C	test_promise_c_..._json_to_stdout_..._errors_to_stderr	--json keeps stdout jq-safe; error envelope on stderr
D	test_promise_d_..._constraint_..._degrades_gracefully (parametrized with_constraint=[True, False])	constraint annotation surfaces post-#1488; degrades cleanly today
E	test_promise_e_..._single_collapsed_chain	shared transitive collapses to one chain per docs contract
F	test_promise_f_..._reflects_declared_root_not_position	is_direct derived from edge.parent_key is None, not idx == 0 (Copilot regression-trap lifted to e2e)
G	test_promise_g_..._project_root_cwd	lockfile resolves at cwd; sibling dir exits 2 (no upward walk)
H	test_promise_h_..._documents_actual_flags_and_argument	help text advertises the flag names actually wired to click

Tests added: 9 (one parametrized -> 10 cases).
File: tests/integration/test_deps_why_promises_e2e.py (no new production code, no new fixtures dir; uses tmp_path + the existing LockFile helpers).
Mutation-break gate: every test was verified to FAIL under a targeted production mutation (exit-code flip, dropped set_console_stderr, removed constraint render, position-based is_direct, renamed flag, etc.) and PASS once reverted.
Lint: ruff check + ruff format --check + pylint R0801 + scripts/lint-auth-signals.sh all clean.
CI: all checks green on commit 39a3392f.