bug: `apm marketplace check` resolves sourceBase entries against github.com (exit 128)

[leocamello]

Summary

After #1736 (closes #1519) added marketplace.sourceBase, apm pack resolves a relative package source against the declared base correctly — but apm marketplace check does not. For any entry whose effective host isn't the default (a sourceBase-composed relative source, or the pre-existing #1288 host.tld/owner/repo shorthand), check runs git ls-remote against github.com with no token and fails with exit 128, even though pack against the same apm.yml succeeds.

apm marketplace check is the CI gate the publishing guide recommends, so this blocks sourceBase authors — the feature's headline audience — from validating their marketplace in CI.

Environment

• Agent Package Manager (APM) CLI main (0.20.0 line). check.py is unchanged since the feat(marketplace): add sourceBase for package sources #1736 merge (6fa133fd) through the current tip, so this reproduces on latest main.

Reproduction

# apm.yml
name: sb
version: 0.0.1
marketplace:
  owner: { name: t }
  outputs: { claude: {} }
  sourceBase: https://gitlab.example.com/group/sub/team/project
  packages:
    - name: my-package
      source: my-package        # relative -> composes onto sourceBase
      version: "^0.1.0"

apm pack              # succeeds: marketplace.json has the composed gitlab URL + sha
apm marketplace check # fails:  [x] my-package -- "Git failed during ls-remote" (exit 1)

Deterministic confirmation of where check points (no network needed):

parsed entry         : host=None  source='my-package'   # sourceBase composes on the build path, not parse
check would ls-remote : https://github.com/my-package    # wrong host, no token -> exit 128

Root cause

src/apm_cli/commands/marketplace/check.py:

resolver = RefResolver(offline=offline)          # default host (github.com), no token
refs = resolver.list_remote_refs(entry.source)   # entry.source is the *relative* path; entry.host ignored

#1736 composes sourceBase at build time (MarketplaceBuilder._remote_source_coordinates), so the parsed PackageEntry keeps host=None and the relative source. check never goes through the builder, so it neither composes the base nor selects a per-host token — it just probes github.com. pack works only because composition + the per-host resolver live on the builder path that check doesn't share.

This was flagged on #1736 before merge but the routing fix didn't land with it.

Fix

PR #1763 makes check mirror the builder's routing: compose a host-less source onto sourceBase (via the shared split_source_base), honour per-entry host overrides, resolve the host's token through a shared marketplace/auth_helpers.resolve_token_for_host, and short-circuit local ./ packages. Adds three check regressions (composed → base host + token; host-prefixed override → github; local → zero ls-remote). Verified end-to-end against a real self-managed GitLab.

Related

• Authoring feature: marketplace.packages[].source: generalize beyond host/owner/repo (deeply-nested GitLab subgroups, arbitrary git hosts) #1519 / feat(marketplace): add sourceBase for package sources #1736.
• Distinct from the consumer-install host-stripping tracked in feat: ADO marketplace support (marketplace.yml with Azure DevOps repos) #1010 (that's apm install <pkg>@<marketplace>; this is apm marketplace check).

[github-actions]

Triage Panel Verdict -- Issue #1762

Report: bug: apm marketplace check resolves sourceBase entries against github.com (exit 128)
Author: @leocamello
Panel decision: ACCEPT -- confirmed bug, fix in progress (PR #1763)

---

Summary

apm marketplace check bypasses sourceBase routing entirely. It constructs a RefResolver against the default github.com host and passes entry.source (the raw relative path) directly -- ignoring both the composed URL and any per-host token. This makes the CI gate non-functional for all sourceBase users, which is exactly the headline audience of the feature shipped in #1519 / #1736.

Persona findings

DevX UX Expert: High severity. apm marketplace check is the CI gate the publishing guide recommends. The reporter demonstrates that apm pack succeeds while check fails against the same apm.yml -- a clear regression from a user perspective. External contributors who adopt sourceBase for non-GitHub hosts hit an immediate, hard wall in CI.

Supply Chain Security Expert: The broken CI gate creates a supply-chain integrity gap: operators who cannot run marketplace check may publish marketplace.json entries that were never validated against the actual upstream refs. No credential leakage (the bug is the opposite -- credentials are not forwarded where they should be), but the integrity gate is non-functional for non-default hosts. Moderate-to-high risk in enterprise CI pipelines.

APM CEO: The sourceBase feature was a deliberate portability expansion to support enterprise and self-managed GitLab authors. A CI validation tool that silently routes back to github.com undermines the entire value proposition for that audience. PR #1763 addresses the root cause (compose + per-host token resolution in check.py, mirroring the builder path). This should be fast-tracked.

Decision

Dimension	Value
Classification	Bug (regression post-#1736)
Severity	High
Area	Marketplace
Theme	Portability (multi-host support)
Status	In-flight (PR #1763)
Labels applied	type/bug area/marketplace priority/high theme/portability status/in-flight status/triaged
Milestone	Not assigned (defer to PR merge cycle)

Suggested next action

Review and merge PR #1763. The fix mirrors the builder's host-composition and per-host token resolution inside check.py. The issue body confirms three regression tests are included (composed source -> base host + token; host-prefixed override -> github; local source -> zero ls-remote).

---

Triage status: agentic proposal pending human ratification.
Silence is approval. Maintainers can:

• Override any label or milestone above by editing it directly --
  human edits are authoritative and will not be reverted on
  subsequent runs.
• Re-trigger triage by applying the status/needs-triage label, or
  by removing status/triaged to enroll the issue in the next
  daily sweep.

Posted by the Triage Panel workflow. See .apm/skills/apm-triage-panel for the panel skill.

Generated by Triage Panel · sonnet46 1.7M · ◷