feat: surface installed hook actions during apm install

[harshitlarl]

Summary

• show concise per-event hook action summaries during
• include the full rewritten hook JSON in verbose mode so developers can review deployed hook content
• add focused tests covering the new install-time transparency output

Testing

• . .venv/bin/activate && pytest tests/unit/test_install_hook_transparency.py tests/unit/integration/test_hook_integrator.py -n0

Closes #316

[harshitlarl]

@microsoft-github-policy-service agree

[Copilot]

Pull request overview

Adds install-time transparency for hook packages so developers can see what hook actions will run and (in verbose mode) inspect the deployed hook JSON content, addressing supply-chain visibility concerns from #316.

Changes:

• Emit per-event hook action summaries during apm install for integrated hooks.
• In --verbose mode, print the fully rewritten hook JSON that will be deployed/merged.
• Add focused unit tests covering the new hook transparency output.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
src/apm_cli/integration/hook_integrator.py	Adds hook action flattening/summarization and returns CLI display payloads alongside integration results.
src/apm_cli/commands/install.py	Logs hook action summaries and verbose hook JSON content during install.
tests/unit/test_install_hook_transparency.py	New unit tests validating the new install-time hook transparency output (normal + verbose).

[Copilot]

rendered_json is precomputed for every integrated hook via json.dumps(...), even when apm install is not in --verbose mode. This adds avoidable work/memory on the hot install path. Consider deferring JSON rendering until verbose logging is actually requested (e.g., store the rewritten dict, or store a callable/None and render in the logger code only when needed).

[Copilot]

The verbose display payload uses json.dumps(..., sort_keys=True), but the deployed JSON files are written with json.dump(..., indent=2) (no sort_keys). This means --verbose will show a key order that can differ from what was actually deployed, which undermines the goal of letting developers review the exact hook content. Align the verbose rendering with the on-disk serialization (or reuse the same serialization helper for both).

Suggested change

	"rendered_json": json.dumps(rewritten, indent=2, sort_keys=True),
	"rendered_json": json.dumps(rewritten, indent=2),

[Copilot]

For VSCode/GitHub hooks, the display payload sets output_path to target_filename only. This makes the verbose line render as hooks.json -> <filename> without the .github/hooks/ prefix, unlike the Claude/Cursor cases that include the full target path. Consider storing the full relative destination path (e.g. .github/hooks/<filename>) or using target_label when formatting the destination so the output is unambiguous.

Suggested change

	target_filename,
	rel_path,

[Copilot]

The new verbose hook transparency (Hook JSON ... + full rewritten JSON) changes what --verbose emits during apm install, but the CLI docs currently describe verbose mode only in terms of file paths + diagnostic details. Please update the Starlight docs (e.g. docs/src/content/docs/reference/cli-commands.md under apm install) to mention that verbose mode also prints the full rewritten hook JSON so users can review deployed hook content.

[sergio-sisternes-epam]

Great work on this, @harshitlarl! Hook transparency is a P0 security feature (#316) and we want to get this merged. A few things to address:

Rebase required

main has moved significantly since this PR was opened. The install pipeline was refactored and this PR now has merge conflicts. Key changes you'll need to adapt to:

1. HookIntegrationResult is now a subclass of IntegrationResult (in base_integrator.py), not a standalone @dataclass. Your display_payloads field needs to be wired through the new class hierarchy.
2. _integrate_package_primitives() moved to src/apm_cli/install/services.py and uses a generic target-dispatch loop — the three separate per-target hook blocks no longer exist. Your _log_hook_details() call needs to hook into the single dispatch loop (around line 124-136 in services.py).
3. Tests will need updated imports and the new function signature.

Code feedback

4. Defer rendered_json to verbose-only path. Currently json.dumps(rewritten, indent=2, sort_keys=True) runs for every hook even in non-verbose mode. Store the rewritten dict and serialise lazily only when logger.verbose is true — avoids unnecessary work on the hot install path.
5. Drop sort_keys=True — the deployed JSON doesn't sort keys, so --verbose would show a different key order than what's on disk, which undermines the transparency goal.
6. Missing CHANGELOG entry — please add one under [Unreleased] > Added.
7. Missing docs update — --verbose now shows hook JSON content; the Starlight docs page for apm install should mention this.

We can help

We know the rebase is non-trivial given the architecture changes. If you'd like, we're happy to push the rebase to your branch directly (maintainer edits are enabled). Just let us know — otherwise, take your time and reach out if you hit any blockers.