fix: use yaml.safe_dump for virtual package apm.yml generation

[edenfunf]

Problem

When a virtual file or collection dependency (e.g. a single .agent.md) has a : in its description field, apm install fails with:

Invalid YAML format in .../apm.yml: mapping values are not allowed here
  in "...apm.yml", line 3, column 72

Root cause: download_virtual_file_package and download_collection_package in github_downloader.py generated apm.yml by string interpolation (f"""name: {name}\ndescription: {description}\n"""). Any : in a value produces syntactically invalid YAML.

Concrete example from the issue — swe-subagent frontmatter:

description: 'Senior software engineer subagent for implementation tasks: feature development, debugging, refactoring, and testing.'

After stripping the surrounding quotes and dropping into the f-string, the : after "tasks" is parsed as a YAML mapping separator, causing the error.

Fix

Replace both f-string blocks with yaml_to_str() (backed by yaml.safe_dump), which correctly quotes strings that contain :, #, [, or other YAML special characters.

# Before
apm_yml_content = f"""name: {package_name}
version: 1.0.0
description: {description}
author: {dep_ref.repo_url.split('/')[0]}
"""

# After
apm_yml_data = {
    "name": package_name,
    "version": "1.0.0",
    "description": description,
    "author": dep_ref.repo_url.split('/')[0],
}
apm_yml_content = yaml_to_str(apm_yml_data)

yaml_to_str already exists in apm_cli/utils/yaml_io.py and is the established helper for this purpose throughout the codebase.

Tests

Three new unit tests in TestVirtualFilePackageYamlGeneration:

Test	What it checks
test_yaml_with_colon_in_description	Reproduces the exact swe-subagent failure from #703
test_yaml_with_colon_in_name	Colon in the package name field
test_yaml_without_special_characters_still_valid	Ordinary descriptions still work (regression guard)

Checklist

• Bug reproduced locally before fix
• Fix verified: yaml.safe_load on generated apm.yml succeeds after change
• Both affected code paths fixed (download_virtual_file_package and download_collection_package)
• New tests added and passing
• Existing test suite passes (79 pass, 1 pre-existing unrelated failure)

Closes #703

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR fixes invalid apm.yml generation for virtual file and collection packages when YAML-special characters (notably :) appear in unquoted metadata fields, by switching from f-string interpolation to yaml_to_str() (yaml.safe_dump).

Changes:

• Replace hand-built apm.yml strings with yaml_to_str() in download_virtual_file_package and download_collection_package.
• Preserve collection tags by adding them to the YAML data structure rather than string concatenation.
• Add unit tests to ensure generated apm.yml remains parseable when : appears in description or name.

Show a summary per file

File	Description
src/apm_cli/deps/github_downloader.py	Switches virtual package apm.yml generation to yaml_to_str() for correct quoting/escaping of special characters.
tests/test_github_downloader.py	Adds regression tests that reproduce the colon-in-metadata YAML failure and validate generated YAML via yaml.safe_load.

Copilot's findings

• Files reviewed: 2/2 changed files
• Comments generated: 3

[sergio-sisternes-epam]

Clean fix replacing f-string YAML generation with yaml_to_str() (backed by yaml.safe_dump). Both affected code paths fixed — virtual file and collection packages.

6 thorough tests covering colons in descriptions, names, and tags, plus regression guard for normal values. All Copilot findings addressed in follow-up commits.

Good use of the existing yaml_to_str helper — follows codebase conventions.