Documentation

Concepts & Guides

Deep dives into APX concepts, decision-making, and troubleshooting

Why APX Blocks

Understand when APX stops search, blocks PRs, and how to resolve infra/external constraints

Understanding Margins & Confidence

How APX calculates confidence margins for constraint satisfaction

Policy Pack Structure

Anatomy of a PackSpec and how to author custom constraint policies

Why APX Blocks

APX blocks PRs and halts constraint search when it encounters conditions that prevent safe semantic verification. This document explains the blocking mechanism, how to detect it, and how to resolve it.

Decision Flow

START

APX runs constraint check

Evaluate all constraints in policy pack

BRANCH

Does constraint fail?

NO → Continue to next constraint

YES → Check constraint metadata

Is solvability = infra OR external?

YES: Mark as blocked_by_infra=true

→ Halt search, set DECISION = BLOCK

→ Add to blockers list

NO (solvability = code):

→ Evaluate policy (PASS/WARN/BLOCK based on constraint kind)

→ Search continues

When APX Blocks

APX blocks in three scenarios:

1. Infra/External Blockers

Constraints marked with solvability: infra or solvability: external that fail evaluation.

These represent missing infrastructure dependencies (HSM/KMS, DEA gateway, etc.) that cannot be satisfied through code changes.

2. Hard Constraint Failures

Constraints marked kind: hard that fail when policy mandates BLOCK on hard failures.

Hard constraints are non-negotiable requirements (e.g., encryption-at-rest, access control). Policy determines if failures block merges.

3. Low Confidence (Policy-Dependent)

When constraint margins fall below policy thresholds and the policy is configured to block on low confidence.

Optional: Some policies treat low-confidence passing results as untrustworthy and block as a precaution.

How Blockers Are Detected

Constraint Metadata Structure

{
  "constraint_id": "DEA-1311.170",
  "kind": "hard",
  "solvability": "external",
  "description": "DEA e-prescribing gateway required for controlled substance Rx",
  "evaluation": {
    "satisfied": false,
    "confidence": 1.0,
    "margin": 0.0
  }
}
Step 1

APX evaluates constraint and finds satisfied: false

Step 2

Checks metadata: solvability ∈ {infra, external}

Step 3

Sets blocked_by_infra: true in evaluation result

Step 4

Halts search, adds constraint ID to blockers[], returns BLOCK decision

What You See

Console Output

$ apx check --json --policy strict-hipaa

🔍 APX Check (policy: strict-hipaa)
   ├─ Evaluating 47 constraints...
   ├─ ✓ 42 passed
   ├─ ⚠ 2 soft failures
   ├─ ✗ 1 hard failure
   └─ 🚫 2 infra/external blockers

❌ BLOCK: infra/external blockers → [KMS-AES256-1, HSM-FIPS-2]

Cannot satisfy policy safely; fix blockers and rerun.
See check.core.json for details.

PR Comment

APX Check Result: BLOCK

APX Check Result: BLOCK (policy: strict-hipaa)

  • - Hard failures: none
  • - Soft failures: none
  • - Blockers (infra/external): KMS-AES256-1, HSM-FIPS-2

⚠️ APX blocked: infra/external blockers [KMS-AES256-1, HSM-FIPS-2] — cannot satisfy policy safely; fix blockers and rerun.

JSON Output

{
  "decision": "BLOCK",
  "blocked_by_infra": true,
  "blockers": ["KMS-AES256-1", "HSM-FIPS-2"],
  "hard_failures": [],
  "soft_failures": [],
  "artifacts": {
    "core": "check.core.json",
    "receipt": "check.receipt.json",
    "health": "check.health.json"
  }
}

Common Blocker Examples

DEA E-Prescribing Gateway

DEA-1311.170

DEA-certified gateway required for controlled substance prescriptions (Schedule II-V)

Fix: Configure DEA gateway connection; obtain certification

KMS/HSM Missing

KMS-AES256-1, HSM-FIPS-2

Hardware security module or key management service required for encryption-at-rest

Fix: Provision AWS KMS, Azure Key Vault, or FIPS 140-2 HSM

PDB/HPA Baseline Missing

K8S-PDB-1, K8S-HPA-1

PodDisruptionBudget and HorizontalPodAutoscaler required for critical workloads

Fix: Deploy PDB and HPA manifests; configure autoscaling

Audit Log Storage

AUDIT-STORE-1

Immutable audit log storage (e.g., AWS CloudTrail, Azure Monitor) not configured

Fix: Enable CloudTrail/Monitor; configure S3 bucket with immutability

How to Fix and Rerun

  1. 1.

    Identify blockers

    Check console output, PR comment, or check.core.json for the blockers[] array

    $ jq '.blockers' check.core.json
["KMS-AES256-1", "HSM-FIPS-2"]
  2. 2.

    Resolve infrastructure dependencies

    For each blocker, provision the required infrastructure or enable the external service

    • Enable AWS KMS or Azure Key Vault
    • Configure DEA gateway credentials
    • Deploy PodDisruptionBudget/HorizontalPodAutoscaler
  3. 3.

    Rerun APX check

    Once infrastructure is in place, run the check again. Blockers should clear.

    $ apx check --json --policy strict-hipaa

✅ PASS: All constraints satisfied (policy: strict-hipaa)

Important Notes

  • Blockers cannot be resolved through code changes alone—they require infrastructure/external service configuration
  • APX will not search for alternative solutions when blockers are present (search is halted)
  • If you believe a constraint is incorrectly marked as infra/external, review the constraint definition or contact your APX administrator

If It's Not a Blocker

Not all failures are blockers. If a constraint fails but is not marked as infra or external, APX will:

1

Continue search: APX will keep looking for solutions; search is NOT halted

2

Apply policy decision: WARN or BLOCK based on constraint kind (hard/soft) and policy rules

3

Provide locations: Check check.core.json for exact file locations, line numbers, and margins

4

Generate audit trail: See check.receipt.json for complete evaluation history

These failures are code-solvable and can be fixed through code changes, configuration updates, or annotations. Use Studio Lite to explore violations and identify fix locations.

Related Resources

Visualize blockers in Studio LitePR Comment TemplateAPX CLI ReferenceMathematical Foundations