The Three Promises
APM ships three promises. They are deliberately small and load-bearing. Every command, every flag, every lockfile field exists to back one of these three.
Promise 1: Portable by manifest
One apm.yml. Seven harnesses. Reproducible AI agent setup.
Every developer who clones the repo runs apm install and gets the
same skills, prompts, instructions, hooks, and MCP servers wired into
Copilot, Claude, Cursor, OpenCode, Codex, Gemini, and Windsurf. The
lockfile pins exact versions and content hashes. New contributor
onboarding for AI context goes from “follow this 12-step README” to
one command.
The 10-second demo:
git clone <repo> && cd <repo> && apm install
Proof in the source
- src/apm_cli/models/apm_package.py — the apm.yml schema: one manifest, one set of dependencies, one set of agentsmd/chatmodes/instructions/prompts/mcp blocks consumed by every harness.
- src/apm_cli/integration/targets.py — the registered harnesses an install fans out to (Copilot, Claude, Cursor, Codex, Gemini, OpenCode, Windsurf, plus VS Code and the llm CLI as delivery surfaces).
- src/apm_cli/deps/lockfile.py — the LockEntry.content_hash field (SHA-256 of the package file tree) that makes “same install on every clone” mean byte-for-byte the same.
Read more
- Lifecycle of an install: Lifecycle
- Lockfile fields and semantics: CLI commands
Promise 2: Secure by default
Every apm install scans for hidden Unicode before agents read it.
Agent context is executable — a prompt is a program for an LLM. APM
treats it that way. Each install scans for invisible Unicode that can
hijack agent behavior, pins content hashes in the lockfile, and gates
transitive MCP servers behind explicit trust prompts. apm audit
rebuilds context in scratch and diffs against your working tree to
catch hand-edits before they ship.
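A minimal scanner for the four character classes this promise names, as an added example that is not APM's ContentScanner. The range table, the function names and the sample text are constructed for illustration, and the project's own ranges may differ.

```python
# Added example, not APM's code. Ranges cover the classes named on this page.
SUSPICIOUS_RANGES = [
    (0xE0000, 0xE007F, "unicode-tag"),       # Tags block, an invisible mirror of ASCII
    (0x202A, 0x202E, "bidi"),                # LRE, RLE, PDF, LRO, RLO
    (0x2066, 0x2069, "bidi"),                # LRI, RLI, FSI, PDI
    (0x200E, 0x200F, "bidi"),                # LRM, RLM
    (0x200B, 0x200D, "zero-width"),          # ZWSP, ZWNJ, ZWJ
    (0x2060, 0x2060, "zero-width"),          # word joiner
    (0xFEFF, 0xFEFF, "zero-width"),          # BOM / zero-width no-break space
    (0x2061, 0x2064, "invisible-operator"),  # function application .. invisible plus
]

def classify(ch):
    cp = ord(ch)
    for lo, hi, kind in SUSPICIOUS_RANGES:
        if lo <= cp <= hi:
            return kind
    return None

def find_hidden(text):
    """Return findings as (line, column, 'U+XXXX', kind), both 1-based."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            kind = classify(ch)
            # A BOM as the first character of a file is a benign encoding marker.
            if kind and not (ch == "\ufeff" and lineno == 1 and col == 1):
                findings.append((lineno, col, f"U+{ord(ch):04X}", kind))
    return findings

def decode_tag_payload(text):
    """Map Tags-block characters back to ASCII so a reviewer can read them."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)

def strip_hidden(text):
    """Remediation: drop every flagged character, keep everything else."""
    return "".join(c for c in text if classify(c) is None)

# Constructed sample: a prompt with a tag-encoded word, a zero-width space
# and a bidi override pair. It renders as two ordinary-looking lines.
SAMPLE = (
    "Summarize the README." + "".join(chr(0xE0000 + ord(c)) for c in "hidden") + "\n"
    "Use the admin\u200b panel, then run \u202etxt.exe\u202c."
)

if __name__ == "__main__":
    for finding in find_hidden(SAMPLE):
        print(finding)
    print("tag payload:", decode_tag_payload(SAMPLE))
```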
The 10-second demo:
apm audit
Proof in the source
- src/apm_cli/security/content_scanner.py — the ContentScanner class and the Unicode tag / bidi / zero-width / invisible-operator ranges it flags. scan_text() is what every install runs against every primitive file.
- src/apm_cli/install/helpers/security_scan.py — the _pre_deploy_security_scan hook that runs before any file is written to the project tree, via SecurityGate.scan_files() with the install pipeline’s BLOCK_POLICY.
- src/apm_cli/deps/lockfile.py — LockEntry.content_hash pins the exact tree per dependency; ci_checks._check_content_integrity re-verifies it on every audit.
- src/apm_cli/commands/audit.py — apm audit wires the scan, hash-drift detection, and the scratch rebuild diff into one command, with --strip to remediate.
Read more
- Security model and threat coverage: Security
Promise 3: Governed by policy
Org policy enforced at install time, before MCP touches disk.
apm-policy.yml lets a security team allow-list sources, scopes, and
primitives. Every apm install runs the policy before writing to
disk — including transitive MCP servers shipped by deep
dependencies. Tighten-only inheritance flows enterprise -> org ->
repo. apm audit --ci wires the same checks into branch protection.
This is the supply-chain check npm and pip cannot do.
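A sketch of tighten-only inheritance and the install-time gate, as an added example that is not APM's merge_policies() or run_policy_preflight(). The policy keys (allow_sources, deny_primitives, mcp_requires_trust), the graph node fields and all sample values are hypothetical; the real apm-policy.yml schema is not shown on this page.

```python
# Added example with a hypothetical policy shape, not APM's schema.
def merge_tighten_only(parent, child):
    """Merge two levels so the child can narrow the parent but never widen it."""
    p_allow, c_allow = parent.get("allow_sources"), child.get("allow_sources")
    if p_allow is None or c_allow is None:
        allow = p_allow if c_allow is None else c_allow  # None = no restriction here
    else:
        allow = sorted(set(p_allow) & set(c_allow))      # allow-lists intersect
    deny = set(parent.get("deny_primitives", [])) | set(child.get("deny_primitives", []))
    trust = parent.get("mcp_requires_trust", False) or child.get("mcp_requires_trust", False)
    return {"allow_sources": allow,
            "deny_primitives": sorted(deny),             # deny-lists only grow
            "mcp_requires_trust": trust}                 # once required, stays required

def resolve_chain(*levels):
    """Fold enterprise -> org -> repo into one effective policy."""
    policy = {}
    for level in levels:
        policy = merge_tighten_only(policy, level)
    return policy

def preflight(policy, graph):
    """Check every resolved node, transitive ones included. Empty list = proceed."""
    violations = []
    allow = policy.get("allow_sources")
    for node in graph:
        if allow is not None and node["source"] not in allow:
            violations.append((node["name"], "source-not-allowed"))
        if node["primitive"] in policy.get("deny_primitives", []):
            violations.append((node["name"], "primitive-denied"))
        if (node["primitive"] == "mcp" and policy.get("mcp_requires_trust")
                and not node.get("trusted", False)):
            violations.append((node["name"], "mcp-untrusted"))
    return violations

# Constructed sample levels. The repo level tries to widen the source list
# and switch off the MCP trust requirement; neither attempt takes effect.
ENTERPRISE = {"allow_sources": ["github.com/acme", "github.com/vendor-a"],
              "mcp_requires_trust": True}
ORG = {"allow_sources": ["github.com/acme"], "deny_primitives": ["hooks"]}
REPO = {"allow_sources": ["github.com/acme", "github.com/random"],
        "mcp_requires_trust": False}

# Constructed resolved graph; the last node is an MCP server pulled in transitively.
GRAPH = [
    {"name": "acme/review-skill", "source": "github.com/acme", "primitive": "skills"},
    {"name": "vendor-a/lint-prompts", "source": "github.com/vendor-a", "primitive": "prompts"},
    {"name": "acme/db-mcp", "source": "github.com/acme", "primitive": "mcp", "trusted": False},
]
```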
The 10-second demo:
apm install --dry-run <package>
Proof in the source
- src/apm_cli/policy/install_preflight.py — run_policy_preflight() is the install-time gate; it evaluates the resolved dependency graph (including transitive MCP servers) against the merged policy before any download or write.
- src/apm_cli/policy/inheritance.py — merge_policies() and resolve_policy_chain() implement the tighten-only enterprise -> org -> repo flow with _escalate() enforcement.
- src/apm_cli/policy/ci_checks.py — run_baseline_checks() is the CI surface used by apm audit --ci. It runs 8 baseline checks: lockfile-exists, ref-consistency, deployed-files-present, no-orphans, skill-subset-consistency, config-consistency, content-integrity, and includes-consent.
Read more
- Policy schema, inheritance, CI wiring: Governance guide
Is this just npm for prompts?
The verbs rhyme on purpose — apm install, apm update,
apm list, apm prune. The package model does not. APM resolves
primitives (skills, prompts, instructions, hooks, MCP servers) and
deploys them into seven different agent harnesses from one manifest.
npm has no equivalent of the harness fan-out, the install-time
policy gate, or the Unicode scan. Promise 1 is the npm-shaped half;
Promise 2 and Promise 3 are not.
Why a lockfile?
Two reasons. First, reproducibility: pinned refs plus content
hashes mean every clone and every CI run gets the same files.
Second, integrity: content_hash lets apm audit detect any drift
between what the lockfile says you installed and what is on disk
right now — including hand-edits to files inside apm_modules/.
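How a pinned tree hash catches a hand-edit, as an added example that is not APM's lockfile code. The page only states that content_hash is a SHA-256 of the package file tree; the canonicalization below (sorted relative paths, length-prefixed fields), the "sha256:" prefix and the sample package names are assumptions.

```python
# Added example; the hashing scheme is an assumption, not APM's exact format.
import hashlib
import tempfile
from pathlib import Path

def tree_hash(root):
    """SHA-256 over each file's relative path and bytes, in sorted path order."""
    root = Path(root)
    files = sorted((p.relative_to(root).as_posix(), p)
                   for p in root.rglob("*") if p.is_file())
    digest = hashlib.sha256()
    for rel, path in files:
        name, data = rel.encode("utf-8"), path.read_bytes()
        # Length prefixes keep ("ab", "c") and ("a", "bc") from hashing alike.
        digest.update(len(name).to_bytes(8, "big") + name)
        digest.update(len(data).to_bytes(8, "big") + data)
    return "sha256:" + digest.hexdigest()

def check_integrity(lock_entries, modules_dir):
    """Return packages whose on-disk tree is missing or differs from the pin."""
    drifted = []
    for name, pinned in lock_entries.items():
        pkg = Path(modules_dir) / name
        if not pkg.is_dir() or tree_hash(pkg) != pinned:
            drifted.append(name)
    return sorted(drifted)

def demo():
    """Install two constructed packages, pin them, then hand-edit one file."""
    with tempfile.TemporaryDirectory() as tmp:
        modules = Path(tmp) / "apm_modules"
        packages = {"review-skill": "Review the diff.\n", "style-guide": "Use tabs.\n"}
        for pkg, body in packages.items():
            (modules / pkg / "prompts").mkdir(parents=True)
            (modules / pkg / "prompts" / "main.prompt.md").write_text(body)
        lock = {p.name: tree_hash(p) for p in modules.iterdir()}
        before = check_integrity(lock, modules)
        edited = modules / "style-guide" / "prompts" / "main.prompt.md"
        edited.write_text("Use tabs. Also skip tests.\n")
        return before, check_integrity(lock, modules)

if __name__ == "__main__":
    print(demo())
```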
What does the policy engine actually block?
At install time: dependencies from disallowed sources or scopes,
primitives outside the allow-list, and transitive MCP servers that
fail any of the configured trust rules — evaluated before any
download. In CI via apm audit --ci: the 8 baseline checks above,
which catch lockfile drift, missing deployed files, orphaned
packages, and content-hash mismatches before a PR can merge.