Enterprise

APM for organizations rests on three pillars:

  • Portable by manifest — one apm.yml declares every dependency; apm.lock.yaml pins exact versions; every developer and every CI run gets the same agent setup.
  • Secure by default — apm install scans every package for hidden Unicode and other tampering before agents read it. Attack surface, scanners, and the MCP trust boundary are documented for procurement review.
  • Governed by policy — apm-policy.yml lets platform teams allow-list dependencies, restrict deploy targets, and enforce trust rules at install time across every repo, from a single source of truth.

| If you are… | Start here |
|---|---|
| A CISO or security reviewer | Security Model -> Governance -> Registry Proxy & Air-gapped |
| A VP of Engineering or Tech Lead evaluating APM | Governance -> Adoption Playbook |
| A platform engineer rolling out APM org-wide | Adoption Playbook -> Registry Proxy & Air-gapped |
| A champion building an internal pitch | Making the Case -> Adoption Playbook |
| An engineer authoring policy | Policy Files -> Policy Reference |

  • Making the Case — problem-at-scale narrative, talking points by audience, objection handling, sample RFC, ROI framework.
  • Adoption Playbook — phased rollout from pilot team to organization-wide, with milestones, success metrics, and rollback options.
  • Security Model — supply-chain posture: pre-deploy gate, content scanners, hidden-Unicode threat model, MCP trust boundary. Consumed verbatim by procurement and security reviewers.
  • Governance — the flagship trust contract: bypass surfaces, install-gate guarantees, audit-log schema, rollout playbook, known gaps. Read this if you are deciding whether to make apm audit --ci a required check.
  • Registry Proxy & Air-gapped — route dependency and marketplace traffic through Artifactory or a compatible proxy; bypass-prevention contract; air-gapped CI playbook for both online-proxy and offline-bundle shapes.
  • Policy Files — conceptual model of apm-policy.yml: what it is, what it declares, how to start one.
  • Policy Reference — complete schema for every apm-policy.yml field.