
APM – Agent Package Manager

Added May 4, 2026
Agent & Tooling
Open Source
Python, Model Context Protocol, AI Agents, CLI, Agent & Tooling, Developer Tools & Coding, Security & Privacy

An open-source dependency manager by Microsoft for AI coding agents, enabling portable, secure, and governed distribution of skills, plugins, and MCP servers via apm.yml.

APM (Agent Package Manager) is a dependency management tool designed by Microsoft specifically for AI coding agents. Its core idea is to bring traditional software package management paradigms (similar to package.json or requirements.txt) into the AI agent ecosystem. The project uses a single apm.yml manifest to uniformly manage primitives like instructions, skills, agents, hooks, and MCP servers, achieving configuration consistency and one-click reproduction across different machines and clients (such as GitHub Copilot, Claude Code, and Cursor).

Core Features

  • Manifest Portability: apm.yml declares all agent primitives; apm install reproduces identical configurations across all clients and machines; apm.lock.yaml locks the full dependency tree with content hashes; supports transitive dependency resolution (packages depending on packages); supports plugin export to standard plugin.json format.
  • Secure by Default: Treats prompts as executable programs and scans them for hidden Unicode tampering on install; apm.lock records source and content hashes for full traceability; transitive MCP servers require explicit trust confirmation; apm audit runs on-demand or CI-mode security checks.
  • Policy Governance: apm-policy.yml allows security teams to define allowed sources, scopes, and primitives; supports enterprise → org → repo tighten-only inheritance; integrates with GitHub rulesets and branch protection.
  • Multi-client Support: Compatible with GitHub Copilot, Claude Code, Cursor, OpenCode, Codex CLI, Gemini, Windsurf — auto-detects and deploys to corresponding directories; supports GitHub, GitLab, Bitbucket, Azure DevOps, and self-hosted Git servers.
  • Marketplace & Packaging: apm marketplace add <registry> installs plugins from curated registries; apm pack packages configurations as zip bundles or standalone plugins; native GitHub Action for CI/CD automation.

Architecture & Implementation

  • CLI core logic in src/apm_cli/, build system in build/ (Makefile).
  • Resolved primitives stored in local .apm/ directory.
  • Deployment flow: read apm.yml → resolve dependency tree & security scan → detect local AI clients → deploy primitives to client-specific config directories.
  • Quality assurance via layered testing (unit → integration → acceptance) with pytest + pytest-xdist for auto-parallelism; Ruff for linting/formatting enforced through pre-commit hooks and CI.
  • CI/CD split into Tier 1 (fast unit + build) and Tier 2 (full integration), with GitHub merge queue enabled.
  • Experimental features registered via FLAGS dict with function-scoped imports to avoid circular dependencies.
  • devcontainer/ directory provided for containerized development.

Typical Scenarios

  • New team members run git clone && apm install to get all agent configurations with multi-client auto-readiness.
  • Install skills, plugins, agents from any repository with version locking.
  • Install MCP servers with a single command and auto-deploy to all detected clients.
  • Whitelist dependency sources via policy files with CI gates blocking violations.
  • Directly package agentrc-generated .instructions.md as APM packages without conversion.

Project Status: v0.12.1, 50 releases, 1100+ commits, primarily Python (96.9%), MIT license.
