Most agent projects only share code; the runtime wiring—the prompts, skills, hooks, plugins, and policy—lives in dozens of scattered files or developer-specific scripts. That makes agent setups hard to reproduce, review, or ship across teams. The core insight behind this tool is simple: treat an agent's configuration as a first-class package with dependency resolution, registries, and security checks, just like npm or pip do for code.
What Sets It Apart
-
One manifest for the whole agent surface — Declare instructions, skills, prompts, agents, hooks, plugins and MCP servers in a single apm.yml so a repository carries a portable, machine-readable agent spec. So what: onboarding and code review become deterministic instead of ad‑hoc.
-
Transitive dependency resolution across git hosts — Packages can depend on packages and be installed from GitHub, GitLab, Bitbucket, Azure DevOps, or self-hosted git. So what: complex agent stacks (skills that depend on shared prompts or primitives) resolve automatically instead of manual wiring.
-
Plugin authoring and packaging — Supports authoring plugins for Copilot, Claude, Cursor, etc., and exporting standard plugin.json packages. So what: moves agent integrations from one-off scripts to reusable, versioned artifacts.
-
Content security and governance — Built-in audit tooling blocks suspicious content (hidden Unicode, supply‑chain signals) and supports policy files for enterprise registries. So what: reduces the risk of letting an agent ingest compromised packages.
Who it's for + tradeoffs
Great fit if you manage repositories that embed agent behaviors (assistant instructions, reusable skills, CI-driven agents) and need reproducibility, policy controls, and marketplace distribution. It also suits platform teams building curated registries or CI workflows for agent deployments.
Look elsewhere if your use is limited to a single ad-hoc agent prototype, you require a purely local/offline-only toolchain with zero network dependencies, or you prefer a bespoke orchestration layer tailored to one specific closed model provider. There is some upfront discipline: writing and maintaining apm manifests and registries adds process but yields reproducibility and auditability.
Where It Fits
Think of it as the package manager layer for the agent ecosystem: comparable to package managers for code, but focused on agent primitives and runtime wiring. It pairs naturally with tools that analyze codebases into agent instructions and with MCP-based runtimes that expect standardized primitives.
How it works (brief)
At a high level it uses a declarative manifest to express dependencies, resolves transitive graphs across hosts, runs security audits during installation, and can pack an agent configuration into distributable packages or plugin artifacts. Integrations include CI actions and registries so teams can enforce policies and deliver pre-configured agent bundles.