apm: a community-driven dependency manager for AI agent configurations and skills

What it solves

AI coding agents (like GitHub Copilot, Claude Code, and Cursor) require specific context—such as prompts, skills, and plugins—to be effective. Currently, developers must set these up manually, making the agent configurations non-portable and difficult to reproduce across different machines or teams. APM provides a standardized way to declare and manage these dependencies as code.

How it works

APM uses a manifest file (apm.yml) to describe the agent's required primitives, including instructions, skills, prompts, and MCP servers. It functions similarly to a package manager like npm or pip, resolving transitive dependencies and creating a lockfile (apm.lock.yaml) to ensure reproducibility.

Users can install packages from various git hosts (GitHub, GitLab, Bitbucket, etc.) or curated marketplaces. The tool can then "compile" these configurations into formats compatible with specific agent clients, such as generating .github/copilot-instructions.md for GitHub Copilot.

Who it’s for

Developers and security teams who want to share, version-control, and govern the context and skills provided to AI agents within their projects or across an entire organization.

Highlights

  • Portable Manifests: Declares all agent primitives in one file for consistent setup across multiple AI clients (Copilot, Claude, Cursor, etc.).
  • Transitive Dependency Resolution: Supports packages that depend on other packages, resolving the full tree.
  • Security-First Approach: Scans for hidden Unicode to prevent agent hijacking and uses integrity hashes in lockfiles.
  • Enterprise Governance: Allows security teams to define allowed sources and primitives via apm-policy.yml to enforce organizational standards.
  • MCP Integration: Simplifies the installation and configuration of Model Context Protocol (MCP) servers across detected clients.
  • SBOM Export: Generates standard inventory reports (CycloneDX/SPDX) of the installed agent context.
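
The hidden-Unicode scan named in the highlights can be illustrated with a short checker for agent instruction files. This is an added example, not APM's own code: the character classes, the function names (classify, scan, decode_tags) and the sample text are assumptions made here.

```python
import unicodedata

# Constructed sample: an instruction file with a zero-width space, a bidi
# override, and text smuggled in the invisible Unicode tag block.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "hidden text")
SAMPLE = (
    "# Project instructions\n"
    "Use type\u200bhints everywhere.\n"
    "Run tests before commit.\u202e\n"
    "Prefer small functions." + HIDDEN + "\n"
)

# Bidirectional embedding, override and isolate controls.
BIDI = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))


def classify(ch):
    """Return a label for a character that renders invisibly, else None."""
    cp = ord(ch)
    if 0xE0000 <= cp <= 0xE007F:
        return "tag"
    if cp in BIDI:
        return "bidi"
    # Also matches emoji presentation selectors, so expect some benign hits.
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return "variation-selector"
    if unicodedata.category(ch) == "Cf":  # zero-width space, joiners, BOM, ...
        return "format"
    return None


def scan(text):
    """Return (line, column, 'U+XXXX', label) for every hidden character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            label = classify(ch)
            if label:
                findings.append((lineno, col, f"U+{ord(ch):04X}", label))
    return findings


def decode_tags(text):
    """Recover ASCII hidden in the Unicode tag block (U+E0020..U+E007E)."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print("hidden tag payload:", repr(decode_tags(SAMPLE)))
```

A reviewer reading the sample in an editor sees four ordinary lines; the scan reports where the invisible characters sit and what the tag-block run spells.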
