Show HN: Agent Package Manager (APM) for Agent Configuration

https://github.com/microsoft/apm
1•danielmeppiel•1h ago
I work at Microsoft/GitHub and built APM because I was managing agent configs — prompts, instructions, MCP servers — across Copilot, Claude Code, and Cursor. Every new project meant copying skill files, installing plugins by hand, hoping nothing drifted upstream. I realized we were missing the dependency management layer for this new category of config to unlock faster adoption, composability and innovation.

APM (Agent Package Manager) is an open-source CLI that installs and manages AI agent dependencies (plugins, skills, rules, hooks, MCP, etc). It resolves transitive dependencies, pins versions with a lock file, and scans content for supply-chain attacks.

This was posted a couple days ago without context (https://news.ycombinator.com/item?id=47421969). Here's the full story.

1 minute video: https://github.com/microsoft/apm/releases/download/v0.8.2/ap...

How it works:

apm install — resolves any Agent Primitive (plugins, skills, hooks, rules...) and their transitive dependency tree from any git host. Plugin A depends on Plugin B and a shared MCP server? APM walks the tree. One command deploys to Copilot, Claude Code, Cursor, and OpenCode. Full agent setup ready to go for any dev with 1 command.

apm.lock — every resolved dependency pinned to exact commit SHA. Diff it in PRs. Same plugin set, every developer, every CI run.

apm pack — author plugins that compose on other agent config dependencies via apm.yml. Bundle as portable archives; apm unpack for offline environments. You can import other skills, rules or plugins in the plugins you author.

apm audit — scans for hidden Unicode characters (variation selectors, bidi marks) and outputs SARIF for CI. Agent instructions have direct access to your codebase and terminal. Scanning what goes into them matters.

Why this won't come from plugin vendors: each tool governs its own ecosystem. GitHub governs Copilot. Anthropic governs Claude. Nobody governs across tools, resolves cross-plugin dependencies, or gives consumers a lock file for what they actually installed. We need portability.

Packages are git repos — no registry, no signup. apm pack outputs valid plugin-native format, so if you stop using APM your plugins still work. Too early for true package artifacts, maybe down the road.

MIT-licensed under the Microsoft OSS GitHub org and community-driven.

External contributors shipped Cursor, OpenCode, Artifactory and Windows support.

Docs: https://microsoft.github.io/apm

Repo: https://github.com/microsoft/apm
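
The kind of check the `apm audit` paragraph describes, as an added example that is not part of the original post and not APM's own code: a scanner that flags variation selectors and bidi control characters in an agent instruction file and wraps the findings in a minimal SARIF 2.1.0 log. The rule ids, severity levels, tool name, file path and sample text are assumptions made for this illustration.

```python
import json

# Hidden code point ranges; rule ids and levels are hypothetical, not APM's.
HIDDEN_RANGES = [
    (0xFE00, 0xFE0F, "variation-selector", "warning"),
    (0xE0100, 0xE01EF, "variation-selector", "warning"),
    (0x202A, 0x202E, "bidi-control", "error"),   # embeddings and overrides
    (0x2066, 0x2069, "bidi-control", "error"),   # isolates
    (0x200E, 0x200F, "bidi-control", "error"),   # LRM / RLM
    (0x061C, 0x061C, "bidi-control", "error"),   # Arabic letter mark
]

def classify(ch):
    """Return (rule_id, level) for a hidden character, or None."""
    cp = ord(ch)
    for lo, hi, rule, level in HIDDEN_RANGES:
        if lo <= cp <= hi:
            return rule, level
    return None

def scan_text(text, uri):
    """Return one SARIF result per hidden character, with 1-based positions."""
    results = []
    # Split on "\n" only, so line numbers match what editors and diffs show.
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            hit = classify(ch)
            if hit is None:
                continue
            results.append({
                "ruleId": hit[0], "level": hit[1],
                "message": {"text": f"hidden character U+{ord(ch):04X}"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": uri},
                    "region": {"startLine": line_no, "startColumn": col},
                }}],
            })
    return results

def to_sarif(results):
    """Wrap results in a minimal SARIF 2.1.0 log (columns count code points)."""
    return {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "hidden-unicode-example"}},
        "columnKind": "unicodeCodePoints",
        "results": results,
    }]}

# Constructed sample: a bidi override pair and two variation selectors.
SAMPLE = "Always run the tests.\nNever print \u202esecrets\u202c to logs.\nUse tabs\ufe0f\U000e0100 here.\n"
if __name__ == "__main__":
    print(json.dumps(to_sarif(scan_text(SAMPLE, "skills/example.md")), indent=2))
```

Variation selectors are reported at a lower level here because U+FE0F legitimately follows emoji; a CI gate would typically fail on the bidi findings and review the rest.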