{"slug": "microsoft-agent-package-manager", "title": "Microsoft Agent Package Manager", "summary": "Microsoft released an open-source dependency manager for AI agents called Agent Package Manager (APM), which allows developers to declare agentic dependencies in a manifest file and reproduce them across different coding agents. The tool supports transitive dependency resolution, plugin authoring, and integration with multiple AI coding assistants including GitHub Copilot, Claude Code, and Cursor.", "body_md": "**An open-source, community-driven dependency manager for AI agents.**\n\nThink `package.json`\n\n, `requirements.txt`\n\n, or `Cargo.toml`\n\n— but for AI agent configuration.\n\nGitHub Copilot · Claude Code · Cursor · OpenCode · Codex · Gemini · Windsurf · Kiro\n\n** Documentation** ·\n\n**·**\n\n[Quick Start](https://microsoft.github.io/apm/getting-started/quick-start/)**·**\n\n[CLI Reference](https://microsoft.github.io/apm/reference/cli-commands/)\n\n[Roadmap](https://github.com/orgs/microsoft/projects/2304)\n\nPortable by manifest. Secure by default. Governed by policy.One file describes every agent's context; one command reproduces it everywhere; one policy controls what an org will allow.\n\nAI coding agents need context to be useful — standards, prompts, skills, plugins — but today every developer sets this up manually. Nothing is portable nor reproducible. There's no manifest for it.\n\n**APM fixes this.** Declare your project's agentic dependencies once in `apm.yml`\n\n, and every developer who clones your repo gets a fully configured agent setup in seconds — with transitive dependency resolution, just like npm or pip. It's also the first tool that lets you **author plugins** with a real dependency manager and export standard `plugin.json`\n\npackages.\n\n```\n# apm.yml — ships with your project\nname: your-project\nversion: 1.0.0\ndependencies:\n  apm:\n    # Skills from any repository\n    - anthropics/skills/skills/frontend-design\n    # Plugins\n    - github/awesome-copilot/plugins/context-engineering\n    # Specific agent primitives from any repository\n    - github/awesome-copilot/agents/api-architect.agent.md\n    # A full APM package with instructions, skills, prompts, hooks...\n    - microsoft/apm-sample-package#v1.0.0\n  mcp:\n    # MCP servers -- installed into every detected client\n    - name: io.github.github/github-mcp-server\n      transport: http   # MCP transport name, not URL scheme -- connects over HTTPS\ngit clone <org/repo> && cd <repo>\napm install    # every agent is configured\n```\n\n**Coming from npx skills add?** Drop-in:\n\n```\napm install vercel-labs/agent-skills                            # whole bundle, like npx skills add\napm install vercel-labs/agent-skills --skill deploy-to-vercel   # one skill, persisted to apm.yml\n```\n\nSame install gesture. You also get a [manifest, lockfile, and reproducibility](https://microsoft.github.io/apm/reference/package-types/#skill-collection-skillsnameskillmd).\n\n**Zero-config Copilot:**\n\n```\napm compile -t copilot   # writes .github/copilot-instructions.md\n```\n\nOne command, no configuration -- VS Code and GitHub Copilot read the file automatically. APM dogfoods this target on its own repository.\n\nOne `apm.yml`\n\ndescribes every primitive your agents need — instructions, skills, prompts, agents, hooks, plugins, MCP servers — and `apm install`\n\nreproduces the exact same setup across every client on every machine. `apm.lock.yaml`\n\npins the resolved tree the way `package-lock.json`\n\ndoes for npm.\n\n— declared once, deployed across Copilot, Claude, Cursor, OpenCode, Codex, Gemini, Windsurf, Kiro[One manifest for everything](https://microsoft.github.io/apm/reference/primitive-types/)— GitHub, GitLab, Bitbucket, Azure DevOps, GitHub Enterprise, Gitea, Gogs, any git host[Install from anywhere](https://microsoft.github.io/apm/guides/dependencies/)— packages can depend on packages; APM resolves the full tree[Transitive dependencies](https://microsoft.github.io/apm/guides/dependencies/)— build Copilot, Claude, and Cursor plugins with dependency management, then export standard[Author plugins](https://microsoft.github.io/apm/guides/plugins/)`plugin.json`\n\n— install plugins from curated registries in one command, deployed across all targets and locked[Marketplaces](https://microsoft.github.io/apm/guides/marketplaces/)—[Pack & distribute](https://microsoft.github.io/apm/guides/pack-distribute/)`apm pack`\n\nbundles your configuration as a zipped package or a standalone plugin— GitHub Action for automated workflows[CI/CD ready](https://github.com/microsoft/apm-action)\n\nAgent context is executable in effect — a prompt is a program for an LLM. APM treats it that way. Every install scans for hidden Unicode that can hijack agent behavior; the lockfile pins integrity hashes; transitive MCP servers are gated by trust prompts.\n\n—[Content security](https://microsoft.github.io/apm/enterprise/security/)`apm install`\n\nblocks compromised packages before agents read them;`apm audit`\n\nruns the same checks on demand—[Lockfile integrity](https://microsoft.github.io/apm/enterprise/governance/)`apm.lock`\n\nrecords resolved sources and content hashes for full provenance—[SBOM export](https://microsoft.github.io/apm/reference/cli/lock/)`apm lock export --format cyclonedx|spdx`\n\nemits a standard inventory of what reached disk, straight from the lockfile — provenance for procurement, not a compliance attestation—[Drift detection](https://microsoft.github.io/apm/guides/drift-detection/)`apm audit`\n\nrebuilds your agent context in scratch and diffs it against your working tree to catch hand-edits before they ship— transitive MCP servers require explicit consent[MCP trust boundaries](https://microsoft.github.io/apm/guides/mcp-servers/)\n\n`apm-policy.yml`\n\nlets a security team say *\"these are the only sources, scopes, and primitives this org will allow\"* and have every `apm install`\n\nenforce it — with tighten-only inheritance from enterprise to org to repo, a published bypass contract, and audit-mode CI gates.\n\napm-policy.yml governs what gets installed; your agent harness governs what runs. The two planes do not overlap.\n\n— the canonical enterprise reference: enforcement points, bypass contract, air-gapped story, failure semantics, rollout playbook[Governance Guide](https://microsoft.github.io/apm/enterprise/governance-guide/)— every check, every field, every default[Policy reference](https://microsoft.github.io/apm/enterprise/policy-reference/)— staged rollout from warn to block across hundreds of repos[Adoption playbook](https://microsoft.github.io/apm/enterprise/adoption-playbook/)— wire[GitHub rulesets integration](https://microsoft.github.io/apm/integrations/github-rulesets/)`apm audit --ci`\n\ninto branch protection\n\n```\ncurl -sSL https://aka.ms/apm-unix | sh\nirm https://aka.ms/apm-windows | iex\n```\n\nNative release binaries are published for macOS, Linux, and Windows x86_64. `apm update`\n\nreuses the matching platform installer.\n\nThen start adding packages:\n\n```\napm install microsoft/apm-sample-package#v1.0.0\n```\n\nOr install from a marketplace:\n\n```\napm marketplace add github/awesome-copilot\napm install azure-cloud-development@awesome-copilot\n```\n\nOr add an MCP server (wired into Copilot, Claude, Cursor, Codex, OpenCode, Gemini, Windsurf, and Kiro):\n\n```\napm install --mcp io.github.github/github-mcp-server --transport http   # connects over HTTPS\n```\n\nSee the ** Getting Started guide** for the full walkthrough.\n\n[agentrc](https://github.com/microsoft/agentrc) analyzes your codebase and generates tailored agent instructions — architecture, conventions, build commands — from real code, not templates.\n\nUse agentrc to author high-quality instructions, then package them with APM to share across your org. The `.instructions.md`\n\nformat is shared by both tools — no conversion needed when moving instructions into APM packages.\n\nCreated by [@danielmeppiel](https://github.com/danielmeppiel). Maintained by [@danielmeppiel](https://github.com/danielmeppiel) and [@sergio-sisternes-epam](https://github.com/sergio-sisternes-epam).\n\n[Roadmap & Discussions](https://github.com/microsoft/apm/discussions/116)[Contributing](/microsoft/apm/blob/main/CONTRIBUTING.md)[AI Native Development guide](https://danielmeppiel.github.io/awesome-ai-native)— a practical learning path for AI-native development\n\n**Built on open standards:** [AGENTS.md](https://agents.md) · [Agent Skills](https://agentskills.io) · [MCP](https://modelcontextprotocol.io)\n\nThis project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.", "url": "https://wpnews.pro/news/microsoft-agent-package-manager", "canonical_source": "https://github.com/microsoft/apm", "published_at": "2026-06-24 09:14:27+00:00", "updated_at": "2026-06-24 09:44:58.555211+00:00", "lang": "en", "topics": ["ai-tools", "developer-tools", "ai-agents"], "entities": ["Microsoft", "GitHub Copilot", "Claude Code", "Cursor", "OpenCode", "Codex", "Gemini", "Windsurf"], "alternates": {"html": "https://wpnews.pro/news/microsoft-agent-package-manager", "markdown": "https://wpnews.pro/news/microsoft-agent-package-manager.md", "text": "https://wpnews.pro/news/microsoft-agent-package-manager.txt", "jsonld": "https://wpnews.pro/news/microsoft-agent-package-manager.jsonld"}}