What is APKG?

APKG is a package manager designed from the ground up for AI tooling. Where traditional package managers deal in libraries and modules, APKG manages a richer set of artifacts — skills, agents, MCP servers, prompt templates, and shareable configurations — each with metadata and lifecycle requirements unique to the AI ecosystem.

The problem

NPM, pip, and other established package managers were not designed for the demands of AI artifacts. They lack native support for:

• Model compatibility declarations — specifying which LLM families, versions, and context-window sizes a package supports.
• Runtime constraints — declaring GPU requirements, memory floors, and provider availability.
• Capability negotiation — describing what tools, resources, and prompts an MCP server exposes so that consumers can match at install time.
• Provenance and signing — guaranteeing that the package you install was built from the source it claims, by the author it claims.

APKG addresses these gaps head-on with a metadata model that treats AI-specific concerns as first-class citizens rather than afterthoughts.

What APKG manages

APKG supports seven package types, each tailored to a different kind of AI artifact:

• Skills — Discrete AI capabilities with defined inputs and outputs, such as text summarization or code review.
• Agents — Autonomous or semi-autonomous AI agents with tool bindings, like a research assistant or deployment bot.
• MCP Servers — Model Context Protocol servers that expose tools and resources, such as a database query server or GitHub integration.
• Prompts — Reusable prompt templates with variable schemas, like system prompts or evaluation rubrics.
• Configs — Shareable configuration packages for teams and projects.
• Libraries — Traditional code libraries for AI tooling, such as tokenizer utilities.
• Composite — Bundles that aggregate multiple sub-packages into a single distributable unit.

A single command installs a package, verifies its provenance, checks model compatibility, and wires it into your project:

{
  "dependencies": {
    "@acme/code-review-agent": "^2.1.0",
    "@acme/summarization-skill": "^1.4.0",
    "@openai/mcp-tool-server": "^3.0.0"
  }
}

Key features

• Sub-second installs — Every tarball is stored and retrieved by its SHA-256 digest, enabling global deduplication and zero-copy installs via hard-linking from cache.
• Cryptographic signing and provenance — Ed25519 signatures and SLSA-compliant provenance attestations give you a verifiable chain from source commit to published artifact.
• Sandboxed lifecycle hooks — Pre-install, post-install, and custom hooks execute inside a WASM-based sandbox with an explicit capability policy. No network access, no filesystem escape.
• AI-native metadata — Manifests declare model compatibility matrices, GPU and memory requirements, MCP capability surfaces, and prompt variable schemas.
• First-class MCP support — The Model Context Protocol is a core package type, with tool and resource discovery, capability negotiation, and transport configuration built into the manifest format.

How it works

Every APKG package starts with an apkg.json manifest at its root. This file declares the package’s type, dependencies, runtime requirements, and metadata. When you run apkg install, the CLI resolves the full dependency tree, downloads signed tarballs from the registry, verifies integrity and provenance, and links packages into your project. A lockfile captures the exact resolved state so that installs are reproducible across machines and CI environments.

When you’re ready to share your work, apkg publish signs your package, uploads it to the registry, and makes it discoverable to others through search and compatibility filtering.

Next steps

The following guides are coming soon:

• Installation — How to install the APKG CLI on your machine.
• Quick Start — Create, install, and publish your first package.
• CLI Reference — A complete reference for all APKG commands.