Originally published on NextFuture
What you will ship
By the end of this guide you will have Microsoft APM v0.9.2 installed, an apm.yml manifest checked into a repo, and a fresh git clone && apm install that configures Claude Code, GitHub Copilot, and Cursor with the same skills, prompts, and MCP servers — no copy-pasting from a private Notion. APM is the first cross-client manifest for agent context; think package.json, but for the CLAUDE.md, .github/copilot-instructions.md, and .cursor/rules/ files that today drift across every teammate's laptop. The project hit 2,000 stars this week and Microsoft just cut v0.9.2 on Apr 23, 2026 with Azure DevOps AAD auth and a hardened audit check.
Prerequisites: macOS or Linux (Windows PowerShell works too), Python 3.11+ only if you install via pip, and one of Claude Code, GitHub Copilot CLI, Cursor, OpenCode, or Codex installed locally. No paid account required — apm itself is MIT-licensed and the CLI is free forever.
Step-by-step build
1. Install the CLI
curl -sSL https://aka.ms/apm-unix | sh
apm --version # expect: 0.9.2
Homebrew (brew install microsoft/apm/apm) and pip install apm-cli are both supported. Windows users run irm https://aka.ms/apm-windows | iex. The apm update command reuses the same platform installer so you avoid version drift across a team.
2. Initialize a manifest in your repo
cd your-project
apm init
This drops an apm.yml scaffold in the repo root. Open it and declare the exact agent context your team ships with:
name: your-project
version: 1.0.0
target: [claude, copilot, cursor]
dependencies:
apm:
- anthropics/skills/skills/frontend-design
- github/awesome-copilot/plugins/context-engineering
- microsoft/apm-sample-package#v1.0.0
mcp:
- name: io.github.github/github-mcp-server
transport: http
The target list landed in v0.9.0 and lets one manifest feed multiple agent runtimes. Each dependency resolves transitively — if apm-sample-package pulls in more skills, they are fetched and pinned in apm.lock.yaml, mirroring how package-lock.json works for npm.
3. Install and commit the lockfile
apm install
git add apm.yml apm.lock.yaml
git commit -m "chore(apm): pin agent context"
APM writes the resolved tree and content hashes to apm.lock.yaml, then compiles primitives into each detected client's native location: CLAUDE.md for Claude Code, .github/prompts/ for Copilot, .cursor/rules/ for Cursor. Hand-edits to these files are detected later by apm audit so drift does not silently enter your repo.
4. Add an MCP server without editing three config files
v0.9.0 shipped a first-class MCP workflow. One command writes the server to the manifest and reinstalls into every target client:
apm install --mcp io.github.github/github-mcp-server \
--transport http \
--header "Authorization: Bearer $GITHUB_TOKEN"
Transitive MCP servers now require explicit consent; you will be prompted before APM trusts a package that pulls in a new stdio server. In CI, pass --force and gate the build with apm audit --ci. Custom enterprise registries work via MCP_REGISTRY_URL.
5. Wire the team install into onboarding
Replace three wiki pages of setup with one line in your README:
git clone git@github.com:org/your-project.git
cd your-project && apm install
New hires now get Claude Code, Copilot, and Cursor preconfigured in under a minute — identical primitives, pinned versions, the same MCP allowlist. Document the bypass path (APM_POLICY_DISABLE=1) only for emergencies so your security team can still audit it.
Test it works
apm audit --ci
Expected output: a table listing every deployed primitive with its source and an ok status column. Any hand-edit to .apm/ or a pulled plugin file surfaces as drift and the command exits non-zero. v0.9.2 hardened this check to detect local-content tampering, not just installed packages — wire it into your merge gate and config drift stops at the PR.
Common gotchas
Git protocol surprises. v0.9.0 is strict-by-default: ssh:// and https:// URLs no longer silently cross-fall back. If your mirror rejects SSH, export APM_GIT_PROTOCOL=https or pass --https on the command line. The legacy chain is still reachable with APM_ALLOW_PROTOCOL_FALLBACK=1 but will emit a one-shot warning so you cannot forget it is on.
Enterprise policy blocking installs. If your org ships an apm-policy.yml with enforcement: block (new in v0.9.1), a previously green install can now fail. Preview the verdict with apm install --dry-run and run apm policy status --json to see exactly which package or MCP server violated which rule before you open a support ticket.
MCP name validation. Names must match ^[a-zA-Z0-9@_][a-zA-Z0-9._@/:=-]{0,127}$. A URL in the command: field of a stdio MCP entry is rejected at parse time, as is any whitespace-wrapped binary path without explicit args:. The error message prints a valid positive example so the fix is usually obvious.
Ship it this week
Drop an apm.yml into the next repo you spin up today, pin one frontend-design skill, and watch a new teammate clone-and-run without opening your Notion. For teams already on Claude Code, pair APM with the /advisor multi-model workflow to stabilize agent behavior at 80% lower cost. If you are still shopping coding agents, our 2026 Cursor alternatives rundown pairs cleanly with APM's target: list. And if Python is your agent runtime, see how OpenAI Agents SDK 0.14 composes with APM-distributed skills. The repo and docs live at github.com/microsoft/apm — star it, then run apm init before lunch.
This article was originally published on NextFuture. Follow us for more fullstack & AI engineering content.
Top comments (0)