Getting Started
Install the apai CLI, run your first install, read your first Capability Passport, see your first install receipt.
1. Install the apai CLI
v0.1 ships the CLI as a scaffold. Multi-source routing (npm:, pip:, brew:, etc.) lands in Phase 1. Until then, the CLI accepts the command shape and writes a local install receipt at ~/.apai/receipts/<install_id>.json.
# Clone the repo and link the CLI locally (v0.1) git clone https://github.com/griffin9899/apai cd apai/packages/cli pnpm install pnpm run build npm link # Verify apai --version # 0.1.0
npm package publication (@apai/cli) lands when Phase 1 wires real multi-source install behavior. See honest status.
2. Browse the registry
The APAI registry holds 10 reference packages at v0.1. Each has a full Capability Passport, scanner output, and rollback path documented.
apai search apai sync apai search coding --offline # APAI registry search # # prompt-preflight-starter v0.1.0 low prompt-preflight # Generic bounded-prompt protocol with score gate and operator controls. # by apai-official # # costguard v0.1.0-preview medium cost-guard # Token spend ceilings, spike alerts, anomaly detection, and emergency stop. # by apai-official # ... # 10 package(s) found.
Same data also at the web UI: /registry. And as JSON at /api/packages.
3. Read a Capability Passport before installing
Every package has a Capability Passport: a plain-English declaration of what it reads, writes, accesses, spends, exposes, what approvals it requires, and how to roll it back. Read it before you install.
apai passport coding-safe-mode # Capability Passport: Coding Safe Mode # # Package: [email protected] # Publisher: apai-official (verified) # Risk level: low # Type: policy-pack # # Reads: Agent tool-call metadata only # Writes: Package-store policy artifact at ~/.apai/packages/coding-safe-mode/0.1.0/rules/rules.json # Accesses: No network access. No filesystem access beyond package-store artifact and receipt. # Spends: No spend. # Exposes: Package-store artifact and receipt are local; not exported. # Approvals: Operator approval to deactivate any rule. # # Rollback: apai rollback coding-safe-mode --install-id <id> # Scanner: 0.1.0-heuristic (deterministic rule scan, not a certification)
Then run the audit view. The default command verifies the live audit report against local pins; --local and --scan-path keep the scan fully local.
apai audit coding-safe-mode apai audit coding-safe-mode --local apai audit coding-safe-mode --scan-path packages/coding-safe-mode --format json
Or view the rendered passport in the browser at /packages/coding-safe-mode. The same content is available as a text/plain LLM install card at /packages/coding-safe-mode/llms.txt.
4. Install a package
v0.1 install verifies the live registry source, package manifest, install card, and payload manifest before any local receipt is written. prompt-preflight-starter, costguard, mcp-audit, agent-passport, coding-safe-mode, doc-brief, and private-workspace-policy declare checksum-pinned package-store artifacts; remaining seed packages still declare no payload files. Pinned payloads can write only into the APAI package store when --allow-package-writes is passed.
apai install coding-safe-mode --verify-source --verify-manifest --verify-card --verify-payload --allow-package-writes # Preparing install: Coding Safe Mode ([email protected]) # Target: local_cli # Install mode: native-install # Risk level: low # Registry source verification: verified (apai.registry.v0.1) # Install-card verification: verified # Payload-manifest verification: verified (1 payloads) # Payload execution plan: package-store-install # Package-store files written: 1 # Local audit: no-findings (0 high, 0 medium, 0 low) # # v0.1: writing planned install receipt to ~/.apai/receipts/. # Install card, payload manifest, and payload artifact bytes were verified before package-store writes. # # Receipt: /home/user/.apai/receipts/rcpt_01HXY7G8K9M2P3Q4R5S6T7U8V9W.json # Install ID: rcpt_01HXY7G8K9M2P3Q4R5S6T7U8V9W # # Roll back: apai rollback coding-safe-mode --install-id rcpt_01HXY7G8K9M2P3Q4R5S6T7U8V9W
The receipt is a durable record: package + version + source + permissions requested + permissions granted + risk level at install time + scanner findings + registry/card/payload-manifest verification + the exact rollback command. The same receipt lifecycle covers no-payload seed packages and verified package-store installs.
5. Inspect and verify receipts
After an install, use the receipt lifecycle commands to list local receipts, inspect one receipt, verify its local evidence, and hand state to another agent.
apai receipts list apai receipts show rcpt_01HXY7G8K9M2P3Q4R5S6T7U8V9W apai receipts verify rcpt_01HXY7G8K9M2P3Q4R5S6T7U8V9W apai rollback coding-safe-mode --install-id rcpt_01HXY7G8K9M2P3Q4R5S6T7U8V9W --dry-run apai manifest coding-safe-mode --format json apai state inspect --format json --receipt-limit 10 --rollback-limit 10
Full command guide: /docs/receipts.
6. Inspect the dashboard
See your installed packages, install timeline, receipts, applied policies, workspace settings, and billing tier at /app. v0.1 renders realistic demo data; the shape matches what Phase 4 will pull from your real workspace.
Next steps
- Integrations: wire APAI into LangChain, CrewAI, Continue.dev, Claude Code, Codex, Cursor.
- Security model: how the Capability Passport, scanner, MCP Gateway, and policy packs combine.
- Deployment patterns: local-tool vs. cloud-sandbox vs. remote-connector install modes; when to use each.
- Specs: the formal Manifest, Capability Passport, Install Receipt, Policy Pack, and Install Card protocols.