APAI.runv0.1
Specs/APAI Manifest

APAI Manifest

v0.1
schema: apai.manifest.v0.1Draft - feedback welcome

1Purpose

The APAI Manifest declares a package's identity, version, source, wrapped installer evidence, target platforms, declared permissions, security posture, install modes, and rollback strategy. It is the contract between a package publisher and any environment that installs the package.

Every APAI package has exactly one manifest at its repository root or registry entry. The manifest must validate against the JSON Schema at /schemas/apai.manifest.schema.json before it can be trusted by APAI tooling.

2Example

schema: apai.manifest.v0.1
name: example-package
version: 0.1.0
publisher: example-publisher
summary: One-sentence description of what this package does.
type: workflow
license: proprietary-preview

source:
  type: apai
  reference: example-package
  url: https://apai.run/packages/example-package

wraps:
  installer: apai
  command:
    executable: apai
    args:
      - install
      - example-package
  execution_enabled_in_v01: false
  writes_files: false

entrypoints:
  llm_install_card: https://apai.run/packages/example-package/llms.txt
  repo: https://github.com/example-publisher/example-package
  codex_skill: integrations/codex-skill/SKILL.md

supports:
  prompt_install:
    - chatgpt
    - claude
    - gemini
    - grok
  native_install:
    - codex
    - claude_code
    - gemini_cli
    - cursor
    - local_cli
  remote_connector_future:
    - openai_apps_sdk
    - claude_remote_mcp
    - xai_remote_mcp

permissions:
  secrets_required: false
  paid_api_calls: false
  external_send: false
  file_write: optional_transcript_only
  network_access: documented_install_urls_only
  memory_write: false
  spend_limit_required: false

security:
  signature_required: false
  prompt_injection_scan: required
  hidden_unicode_scan: required
  dependency_scan: required
  human_approval_required_for:
    - destructive_actions
    - external_send
    - credential_request
    - production_deploy

rollback:
  strategy: remove_installed_adapter_files
  receipt_required: true

3Manifest fields

FieldTypeReqDescription
schemastringyesMust be "apai.manifest.v0.1" exactly.
namestringyesPackage slug. Lowercase, hyphen-separated, 3-40 chars.
versionstringyesSemVer-compatible. Pre-release tags allowed.
publisherstringyesPublisher slug. Must match registered publisher identity.
summarystringyesSingle-sentence description, 10-160 chars.
typeenumyesOne of: prompt-preflight, cost-guard, mcp-audit, passport-generator, workflow, policy-pack, skill-pack.
licensestringyesSPDX identifier or explicit "proprietary" / "proprietary-preview".
sourceobjectnoWhere the package is published or referenced from. External wrappers declare their upstream source here.
wrapsobjectnoStructured argv for the installer APAI wraps, records, or blocks. Never a shell string.
entrypointsobjectyesMap of entrypoint kinds to URLs or paths. Must include llm_install_card.
supportsobjectyesDeclared platform support across prompt_install, native_install, remote_connector_future.
permissionsobjectyesBoolean and string flags describing declared capabilities.
securityobjectyesScanner requirements and approval triggers.
rollbackobjectyesRollback strategy and whether a receipt is required.

4Source and wraps

The optional source block records where a package comes from. Native APAI packages use type: apai; wrapped external packages use the upstream ecosystem, such as npm, pip, gh, or gemini.

The optional wraps block declares the underlying installer command as structured argv. APAI records the command it would wrap and whether v0.1 execution is enabled. External package-manager execution remains blocked in v0.1 until passport, scanner, receipt, and rollback gates are complete.

source:
  type: npm
  reference: left-pad
  url: https://www.npmjs.com/package/left-pad

wraps:
  installer: npm
  command:
    executable: npm
    args:
      - install
      - left-pad
  execution_enabled_in_v01: false
  writes_files: false

5Permissions field semantics

The permissions block is what gets rendered into the Capability Passport. Every key must be present and explicitly set, even when the answer is the empty / default option. Implicit defaults are not permitted - the goal is that a human reading the manifest can see exactly what the package claims it can do, with no inference.

permissions:
  secrets_required: false | true | string-describing-what-secret
  paid_api_calls: false | true | string-describing-which-API
  external_send: false | true | string-describing-where
  file_write: false | true | string-describing-what-files
  network_access: false | true | string-describing-which-endpoints
  memory_write: false | true | string-describing-which-store
  spend_limit_required: false | true

6Versioning

The manifest schema version is independent of the package version. Packages on a given manifest schema version (e.g. v0.1) are guaranteed to validate against that schema version's JSON Schema. Schema versions follow v0.<minor> until v1.0 ratification.

What this spec is NOT

  • ·An execution contract. The manifest declares permissions; runtime enforcement is the responsibility of the APAI CLI, the policy pack engine, and the host environment.
  • ·A signing or verification protocol. Publisher verification and package signing land in Phase 6.
  • ·A SemVer policy. Packages use SemVer; this spec does not redefine how SemVer works.
  • ·A license document. The license field is declarative; legal interpretation is between publisher and consumer.