Roadmap — Now / Next / Later

[danielmeppiel]

Last updated: 19th March 2026

Public view of where APM is heading. Updated periodically by maintainers.

How this works: Roadmap priorities are shaped collaboratively by maintainers and community feedback. React with 👍 on linked issues to signal demand. File new ideas as Issues.

---

Now

• Org-level policy engine — apm audit --ci --policy, schema, discovery, inheritance #365
• Multi-org manifest authorization #327
• Security hardening — dependency path validation, content scanning improvements #364

Next

• Policy engine Phase 2 — install-time enforcement + required package injection
• Semver pin ranges on dependencies (e.g., >=1.0.0 <2.0.0)
• Auto-install on clone — post-clone hook / git template integration
• Auto-create target directories on install (.cursor/, .opencode/, etc.)
• Content integrity hashing in lockfile — SHA-256 #315
• Extended MCP server configuration #20
• Transitive dependency materialization #114
• Container image distribution #326

Later

• User-level global config — dotfiles / ~/.config/apm/ for personal agent packages across machines
• Scoop auto-update #245
• Windows Phase 3 — native packaging #244
• SSH shorthand for private repos #328

---

Recently shipped (v0.7.7 → v0.8.2)

• ✅ Native Cursor IDE integration — rules, agents, skills, hooks, MCP #301
• ✅ Native OpenCode integration — agents, commands, skills, MCP — inspired by @timvw #306
• ✅ Content security scanning + apm audit — hidden Unicode detection, Glassworm vector, SARIF/JSON/Markdown output #313 #321 #330
• ✅ Diff-aware apm install — manifest as source of truth, self-correcting drift #260
• ✅ Windows native support — Phase 1 & 2, cross-platform runtime, PowerShell helpers — by @sergio-sisternes-epam #227
• ✅ JFrog Artifactory VCS repository support — FQDN, transparent proxy, air-gapped mode — by @chkp-roniz #354
• ✅ ${input:...} variable resolution for MCP server configuration — by @sergio-sisternes-epam #344
• ✅ Local filesystem path dependencies #270
• ✅ Version pinning guidance and CLI visibility #340
• ✅ Lockfile renamed to apm.lock.yaml for IDE syntax highlighting #280
• ✅ Dependency path validation hardening #364
• ✅ File-level downloads from private repos via OS credential helpers #332
• ✅ GHE custom domain host preservation in lockfile #338

Previously shipped (v0.7.4 → v0.7.6)

• ✅ Hooks as a first-class agent primitive #96
• ✅ Plugin management system #83
• ✅ apm pack / apm unpack — portable, target-specific bundles #218
• ✅ InstructionIntegrator — deploy .instructions.md to .github/instructions/ #112
• ✅ Generic git URL support — GitLab, Bitbucket, self-hosted #72 #133 #134
• ✅ Transitive MCP dependency propagation #121 #132
• ✅ Unified deployed_files manifest #163
• ✅ Performance optimization for deep dependency trees #171
• ✅ Microsoft Open Source org migration and compliance

[OrenMe]

This looks awesome!
How does this compare to the new plugin marketplace? I see there are many things here that improve workflows but there is some ambiguity

Would love to hear your thoughts

[danielmeppiel]

@OrenMe My point of view is that the plugin reference is a packaging standard. To APM that's just another packaging format for agent primitives. Current thinking is that "apm install" should work with plugins too, and add them as dependencies in the manifest.

[OrenMe]

Thanks for the explanation @danielmeppiel
Makes a lot of sense although I assume it will be challenging to support multiple packaging formats

I really love this project challenge - I see strange governance models hacks emerging due to lack of such a tool
Example:

1. Creating single repo with all tools and pulling it as git sub module - and then needing to re wire the path settings cause it is not standard for copilot in vscode and cli
2. Creating single repo with all tools and then creating a vscode workspace and pulling there the products/apps repos and the tools repo and then re wiring the copilot paths as well - and this is even worse IMO then option 1 cause the workspace config cannot be git managed

So this project really allows governance, distribution and versioning management

[danielmeppiel]

Roadmap refreshed — 19th March 2026

Major update to reflect where APM stands today after six releases (v0.7.7 → v0.8.2):

Now: Org-level policy engine (apm audit --ci --policy), multi-org authorization, security hardening.

New in Next (shaped by community feedback): semver pin ranges, auto-install on clone, auto-create target directories, container image distribution.

Recently shipped: Cursor + OpenCode native integration, content security scanning with Glassworm detection, diff-aware install, Windows native support, JFrog Artifactory, and more — see the updated list above.

As always, 👍 issues to signal demand. New ideas welcome as Issues.