From aa96518d34ba6f488aa2ca9ce5698331c9000dea Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 6 Jul 2026 12:19:11 +0000 Subject: [PATCH] fix(agent-package-manager): clarify default transitive MCP server blocking behavior MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The APM homepage 'Secure by default' card explicitly states that apm install blocks transitive MCP servers by default unless they are explicitly declared in dependencies.mcp or trusted — no opt-in required. The previous SKILL.md (item 10) only mentioned Unicode/hash security scanning and omitted this default blocking behavior. Item 11 (policy) mentioned transitive MCP blocking only in the context of apm-policy.yml, which could mislead an agent into thinking blocking only applies when org policy is configured. Changes: - SKILL.md Step 3 item 10: add default transitive MCP blocking note - SKILL.md Step 3 item 11: clarify policy adds restrictions on top of default - manifest-and-lockfile.md: expand Policy governance section to distinguish the two-layer security model (default block + optional policy layer) Source: https://microsoft.github.io/apm/#secure-by-default Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- skills/agent-package-manager/SKILL.md | 4 ++-- .../references/manifest-and-lockfile.md | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/skills/agent-package-manager/SKILL.md b/skills/agent-package-manager/SKILL.md index a8a5e4f..21e2f2e 100644 --- a/skills/agent-package-manager/SKILL.md +++ b/skills/agent-package-manager/SKILL.md @@ -38,8 +38,8 @@ metadata: 7. If the repository needs MCP discovery or selection, use `apm mcp list`, `apm mcp search `, and `apm mcp show ` before editing MCP entries by hand. 8. If installation output reports collisions or skipped files, read `references/troubleshooting.md` before retrying with forceful options. 9. If the repository consumes packages from itself (self-referencing dependency), remind the user that changes must be committed and pushed before APM can fetch them. Read `references/troubleshooting.md` for the "Self-referencing dependencies" section. -10. Note that `apm install` scans packages for security threats before deployment, including hidden Unicode and content hash verification. If the scan raises warnings or blocks installation, address the flagged content rather than bypassing the check. - 11. If the repository is in an organization that enforces `apm-policy.yml`, policy is applied at install time and can block transitive MCP servers or restrict dependency sources. If install is blocked by policy, inspect the policy file or contact the org administrator; do not attempt to bypass the enforcement. +10. Note that `apm install` scans packages for security threats before deployment, including hidden Unicode and content hash verification. It also blocks transitive MCP servers by default unless they are explicitly declared in `dependencies.mcp` or trusted; no opt-in is required. If the scan raises warnings or blocks installation, address the flagged content rather than bypassing the check. + 11. If the repository is in an organization that enforces `apm-policy.yml`, policy is applied at install time and can add further restrictions on top of the default transitive MCP block, including restricting dependency sources. If install is blocked by policy, inspect the policy file or contact the org administrator; do not attempt to bypass the enforcement. **Step 4: Compile and validate only when it adds value** 1. Read `references/command-workflows.md` before changing compilation strategy or target selection. diff --git a/skills/agent-package-manager/references/manifest-and-lockfile.md b/skills/agent-package-manager/references/manifest-and-lockfile.md index 72750b6..0efb1b2 100644 --- a/skills/agent-package-manager/references/manifest-and-lockfile.md +++ b/skills/agent-package-manager/references/manifest-and-lockfile.md @@ -98,7 +98,12 @@ Operational consequences: ## Policy governance -`apm-policy.yml` is an optional file that applies install-time policy, including transitive MCP server gating. Inheritance flows enterprise → org → repo and is tighten-only (a downstream policy can only add restrictions, never relax them). +APM enforces two layers of MCP server security: + +1. **Default behavior (no configuration needed):** `apm install` blocks transitive MCP servers by default — any MCP server introduced by a package dependency but not explicitly listed in `dependencies.mcp` is blocked before it reaches disk. No opt-in is required. +2. **Policy layer (optional, org-level):** `apm-policy.yml` can add further restrictions on top of the default block, such as limiting which MCP registries or dependency sources are allowed. + +`apm-policy.yml` inheritance flows enterprise → org → repo and is tighten-only (a downstream policy can only add restrictions, never relax them). Key points: * Policy is enforced automatically at `apm install`; no extra command is needed.