From 1a9a4cd4e3f520e6ac1d8bfb381e9f54eb0b819b Mon Sep 17 00:00:00 2001
From: danielmeppiel
Date: Thu, 23 Apr 2026 01:03:09 +0200
Subject: [PATCH] docs(landing): align with three-pillar spine (Portable / Secure / Governed)

The landing page was still describing APM purely as a portability story. After PR #851 elevated governance and security to first-class pillars in the README, the docs landing didn't match.

- Rewrite intro to the same Portable/Secure/Governed framing as README
- Replace 'Dependencies That Resolve' card with 'Governed by policy' (transitive resolution is now mentioned inside the portability card)
- Rename 'Supply Chain Security' -> 'Secure by default' and tighten copy to match what install scanners actually cover (hidden Unicode, not PI)
- Link governance card to the new flagship Governance Guide
- Mention apm.lock.yaml explicitly inside the portability card

No structural changes -- still 4 cards, same hero, same Quick Start, same example block.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 docs/src/content/docs/index.mdx | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/docs/src/content/docs/index.mdx b/docs/src/content/docs/index.mdx
index e7565cede..88bf50459 100644
--- a/docs/src/content/docs/index.mdx
+++ b/docs/src/content/docs/index.mdx
@@ -20,22 +20,22 @@ import { Card, CardGrid, Tabs, TabItem } from '@astrojs/starlight/components'; **An open-source dependency manager for AI agents.** Think `package.json`, `requirements.txt`, or `Cargo.toml` — but for AI agent configuration. -AI coding agents need context and capabilities to be useful — instructions, skills, prompts, plugins, MCP servers. But today, every developer configures theirs differently. Copying files, writing instructions from scratch, sharing knowledge in Slack threads. None of it is portable. None of it is versioned. +AI coding agents need context and capabilities to be useful — instructions, skills, prompts, plugins, MCP servers. But today every developer configures theirs differently. Nothing is portable. Nothing is reproducible. Nothing is governed. -APM fixes this. You declare your project's agent configuration once in `apm.yml` — skills, prompts, instructions, agents, hooks, plugins, MCP servers — and every developer who clones your repo gets a fully configured agent setup in seconds. New developer joins the team? `git clone`, `cd`, `apm install`. Done. +APM fixes this. You declare your project's agent configuration once in `apm.yml` — and every developer who clones your repo gets a fully configured agent setup in seconds, locked to exact versions, scanned for hidden threats, and gated by the policies your organization defines. - - `apm.yml` declares skills, instructions, prompts, agents, hooks, plugins, and MCP servers — deployed to Copilot, Claude Code, Cursor, OpenCode, and Codex from a single source of truth. + + One `apm.yml` declares skills, instructions, prompts, agents, hooks, plugins, and MCP servers. Transitive dependencies resolve like npm or pip; `apm.lock.yaml` pins exact versions for reproducible installs across Copilot, Claude Code, Cursor, OpenCode, and Codex. - - Packages depend on packages. APM resolves the full tree — transitive dependencies just work, like npm or pip. 
+ + Skills, prompts, instructions, hooks — everything agents execute is an attack surface. `apm install` scans packages for hidden Unicode and other tampering before they reach your agents; `apm audit` reports the full chain of trust. - - Install from GitHub, GitLab, Bitbucket, Azure DevOps, GitHub Enterprise, or any self-hosted git server. + + `apm-policy.yml` lets platform teams allow-list dependencies, restrict deploy targets, and enforce trust rules at install time — across every repo, from a single source of truth. See the [Governance Guide](/apm/enterprise/governance-guide/). - - Skills, prompts, instructions, hooks — everything agents execute is an attack surface. APM scans packages before deployment, blocking threats before they reach your agents. + + Install from GitHub, GitLab, Bitbucket, Azure DevOps, GitHub Enterprise, or any self-hosted git server. No registry to run, no central service to depend on.
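
Review bot: The added security copy still claims more than the commit message says the install scanners cover: the intro's "scanned for hidden threats" and the card's "hidden Unicode and other tampering" are both broader than "hidden Unicode, not PI". Suggest naming the check precisely in both places (for example "scanned for hidden Unicode") and either dropping "and other tampering" or listing what else is detected, so a reader does not assume prompt-injection coverage from the landing page. The same applies to "`apm audit` reports the full chain of trust" in the same card: say what the report contains or link to the page that defines it, the way the governance card links to the Governance Guide.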