1 Purpose
The APAI Manifest declares a package's identity, version, dependencies, target platforms, declared permissions, security posture, install modes, and rollback strategy. It is the contract between a package publisher and any environment that installs the package.
Every APAI package has exactly one manifest at its repository root or registry entry. The manifest must validate against the JSON Schema at /schemas/apai.manifest.schema.json (lands in Day 2 build).
2 Example
```yaml
schema: apai.manifest.v0.1
name: example-package
version: 0.1.0
publisher: example-publisher
summary: One-sentence description of what this package does.
type: workflow
license: proprietary-preview
entrypoints:
  llm_install_card: https://apai.run/packages/example-package/llms.txt
  repo: https://github.com/example-publisher/example-package
  codex_skill: integrations/codex-skill/SKILL.md
supports:
  prompt_install:
    - chatgpt
    - claude
    - gemini
    - grok
  native_install:
    - codex
    - claude_code
    - gemini_cli
    - cursor
    - local_cli
  remote_connector_future:
    - openai_apps_sdk
    - claude_remote_mcp
    - xai_remote_mcp
permissions:
  secrets_required: false
  paid_api_calls: false
  external_send: false
  file_write: optional_transcript_only
  network_access: documented_install_urls_only
  memory_write: false
  spend_limit_required: false
security:
  signature_required: false
  prompt_injection_scan: required
  hidden_unicode_scan: required
  dependency_scan: required
  human_approval_required_for:
    - destructive_actions
    - external_send
    - credential_request
    - production_deploy
rollback:
  strategy: remove_installed_adapter_files
  receipt_required: true
```
3 Required fields
| Field | Type | Req | Description |
|---|---|---|---|
| schema | string | yes | Must be "apai.manifest.v0.1" exactly. |
| name | string | yes | Package slug. Lowercase, hyphen-separated, 3-40 chars. |
| version | string | yes | SemVer-compatible. Pre-release tags allowed. |
| publisher | string | yes | Publisher slug. Must match registered publisher identity. |
| summary | string | yes | Single-sentence description, 10-160 chars. |
| type | enum | yes | One of: prompt-preflight, cost-guard, mcp-audit, passport-generator, workflow, policy-pack, skill-pack. |
| license | string | yes | SPDX identifier or explicit "proprietary" / "proprietary-preview". |
| entrypoints | object | yes | Map of entrypoint kinds to URLs or paths. Must include llm_install_card. |
| supports | object | yes | Declared platform support across prompt_install, native_install, remote_connector_future. |
| permissions | object | yes | Boolean and string flags describing declared capabilities. |
| security | object | yes | Scanner requirements and approval triggers. |
| rollback | object | yes | Rollback strategy and whether a receipt is required. |
4 Permissions field semantics
The permissions block is what gets rendered into the Capability Passport. Every key must be present and explicitly set, even when the answer is the empty / default option. Implicit defaults are not permitted: the goal is that a human reading the manifest can see exactly what the package claims it can do, with no inference. A missing key is therefore a validation error, not a "false".
```
permissions:
  secrets_required: false | true | string-describing-what-secret
  paid_api_calls: false | true | string-describing-which-API
  external_send: false | true | string-describing-where
  file_write: false | true | string-describing-what-files
  network_access: false | true | string-describing-which-endpoints
  memory_write: false | true | string-describing-which-store
  spend_limit_required: false | true
```
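The rules from the Required fields table and the no-implicit-defaults rule for permissions, encoded as an added example validator. This is not the project's own code and it does not replace the JSON Schema the page points to; it spells the prose rules out so that the failure cases are visible. Several details are assumptions made here: the slug and SemVer regexes, treating each supports kind as a list of platform ids, and rejecting permission strings that merely spell a boolean (such as "false"), which the page's "string describing what" wording does not cover explicitly. The manifest from the Example section is transcribed as a Python mapping so the script runs without a YAML loader; the two broken variants are constructed for the demonstration.

```python
"""APAI manifest field checks. Added example, not the project's validator; the
JSON Schema the page references is authoritative."""
import copy, re

SCHEMA_ID = "apai.manifest.v0.1"
TYPES = {"prompt-preflight", "cost-guard", "mcp-audit", "passport-generator",
         "workflow", "policy-pack", "skill-pack"}
REQUIRED_TOP = ("schema", "name", "version", "publisher", "summary", "type",
                "license", "entrypoints", "supports", "permissions", "security", "rollback")
PERMISSION_KEYS = ("secrets_required", "paid_api_calls", "external_send", "file_write",
                   "network_access", "memory_write", "spend_limit_required")
SUPPORT_KINDS = {"prompt_install", "native_install", "remote_connector_future"}
# Assumed readings of "lowercase, hyphen-separated" and "SemVer-compatible".
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")
SEMVER_RE = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
                       r"(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
BOOL_WORDS = {"true", "false", "yes", "no", "on", "off"}


def _is_declaration(value):
    """A bool, or a non-empty descriptive string. Rejecting strings that merely spell
    a boolean (e.g. "false") is an added check: rendered into the passport, such a
    value would be a claim with no readable meaning."""
    if isinstance(value, bool):
        return True
    return isinstance(value, str) and value.strip() != "" and value.strip().lower() not in BOOL_WORDS


def validate_manifest(m):
    """Return the list of violations; an empty list means the manifest passes."""
    if not isinstance(m, dict):
        return ["manifest must be a mapping"]
    errors = [f"missing required field: {k}" for k in REQUIRED_TOP if k not in m]
    if errors:
        return errors  # the checks below assume every required field is present
    if m["schema"] != SCHEMA_ID:
        errors.append(f"schema must be {SCHEMA_ID!r}, got {m['schema']!r}")
    if not (isinstance(m["name"], str) and 3 <= len(m["name"]) <= 40 and SLUG_RE.match(m["name"])):
        errors.append(f"name {m['name']!r} is not a 3-40 char lowercase hyphenated slug")
    if not (isinstance(m["version"], str) and SEMVER_RE.match(m["version"])):
        errors.append(f"version {m['version']!r} is not SemVer")
    if not (isinstance(m["summary"], str) and 10 <= len(m["summary"]) <= 160):
        errors.append("summary must be 10-160 characters")
    if m["type"] not in TYPES:
        errors.append(f"type {m['type']!r} is not a known package type")
    if not (isinstance(m["license"], str) and m["license"]):
        errors.append("license must be a non-empty string")  # no SPDX list lookup here
    if not (isinstance(m["entrypoints"], dict) and "llm_install_card" in m["entrypoints"]):
        errors.append("entrypoints must be a mapping that includes llm_install_card")
    sup = m["supports"]
    if not (isinstance(sup, dict) and set(sup) <= SUPPORT_KINDS and all(
            isinstance(v, list) and all(isinstance(p, str) for p in v) for v in sup.values())):
        errors.append("supports must map known install kinds to lists of platform ids")
    perms = m["permissions"]
    if not isinstance(perms, dict):
        errors.append("permissions must be a mapping")
    else:  # every key present and explicit: a missing key is an error, never "false"
        for key in PERMISSION_KEYS:
            if key not in perms:
                errors.append(f"permissions.{key} missing (implicit defaults not permitted)")
            elif key == "spend_limit_required" and not isinstance(perms[key], bool):
                errors.append("permissions.spend_limit_required must be a boolean")
            elif not _is_declaration(perms[key]):
                errors.append(f"permissions.{key}={perms[key]!r} is not a bool or description")
        errors += [f"permissions: unknown key {k!r}" for k in perms if k not in PERMISSION_KEYS]
    rb = m["rollback"]
    if not (isinstance(rb, dict) and isinstance(rb.get("strategy"), str)
            and isinstance(rb.get("receipt_required"), bool)):
        errors.append("rollback needs a string strategy and a boolean receipt_required")
    return errors


# The Example section above as a mapping (what yaml.safe_load returns for the file).
EXAMPLE_MANIFEST = {
    "schema": "apai.manifest.v0.1", "name": "example-package", "version": "0.1.0",
    "publisher": "example-publisher", "type": "workflow", "license": "proprietary-preview",
    "summary": "One-sentence description of what this package does.",
    "entrypoints": {"llm_install_card": "https://apai.run/packages/example-package/llms.txt",
                    "repo": "https://github.com/example-publisher/example-package",
                    "codex_skill": "integrations/codex-skill/SKILL.md"},
    "supports": {"prompt_install": ["chatgpt", "claude", "gemini", "grok"],
                 "native_install": ["codex", "claude_code", "gemini_cli", "cursor", "local_cli"],
                 "remote_connector_future": ["openai_apps_sdk", "claude_remote_mcp", "xai_remote_mcp"]},
    "permissions": {"secrets_required": False, "paid_api_calls": False, "external_send": False,
                    "file_write": "optional_transcript_only", "memory_write": False,
                    "network_access": "documented_install_urls_only", "spend_limit_required": False},
    "security": {"signature_required": False, "prompt_injection_scan": "required",
                 "hidden_unicode_scan": "required", "dependency_scan": "required",
                 "human_approval_required_for": ["destructive_actions", "external_send",
                                                 "credential_request", "production_deploy"]},
    "rollback": {"strategy": "remove_installed_adapter_files", "receipt_required": True},
}


def check_variants():
    """Validate the page's example and two deliberately broken copies (constructed)."""
    missing = copy.deepcopy(EXAMPLE_MANIFEST)
    del missing["permissions"]["memory_write"]         # must be rejected, not defaulted to false
    stringy = copy.deepcopy(EXAMPLE_MANIFEST)
    stringy["permissions"]["external_send"] = "false"  # a string that only spells a boolean
    stringy["version"] = "1.0"                         # not three-part SemVer
    return {"example": validate_manifest(EXAMPLE_MANIFEST),
            "missing_key": validate_manifest(missing), "stringy": validate_manifest(stringy)}
```

Call `check_variants()` to see the three outcomes side by side: the transcribed example passes, the copy with `memory_write` removed fails with a single error naming the missing key, and the copy with `external_send: "false"` and `version: "1.0"` fails on both. In practice `validate_manifest` would take whatever `yaml.safe_load` returns for the manifest file, and would run before, not instead of, validation against the published JSON Schema.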
5 Versioning
The manifest schema version is independent of the package version. Packages on a given manifest schema version (e.g. v0.1) are guaranteed to validate against that schema version's JSON Schema. Schema versions follow v0.<minor> until v1.0 ratification.
What this spec is NOT
- An execution contract. The manifest declares permissions; runtime enforcement is the responsibility of the APAI CLI, the policy pack engine, and the host environment.
- A signing or verification protocol. Publisher verification and package signing land in Phase 6.
- A SemVer policy. Packages use SemVer; this spec does not redefine how SemVer works.
- A license document. The license field is declarative; legal interpretation is between publisher and consumer.