install#
Resolve and download tools declared in an agent manifest and make them runnable from your app.
Overview#
agentpm install reads your agent.json (kind=agent), resolves the tool versions, downloads artifacts, and prepares them for execution in managed subprocesses.
Command synopsis#
agentpm install [<spec>] [--manifest <path>] [--frozen] [--refresh] [--update-range] [--require_attestation] [--quiet] [--token <PAT>]Arguments#
spec(optional). Install a specific tool by spec, e.g.@namespace/name@0.1.2or@namespace/name@^1.2. Adds/updates the entry inagent.json → tools[]and installs it.--manifest <path>(default:agent.json). Path to the agent manifest to read/write.--frozen. Fail if anything would change the resolved set (no re-resolution or lock updates).--refresh. Force re-resolution and re-download even if everything looks satisfied locally (bypass caches).--update-range. Ifspecconflicts with the current range inagent.json, update the range in the manifest to match the requested spec.--require_attestation— Fail install if any resolved artifact is missing a registry attestation signature (supply-chain enforcement).--quiet. Reduce output noise (spinner/logs).--token <PAT>(env:AGENTPM_TOKEN). Personal Access Token for headless auth (overrides env/file).
Scope
agentpm install currently supports kind: "agent" manifests only. Running it on a kind: "tool" manifest will error.
Token resolution order
flag (--token) > env (AGENTPM_TOKEN) > token file (written by agentpm login).
Examples#
Install all tools declared in the manifest#
agentpm installSample output:
• Reading credentials…
✓ Reading credentials (0ms)
• Resolving versions…
✓ Resolving versions (10ms)
• Requesting download URLs…
✓ Requesting download URLs (50ms)
• Downloading tools…
✓ Downloading tools (1ms)
• Finalizing install…
✓ Finalizing install (10ms)
Installed ✓Add + install a specific tool by spec#
agentpm install @zack/summarize@0.1.2
# writes/updates the entry in agent.json → tools[] and installs the artifactRe-resolve and re-download everything#
agentpm install --refreshPrevent any changes to the resolved set#
agentpm install --frozen
# exits with an error if resolution would changeUpdate the manifest’s version range to match your spec#
agentpm install @zack/summarize@0.1.2 --update-rangeWhat install does#
- Reads credentials and your
agent.json. - Resolves versions (respecting exact pins or semver ranges).
- Fetches download URLs and downloads artifacts.
- Writes updates when installing via spec (adds/updates in
tools[]).
Install locations
- Prepared tools:
.agentpm/tools/<namespace>/<name>/<version> - Download cache (tgz artifacts):
.agentpm/cache(used unless you pass--refresh)
Lockfile (agent.lock)#
agentpm install writes a lockfile at the project root to guarantee repeatable installs across machines and CI.
Example:
{
"dependencies": {
"@zack/summarize": {
"integrity": "dd58…ae6d",
"version": "0.1.2"
}
},
"generated": "2025-09-27T00:09:28.488662Z",
"lockfile_version": 1
}What’s in it
dependencies— the exact versions resolved for each tool.integrity— a cryptographic checksum of the artifact used to verify content.generated— timestamp for traceability.lockfile_version— format version (may evolve over time).
How it’s used
- On install, the lockfile pins versions and checksums.
--frozenwill fail if the resolved set would change (protects CI from drift).--refreshre-resolves and re-downloads; if versions change (e.g., semver ranges), the lockfile is updated accordingly.
Best practices
- Commit
agent.lockto version control. - Don’t edit it by hand—change
agent.json(or pass a spec) and re-runagentpm install. - Use exact pins for production; if using ranges, combine with
--frozenin CI.
Verify registry attestation on install#
Ensure every artifact you pull has a registry attestation:
agentpm install --require_attestation- Fails the install if any resolved artifact lacks the registry’s attested signature.
- Works alongside your normal resolution/lockfile flow.
- Use in CI and production to prevent un-attested packages from entering your environment.
Common flows#
- Declared in manifest → install all
# agent.json already has tools[] entries
agentpm install- Ad-hoc add a tool
agentpm install @namespace/my-tool@0.3.1
# now present in tools[] and installed- Pin vs range
- Use exact pins (
0.1.2) for reproducibility.
- Use exact pins (
Verify your install#
# Check that artifacts exist
ls -R .agentpm/tools
# Optional: run your host app and call the tool;
# tools execute in managed subprocesses, isolated from host deps.Errors & troubleshooting#
- “supports kind=agent only.”. You ran
installin akind: "tool"project. Useagentpm init --kind agent …for agents, and declare tools there. - Frozen mismatch. If
--frozenfails, you’re attempting to change the resolved set. Remove--frozenor commit the intended updates first. - Stale cache. If you suspect a bad/corrupt artifact or want to force re-fetch, use
--refresh.
Recommended workflow#
- Declare tools in
agent.json → tools[]or install viaagentpm install @namespace/name@version. - Run
agentpm installlocally; commit manifest changes. - In CI, run:
agentpm lint --strict
agentpm install --frozen --quiet