Apm
apm (advanced password manager) is a command-line password management tool built on AES-256-GCM, Argon2id and random salts.
Install / Use
README
APM is a professional-grade, zero-knowledge command-line interface (CLI) for managing high-sensitivity credentials. Engineered for cryptographic performance and organizational scalability, it features a dual-engine architecture supporting both individual privacy and team-based collaboration.
Table of Contents
- Table of Contents
- 1. Security Architecture
- 2. Core Technical Specifications
- 3. Comprehensive Command Glossary
- 4. MCP Server (Model Context Protocol)
- 5. Team Edition (pm-team)
- 6. Supported Secret Types
- 7. Plugin Architecture
- 8. Policy Engine & Compliance
- 9. Installation and Deployment
- 10. Contact & Support
- 11. Development & Contributing
- 12. Cloud Synchronization Matrix
- 13. AI Usage
- 14. Version System For Contributors
1. Security Architecture
APM uses industry-standard, high-performance cryptographic primitives designed to withstand modern attack vectors, including high-end GPU clusters and dictionary attacks.
1.1 Key Derivation: Argon2id
The master password is never stored. Keys are derived using Argon2id, the winner of the Password Hashing Competition.
- Memory-Hard: Resistant to GPU/ASIC cracking by requiring significant RAM (default: 64 MB, configurable up to 512 MB).
- Three-Layer Derivation: Derives 96 bytes of key material, split into distinct 32-byte keys for Encryption, Authentication, and internal Validation.
1.2 Authenticated Encryption: AES-256-GCM and XChaCha20-Poly1305
Confidentiality and integrity are provided by a profile-selected AEAD cipher: AES-256-GCM or XChaCha20-Poly1305.
- Authenticated Encryption: The active AEAD ensures data hasn't been modified.
- Double-Layer Integrity: Extra protection with an HMAC-SHA256 signature over the entire vault file, derived from the master password.
- Vault V4 Format: Includes an unencrypted (but signed) metadata header for identity verification and recovery coordination.
- Nonce Integrity: Every save operation generates a unique nonce to prevent replay attacks and pattern analysis.
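To make the 1.1 key split and the 1.2 file layout concrete, here is an added Go example (not APM's own code) that cuts 96 bytes of key material into the three keys, seals a vault as header || nonce || AES-256-GCM ciphertext || HMAC-SHA256 tag, and refuses to decrypt a file whose header or ciphertext was edited. It assumes the Argon2id output is already in hand (the KDF call is not shown), the Standard profile's 12-byte nonce, and a constructed 4-byte header; the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Keys is the README's three-layer split: 96 bytes of KDF output as three 32-byte keys.
type Keys struct{ Enc, Auth, Validation []byte }

// SplitKeyMaterial takes the 96-byte KDF output (the Argon2id call itself is assumed).
func SplitKeyMaterial(km [96]byte) Keys {
	return Keys{Enc: km[:32], Auth: km[32:64], Validation: km[64:]}
}

// Seal writes header || nonce || AES-256-GCM ciphertext || HMAC-SHA256 tag. The nonce is
// fresh per call (unique nonce per save); the HMAC covers the whole file, header included.
func Seal(k Keys, header, plaintext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(k.Enc) // Enc is always 32 bytes, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := append(append(append([]byte{}, header...), nonce...), gcm.Seal(nil, nonce, plaintext, header)...)
	mac := hmac.New(sha256.New, k.Auth)
	mac.Write(body)
	return mac.Sum(body), nil
}

// Open verifies the file-level HMAC (constant-time) first, then GCM's own tag.
func Open(k Keys, headerLen int, vault []byte) ([]byte, error) {
	block, _ := aes.NewCipher(k.Enc)
	gcm, _ := cipher.NewGCM(block)
	if len(vault) < headerLen+gcm.NonceSize()+sha256.Size {
		return nil, errors.New("vault too short")
	}
	body, tag := vault[:len(vault)-sha256.Size], vault[len(vault)-sha256.Size:]
	mac := hmac.New(sha256.New, k.Auth)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("vault HMAC mismatch: file was tampered with")
	}
	header, rest := body[:headerLen], body[headerLen:]
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], header)
}
```

The header is also passed to GCM as associated data, so even without the outer HMAC a header edit would fail the AEAD tag check; the HMAC adds the second, file-wide layer the README describes.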
1.3 Secure Recovery & Identity Verification
APM features a robust recovery engine designed for zero-knowledge environments.
- Email OTP Verification: 6-digit cryptographically generated email verification codes with strict 15-minute expirations.
- Hashed Validation: Verification codes are compared in hashed form (SHA-256) and never persisted in plaintext.
- Recovery Key Obfuscation: XOR-obfuscation for recovery keys stored in the vault, preventing simple memory dumps from exposing them.
- Quorum Recovery Shares: Optional threshold recovery with trustee shares (`pm auth quorum-setup`, `pm auth quorum-recover`).
- WebAuthn Passkeys: Optional passkey recovery factor via a local browser ceremony (`pm auth passkey register`).
- One-Time Recovery Codes: Optional single-use recovery codes (`pm auth codes generate`).
- DEK Unlocking: Recovery key verification gates DEK unlock; email OTP plus optional second factors complete the identity checks.
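An added example (not the project's code) of the 1.3 email-OTP flow: a 6-digit code drawn from crypto/rand, persisted only as its SHA-256 hash with a 15-minute expiry, and verified with an expiry check followed by a constant-time hash compare. The type and function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OTPRecord is what gets persisted: only the SHA-256 of the code and its expiry,
// never the plaintext code (README 1.3, "Hashed Validation").
type OTPRecord struct {
	Hash   [32]byte
	Expiry time.Time
}

const otpTTL = 15 * time.Minute // the README's strict 15-minute expiration

// IssueOTP draws a uniformly random 6-digit code (rand.Int avoids modulo bias)
// and returns the code to be emailed plus the record to store.
func IssueOTP(now time.Time) (string, OTPRecord, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", OTPRecord{}, err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	return code, OTPRecord{Hash: sha256.Sum256([]byte(code)), Expiry: now.Add(otpTTL)}, nil
}

// VerifyOTP checks expiry first, then compares hashes in constant time so that
// timing does not leak how much of the guess matched.
func VerifyOTP(rec OTPRecord, guess string, now time.Time) error {
	if !now.Before(rec.Expiry) {
		return errors.New("verification code expired")
	}
	h := sha256.Sum256([]byte(guess))
	if subtle.ConstantTimeCompare(h[:], rec.Hash[:]) != 1 {
		return errors.New("verification code mismatch")
	}
	return nil
}
```

Because a 6-digit code has only one million possible values, the stored hash protects against plaintext exposure but not against offline guessing by whoever reads the record; the short expiry and a verification attempt limit are what bound that.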
1.4 Threat Model Summary
| Vector | Status | Mitigation |
| ------------------- | ------------- | ----------------------------------------------------------------- |
| Offline Brute-Force | Protected | Argon2id high-cost derivation. |
| Vault Tampering | Protected | HMAC-SHA256 integrity signature across all metadata. |
| Credential Theft | Protected | Cloud tokens are encrypted inside the vault. |
| Identity Spoofing | Protected | Multi-factor recovery (Email -> Recovery Key -> OTP -> Optional 2nd factor). |
| Session Hijacking | Protected | Shell-scoped sessions (APM_SESSION_ID) and inactivity timeouts. |
| Weak Passwords | Controlled | Enforceable password policies via YAML Policy Engine. |
| Compromised Host | Not Protected | Outside the security boundary (Keyloggers/Malware). |
2. Core Technical Specifications
2.1 Performance Profiles
Users can select from pre-defined encryption profiles via `pm profile set` to balance security against unlock latency; custom profiles can also change the encryption method.
| Profile  | Memory     | Time | Parallelism | Nonce Size |
| -------- | ---------- | ---- | ----------- | ---------- |
| Standard | 64 MB      | 3    | 2           | 12 bytes   |
| Hardened | 256 MB     | 5    | 4           | 12 bytes   |
| Paranoid | 512 MB     | 6    | 4           | 24 bytes   |
| Legacy   | 0 (PBKDF2) | 600k | 1           | 12 bytes   |
3. Comprehensive Command Glossary
3.1 Personal Edition (pm)
The personal edition focuses on local-first security and privacy with native multi-cloud synchronization.
| Command | Category | Description |
| :---------- | :--------- | :--------------------------------------------------------------------- |
| setup | Lifecycle | Guided setup for vault creation, profile selection, spaces, plugins, and cloud sync. |
| add | Mutation | Interactive menu to store any of the 22 supported secret types. |
| get [q] | Retrieval | Fuzzy search and display entry details. Use --show-pass for secrets. |
| edit [n] | Mutation | Interactive modification of existing entry metadata. |
| del [n] | Mutation | Permanent deletion of an entry from the vault. |
| gen | Utility | High-entropy password generator. |
| totp | Security | Interactive 2FA list, copy, and persistent ordering. |
| unlock | Session | Starts a session-scoped unlock instance with inactivity timeout. |
| lock | Session | Immediately terminates and wipes the active session. |
| session | Session | Issue/list/revoke ephemeral, context-bound delegated sessions. |
| auth | Account | Manage the account email, password reset, password change, and recovery. |
| cloud | Sync | Google Drive, GitHub, & Dropbox integration for cross-device syncing. |
| space | Org | Manage isolated compartments (e.g., Work, Personal, DevOps). |
| mcp | Agentic | Connect AI agents to your vault via Model Context Protocol. |
| health | Audit | Dashboard with security scoring and vulnerability reporting. |
| trust | Audit | Per-secret trust scoring with risk-level reasons. |
| audit | History | Tamper-evident log of every vault interaction. |
| import | IO | Ingest data from external files (JSON, CSV, KDBX). |
| export | IO | Securely dump vault data to encrypted or plaintext formats. |
| policy | Compliance | Load and enforce YAML-based password requirement policies. |
| plugins | Extension | Manage manifest plugins, marketplace actions, and permissions. |
| info | System | Display version, install path, and environment details. |
| cinfo | Crypto | Inspection of current vault cryptographic parameters. |
| update | System | Automated self-update engine to fetch the latest builds. |
4. MCP Server (Model Context Protocol)
APM includes a native MCP server for integration with AI assistants (Claude Desktop, Cursor, etc.). This allows AI agents to read your vault entries, search for credentials, and even retrieve TOTP codes securely if granted permission.
Mutation tools (add_entry, edit_entry, delete_entry) now su
