Concepts

Deep technical explanations of how APM works under the hood. Each page covers the theory, design decisions, and internal mechanics of a core subsystem.


Architecture

The four-layer design of APM: CLI layer, domain layer, integration layer, and extension layer.

Encryption

Argon2id key derivation, AES-GCM and XChaCha20-Poly1305 support, HMAC-SHA256 integrity, nonce handling, and the DEK recovery slot.

Vault Format

The V4 binary format specification: APMVAULT header, encrypted body, HMAC-SHA256 integrity tag, and recovery metadata.

Secret Types

All 25+ structured entry types with their field schemas, validation, and display logic.

Security Profiles

Standard, Hardened, Paranoid, and Legacy profiles — their Argon2id parameters, hardware requirements, and auto-detection.

Policy Engine

YAML-based password and rotation policies with classification levels and enforcement.

Sessions

Shell-scoped sessions, ephemeral delegated sessions, and their security boundaries.

Cloud Synchronization

Provider comparison, OAuth2 vs PAT, retrieval key mechanics, metadata consent, and end-to-end encryption guarantees.

Plugins

Manifest-based architecture, 100+ permissions, step executor, hook lifecycle, and marketplace.

MCP Server

Model Context Protocol internals — permission scopes, transaction guardrails, and token lifecycle.

Recovery

Multi-factor recovery: email OTP, recovery keys, Shamir secret sharing, WebAuthn passkeys, and recovery codes.