APM Documentation ¶ APM (Advanced Password Manager) is a professional-grade, zero-knowledge command-line password manager built in Go. It provides encrypted-at-rest vault storage, multi-cloud synchronization, AI-agent integration via MCP, a Windows autofill daemon, a manifest-based plugin system, and organizational team support — all driven from a single CLI binary. Why APM? ¶ Zero-Knowledge Architecture — Your master password never leaves your machine. The vault is encrypted with Argon2id + AES-256-GCM and protected by HMAC-SHA256 integrity signatures. 25+ Secret Types — Passwords, TOTP, API keys, SSH keys, certificates, banking, medical records, legal contracts, documents with file attachments, and more — each with a structured schema. Multi-Cloud Sync — Native support for Google Drive, GitHub, and Dropbox. Your vault is uploaded as an encrypted blob; providers never see plaintext. AI-Agent Integration — Built-in MCP (Model Context Protocol) server lets AI assistants like Claude, Cursor, and Windsurf read and manage vault entries with permission-scoped, token-based access. Windows Autofill — A local daemon that detects credential forms and injects keystrokes via hotkey — no browser extension required. Plugin Ecosystem — Manifest-based plugins with 100+ granular permissions, a marketplace, and hook-based lifecycle integration. Team Edition — Multi-user credential sharing with RBAC, departments, and approval workflows. Quick Install ¶ macOS / Linux Windows PowerShell Build from Source curl -sSL https://raw.githubusercontent.com/aaravmaloo/apm/master/scripts/install.sh | bash Set-ExecutionPolicy Bypass -Scope Process -Force iwr https :// raw . githubusercontent . com / aaravmaloo / apm / master / scripts / install . ps1 -UseBasicParsing | iex git clone https://github.com/aaravmaloo/apm.git cd apm go build -o pm main.go For full installation details, see Installation . Quickstart ¶ # 1. Initialize a new vault (choose a security profile) pm init # 2. Unlock the vault to start a session pm unlock # 3. Add your first entry pm add # 4. Search and retrieve entries pm get github # 5. Generate a strong password pm gen # 6. Lock when done pm lock For a detailed walkthrough, see First Steps . How the Documentation Is Organized ¶ Getting Started ¶ Installation, first steps, and a feature overview to get productive quickly. Guides ¶ Practical how-to guides for day-to-day tasks: Managing your vault — Adding, searching, editing, and organizing entries Cloud synchronization — Setting up GDrive, GitHub, and Dropbox sync Using .apmignore — Controlling what gets uploaded to cloud providers Autofill on Windows — The autofill daemon and hotkey injection Generating TOTP codes — 2FA management and autofill linking Managing sessions — Unlock, lock, ephemeral sessions, and delegation Using plugins — Installing, managing, and creating plugins MCP integration — Connecting AI assistants to your vault Team edition — Organizational credential sharing Importing and exporting — JSON, CSV, and TXT import/export Concepts ¶ Deep technical explanations of how APM works: Architecture — The four-layer design Encryption — Argon2id, AES-256-GCM, HMAC-SHA256 Vault format — The V4 binary format specification Secret types — All 25+ structured entry types Security profiles — Standard, Hardened, Paranoid, Legacy Policy engine — YAML-based password and rotation policies Sessions — Shell-scoped and ephemeral delegated sessions Cloud synchronization — Provider comparison and sync mechanics Plugins — Plugin architecture and permission model MCP server — Model Context Protocol server internals Recovery — Multi-factor recovery, quorum shares, passkeys Reference ¶ Precise technical specifications: CLI reference — Every command, subcommand, and flag .apmignore reference — Format specification Storage reference — File locations and data layout Environment variables — All supported env vars Plugin API — Manifest schema and permissions catalog MCP tools — Tool schemas and permission requirements Policies — YAML policy schema and examples Team ¶ Team edition documentation for organizational deployments: RBAC and roles Departments Approval workflows Threat Model ¶ Vector Status Mitigation Offline Brute-Force Protected Argon2id high-cost derivation (up to 512 MB, 6 iterations) Vault Tampering Protected HMAC-SHA256 integrity signature across all metadata Credential Theft Protected Cloud tokens are encrypted inside the vault Identity Spoofing Protected Multi-factor recovery (Email → Recovery Key → OTP → Optional 2nd factor) Session Hijacking Protected Shell-scoped sessions ( APM_SESSION_ID ) and inactivity timeouts Weak Passwords Controlled Enforceable password policies via YAML Policy Engine Compromised Host Not Protected Outside security boundary (keyloggers, malware) Contact & Support ¶ Primary Maintainer : Aarav Maloo Security Alerts : aaravmaloo06@gmail.com GitHub Issues : aaravmaloo/apm/issues APM is open-source software licensed under the MIT License . Copyrig...