
GasPackᵐ
The missing package manager for Apps Script
Install, version, and ship reusable code the way every modern ecosystem does.
The Infrastructure
Write once.
Available everywhere.
How do you share libraries today? A cryptic script ID in a Slack message? A Stack Overflow answer from 2017? Every other ecosystem solved this a decade ago.
✓ Full CLI. Init, build, publish, install.
✓ Versioning and dependency management that actually works.
✓ Automated security scanning, provenance attestation, and signed publishers.
Your scripts are code.
It's time to treat them like it.
$ npm install -g @gaspackm/gpm
added 1 package in 2s
$ gpm publish
🔐 Validating namespace reservations...
✓ All namespaces validated
🔍 Validating module versions...
✓ Module versions validated
✅ Published @yourcompany.com/sheets-ai@1.0.0 as public
📦 Package is now available for installation
🔒 Security: 94/100 (A)
📦 Modules published:
base: SHEETS_AI_BASE (versioned: SHEETS_AI_BASE_V1)
🔗 gaspackm.org/packages/@yourcompany.com/sheets-ai
Verified identity
Publishers prove domain ownership before they can publish under that scope. @acme.com/utils actually came from acme.com. No look-alikes, no impersonation.
Continuous scanning
Every publish runs through static analysis. Scope creep, prompt injection patterns, and known CVEs are surfaced before install. Each rule fires with what leaked, why it matters, and the one-line fix.
Supply-chain attestation
Packages published from CI carry npm-style provenance attestation — a cryptographic tie between the artifact and the commit it came from. Trust is verifiable, not asserted.
AI building blocks
What developers will build for agentic Workspace.
- @workspace-tools/a2a-server: Turn any Apps Script into a discoverable A2A agent.
- @datateam.dev/mcp-server: Stand up an MCP server in ten lines. Test locally before deploy.
- @yourcompany.com/sheets-ai: Gemini in your Sheet. Cell formulas that classify, summarize, and structure.
- @hr-tools.io/rag-drive: RAG over a Drive folder. Chunking, embedding, vector store included.
Workspace utilities
The libraries every team rewrites. Imagine them written once.
- @workspace-tools/batch-email: High-volume Gmail with batching, retries, and progress tracking.
- @datateam.dev/sheets-utils: Dedupe, pivot, fuzzy match, range chunking, A1 helpers.
- @labs.example/drive-crawler: Parallel folder walks via UrlFetchApp.fetchAll — tree traversal that scales.
- @procurement.io/docs-template: Template-driven Docs with merge fields, tables, and conditional sections.
Production plumbing
The unglamorous primitives every production script needs.
- @gaspackm.org/continuator: Checkpoint past the 6-minute execution limit. Resumes from last cursor.
- @yourcompany.com/token-meter: Track Gemini, Claude, and OpenAI token usage per user and per agent.
- @labs.example/semantic-cache: LLM response cache keyed on embedding similarity. Cut repeat-query cost.
- @gaspackm.org/audit-log: Tamper-evident audit chain for agent actions. Queryable, retention-aware.
The shape of a flourishing catalog. Be one of the creators who ships here — start free.
Before
4:00:01 PM Info Starting bonus letter generation...
4:04:05 PM Info Processing employee 30/1084
4:06:01 PM Error Exceeded maximum execution time
1,054 Not sent
0% Auditable
~3.5h Estimated
After — community package installed
9:08:01 AM Info Starting bonus letter generation...
9:14:22 AM Info Processing employee 1000/1084
9:18:07 AM Info Complete — 1084/1084 sent
1,084 Sent
100% Auditable
~10m Total time
The fix isn't a Stack Overflow rabbit hole. It's a one-line install.
Free
For open-source authors and personal projects.
$0 /month
- Unlimited public packages
- Verified domain identity
- Continuous security scanning
- Supply-chain attestation
- Community support
Most popular
Pro
For developers shipping production work.
$9 /month
- Everything in Free
- Unlimited private packages
- Advanced security scanning
- Priority support
- Pro badge on profile
Coming soon
Teams
For organizations sharing internal libraries.
TBD
- Everything in Pro
- Multi-seat billing
- Tenant-scoped packages
- Role-based publish
- Centralized audit log
Coming soon
Enterprise
For IT-governed teams with compliance needs.
Talk to us
- Everything in Teams
- SSO (SAML/OIDC)
- SLA + dedicated support
- Self-hosted registry option
- Custom compliance review
All plans include verified identity, continuous scanning, and provenance attestation. Pro adds private packages, AI-assisted features, and priority support.
127 Active projects
34 Packages
8 Pending
3 Blocked
● @myworkspace.org/batch-request approved
● @unknown.io/crypto-tool blocked
● 3 packages transferred from jsmith@
Allowlist Policy
✓ Security score ≥ 80
✓ Verified publisher only
✓ No external API calls
✓ Audit logging enabled
On Offboard
→ Transfer packages to manager
→ Revoke OAuth tokens
Trust signals for the code you ship
AI writes the code. Who reads it?
AI will generate a thousand lines of unique code without breaking a sweat. None of it has been reviewed — including by you. None of it has been stress-tested by real users in real production. Six months from now when something breaks, you'll be scrolling through code you accepted but never read, looking for a bug no one else has ever seen.
A community package gives you what AI can't: evidence. A verified publisher with a Pro or Expert badge. An install count showing how many developers are already running it in production. A security score with the static analysis findings laid out. Comments from developers who've shipped it. You're not trusting blindly — you're reading the receipts.
Verifiable supply chain. The trust signals other ecosystems take for granted.
Coming soon — Teams and Enterprise plans with centralized billing, SSO, org-wide package governance, and private self-hosted registry support.
Stop pasting or generating code you can't verify.
Verified publishers. Code that's been scanned, scored, and reviewed by people. Cryptographic provenance back to the commit it came from. Free for public packages.