A package manager for prompts

Declare prompt dependencies. Pull them. Verify who signed them.

No scanner, linter, or test can reliably differentiate between a malicious prompt and a legitimate one. Sigstore identity signing and version pinning are the best available defense. Impromptu implements both.

Quick start

Install:

# macOS / Linux
curl -fsSL https://github.com/calebfaruki/impromptu/releases/latest/download/impromptu-$(uname -s | tr A-Z a-z)-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz | tar xz
sudo mv impromptu /usr/local/bin/

# or with Go
go install github.com/calebfaruki/impromptu/cmd/impromptu@latest

impromptu init

# latest
impromptu pull https://github.com/anthropics/prompts

# tag
impromptu pull https://github.com/anthropics/prompts --ref v1

# commit
impromptu pull https://github.com/anthropics/prompts --ref a1b2c3d

# signed release
impromptu pull https://github.com/anthropics/prompts --release v1

# subdirectory from a monorepo
impromptu pull https://github.com/anthropics/prompts --ref v1 --path code-review

# custom alias
impromptu pull https://github.com/anthropics/prompts --ref v1 --as reviewer

# inline a single file into your working directory
impromptu pull https://github.com/anthropics/prompts --ref v1 --path claude-md --inline

How it works

Clone mode (--ref) clones a git repo and checks out a tag, branch, or commit. Tags and commits are immutable. Branches are mutable and require --force.

Release mode (--release) downloads a signed tarball from a GitHub or Codeberg release. The .sigstore.json bundle is verified automatically. Unsigned releases are rejected unless --force is passed.

What gets checked

Content. Every pull runs content checks on extracted files. Non-markdown files, symlinks, binaries, raw HTML outside fenced code blocks, and dangerous unicode (zero-width characters, RTL overrides, homoglyphs) are all rejected.
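As an added illustration of those content checks (example code written for this page, not Impromptu's own implementation), the Go program below rejects the same classes of input: non-markdown extensions, symlinks (seen via Lstat during the walk), binaries (NUL bytes or invalid UTF-8), raw HTML tags outside fenced blocks, and dangerous Unicode. The zero-width/bidi code point list, the mixed-script homoglyph heuristic and the HTML tag regex are assumptions about how such checks can be built; the project's own rules may differ.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"unicode"
	"unicode/utf8"
)

type Finding struct{ Path, Reason string }

// Constructed list of zero-width and bidi control code points; the project's own list may differ.
var dangerousRunes = map[rune]string{
	'\u200B': "ZWSP", '\u200C': "ZWNJ", '\u200D': "ZWJ", '\u2060': "WJ", '\uFEFF': "ZWNBSP",
	'\u202A': "LRE", '\u202B': "RLE", '\u202D': "LRO", '\u202E': "RLO", '\u2066': "LRI", '\u2067': "RLI", '\u2068': "FSI",
}

// Heuristic "<name ...>" / "</name>" matcher; tolerates false positives like "<b and c>" rather than miss a tag.
var htmlTag = regexp.MustCompile(`</?[A-Za-z][A-Za-z0-9-]*(\s[^>]*)?/?>`)
var inlineCode = regexp.MustCompile("`[^`]*`")

// mixedScript flags a word mixing Latin with Cyrillic/Greek letters, the classic homoglyph pattern.
func mixedScript(w string) bool {
	isLatin := func(r rune) bool { return unicode.Is(unicode.Latin, r) }
	isOther := func(r rune) bool { return unicode.In(r, unicode.Cyrillic, unicode.Greek) }
	return strings.IndexFunc(w, isLatin) >= 0 && strings.IndexFunc(w, isOther) >= 0
}

// CheckContent runs the content checks on one file; an empty result means it passes.
func CheckContent(name string, data []byte) []Finding {
	var out []Finding
	add := func(reason string) { out = append(out, Finding{name, reason}) }
	if ext := strings.ToLower(filepath.Ext(name)); ext != ".md" && ext != ".markdown" {
		add("non-markdown file")
	}
	if bytes.IndexByte(data, 0) >= 0 || !utf8.Valid(data) {
		add("binary content (NUL byte or invalid UTF-8)")
		return out // the text checks below are meaningless on binary data
	}
	text := string(data)
	for i, r := range text {
		if desc, ok := dangerousRunes[r]; ok {
			add(fmt.Sprintf("dangerous unicode U+%04X (%s) at byte %d", r, desc, i))
		}
	}
	for _, word := range strings.FieldsFunc(text, func(r rune) bool { return !unicode.IsLetter(r) }) {
		if mixedScript(word) {
			add(fmt.Sprintf("mixed-script word %q (possible homoglyph)", word))
		}
	}
	// Raw HTML is allowed only inside ``` or ~~~ fences; inline `code` spans are stripped first.
	inFence := false
	for n, line := range strings.Split(text, "\n") {
		if t := strings.TrimSpace(line); strings.HasPrefix(t, "```") || strings.HasPrefix(t, "~~~") {
			inFence = !inFence
			continue
		}
		if !inFence && htmlTag.MatchString(inlineCode.ReplaceAllString(line, "")) {
			add(fmt.Sprintf("raw HTML outside fenced code block at line %d", n+1))
		}
	}
	return out
}

// CheckTree walks an extracted dependency; filepath.Walk uses Lstat, so symlinks are reported, not followed.
func CheckTree(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		switch {
		case err != nil:
			return err
		case info.Mode()&os.ModeSymlink != 0:
			all = append(all, Finding{p, "symlink"})
		case info.Mode().IsRegular():
			data, err := os.ReadFile(p)
			if err != nil {
				return err
			}
			all = append(all, CheckContent(p, data)...)
		}
		return nil
	})
	return all, err
}

func main() {
	findings, err := CheckTree(".")
	for _, f := range findings {
		fmt.Printf("REJECT %s: %s\n", f.Path, f.Reason)
	}
	if err != nil || len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it inside an extracted dependency: it prints one REJECT line per finding and exits non-zero if anything was flagged. The homoglyph check is deliberately narrow (one word mixing Latin with Cyrillic or Greek letters); a production list would cover more scripts and the Unicode confusables table.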

Signatures. Release mode verifies the Sigstore bundle: certificate chain, transparency log inclusion proof, and timestamps. The signer identity and Rekor log index are recorded in the lockfile.

Digests. The lockfile pins a SHA-256 digest for every dependency. On re-pull, on-disk content is compared against the lockfile. A mismatch triggers a re-resolve.
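To make the digest pinning concrete, here is an added example (not Impromptu's code; the LockEntry field names and the digest layout are assumptions) that computes a deterministic SHA-256 over a dependency tree, compares it with the pinned value, and reports whether the dependency must be re-resolved.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// LockEntry is a hypothetical lockfile record; the field names are assumptions
// modeled on what the README says is recorded (digest, signer identity, Rekor index).
type LockEntry struct {
	Source   string `json:"source"`
	Ref      string `json:"ref,omitempty"`
	Digest   string `json:"digest"`                    // "sha256:<hex>"
	Signer   string `json:"signer,omitempty"`          // Sigstore identity, release mode only
	LogIndex int64  `json:"rekor_log_index,omitempty"` // transparency log index, release mode only
}

type fileEntry struct {
	path string // slash-separated path relative to the dependency root
	data []byte
}

// DigestEntries hashes a file set in sorted path order. Path and content are
// length-prefixed, so neither reordering nor boundary-shifting ("a"+"bc" vs
// "ab"+"c") yields a collision, and a rename changes the digest even when the
// bytes do not.
func DigestEntries(entries []fileEntry) string {
	sorted := append([]fileEntry(nil), entries...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].path < sorted[j].path })
	h := sha256.New()
	for _, e := range sorted {
		fmt.Fprintf(h, "%d:%s:%d:", len(e.path), e.path, len(e.data))
		h.Write(e.data)
	}
	return "sha256:" + hex.EncodeToString(h.Sum(nil))
}

// DigestMap is the same digest over in-memory content (a freshly extracted tarball, or a test).
func DigestMap(files map[string][]byte) string {
	entries := make([]fileEntry, 0, len(files))
	for p, d := range files {
		entries = append(entries, fileEntry{p, d})
	}
	return DigestEntries(entries)
}

// TreeDigest digests a checked-out dependency on disk. Only regular files
// count; the content checks already reject symlinks, so none should be present.
func TreeDigest(root string) (string, error) {
	var entries []fileEntry
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		entries = append(entries, fileEntry{filepath.ToSlash(rel), data})
		return nil
	})
	if err != nil {
		return "", err
	}
	return DigestEntries(entries), nil
}

// Verify compares what is on disk with the pinned digest. "ok" means the pin
// holds; "re-resolve" means the content must be fetched again rather than trusted.
func Verify(lock LockEntry, root string) (string, error) {
	actual, err := TreeDigest(root)
	if err != nil {
		return "", err
	}
	if actual != lock.Digest {
		return "re-resolve", nil
	}
	return "ok", nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: lockcheck <dependency-dir> <pinned-digest>")
		os.Exit(2)
	}
	action, err := Verify(LockEntry{Digest: os.Args[2]}, os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println(action)
}
```

Hashing each file's length-prefixed path and content in sorted order means the digest covers the tree's structure, not just its bytes, so a renamed or added file fails the pin as surely as an edited one.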

Links