Struct LockedResource 

pub struct LockedResource {
    pub name: String,
    pub source: Option<String>,
    pub url: Option<String>,
    pub path: String,
    pub version: Option<String>,
    pub resolved_commit: Option<String>,
    pub checksum: String,
    pub installed_at: String,
    pub dependencies: Vec<String>,
    pub resource_type: ResourceType,
    pub tool: String,
}

A locked resource (agent or snippet) with resolved version and integrity information.

Represents a specific resource file that has been resolved from either a source repository or local filesystem. Contains all information needed to verify the exact version and integrity of the installed resource.

Local vs Remote Resources

Remote resources (from Git repositories) include:

• source: Source repository name
• url: Repository URL
• version: Original version constraint
• resolved_commit: Exact commit containing the resource

Local resources (from filesystem) omit these fields since they don’t involve Git repositories.

Integrity Verification

All resources include a SHA-256 checksum for integrity verification. The checksum is calculated from the file content after installation and can be used to detect corruption or tampering.

Examples

Remote resource in TOML format:

[[agents]]
name = "example-agent"
source = "community"
url = "https://github.com/example/repo.git"
path = "agents/example.md"
version = "^1.0"
resolved_commit = "a1b2c3d4e5f6..."
checksum = "sha256:abcdef123456..."
installed_at = "agents/example-agent.md"

Local resource in TOML format:

[[agents]]
name = "local-helper"
path = "../local/helper.md"
checksum = "sha256:fedcba654321..."
installed_at = "agents/local-helper.md"

Fields

name: String

Resource name from the manifest.

This corresponds to keys in the [agents] or [snippets] sections of the manifest. Resources are uniquely identified by the combination of (name, source), allowing multiple sources to provide resources with the same name.

source: Option<String>

Source repository name for remote resources.

References a source defined in the [sources] section of the manifest. This field is None for local resources that don’t come from Git repositories.

Omitted from TOML serialization when None.

url: Option<String>

Source repository URL for remote resources.

The full Git repository URL where this resource originates. This field is None for local resources.

Omitted from TOML serialization when None.

path: String

Path to the resource file.

For remote resources, this is the relative path within the source repository. For local resources, this is the filesystem path (may be relative or absolute).

version: Option<String>

Original version constraint from the manifest.

This preserves the version constraint specified in agpm.toml (e.g., “^1.0”, “v2.1.0”). For local resources or resources without version constraints, this field is None.

Omitted from TOML serialization when None.

resolved_commit: Option<String>

Resolved Git commit hash for remote resources.

The exact 40-character SHA-1 commit hash where this resource was found. This ensures reproducible installations even if the version constraint could match multiple commits. For local resources, this field is None.

Omitted from TOML serialization when None.

checksum: String

SHA-256 checksum of the installed file content.

Used for integrity verification to detect file corruption or tampering. The format is “sha256:” followed by the hexadecimal hash.

Example: “sha256:a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3”

installed_at: String

Installation path relative to the project root.

Where the resource file is installed within the project directory. This path is always relative to the project root and uses forward slashes as separators for cross-platform compatibility.

Examples: “agents/example-agent.md”, “snippets/util-snippet.md”

dependencies: Vec<String>

Dependencies of this resource.

Lists the direct dependencies that this resource requires, including both manifest dependencies and transitive dependencies discovered from the resource file itself. Each dependency is identified by its resource type and name (e.g., “agents/helper-agent”, “snippets/utils”).

This field enables dependency graph analysis and ensures all required resources are installed. It follows the same model as Cargo.lock where each package lists its dependencies.

Always included in TOML serialization, even when empty, to match Cargo.lock format.

resource_type: ResourceType

Resource type (agent, snippet, command, etc.)

This field is populated during deserialization based on which TOML section the resource came from ([[agents]], [[snippets]], etc.) and is used internally for determining the correct lockfile section when adding/updating entries.

It is never serialized to the lockfile - the section header provides this information.

tool: String

Tool type for multi-tool support (claude-code, opencode, agpm, custom).

Specifies which target AI coding assistant tool this resource is for. This determines where the resource is installed and how it’s configured.

Defaults to “claude-code” for backward compatibility with existing lockfiles.

Omitted from TOML serialization when the value is “claude-code” (default).

Trait Implementations

impl Clone for LockedResource

fn clone(&self) -> LockedResource

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for LockedResource

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for LockedResource

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for LockedResource

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.