GasPack

The missing package manager for Apps Script

The package manager Apps Script has been missing.

Install, version, and ship reusable code the way every modern ecosystem does.

The Infrastructure

Write once.
Available everywhere.

How do you share libraries today? A cryptic script ID in a Slack message? A Stack Overflow answer from 2017? Every other ecosystem solved this a decade ago.

✓ Full CLI. Init, build, publish, install.
✓ Versioning and dependency management that actually works.
✓ Automated security scanning, provenance attestation, and signed publishers.

Your scripts are code.
It's time to treat them like it.

$ npm install -g @gaspackm/gpm
added 1 package in 2s
$ gpm publish
🔐 Validating namespace reservations...
✓ All namespaces validated
🔍 Validating module versions...
✓ Module versions validated
✅ Published @yourcompany.com/sheets-ai@1.0.0 as public
📦 Package is now available for installation
 
🔒 Security: 94/100 (A)
 
📦 Modules published:
base: SHEETS_AI_BASE (versioned: SHEETS_AI_BASE_V1)
 
🔗 gaspackm.org/packages/@yourcompany.com/sheets-ai
$

Why GasPack

Trust is the product.

Why should you use packages? Why not just copy-paste code from a website article or let Gemini handle it? AI is good, but far from perfect when building complex systems and workflows from a prompt. You're left with hundreds or thousands of lines of unique code that could solve your problem — or delete all the files on your Google Drive. Don't worry, Gemini will apologize for deleting your files and offer to help get them back…

Instead, you can use hundreds or thousands of lines of code that has been scanned and scored, and that has a community of thousands of developer eyes looking over it and providing seals of approval.

Verified identity

Publishers prove domain ownership before they can publish under that scope. @acme.com/utils actually came from acme.com. No look-alikes, no impersonation.

Continuous scanning

Every publish runs through static analysis. Scope creep, prompt injection patterns, and known CVEs are surfaced before install. Each rule fires with what leaked, why it matters, and the one-line fix.

Supply-chain attestation

Packages published from CI carry npm-style provenance attestation — a cryptographic tie between the artifact and the commit it came from. Trust is verifiable, not asserted.

The ecosystem we're seeding

What gets built when sharing is easy.

Every modern ecosystem has its compounding packages — the unglamorous primitives, the workspace utilities, the AI building blocks. Here's the shape of an Apps Script catalog when creators have somewhere to ship them.

AI building blocks

What developers will build for agentic Workspace.

  • @workspace-tools/a2a-server: Turn any Apps Script into a discoverable A2A agent.
  • @datateam.dev/mcp-server: Stand up an MCP server in ten lines. Test locally before deploy.
  • @yourcompany.com/sheets-ai: Gemini in your Sheet. Cell formulas that classify, summarize, and structure.
  • @hr-tools.io/rag-drive: RAG over a Drive folder. Chunking, embedding, vector store included.

Workspace utilities

The libraries every team rewrites. Imagine them written once.

  • @workspace-tools/batch-email: High-volume Gmail with batching, retries, and progress tracking.
  • @datateam.dev/sheets-utils: Dedupe, pivot, fuzzy match, range chunking, A1 helpers.
  • @labs.example/drive-crawler: Parallel folder walks via UrlFetchApp.fetchAll — tree traversal that scales.
  • @procurement.io/docs-template: Template-driven Docs with merge fields, tables, and conditional sections.

Production plumbing

The unglamorous primitives every production script needs.

  • @gaspackm.org/continuator: Checkpoint past the 6-minute execution limit. Resumes from last cursor.
  • @yourcompany.com/token-meter: Track Gemini, Claude, and OpenAI token usage per user and per agent.
  • @labs.example/semantic-cache: LLM response cache keyed on embedding similarity. Cut repeat-query cost.
  • @gaspackm.org/audit-log: Tamper-evident audit chain for agent actions. Queryable, retention-aware.

The shape of a flourishing catalog. Be one of the creators who ships here — start free.

What compounds

Someone already solved this. You just have to install it.

Execution log
4:00:01 PM Info Starting bonus letter generation...
4:04:05 PM Info Processing employee 30/1084
4:06:01 PM Error Exceeded maximum execution time
1,054 Not sent
0% Auditable
~3.5h Estimated

Execution log
9:08:01 AM Info Starting bonus letter generation...
9:14:22 AM Info Processing employee 1000/1084
9:18:07 AM Info Complete — 1084/1084 sent
1,084 Sent
100% Auditable
~10m Total time

The fix isn't a Stack Overflow rabbit hole. It's a one-line install.

Pricing

Simple, honest plans.

Free for public packages. Pro for private. Teams and Enterprise are next.

Free

For open-source authors and personal projects.

$0 /month
  • Unlimited public packages
  • Verified domain identity
  • Continuous security scanning
  • Supply-chain attestation
  • Community support

Coming soon

Teams

For organizations sharing internal libraries.

TBD
  • Everything in Pro
  • Multi-seat billing
  • Tenant-scoped packages
  • Role-based publish
  • Centralized audit log

Or email hello@gaspackm.org

Coming soon

Enterprise

For IT-governed teams with compliance needs.

Talk to us
  • Everything in Teams
  • SSO (SAML/OIDC)
  • SLA + dedicated support
  • Self-hosted registry option
  • Custom compliance review

Or email hello@gaspackm.org

All plans include verified identity, continuous scanning, and provenance attestation. Pro adds private packages, AI-assisted features, and priority support.

acme.com Live
127 Active projects
34 Packages
8 Pending
3 Blocked
@myworkspace.org/batch-request approved
@unknown.io/crypto-tool blocked
3 packages transferred from jsmith@
Allowlist Policy
✓ Security score ≥ 80
✓ Verified publisher only
✓ No external API calls
✓ Audit logging enabled
On Offboard
→ Transfer packages to manager
→ Revoke OAuth tokens

Trust signals for the code you ship

AI writes the code. Who reads it?

AI will generate a thousand lines of unique code without breaking a sweat. None of it has been reviewed — including by you. None of it has been stress-tested by real users in real production. Six months from now when something breaks, you'll be scrolling through code you accepted but never read, looking for a bug no one else has ever seen.

A community package gives you what AI can't: evidence. A verified publisher with a Pro or Expert badge. An install count showing how many developers are already running it in production. A security score with the static analysis findings laid out. Comments from developers who've shipped it. You're not trusting blindly — you're reading the receipts.

Verifiable supply chain. The trust signals other ecosystems take for granted.

Coming soon — Teams and Enterprise plans with centralized billing, SSO, org-wide package governance, and private self-hosted registry support.

Stop pasting or generating code you can't verify.

Verified publishers. Code that's been scanned, scored, and reviewed by people. Cryptographic provenance back to the commit it came from. Free for public packages.