Instead of the complexity of all those wrappers, maybe we could just use a bash alias?
alias apt="hdapt"
alias apt-get="hdapt"
rapt runs apt which if hardened-kernel is being used would be an alias of hdapt. If not using hardened-kernel, it would be real apt.
We instruct users to use rapt when using apparmor-profile-everything and just apt when not.
Using ordinary apt can be done by running /usr/bin/apt.