Logo
Package Manager

XFPM - XyPriss Fast Package Manager

The official high-performance CLI tool for dependency resolution, security auditing, and full project orchestration across the XyPriss ecosystem. Built entirely in Go.

XFPM focuses on efficient dependency resolution, reproducible environments, and secure package isolation powered by a CAS-based architecture. It replaces traditional package managers with deep integration into the XHSC native engine, Zero-Trust G3 cryptographic signing, and a built-in intelligent security audit loop.

Key Features

Neural Dependency Resolution

Resolves even the most complex dependency trees via a Neural Dependency Graph — recalculating only the modified portions on updates.

Strict Isolation (CAS + Virtual Store)

Content-addressable storage and Ancestor Hoisting prevent ghost dependencies, ensuring environments remain pure across projects.

Zero-Trust G3 Security

Native Ed25519 cryptographic signing and a Trust On First Use (TOFU) verification layer protect every plugin in the ecosystem.

Auto-Update Engine

Keeps the CLI current automatically. No manual intervention required to stay on the latest security patches.

Intelligent Security Auditing

Multi-step SCA engine powered by the OSV database, with an automated repair loop, re-verification pass, and decentralized revocation enforcement.

Cross-Platform Single Binary

Native binaries for Windows, Linux, and macOS (amd64 & arm64). No runtime dependencies - one self-contained executable.

Installation

XFPM is distributed through the official Nehonix unified installer.

Unix / macOS / WSL

bash
curl -sL https://xypriss.nehonix.com/install.js | node

Windows (PowerShell)

powershell
Invoke-RestMethod -Uri "https://xypriss.nehonix.com/install.js" -UseBasicParsing | node

NPM

bash
# Linux / macOS
npm install -g xypriss-cli

# Windows 
npm install -g xypriss-cli

Project Initialization

The init command bootstraps a new XyPriss project using the native XRU (XyPriss Rule Unit) orchestration engine to automate structure creation, metadata injection, and environment preparation.

bash
xfpm init [name] [KEY=VALUE...] [flags]

# Interactive wizard (guided setup)
xfpm init

# Quick start
xfpm init my-app

# Full configuration with pass-through variables
xfpm init my-app AUTHOR="Nehonix" VERSION=2.0.0 PORT=9000

# With orchestration flags
xfpm init my-app --mode xms --force
OptionShorthandDefaultDescription
--mode-mdefaultOrchestration mode: default or xms (Multi-Server).
--author-aNehonix-TeamThe name of the project author.
--desc-d(Generic)A short description of the project.
--version-v1.0.0Initial project version.
--port-p8080Default network port for the server.
--argPass custom orchestration variables in KEY=VALUE format.
--force-ffalseOverwrite the target directory if it already exists.

Guided Interactive Mode

Running xfpm init without arguments launches an interactive wizard for Name, Version, Description, Author, and Port - with sane defaults to get you started in seconds.

Dynamic Orchestration Variables

Any positional argument containing an = (e.g. THEME=dark) is captured and injected into XRU orchestration rules, allowing template customization without modifying the binary.

Native XRU Integration (vG0.1.200+)

No external dependencies required. The XRU engine is natively embedded — ensuring atomic, cross-platform rule execution out of the box.

Automated Environment Setup

Fetches the latest templates, injects metadata, validates and installs the Bun runtime if missing, and performs a full dependency installation automatically.

Dependency Management

bash
# Install all dependencies from package.json
xfpm install

# Add a production package
xfpm add <package>

# Add to devDependencies
xfpm add -D <package>

# Install from a local path
xfpm add -P ./path/to/my-plugin

# Remove a package
xfpm rm <package>

# Update all packages
xfpm update

# Update a specific package
xfpm update <package>

Security Auditing

XFPM's standalone SCA engine audits dependencies against the OSV database and executes an intelligent multi-step repair loop to automatically remediate vulnerabilities.

bash
# Standard interactive audit
xfpm audit

# Intelligent fix loop (auto-repair)
xfpm audit fix

# Terminal dependency tree view
xfpm audit --tree

# Open premium interactive XFPML dashboard
xfpm audit --html # or using the "-w" flag

# Fully automated mode for CI environments
xfpm audit fix --yes --force-remove

Intelligent Fix Loop — xfpm audit fix

  1. 1Registry Validation: Compares local versions against the NPM registry latest field.
  2. 2Automated Repair: Updates package.json and performs a clean installation.
  3. 3Re-Verification: Automatically re-audits to confirm the fix is effective.
  4. 4Fallback Uninstallation: Offers to remove packages that remain vulnerable even at their latest version.

Use --yes and --force-remove together for fully automated, non-interactive security enforcement in CI/CD pipelines.

Plugin Management

XFPM provides a robust suite of tools for managing project plugins and their cryptographic trust status within the Zero-Trust G3 architecture.

bash
# List all plugins and their trust status
xfpm plugin list

# Offline check — only scan node_modules/vstore
xfpm plugin list --local

# Open web dashboard to review and update permissions
xfpm plugin list --review

# Verify and authorize pending plugins (interactive)
xfpm plugin verify

# Open the premium interactive web verification dashboard
xfpm plugin verify --html

# Get detailed Developer Identity and Metadata for a plugin
xfpm plugin get <package>
xfpm plugin id <package>
xfpm plugin info <package>

# Revoke trust and retire permissions
xfpm plugin revoke <package>

# Clean removal without re-queuing the plugin
xfpm plugin revoke <package> --no-pending

Zero-Trust G3 Architecture

XFPM enforces a cryptographically verified security model for the XyPriss ecosystem. All plugins must be signed by their author and authorized by the consuming project before accessing native system hooks.

1Generate Developer Identity

Authors must generate a unique Ed25519 developer identity before signing plugins. Publish your public key fingerprint in your plugin's README so users can verify your identity.

bash
xfpm gen-key

2Declare Privileges (Optional)

If your plugin requires protected system hooks (e.g., HTTP interception, console logging), you must declare them in package.json before signing using the exact system Privilege IDs. Invalid IDs abort the signing process.

json
{
  "xfpm": {
    "permissions": [
      "XHS.HOOK.HTTP.REQUEST",
      "XHS.PERM.LOGGING.CONSOLE_INTERCEPT"
    ]
  }
}

3Sign Plugin Assets

Before publishing, generate a tamper-proof signature manifest. XFPM hashes all production files and embeds your validated Privileges into a xypriss.plugin.xsig file required for safe distribution.

bash
xfpm sign ./ --min-version 1.0.0

4Authorization & Interactive Verification (TOFU)

On first install of a new plugin, XFPM defers validation to a batched interactive Trust On First Use (TOFU) flow triggered via xfpm plugin verify.

Plugin Verification Dashboard
Run xfpm plugin verify --html to launch the premium web-based dashboard for confirming cryptographic Developer IDs, reviewing and selectively approving every requested system Privilege, and bulk-managing dozens of plugins simultaneously.

5Manual Trust Pinning

For manual pinning or non-interactive environments, use the trust subcommand with the plugin name and its Developer ID fingerprint.

bash
xfpm plugin trust <package> <developer-id>

# Example
xfpm plugin trust my-plugin ed25519:adl*******

6Non-Interactive Mode (CI/CD)

Use the --no-interact (or -n) flag with install, update, or verify. In this mode, XFPM automatically trusts any plugin carrying a cryptographically valid G3 signature, bypassing the manual Author ID confirmation prompt.

bash
# Automated installation with G3 verification
xfpm install -vn

# Automated verification of pending plugins
xfpm plugin verify --no-interact

7Configuration-Based Trust (trustedPlugins)

To bypass interactive prompts for well-known plugins without relying on the global --no-interact flag, declare them in your project's package.json under xfpm.trustedPlugins. Unknown third-party additions will still go through full verification.

JSONC Support
The XyPriss configuration parser automatically strips trailing commas from xypriss.config.jsonc, ensuring smooth parsing of security configuration files.
json
{
  "xfpm": {
    "trustedPlugins": ["my-plugin"]
  }
}

Decentralized Revocation Enforcement

XFPM tracks framework-level revocations via native package metadata. If a version is discovered to be compromised, two enforcement mechanisms activate automatically:

Audit Flagging

xfpm audit marks the package as revoked in the audit report with a clear warning.

Runtime Patching

XFPM injects an xfpm.revoked marker into the local package.json, which the XHSC Deep Audit engine catches to block execution.

Package Redirections & Deprecation

Library maintainers can natively manage package deprecations and redirect installations across the XyPriss ecosystem without breaking consuming workflows. Add an xfpm object to your distributed package.json:

json
{
  "name": "old-lib",
  "version": "1.0.0",
  "xfpm": {
    "redirect": {
      "target": "new-lib",
      "message": "old-lib is deprecated. Please refer to our new architecture."
    }
  }
}

When users run xfpm install old-lib, XFPM intercepts the metadata, displays the custom message in the terminal, and shifts resolution downstream to new-lib. The consuming project's package.json is updated to reference the new target automatically.

Advanced Architecture

CAS — Content Addressable Storage

Every file is hashed and stored exactly once in ~/.xfpm/storage (Linux/macOS) or %USERPROFILE%\.xfpm\storage (Windows), eliminating duplicates and ensuring fully deterministic, reproducible installations across all projects on the machine.

The Virtual Store

Dependencies are stored by exact version under node_modules/.xfpm/vstore on all platforms and symlinked into the project root's node_modules. This "Ancestor Hoisting" architecture enforces strict isolation while eliminating ghost dependencies entirely.

Targeted Resolution & Lifecycle Execution

Only the modified portions of the Neural Dependency Graph are recalculated during updates, minimizing overhead. Lifecycle scripts (e.g., postinstall) are invoked exclusively for dependencies targeted in the current transaction, preventing unnecessary execution of ambient scripts and preserving environment stability.

Redirections & Deprecation

Maintainers can natively manage package rename and migration pathways, ensuring users are seamlessly transitioned to new architectures without breaking builds.

Ready to scale?

Master project orchestration with XFPM multi-server (XMS) configurations and Zero-Trust plugin ecosystems.