CLI Commands
These are the commands that interact with the lpm.dev registry and platform. For the full command reference (resolver, dev server, task runner, test/bench, lint, fmt, patch, plugin, store, graph, etc.), see cli.lpm.dev/docs/commands.
Authentication
lpm login
Sign in to lpm.dev. Opens your browser for OAuth and stores the token in your OS keychain (falls back to an AES-256-GCM encrypted file when no keychain is available).
lpm loginlpm logout
Remove stored credentials.
lpm logoutlpm whoami
Show the current user and plan.
lpm whoamilpm token-rotate
Revoke the current token and issue a new one.
lpm token-rotateSetup
lpm setup
Configure .npmrc for the @lpm.dev scope. Used in CI/CD where the token comes from an environment variable.
lpm setup # writes ${LPM_TOKEN} placeholder
lpm setup --oidc # exchanges CI OIDC for a 30-min token (no secrets)
lpm setup --proxy # route all npm metadata through lpm.dev--proxy routes every dependency lookup (not just @lpm.dev/*) through lpm.dev for unified visibility — useful when you want a single audit log of what your CI installs.
lpm setup-npmrc
Generate a 30-day read-only token and write it to a project's .npmrc for local development. Adds .npmrc to .gitignore automatically.
lpm setup-npmrc # 30-day token (default)
lpm setup-npmrc --days 7 # short-lived token
lpm setup-npmrc --days 90 # longerRun again any time to refresh.
lpm doctor
Health check against your setup — Node version, npm config, auth status, keychain availability, registry connectivity, sandbox availability for lifecycle scripts.
lpm doctorPublishing
lpm publish
Publish the current directory. Auto-detects the ecosystem (package.json → JS, Package.swift → Swift, .xcframework bundle → XCFramework). Builds a tarball, runs ecosystem-specific quality checks, verifies SHA-512 integrity, and uploads. The quality score is recorded with the version.
lpm publish
lpm publish --check # run quality checks without uploading
lpm publish --min-score 80 # require a minimum quality score
lpm publish --dry-run # validate the publish flow end-to-endInstalling
lpm install
Resolve and install dependencies. For JavaScript packages, materializes node_modules (isolated by default, hoisted on opt-in). For Swift packages, edits Package.swift to add the dependency via the SE-0292 registry and runs swift package resolve. Agent Skills are fetched by default — pass --no-skills to skip.
lpm install # install everything in lpm.toml/package.json
lpm install @lpm.dev/acme.utils # add and install a JS package
lpm install @lpm.dev/acme.swift-logger # add and install a Swift package
lpm install --no-skills @lpm.dev/acme.utilslpm add
Download and extract source files into your project (shadcn-style). Use when you want to own and modify the code directly. See Source Code Delivery.
lpm add @lpm.dev/acme.login-form
lpm add @lpm.dev/acme.login-form --preset react
lpm add @lpm.dev/acme.login-form --no-skillslpm remove
Remove a dependency.
lpm remove @lpm.dev/acme.utilsDiscovery
lpm search
Search the marketplace and Pool. Hybrid keyword + semantic search — query by intent ("validate user input") as well as by name. Results rank with AI-generated metadata.
lpm search "form builder"
lpm search "validate user input"lpm info
Show details for a published package — versions, description, dependencies, distribution mode.
lpm info @lpm.dev/acme.design-systemlpm quality
Show the server-side quality report for a package. Displays score, tier, and per-check breakdown (29 checks for JavaScript, 25 for Swift, 21 for XCFramework).
lpm quality @lpm.dev/acme.design-system
lpm quality @lpm.dev/acme.design-system --jsonlpm open
Open a package's lpm.dev page in your browser.
lpm open @lpm.dev/acme.design-systemEnvironments & Secrets
The lpm env command tree manages local secrets, cloud sync to lpm.dev, dashboard pairing, org sharing, platform integrations, and OIDC-based CI pulls. The local vault is free; cloud sync and OIDC require Pro or Org.
lpm env set DATABASE_URL=postgres://... # write
lpm env list # read (masked)
lpm env push # encrypt + sync (Pro/Org)
lpm env pull # decrypt (Pro/Org)
lpm env diff # local vs remote
lpm env share --org acme # share with an org (Org)
lpm env pair <CODE> # unlock a paired dashboard session
lpm env push --to vercel # platform integration (Pro/Org)
lpm env oidc allow --provider=github ... # OIDC policy (Pro/Org)
lpm env pull --oidc --env=production # CI-side decrypt (Pro/Org)Full surface: Environments & Secrets.
Tunnels
Expose a local port to the public internet. Ephemeral URLs and the webhook inspector are free; claimed stable domains and --tunnel-auth require Pro or Org.
lpm tunnel # ephemeral tunnel on port 3000
lpm tunnel 4000 # port 4000
lpm tunnel claim acme-api.lpm.llc # claim a stable domain (Pro/Org)
lpm tunnel 3000 acme-api.lpm.llc # use the claimed domain
lpm tunnel inspect --ui # browser inspector
lpm tunnel replay 3 # re-deliver captured event #3
lpm tunnel list # claimed domains
lpm tunnel unclaim acme-api.lpm.llc # release a claimFull surface: Tunnels.
Swift
lpm swift-registry
Configure Swift Package Manager to use LPM as a package registry. Sets the lpmdev scope, authenticates with your LPM token, and installs the package-signing certificate.
lpm swift-registryRun from any directory containing a Package.swift. This is a one-time setup — SPM remembers the configuration across projects. See Swift Package Registry.
Maintenance
lpm audit
Scan dependencies for vulnerabilities (OSV-backed) and behavioral red flags. Works in any npm project, not just lpm.dev packages.
lpm audit
lpm audit --fail-on high # exit non-zero on high-severity findings (CI)
lpm audit --jsonlpm outdated
Check for newer versions of direct dependencies.
lpm outdatedlpm upgrade
Upgrade direct dependencies to latest matching versions.
lpm upgrade
lpm upgrade @lpm.dev/acme.utils # one packagelpm approve-scripts
Approve lifecycle scripts for specific packages. Scripts are blocked by default. The triage mode (script-policy = "triage") auto-approves green packages via a multi-layer security gate.
lpm approve-scripts # interactive
lpm approve-scripts --dry-run # show what would be approved without changing stateAI
lpm mcp
Start the LPM MCP server. Lets AI coding agents query the registry, install/add packages, and read Agent Skills from your tooling. See MCP Server.
lpm mcplpm skills
Manage Agent Skills installed alongside dependencies. See Agent Skills.
lpm skills list
lpm skills installUtilities
lpm config
View or update CLI configuration (save-prefix, script-policy, etc.). Persistent config lives in ./lpm.toml and ~/.lpm/config.toml.
lpm config
lpm config --set save-prefix=^lpm cache
Inspect and prune the metadata cache and content-addressable store.
lpm cachelpm self-update
Update LPM to the latest version. Detects the install channel (npm, Homebrew, cargo, standalone) and runs the matching upgrade.
lpm self-updatelpm init
Interactively create a package.json configured for LPM publishing.
lpm initWhat lives at cli.lpm.dev instead
These surfaces exist in the Rust client but aren't lpm.dev-specific — see cli.lpm.dev/docs/commands for the full reference:
lpm dev,lpm run,lpm exec,lpm dlx— dev server and script runnerlpm test,lpm bench— test and benchmark runnerslpm lint,lpm fmt,lpm check— built-in linter, formatter, type-checkerlpm patch,lpm patch-commit— patch systemlpm filter,lpm deploy— workspace operationslpm rebuild— re-run lifecycle scriptslpm graph— dependency graph querieslpm trust— provenance verificationlpm cert— local HTTPS for non-tunnel localhostlpm ports,lpm health— port management and project healthlpm migrate— convert from npm/yarn/pnpm/bun lockfileslpm plugin— plugin managementlpm use— Node version pinninglpm download,lpm resolve,lpm store,lpm query— low-level introspectionlpm schema,lpm completions,lpm ci— generators and helpers
For every flag of every command, the canonical reference is the Rust client docs at cli.lpm.dev.
