CLI Configuration

The LPM CLI is configured through three layers, in increasing scope:

  1. Project config./lpm.toml (per-project save policy, script policy, etc.)
  2. User config~/.lpm/config.toml (defaults across all your projects)
  3. .npmrc — registry routing and auth (compatible with npm/yarn/pnpm)

Plus environment variables for one-off overrides.

.npmrc

The simplest setup uses lpm setup to write a .npmrc automatically. Manual setup looks like this:

@lpm.dev:registry=https://lpm.dev/api/registry
//lpm.dev/api/registry/:_authToken=${LPM_TOKEN}

Place it in your project root for per-project config or in ~/.npmrc for global config. The ${LPM_TOKEN} placeholder is expanded from the environment at install time — works for npm, yarn, pnpm, and lpm alike.

For local development, prefer lpm setup-npmrc — it generates a 30-day read-only token and writes it directly (no env var needed).

--proxy: route all npm traffic through lpm.dev

lpm setup --proxy

By default, @lpm.dev/* packages route through lpm.dev (for auth and cost attribution), and everything else goes straight to registry.npmjs.org. --proxy flips that — every package metadata lookup goes through lpm.dev. The cost is one extra hop; the benefit is a single source of truth for dependency visibility (every install your team makes is logged centrally), unified caching, and consolidated audit logs.

--proxy is mutually exclusive with the default scoped mode; you opt into one or the other at setup time.

lpm.toml (per-project)

lpm.toml is committed alongside package.json and applies to everyone who runs lpm in the project:

# How `lpm install <pkg>` writes the saved version range
save-prefix = "^"      # default: caret. Alternatives: "~", ""
save-exact = false     # if true, save bare versions (no range)

# Lifecycle script handling
script-policy = "deny"   # "deny" (default) | "allow" | "triage"

# Resolver
resolver = "greedy"      # "greedy" (default) | "pubgrub"

The full set of project keys is documented at cli.lpm.dev/docs/reference/lpm-toml.

~/.lpm/config.toml (per-user)

~/.lpm/config.toml sets your personal defaults across every project:

save-prefix = "^"
save-exact = false
script-policy = "triage"   # opt every project into the multi-layer triage gate

Project config overrides user config. Command-line flags (--exact, --policy=allow) override both.

Environment variables

VariableEffect
LPM_TOKENAuth token. Overrides keychain when set.
LPM_REGISTRY_URLOverride the default registry URL.
LPM_OIDC_TOKENPre-supplied OIDC token for lpm setup --oidc and lpm env pull --oidc — used by CI providers that mint the token via id_tokens: blocks.
LPM_FORCE_FILE_VAULTForce the file-fallback vault instead of the OS keychain. Used in CI runners and sandboxed environments.
LPM_RESOLVERgreedy (default) or pubgrub. Selects the resolver engine.
LPM_GREEDY_FUSION1 (default) or 0. Setting to 0 falls back to the walker-arm orchestration for debugging — has no user-visible effect when left at default.
LPM_ENVDefault --env= for lpm run and lpm dev when no flag is passed.

lpm config

Read or write config values via the CLI rather than editing TOML by hand:

lpm config                                 # print resolved config
lpm config --set save-prefix=^             # write to ./lpm.toml
lpm config --set save-prefix=^ --user      # write to ~/.lpm/config.toml

Where credentials live

SurfaceStorage
Login tokenOS keychain (dev.lpm.auth). File fallback: ~/.lpm/.auth/<account>.enc
Wrapping key for the env vaultOS keychain (dev.lpm.vault-key). File fallback: ~/.lpm/.vault-data/<vault-id>.enc
Cached registry metadata~/.lpm/cache/metadata/
Content-addressable package store~/.lpm/store/
Project install state<project>/.lpm/

Keychain items use service dev.lpm.auth for login tokens and dev.lpm.vault / dev.lpm.vault-key for the secrets vault. The two namespaces are independent — rotating one doesn't disturb the other.

CI/CD

For CI/CD setup (OIDC token exchange, GitHub Actions, GitLab CI, Bitbucket Pipelines, deployment platforms), see:

For the full per-flag reference of every command, see cli.lpm.dev.