Package Ninja overview
Package Ninja is a hosted SaaS workspace plus a local CLI enforcement layer. It authenticates developers in the browser, resolves package policy from the control plane, and blocks or allows package-manager commands before package-manager side effects happen. Use this guide when you need to install the CLI, understand the control model, or troubleshoot governed package-manager workflows.
The goal is simple: keep developer workflows fast while making package policy enforcement deterministic, auditable, and workspace-managed.
What does Package Ninja do?
Package Ninja gives security, platform, and engineering teams one shared package-governance workflow:
- developers keep using familiar package-manager commands
- command routing can be previewed before execution with
package-ninja plan --json - policy is checked before install, run, and publish side effects
- audit visibility is captured in the hosted workspace
What does ecosystem coverage mean right now?
Package Ninja has more than one support tier today:
- First-class governed workflow:
package-ninja restore,package-ninja add,package-ninja remove,package-ninja test,package-ninja run -- <native command>, and project shims share one governed path across the current production adapter set. - Preview coverage:
package-ninja plan --jsonuses the same workflow planner as governed execution and reports selected root, ecosystems, native commands, risk class, freshness requirement, artifact inspection, and audit behavior without running package managers. - Runtime adapter coverage: the policy/runtime layer includes ecosystem adapters for npm-family,
PyPI,Cargo,Go modules,NuGet,Maven/Gradle, andComposer. - Workflow convenience coverage: JavaScript still has the richest top-level convenience verbs overall, especially for
publish. Governedfixnow also supports direct safe-version remediation for PyPIuv/Poetry/Pipenv projects, Cargo, Go modules, NuGet, Composer, and narrow Maven/Gradle manifest patterns when a verified upgrade target exists; other ecosystems still use the universal native command runner when there is not yet a safe default top-level verb. - Registry intelligence coverage: the hosted search and package-risk surfaces already reach beyond npm into multiple additional registries.
Use the dedicated coverage page for the exact breakdown:
How is Package Ninja structured?
- Control plane (web + backend): authentication, workspace state, policy config, billing, and audit records.
- Data plane (CLI runtime): executes package commands locally after policy preflight.
- Policy timing: verdicts are resolved before package manager side effects.
Who should use Package Ninja?
- Security teams that need enforceable package policy without rewriting developer workflows.
- Platform teams that need centralized governance and incident visibility.
- Engineering orgs that need seat-based controls and predictable onboarding.
What does this guide cover?
- install and authenticate the CLI
- workspace onboarding and first-run behavior
- policy precedence and enforcement outcomes
- team membership, roles, and session revocation
- billing seats and checkout lifecycle
- operational troubleshooting and recovery commands
What is the correct CLI package and command name?
Package Ninja uses package-ninja as the canonical command name.
The canonical npm package is @packageninja/cli.
This guide documents only the canonical package and command names. If your machine is still on a legacy compatibility channel, upgrade to @packageninja/cli before following the examples here.
Where are the main product pages?
- Dashboard: packageninja.online/dashboard
- AI Agents: packageninja.online/agents
- Pricing: packageninja.online/pricing
- Proof and architecture brief: packageninja.online/compare