Workspace and CLI model
Package Ninja works as one hosted workspace paired with one local CLI/runtime path.
Why the split exists
- The hosted workspace owns identity, policy, billing, and audit visibility.
- The CLI owns local command interception and preflight enforcement.
- Keeping those responsibilities separate makes the product fast for developers and enforceable for security teams.
Responsibility boundary
| Surface | Responsibility |
|---|---|
| Hosted workspace | login, billing, workspace state, policy management, audit views |
| CLI/runtime | local command interception, package-manager execution path, offline runtime state |
| Control-plane APIs | policy fetch, device authorization, audit ingestion, billing reconciliation |
Operational rule
The hosted workspace and canonical CLI/runtime path are the public product surface documented here. Internal, self-hosted, and compatibility code paths are not part of the public guide and should not be treated as publicly supported routes.