PFM

View and convert AI agent output files in your browser. Everything runs client-side — your files never leave your machine.

Convert a file to .pfm. Supports JSON, CSV, TXT, and Markdown:

  • .json: Structured data with sections array
  • .csv: section_name, content columns
  • .txt: Plain text as single content section
  • .md: H2 headings become sections

JavaScript / TypeScript: npm install get-pfm
Python: pip install get-pfm

Format Benchmarks

Same content, 5 formats. Measured across speed, size, indexability, and security.

  • PFM: 15.5 / 20
  • JSON: 12.5 / 20
  • TXT: 12.5 / 20
  • MD: 12.0 / 20
  • CSV: 10.5 / 20

1. File Size

PFM adds just 4.5% overhead for its metadata, index, and structure. JSON's escaping and quoting costs 11.5%.

Format | Raw      | Gzipped | Compression | Overhead
TXT    | 9,188 B  | 3,859 B | 42.0%       | baseline
CSV    | 9,227 B  | 3,879 B | 42.0%       | +0.4%
MD     | 9,371 B  | 3,992 B | 42.6%       | +2.0%
PFM    | 9,604 B  | 4,110 B | 42.8%       | +4.5%
JSON   | 10,244 B | 4,153 B | 40.5%       | +11.5%

2. Speed

PFM's indexed section access is 12–25x faster than every other format. JSON wins full parse via C-optimized json.loads().

Targeted Section Access — “License” (10,000 iterations)

  • PFM: 4.2 µs
  • JSON: 52.8 µs
  • MD: 70.0 µs
  • TXT: 78.7 µs
  • CSV: 104.9 µs

Operation          | PFM      | JSON    | CSV      | MD      | TXT
Full file read     | 31.5 µs  | 27.0 µs | 30.1 µs  | 30.6 µs | 41.8 µs
File ID (64 bytes) | 20.7 µs  | 19.8 µs | 20.8 µs  | 15.4 µs | 21.1 µs
Full parse         | 129.7 µs | 47.2 µs | 106.9 µs | 77.9 µs | 79.1 µs
Section access     | 4.2 µs   | 52.8 µs | 104.9 µs | 70.0 µs | 78.7 µs

3. Indexability

PFM is the only format with a pre-computed byte-offset index. All others require full-file scanning to locate a section.

Format | Section Index      | Access Pattern | Sections Found | Searchable
PFM    | Yes (byte offsets) | O(1) seek      | 10             | grep
JSON   | No                 | O(n) scan      | 10             | jq
CSV    | No                 | O(n) scan      | 10             | Partial
MD     | No                 | O(n) scan      | 10             | grep
TXT    | No                 | O(n) scan      | 10             | grep

4. Security

PFM is the only text format with built-in integrity verification, signing, and encryption. Every other format has zero security features.

Feature          | PFM           | JSON   | CSV  | MD   | TXT
Integrity        | SHA-256       | None   | None | None | None
Tamper Detection | Built-in      | None   | None | None | None
Signing          | HMAC-SHA256   | None   | None | None | None
Encryption       | AES-256-GCM   | None   | None | None | None
Provenance       | Full metadata | Manual | None | None | None

Benchmarked with Python 3.13 on macOS. 10,000 iterations per test. Same README content across all 5 formats.

Security Audits

Independent offensive security assessments by Red Team. Full penetration testing, APT simulation, and chaos engineering.

Red Team Offensive Security Assessment

Project: PFM • Date: 2026-02-17 • Scope: Python, JS/TS, Chrome Extension, VS Code Extension, SPA • 4 parallel adversarial agents

Executive Summary

Severity | Found | Fixed | Open
CRITICAL | 5     | 5     | 0
HIGH     | 5     | 5     | 0
MEDIUM   | 10    | 10    | 0
LOW      | 8     | 8     | 0

Four Red Team agents conducted parallel offensive assessments across all five PFM implementations. All 28 findings were remediated across 6 debate rounds with full verification. 198 automated tests (143 Python + 55 JS) confirm correctness.

Key Findings & Remediations

Severity | Finding                                      | Status
CRIT     | Index offset/length out-of-bounds reads      | FIXED
CRIT     | Unbounded meta field injection (DoS)         | FIXED
CRIT     | No file size limit on reader (OOM)           | FIXED
CRIT     | Path traversal in CLI write commands         | FIXED
CRIT     | Missing checksum = pass (fail-open)          | FIXED
HIGH     | Inline onclick handlers violate CSP nonce    | FIXED
HIGH     | Timing side-channel in checksum comparison   | FIXED
HIGH     | Meta key override via duplicate keys         | FIXED
HIGH     | TOCTOU race in stream recovery               | FIXED
HIGH     | No format version validation in JS parsers   | FIXED
MED      | CRLF injection in cross-platform parsing     | FIXED
MED      | CSV formula injection in converter output    | FIXED
MED      | YAML frontmatter injection in Markdown export | FIXED
MED      | Session storage quota overflow (Chrome ext)  | FIXED
MED      | Error messages leak internal paths           | FIXED

Attack Vectors Tested (No Finding)

Vector                                  | Result
Malformed PFM magic line injection      | DEFENDED
Section name charset bypass             | DEFENDED
Escape sequence round-trip corruption   | DEFENDED
Encrypted document oracle attack        | DEFENDED
HMAC signature replay / forgery         | DEFENDED
Stream writer crash + corrupt recovery  | DEFENDED
JSON/CSV converter prototype pollution  | DEFENDED
Cross-implementation checksum mismatch  | DEFENDED

A+ Certification

Zero open CRITICAL or HIGH findings. All 28 findings remediated with verification. Defense-in-depth across all five implementations with HMAC-SHA256 signing, AES-256-GCM encryption, constant-time comparisons, and strict input validation at every trust boundary.

Hacking Summit Certification

Project: PFM • Date: 2026-02-17 • Debate Rounds: 6 • Final Grade: A+

Hardening Timeline

Round | Focus                                             | Findings | Fixed
1–2   | Core parser security + escape system              | 12       | 12
3     | VS Code bugs, dead code, meta limits              | 6        | 6
4     | Stream checksum, Chrome offsets, consistency      | 8        | 8
5     | Version validation, CLI commands, path hardening  | 10       | 10
6     | CSP, timing attacks, CRLF, meta-first-wins        | 14       | 14
Scan  | Red Team parallel assessment (4 agents)           | 18       | 18

Security Architecture

  • Integrity: SHA-256 checksum on all section content, fail-closed verification
  • Authentication: HMAC-SHA256 signing with constant-time comparison
  • Encryption: AES-256-GCM with PBKDF2 key derivation (600K iterations)
  • Parsing: Bounds-checked index reads, CRLF normalization, version gating
  • Input validation: Section name charset enforcement, meta field limits, file size caps
  • Cross-impl consistency: 5 implementations (Python, JS, Chrome, VS Code, SPA) share identical parse/serialize behavior verified by conformance tests
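
The integrity and parsing items above correspond to three of the listed findings (out-of-bounds index reads, missing checksum = pass, timing side-channel in checksum comparison). The sketch below is an added example, not code from the PFM project: it contrasts a fail-open check with a fail-closed, constant-time one and adds a bounds-checked index read. The function names, the name -> (offset, length) index shape, and hashing the concatenated section bytes are assumptions made for illustration.

```python
import hashlib
import hmac

class IntegrityError(Exception):
    """Raised when an index entry or checksum fails validation."""

def read_section(body: bytes, offset, length) -> bytes:
    """Bounds-checked read of one indexed section (offset/length come from the file)."""
    # type() rather than isinstance(): bool is an int subclass and must not pass.
    if type(offset) is not int or type(length) is not int:
        raise IntegrityError("index entry is not an integer")
    if offset < 0 or length < 0 or offset + length > len(body):
        raise IntegrityError("index entry points outside the file body")
    return body[offset:offset + length]

def verify_fail_open(sections, expected_hex) -> bool:
    """'Before' behaviour named in the findings: a missing checksum passes."""
    if not expected_hex:
        return True  # fail-open: stripping the checksum defeats the check
    actual = hashlib.sha256(b"".join(sections)).hexdigest()
    return actual == expected_hex  # ordinary, non-constant-time comparison

def verify_fail_closed(sections, expected_hex) -> bool:
    """Hardened: a missing or malformed checksum fails; compare in constant time."""
    if not isinstance(expected_hex, str):
        return False
    try:
        expected = bytes.fromhex(expected_hex)
    except ValueError:
        return False
    if len(expected) != hashlib.sha256().digest_size:
        return False
    actual = hashlib.sha256(b"".join(sections)).digest()
    return hmac.compare_digest(actual, expected)

# Constructed sample: a 14-byte body and a hypothetical name -> (offset, length) index.
SAMPLE_BODY = b"alphaBETAgamma"
SAMPLE_INDEX = {"a": (0, 5), "b": (5, 4), "c": (9, 5)}

def load_verified(body, index, expected_hex):
    """Read every indexed section, then verify before returning anything."""
    sections = {n: read_section(body, off, ln) for n, (off, ln) in index.items()}
    if not verify_fail_closed(list(sections.values()), expected_hex):
        raise IntegrityError("checksum missing or mismatched")
    return sections

if __name__ == "__main__":
    good = hashlib.sha256(SAMPLE_BODY).hexdigest()
    print(load_verified(SAMPLE_BODY, SAMPLE_INDEX, good))
    print(verify_fail_open([b"tampered"], None), verify_fail_closed([b"tampered"], None))
```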

Test Coverage

Suite                  | Tests | Status
Python (pytest)        | 143   | ALL PASS
JavaScript (node:test) | 55    | ALL PASS
Total                  | 198   | ALL PASS

CERTIFIED — Grade: A+

6 adversarial debate rounds + full Red Team scan. Zero open vulnerabilities. 198 automated tests. All findings remediated with verification across all five implementations.

Signed: Hacking Summit Certification Board • Date: 2026-02-17

Terms of Service

Last updated: February 16, 2026

1. Acceptance of Terms

By using PFM (Pure Fucking Magic) software, libraries, tools, web viewer, or file format specification (collectively, the “Service”), you agree to these Terms of Service. If you do not agree, do not use the Service.

2. License

PFM is released under the MIT License. You are free to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, subject to the conditions of the MIT License.

The full license text is included with the source code and governs your use of the software.

3. The Service

PFM provides:

  • An open file format specification (.pfm) for AI agent output
  • Python and JavaScript libraries for reading, writing, and converting PFM files
  • A command-line interface for file operations
  • A web-based viewer and converter that runs entirely client-side

4. Privacy & Data Handling

The PFM web viewer and converter run entirely in your browser. No files are uploaded to any server. All processing happens client-side on your machine.

  • No analytics or tracking scripts are included
  • No cookies are set (except a local theme preference in localStorage)
  • No data is transmitted to any third party
  • Your files never leave your device

5. No Warranty

THE SERVICE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.

PFM’s security features (checksums, HMAC signing, AES-256-GCM encryption) are provided as tools. Their correctness depends on proper usage. You are responsible for your own security posture and key management.

6. Limitation of Liability

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

7. Acceptable Use

You may use PFM for any lawful purpose. You agree not to:

  • Use PFM to store, transmit, or distribute illegal content
  • Attempt to circumvent PFM’s security features for malicious purposes
  • Misrepresent the provenance or integrity of PFM files
  • Use PFM in any way that violates applicable laws or regulations

8. Contributions

Contributions to PFM are welcome and governed by the project’s CONTRIBUTING.md guidelines. By submitting a contribution, you agree to license it under the same MIT License as the project.

9. Changes to Terms

These terms may be updated from time to time. Changes will be reflected in the “Last updated” date above. Continued use of the Service after changes constitutes acceptance of the new terms.

10. Contact

For questions about these terms, open an issue on the project’s GitHub repository.