
This guide takes you from a fresh SCAL-P installation to a policy-enforced install in about two minutes. You need a JavaScript project with a package.json — everything else is handled by SCAL-P. No config is required to get started; you can add policy enforcement progressively as you become familiar with your dependency profile.
1. Go to your project directory

Navigate to any JavaScript project that has a package.json and a lockfile (package-lock.json or pnpm-lock.yaml):
cd my-project
SCAL-P reads your existing lockfile to resolve dependencies before installing. No lockfile means SCAL-P cannot evaluate dependencies ahead of install — make sure one exists.
2. Run your first CI check

Run scalp ci with no arguments:
scalp ci
No config. No setup. scalp ci does everything in one pass: resolves dependencies from the lockfile, evaluates them against policy, installs via npm, hashes every installed package directory with SHA-512, and saves a structured report to .scalp/ci-report.json.

On the first run with no policy file, you will see output like this:
WARN policy not found; allowing with audit
INFO binary verified artifact=lodash…
INFO binary verified artifact=express…
INFO ci passed: 0 violations
All packages pass because the default policy is audit-only — SCAL-P hashes and logs everything without blocking. This is the safe default.
Using pnpm? Pass --pm pnpm to use the pnpm adapter: scalp ci --pm pnpm
3. Read the CI report

Open .scalp/ci-report.json to see what was verified:
{
  "version": "0.2",
  "passed": true,
  "audit": {
    "verified": 142,
    "mismatched": 0,
    "missing": 0
  }
}
verified: 142 means 142 package directories were hashed and their hashes recorded in .scalp/lockfile.json. mismatched: 0 confirms that every package on disk matches what was installed; nothing has been tampered with.

To write the report to a custom path, use --output:
scalp ci --output ci-report.json
4. Explore the .scalp directory

After the first run, your project directory contains a new .scalp/ folder:
my-project/
├── .scalp/
│   ├── policy.json          ← your policy (create this)
│   ├── policy.schema.json   ← JSON Schema for editor autocomplete
│   ├── lockfile.json        ← auto-generated: SHA-512 hashes of packages
│   ├── ci-report.json       ← CI report from last run
│   ├── cache/
│   │   └── trust.json       ← cached download counts and CVEs
│   └── audit.log            ← every event, append-only
├── node_modules/
├── package.json
└── package-lock.json
  • lockfile.json — SHA-512 hashes of every package directory. Auto-generated after install and used by scalp audit to detect tampering.
  • audit.log — NDJSON append-only log. Every install, audit, and verify writes events here.
  • cache/trust.json — Cached npm download counts and CVE lookups. SCAL-P uses this to avoid unnecessary network calls.
  • policy.schema.json — Draft 2020-12 JSON Schema for policy.json. Editors that support $schema provide autocomplete automatically.
Do not commit .scalp/lockfile.json, .scalp/cache/, or .scalp/audit.log to version control — these are local runtime state. Commit only .scalp/policy.json and .scalp/policy.schema.json.
5. Add a policy

Create .scalp/policy.json to start scoring packages:
{
  "version": 1,
  "trust": { "min_score": 60 },
  "enforcement": { "on_violation": "warn" }
}
Run scalp ci again:
scalp ci
Now every package is evaluated against the trust score engine. Each package receives a score from 0 to 80 based on four factors: hash verification (30 points), version maturity, meaning version >= 1.0.0 (15 points), weekly npm downloads (0–20 points), and no active CVEs (0 or 15 points). Any package scoring below 60 is reported.

With on_violation: warn, violations are printed but do not block the install. You can review them before tightening enforcement.
Trust scoring is offline-first. If SCAL-P cannot reach the npm registry for download stats, it awards half the points for that factor rather than failing the build.
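The arithmetic of the four factors is worth seeing end to end, including the offline fallback. The following is an added example, not SCAL-P's own scoring code: the point weights (30, 15, 0–20, 0 or 15) and the half-credit rule for an unreachable registry come from the text above, but the page does not say how a weekly download count maps onto 0–20 points, so the banding in scoreDownloads is an assumption, and the package facts are constructed.

```javascript
// Added example (not SCAL-P's own code): the four-factor trust score described
// above, totalling 80 points. Weights and the offline half-credit rule follow
// the text; the download banding is an assumption, since the page does not
// give it. Package facts below are constructed, not real registry data.

// Weekly downloads -> 0..20 points. null means the registry could not be
// reached, which per the offline-first note earns half the points (10).
function scoreDownloads(weeklyDownloads) {
  if (weeklyDownloads == null) return 10;
  // Assumed banding for illustration only.
  if (weeklyDownloads < 100) return 0;
  if (weeklyDownloads < 1_000) return 5;
  if (weeklyDownloads < 10_000) return 10;
  if (weeklyDownloads < 100_000) return 15;
  return 20;
}

// "Mature" means the version is >= 1.0.0, i.e. a major of at least 1.
function isMature(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m !== null && Number(m[1]) >= 1;
}

// Returns the total and a per-factor breakdown so a violation can be explained.
function trustScore(pkg) {
  const breakdown = {
    hashVerified: pkg.hashVerified ? 30 : 0,
    maturity: isMature(pkg.version) ? 15 : 0,
    downloads: scoreDownloads(pkg.weeklyDownloads),
    noActiveCves: pkg.activeCves === 0 ? 15 : 0,
  };
  const total = Object.values(breakdown).reduce((a, b) => a + b, 0);
  return { total, breakdown };
}

// Packages that fall below min_score, as a policy check would report them.
function findViolations(packages, minScore) {
  return packages
    .map((p) => ({ name: p.name, score: trustScore(p).total }))
    .filter((v) => v.score < minScore);
}

// Constructed package facts (not real registry data).
const samplePackages = [
  { name: "express", version: "4.19.2", hashVerified: true, weeklyDownloads: 30_000_000, activeCves: 0 },
  { name: "left-pad", version: "1.3.0", hashVerified: true, weeklyDownloads: null, activeCves: 0 }, // registry unreachable
  { name: "new-thing", version: "0.1.0", hashVerified: true, weeklyDownloads: 50, activeCves: 0 },
  { name: "old-lib", version: "2.0.0", hashVerified: true, weeklyDownloads: 500_000, activeCves: 1 },
];

module.exports = { scoreDownloads, isMature, trustScore, findViolations, samplePackages };
```

With min_score 60, only new-thing (30 + 0 + 0 + 15 = 45) is reported. Note that old-lib, a mature and popular package with one active CVE, still scores 30 + 15 + 20 + 0 = 65 under these weights, so a threshold of 60 on its own does not reject it; keep that in mind when choosing min_score for your risk tolerance.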
6. Enforce in CI

When you’re ready to block on violations, update the enforcement mode:
{
  "version": 1,
  "trust": { "min_score": 60 },
  "enforcement": { "on_violation": "block" }
}
Now scalp ci exits 1 on any violation — suitable for CI pipelines. For fork pull requests, use the --pr-context fork flag to force require_hash and block all install scripts:
scalp ci --pr-context fork --output ci-report.json
Flag                          Effect
--pr-context fork (default)   Forces require_hash, blocks install scripts
--pr-context internal         Respects policy; scripts blocked unless --allow-scripts
--output                      Path to JSON report (default .scalp/ci-report.json)

What to explore next

  • Commands: Full reference for install, audit, ci, policy check, verify, and checksum.
  • Policy configuration: Allowlists, denylists, transitive depth limits, and the full policy schema.
  • Trust scoring: How the 0–80 score is calculated and how to set min_score for your risk tolerance.
  • CI integration: Set up SCAL-P in GitHub Actions or any CI system that reads exit codes.
