Every SCAL-P command that touches packages writes structured events to .scalp/audit.log. The file is append-only NDJSON (newline-delimited JSON): one JSON object per line, never overwritten. This makes it easy to stream into log aggregators, grep for specific events, or archive per-deployment. Because it accumulates over time and may contain sensitive package names, do not commit it to version control.
Event structure
Every line in the log is a JSON object with the following fields, as defined in internal/audit/logger.go:

- Timestamp: RFC 3339 UTC timestamp of when the event was written. Example: "2026-05-17T14:32:01Z".
- Event type: identifier for the kind of event. See Event types for all possible values.
- Package: the affected package in name@version format. Omitted for events that do not relate to a specific package (such as policy_missing).
- Outcome: the result of the event. Common values are listed in the table below.
- reason: machine-readable explanation of why the event occurred. Present on violations and warnings. See Event types for the reason values each event type can carry.
- Rule: the policy rule that triggered this event, such as "allowlist", "denylist", "lockfile", or "binary_verify". Present on policy and lockfile violation events.
- hash_match: true when the computed hash matched the stored entry; false (or absent) otherwise. Present on hash_verified, hash_check, and binary_verify events.

Common values of the outcome field:

| Value | Meaning |
|---|---|
| "verified" | Hash matched or binary confirmed clean. |
| "blocked" | Package was blocked due to a policy or trust violation. |
| "warn" | Event recorded but execution continued. |
| "mismatch" | Computed hash did not match the stored lockfile entry. |
| "missing" | Package directory is absent from node_modules. |

Event types
policy_missing
Emitted when SCAL-P cannot find .scalp/policy.json. Execution continues with an audit-only, non-blocking posture.
policy_violation
One event per package that violates an allowlist, denylist, transitive depth, or trust score rule. The reason field carries the specific violation type such as "trust_score_too_low" or "hash_required".
hash_verified
Emitted by SyncWithTree after successfully computing the SHA-512 hash of a package directory. One event per package after every guarded install or scalp ci run.
hash_skipped
Emitted when the package directory cannot be located on disk during a sync. The package is omitted from the lockfile for this run.
hash_check
Emitted by VerifyAgainstTree (run during scalp audit and scalp ci) for every package in the dependency tree. hash_match is true when the recomputed hash equals the stored lockfile entry.
hash_missing
Emitted when VerifyAgainstTree finds a package in the dependency tree that has no entry in .scalp/lockfile.json. This means the package was not installed through SCAL-P’s guarded flow.
binary_verify
Emitted by scalp verify. Compares the SHA-512 of a release artifact against a checksums file.
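The following reader is an added example for the event structure and event types above; it is not code from the SCAL-P project. It parses an audit.log stream line by line, tolerates a malformed trailing line (what a partially written last record looks like), tallies events per type, and pulls out the events a reviewer should act on regardless of the enforcement mode that was in effect when they were written. The JSON key names timestamp, event, package, result and rule are assumptions for this example: the page names only reason and hash_match explicitly. The sample log is constructed, not captured from SCAL-P.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// AuditEvent holds the fields the page describes for one audit.log line.
// Key names other than "reason" and "hash_match" are assumed for this example.
type AuditEvent struct {
	Timestamp string `json:"timestamp"`
	Event     string `json:"event"`
	Package   string `json:"package,omitempty"`
	Result    string `json:"result,omitempty"`
	Reason    string `json:"reason,omitempty"`
	Rule      string `json:"rule,omitempty"`
	HashMatch *bool  `json:"hash_match,omitempty"` // pointer: "absent" is distinct from false
}

// sampleLog is constructed for this example, not real SCAL-P output.
// The last line is deliberately broken, as a half-written record would be.
const sampleLog = `{"timestamp":"2026-05-17T14:32:01Z","event":"policy_missing","result":"warn"}
{"timestamp":"2026-05-17T14:32:02Z","event":"policy_violation","package":"left-pad@1.3.0","result":"blocked","reason":"trust_score_too_low","rule":"allowlist"}
{"timestamp":"2026-05-17T14:32:03Z","event":"hash_verified","package":"lodash@4.17.21","result":"verified","hash_match":true}
{"timestamp":"2026-05-17T14:32:04Z","event":"hash_check","package":"lodash@4.17.21","result":"verified","hash_match":true}
{"timestamp":"2026-05-17T14:32:05Z","event":"hash_check","package":"minimist@1.2.5","result":"mismatch","rule":"lockfile","hash_match":false}
{"timestamp":"2026-05-17T14:32:06Z","event":"hash_skipped","package":"fsevents@2.3.2","result":"missing"}
{"timestamp":"2026-05-17T14:32:07Z","event":"hash_missing","package":"some-dep@0.0.1"}
{"timestamp":"2026-05-17T14:32:08Z","event":"hash_ch`

// ParseAuditLog reads NDJSON and returns every well-formed event plus one error
// per line that could not be decoded. Bad lines are reported, not fatal, so a
// truncated tail never hides the events written before it.
func ParseAuditLog(r io.Reader) ([]AuditEvent, []error) {
	var events []AuditEvent
	var errs []error
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			errs = append(errs, fmt.Errorf("line %d: %w", n, err))
			continue
		}
		if ev.Event == "" {
			errs = append(errs, fmt.Errorf("line %d: missing event type", n))
			continue
		}
		events = append(events, ev)
	}
	if err := sc.Err(); err != nil {
		errs = append(errs, err)
	}
	return events, errs
}

// Findings returns the events that need a human: policy violations, hash checks
// whose recomputed hash did not match (hash_match false or absent), and packages
// that have no lockfile entry at all.
func Findings(events []AuditEvent) []AuditEvent {
	var out []AuditEvent
	for _, ev := range events {
		switch ev.Event {
		case "policy_violation", "hash_missing":
			out = append(out, ev)
		case "hash_check":
			if ev.HashMatch == nil || !*ev.HashMatch {
				out = append(out, ev)
			}
		}
	}
	return out
}

// CountByType tallies events per event type.
func CountByType(events []AuditEvent) map[string]int {
	counts := make(map[string]int)
	for _, ev := range events {
		counts[ev.Event]++
	}
	return counts
}

func main() {
	events, errs := ParseAuditLog(strings.NewReader(sampleLog))
	for _, err := range errs {
		fmt.Println("skipped:", err)
	}
	for typ, n := range CountByType(events) {
		fmt.Printf("%-17s %d\n", typ, n)
	}
	for _, ev := range Findings(events) {
		fmt.Printf("%s %s %s reason=%q\n", ev.Timestamp, ev.Event, ev.Package, ev.Reason)
	}
}
```

The same reader works on a real audit.log by swapping strings.NewReader for os.Open; because the file is append-only, a cron job can remember the byte offset it last reached and resume from there.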
How events are produced
| Command | Events written |
|---|---|
scalp install (passthrough) | hash_verified, hash_skipped |
scalp install --guarded | policy_missing (if no policy), policy_violation (if violations), hash_verified, hash_skipped |
scalp audit | hash_check, hash_missing |
scalp ci | policy_violation (if pre-install violations), hash_verified, hash_skipped, hash_check, hash_missing |
scalp verify | binary_verify |
The logger (internal/audit/logger.go) opens the file in append mode on every call and closes it immediately after writing the batch. No file handle is held between commands, so the file is always safe to read or rotate externally. Append-only describes how the logger writes, not a filesystem guarantee: anything that can write to .scalp/ can truncate or edit the log, so forward it to a remote collector if you need a tamper-evident record.

Events are written even when the on_violation enforcement mode is warn or log. The audit log is a record of what happened, not a reflection of what was blocked.
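The writer below is an added example of the append-mode behaviour just described; it is not the project's logger. Each call opens the log with O_APPEND, encodes the batch as one JSON object per line, and closes the handle before returning, so a rename between two calls (the usual rotation pattern) loses nothing and the next call simply creates a fresh file. The 0600 mode and the map-shaped events are choices made for this example; the page does not state either.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// AppendEvents writes one batch of events as NDJSON. The file is opened in
// append mode for this call only and closed before returning, so no handle
// survives between "commands". O_APPEND makes every write land at the current
// end of file even if another process appended in between. Each element of
// batch is any JSON-encodable value (a struct or a map).
func AppendEvents(path string, batch []any) error {
	// 0600 is an assumption for this example: the log can name private packages.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o600)
	if err != nil {
		return fmt.Errorf("open audit log: %w", err)
	}
	enc := json.NewEncoder(f) // Encode terminates every object with "\n": NDJSON
	for _, ev := range batch {
		if err := enc.Encode(ev); err != nil {
			f.Close()
			return fmt.Errorf("write audit event: %w", err)
		}
	}
	if err := f.Sync(); err != nil {
		f.Close()
		return fmt.Errorf("sync audit log: %w", err)
	}
	return f.Close()
}

// CountLines returns the number of non-empty lines (events) in an audit log.
func CountLines(path string) (int, error) {
	f, err := os.Open(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	n := 0
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if len(sc.Bytes()) > 0 {
			n++
		}
	}
	return n, sc.Err()
}

func main() {
	dir, err := os.MkdirTemp("", "scalp-audit-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	logPath := filepath.Join(dir, "audit.log")

	// First "command": a warn-mode run still produces events (constructed data).
	first := []any{
		map[string]any{"timestamp": "2026-05-17T14:32:01Z", "event": "policy_missing", "result": "warn"},
		map[string]any{"timestamp": "2026-05-17T14:32:02Z", "event": "hash_verified", "package": "lodash@4.17.21", "result": "verified", "hash_match": true},
	}
	if err := AppendEvents(logPath, first); err != nil {
		panic(err)
	}
	// External rotation between commands: nothing holds the file open, so rename is safe.
	if err := os.Rename(logPath, logPath+".1"); err != nil {
		panic(err)
	}
	// Second "command": a fresh audit.log is created; the rotated file is untouched.
	second := []any{
		map[string]any{"timestamp": "2026-05-17T14:40:00Z", "event": "hash_check", "package": "minimist@1.2.5", "result": "mismatch", "rule": "lockfile", "hash_match": false},
	}
	if err := AppendEvents(logPath, second); err != nil {
		panic(err)
	}
	for _, p := range []string{logPath + ".1", logPath} {
		n, err := CountLines(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d events\n", filepath.Base(p), n)
	}
}
```

If you rotate with a tool such as logrotate, plain rename-and-create is enough here; copytruncate is unnecessary and would open a window in which a batch written between the copy and the truncate is lost.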