Policy schema reference for SCAL-P (.scalp/policy.json)

The policy file at .scalp/policy.json is the single source of truth for how SCAL-P evaluates your dependencies. It follows JSON Schema Draft 2020-12 and is validated against the bundled schema at .scalp/policy.schema.json. Only version is required; all other fields have safe defaults that produce an audit-only, non-blocking posture.

Add "$schema": "https://raw.githubusercontent.com/CarlosEduJs/SCAL-P/main/.scalp/policy.schema.json" to your policy.json for inline autocomplete and validation in VS Code, JetBrains IDEs, and any editor that supports JSON Schema.

Top-level fields

$schema

string

Optional. A URI pointing to the JSON Schema for this file. Set it to the canonical URL below to enable editor autocomplete and validation.

https://raw.githubusercontent.com/CarlosEduJs/SCAL-P/main/.scalp/policy.schema.json

version

integer

required

Schema version. The only accepted value is 1. SCAL-P uses this field to detect incompatible future policy formats.

trust

object

Controls which packages are evaluated, how trust scoring works, and whether missing hashes are a hard failure.

Show properties

trust.mode

string

default:"audit-only"

Determines which packages are subject to policy evaluation.

Value	Behavior
`allowlist`	Only packages explicitly listed in `packages.allow` are permitted. Everything else is a violation.
`denylist`	All packages are permitted except those explicitly listed in `packages.deny`.
`audit-only`	All packages are logged but nothing is blocked regardless of policy rules.

trust.min_score

integer

default:"0"

Minimum trust score (0–80). Packages whose computed score falls below this threshold trigger a violation. Setting this to 0 (the default) disables trust scoring entirely — no score is computed and no score-based violations are raised.The four factors that contribute to the score are: hash verified (30 pts), version maturity — >= 1.0.0 (15 pts), weekly npm downloads (0–20 pts), and no active CVEs (0 or 15 pts).

trust.require_hash

boolean

default:"false"

When true, any package that does not have an entry in .scalp/lockfile.json is an automatic violation regardless of its total trust score. The violation reason is hash_required. This check is independent of min_score and is evaluated first.Use this as your supply-chain minimum: if a package was not installed through SCAL-P’s guarded flow (or was modified after install), you want to know immediately rather than relying on a lower score.

packages

object

Allow and deny rules for specific packages or name patterns. Rules are evaluated according to the active trust.mode.

Show properties

packages.allow

PackageRule[]

default:"[]"

List of packages permitted in allowlist mode. An empty array blocks every package. Each item is a PackageRule.

packages.deny

PackageRule[]

default:"[]"

List of packages blocked in denylist mode. An empty array allows every package. Each item is a PackageRule.

transitive

object

Limits on transitive (indirect) dependencies.

Show properties

transitive.max_depth

integer

default:"0"

Maximum nesting depth for transitive dependencies. 0 means no depth limit is enforced. Any package nested deeper than max_depth levels triggers a violation.

enforcement

object

Controls what SCAL-P does when a violation is detected.

Show properties

enforcement.on_violation

string

default:"warn"

Action taken when a package violates policy or trust scoring.

Value	Behavior
`block`	Exit with code 1. The install or audit command is aborted.
`warn`	Print the violation and continue.
`log`	Record the violation silently and continue.

enforcement.default_mode

string

default:"passthrough"

The install mode used when --guarded is not passed on the command line.

Value	Behavior
`guarded`	Always run the full resolve → evaluate → enforce → install → sync pipeline.
`passthrough`	Run install directly without policy evaluation. Hash sync still runs.

PackageRule

A PackageRule matches one or more packages by exact name, glob pattern, version constraint, or expected checksum. Every rule must include either name or pattern — both cannot be absent.

name

string

Exact package name to match. Supports scoped packages.Examples: "lodash", "@scope/package"

pattern

string

Glob pattern for matching multiple packages. Supports * (any), *suffix, prefix*, *substr*, and @scope/*.Examples: "*-free", "@scope/*", "*substr*"

versions

string

Optional npm semver range. When present, the rule applies only to packages whose resolved version matches the constraint.Examples: "^4.0.0", ">=1.0.0"

checksum

string

Optional expected SHA-512 integrity hash in sha512-<base64> format. When present, the rule matches only packages whose lockfile integrity entry equals this value.Example: "sha512-a1b2c3d4..."

Complete example

{
  "$schema": "https://raw.githubusercontent.com/CarlosEduJs/SCAL-P/main/.scalp/policy.schema.json",
  "version": 1,
  "trust": {
    "mode": "allowlist",
    "min_score": 60,
    "require_hash": true
  },
  "packages": {
    "allow": [
      { "name": "lodash", "versions": "^4.0.0" },
      { "pattern": "@your-org/*" }
    ],
    "deny": [
      { "pattern": "*-free" },
      { "pattern": "@evil-scope/*" }
    ]
  },
  "transitive": {
    "max_depth": 5
  },
  "enforcement": {
    "on_violation": "block",
    "default_mode": "guarded"
  }
}

packages.deny is evaluated even when trust.mode is allowlist. A package in packages.allow that also matches a packages.deny rule is still blocked. Deny rules take precedence.

Get Started

Commands

Configuration

Guides

Reference

Policy schema reference for SCAL-P (.scalp/policy.json)

Top-level fields

PackageRule

Complete example

Build docs developers (and LLMs) love

Get Started

Commands

Configuration

Guides

Reference

Documentation Index

​Top-level fields

​PackageRule

​Complete example

Build docs developers (and LLMs) love

Top-level fields

PackageRule

Complete example