Commands

scalp init

Bootstrap .scalp/ with policy, lockfile, audit log, and cache — three templates depending on how strict you want to start.

Bootstraps a .scalp/ directory in the current project. Creates a policy.json, policy.schema.json, empty lockfile.json, empty audit.log, and a cache/ directory.

Usage

scalp init [--minimal | --strict]

Flags

Flag        Description
--minimal   Create a bare skeleton policy (version only, no trust or enforcement rules)
--strict    Create a hardcore policy with denylist mode, min_score: 60, require_hash: true, block enforcement, and guarded default mode

Default

Without flags, scalp init writes the safe default policy: audit-only trust mode, warn on violation, passthrough default mode.

{
  "version": 1,
  "trust": { "mode": "audit-only" },
  "enforcement": {
    "on_violation": "warn",
    "default_mode": "passthrough"
  }
}

The default policy is permissive by design. It logs violations as warnings but never blocks. Tighten it gradually as you adopt SCAL-P — see Migration Guide.

Minimal

scalp init --minimal

Writes only the version field. Useful when you want to start from scratch and define every field yourself:

{
  "version": 1
}

Strict

scalp init --strict

Writes a production-hardened policy with deny rules for packages with protestware or compromise history:

{
  "version": 1,
  "trust": {
    "mode": "denylist",
    "min_score": 60,
    "require_hash": true
  },
  "packages": {
    "deny": [
      { "pattern": "*-free" },
      { "name": "colors" },
      { "name": "faker" },
      { "name": "node-ipc" },
      { "name": "event-stream" }
    ]
  },
  "transitive": {
    "max_depth": 3
  },
  "enforcement": {
    "on_violation": "block",
    "default_mode": "guarded"
  }
}
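To show how the strict and default policies above differ in practice, here is an added example (not part of the scalp project) that evaluates a package against the policy fields shown on this page. The matching semantics are assumptions: "name" is an exact match, "pattern" is a shell-style glob, min_score and require_hash apply whenever set, and audit-only trust mode never blocks.

```python
import fnmatch
import json

# Constructed copies of the two policies shown on this page.
DEFAULT_POLICY = json.loads("""{
  "version": 1,
  "trust": { "mode": "audit-only" },
  "enforcement": { "on_violation": "warn", "default_mode": "passthrough" }
}""")

STRICT_POLICY = {
    "version": 1,
    "trust": {"mode": "denylist", "min_score": 60, "require_hash": True},
    "packages": {"deny": [{"pattern": "*-free"}, {"name": "colors"}, {"name": "faker"},
                          {"name": "node-ipc"}, {"name": "event-stream"}]},
    "transitive": {"max_depth": 3},
    "enforcement": {"on_violation": "block", "default_mode": "guarded"},
}


def violations(policy, name, score=None, has_hash=False):
    """Return the list of rule violations for one package. ASSUMED semantics:
    'name' is an exact match, 'pattern' is a shell-style glob, and min_score /
    require_hash apply whenever they are present under trust."""
    found = []
    trust = policy.get("trust", {})
    for rule in policy.get("packages", {}).get("deny", []):
        if rule.get("name") == name:
            found.append(f"denied by name: {name}")
        elif "pattern" in rule and fnmatch.fnmatchcase(name, rule["pattern"]):
            found.append(f"denied by pattern: {rule['pattern']}")
    if "min_score" in trust and (score is None or score < trust["min_score"]):
        found.append(f"score {score} below min_score {trust['min_score']}")
    if trust.get("require_hash") and not has_hash:
        found.append("no pinned hash in lockfile")
    return found


def decide(policy, name, score=None, has_hash=False):
    """Map violations to the policy's on_violation action ('warn' or 'block');
    a clean package is 'allow'. Audit-only trust mode is assumed never to block."""
    if not violations(policy, name, score, has_hash):
        return "allow"
    if policy.get("trust", {}).get("mode") == "audit-only":
        return "warn"
    return policy.get("enforcement", {}).get("on_violation", "warn")


if __name__ == "__main__":
    for pkg, score, pinned in [("colors", 90, True), ("lodash-free", 90, True),
                               ("lodash", 50, True), ("lodash", 80, True)]:
        print(pkg, decide(STRICT_POLICY, pkg, score, pinned),
              violations(STRICT_POLICY, pkg, score, pinned))
```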

Created files

.scalp/
├── policy.json           ← policy template (based on flags)
├── policy.schema.json    ← JSON Schema for editor autocomplete
├── lockfile.json         ← empty hash baseline ({})
├── audit.log             ← append-only event log (empty)
└── cache/                ← trust score cache directory

When to use each variant

Variant     Best for
Default     First-time users, evaluation, local dev
--minimal   Users who want to hand-craft their policy from a blank slate
--strict    Production services, CI enforcement, org-wide rollout