
scalp install

Install packages via npm, pnpm, yarn, or bun with optional policy enforcement and hash sync.

Installs packages using your package manager of choice. Without --guarded, it's a transparent passthrough that syncs hashes after install. With --guarded, it evaluates policy and trust scores before anything hits disk.

Usage

scalp install [flags] [--] [pm args...]

Flags

Flag        Default              Description
--pm        auto-detected        Package manager: npm, pnpm, yarn, bun
--policy    .scalp/policy.json   Path to policy file
--guarded   false                Enforce policy and hash checks before install
--ci        false                Force enforcement to block

Passthrough mode

Without --guarded, SCAL-P runs the install, then hashes every installed package directory and saves the results to .scalp/lockfile.json:

scalp install

Behind the scenes:

  1. Runs npm install / pnpm install / yarn install / bun install with your args
  2. Gets the dependency tree via npm ls --all --json (or the PM-specific equivalent)
  3. Hashes each package directory with SHA-512 via hash.Dir()
  4. Saves to .scalp/lockfile.json

This mode is useful for gradually adopting SCAL-P. You get the lockfile and audit capability without any enforcement.

Guarded mode

With --guarded, SCAL-P evaluates policy before running the install:

scalp install --guarded

Flow:

  1. Load policy (from .scalp/policy.json or defaults)
  2. Resolve dependencies (lockfile-only, no install)
  3. Parse the lockfile
  4. Evaluate policy: allow/deny rules, transitive depth limits
  5. Evaluate trust scores (if min_score > 0 or require_hash)
  6. If violations → apply enforcement (block, warn, or log)
  7. If no violations (or enforcement is warn/log) → run the actual install
  8. Hash each installed package → update .scalp/lockfile.json

If enforcement is block and violations are found, the install never runs. No packages land in node_modules.

Guarded install with a violation

scalp install --guarded

With a policy that denies lodash-free, the output is:

! policy violations detected
policy violations detected:
- lodash-free@1.0.0 (denylist: pattern:*-free)

Guarded install passing

scalp install --guarded

On success, the command exits silently. On violations, policy enforcement takes effect and, in block mode, stops the install as shown above.

Passing arguments to the package manager

Use -- to separate SCAL-P flags from PM arguments:

scalp install --guarded -- --save-dev typescript

This passes --save-dev typescript to the underlying package manager.

Override package manager

Auto-detection works for most projects. Override when needed:

scalp install --pm npm --guarded
scalp install --pm pnpm --guarded
scalp install --pm yarn --guarded
scalp install --pm bun --guarded

Using with CI enforcement

scalp install --guarded --ci

--ci forces on_violation to block regardless of what's in your policy.
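The policy evaluation and enforcement steps of the guarded flow above, together with the --ci override, as an added Go illustration (not SCAL-P's own code): the Dep and Policy types, the "pattern:" glob prefix handling and the depth-limit message are assumptions, and only the denylist, transitive depth limit and on_violation rules the page names are modelled.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Dep and Policy are constructed for this example, not SCAL-P's own types.
type Dep struct { // one resolved dependency; Depth 0 means direct
	Name, Version string
	Depth         int
}

// Denylist entries are exact names or "pattern:<glob>"; MaxDepth 0 = unlimited.
type Policy struct {
	Denylist    []string
	MaxDepth    int
	OnViolation string // "block", "warn" or "log"
}

// matchesDeny tests a denylist entry; note path.Match's "*" does not cross "/" (scoped names).
func matchesDeny(entry, name string) bool {
	if strings.HasPrefix(entry, "pattern:") {
		ok, err := path.Match(strings.TrimPrefix(entry, "pattern:"), name)
		return err == nil && ok
	}
	return entry == name
}

// Evaluate returns one line per violation, in the format the page shows.
func Evaluate(p Policy, deps []Dep) []string {
	var out []string
	for _, d := range deps {
		for _, e := range p.Denylist {
			if matchesDeny(e, d.Name) {
				out = append(out, fmt.Sprintf("%s@%s (denylist: %s)", d.Name, d.Version, e))
			}
		}
		if p.MaxDepth > 0 && d.Depth > p.MaxDepth {
			out = append(out, fmt.Sprintf("%s@%s (depth %d exceeds limit %d)", d.Name, d.Version, d.Depth, p.MaxDepth))
		}
	}
	return out
}

// ShouldInstall applies enforcement: --ci forces block; warn/log let the install proceed.
func ShouldInstall(p Policy, ci bool, violations []string) bool {
	return len(violations) == 0 || (!ci && p.OnViolation != "block")
}
```

Run Evaluate on the resolved tree before the package manager is invoked, and skip the install whenever ShouldInstall returns false.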

Guarded by default

If you want all installs to be guarded without passing --guarded every time, set default_mode to guarded in your policy:

{
  "version": 1,
  "enforcement": {
    "default_mode": "guarded"
  }
}

Now plain scalp install behaves like scalp install --guarded.
