Écluse
An open-source supply-chain policy proxy for package registries: the controlled passage every dependency clears before it reaches your build.
I leaned on an LLM heavily to build this, during bootstrapping, behind a documented process. Here's how, and how to verify it.
What brought you here?
Start with the path that matches what you need. Each one leads from the short answer to the relevant detail.
Decide if it fits
Start with the problem and the policy-proxy bet, then compare the alternatives honestly.
Deploy and operate
Configure Écluse, connect npm, and lock down the deployment around it.
Understand the design
Use the architecture map to follow one concern down to its rationale.
Contribute
Enter the pinned development environment and take a change through the test gates.
Assess security
Review the security contract, invariants, and generated threat model.
Verify the provenance
See how AI was used, then verify the released image instead of trusting it.