A draughtsman's section of a canal lock: a barge of stacked shipping containers waits in the low chamber below the closed gate.

Écluse

An open-source supply-chain policy proxy for package registries: the controlled passage every dependency clears before it reaches your build.

I leaned on an LLM heavily to build this, during bootstrapping, behind a documented process. Here's how, and how to verify it.

What brought you here?

Start with the path that matches what you need. Each one leads from the short answer to the relevant detail.

Decide if it fits

Start with the problem and the policy-proxy bet, then compare the alternatives honestly.

Deploy and operate

Configure Écluse, connect npm, and lock down the deployment around it.

Understand the design

Use the architecture map to follow one concern down to its rationale.

Contribute

Enter the pinned development environment and take a change through the test gates.

Assess security

Review the security contract, invariants, and generated threat model.

Verify the provenance

See how AI was used, then verify the released image instead of trusting it.