Consumer Setup

Verify your npm dependencies in 2 minutes.

Quick start

npx @ajna-inc/supplychain install-hook

This adds a preinstall hook to your package.json and writes a default ajna-policy.json. Every subsequent npm install runs verification automatically.

What gets checked

• Signatures — every attestation is cryptographically verified against the publisher's DID
• Age — versions younger than minAge (default 7 days) are flagged
• Publisher continuity — if the signing DID changes across versions, you're warned
• Lifecycle scripts — packages with postinstall scripts are flagged unless whitelisted
• Transitive deps — the entire lockfile tree is walked, not just direct deps
• Audit credentials — third-party scanner verdicts (Socket, Snyk) are checked
• Revocation — credentials that have been revoked are flagged

Default behavior

Out of the box, enforcement is warn— nothing is blocked. You see a report on every install. When you're comfortable, flip to block:

// ajna-policy.json
{
  "enforcement": "block"
}

Verify manually

npx @ajna-inc/supplychain verify
npx @ajna-inc/supplychain verify --json          # machine-readable
npx @ajna-inc/supplychain verify --report out.json  # save report

Skip verification temporarily

AJNA_SC_SKIP=1 npm install