How audits work

The Ark audit is a mandatory quality gate. Every package must score at least 60/100 before it can be submitted to the registry. No audit, no publish.

The audit as differentiator

npm doesn't audit packages for quality. App stores audit for policy compliance, not craftsmanship. Ark's audit does something different: it measures whether a package is actually good — well-structured, secure, complete, and genuinely useful.

The audit score determines your price range. Better packages command higher prices. This is the "record label" model: Ark certifies value so buyers can trust what they're purchasing.

Two modes

Mode       Dimensions             Cost                           Best for
--static   D1–D5 (90 pts total)   Free                           Development iteration, quick score check
--full     D1–D6 (100 pts total)  ~$0.02–0.10 in Claude tokens   Final submission, maximizing score

Static mode analyzes your files without calling Claude. Full mode adds D6 — a Claude evaluation of originality, domain depth, and documentation quality. You pay the Claude API costs for the full audit; it's charged to your creator account.

What gets analyzed

The auditor scans the entire package directory:

The audit flow

What happens when you run ark audit
1. CLI reads all files in current directory
2. Runs static analysis (D1–D5)
       - Validates ark.json schema
       - Checks bash syntax (bash -n)
       - Scans for secrets / credentials
       - Verifies required files exist
       - Checks for idempotence patterns
3. [--full only] Sends package to Claude for D6 analysis
4. Calculates score per dimension
5. Determines verdict and price range
6. [--save] Writes audit-report.json with SHA-256 hash
7. Displays results + improvement suggestions

The tamper-proof report

When you run ark audit --save, the CLI generates an audit-report.json and computes a SHA-256 hash of the report content. During ark publish, the registry verifies that hash against the current report file. Any modification — even adding a space — invalidates the report.

Re-audit after any change. If you modify any file after auditing, re-run the audit. The registry will detect a mismatch between the report and the actual archive content.
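The two checks described above, as an added illustration that is not Ark's own code: the report hash catches any edit to audit-report.json, and a content digest recorded inside the report catches package files changed after the audit. The report layout, the package_sha256 field, the constructed one-file package and the return strings are all assumptions made for this example.

```python
import hashlib
import json
import os
import tempfile
# Assumed layout, not Ark's real report format: the report records a digest
# over the package files; the registry recomputes both hashes at publish time.

def package_digest(pkg_dir: str) -> str:  # SHA-256 over sorted (path, bytes)
    h = hashlib.sha256()
    for root, dirs, files in os.walk(pkg_dir):
        dirs.sort()  # deterministic traversal regardless of filesystem order
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, pkg_dir).replace(os.sep, "/")
            if rel == "audit-report.json":
                continue  # the report cannot cover itself
            with open(path, "rb") as f:
                data = f.read()
            # Length-prefix each field so "a"+"bc" and "ab"+"c" hash differently.
            h.update(f"{len(rel)}:{rel}{len(data)}:".encode() + data)
    return h.hexdigest()

def write_report(pkg_dir: str, score: int) -> str:  # creator side: ark audit --save
    report = {"score": score, "package_sha256": package_digest(pkg_dir)}
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    with open(os.path.join(pkg_dir, "audit-report.json"), "wb") as f:
        f.write(body)
    return hashlib.sha256(body).hexdigest()  # what the registry will check

def verify_at_publish(pkg_dir: str, expected_report_sha: str) -> str:  # registry side
    with open(os.path.join(pkg_dir, "audit-report.json"), "rb") as f:
        body = f.read()
    if hashlib.sha256(body).hexdigest() != expected_report_sha:
        return "report modified"
    if json.loads(body)["package_sha256"] != package_digest(pkg_dir):
        return "package changed after audit"
    return "ok"

def demo() -> list:  # audit a constructed one-file package, then tamper two ways
    with tempfile.TemporaryDirectory() as d:
        manifest, report = os.path.join(d, "ark.json"), os.path.join(d, "audit-report.json")
        open(manifest, "wb").write(b'{"name": "demo"}')  # constructed sample manifest
        sha = write_report(d, 72)
        ok = verify_at_publish(d, sha)
        open(manifest, "ab").write(b" ")  # edit a package file after the audit
        changed = verify_at_publish(d, sha)
        open(report, "ab").write(b" ")  # add a single space to the report itself
        tampered = verify_at_publish(d, sha)
    return [ok, changed, tampered]
```

Checking the report hash first means a touched report is rejected before its contents are trusted for the package comparison.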

Manual review

Automated audit scores are necessary but not sufficient. Every submission goes through manual review (24-48h) by the Ark team. We check for:

Manual review can reject a package that passed the automated audit, or approve it with conditions (e.g., "update description before publishing").