JSPM package page: @kratex/cli (license: UNLICENSED, downloads: 1288)

Production-oriented Node.js supply-chain runtime and install hardening.

    Kratex

    Node.js supply-chain enforcement at install and at runtime.

    Static scanners find known-bad packages. Kratex controls what every package — known or unknown — can actually do: which files it can read, which hosts it can reach, which processes it can spawn. Rules run at install time to gate lifecycle scripts and at runtime to intercept live operations, attributed to first-party versus third-party code.

    npm install -g @kratex/cli

    Requires Node.js 22 or 24+.

    Get started

    kratex login          # connect to your Kratex account
    kratex init           # bind this repo to a project and pull its policy
    kratex ci             # policy-gated install
    kratex run node app.js

    kratex ci runs npm ci --ignore-scripts and kratex install runs npm install --ignore-scripts; each then evaluates every package's lifecycle scripts against your policy before any of them executes. kratex run injects the same enforcement into your running Node process.

    Commands

    Command                    What it does
    kratex run <command>       Run any Node command under active policy
    kratex install             npm install --ignore-scripts + lifecycle gating
    kratex ci                  npm ci --ignore-scripts + lifecycle gating
    kratex audit               npm dependency and signature audit
    kratex init                Bind this repo to a Kratex project
    kratex login               Authenticate with Kratex
    kratex logout              Remove stored credentials
    kratex whoami              Print authenticated user
    kratex policy validate     Parse and summarize active policy
    kratex profile docker      Print a hardened Dockerfile derived from policy
    kratex doctor              Check local setup and config

    kratex run accepts a script shorthand: kratex run serve expands to npm run serve.

    Policy

    Policy is created and managed on kratex.dev and pulled automatically when you run kratex init.

    Rules specify a subject (first-party code, third-party code, or a named package), a target (filesystem path, network host, process command, environment variable, install lifecycle script), and an effect (allow, audit, or block). Unmatched operations are allowed by default, so anything you want audited or blocked must be matched by an explicit rule; the only denials that apply without one are the built-in rules, which always block writes to credential paths (~/.ssh, ~/.aws, browser profiles, crypto wallets) regardless of user rules.