
Node.js supply-chain enforcement at install and at runtime. Policy-gated lifecycle scripts, caller-chain-attributed runtime hook.

    Kratex

    @kratex/cli

    Node.js supply-chain enforcement at install and at runtime.

    Static scanners find known-bad packages. Kratex controls what every package, known or unknown, can actually do: which files it can read, which hosts it can reach, which processes it can spawn. Rules run at install time to gate lifecycle scripts and at runtime to intercept live operations, attributed to first-party versus third-party code.

    npm i -g @kratex/cli

    Requires Node.js 22.15+ or 24+.

    Get started

    kratex init           # bind this directory; writes kratex.config.json
    kratex ci             # policy-gated install
    kratex run node app.js

    kratex ci and kratex install run npm ci / npm install --ignore-scripts, then evaluate each package's lifecycle scripts against the policy before running them. kratex run injects the same enforcement into your running Node process.

    Out of the box, the default policy enables six block-tier rules (credential exfiltration, wallet directory reads, lifecycle network/shell escapes, self-propagation) and audits everything else. Tighten or loosen by editing kratex.config.json. See Policy below.

    Commands

    Command                  What it does
    kratex run <command>     Run any Node command under active policy
    kratex install           npm install --ignore-scripts + lifecycle gating
    kratex ci                npm ci --ignore-scripts + lifecycle gating
    kratex audit             npm dependency and signature audit
    kratex init              Bind this directory; writes kratex.config.json
    kratex policy validate   Parse and summarize active policy
    kratex profile docker    Print a hardened Dockerfile derived from policy
    kratex doctor            Check local setup and config

    kratex run accepts a script shorthand: kratex run serve expands to npm run serve.

    Policy

    Policy lives in kratex.config.json in the directory you ran kratex init from. It is plain JSON — version it with the rest of your repo.

    Rules specify:

    • Subject: first-party code, third-party code, or a named package.
    • Target: a filesystem path, network host, process command, environment variable, or install lifecycle script.
    • Effect: allow, audit, or block.

    Unmatched operations are allowed by default. Six built-in block-tier rules fire regardless of policy mode and cannot be overridden by user rules:

    • third-party-credential-read: reads of ~/.npmrc, ~/.aws/**, ~/.ssh/**, browser profile directories.
    • third-party-wallet-read: reads of crypto wallet directories (~/.electrum/**, ~/Library/Application Support/Solana/**, etc.).
    • third-party-lifecycle-network: network calls from preinstall/install/postinstall scripts.
    • third-party-lifecycle-shell-{sh,bash,zsh,dash}: shell command spawns from lifecycle scripts.
    • third-party-self-propagation-fs: writes to other packages' package.json files at runtime.

    The full policy schema lives in @kratex/shared/policy/schema.ts.

    Authentication (optional)

    kratex login / kratex logout / kratex whoami connect the CLI to an optional hosted policy and telemetry service. These commands are not required to use the CLI — the local policy file is the source of truth either way. Skip this section if you are running Kratex without a hosted backend.

    License

    Apache License 2.0. See the root LICENSE.