JSPM

  • Downloads 1288
  • License Apache-2.0

Node.js supply-chain enforcement at install and at runtime. Policy-gated lifecycle scripts, caller-chain-attributed runtime hook.


    Kratex

    @kratex/cli

    Node.js supply-chain enforcement at install and at runtime.

    Static scanners find known-bad packages. Kratex controls what every package, known or unknown, can actually do: which files it can read, which hosts it can reach, which processes it can spawn. Rules run at install time to gate lifecycle scripts and at runtime to intercept live operations, attributed to first-party versus third-party code.

    npm i -g @kratex/cli

    Requires Node.js 18.17+.

    Get started

    kratex ci             # policy-gated install
    kratex run node app.js

    kratex ci and kratex install run npm ci / npm install --ignore-scripts, then evaluate each package's lifecycle scripts against the policy before running them. kratex run injects the same enforcement into your running Node process.

    Out of the box, the default policy enables six block-tier rules (credential exfiltration, wallet directory reads, lifecycle network/shell escapes, self-propagation) and allows everything else. Tighten or loosen by editing kratex.policy.json. See Policy below.

    Commands

    Command                  What it does
    kratex run <command>     Run any Node command under the active policy
    kratex install           npm install --ignore-scripts + lifecycle gating
    kratex ci                npm ci --ignore-scripts + lifecycle gating
    kratex audit             npm dependency and signature audit
    kratex policy validate   Parse and summarize the active policy
    kratex profile docker    Print a hardened Dockerfile derived from the policy
    kratex doctor            Check local setup and config

    kratex run accepts a script shorthand: kratex run serve expands to npm run serve.

    Policy

    Policy lives in kratex.policy.json in your project root. It is plain JSON — version it with the rest of your repo. With no config file present, Kratex falls back to the built-in default policy.

    Rules specify:

    • Subject: first-party code, third-party code, or a named package.
    • Target: a filesystem path, network host, process command, environment variable, or install lifecycle script.
    • Effect: allow, audit, or block.

    Unmatched operations are allowed by default. Six built-in block-tier rules fire regardless of policy mode and cannot be overridden by user rules (the one exception is the lifecycle spawn rule, which can be relaxed per package as noted below):

    • third-party-credential-read: reads of ~/.npmrc, ~/.aws/**, ~/.ssh/**, browser profile directories.
    • third-party-wallet-read: reads of crypto wallet directories (~/.electrum/**, ~/Library/Application Support/Solana/**, etc.).
    • third-party-lifecycle-network: network calls from preinstall/install/postinstall scripts.
    • third-party-lifecycle-spawn: any non-node subprocess spawned from a lifecycle script (shells, interpreters, arbitrary binaries). Node children are exempt because they re-enter the runtime. Overridable per package for native-module builds.
    • third-party-self-propagation-fs: writes to other packages' package.json files at runtime.

    One additional built-in is audit-tier (it records but never blocks): third-party-pii-read surfaces third-party reads of files classified as PII or financial data. It carries the immutable tag so the audit record always fires and cannot be muted by a user allow rule.

    The full policy schema lives in @kratex/shared/policy/schema.ts.

    License

    Apache License 2.0. See the root LICENSE.