@kratex/shared
The schema and built-in-rule definitions consumed by every Kratex component.
This package is internal to the Kratex monorepo. It is not published separately to npm. Consumers (@kratex/cli, @kratex/runtime, Kratex Guardian) link to it via the workspace file: protocol.
What lives here
- Policy schema (src/policy/schema.ts) — the zod schemas for rules, subjects, targets, conditions, effects, and kratex.config.json itself. This is the single source of truth: the CLI validates against it, the runtime evaluates against it, Guardian uses it for extension policies.
- Built-in rules (src/policy/builtin-rules/) — the six block-tier rules that ship enabled by default (credential exfil, wallet read, lifecycle network, lifecycle shell, self-propagation), plus their per-binary fan-outs (sh, bash, zsh, dash) and target allowlists (CREDENTIAL_ACCESS_ALLOWLIST, LIFECYCLE_NETWORK_ALLOWLIST, LIFECYCLE_SHELL_ALLOWLIST).
- Data classes (src/policy/data-classes.ts) — the BUILTIN_FILENAME_CLASS_MAP that classifies sensitive paths (credentials, wallets, secrets) so rules can match on data class rather than literal paths.
- Route contracts (src/contracts/) — the KRATEX_API_CONTRACT table of CLI-facing routes (device auth, project policy fetch, telemetry ingestion). Used by both the CLI and any backend that implements it.
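The data-class matching described in the list above, as an added TypeScript example that is not code from @kratex/shared. The map entries, the Rule shape, allowedSubjects and all function names are hypothetical, and the sample paths are constructed.

```typescript
// Added illustration; every name and shape here is hypothetical, not the @kratex/shared API.
type DataClass = "credentials" | "wallets" | "secrets";
type Effect = "allow" | "block";

// Constructed sample entries: a path suffix (whole segments) mapped to a data class.
const EXAMPLE_CLASS_MAP: { suffix: string; dataClass: DataClass }[] = [
  { suffix: ".aws/credentials", dataClass: "credentials" },
  { suffix: ".npmrc", dataClass: "credentials" },
  { suffix: ".ssh/id_ed25519", dataClass: "credentials" },
  { suffix: "wallet.dat", dataClass: "wallets" },
  { suffix: ".env", dataClass: "secrets" },
];

// Unify separators and fold "." / ".." lexically, so "a/../.npmrc" classifies like ".npmrc".
function normalise(path: string): string {
  const out: string[] = [];
  for (const seg of path.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return out.join("/");
}

// Return the data class of a path, or null when the path is not sensitive.
function classify(path: string): DataClass | null {
  const p = normalise(path);
  for (const { suffix, dataClass } of EXAMPLE_CLASS_MAP) {
    // Match on a segment boundary so "my.env" is not mistaken for ".env".
    if (p === suffix || p.slice(-(suffix.length + 1)) === "/" + suffix) return dataClass;
  }
  return null;
}

interface Rule { dataClass: DataClass; effect: Effect; allowedSubjects: string[] }

// The rule names a data class, never a literal path; other classes fall through to "allow".
function evaluate(rule: Rule, subject: string, path: string): Effect {
  if (classify(path) !== rule.dataClass) return "allow";
  return rule.allowedSubjects.indexOf(subject) !== -1 ? "allow" : rule.effect;
}

const credentialRule: Rule = { dataClass: "credentials", effect: "block", allowedSubjects: ["aws"] };
```

One rule covers every path in the class, including Windows-style and traversal spellings of the same file; symlinks are not resolved in this sketch.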
Editing the schema
The policy schema is the integration point between the CLI, the runtime, and Guardian. Changes here ripple to all three. Build after editing:
    npm run build -w @kratex/shared

Consumers pick up the new dist/ automatically — they link via the file: protocol, so no republish is required.
License
Apache License 2.0. See the root LICENSE.