Package Exports
- @kratex/shared
- @kratex/shared/primordials
Readme
@kratex/shared
The schema and built-in-rule definitions consumed by every Kratex component.
This package is internal to the Kratex monorepo. It is not published separately to npm. Consumers (@kratex/cli, @kratex/runtime) link to it via the workspace file: protocol.
What lives here
- Policy schema (
src/policy/schema.ts) — the zod schemas for rules, subjects, targets, conditions, effects, andkratex.policy.jsonitself. This is the single source of truth: the CLI validates against it, the runtime evaluates against it. - Built-in rules (
src/policy/builtin-rules/) — the block-tier rules that ship enabled by default (credential exfil, wallet read, lifecycle network, lifecycle spawn, self-propagation). The lifecycle-spawn block is command-agnostic — it blocks any non-node subprocess a third-party lifecycle script spawns rather than enumerating shell binaries — and the target allowlists (LIFECYCLE_NETWORK_ALLOWLIST,LIFECYCLE_SPAWN_ALLOWLIST) exempt package-manager entrypoints. - Data classes (
src/policy/data-classes.ts) — theBUILTIN_FILENAME_CLASS_MAPthat classifies sensitive paths (credentials, wallets, secrets) so rules can match on data class rather than literal paths. - Route contracts (
src/contracts/) — theKRATEX_API_CONTRACTtable of CLI-facing routes (device auth, project policy fetch, telemetry ingestion). Used by both the CLI and any backend that implements it.
Editing the schema
The policy schema is the integration point between the CLI and the runtime. Changes here ripple to both. Build after editing:
npm run build -w @kratex/sharedConsumers pick up the new dist/ automatically — they link via the file: protocol, so no republish is required.
License
Apache License 2.0. See the root LICENSE.