Skip to content
Docs menu

Commands

Every command except kratex doctor accepts --audit and --enforce, described once under Shared flags. kratex doctor takes no options. Policy is always discovered automatically; see policy source resolution.

Shared flags

FlagDescription
--auditForce the effective policy mode to audit regardless of what the file declares.
--enforceForce the effective policy mode to enforce.

kratex run

Run a command under Kratex’s runtime guards.

kratex run node app.js
kratex run -- node app.js   # use -- to suppress shorthand expansion
kratex run build            # expands to: npm run build (if build is a package.json script)

Shorthand expansion: if the first argument matches a script name in the package.json in the current working directory (no walk-up) and is not itself a recognized executable (node, npm, npx, or a path), kratex run <name> expands to kratex run npm run <name>. Pass -- before the name to opt out.


kratex npx

Run a package binary under Kratex’s runtime guards. Sugar for kratex run npx <package>.

kratex npx create-vite my-app

All protection comes from the runtime: a package fetched by npx has its lifecycle scripts gated at the install phase, and its bin runs under runtime enforcement. Equivalent to typing kratex run npx <package> [args].


kratex install / kratex i

Run npm install with lifecycle-script gating.

kratex install
kratex i
kratex install -- --legacy-peer-deps   # pass extra npm flags after --

Two-phase: first runs npm install --ignore-scripts --no-audit to fetch packages without executing any scripts, then evaluates each discovered preinstall/install/postinstall script against policy, then runs npm rebuild for the permitted ones.


kratex ci

Run npm ci with lifecycle-script gating. Same two-phase logic as kratex install but uses npm ci for the fetch phase (clean install from lockfile).

kratex ci
kratex ci -- --prefer-offline

kratex audit

Run npm audit --audit-level=high and record it in Kratex telemetry.

kratex audit

The npm process itself runs unguarded: no preload is injected and no runtime gating applies to it. The active policy is loaded only for the policy banner and for telemetry context; the command’s purpose is to emit the install-lifecycle event pair (command audit, started and ended, correlated by run id) around the npm audit run. Extra arguments (for example --json) are forwarded to npm audit.


kratex doctor

Check Node version, npm version, and policy file discovery.

kratex doctor

Prints whether the current Node version meets the 18.17 minimum, the npm version, and the resolved policy path on the config: line (or built-in default when no file is found). Exits non-zero if Node is below 18.17. Accepts no flags; any options passed are ignored.


kratex profile docker

Print a hardened Dockerfile for the current project.

kratex profile docker

Reads the active policy, collects all explicitly allowed write paths, and emits a Dockerfile with a minimal non-root image, --ignore-scripts install, and commented docker run flags for a read-only root filesystem. Output goes to stdout.


kratex policy validate

Parse and validate the discovered policy file, print a summary, and exit.

kratex policy validate

Prints: the resolved policy path, source kind, root, mode, and user rule count. Exits non-zero on any parse or schema error. Useful for CI pre-checks before deploying a policy change.