The Seven KRAIT Rules

A deep dive into KRAIT-001 through KRAIT-007 — the structural security rules enforced via AST analysis across 6 languages by the Rust NIF.

All 7 rules are enforced across 6 languages (Elixir, Python, JavaScript, TypeScript, Go, Rust) using dedicated tree-sitter parsers in the Rust NIF. Each language has adapted rule implementations that match its specific dangerous patterns.

KRAIT-001: No Code Eval

Dynamic code evaluation is the most dangerous capability an agent can access. KRAIT-001 prohibits all forms of runtime code evaluation:

• Elixir: Code.eval_string, Code.eval_quoted, :erl_eval, EEx.eval_string
• Python: eval(), exec(), compile()
• JavaScript/TypeScript: eval(), new Function()
• Go: reflect package usage

KRAIT-002: No Shell Execution

An agent with shell access has access to everything. KRAIT-002 blocks shell execution across all languages:

• Elixir: System.cmd, System.shell, :os.cmd, Port.open
• Python: subprocess, import os (includes os.system, os.popen)
• JavaScript/TypeScript: require('child_process'), import child_process
• Go: os/exec import
• Rust: std::process::Command

KRAIT-003: No Credential Access

KRAIT-003 uses taint analysis to prevent access to sensitive credential paths. Reads targeting ~/.ssh, ~/.aws, ~/.config, and .env files are tracked through data flow. Even if the path is constructed indirectly — concatenated from fragments or passed through variables — the taint tracker follows it to the source.

KRAIT-004: No Network Exfiltration

Raw HTTP/network access is blocked across all languages:

• Elixir: HTTPoison, Finch, :httpc, :hackney — all blocked. Must use allowlisted WebFetch.
• Python: import requests, import urllib, import httpx
• JavaScript/TypeScript: fetch(), require('http'), require('https'), XMLHttpRequest
• Go: net/http import
• Rust: std::net, reqwest

KRAIT-005: No Hot Code Loading

Dynamic code loading is blocked:

• Elixir: Code.load_file, Code.load_binary, Code.compile_string, Node.connect
• Python: __import__(), importlib.reload
• Go: plugin.Open
• JavaScript/TypeScript: dynamic require() with variable arguments

KRAIT-006: No Core Tampering

Certain paths in the KRAIT system are immutable. The supervision tree, the Narsil NIF, the rule definitions, and the core orchestration modules are all protected. KRAIT-006 ensures that file writes targeting these paths are rejected at the AST level.

KRAIT-007: No Recursive Self-Modification

The evolution system is what makes KRAIT unique — and it must be protected above all else. KRAIT-007 prevents the agent from modifying the evolution system itself. The agent can evolve its own task modules, but it cannot alter the mechanism that governs evolution.