Skip to main content
KRAIT

The Seven KRAIT Rules

A deep dive into KRAIT-001 through KRAIT-007 — the structural security rules enforced via AST analysis by the Narsil Rust NIF.

KRAIT-001: No Code Eval

Dynamic code evaluation is the most dangerous capability an agent can access. KRAIT-001 prohibits all forms of runtime code evaluation, including Code.eval_string, Code.eval_quoted, and the Erlang equivalent :erl_eval. If it can turn a string into executable code at runtime, it is blocked.

KRAIT-002: No Shell Execution

An agent with shell access has access to everything. KRAIT-002 blocks System.cmd, System.shell, :os.cmd, and Port.open with command arguments. No spawning of OS processes. No piping to external commands. The agent operates within the BEAM and nowhere else.

KRAIT-003: No Credential Access

KRAIT-003 uses taint analysis to prevent access to sensitive credential paths. Reads targeting ~/.ssh, ~/.aws, ~/.config, and .env files are tracked through data flow. Even if the path is constructed indirectly — concatenated from fragments or passed through variables — the taint tracker follows it to the source.

KRAIT-004: No Network Exfiltration

Raw HTTP requests are blocked. The agent cannot use HTTPoison, Finch, :httpc, or any other HTTP client directly. All external communication must go through KRAIT's allowlisted WebFetch interface, which enforces domain restrictions and payload limits.

KRAIT-005: No Hot Code Loading

The BEAM's hot code loading is powerful — and dangerous in the hands of a self-modifying agent. KRAIT-005 prohibits Code.load_file, Code.load_binary, Code.compile_string, and Node.connect. The agent cannot load arbitrary modules or join other BEAM clusters.

KRAIT-006: No Core Tampering

Certain paths in the KRAIT system are immutable. The supervision tree, the Narsil NIF, the rule definitions, and the core orchestration modules are all protected. KRAIT-006 ensures that file writes targeting these paths are rejected at the AST level.

KRAIT-007: No Recursive Self-Modification

The evolution system is what makes KRAIT unique — and it must be protected above all else. KRAIT-007 prevents the agent from modifying the evolution system itself. The agent can evolve its own task modules, but it cannot alter the mechanism that governs evolution.