Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

KERNlang/kern


KERN — The LLM Programming Language

npm CI GitHub release license


One backend spec. Real TypeScript and Python output. 240 review rules.
A .kern spec is ~70% fewer tokens than the TypeScript it generates — ~81% fewer than maintaining both backends (measured, GPT-class tokenizer, example corpus).


kernlang.devMCPReviewPlaygroundDocsFor LLMs


Install

npm install -g @kernlang/cli
kern compile api.kern --target=express # Generate an Express backend
kern compile api.kern --target=fastapi # Generate a FastAPI backend
kern check # Nominal type checker (zero false positives)
kern review src/ --recursive # Static analysis (240 rules, taint tracking)
kern context src/ --stdout # Whole-project context map for an LLM/agent
kern init --template=fullstack my-app # Scaffold fullstack app (Next.js + Express + MCP)
kern init --mcp # Scaffold an MCP server with security guards
kern import src/ --outdir=kern/ # TypeScript → .kern
kern schema --json # Full schema for LLM consumption

What is KERN?

KERN is a backend structure and portable route-logic language — and as of v4, a typed core language: classes with inheritance, enums, closures, and a built-in nominal type checker, all compiling to both TypeScript and Python with parity proven by differential conformance fixtures (every fixture executes on both runtimes and must produce identical results).

Define routes, schemas, handlers, API shape, validation, and small portable logic once, then emit real TypeScript/Express and Python/FastAPI code. Keep complex business logic in TypeScript or Python; move shared structure and parity-safe operations into KERN.

KERN also includes four supporting capabilities: Review, Infer, MCP Security, and Evolve. You can skip .kern entirely and run kern review against existing TypeScript and Python for security bugs, unguarded effects, flaky tests, and prompt injection — 240 AST-based rules that catch what ESLint misses.

Backend Parity First

KERN should own the repeatable parts of backend work:

  • route declarations and HTTP shape
  • request and response schemas
  • validation and status responses
  • small portable route logic
  • generated Express and FastAPI structure that stays aligned

Host-language code should still own application-specific business logic, data access, and framework-specific integration. The goal is not to hide TypeScript or Python; it is to stop rewriting the same route/schema/controller structure twice.

Compile Target Status

Tier Targets Status
Primary backend parity path Express, FastAPI Maintained path for TypeScript/Python backend structure and portable route logic
Supported product/runtime targets MCP, CLI, Ink, Next.js, Web (React), Tailwind Useful targets with schemas, deterministic output, and examples
Additional adapters Vue, Nuxt, React Native, Terminal Available adapters; verify fit before making them your main production path

Tiers are tracked per compile target, not per npm package. For example, @kernlang/terminal contains two separate targets: --target=terminal (pure ANSI/Node.js output) and --target=ink (React + Ink TSX output).

For detailed examples, interactive demos, and the full rule reference, visit kernlang.dev .

The Language (v4)

v4 turns KERN's portable layer into a typed core language. One source, two real runtimes, identical behavior:

enum name=Status values="Pending|Active|Done"
class name=Shape abstract=true export=true
 method name=area returns=number
class name=Square extends=Shape export=true
 field name=side type=number value={{ 3 }}
 method name=area returns=number
 handler
 return value="this.side * this.side"
fn name=measure returns=number
 param name=shape type=Shape
 handler
 return value="shape.area()"
  • Classes — single inheritance, abstract classes, fields, getters, static members. Override variance is Liskov-checked by kern check.
  • Enums — TypeScript gets a native enum; Python gets a plain namespace class with identical member values (including TS auto-increment semantics). Operations the two targets can't represent identically — reverse indexing Status[0], Object.keys(Status) iteration — are rejected at compile time for both targets, so neither side can silently diverge.
  • Closures — including captured-variable mutation, lowered correctly on both targets.
  • Type checkingkern check verifies class hierarchies, call-site arity and argument types, and declared returns. Zero false positives by design: it only reports violations it can prove.

The parity guarantee is enforced, not promised: every language construct ships with differential conformance fixtures that execute the generated TypeScript and the generated Python and require identical results — and anything outside the provable subset fails closed with an explicit error instead of guessing.

Quick Example

8 lines of .kern:

machine name=Order
 state name=pending
 state name=confirmed
 state name=shipped
 state name=delivered
 transition name=confirm from=pending to=confirmed
 transition name=ship from=confirmed to=shipped
 transition name=deliver from=shipped to=delivered

Compiles to 40 lines of typed TypeScript — a state union type, guarded transition functions, and a dedicated error class.

5-Minute Quickstart

Build a fullstack Todo app (Next.js + Express + MCP) from scratch:

# 1. Install
npm install -g @kernlang/cli
# 2. Scaffold
kern init --template=fullstack my-todo-app
cd my-todo-app
# 3. Compile everything
kern compile models.kern # shared types
kern compile api.kern --target=express # backend API
kern compile frontend.kern --target=nextjs # Next.js frontend
kern compile mcp-server.kern --target=mcp # AI agent tools
# 4. Run
cd generated/api && npx tsx server.ts # API on :3001

Available templates: fullstack, nextjs, express, file-tools, api-gateway, database-tools

See examples/starter/fullstack/ for the generated files.

kern check

The KERN nominal type checker — deterministic, zero false positives by design (it only fires on violations it can prove; anything ambiguous is skipped, never guessed).

kern check # Check every .kern file under cwd
kern check src/ # Check a directory
kern check api.kern # Check one file
kern check --json # Stable machine output (schemaVersion 1.0) for CI/bots
kern check --with-semantics # Also run semantic validation

What it checks: class declarations and override variance, call-site arity and argument types, and declared returns — annotate a function with returns=<Class> and the checker verifies every literal return value="new <Class>(...)" against it:

class name=Dog
class name=Cat
fn name=mk returns=Dog
 handler lang=kern
 return value="new Cat()" # kern check: check-return-type error

Exit codes: 0 clean, 1 findings, 2 operational failure — drop it straight into CI before kern review.

kern review

Static analysis with taint tracking, concept-level checks, and OWASP LLM01 coverage. No AI needed.

kern review src/ --recursive # Full scan
kern review src/ --enforce --min-coverage=80 # CI gate
kern review --diff origin/main # Only changed files
kern review src/ --lint # KERN + ESLint + tsc unified
kern review src/ --llm # AI review (see below)

240 rules across base, security, framework, performance, test-quality, null-safety, dead-logic, concept, and taint-aware analysis layers.

Recent coverage includes broadly reusable Next.js, React, Storybook, and Playwright checks: App Router body parsing, cache and header hazards, client-boundary env exposure, cookie hardening, SWR invalidation drift, browser storage parsing, client-side redirect sinks, wildcard postMessage, legacy React lifecycles, effect cleanup mistakes, timer cleanup drift, stale .length/.size hook deps, props-array mutation in render, focused tests, fixed Playwright sleeps, brittle networkidle waits, non-deterministic stories, and unmocked Storybook network calls.

AI-Assisted Review (--llm)

--llm translates your code to KERN IR — a compressed semantic representation that strips framework sugar and gives raw meaning. Two modes:

Inside an AI CLI (Claude Code, Codex, Cursor) — no env vars needed:

kern review src/ --llm # Outputs KERN IR + findings + taint for the AI to review

CI/CD pipeline — set both env vars to call an LLM API directly:

KERN_LLM_API_KEY=sk-... KERN_LLM_MODEL=gpt-4o kern review src/ --llm

No hardcoded model — you choose via KERN_LLM_MODEL. Files are batched by token size, not count.

Full rule reference: kernlang.dev/review

MCP Server Security

Scan MCP servers for vulnerabilities. 12 rules mapped to the OWASP MCP Top 10. Plus live server inspection and tool pinning.

npx kern-mcp-security ./src/server.ts

Available as: VS Code Extension | CLI (npx kern-mcp-security) | GitHub Action (see CI/CD below)

MCP Server

KERN ships its own MCP server. AI agents can compile, review, inspect, and self-correct .kern files via the Model Context Protocol.

npx @kernlang/mcp-server # Start locally (stdio)

Or use the hosted endpoint — no install required:

https://kernlang.dev/api/mcp # Streamable HTTP — point any MCP client here

Claude Desktop — add to claude_desktop_config.json:

{
 "mcpServers": {
 "kern": { "command": "npx", "args": ["@kernlang/mcp-server"] }
 }
}

Claude Code:

claude mcp add kern -- npx @kernlang/mcp-server

16 tools including compile, compile-json, compile-and-review, review, review-kern, review-mcp-server, inspect-mcp-servers, verify-tool-pins, audit-mcp-config, generate-security-tests, parse, decompile, validate, list-targets, list-nodes, schema 3 resources: kern://spec, kern://targets, kern://examples/{category} 1 prompt: write-kern (system prompt with full language spec)

Self-correction loop: schema → write .kerncompile-json → fix from diagnostics → done. Zero human intervention.

Full setup guide: kernlang.dev/mcp

Build MCP Servers from .kern

30 lines of .kern generates a production MCP server with auto-injected security guards:

kern init --mcp # Scaffold with templates
kern compile server.kern --target=mcp --watch # Compile + hot reload

Templates: file-tools, api-gateway, database-tools

kern context

Give an LLM or agent instant whole-project context — not just for review. kern context walks your project's import graph and call graph and emits a compact, token-budgeted map of how the codebase fits together: which symbols exist, who calls/uses each one (cross-file blast radius), imports, and taint flows.

kern context src/ # write kern-context.json (full artifact)
kern context src/ --stdout # print the JSON to stdout
kern context src/ --spine --stdout # compact <kern-map> spine, ready to drop in a prompt
kern context src/ --spine --spine-budget 3000 # cap the spine at ~3000 tokens
kern context src/ --max-depth=2 # limit import-graph depth

Two forms: the full kern-context.json artifact (default), and — with --spine — the compact <kern-map> spine, the same prompt-ready form kern review --llm injects per batch. Feed the spine to a coding agent and it starts the task already knowing the project's structure — "validateSession → used by 6 files" — instead of cold-reading every file to map dependencies. --spine-budget fits it to a token budget, degrading gracefully on large projects. It's deterministic and cacheable: regenerate after each change and the context stays fresh.

Paths are relative by default (--absolute for absolute, --base=<dir> to rebase). Analyzes TypeScript sources (.ts, .tsx, .mts, .cts); for a .kern project, point it at the compiled TypeScript output.

CI/CD

KERN Review — GitHub Action

Drop this into .github/workflows/kern-review.yml to run kern review on every push and PR:

name: KERN Review
on:
 push:
 branches: [main, dev]
 pull_request:
 branches: [main]
jobs:
 review:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
 - uses: actions/setup-node@v6
 with:
 node-version: '22'
 - name: Activate pnpm
 run: |
 corepack enable
 corepack prepare pnpm@10.32.1 --activate
 pnpm --version

 - run: pnpm install --frozen-lockfile --ignore-scripts
 - run: pnpm build
 - name: KERN Review
 run: npx @kernlang/cli review src/ --recursive
 # Optional: enforce minimum coverage
 # - name: KERN Review (enforced)
 # run: npx @kernlang/cli review src/ --recursive --enforce --min-coverage=80
 # Optional: LLM-assisted review (set secrets in repo settings)
 # - name: KERN Review (AI)
 # run: npx @kernlang/cli review src/ --recursive --llm
 # env:
 # KERN_LLM_API_KEY: ${{ secrets.KERN_LLM_API_KEY }}
 # KERN_LLM_MODEL: ${{ vars.KERN_LLM_MODEL }}

MCP Security — GitHub Action

Drop this into .github/workflows/mcp-security.yml for MCP server scanning with SARIF upload and PR comments:

name: MCP Security
on:
 push:
 branches: [main, dev]
 pull_request:
 branches: [main]
permissions:
 contents: read
 security-events: write
 pull-requests: write
jobs:
 scan:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v4
 with:
 node-version: '20'
 - name: Install KERN MCP Security
 run: npm install -g @kernlang/review-mcp@latest
 - name: Scan MCP server code
 id: scan
 run: |
 kern-mcp-security --format json --output kern-mcp-security.json . || true
 kern-mcp-security --format sarif --output kern-mcp-security.sarif . || true

 RESULT=$(kern-mcp-security --quiet . 2>&1) || true
 GRADE=$(echo "$RESULT" | head -1 | awk '{print 1ドル}')
 SCORE=$(echo "$RESULT" | head -1 | awk '{print 2ドル}')

 echo "grade=$GRADE" >> $GITHUB_OUTPUT
 echo "score=$SCORE" >> $GITHUB_OUTPUT
 echo "MCP Security Score: $GRADE ($SCORE/100)"

 - name: Verify tool pinning lockfile
 run: |
 if [ -f .kern-mcp-lock.json ]; then
 kern-mcp-security --verify . || echo "::warning::Tool pinning drift detected"
 else
 echo "No .kern-mcp-lock.json found — run 'npx kern-mcp-security --lock .' to generate one"
 fi

 - name: Upload SARIF to Code Scanning
 if: always() && hashFiles('kern-mcp-security.sarif') != ''
 uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: kern-mcp-security.sarif
 category: kern-mcp-security
 continue-on-error: true
 - name: Post PR comment
 if: github.event_name == 'pull_request' && always()
 uses: actions/github-script@v7
 with:
 script: |
 const fs = require('fs');
 let report;
 try {
 report = JSON.parse(fs.readFileSync('kern-mcp-security.json', 'utf-8'));
 } catch { return; }

 const { grade, total } = report.score;
 const color = { A: '22c55e', B: '84cc16', C: 'f97316', D: 'f59e0b', F: 'ef4444' }[grade];
 const badge = `![Score](https://img.shields.io/badge/MCP_Security-${grade}_(${total}%25)-${color})`;

 let body = `## KERN MCP Security Report\n\n${badge}\n\n`;
 body += `| Metric | Score |\n|--------|-------|\n`;
 body += `| Guard Coverage | ${report.score.guardCoverage}% |\n`;
 body += `| Input Validation | ${report.score.inputValidation}% |\n`;
 body += `| Rule Compliance | ${report.score.ruleCompliance}% |\n`;
 body += `| Auth Posture | ${report.score.authPosture}% |\n\n`;
 body += `**${report.findingsCount} finding(s)**\n\n`;
 body += `> Scanned by [KERN MCP Security](https://kernlang.dev/review)`;

 const { data: comments } = await github.rest.issues.listComments({
 owner: context.repo.owner, repo: context.repo.repo,
 issue_number: context.issue.number,
 });
 const existing = comments.find(c => c.body?.includes('KERN MCP Security Report'));

 if (existing) {
 await github.rest.issues.updateComment({
 owner: context.repo.owner, repo: context.repo.repo,
 comment_id: existing.id, body,
 });
 } else {
 await github.rest.issues.createComment({
 owner: context.repo.owner, repo: context.repo.repo,
 issue_number: context.issue.number, body,
 });
 }

 - name: Enforce score threshold
 if: always()
 run: |
 SCORE="${{ steps.scan.outputs.score }}"
 THRESHOLD=60
 if [ -n "$SCORE" ] && [ "$SCORE" -lt "$THRESHOLD" ] 2>/dev/null; then
 echo "::error::MCP Security score $SCORE is below threshold $THRESHOLD"
 exit 1
 fi

KERN Compile + Validate — GitHub Action

Drop this into .github/workflows/kern-compile.yml to validate .kern files compile correctly on every PR:

name: KERN Compile
on:
 push:
 branches: [main, dev]
 pull_request:
 branches: [main]
jobs:
 compile:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
 - uses: actions/setup-node@v6
 with:
 node-version: '22'
 - name: Activate pnpm
 run: |
 corepack enable
 corepack prepare pnpm@10.32.1 --activate
 pnpm --version

 - run: pnpm install --frozen-lockfile --ignore-scripts
 - run: pnpm build
 - name: Validate .kern files
 run: npx @kernlang/cli compile src/ --target=nextjs --json
 - name: Type-check generated output
 run: npx tsc --noEmit

Release Process

Use the built-in release workflows in this order:

  1. Run Release Preflight from main with a plain semver like 3.2.4.
  2. Wait for the preflight run to pass build, test, and pnpm publish --dry-run.
  3. Publish a GitHub Release with a lowercase tag like v3.2.4.
  4. Let Version & Publish publish to npm and sync versions back to dev.

Contributor architecture guide: docs/architecture.md

Ecosystem

Package What it does
@kernlang/cli CLI — compile, review, context, evolve, dev
@kernlang/core Parser, codegen, types — the compiler engine
@kernlang/test Native KERN structural test runner
@kernlang/review 240 rules, taint tracking, OWASP LLM01, concept model
@kernlang/review-mcp MCP security scanner (12 rules, OWASP MCP Top 10)
@kernlang/react Next.js, Tailwind, Web transpilers
@kernlang/vue Vue 3 SFC, Nuxt 3 transpilers
@kernlang/native React Native transpiler
@kernlang/express Express backend + WebSocket transpiler
@kernlang/python Python backend codegen (FastAPI router target + WebSocket)
@kernlang/mcp MCP server transpiler — .kern to secure MCP servers
@kernlang/mcp-server KERN's own MCP server — compile, review, parse via MCP
@kernlang/terminal ANSI terminal + Ink transpilers
@kernlang/evolve Self-extending template system
@kernlang/review-python Python review support (FastAPI, Django)
@kernlang/playground Interactive compiler UI
@kernlang/metrics Language coverage analysis
@kernlang/protocol AI draft communication protocol

VS Code Extensions

  • Kern MCP Security — MCP security scanner with inline findings, Security Score, autofixes (Open VSX)
  • Kern Sight — Review findings as inline diagnostics, sidebar panel, .kern syntax highlighting

License

Dual-licensed: AGPL-3.0 + Commercial.

Use case License Cost
Personal projects AGPL-3.0 Free
Open-source projects AGPL-3.0 Free
Education & research AGPL-3.0 Free
Internal company tools (not distributed) AGPL-3.0 Free
Commercial products & SaaS Commercial license Contact us

Why AGPL? AGPL means if you use KERN in a product you distribute or serve to users, you must open-source your modifications. If you don't want that obligation, the commercial license gives you full freedom to use KERN in proprietary products without disclosure.

What the commercial license includes:

  • Use KERN in closed-source products and SaaS
  • No obligation to open-source your code
  • Priority support and issue resolution
  • License for your entire engineering team

Contact: hello@kernlang.dev — we respond within 24 hours.

Copyright (c) 2026 KERNlang

About

MCP review engine with 182 + rules (taint tracking, OWASP LLM01, concept model) + universal IR compiler: .kern compiles to 13 targets including Next.js, Vue, Express, and FastAPI. AGPL-3.0.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

Watchers

Forks

Packages

Contributors

AltStyle によって変換されたページ (->オリジナル) /