One backend spec. Real TypeScript and Python output. 240 review rules.
LLMs write .kern in up to 85% fewer tokens. 7 LLMs verified.
kernlang.dev • MCP • Review • Playground • Docs • For LLMs
npm install -g @kernlang/clikern compile api.kern --target=express # Generate an Express backend
kern compile api.kern --target=fastapi # Generate a FastAPI backend
kern review src/ --recursive # Static analysis (240 rules, taint tracking)
kern context src/ --stdout # Whole-project context map for an LLM/agent
kern init --template=fullstack my-app # Scaffold fullstack app (Next.js + Express + MCP)
kern init --mcp # Scaffold an MCP server with security guards
kern import src/ --outdir=kern/ # TypeScript → .kern
kern schema --json # Full schema for LLM consumptionKERN is a backend structure and portable route-logic language.
Define routes, schemas, handlers, API shape, validation, and small portable logic once, then emit real TypeScript/Express and Python/FastAPI code. Keep complex business logic in TypeScript or Python; move shared structure and parity-safe operations into KERN.
KERN also includes four supporting capabilities: Review, Infer, MCP Security, and Evolve. You can skip .kern entirely and run kern review against existing TypeScript and Python for security bugs, unguarded effects, flaky tests, and prompt injection — 240 AST-based rules that catch what ESLint misses.
KERN should own the repeatable parts of backend work:
- route declarations and HTTP shape
- request and response schemas
- validation and status responses
- small portable route logic
- generated Express and FastAPI structure that stays aligned
Host-language code should still own application-specific business logic, data access, and framework-specific integration. The goal is not to hide TypeScript or Python; it is to stop rewriting the same route/schema/controller structure twice.
| Tier | Targets | Status |
|---|---|---|
| Primary backend parity path | Express, FastAPI | Maintained path for TypeScript/Python backend structure and portable route logic |
| Supported product/runtime targets | MCP, CLI, Ink, Next.js, Web (React), Tailwind | Useful targets with schemas, deterministic output, and examples |
| Additional adapters | Vue, Nuxt, React Native, Terminal | Available adapters; verify fit before making them your main production path |
Tiers are tracked per compile target, not per npm package. For example, @kernlang/terminal contains two separate targets: --target=terminal (pure ANSI/Node.js output) and --target=ink (React + Ink TSX output).
For detailed examples, interactive demos, and the full rule reference, visit kernlang.dev.
7 lines of .kern:
machine name=Order initial=pending
transition from=pending to=confirmed event=confirm
transition from=confirmed to=shipped event=ship
transition from=shipped to=delivered event=deliver
Compiles to 140+ lines of typed TypeScript — enums, transition functions, exhaustive checks, error classes.
Build a fullstack Todo app (Next.js + Express + MCP) from scratch:
# 1. Install
npm install -g @kernlang/cli
# 2. Scaffold
kern init --template=fullstack my-todo-app
cd my-todo-app
# 3. Compile everything
kern compile models.kern # shared types
kern compile api.kern --target=express # backend API
kern compile frontend.kern --target=nextjs # Next.js frontend
kern compile mcp-server.kern --target=mcp # AI agent tools
# 4. Run
cd generated/api && npx tsx server.ts # API on :3001Available templates: fullstack, nextjs, express, file-tools, api-gateway, database-tools
See examples/starter/fullstack/ for the generated files.
Static analysis with taint tracking, concept-level checks, and OWASP LLM01 coverage. No AI needed.
kern review src/ --recursive # Full scan
kern review src/ --enforce --min-coverage=80 # CI gate
kern review --diff origin/main # Only changed files
kern review src/ --lint # KERN + ESLint + tsc unified
kern review src/ --llm # AI review (see below)240 rules across base, security, framework, performance, test-quality, null-safety, dead-logic, concept, and taint-aware analysis layers.
Recent coverage includes broadly reusable Next.js, React, Storybook, and Playwright checks: App Router body parsing, cache and header hazards, client-boundary env exposure, cookie hardening, SWR invalidation drift, browser storage parsing, client-side redirect sinks, wildcard postMessage, legacy React lifecycles, effect cleanup mistakes, timer cleanup drift, stale .length/.size hook deps, props-array mutation in render, focused tests, fixed Playwright sleeps, brittle networkidle waits, non-deterministic stories, and unmocked Storybook network calls.
--llm translates your code to KERN IR — a compressed semantic representation that strips framework sugar and gives raw meaning. Two modes:
Inside an AI CLI (Claude Code, Codex, Cursor) — no env vars needed:
kern review src/ --llm # Outputs KERN IR + findings + taint for the AI to reviewCI/CD pipeline — set both env vars to call an LLM API directly:
KERN_LLM_API_KEY=sk-... KERN_LLM_MODEL=gpt-4o kern review src/ --llmNo hardcoded model — you choose via KERN_LLM_MODEL. Files are batched by token size, not count.
Full rule reference: kernlang.dev/review
Scan MCP servers for vulnerabilities. 12 rules mapped to the OWASP MCP Top 10. Plus live server inspection and tool pinning.
npx kern-mcp-security ./src/server.tsAvailable as: VS Code Extension | CLI (npx kern-mcp-security) | GitHub Action (see CI/CD below)
KERN ships its own MCP server. AI agents can compile, review, inspect, and self-correct .kern files via the Model Context Protocol.
npx @kernlang/mcp-server # Start locally (stdio)Or use the hosted endpoint — no install required:
https://kernlang.dev/api/mcp # Streamable HTTP — point any MCP client here
Claude Desktop — add to claude_desktop_config.json:
{
"mcpServers": {
"kern": { "command": "npx", "args": ["@kernlang/mcp-server"] }
}
}Claude Code:
claude mcp add kern -- npx @kernlang/mcp-server16 tools including compile, compile-json, compile-and-review, review, review-kern, review-mcp-server, inspect-mcp-servers, verify-tool-pins, audit-mcp-config, generate-security-tests, parse, decompile, validate, list-targets, list-nodes, schema
3 resources: kern://spec, kern://targets, kern://examples/{category}
1 prompt: write-kern (system prompt with full language spec)
Self-correction loop: schema → write .kern → compile-json → fix from diagnostics → done. Zero human intervention.
Full setup guide: kernlang.dev/mcp
30 lines of .kern generates a production MCP server with auto-injected security guards:
kern init --mcp # Scaffold with templates
kern compile server.kern --target=mcp --watch # Compile + hot reloadTemplates: file-tools, api-gateway, database-tools
Give an LLM or agent instant whole-project context — not just for review. kern context walks your project's import graph and call graph and emits a compact, token-budgeted map of how the codebase fits together: which symbols exist, who calls/uses each one (cross-file blast radius), imports, and taint flows.
kern context src/ # write kern-context.json (full artifact)
kern context src/ --stdout # print the JSON to stdout
kern context src/ --spine --stdout # compact <kern-map> spine, ready to drop in a prompt
kern context src/ --spine --spine-budget 3000 # cap the spine at ~3000 tokens
kern context src/ --max-depth=2 # limit import-graph depthTwo forms: the full kern-context.json artifact (default), and — with --spine — the compact <kern-map> spine, the same prompt-ready form kern review --llm injects per batch. Feed the spine to a coding agent and it starts the task already knowing the project's structure — "validateSession → used by 6 files" — instead of cold-reading every file to map dependencies. --spine-budget fits it to a token budget, degrading gracefully on large projects. It's deterministic and cacheable: regenerate after each change and the context stays fresh.
Paths are relative by default (--absolute for absolute, --base=<dir> to rebase). Analyzes TypeScript sources (.ts, .tsx, .mts, .cts); for a .kern project, point it at the compiled TypeScript output.
Drop this into .github/workflows/kern-review.yml to run kern review on every push and PR:
name: KERN Review
on:
push:
branches: [main, dev]
pull_request:
branches: [main]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: '22'
- name: Activate pnpm
run: |
corepack enable
corepack prepare pnpm@10.32.1 --activate
pnpm --version
- run: pnpm install --frozen-lockfile --ignore-scripts
- run: pnpm build
- name: KERN Review
run: npx @kernlang/cli review src/ --recursive
# Optional: enforce minimum coverage
# - name: KERN Review (enforced)
# run: npx @kernlang/cli review src/ --recursive --enforce --min-coverage=80
# Optional: LLM-assisted review (set secrets in repo settings)
# - name: KERN Review (AI)
# run: npx @kernlang/cli review src/ --recursive --llm
# env:
# KERN_LLM_API_KEY: ${{ secrets.KERN_LLM_API_KEY }}
# KERN_LLM_MODEL: ${{ vars.KERN_LLM_MODEL }}Drop this into .github/workflows/mcp-security.yml for MCP server scanning with SARIF upload and PR comments:
name: MCP Security
on:
push:
branches: [main, dev]
pull_request:
branches: [main]
permissions:
contents: read
security-events: write
pull-requests: write
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install KERN MCP Security
run: npm install -g @kernlang/review-mcp@latest
- name: Scan MCP server code
id: scan
run: |
kern-mcp-security --format json --output kern-mcp-security.json . || true
kern-mcp-security --format sarif --output kern-mcp-security.sarif . || true
RESULT=$(kern-mcp-security --quiet . 2>&1) || true
GRADE=$(echo "$RESULT" | head -1 | awk '{print $1}')
SCORE=$(echo "$RESULT" | head -1 | awk '{print $2}')
echo "grade=$GRADE" >> $GITHUB_OUTPUT
echo "score=$SCORE" >> $GITHUB_OUTPUT
echo "MCP Security Score: $GRADE ($SCORE/100)"
- name: Verify tool pinning lockfile
run: |
if [ -f .kern-mcp-lock.json ]; then
kern-mcp-security --verify . || echo "::warning::Tool pinning drift detected"
else
echo "No .kern-mcp-lock.json found — run 'npx kern-mcp-security --lock .' to generate one"
fi
- name: Upload SARIF to Code Scanning
if: always() && hashFiles('kern-mcp-security.sarif') != ''
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: kern-mcp-security.sarif
category: kern-mcp-security
continue-on-error: true
- name: Post PR comment
if: github.event_name == 'pull_request' && always()
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
let report;
try {
report = JSON.parse(fs.readFileSync('kern-mcp-security.json', 'utf-8'));
} catch { return; }
const { grade, total } = report.score;
const color = { A: '22c55e', B: '84cc16', C: 'f97316', D: 'f59e0b', F: 'ef4444' }[grade];
const badge = `-${color})`;
let body = `## KERN MCP Security Report\n\n${badge}\n\n`;
body += `| Metric | Score |\n|--------|-------|\n`;
body += `| Guard Coverage | ${report.score.guardCoverage}% |\n`;
body += `| Input Validation | ${report.score.inputValidation}% |\n`;
body += `| Rule Compliance | ${report.score.ruleCompliance}% |\n`;
body += `| Auth Posture | ${report.score.authPosture}% |\n\n`;
body += `**${report.findingsCount} finding(s)**\n\n`;
body += `> Scanned by [KERN MCP Security](https://kernlang.dev/review)`;
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner, repo: context.repo.repo,
issue_number: context.issue.number,
});
const existing = comments.find(c => c.body?.includes('KERN MCP Security Report'));
if (existing) {
await github.rest.issues.updateComment({
owner: context.repo.owner, repo: context.repo.repo,
comment_id: existing.id, body,
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner, repo: context.repo.repo,
issue_number: context.issue.number, body,
});
}
- name: Enforce score threshold
if: always()
run: |
SCORE="${{ steps.scan.outputs.score }}"
THRESHOLD=60
if [ -n "$SCORE" ] && [ "$SCORE" -lt "$THRESHOLD" ] 2>/dev/null; then
echo "::error::MCP Security score $SCORE is below threshold $THRESHOLD"
exit 1
fiDrop this into .github/workflows/kern-compile.yml to validate .kern files compile correctly on every PR:
name: KERN Compile
on:
push:
branches: [main, dev]
pull_request:
branches: [main]
jobs:
compile:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: '22'
- name: Activate pnpm
run: |
corepack enable
corepack prepare pnpm@10.32.1 --activate
pnpm --version
- run: pnpm install --frozen-lockfile --ignore-scripts
- run: pnpm build
- name: Validate .kern files
run: npx @kernlang/cli compile src/ --target=nextjs --json
- name: Type-check generated output
run: npx tsc --noEmitUse the built-in release workflows in this order:
- Run
Release Preflightfrommainwith a plain semver like3.2.4. - Wait for the preflight run to pass build, test, and
pnpm publish --dry-run. - Publish a GitHub Release with a lowercase tag like
v3.2.4. - Let
Version & Publishpublish to npm and sync versions back todev.
Contributor architecture guide: docs/architecture.md
| Package | What it does |
|---|---|
| @kernlang/cli | CLI — compile, review, context, evolve, dev |
| @kernlang/core | Parser, codegen, types — the compiler engine |
| @kernlang/test | Native KERN structural test runner |
| @kernlang/review | 240 rules, taint tracking, OWASP LLM01, concept model |
| @kernlang/review-mcp | MCP security scanner (12 rules, OWASP MCP Top 10) |
| @kernlang/react | Next.js, Tailwind, Web transpilers |
| @kernlang/vue | Vue 3 SFC, Nuxt 3 transpilers |
| @kernlang/native | React Native transpiler |
| @kernlang/express | Express backend + WebSocket transpiler |
| @kernlang/python | Python backend codegen (FastAPI router target + WebSocket) |
| @kernlang/mcp | MCP server transpiler — .kern to secure MCP servers |
| @kernlang/mcp-server | KERN's own MCP server — compile, review, parse via MCP |
| @kernlang/terminal | ANSI terminal + Ink transpilers |
| @kernlang/evolve | Self-extending template system |
| @kernlang/review-python | Python review support (FastAPI, Django) |
| @kernlang/playground | Interactive compiler UI |
| @kernlang/metrics | Language coverage analysis |
| @kernlang/protocol | AI draft communication protocol |
- Kern MCP Security — MCP security scanner with inline findings, Security Score, autofixes (Open VSX)
- Kern Sight — Review findings as inline diagnostics, sidebar panel, .kern syntax highlighting
Dual-licensed: AGPL-3.0 + Commercial.
| Use case | License | Cost |
|---|---|---|
| Personal projects | AGPL-3.0 | Free |
| Open-source projects | AGPL-3.0 | Free |
| Education & research | AGPL-3.0 | Free |
| Internal company tools (not distributed) | AGPL-3.0 | Free |
| Commercial products & SaaS | Commercial license | Contact us |
Why AGPL? AGPL means if you use KERN in a product you distribute or serve to users, you must open-source your modifications. If you don't want that obligation, the commercial license gives you full freedom to use KERN in proprietary products without disclosure.
What the commercial license includes:
- Use KERN in closed-source products and SaaS
- No obligation to open-source your code
- Priority support and issue resolution
- License for your entire engineering team
Contact: hello@kernlang.dev — we respond within 24 hours.
Copyright (c) 2026 KERNlang