Name: kern
Author: KERNlang

Built for humans and AI. 192-line spec. 12 compile targets. 76 review rules.

_{LLMs write .kern in 85% fewer tokens. 7 LLMs verified.}

kernlang.dev • Playground • Review Rules • Docs • For LLMs

Install

npm install -g @kernlang/cli

kern review src/ --recursive                      # Static analysis (76 rules, taint tracking, OWASP LLM01)
kern compile src/ --target=nextjs                  # .kern → Next.js
kern compile src/ --target=fastapi                 # .kern → FastAPI Python
kern evolve src/ --recursive                       # Detect gaps → propose templates
kern dev src/ --target=nextjs                      # Watch & hot-transpile

What is KERN?

KERN is a structural language with five capabilities: Compile, Review, Evolve, Infer, and MCP Security.

Write .kern once, compile to 12 targets. Or skip .kern entirely and use kern review to scan your existing TypeScript and Python for security bugs, unguarded effects, and prompt injection — 76 AST-based rules that catch what ESLint misses.

Same .kern → Next.js, React, Vue, Nuxt, Express, FastAPI, Native, CLI, Terminal, Ink, Tailwind, MCP

For detailed examples, interactive demos, and the full rule reference, visit kernlang.dev.

Quick Example

7 lines of .kern:

machine name=Order initial=pending
  transition from=pending to=confirmed event=confirm
  transition from=confirmed to=shipped event=ship
  transition from=shipped to=delivered event=deliver

Compiles to 140+ lines of typed TypeScript — enums, transition functions, exhaustive checks, error classes.

kern review

Static analysis with taint tracking, concept-level checks, and OWASP LLM01 coverage. No AI needed.

kern review src/ --recursive            # Full scan
kern review src/ --enforce --min-coverage=80  # CI gate
kern review --diff origin/main          # Only changed files
kern review src/ --lint                 # KERN + ESLint + tsc unified
kern review src/ --llm                  # Export IR for AI review

76 rules across 10 layers: Base, React, Next.js, Vue, Express, Security (v1-v4), Dead Logic, Null Safety, Concept Rules, Taint Tracking.

Full rule reference: kernlang.dev/review

MCP Server Security

Scan MCP servers for vulnerabilities. 13 rules mapped to the OWASP MCP Top 10.

npx kern-mcp-security ./src/server.ts

Available as: VS Code Extension | CLI (npx kern-mcp-security) | GitHub Action (see CI/CD below)

MCP Server

KERN ships its own MCP server. AI agents can compile, review, and analyze .kern files via the Model Context Protocol.

npx @kernlang/mcp-server                   # Start KERN MCP server (stdio)

Claude Desktop — add to claude_desktop_config.json:

{
  "mcpServers": {
    "kern": { "command": "npx", "args": ["@kernlang/mcp-server"] }
  }
}

5 tools: compile, review, parse, validate, list-targets
2 resources: kern://spec (language spec), kern://targets (available targets)
1 prompt: write-kern (system prompt with full language spec)

You can also compile your own MCP servers from .kern:

kern compile server.kern --target=mcp       # .kern → MCP server

CI/CD

KERN Review — GitHub Action

Drop this into .github/workflows/kern-review.yml to run kern review on every push and PR:

name: KERN Review

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: pnpm/action-setup@v5
        with:
          version: 9

      - uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'pnpm'

      - run: pnpm install --frozen-lockfile
      - run: pnpm build

      - name: KERN Review
        run: npx @kernlang/cli review src/ --recursive

      # Optional: enforce minimum coverage
      # - name: KERN Review (enforced)
      #   run: npx @kernlang/cli review src/ --recursive --enforce --min-coverage=80

MCP Security — GitHub Action

Drop this into .github/workflows/mcp-security.yml for MCP server scanning with SARIF upload and PR comments:

name: MCP Security

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install KERN MCP Security
        run: npm install -g @kernlang/review-mcp@latest

      - name: Scan MCP server code
        id: scan
        run: |
          kern-mcp-security --format json --output kern-mcp-security.json . || true
          kern-mcp-security --format sarif --output kern-mcp-security.sarif . || true

          RESULT=$(kern-mcp-security --quiet . 2>&1) || true
          GRADE=$(echo "$RESULT" | head -1 | awk '{print $1}')
          SCORE=$(echo "$RESULT" | head -1 | awk '{print $2}')

          echo "grade=$GRADE" >> $GITHUB_OUTPUT
          echo "score=$SCORE" >> $GITHUB_OUTPUT
          echo "MCP Security Score: $GRADE ($SCORE/100)"

      - name: Verify tool pinning lockfile
        run: |
          if [ -f .kern-mcp-lock.json ]; then
            kern-mcp-security --verify . || echo "::warning::Tool pinning drift detected"
          else
            echo "No .kern-mcp-lock.json found — run 'npx kern-mcp-security --lock .' to generate one"
          fi

      - name: Upload SARIF to Code Scanning
        if: always() && hashFiles('kern-mcp-security.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kern-mcp-security.sarif
          category: kern-mcp-security
        continue-on-error: true

      - name: Post PR comment
        if: github.event_name == 'pull_request' && always()
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            let report;
            try {
              report = JSON.parse(fs.readFileSync('kern-mcp-security.json', 'utf-8'));
            } catch { return; }

            const { grade, total } = report.score;
            const color = { A: '22c55e', B: '84cc16', C: 'f97316', D: 'f59e0b', F: 'ef4444' }[grade];
            const badge = `![Score](https://img.shields.io/badge/MCP_Security-${grade}_(${total}%25)-${color})`;

            let body = `## KERN MCP Security Report\n\n${badge}\n\n`;
            body += `| Metric | Score |\n|--------|-------|\n`;
            body += `| Guard Coverage | ${report.score.guardCoverage}% |\n`;
            body += `| Input Validation | ${report.score.inputValidation}% |\n`;
            body += `| Rule Compliance | ${report.score.ruleCompliance}% |\n`;
            body += `| Auth Posture | ${report.score.authPosture}% |\n\n`;
            body += `**${report.findingsCount} finding(s)**\n\n`;
            body += `> Scanned by [KERN MCP Security](https://kernlang.dev/review)`;

            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            const existing = comments.find(c => c.body?.includes('KERN MCP Security Report'));

            if (existing) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner, repo: context.repo.repo,
                comment_id: existing.id, body,
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner, repo: context.repo.repo,
                issue_number: context.issue.number, body,
              });
            }

      - name: Enforce score threshold
        if: always()
        run: |
          SCORE="${{ steps.scan.outputs.score }}"
          THRESHOLD=60
          if [ -n "$SCORE" ] && [ "$SCORE" -lt "$THRESHOLD" ] 2>/dev/null; then
            echo "::error::MCP Security score $SCORE is below threshold $THRESHOLD"
            exit 1
          fi

Ecosystem

Package	What it does
@kernlang/cli	CLI — compile, review, evolve, dev
@kernlang/core	Parser, codegen, types — the compiler engine
@kernlang/review	76 rules, taint tracking, OWASP LLM01, concept model
@kernlang/review-mcp	MCP security scanner (13 rules, OWASP MCP Top 10)
@kernlang/react	Next.js, Tailwind, Web transpilers
@kernlang/vue	Vue 3 SFC, Nuxt 3 transpilers
@kernlang/native	React Native transpiler
@kernlang/express	Express backend + WebSocket transpiler
@kernlang/fastapi	FastAPI Python + WebSocket transpiler
@kernlang/mcp	MCP server transpiler — .kern to secure MCP servers
@kernlang/mcp-server	KERN's own MCP server — compile, review, parse via MCP
@kernlang/terminal	ANSI terminal + Ink transpilers
@kernlang/evolve	Self-extending template system
@kernlang/review-python	Python review support (FastAPI, Django)
@kernlang/playground	Interactive compiler UI
@kernlang/metrics	Language coverage analysis
@kernlang/protocol	AI draft communication protocol

VS Code Extensions

Kern Sight MCP — MCP security scanner with inline findings, Security Score, autofixes
Kern Sight (coming soon) — Review findings as inline diagnostics + webview code review panel

License

AGPL-3.0 — Swiss-engineered with precision.

kernlang.dev