Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Bulwark

FreeNot checked

AI agent governance: content scanning, audit logs, policy evaluation, session management.

GitHubEmbed

About

AI agent governance: content scanning, audit logs, policy evaluation, session management.

README

Open-source governance layer for AI agents.

Bulwark sits between AI agents and external tools, enforcing policies, managing credentials, inspecting content, and maintaining a complete audit trail. One policy governs all your agents — Claude Code, OpenClaw, Codex, or any MCP/HTTP client.

Why Bulwark?

AI agents are powerful but ungoverned. They can access any tool, leak any credential, and leave no audit trail. Bulwark fixes this:

  • Policy enforcement — YAML-based rules control which tools agents can use, with glob patterns, scope-based precedence, and hot-reload
  • Credential management — Agents never see real secrets. Bulwark injects credentials at the last mile, encrypted at rest with age
  • Content inspection — Scan requests and responses for secrets, PII, and prompt injection. Block or redact automatically
  • Audit logging — Every action recorded in a tamper-evident SQLite database with blake3 hash chains
  • Rate limiting — Token-bucket rate limits per session, operator, tool, or globally. Cost tracking with budget enforcement
  • MCP-native — Works as an MCP gateway or HTTP forward proxy. Governance metadata on every tool call response

Install

# Homebrew (macOS / Linux)
brew install bpolania/tap/bulwark

# Docker
docker pull ghcr.io/bpolania/bulwark

# From source
git clone https://github.com/bpolania/bulwark.git
cd bulwark && cargo build --release

Quick Start: Govern Claude Code with GitHub

This walkthrough connects Claude Code to GitHub through Bulwark. Every tool call is policy-evaluated, audited, and credential-injected — in about 5 minutes.

Prerequisites: Claude Code installed, a GitHub personal access token, and Node.js/npm (for the GitHub MCP server).

1. Initialize and verify

bulwark init my-project && cd my-project
bulwark doctor

doctor runs 9 diagnostic checks. All should pass.

2. Store your GitHub token

bulwark cred add github-token --type bearer_token
# Prompts for the token — hidden input, encrypted with age at rest

Configure the credential-to-tool binding in your bindings file so Bulwark knows to inject this token for GitHub tool calls.

3. Configure the upstream GitHub server

Edit bulwark.yaml:

mcp_gateway:
  upstream_servers:
    - name: github
      command: "npx"
      args: ["-y", "@modelcontextprotocol/server-github"]
      env:
        GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_TOKEN}"

policy:
  policies_dir: "./policies"
  hot_reload: true

audit:
  enabled: true

inspect:
  enabled: true
  inspect_requests: true
  inspect_responses: true

Make sure GITHUB_TOKEN is set in your shell (export GITHUB_TOKEN=ghp_...).

4. Write a policy

cat > policies/base.yaml << 'EOF'
metadata:
  name: quickstart-policy
  scope: global

rules:
  - name: allow-reads
    description: "Allow all read operations"
    match:
      actions: ["read_*", "get_*", "list_*", "search_*"]
    verdict: allow
    priority: 10

  - name: allow-github-writes
    description: "Allow creating issues, comments, PRs"
    match:
      tools: ["github__*"]
      actions: ["create_*", "update_*"]
    verdict: allow
    priority: 10

  - name: block-destructive
    description: "Block all delete and force-push operations"
    match:
      actions: ["delete_*", "force_push_*"]
    verdict: deny
    priority: 20
    message: "Destructive operations are blocked by policy"

  - name: default-deny
    match: {}
    verdict: deny
    priority: -100
    message: "No policy explicitly allows this action"
EOF

bulwark policy validate

5. Create a session and connect Claude Code

# Create a session (--ttl is in seconds: 28800 = 8 hours)
bulwark session create --operator $(whoami) --agent-type claude-code --ttl 28800
# → Token: bwk_sess_7f3a...

export BULWARK_SESSION="bwk_sess_7f3a..."   # paste your actual token

# Register Bulwark as an MCP server in Claude Code
claude mcp add --transport stdio bulwark \
  --env BULWARK_SESSION=$BULWARK_SESSION \
  -- bulwark mcp start

6. Use Claude Code — now governed

Start Claude Code. GitHub tools appear namespaced as github__list_issues, github__create_issue, etc.

Try it:

"List the open issues in my repo"

Open a second terminal:

bulwark audit tail
22:01:03  github__list_issues   ✓ allow   3ms  (allow-reads)

Every call is logged with the verdict, matched rule, and timing. Now try something destructive:

"Delete issue #1"

22:02:01  github__delete_issue  ✗ deny    <1ms (block-destructive)

Blocked. Sub-millisecond — policy evaluation happens in memory. The agent gets a structured error explaining which rule denied it.

What just happened

Claude Code connected to Bulwark (not directly to GitHub). For every tool call, Bulwark validated the session, scanned for secrets/PII, evaluated the policy, injected the real GitHub token, scanned the response, and recorded a tamper-evident audit event. Same agent experience — full governance underneath.

Going Deeper

Content inspection — 13 built-in patterns scan for AWS keys, GitHub tokens, private keys, PII, and prompt injection. Redaction happens before content reaches the agent.

bulwark inspect rules
bulwark inspect scan --text "my key is AKIAIOSFODNN7EXAMPLE"

Policy replay — Preview the impact of policy changes against real audit history before deploying:

bulwark policy test --dir ./new-policies/ --since 1h

Audit forensics — Reconstruct a session timeline and verify the hash chain:

bulwark session inspect <session-id>
bulwark audit verify
bulwark audit export --since 24h --format json

HTTP proxy mode — For non-MCP agents, Bulwark runs as a forward proxy with TLS interception:

bulwark proxy start
bulwark ca export   # trust the CA in your HTTP client

Architecture

┌─────────────┐     ┌──────────────────────────────────────────────┐     ┌──────────────┐
│             │     │                  Bulwark                      │     │              │
│  AI Agent   │────>│  Session > Inspect > Policy > Inject > Proxy │────>│  Upstream    │
│  (Claude,   │<────│  <── Audit <── Inspect <── Response <─────── │<────│  Tool/API    │
│   Codex,    │     │                                              │     │              │
│   custom)   │     └──────────────────────────────────────────────┘     └──────────────┘
└─────────────┘

Integration Modes

Mode Transport Best For
MCP Gateway (stdio) stdio/JSON-RPC Claude Code, OpenClaw, any MCP client
MCP Gateway (HTTP) Streamable HTTP Remote agents, MCP registry, multi-agent
HTTP Proxy HTTP/HTTPS Codex, curl, any HTTP client

Example Policy

# policies/base.yaml
metadata:
  name: my-policy
  scope: global

rules:
  - name: allow-reads
    verdict: allow
    priority: 10
    match:
      actions: ["read*", "get*", "list*"]

  - name: block-destructive-in-prod
    verdict: deny
    priority: 100
    match:
      actions: ["delete*", "drop*"]
    conditions:
      environments: ["production"]

  - name: default-deny
    verdict: deny
    match: {}

See examples/policies/ for complete policy sets (startup, enterprise, development, multi-agent).

CLI

bulwark init <path>              # Scaffold a new project
bulwark proxy start              # Start HTTP/HTTPS proxy
bulwark mcp start                # Start MCP gateway (stdio)
bulwark mcp serve                # Start MCP gateway (HTTP)
bulwark doctor                   # Diagnose setup issues (9 checks)
bulwark status                   # Health dashboard
bulwark policy validate          # Validate policy files
bulwark policy test --dir <path> # Test policies against audit log
bulwark session create|list|revoke|inspect
bulwark cred add|list|remove|test
bulwark audit search|tail|stats|export|verify
bulwark inspect scan|rules       # Content inspection
bulwark ca export|path           # CA certificate management
bulwark completions <shell>      # Shell completions (bash/zsh/fish)

Documentation

Development

git clone https://github.com/bpolania/bulwark.git
cd bulwark
cargo build --workspace
cargo test --workspace          # 487 tests
cargo clippy --workspace --all-targets -- -D warnings

Project Structure

crates/
  cli/        # CLI binary and commands
  proxy/      # HTTP/HTTPS forward proxy with TLS MITM
  mcp/        # MCP governance gateway
  config/     # Configuration loading and types
  policy/     # YAML policy engine with hot-reload
  vault/      # Credential storage and session management
  audit/      # Tamper-evident audit logging
  inspect/    # Content inspection (secrets, PII, injection)
  ratelimit/  # Token-bucket rate limiter and cost tracker
  common/     # Shared types and error definitions

License

Apache 2.0. See LICENSE.

from github.com/bpolania/bulwark

Installing Bulwark

This server has no published package — it is built from source. Open the repository and follow its README.

▸ github.com/bpolania/bulwark

FAQ

Is Bulwark MCP free?

Yes, Bulwark MCP is free — one-click install via Unyly at no cost.

Does Bulwark need an API key?

No, Bulwark runs without API keys or environment variables.

Is Bulwark hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install Bulwark in Claude Desktop, Claude Code or Cursor?

Open Bulwark on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Bulwark with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All ai MCPs