Bulwark
БесплатноНе проверенAI agent governance: content scanning, audit logs, policy evaluation, session management.
Описание
AI agent governance: content scanning, audit logs, policy evaluation, session management.
README
Open-source governance layer for AI agents.
Bulwark sits between AI agents and external tools, enforcing policies, managing credentials, inspecting content, and maintaining a complete audit trail. One policy governs all your agents — Claude Code, OpenClaw, Codex, or any MCP/HTTP client.
Why Bulwark?
AI agents are powerful but ungoverned. They can access any tool, leak any credential, and leave no audit trail. Bulwark fixes this:
- Policy enforcement — YAML-based rules control which tools agents can use, with glob patterns, scope-based precedence, and hot-reload
- Credential management — Agents never see real secrets. Bulwark injects credentials at the last mile, encrypted at rest with age
- Content inspection — Scan requests and responses for secrets, PII, and prompt injection. Block or redact automatically
- Audit logging — Every action recorded in a tamper-evident SQLite database with blake3 hash chains
- Rate limiting — Token-bucket rate limits per session, operator, tool, or globally. Cost tracking with budget enforcement
- MCP-native — Works as an MCP gateway or HTTP forward proxy. Governance metadata on every tool call response
Install
# Homebrew (macOS / Linux)
brew install bpolania/tap/bulwark
# Docker
docker pull ghcr.io/bpolania/bulwark
# From source
git clone https://github.com/bpolania/bulwark.git
cd bulwark && cargo build --release
Quick Start: Govern Claude Code with GitHub
This walkthrough connects Claude Code to GitHub through Bulwark. Every tool call is policy-evaluated, audited, and credential-injected — in about 5 minutes.
Prerequisites: Claude Code installed, a GitHub personal access token, and Node.js/npm (for the GitHub MCP server).
1. Initialize and verify
bulwark init my-project && cd my-project
bulwark doctor
doctor runs 9 diagnostic checks. All should pass.
2. Store your GitHub token
bulwark cred add github-token --type bearer_token
# Prompts for the token — hidden input, encrypted with age at rest
Configure the credential-to-tool binding in your bindings file so Bulwark knows to inject this token for GitHub tool calls.
3. Configure the upstream GitHub server
Edit bulwark.yaml:
mcp_gateway:
upstream_servers:
- name: github
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_TOKEN}"
policy:
policies_dir: "./policies"
hot_reload: true
audit:
enabled: true
inspect:
enabled: true
inspect_requests: true
inspect_responses: true
Make sure GITHUB_TOKEN is set in your shell (export GITHUB_TOKEN=ghp_...).
4. Write a policy
cat > policies/base.yaml << 'EOF'
metadata:
name: quickstart-policy
scope: global
rules:
- name: allow-reads
description: "Allow all read operations"
match:
actions: ["read_*", "get_*", "list_*", "search_*"]
verdict: allow
priority: 10
- name: allow-github-writes
description: "Allow creating issues, comments, PRs"
match:
tools: ["github__*"]
actions: ["create_*", "update_*"]
verdict: allow
priority: 10
- name: block-destructive
description: "Block all delete and force-push operations"
match:
actions: ["delete_*", "force_push_*"]
verdict: deny
priority: 20
message: "Destructive operations are blocked by policy"
- name: default-deny
match: {}
verdict: deny
priority: -100
message: "No policy explicitly allows this action"
EOF
bulwark policy validate
5. Create a session and connect Claude Code
# Create a session (--ttl is in seconds: 28800 = 8 hours)
bulwark session create --operator $(whoami) --agent-type claude-code --ttl 28800
# → Token: bwk_sess_7f3a...
export BULWARK_SESSION="bwk_sess_7f3a..." # paste your actual token
# Register Bulwark as an MCP server in Claude Code
claude mcp add --transport stdio bulwark \
--env BULWARK_SESSION=$BULWARK_SESSION \
-- bulwark mcp start
6. Use Claude Code — now governed
Start Claude Code. GitHub tools appear namespaced as github__list_issues, github__create_issue, etc.
Try it:
"List the open issues in my repo"
Open a second terminal:
bulwark audit tail
22:01:03 github__list_issues ✓ allow 3ms (allow-reads)
Every call is logged with the verdict, matched rule, and timing. Now try something destructive:
"Delete issue #1"
22:02:01 github__delete_issue ✗ deny <1ms (block-destructive)
Blocked. Sub-millisecond — policy evaluation happens in memory. The agent gets a structured error explaining which rule denied it.
What just happened
Claude Code connected to Bulwark (not directly to GitHub). For every tool call, Bulwark validated the session, scanned for secrets/PII, evaluated the policy, injected the real GitHub token, scanned the response, and recorded a tamper-evident audit event. Same agent experience — full governance underneath.
Going Deeper
Content inspection — 13 built-in patterns scan for AWS keys, GitHub tokens, private keys, PII, and prompt injection. Redaction happens before content reaches the agent.
bulwark inspect rules
bulwark inspect scan --text "my key is AKIAIOSFODNN7EXAMPLE"
Policy replay — Preview the impact of policy changes against real audit history before deploying:
bulwark policy test --dir ./new-policies/ --since 1h
Audit forensics — Reconstruct a session timeline and verify the hash chain:
bulwark session inspect <session-id>
bulwark audit verify
bulwark audit export --since 24h --format json
HTTP proxy mode — For non-MCP agents, Bulwark runs as a forward proxy with TLS interception:
bulwark proxy start
bulwark ca export # trust the CA in your HTTP client
Architecture
┌─────────────┐ ┌──────────────────────────────────────────────┐ ┌──────────────┐
│ │ │ Bulwark │ │ │
│ AI Agent │────>│ Session > Inspect > Policy > Inject > Proxy │────>│ Upstream │
│ (Claude, │<────│ <── Audit <── Inspect <── Response <─────── │<────│ Tool/API │
│ Codex, │ │ │ │ │
│ custom) │ └──────────────────────────────────────────────┘ └──────────────┘
└─────────────┘
Integration Modes
| Mode | Transport | Best For |
|---|---|---|
| MCP Gateway (stdio) | stdio/JSON-RPC | Claude Code, OpenClaw, any MCP client |
| MCP Gateway (HTTP) | Streamable HTTP | Remote agents, MCP registry, multi-agent |
| HTTP Proxy | HTTP/HTTPS | Codex, curl, any HTTP client |
Example Policy
# policies/base.yaml
metadata:
name: my-policy
scope: global
rules:
- name: allow-reads
verdict: allow
priority: 10
match:
actions: ["read*", "get*", "list*"]
- name: block-destructive-in-prod
verdict: deny
priority: 100
match:
actions: ["delete*", "drop*"]
conditions:
environments: ["production"]
- name: default-deny
verdict: deny
match: {}
See examples/policies/ for complete policy sets (startup, enterprise, development, multi-agent).
CLI
bulwark init <path> # Scaffold a new project
bulwark proxy start # Start HTTP/HTTPS proxy
bulwark mcp start # Start MCP gateway (stdio)
bulwark mcp serve # Start MCP gateway (HTTP)
bulwark doctor # Diagnose setup issues (9 checks)
bulwark status # Health dashboard
bulwark policy validate # Validate policy files
bulwark policy test --dir <path> # Test policies against audit log
bulwark session create|list|revoke|inspect
bulwark cred add|list|remove|test
bulwark audit search|tail|stats|export|verify
bulwark inspect scan|rules # Content inspection
bulwark ca export|path # CA certificate management
bulwark completions <shell> # Shell completions (bash/zsh/fish)
Documentation
- Getting Started
- Architecture Overview
- Policy Reference
- Configuration Reference
- Credential Management
- Audit System
- Content Inspector
- Rate Limiting
- Threat Model
- Agent Guides: Claude Code | Codex | OpenClaw
Development
git clone https://github.com/bpolania/bulwark.git
cd bulwark
cargo build --workspace
cargo test --workspace # 487 tests
cargo clippy --workspace --all-targets -- -D warnings
Project Structure
crates/
cli/ # CLI binary and commands
proxy/ # HTTP/HTTPS forward proxy with TLS MITM
mcp/ # MCP governance gateway
config/ # Configuration loading and types
policy/ # YAML policy engine with hot-reload
vault/ # Credential storage and session management
audit/ # Tamper-evident audit logging
inspect/ # Content inspection (secrets, PII, injection)
ratelimit/ # Token-bucket rate limiter and cost tracker
common/ # Shared types and error definitions
License
Apache 2.0. See LICENSE.
Установка Bulwark
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/bpolania/bulwarkFAQ
Bulwark MCP бесплатный?
Да, Bulwark MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Bulwark?
Нет, Bulwark работает без API-ключей и переменных окружения.
Bulwark — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Bulwark в Claude Desktop, Claude Code или Cursor?
Открой Bulwark на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare Bulwark with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
