Bulwark

Open-source governance layer for AI agents.

Bulwark sits between AI agents and external tools, enforcing policies, managing credentials, inspecting content, and maintaining a complete audit trail. One policy governs all your agents — Claude Code, OpenClaw, Codex, or any MCP/HTTP client.

Why Bulwark?

AI agents are powerful but ungoverned. They can access any tool, leak any credential, and leave no audit trail. Bulwark fixes this:

• Policy enforcement — YAML-based rules control which tools agents can use, with glob patterns, scope-based precedence, and hot-reload
• Credential management — Agents never see real secrets. Bulwark injects credentials at the last mile, encrypted at rest with age
• Content inspection — Scan requests and responses for secrets, PII, and prompt injection. Block or redact automatically
• Audit logging — Every action recorded in a tamper-evident SQLite database with blake3 hash chains
• Rate limiting — Token-bucket rate limits per session, operator, tool, or globally. Cost tracking with budget enforcement
• MCP-native — Works as an MCP gateway or HTTP forward proxy. Governance metadata on every tool call response

Install

# Homebrew (macOS / Linux)
brew install bpolania/tap/bulwark

# Docker
docker pull ghcr.io/bpolania/bulwark

# From source
git clone https://github.com/bpolania/bulwark.git
cd bulwark && cargo build --release

Quick Start: Govern Claude Code with GitHub

This walkthrough connects Claude Code to GitHub through Bulwark. Every tool call is policy-evaluated, audited, and credential-injected — in about 5 minutes.

Prerequisites: Claude Code installed, a GitHub personal access token, and Node.js/npm (for the GitHub MCP server).

1. Initialize and verify

bulwark init my-project && cd my-project
bulwark doctor

doctor runs 9 diagnostic checks. All should pass.

2. Store your GitHub token

bulwark cred add github-token --type bearer_token
# Prompts for the token — hidden input, encrypted with age at rest

Configure the credential-to-tool binding in your bindings file so Bulwark knows to inject this token for GitHub tool calls.

3. Configure the upstream GitHub server

Edit bulwark.yaml:

mcp_gateway:
  upstream_servers:
    - name: github
      command: "npx"
      args: ["-y", "@modelcontextprotocol/server-github"]
      env:
        GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_TOKEN}"

policy:
  policies_dir: "./policies"
  hot_reload: true

audit:
  enabled: true

inspect:
  enabled: true
  inspect_requests: true
  inspect_responses: true

Make sure GITHUB_TOKEN is set in your shell (export GITHUB_TOKEN=ghp_...).

4. Write a policy

cat > policies/base.yaml << 'EOF'
metadata:
  name: quickstart-policy
  scope: global

rules:
  - name: allow-reads
    description: "Allow all read operations"
    match:
      actions: ["read_*", "get_*", "list_*", "search_*"]
    verdict: allow
    priority: 10

  - name: allow-github-writes
    description: "Allow creating issues, comments, PRs"
    match:
      tools: ["github__*"]
      actions: ["create_*", "update_*"]
    verdict: allow
    priority: 10

  - name: block-destructive
    description: "Block all delete and force-push operations"
    match:
      actions: ["delete_*", "force_push_*"]
    verdict: deny
    priority: 20
    message: "Destructive operations are blocked by policy"

  - name: default-deny
    match: {}
    verdict: deny
    priority: -100
    message: "No policy explicitly allows this action"
EOF

bulwark policy validate

5. Create a session and connect Claude Code

# Create a session (--ttl is in seconds: 28800 = 8 hours)
bulwark session create --operator $(whoami) --agent-type claude-code --ttl 28800
# → Token: bwk_sess_7f3a...

export BULWARK_SESSION="bwk_sess_7f3a..."   # paste your actual token

# Register Bulwark as 

... [View full README on GitHub](https://github.com/bpolania/bulwark#readme)