Bulwark

bpolania/bulwark
Summary

If you're running AI agents that call external tools and APIs, this sits between them as a policy enforcement layer. It proxies MCP tool calls, evaluates YAML rules to allow or deny actions based on glob patterns, injects credentials so agents never see raw tokens, scans requests and responses for secrets and PII, and writes every call to a tamper-evident audit log with hash chains. Works as an MCP gateway over stdio or HTTP, or as a forward proxy for non-MCP clients. Ships with rate limiting, session management, and hot-reload policies. Useful when you need centralized governance across multiple agents hitting the same tools, or when compliance requires you to prove what an agent did and didn't have permission to do.

Bulwark

Open-source governance layer for AI agents.

Bulwark sits between AI agents and external tools, enforcing policies, managing credentials, inspecting content, and maintaining a complete audit trail. One policy governs all your agents — Claude Code, OpenClaw, Codex, or any MCP/HTTP client.

Why Bulwark?

AI agents are powerful but ungoverned. They can access any tool, leak any credential, and leave no audit trail. Bulwark fixes this:

  • Policy enforcement — YAML-based rules control which tools agents can use, with glob patterns, scope-based precedence, and hot-reload
  • Credential management — Agents never see real secrets. Bulwark injects credentials at the last mile, encrypted at rest with age
  • Content inspection — Scan requests and responses for secrets, PII, and prompt injection. Block or redact automatically
  • Audit logging — Every action recorded in a tamper-evident SQLite database with blake3 hash chains
  • Rate limiting — Token-bucket rate limits per session, operator, tool, or globally. Cost tracking with budget enforcement
  • MCP-native — Works as an MCP gateway or HTTP forward proxy. Governance metadata on every tool call response

Install

# Homebrew (macOS / Linux)
brew install bpolania/tap/bulwark

# Docker
docker pull ghcr.io/bpolania/bulwark

# From source
git clone https://github.com/bpolania/bulwark.git
cd bulwark && cargo build --release

Quick Start: Govern Claude Code with GitHub

This walkthrough connects Claude Code to GitHub through Bulwark. Every tool call is policy-evaluated, audited, and credential-injected — in about 5 minutes.

Prerequisites: Claude Code installed, a GitHub personal access token, and Node.js/npm (for the GitHub MCP server).

1. Initialize and verify

bulwark init my-project && cd my-project
bulwark doctor

doctor runs 9 diagnostic checks. All should pass.

2. Store your GitHub token

bulwark cred add github-token --type bearer_token
# Prompts for the token — hidden input, encrypted with age at rest

Configure the credential-to-tool binding in your bindings file so Bulwark knows to inject this token for GitHub tool calls.

3. Configure the upstream GitHub server

Edit bulwark.yaml:

mcp_gateway:
  upstream_servers:
    - name: github
      command: "npx"
      args: ["-y", "@modelcontextprotocol/server-github"]
      env:
        GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_TOKEN}"

policy:
  policies_dir: "./policies"
  hot_reload: true

audit:
  enabled: true

inspect:
  enabled: true
  inspect_requests: true
  inspect_responses: true

Make sure GITHUB_TOKEN is set in your shell (export GITHUB_TOKEN=ghp_...).

4. Write a policy

cat > policies/base.yaml << 'EOF'
metadata:
  name: quickstart-policy
  scope: global

rules:
  - name: allow-reads
    description: "Allow all read operations"
    match:
      actions: ["read_*", "get_*", "list_*", "search_*"]
    verdict: allow
    priority: 10

  - name: allow-github-writes
    description: "Allow creating issues, comments, PRs"
    match:
      tools: ["github__*"]
      actions: ["create_*", "update_*"]
    verdict: allow
    priority: 10

  - name: block-destructive
    description: "Block all delete and force-push operations"
    match:
      actions: ["delete_*", "force_push_*"]
    verdict: deny
    priority: 20
    message: "Destructive operations are blocked by policy"

  - name: default-deny
    match: {}
    verdict: deny
    priority: -100
    message: "No policy explicitly allows this action"
EOF

bulwark policy validate

5. Create a session and connect Claude Code

# Create a session (--ttl is in seconds: 28800 = 8 hours)
bulwark session create --operator $(whoami) --agent-type claude-code --ttl 28800
# → Token: bwk_sess_7f3a...

export BULWARK_SESSION="bwk_sess_7f3a..."   # paste your actual token

# Register Bulwark as an MCP server in Claude Code
claude mcp add --transport stdio bulwark \
  --env BULWARK_SESSION=$BULWARK_SESSION \
  -- bulwark mcp start

6. Use Claude Code — now governed

Start Claude Code. GitHub tools appear namespaced as github__list_issues, github__create_issue, etc.

Try it:

"List the open issues in my repo"

Open a second terminal:

bulwark audit tail
22:01:03  github__list_issues   ✓ allow   3ms  (allow-reads)

Every call is logged with the verdict, matched rule, and timing. Now try something destructive:

"Delete issue #1"

22:02:01  github__delete_issue  ✗ deny    <1ms (block-destructive)

Blocked. Sub-millisecond — policy evaluation happens in memory. The agent gets a structured error explaining which rule denied it.

What just happened

Claude Code connected to Bulwark (not directly to GitHub). For every tool call, Bulwark validated the session, scanned for secrets/PII, evaluated the policy, injected the real GitHub token, scanned the response, and recorded a tamper-evident audit event. Same agent experience — full governance underneath.

Going Deeper

Content inspection — 13 built-in patterns scan for AWS keys, GitHub tokens, private keys, PII, and prompt injection. Redaction happens before content reaches the agent.

bulwark inspect rules
bulwark inspect scan --text "my key is AKIAIOSFODNN7EXAMPLE"

Policy replay — Preview the impact of policy changes against real audit history before deploying:

bulwark policy test --dir ./new-policies/ --since 1h

Audit forensics — Reconstruct a session timeline and verify the hash chain:

bulwark session inspect <session-id>
bulwark audit verify
bulwark audit export --since 24h --format json
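To show what "verify the hash chain" means for a tamper-evident log like the one described above, here is an added Python model (not Bulwark's code or schema): each row carries the previous row's hash, so editing, deleting or reordering a row breaks the chain. hashlib.blake2b stands in for blake3, which is not in the Python standard library; the table layout, canonical JSON encoding and column names are assumptions.

```python
"""Added example: a hash-chained audit log in the spirit of Bulwark's audit
store (not Bulwark's code). blake2b is used instead of blake3 (assumption:
blake3 is not in the standard library); row layout is also an assumption."""
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # constructed: chain head used before the first event


def _digest(prev_hash, event):
    # Canonical JSON keeps the digest stable regardless of dict key order.
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.blake2b(payload.encode(), digest_size=32).hexdigest()


def open_log(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS audit (seq INTEGER PRIMARY KEY, "
               "prev_hash TEXT, hash TEXT, event TEXT)")
    return db


def append_event(db, event):
    """Link the new row to the previous row's hash and return the new hash."""
    row = db.execute("SELECT hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    h = _digest(prev, event)
    db.execute("INSERT INTO audit (prev_hash, hash, event) VALUES (?, ?, ?)",
               (prev, h, json.dumps(event, sort_keys=True)))
    db.commit()
    return h


def verify_chain(db):
    """Return (ok, first_bad_seq). Catches edited, deleted or reordered rows;
    truncation of the tail needs an externally stored head hash to detect."""
    prev = GENESIS
    for seq, prev_hash, h, event_json in db.execute(
            "SELECT seq, prev_hash, hash, event FROM audit ORDER BY seq"):
        if prev_hash != prev or _digest(prev, json.loads(event_json)) != h:
            return (False, seq)
        prev = h
    return (True, None)
```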

HTTP proxy mode — For non-MCP agents, Bulwark runs as a forward proxy with TLS interception:

bulwark proxy start
bulwark ca export   # trust the CA in your HTTP client

Architecture

┌─────────────┐     ┌──────────────────────────────────────────────┐     ┌──────────────┐
│             │     │                  Bulwark                      │     │              │
│  AI Agent   │────>│  Session > Inspect > Policy > Inject > Proxy │────>│  Upstream    │
│  (Claude,   │<────│  <── Audit <── Inspect <── Response <─────── │<────│  Tool/API    │
│   Codex,    │     │                                              │     │              │
│   custom)   │     └──────────────────────────────────────────────┘     └──────────────┘
└─────────────┘

Integration Modes

Mode                 | Transport        | Best For
---------------------|------------------|------------------------------------------
MCP Gateway (stdio)  | stdio/JSON-RPC   | Claude Code, OpenClaw, any MCP client
MCP Gateway (HTTP)   | Streamable HTTP  | Remote agents, MCP registry, multi-agent
HTTP Proxy           | HTTP/HTTPS       | Codex, curl, any HTTP client

Example Policy

# policies/base.yaml
metadata:
  name: my-policy
  scope: global

rules:
  - name: allow-reads
    verdict: allow
    priority: 10
    match:
      actions: ["read*", "get*", "list*"]

  - name: block-destructive-in-prod
    verdict: deny
    priority: 100
    match:
      actions: ["delete*", "drop*"]
    conditions:
      environments: ["production"]

  - name: default-deny
    verdict: deny
    match: {}

See examples/policies/ for complete policy sets (startup, enterprise, development, multi-agent).
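To make the precedence semantics concrete, here is an added Python model of policy evaluation over the quickstart policy and the example policy above (not Bulwark's engine): glob matching with fnmatch, highest priority wins, and the environments condition. The "server__action" split, a default priority of 0, and deny winning on a priority tie are assumptions the page does not state.

```python
"""Added example: a toy model of Bulwark-style policy evaluation (not Bulwark's
code). Assumed semantics: a call is "<server>__<action>", a rule matches only if
every glob list it gives matches, highest priority wins, a missing priority is 0,
and on a tie deny beats allow."""
from fnmatch import fnmatchcase

# Constructed: the quickstart policy above, written as dicts instead of YAML.
QUICKSTART_RULES = [
    {"name": "allow-reads", "verdict": "allow", "priority": 10,
     "match": {"actions": ["read_*", "get_*", "list_*", "search_*"]}},
    {"name": "allow-github-writes", "verdict": "allow", "priority": 10,
     "match": {"tools": ["github__*"], "actions": ["create_*", "update_*"]}},
    {"name": "block-destructive", "verdict": "deny", "priority": 20,
     "match": {"actions": ["delete_*", "force_push_*"]},
     "message": "Destructive operations are blocked by policy"},
    {"name": "default-deny", "verdict": "deny", "priority": -100, "match": {},
     "message": "No policy explicitly allows this action"},
]

# Constructed: the Example Policy section, which adds an environment condition.
PROD_RULES = [
    {"name": "allow-reads", "verdict": "allow", "priority": 10,
     "match": {"actions": ["read*", "get*", "list*"]}},
    {"name": "block-destructive-in-prod", "verdict": "deny", "priority": 100,
     "match": {"actions": ["delete*", "drop*"]},
     "conditions": {"environments": ["production"]}},
    {"name": "default-deny", "verdict": "deny", "match": {}},
]


def rule_matches(rule, tool, environment=None):
    """An empty match ({}) matches every call; that is how default-deny works."""
    _, sep, action = tool.partition("__")
    action = action if sep else tool  # un-namespaced tools match by full name
    m = rule.get("match", {})
    if "tools" in m and not any(fnmatchcase(tool, p) for p in m["tools"]):
        return False
    if "actions" in m and not any(fnmatchcase(action, p) for p in m["actions"]):
        return False
    envs = rule.get("conditions", {}).get("environments")
    return not envs or environment in envs


def evaluate(rules, tool, environment=None):
    """Return (verdict, rule_name, message) for the winning rule."""
    matching = [r for r in rules if rule_matches(r, tool, environment)]
    if not matching:
        return ("deny", None, "no rule matched")  # fail closed
    best = max(matching, key=lambda r: (r.get("priority", 0), r["verdict"] == "deny"))
    return (best["verdict"], best["name"], best.get("message", ""))
```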

CLI

bulwark init <path>              # Scaffold a new project
bulwark proxy start              # Start HTTP/HTTPS proxy
bulwark mcp start                # Start MCP gateway (stdio)
bulwark mcp serve                # Start MCP gateway (HTTP)
bulwark doctor                   # Diagnose setup issues (9 checks)
bulwark status                   # Health dashboard
bulwark policy validate          # Validate policy files
bulwark policy test --dir <path> # Test policies against audit log
bulwark session create|list|revoke|inspect
bulwark cred add|list|remove|test
bulwark audit search|tail|stats|export|verify
bulwark inspect scan|rules       # Content inspection
bulwark ca export|path           # CA certificate management
bulwark completions <shell>      # Shell completions (bash/zsh/fish)

Documentation

  • Getting Started
  • Architecture Overview
  • Policy Reference
  • Configuration Reference
  • Credential Management
  • Audit System
  • Content Inspector
  • Rate Limiting
  • Threat Model
  • Agent Guides: Claude Code | Codex | OpenClaw

Development

git clone https://github.com/bpolania/bulwark.git
cd bulwark
cargo build --workspace
cargo test --workspace          # 487 tests
cargo clippy --workspace --all-targets -- -D warnings

Project Structure

crates/
  cli/        # CLI binary and commands
  proxy/      # HTTP/HTTPS forward proxy with TLS MITM
  mcp/        # MCP governance gateway
  config/     # Configuration loading and types
  policy/     # YAML policy engine with hot-reload
  vault/      # Credential storage and session management
  audit/      # Tamper-evident audit logging
  inspect/    # Content inspection (secrets, PII, injection)
  ratelimit/  # Token-bucket rate limiter and cost tracker
  common/     # Shared types and error definitions

License

Apache 2.0. See LICENSE.

Configuration

BULWARK_CONFIG

Path to bulwark.yaml configuration file

BULWARK_SESSION_TOKEN (secret)

Session token for operator authentication (bwk_sess_...)

Categories: AI & LLM Tools
Registry: active
Package: ghcr.io/bpolania/bulwark:v0.2.0
Transport: STDIO
Auth: Required
Updated: Feb 25, 2026
View on GitHub
