@qball-inc/the-bulwark
v1.3.0
Published
Full-lifecycle SDLC guardrailing framework for Claude Code — from product ideation and planning through implementation, code review, and test validation. Enterprise-grade skills and agents for AI-human peer collaboration.
Maintainers
Readme
Latest stable release: v1.3.0
v1.3.0 (2026-06-23) — Fewer prompts, sharper reviews. This release cuts permission-prompt friction and makes code review smarter about what it's reviewing. Every bundled skill and agent now pre-authorizes exactly the tools it needs, so routine operations stop interrupting you for approval. The code-review skill is now language-aware — it detects each changed file's language and runs only the checks that apply, backed by universal per-language recipes that skip gracefully when a tool isn't installed. And a new opt-in permission hook (off by default) can auto-approve tool calls scoped to Bulwark's own bundled files, for users who want an even quieter workflow.
See the v1.3.0 release notes and the full CHANGELOG.
What is The Bulwark?
The Bulwark is a Claude Code plugin that adds automated quality enforcement to your development workflow. It ships 30 skills, 15 custom agents, and 8 hooks that run programmatic checks on every code change you make.
Claude Code is remarkably capable on its own — but capability without consistency is a problem. Without guardrails you get code that skips type checks, reviews that miss issues a single pass can't cover, test suites full of mocks that verify calls instead of behavior, and estimates that vary wildly between sessions. The Bulwark makes enforcement automatic: hooks run quality checks after every write, skills orchestrate single-focus multi-agent pipelines, and rules are injected at session start and enforced throughout. You don't have to remember to ask Claude to run tests or check types — it just happens.
Who it's for: builders who want to stay in the driver's seat while giving Claude semi-autonomy over structured workflows; teams that need repeatable, auditable AI-assisted development; users on Claude Max or Enterprise plans (the multi-agent pipelines are token-intensive — Pro Plus works for single-agent skills but hits rate limits on pipelines).
→ For the design (defense-in-depth, multi-agent pipelines), see How it works and architecture.md.
Quick install
Two ways to install. Pick whichever works for you.
# Option A — npm
claude /plugin install npm:@qball-inc/the-bulwark
# Option B — marketplace (one-time add, then install)
claude /plugin marketplace add QBall-Inc/plugins-market
claude /plugin install the-bulwark@qball-incAfter installing, restart your session and run the guided setup:
/the-bulwark:initThis walks you through Rules.md injection, CLAUDE.md configuration, and optional tooling (LSP, Justfile scaffolding, statusline), auto-detecting brownfield projects.
Full walkthrough + prerequisites: Getting started.
Trouble installing? See the FAQ.
Adoption
The Bulwark is growing through word of mouth. These charts auto-update daily — GitHub clone traffic (top) and npm downloads (bottom), each shown daily and as a cumulative running total. Data is self-snapshotted to a traffic-stats branch because GitHub purges clone traffic after 14 days.
Common workflows
Each workflow chains skills into a repeatable pipeline. The diagrams are the shape; the linked guides have the detail and full sample prompts.
Initialize — set up governance in any project.
flowchart LR
A["/the-bulwark:init"] --> B[Rules.md + CLAUDE.md] --> C[optional: LSP · Justfile · statusline]Greenfield — idea to executable plan. → Feature development
flowchart LR
A[product-ideation] --> B[bulwark-research] --> C[bulwark-brainstorm] --> D[plan-creation] --> E[plan-to-tasks] --> F[implement]Brownfield — onboard onto an existing codebase. → Feature development
flowchart LR
A["subagent-prompting (map the codebase)"] --> B["planned: codebase & documentation understanding"] --> C[bulwark-research] --> D[bulwark-brainstorm] --> E[plan-creation] --> F[plan-to-tasks] --> G[implement]The codebase & documentation understanding skill is planned, not yet shipped — today, use
subagent-promptingto map the code first.
New feature — add to an existing plan. → Research & planning
flowchart LR
A[bulwark-research] --> B[bulwark-brainstorm] --> C["plan-creation (sub-plan linked to master)"] --> D[plan-to-tasks] --> E[implement]Analyze · Fix · Verify — the issue lifecycle. → Fixing bugs
flowchart LR
A["Analyze (issue-debugging)"] --> B["Fix (fix-bug)"] --> C["Verify (bulwark-fix-validator)"]/the-bulwark:issue-debugging Analyze the root cause of <symptom>; no code change.
/the-bulwark:fix-bug Fix <bug> end-to-end and prove the fix with tests.
# Verify a fix you already applied: validate it against the debug report.Documentation
Hooks
Eight hooks run automatically — no manual invocation. All use ${CLAUDE_PLUGIN_ROOT} for path resolution, so they work wherever the plugin is installed.
| Hook | Event | What it does |
|------|-------|--------------|
| enforce-quality.sh | PostToolUse | Runs just typecheck/lint/build after every Write/Edit/MultiEdit on code; flags failures. Skips tmp/, logs/, .claude/, docs/. |
| suggest-pipeline-stop.sh | Stop | Suggests relevant review/audit pipelines; file-type-aware, per-file registry, post-fix grace period. |
| inject-protocol.sh | SessionStart | Injects the governance protocol; loads Rules.md; shows the activation banner. |
| cleanup-stale.sh | SessionStart | Deletes logs/+tmp/ files older than 10 days (preserves .gitkeep). |
| cleanup-review-registry.sh | SessionStart | Wipes stale review-accumulator state so pipeline gating works across sessions. |
| check-template-drift.sh | SessionStart | Detects CLAUDE.md/Rules.md drift from canonical templates; feeds init --update. |
| track-pipeline-start.sh | SubagentStart | Logs pipeline invocation metadata for observability. |
| track-pipeline-stop.sh | SubagentStop | Logs pipeline completion metadata for observability. |
The Bulwark also ships one optional, opt-in hook (off by default) that auto-approves access to its own bundled files, so Claude Code stops re-prompting for assets you already trusted at install — handy if you don't run in auto mode. Full detail, safety boundaries, and how to enable it: hooks reference.
Registries & guides
- Skill registry — all 30 skills, grouped (product & strategy · code quality · setup & tooling · meta)
- Agent registry — all 15 sub-agents, by pipeline
- Conventions — the CS / T / V / ID rules
Rules.mdenforces - Guides — Getting started · How it works · Research & planning · Feature development · Fixing bugs
FAQ & troubleshooting
Common install and runtime issues — SSH clone failures, hooks not firing, just not found, rate-limited pipelines, and more — are covered in the FAQ. If your issue isn't there, open an issue.
Roadmap
Language-aware code review, an evaluation framework for skills/agents, a codebase-understanding skill for brownfield onboarding, enterprise traceability, and more. No timeline commitments — see docs/roadmap.md for the direction.
Releases & changelog
- Latest release: github.com/QBall-Inc/the-bulwark/releases/latest
- Full version history: CHANGELOG.md — follows Keep a Changelog; the project adheres to SemVer
- npm: npmjs.com/package/@qball-inc/the-bulwark
- Update an installed plugin:
claude plugin update the-bulwark@qball-inc
Contributing
Issues and PRs are welcome. The Bulwark is developed in a private repo and mirrored here, so contributions follow a specific porting model — see CONTRIBUTING.md before opening a PR. The fastest way to help: open an issue for a bug or feature request.
Credits
Built with just (Casey Rodarmor) and Claude Code (Anthropic). Badges by shields.io.
