AI agents operate without guardrails
When AI agents interact with payment processors, compliance systems, privacy-sensitive APIs, and regulated infrastructure, the stakes are existential. A single leaked credential or unauthorized API call can trigger regulatory violations, data breaches, and financial loss.
No credential isolation
Agents receive raw API keys and tokens, with no boundary between access and exposure.
No policy enforcement
Every agent has implicit access to every tool. No per-agent, per-session, or per-operator controls.
No content inspection
Sensitive data flows through agent pipelines unscanned — PII, secrets, and injection attacks pass unchecked.
No audit trail
When something goes wrong, there is no verifiable record of what happened, when, or why.
Six layers of governance
Every request passes through a multi-stage pipeline. Each layer enforces a different security boundary.
Policy Enforcement
YAML-based rules control which tools agents can use, with glob patterns, scope-based precedence (global/operator/session), priority ordering, and hot-reload without restart.
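The following is an added example, not Bulwark's code, of how tool-access rules of this shape can be evaluated: each rule carries a glob over the tool name, a scope, a priority and an allow/deny effect; among matching rules the most specific scope wins, then the highest priority. The rule struct, the precedence order (session over operator over global), the default-deny fallback and the `*`/`?` glob subset are assumptions; the YAML loading step is omitted and the sample rules are constructed in code.

```rust
// Added example (not Bulwark's code): tool-access policy evaluation with
// glob patterns, scope precedence and priority ordering. The rule shape,
// the precedence order and the `*`/`?` glob subset are assumptions; the
// YAML deserialization step is omitted and rules are built in code.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Scope {
    Global,   // least specific, lowest precedence
    Operator,
    Session,  // most specific, highest precedence
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Effect {
    Allow,
    Deny,
}

#[derive(Clone, Debug)]
struct Rule {
    scope: Scope,
    priority: u32,
    pattern: String, // glob over the tool name
    effect: Effect,
}

/// Minimal glob matcher: `*` matches any run of characters (including none),
/// `?` matches exactly one character; everything else matches literally.
fn glob_match(pattern: &str, text: &str) -> bool {
    fn go(p: &[char], t: &[char]) -> bool {
        match (p.first().copied(), t.first().copied()) {
            (None, None) => true,
            (Some('*'), _) => go(&p[1..], t) || (!t.is_empty() && go(p, &t[1..])),
            (Some('?'), Some(_)) => go(&p[1..], &t[1..]),
            (Some(pc), Some(tc)) if pc == tc => go(&p[1..], &t[1..]),
            _ => false,
        }
    }
    let p: Vec<char> = pattern.chars().collect();
    let t: Vec<char> = text.chars().collect();
    go(&p, &t)
}

/// Decide whether `tool` may be invoked. Among the rules whose pattern
/// matches, the most specific scope wins (session > operator > global);
/// within a scope the highest priority wins; on a full tie the rule
/// defined last wins. With no matching rule the default is deny.
fn evaluate(rules: &[Rule], tool: &str) -> Effect {
    rules
        .iter()
        .filter(|r| glob_match(&r.pattern, tool))
        .max_by_key(|r| (r.scope, r.priority))
        .map(|r| r.effect)
        .unwrap_or(Effect::Deny)
}

/// Constructed sample policy: deny everything by default, allow search
/// tools globally, let this operator use payment tools, but deny refunds
/// for the current session.
fn sample_rules() -> Vec<Rule> {
    let rule = |scope, priority, pattern: &str, effect| Rule {
        scope,
        priority,
        pattern: pattern.to_string(),
        effect,
    };
    vec![
        rule(Scope::Global, 0, "*", Effect::Deny),
        rule(Scope::Global, 10, "search_*", Effect::Allow),
        rule(Scope::Operator, 0, "payments_*", Effect::Allow),
        rule(Scope::Session, 0, "payments_refund", Effect::Deny),
    ]
}

fn main() {
    let rules = sample_rules();
    for tool in ["search_web", "payments_charge", "payments_refund", "delete_db"] {
        println!("{tool}: {:?}", evaluate(&rules, tool));
    }
}
```

The point worth checking in any such evaluator is the fallback: with no matching rule, `evaluate` returns `Deny`, so a tool that nobody thought to write a rule for is not silently reachable. The session-scoped refund rule overrides the operator-scoped `payments_*` allow purely by scope, regardless of priority, which is the behaviour a per-session restriction needs.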
Credential Management
Agents never see real secrets: Bulwark injects credentials at the last mile, immediately before tool invocation, and stores them encrypted at rest using age encryption.
Content Inspection
13 built-in detection patterns scan for AWS keys, GitHub tokens, private keys, PII, and prompt injection, with automatic blocking or redaction.
Audit Logging
Every action is recorded in a tamper-evident SQLite database protected by Blake3 hash chains, with real-time tailing, search, export, and cryptographic verification.
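As an added example, not Bulwark's code, this shows the mechanism behind a hash-chained audit log and what its verifier catches: each entry's digest covers its own fields plus the previous entry's digest, so editing, re-hashing or deleting a historical row breaks the link at or after that row. The record fields and the serialization fed to the hash are assumptions. Entries live in a `Vec` rather than SQLite, and the standard library's `DefaultHasher` (SipHash) stands in for Blake3 so the example runs without dependencies; a real log would hash with the `blake3` crate's `blake3::Hasher` and persist the chain alongside the rows.

```rust
// Added example (not Bulwark's code): a tamper-evident, hash-chained audit
// log and its verifier. The record fields and the hashed serialization are
// assumptions. Entries are held in a Vec rather than SQLite, and std's
// DefaultHasher (SipHash) is a stand-in for Blake3; a production log would
// use `blake3::Hasher` from the `blake3` crate and a collision-resistant
// digest width.

use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

#[derive(Clone, Debug)]
struct AuditEntry {
    seq: u64,
    timestamp: u64, // unix seconds; constructed values in sample_log()
    session: String,
    tool: String,
    decision: String,
    prev_hash: u64, // digest of the previous entry, 0 for the genesis entry
    hash: u64,      // digest over this entry's fields including prev_hash
}

/// Hash every audited field plus the previous digest, so the chain commits
/// to both the content and the order of entries.
fn digest(seq: u64, timestamp: u64, session: &str, tool: &str, decision: &str, prev_hash: u64) -> u64 {
    let mut h = DefaultHasher::new();
    seq.hash(&mut h);
    timestamp.hash(&mut h);
    session.hash(&mut h);
    tool.hash(&mut h);
    decision.hash(&mut h);
    prev_hash.hash(&mut h);
    h.finish()
}

struct AuditLog {
    entries: Vec<AuditEntry>,
}

impl AuditLog {
    fn new() -> Self {
        AuditLog { entries: Vec::new() }
    }

    fn append(&mut self, timestamp: u64, session: &str, tool: &str, decision: &str) {
        let seq = self.entries.len() as u64;
        let prev_hash = self.entries.last().map(|e| e.hash).unwrap_or(0);
        let hash = digest(seq, timestamp, session, tool, decision, prev_hash);
        self.entries.push(AuditEntry {
            seq,
            timestamp,
            session: session.to_string(),
            tool: tool.to_string(),
            decision: decision.to_string(),
            prev_hash,
            hash,
        });
    }

    /// Walk the chain from genesis. Returns Ok(()) when every entry's stored
    /// digest recomputes and links to its predecessor; otherwise Err with the
    /// sequence number of the first entry that fails.
    fn verify(&self) -> Result<(), u64> {
        let mut expected_prev = 0u64;
        for (i, e) in self.entries.iter().enumerate() {
            let recomputed = digest(e.seq, e.timestamp, &e.session, &e.tool, &e.decision, e.prev_hash);
            if e.seq != i as u64 || e.prev_hash != expected_prev || e.hash != recomputed {
                return Err(e.seq);
            }
            expected_prev = e.hash;
        }
        Ok(())
    }
}

/// Constructed sample log with three policy decisions.
fn sample_log() -> AuditLog {
    let mut log = AuditLog::new();
    log.append(1_700_000_000, "sess-1", "search_web", "allow");
    log.append(1_700_000_005, "sess-1", "payments_refund", "deny");
    log.append(1_700_000_009, "sess-2", "payments_charge", "allow");
    log
}

fn main() {
    let mut log = sample_log();
    println!("fresh log: {:?}", log.verify());
    log.entries[1].decision = "allow".to_string(); // tamper with a historical row
    println!("after edit: {:?}", log.verify());
}
```

One caveat a practitioner will want: a chain of this kind detects edits and deletions only relative to its own head, so an attacker who can rewrite every entry from the tampered row onward produces a chain that still verifies. The defence is to anchor the current head digest somewhere the log writer cannot change, such as a signed checkpoint or a copy streamed to a separate host.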
Rate Limiting
Token-bucket rate limits apply per session, per operator, per tool, or globally, and cost tracking with budget enforcement prevents runaway spending.
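To make the two controls named above concrete, here is an added example, not Bulwark's code, of a token-bucket limiter keyed per session that also enforces a per-key spend budget. The key shape, the lazy refill arithmetic and the budget semantics (budget checked first, cost charged only on admitted calls) are assumptions. Time is passed in explicitly in seconds so the behaviour is deterministic; a real limiter would read a monotonic clock and maintain operator, tool and global buckets alongside the session one.

```rust
// Added example (not Bulwark's code): a token-bucket limiter keyed per
// session with a spend budget. Key shape, refill arithmetic and budget
// semantics are assumptions. Time is an explicit parameter (seconds) so
// the behaviour is deterministic and testable.

use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum Verdict {
    Allowed,
    RateLimited, // bucket empty: retry after refill
    OverBudget,  // cumulative cost would exceed the key's budget
}

struct Bucket {
    tokens: f64,
    last_refill: f64,
}

struct Limiter {
    capacity: f64,       // burst size, in requests
    refill_per_sec: f64, // sustained rate, in requests per second
    budget: f64,         // maximum cumulative cost per key
    buckets: HashMap<String, Bucket>,
    spent: HashMap<String, f64>,
}

impl Limiter {
    fn new(capacity: f64, refill_per_sec: f64, budget: f64) -> Self {
        Limiter {
            capacity,
            refill_per_sec,
            budget,
            buckets: HashMap::new(),
            spent: HashMap::new(),
        }
    }

    /// Admit or reject one call for `key` at time `now` with estimated `cost`.
    /// The budget is checked before the bucket so an exhausted key never
    /// consumes a token, and cost is charged only when the call is admitted.
    fn check(&mut self, key: &str, now: f64, cost: f64) -> Verdict {
        let (capacity, refill, budget) = (self.capacity, self.refill_per_sec, self.budget);
        let spent = self.spent.entry(key.to_string()).or_insert(0.0);
        if *spent + cost > budget {
            return Verdict::OverBudget;
        }
        let b = self
            .buckets
            .entry(key.to_string())
            .or_insert(Bucket { tokens: capacity, last_refill: now });
        // Lazy refill: credit tokens for the time elapsed since the last visit, capped at capacity.
        let elapsed = (now - b.last_refill).max(0.0);
        b.tokens = (b.tokens + elapsed * refill).min(capacity);
        b.last_refill = now;
        if b.tokens < 1.0 {
            return Verdict::RateLimited;
        }
        b.tokens -= 1.0;
        *spent += cost;
        Verdict::Allowed
    }
}

/// Constructed scenario: burst of 3, refill 1 token/s, budget 10 cost units per key.
fn scenario() -> Vec<Verdict> {
    let mut l = Limiter::new(3.0, 1.0, 10.0);
    vec![
        l.check("sess-1", 0.0, 4.0), // Allowed (2 tokens left, spent 4)
        l.check("sess-1", 0.0, 4.0), // Allowed (1 token left, spent 8)
        l.check("sess-1", 0.0, 1.0), // Allowed (0 tokens left, spent 9)
        l.check("sess-1", 0.0, 1.0), // RateLimited: bucket empty
        l.check("sess-1", 1.0, 1.0), // Allowed: one token refilled (spent 10)
        l.check("sess-1", 2.0, 1.0), // OverBudget: 10 + 1 > 10, no token consumed
        l.check("sess-2", 2.0, 1.0), // Allowed: separate key, fresh bucket and budget
    ]
}

fn main() {
    for (i, v) in scenario().iter().enumerate() {
        println!("call {i}: {v:?}");
    }
}
```

The ordering inside `check` matters for cost control: a bucket that refills over time would otherwise let a key that has already exhausted its budget keep issuing calls, one per refill interval, each of which is charged to a budget that can no longer absorb it.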
MCP-Native
Runs as an MCP gateway (stdio or HTTP) or as an HTTP forward proxy, with governance metadata attached to every tool call response.
Request pipeline
Every agent interaction flows through a deterministic, auditable pipeline before reaching upstream tools.
The response path mirrors the pipeline in reverse, with content inspection and audit logging applied to every response.
Three modes, any agent
Bulwark adapts to your agent architecture. Local development, remote multi-agent systems, or legacy HTTP clients — one governance layer handles all.
| Mode | Transport | Use Case |
|---|---|---|
| MCP Gateway (stdio) | JSON-RPC | Local agents — Claude Code, OpenClaw |
| MCP Gateway (HTTP) | Streamable HTTP | Remote agents, multi-agent setups |
| HTTP Proxy | HTTP/HTTPS + TLS MITM | Any HTTP client |
Built in Rust, 10 crates
A modular Rust workspace where each security boundary is its own crate — independently testable, auditable, and replaceable.
How Honto engineered Bulwark
Bulwark represents Honto's philosophy in practice: production-grade AI infrastructure built with engineering discipline. Every design decision prioritizes security, auditability, and operational reliability.
Threat Modeling
Mapped every attack surface where AI agents interact with sensitive systems — payments, compliance, privacy, and credentials.
Zero-Trust Architecture
Designed a pipeline where agents never directly access secrets or tools. Every interaction is mediated, inspected, and logged.
Modular Rust Workspace
10 independent crates, each owning a security boundary. 487 unit tests ensure correctness at every layer.
Open-Source Release
Apache 2.0 licensed. Transparent, auditable, and community-driven — because security tools must be verifiable.
Need agent governance for your organization?
Bulwark is open-source and ready to deploy. For enterprise deployments, custom policy design, or integration support — Honto's engineering team is here to help.