██████╗ █████╗ ███████╗████████╗██╗ ██████╗ ███╗ ██╗
██╔══██╗██╔══██╗██╔════╝╚══██╔══╝██║██╔═══██╗████╗ ██║
██████╔╝███████║███████╗ ██║ ██║██║ ██║██╔██╗ ██║
██╔══██╗██╔══██╗╚════██║ ██║ ██║██║ ██║██║╚██╗██║
██████╔╝██║ ██║███████║ ██║ ██║╚██████╔╝██║ ╚████║
╚═════╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝
Quality, Security & Intelligence
for AI Coding Agents
Every line of code that leaves your session passes through Bastion's gates. No exceptions.
How It Works · Installation · Quick Start · Skills · Contributing
AI-generated code ships with 2.74x more OWASP vulnerabilities than human-written code. Vibe coding produces working demos that break in production. Skill ecosystems conflict silently. Token costs spiral out of control.
Nobody covers all of this — until now.
Bastion is a comprehensive quality, security, and intelligence framework for AI coding agents. 17 skills. 6 specialized agents. 5 reference documents. Zero dependencies.
"Bastion is what happens when you stop treating AI coding agents as toys and start treating them as professionals that need professional guardrails."
When you start a Claude Code session with Bastion installed, something invisible but powerful happens: a bash hook runs automatically, reads Bastion's core skill file, and injects it directly into the agent's context. From that moment on, every line of code the agent writes is subject to quality gates.
The agent doesn't need to remember to be careful. Bastion remembers for it.
When the agent writes a database query, Bastion's security-scanner flags SQL injection risks. When it finishes a feature, quality-gates blocks the commit until tests pass. When you install a new skill that conflicts with an existing one, skill-doctor catches the collision before it produces silent bugs. When your token bill climbs, token-optimizer compresses context and delegates to fresh subagents.
Bastion works alongside your existing tools — Super Powers, Claude-Mem, GSD, Context7 — not against them. It fills the gaps they leave: security scanning, quality enforcement, skill conflict resolution, and cost optimization.
The result: code that ships with fewer vulnerabilities, tests that actually catch regressions, an environment that stays clean, and token bills that stay under control.
One line. That's it.
claude plugin add lilcipherx/BastionBastion auto-activates at every session start via a session-start hook. No configuration required. No dependencies to install. No Docker containers to spin up.
For Cursor:
# Clone into your plugins directory
git clone https://github.com/lilcipherx/Bastion ~/.cursor/plugins/bastionFor Codex (OpenAI):
git clone https://github.com/lilcipherx/Bastion ~/.codex/skills/bastionFor Gemini CLI:
gemini extensions install https://github.com/lilcipherx/BastionFor OpenCode:
git clone https://github.com/lilcipherx/Bastion ~/.opencode/skills/bastionBastion is built on four principles:
- Security is non-negotiable. Every line of code that leaves your session is scanned. Not because it's nice to have, but because AI-generated code ships with 2.74x more OWASP vulnerabilities than human-written code. Bastion closes that gap.
- Quality is a gate, not a suggestion. Six stages stand between your code and production: lint, type-check, test, security scan, coverage, and build. Every stage must pass. Partial passes don't exist.
- Intelligence should be automatic. You shouldn't have to remember to run a security scan or check for architectural smells. Bastion's hooks inject quality awareness at session start. The agent doesn't need to remember — Bastion remembers for it.
- Zero dependencies, zero compromise. No npm packages, no Docker containers, no build steps. Just markdown files and a bash hook. This means instant installation, zero attack surface, and transparent, auditable code.
Start a new Claude Code session and ask:
What skills do you have available from Bastion?
If Bastion is installed correctly, the agent will list the security, quality, and ecosystem skills available. You can also run:
Run security-scanner on my codebase
This should trigger a full OWASP Top 10 scan on your project.
claude plugin update bastionOr if you cloned manually:
cd ~/.claude/plugins/bastion && git pull| Feature | No Skills | Super Powers | GSD | Bastion |
|---|---|---|---|---|
| Security scanning (OWASP Top 10) | ❌ | ❌ | Partial | ✅ Full coverage |
| Auto-remediation with validation | ❌ | ❌ | ❌ | ✅ Fix + verify + rollback |
| CI/CD pipeline generation | ❌ | ❌ | ❌ | ✅ GitHub / GitLab / CircleCI |
| Performance bottleneck detection | ❌ | ❌ | ❌ | ✅ O(n²) detection, N+1 queries |
| Skill conflict detection | ❌ | ❌ | ❌ | ✅ Cross-framework analysis |
| Token cost optimization | ❌ | ❌ | ❌ | ✅ Budget tracking + compression |
| Test quality analysis (mutation) | ❌ | TDD workflow | ❌ | ✅ Mutation testing + flaky detection |
| Architecture scoring (A-F) | ❌ | ❌ | ❌ | ✅ SOLID / DRY / KISS / YAGNI |
| Session state persistence | ❌ | ❌ | ❌ | ✅ 10:1 compression ratio |
| Workspace cleanup | ❌ | ❌ | ❌ | ✅ Safe classification system |
| API contract validation | ❌ | ❌ | ❌ | ✅ OpenAPI / GraphQL / gRPC |
| Zero external dependencies | — | ✅ | ✅ | ✅ |
| Subagent definitions | ❌ | ❌ | ✅ | ✅ 6 specialized agents |
Bastion activates automatically. But here's how to get value immediately:
Run security-scanner on my codebase
Scans every file against the OWASP Top 10, detects hardcoded secrets (AWS keys, GitHub tokens, private keys), and audits dependencies for known CVEs.
Run test-forge for src/auth/login.ts
Produces unit, integration, and edge-case tests with >80% coverage target. Follows strict TDD methodology with meaningful assertions — no expect(true).toBe(true) theater.
Run cicd-generator for this project
Detects your stack (Node, Python, Go, Rust, Java), generates production-ready pipelines with lint → type-check → test → security scan → build → deploy stages.
Run skill-doctor to check all installed skills
Detects conflicts between Bastion, Super Powers, GSD, Claude-Mem, and any other installed skills. Produces a compatibility matrix and resolution plan.
Run architecture-reviewer on src/core
Scores your architecture A-F across SOLID, DRY, KISS, and YAGNI principles. Detects circular dependencies, god objects, and architecture smells.
The first line of defense. Every piece of code passes through these gates before it ships.
| Skill | Description | Type |
|---|---|---|
| security-scanner | Full OWASP Top 10 scanning, secret detection, dependency CVE audit | Rigid |
| test-forge | TDD-driven test generation with mutation testing standards | Rigid |
| quality-gates | 6-stage gate pipeline: lint → types → tests → security → coverage → build | Rigid |
| auto-remediation | Automated vulnerability fixing with rollback safety | Semi-Rigid |
| cicd-generator | Production pipeline generation for GitHub Actions, GitLab CI, CircleCI | Flexible |
| security-report | Professional security findings with CVSS scoring and compliance mapping | Flexible |
Understand your codebase deeply before making changes.
| Skill | Description | Type |
|---|---|---|
| code-archaeologist | Dead code detection, legacy pattern identification, git history mining, technical debt scoring (A-F) | Diagnostic |
| architecture-reviewer | SOLID/DRY/KISS/YAGNI compliance scoring, design pattern audit, architecture smell detection | Diagnostic |
| performance-hunter | Bottleneck identification (N+1 queries, O(n²) algorithms), memory leak detection, performance budgets | Diagnostic |
| api-contract-checker | OpenAPI/GraphQL schema validation, breaking change detection, drift analysis, versioning strategy | Diagnostic |
| test-coverage-analyst | Beyond line coverage: mutation testing, critical path analysis, flaky test detection, test health scoring | Diagnostic |
Keep your entire development environment healthy and efficient.
| Skill | Description | Type |
|---|---|---|
| skill-doctor | Cross-framework conflict detection, trigger overlap analysis, compatibility matrix | Meta |
| token-optimizer | Context window management, token budget tracking, conversation compression, subagent delegation | Meta |
| session-resume | State capture with 10:1 compression ratio, validation on resume, drift detection | Meta |
| cleanup-agent | Safe workspace pollution removal, skill residual cleanup, build artifact management | Meta |
| quality-grader | 8-dimension skill evaluation rubric, A-F grading, comparison framework | Meta |
Bastion includes 6 subagent definitions for parallel, focused execution:
| Agent | Purpose |
|---|---|
| security-auditor | Deep security audits across the entire codebase |
| test-generator | Comprehensive test suite production with coverage enforcement |
| code-reviewer | Multi-dimensional code review (quality, security, performance, maintainability) |
| remediation-agent | Safe automated vulnerability fixing with rollback |
| cicd-architect | Production pipeline generation with quality gates |
| perf-analyzer | Static performance analysis with quantified impact |
Bastion injects its quality framework at the start of every Claude Code session via a session-start hook:
Session starts
│
▼
hooks/session-start runs
│
▼
using-bastion/SKILL.md injected as structured context
│
▼
Agent follows Bastion rules for all subsequent tasks
No manual activation. No configuration. It just works.
When multiple skills could apply to a task, Bastion follows a strict priority:
1. PROCESS SKILLS (always first):
security-scanner → test-forge → quality-gates
2. ANALYSIS SKILLS (for review/optimization):
architecture-reviewer → performance-hunter → code-archaeologist
3. ECOSYSTEM SKILLS (for environment management):
skill-doctor → token-optimizer → cleanup-agent
Bastion is designed to complement, not replace, your existing workflow tools:
| Framework | Relationship | Notes |
|---|---|---|
| Super Powers | ✅ Complementary | SP manages workflow; Bastion manages quality |
| Claude-Mem | ✅ Complementary | Claude-Mem manages memory; Bastion manages security |
| GSD | ✅ Complementary | GSD manages milestones; Bastion manages gates |
| Context7 | ✅ Complementary | Context7 manages docs; Bastion manages code quality |
Important: If you detect conflicts between Bastion and another framework, run
skill-doctorimmediately. It will diagnose the conflict and produce a resolution plan.
The entire plugin is zero-dependency.
- No npm packages
- No Python requirements
- No Docker containers
- No build step
- No runtime binaries
Just markdown files and a bash hook. This means:
- Instant installation — no
npm install, nopip install - Zero attack surface — no supply chain risk
- Universal compatibility — works on any system with bash
- Transparent — read every line of every skill, understand exactly what it does
Bastion includes 5 comprehensive reference documents:
| Document | Contents |
|---|---|
| OWASP Top 10 | Full checklist with detection patterns and remediation for all 10 categories |
| Security Patterns | Common vulnerability fix patterns with before/after code |
| CI/CD Templates | Complete pipeline templates for Node.js, Python, Go, Rust, Java |
| Architecture Patterns | SOLID compliance matrix, design pattern catalog, smell detection |
| Performance Patterns | Bottleneck detection, optimization strategies, budget templates |
bastion/
├── .claude-plugin/ # Claude Code plugin manifest
│ ├── plugin.json
│ └── marketplace.json
├── .cursor-plugin/ # Cursor plugin manifest
│ └── plugin.json
├── .codex/ # Codex (OpenAI) platform support
│ └── instructions.md
├── .opencode/ # OpenCode platform support
│ └── instructions.md
├── skills/ # 17 skills
│ ├── using-bastion/ # Entry skill (auto-injected at session start)
│ ├── security-scanner/ # Security & Quality (6 skills)
│ ├── test-forge/
│ ├── quality-gates/
│ ├── auto-remediation/
│ ├── cicd-generator/
│ ├── security-report/
│ ├── code-archaeologist/ # Code Intelligence (5 skills)
│ ├── architecture-reviewer/
│ ├── performance-hunter/
│ ├── api-contract-checker/
│ ├── test-coverage-analyst/
│ ├── skill-doctor/ # Ecosystem Management (5 skills)
│ ├── token-optimizer/
│ ├── session-resume/
│ ├── cleanup-agent/
│ └── quality-grader/
├── agents/ # 6 subagent definitions
│ ├── security-auditor.md
│ ├── test-generator.md
│ ├── code-reviewer.md
│ ├── remediation-agent.md
│ ├── cicd-architect.md
│ └── perf-analyzer.md
├── commands/ # 5 slash commands
│ ├── security-scan.md
│ ├── quality-check.md
│ ├── architect-review.md
│ ├── test-gen.md
│ └── pipeline-gen.md
├── docs/
│ └── references/ # 5 reference documents
├── hooks/
│ ├── hooks.json # Claude Code hook config
│ ├── hooks-cursor.json # Cursor hook config
│ └── session-start # Hook script (bash)
├── tests/ # Self-test scripts
│ ├── test-structure.sh
│ ├── test-skill-frontmatter.sh
│ └── test-plugin-manifest.sh
├── .github/ # GitHub templates
│ ├── ISSUE_TEMPLATE/
│ └── PULL_REQUEST_TEMPLATE.md
├── GEMINI.md # Gemini platform support
├── gemini-extension.json # Gemini extension manifest
├── package.json # npm metadata
├── run-hook.cmd # Windows hook script
├── logo.svg # SVG logo
├── README.md
├── CLAUDE.md # Repository instructions
├── AGENTS.md # Agent configuration
├── CONTRIBUTING.md # Contribution guidelines
├── CHANGELOG.md
├── RELEASE-NOTES.md
├── SECURITY.md
├── CODE_OF_CONDUCT.md
├── LICENSE
└── .gitignore
When you install Bastion, your AI coding agent gets:
- Code that doesn't ship secrets, vulnerabilities, or known CVEs
- Architecture that degrades gracefully, not catastrophically
- A skill ecosystem that works together, not against itself
- Token costs under control with smart optimization
- CI/CD pipelines generated from codebase analysis
When you skip Bastion, you get:
- Security incidents
- Regressions in production
- Wasted tokens and money
- Silent conflicts between skills
- Technical debt that compounds daily
Choose quality. Choose Bastion.
Bastion is MIT-licensed, zero-dependency, and built for the Claude Code ecosystem.
Website · Issues · Discussions · Contributing
If you find Bastion valuable, consider giving it a ⭐ — it helps others discover the project.