YggLarsCowe/bmalph
↗ GitHubUnified AI Development Framework - BMAD phases with Ralph execution loop
334
Stars
33
Forks
6
Watchers
33
Open Issues
Safety Rating A
The repository appears to be a legitimate open-source AI development tooling project. No hardcoded API keys, tokens, or passwords were found. The bypassPermissions configuration documented in the README is an intentional user-configurable setting for unattended automation, not a malicious pattern. No obfuscated code, data exfiltration patterns, or prompt injection attempts were detected. Dependency manifests were not included in the provided content, so a full dependency vulnerability scan was not possible, but no obvious red flags are present.
ℹAI-assisted review, not a professional security audit.
AI Analysis
bmalph is a TypeScript CLI tool that bundles and integrates two AI development systems — BMAD-METHOD (a structured planning framework with analyst, PM, architect, and QA agents covering Phases 1-3) and Ralph (an autonomous bash-based implementation loop for Phase 4). It provides a unified workflow for AI-assisted software development across multiple platforms including Claude Code, OpenAI Codex, OpenCode, Cursor, Windsurf, GitHub Copilot, and Aider, managing installation, upgrades, health checks, and the transition from planning artifacts to autonomous implementation.
Use Cases
- Bootstrapping AI-assisted software projects with structured planning phases (analysis, PRD, architecture, stories)
- Running autonomous TDD-based implementation loops via Ralph on supported CLI platforms
- Managing multi-platform AI coding assistant configurations from a single CLI
- Transitioning BMAD planning artifacts into Ralph's execution format for iterative development
- Monitoring and diagnosing AI development workflow health across project phases
Tags
Security Findings (1)
The README documents a configuration variable CLAUDE_PERMISSION_MODE="bypassPermissions" intended to be set in .ralph/.ralphrc, which instructs the Claude Code driver to bypass permission checks for unattended loops. While this is a user-configurable setting rather than a hardcoded secret, it represents a security-relevant default that disables interactive approval workflows in automated AI sessions.
Project Connections
GSD
Both are structured, multi-phase AI coding workflow systems. GSD provides a new-project through execute-phase pipeline with context-engineered planning artifacts; bmalph bundles BMAD-METHOD planning phases (analyst, PM, architect, QA) with the Ralph autonomous implementation loop — parallel philosophies targeting the same set of AI coding platforms.
GSD-2
→GSD-2 is a TypeScript autonomous coding agent CLI with spec-driven workflows; bmalph wraps BMAD-METHOD and Ralph into a unified CLI supporting Claude Code, Cursor, Codex, and Windsurf. Both provide structured frameworks layered on top of AI coding tools but differ in planning methodology and execution engine.
claude-code-best-practice
→claude-code-best-practice documents the underlying patterns that bmalph implements — subagent orchestration, prompt management, MCP hooks, and workflow structure. The repository functions as the conceptual reference for the development methodology that bmalph operationalizes.
Chops
→Chops manages and organizes AI agent skills across Claude Code, Cursor, Codex, and Windsurf — the exact platforms bmalph targets. Chops provides the skill library management layer that keeps agent capabilities used within bmalph workflows organized and discoverable.