Fortress System

Zero-dependency quality gate for JavaScript & TypeScript projects. One command to set up. One command to check your code.

$ npx fortress-system setup
fortress quick
Fortress Quick Validation
Running enabled checks...

[PASS] Lint (0.3s)
[PASS] Tests (0.1s) 4/4 tests passed
[PASS] Secrets Detection (0.1s)
[PASS] Content (0.2s)
──────────────────────────────────────────────────
Score: 100/100 (0.7s)
All checks passed.

Why Fortress?

Quality checks that work with your stack, not against it.

Zero Dependencies

Built entirely on Node.js built-ins. Nothing in your supply chain to compromise. No dependency updates to chase.

One Command Setup

npx fortress-system setup handles everything — package.json, git init, install, interactive wizard, pre-commit hook.

Adaptive Scoring

Only using 3 of 7 checks? Your score adapts. Disabled checks don't penalize you. A perfect 100 is always reachable.

Secrets Detection

19 built-in patterns catch AWS keys, GitHub tokens, Stripe secrets, JWTs, private keys, and more — before they hit version control.

Claude Code Integration

Auto-configures CLAUDE.md, permissions, statusline, and two specialized AI agents for security audit and code review.

CI/CD Ready

JSON output, exit codes, --ci flag. Drop fortress validate into any pipeline as a quality gate.

7 Quality Checks

Each check is auto-detected and independently configurable.

Check      | What it does                                    | Weight
-----------|-------------------------------------------------|-------
TypeScript | Runs tsc --noEmit to catch type errors          | 20
Lint       | Runs your linter (ESLint, Biome, Next.js)       | 15
Tests      | Runs your test suite with proportional scoring  | 25
Content    | Scans for TODOs, FIXMEs, forbidden patterns     | 20
Secrets    | Detects hardcoded credentials (19 patterns)     | 10
Security   | Runs npm audit for vulnerable dependencies      | 10
Build      | Verifies your project builds successfully       | 10

How It Works

1. Install & detect

Run npx fortress-system setup in any JS/TS project. Fortress detects your framework, linter, test runner, and package manager automatically.

2. Code with confidence

Run fortress quick as you work. The pre-commit hook catches issues before they reach your repo.

3. Validate before deploy

Run fortress deploy for a full quality gate. Score 95+ means deploy-ready. Track your trend with fortress trend.

4. AI-powered review

Run fortress review to invoke security audit and code review agents via Claude Code. Optional but powerful.

Works With Your Stack

Auto-detects and configures for your tools.

Frameworks

Next.js, React, Vue, Nuxt, Svelte, SvelteKit, Angular, Express, Fastify, Koa

Test Runners

Vitest, Jest, Mocha, Node.js built-in test runner

Tooling

TypeScript, ESLint, Biome, npm, yarn, pnpm, bun

Fully Configurable

The setup wizard generates this for you. Tweak it however you want.

fortress.config.js
// Generated by `fortress init` — edit freely
module.exports = {
  checks: {
    typescript: {
      enabled: true,
      command: 'npx tsc --noEmit',
      weight: 20,
    },
    lint: {
      enabled: true,
      command: 'npx eslint .',
      weight: 15,
    },
    test: {
      enabled: true,
      command: 'npx vitest run',
      weight: 25,
    },
    secrets: {
      enabled: true,
      patterns: [
        { regex: 'MYAPP_KEY_[A-Za-z0-9]{32}', label: 'MyApp API Key' },
      ],
      allowlist: { 'tests/fixtures/': '*' },
      weight: 10,
    },
    // content, security, build — all auto-configured
  },
  scoring: { deployThreshold: 95 },
};
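
An added example (not Fortress source code) for trying a custom secrets pattern and allowlist like the ones in the config above against sample text before committing the config. The helper names (isAllowlisted, scanText, scanAll) are hypothetical; it assumes regex is compiled as a JavaScript RegExp and that an allowlist key is a path prefix whose value '*' suppresses every pattern. The sample key is constructed.

```javascript
// Added example, not Fortress source code. Assumed semantics: `regex` is
// compiled as a JavaScript RegExp, and an allowlist key is a path prefix
// whose value '*' suppresses every pattern under that prefix.
const secretsConfig = {
  patterns: [{ regex: 'MYAPP_KEY_[A-Za-z0-9]{32}', label: 'MyApp API Key' }],
  allowlist: { 'tests/fixtures/': '*' },
};

// Hypothetical helper: true if findings for `label` are suppressed for this path.
function isAllowlisted(filePath, label, allowlist) {
  return Object.entries(allowlist).some(([prefix, value]) =>
    filePath.startsWith(prefix) && (value === '*' || value === label));
}

// Hypothetical helper: scan one file's text and return redacted findings.
function scanText(filePath, text, config) {
  const findings = [];
  for (const { regex, label } of config.patterns) {
    if (isAllowlisted(filePath, label, config.allowlist)) continue;
    text.split('\n').forEach((line, i) => {
      for (const m of line.matchAll(new RegExp(regex, 'g'))) {
        // Report only a short prefix so the report never re-leaks the secret.
        findings.push({ file: filePath, line: i + 1, label, match: m[0].slice(0, 12) + '...' });
      }
    });
  }
  return findings;
}

// Scan a map of { path: contents } and collect all findings.
function scanAll(files, config) {
  return Object.entries(files).flatMap(([p, t]) => scanText(p, t, config));
}

// Constructed sample inputs (not real credentials).
const fakeKey = 'MYAPP_KEY_' + 'a1B2c3D4'.repeat(4); // prefix + 32 characters
const samples = {
  'src/client.js': `const key = "${fakeKey}";\nconst short = "MYAPP_KEY_tooShort";`,
  'tests/fixtures/keys.js': `module.exports = "${fakeKey}";`,
  '.env.example': 'MYAPP_KEY=changeme',
};

console.log(scanAll(samples, secretsConfig));
```

Running the same scan with an empty allowlist shows what the tests/fixtures/ entry hides, which is worth checking before allowlisting a whole directory.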

Frequently Asked Questions

Yes, completely. Fortress is open source under the MIT license. Free to use in personal projects, commercial projects, and CI/CD pipelines. No paid tiers, no telemetry, no catch.
No. Fortress works in any terminal with Node.js 18+. The Claude Code integration (CLAUDE.md, agents, statusline) is set up automatically during fortress init but is entirely optional. The fortress review command gracefully skips with a helpful message if Claude Code isn't installed. All other commands work identically with or without it.
The pre-commit hook runs fortress quick, which skips the slower checks (security audit and build). Typical runs complete in under 2 seconds. If your test suite is fast, you'll barely notice it. You can also remove or customize the hook at any time — it's just a file at .git/hooks/pre-commit.
That's totally fine. Fortress uses adaptive scoring — disabled checks are excluded from the total. If you only enable lint and tests, those two checks can still reach a perfect 100/100. You're never penalized for checks that don't apply to your project.
Yes. Use fortress validate --ci for pass/fail checks or fortress deploy --ci --json for deploy gates. The --ci flag disables colors and interactive prompts. Exit code 1 on failure, so your pipeline fails on quality issues. Works with GitHub Actions, GitLab CI, CircleCI, Jenkins, and any other CI system that runs Node.js.
Every dependency is a potential supply chain risk, an install-time cost, and a maintenance burden. Fortress is built entirely on Node.js built-ins, which means fast installs, no node_modules bloat, no vulnerability alerts from transitive deps, and nothing in your supply chain that you don't control. The entire package ships at 45 KB.
You can customize commands for any check (point lint at Biome instead of ESLint, use a different test runner, etc.), add custom secret detection patterns, define forbidden content patterns, and allowlist specific paths. The fortress.config.js file is plain JavaScript — full control, no magic.

Ship better code, starting now.

Takes 30 seconds to set up. Zero config required.

npx fortress-system setup