<div align="center">

🛡️ Rampart

A firewall for AI coding agents.

</div>

---

Claude Code's --dangerously-skip-permissions mode — and similar autonomous modes in Cline and Codex — give agents unrestricted shell access. Your agent can read your SSH keys, exfiltrate your .env, or rm -rf / with no guardrails.

Rampart sits between the agent and your system. Every command, file access, and network request is evaluated against your policy before it executes. Dangerous commands never run.

---

Install

# Homebrew (macOS and Linux) — recommended
brew install peg/tap/rampart

# One-line install (no sudo required)
curl -fsSL https://rampart.sh/install | bash

# Go install (requires Go 1.24+)
go install github.com/peg/rampart/cmd/rampart@latest

Windows (PowerShell):

irm https://rampart.sh/install.ps1 | iex

After installing, run rampart quickstart or follow the setup steps below.

---

Quick start

Pick your agent and run one command:

# Claude Code
rampart setup claude-code

# OpenClaw
rampart setup openclaw --patch-tools

# Cline
rampart setup cline

# Codex CLI
rampart setup codex

# Any other agent (wraps $SHELL)
rampart wrap -- your-agent

That's it. Verify everything is working:

rampart doctor

Then watch your agent in real time:

rampart watch

Once running, every tool call goes through Rampart's policy engine first:

✅ 14:23:01  exec  "npm test"                          [allow-dev]
✅ 14:23:03  read  ~/project/src/main.go                [default]
🔴 14:23:05  exec  "rm -rf /tmp/*"                      [block-destructive]
🟡 14:23:08  exec  "curl https://api.example.com"       [log-network]
👤 14:23:10  exec  "kubectl apply -f prod.yaml"         [require-approval]
🔴 14:23:12  resp  read .env                            [block-credential-leak]
                    → blocked: response contained AWS_SECRET_ACCESS_KEY

---

How it works

<img src="docs/architecture.svg" alt="Rampart architecture" width="100%">

Pattern matching handles 95%+ of decisions in microseconds. The optional rampart-verify sidecar adds LLM-based classification for ambiguous commands. All decisions go to a hash-chained audit trail.

| Agent | Setup command | Integration | |-------|--------------|-------------| | Claude Code | rampart setup claude-code | Native PreToolUse hooks via ~/.claude/settings.json | | OpenClaw | rampart setup openclaw --patch-tools | Native bridge + shell shim + tool patches | | Cline | rampart setup cline | Native hooks via settings | | Codex CLI | rampart setup codex | Persistent wrapper with LD_PRELOAD | | Any agent | rampart wrap -- <agent> | Shell wrapping via $SHELL | | MCP servers | rampart mcp -- <server> | MCP protocol proxy | | System-wide | rampart preload -- <cmd> | LD_PRELOAD syscall interception |

<div align="center"> <img src="docs/watch.png" alt="rampart watch — live audit dashboard" width="700"> </div> <details> <summary><strong>Table of Contents</strong></summary>

Getting Started: Install · Quick start · Claude Code · OpenClaw · Wrap any agent

Core Features: Policies · Approval flow · Audit trail · Live dashboard · Webhook notifications

Advanced: LD_PRELOAD · MCP proxy · SIEM integration · Webhook actions · Preflight API

Reference: Performance · Security · OWASP coverage · CLI reference · Compatibility · Building from source

</details>

---

Claude Code

Native integration through Claude Code's hook system — every Bash command, file read, and write goes through Rampart before execution:

# Install background service
rampart serve install

# Wire up hooks
rampart setup claude-code

Then use Claude Code normally. Rampart runs invisibly in the background.

To remove:

rampart setup claude-code --remove

---

OpenClaw

Full native integration — one command covers everything:

sudo rampart setup openclaw --patch-tools

This installs three layers of protection:

1. Native bridge — Rampart connects to the OpenClaw gateway and intercepts exec approval events. Hard deny rules resolve before the Discord UI shows. When you click "Always Allow", the rule is written to ~/.rampart/policies/user-overrides.yaml — a file that survives upgrades and is never overwritten by rampart setup.

2. Shell shim — intercepts exec calls from Claude Code and other agents running under OpenClaw.

3. Tool patches — patches web_fetch, browser, message, and exec tools in OpenClaw's dist files so URL fetches, browser navigation, and outbound messages are all policy-checked.

Requires write access to the OpenClaw dist directory (typically needs sudo for global npm installs).

After each OpenClaw upgrade, re-run the tool patches:

sudo rampart setup openclaw --patch-tools --force

The native bridge survives upgrades automatically — exec approval interception never stops. Between upgrade and re-patch, web_fetch/browser/message tools bypass Rampart; exec enforcement via the bridge remains active throughout.

Run rampart doctor at any time to see exactly which patches are applied. Use rampart doctor --fix to re-apply missing patches automatically.

---

Wrap any agent

For agents without a hook system, wrap sets $SHELL to a policy-checking shim. Works with any agent that reads $SHELL (Aider, OpenCode, Continue, and more):

rampart wrap -- aider
rampart wrap -- opencode
rampart wrap -- python my_agent.py

---

Protect any process (LD_PRELOAD)

For agents with no hook system and no $SHELL support, preload intercepts exec-family syscalls at the OS level:

rampart preload -- codex
rampart preload -- python my_agent.py
rampart preload -- node agent.js

# Monitor mode — log only, no blocking
rampart preload --mode monitor -- risky-tool

Intercepts execve, execvp, system(), popen(), and posix_spawn(). Denied calls return EPERM.

Platform notes: Works with all dynamically-linked binaries on Linux. Works on macOS with Homebrew/nvm/pyenv binaries; blocked by SIP for /usr/bin/* (AI agents don't live there).

---

Protect MCP servers

Drop-in proxy between your agent and any MCP server:

rampart mcp -- npx @modelcontextprotocol/server-filesystem /path

In your MCP config (Claude Desktop, etc.):

{
  "mcpServers": {
    "filesystem": {
      "command": "rampart",
      "args": ["mcp", "--", "npx", "@modelcontextprotocol/server-filesystem", "."]
    }
  }
}

Auto-generate policies from an MCP server's tool list:

rampart mcp scan -- npx @modelcontextprotocol/server-filesystem .

---

Writing policies

Policies are YAML. Glob matching, hot-reload on file change.

rampart setup creates ~/.rampart/policies/custom.yaml as a starter template. It's never overwritten by upgrades.

version: "1"
default_action: allow

policies:
  - name: block-destructive
    match:
      tool: ["exec"]
    rules:
      - action: deny
        when:
          command_matches: ["rm -rf *", "mkfs.*", "dd if=*", ":(){ :|:& };:"]
        message: "Destructive command blocked"

  - name: block-credential-reads
    priority: 1
    match:
      tool: ["read"]
    rules:
      - action: deny
        when:
          path_matches: ["**/.ssh/id_*", "**/.aws/credentials", "**/.env"]
        message: "Credential access blocked"

  - name: block-exfil
    match:
      tool: ["fetch"]
    rules:
      - action: deny
        when:
          domain_matches: ["*.ngrok-free.app", "*.requestbin.com", "webhook.site"]
        message: "Exfiltration domain blocked"

Use command_contains for substring matching (case-insensitive):

  - name: block-dangerous-substrings
    match:
      tool: ["exec"]
    rules:
      - action: deny
        when:
          command_contains: ["DROP TABLE", "rm -rf"]
        message: "Dangerous substring detected"

Use action: ask to trigger an approval prompt:

  - name: ask-before-sudo
    match:
      agent: ["claude-code"]
      tool: ["exec"]
    rules:
      - action: ask
        when:
          command_contains: ["sudo "]
        message: "This command needs your approval"

No YAML editing required for common cases. When a command is blocked, Rampart suggests what to run:

# When "npm install lodash" gets denied:
#   💡 To allow this: rampart allow "npm install *"
rampart allow "npm install *"
#  ✓ Rule added — policy reloaded (12 rules active)

Evaluation: Deny always wins. Lower priority number = evaluated first. Four actions: deny, ask, watch, allow.

Project-local policies

Drop .rampart/policy.yaml in any git repo for project-specific rules. Commit it so every team member gets the same rules automatically:

rampart init --project

Security note: Set RAMPART_NO_PROJECT_POLICY=1 to skip project policy loading when working in untrusted repos.

Built-in