Protect OpenAI Codex CLI subprocesses using Rampart’s LD_PRELOAD/DYLD interception. Every shell command Codex spawns through libc exec-family calls passes through your policy before execution.
Unlike Claude Code and Cline — which expose hook APIs — Codex CLI doesn’t have a native hook system. Rampart instead uses LD_PRELOAD to interpose the libc exec-family calls (execve, execvp, system, popen, posix_spawn) at the library-call level, below Codex itself. This means every command Codex spawns is evaluated against your policy regardless of how Codex invokes it.

```text
Codex CLI → tool call → librampart.so intercept → Rampart policy → allow / deny
```
rampart setup codex requires the preload library (librampart.so on Linux, librampart.dylib on macOS). If your install does not include it — common for source builds — build and place it first:
```bash
mkdir -p ~/.rampart/lib
# Linux
cc -shared -fPIC -o ~/.rampart/lib/librampart.so preload/librampart.c -ldl -lcurl -lpthread
# macOS
cc -dynamiclib -fPIC -o ~/.rampart/lib/librampart.dylib preload/librampart.c -lcurl
```
Then install the persistent Codex wrapper:
```bash
rampart setup codex
```
This creates ~/.local/bin/codex — a wrapper script that runs the real Codex binary through rampart preload. From that point on, just use codex normally.
```text
✓ Wrapper installed at /home/user/.local/bin/codex
  Wraps: /usr/local/bin/codex
  Via: /usr/local/bin/rampart preload
✓ Run 'codex' normally — all tool calls are now enforced by Rampart.
  Uninstall: rampart setup codex --remove
```
The wrapper lives in ~/.local/bin. Make sure that directory appears before the real Codex binary in your PATH:

```bash
# ~/.bashrc or ~/.zshrc
export PATH="$HOME/.local/bin:$PATH"
```

Verify the right codex is active:

```bash
which codex
# Should print: /home/user/.local/bin/codex
```
If you don’t want the wrapper, you can invoke Rampart inline for any command:
```bash
rampart preload -- codex exec --full-auto 'fix the bug in auth.py'
```
If you run rampart setup without arguments, the wizard detects installed agents automatically:
```text
Detected agents:
  ✓ Codex (found) → rampart setup codex
  ✗ Claude Code → not found
  ✗ OpenClaw → not found
Which agents would you like to protect? [all detected/select/skip]
```
Codex is set up automatically when detected.
Start the Rampart server, then run Codex:
```bash
# Terminal 1
rampart serve
# Terminal 2 — Rampart watch shows live decisions
rampart watch
# Terminal 3 — run Codex normally
codex exec --full-auto 'check disk usage'
```
You should see df -h appear in rampart watch as allowed. Try something blocked:
```bash
codex exec --full-auto 'show me the SSH private key'
# → Operation not permitted (blocked by block-credential-access)
```
Rampart’s standard policy covers the most common Codex threat scenarios out of the box:
| Scenario | Policy | Action |
|---|---|---|
| `cat ~/.ssh/id_rsa` | block-credential-access | deny |
| `curl ... \| bash` | block-destructive | deny |
| `base64 -d \| sh` | block-destructive | deny |
| `sudo rm -rf /` | require-privileged-approval | require approval |
| `cat /etc/shadow` | block-credential-access | deny |
| `/dev/tcp/` shell redirect | block-network-exfil | deny |
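To make the mechanism behind the interception and the policy table concrete, here is an added illustration (not Rampart's own code, and not its policy format) of the decision step a preload shim runs inside an interposed `execve`/`system`/`popen` before delegating to the real libc call. The rule table, `rampart_demo_decide`, and `rampart_demo_decide_argv` are hypothetical names; the rules mirror the six scenarios above, and the argv path fails closed on oversized input rather than evaluating a truncated command.

```c
#include <stdio.h>
#include <string.h>
/* Verdict for the interposed exec call; a preload shim surfaces DENY by returning
 * -1 with errno = EPERM, the "Operation not permitted" the Codex session reports. */
typedef enum { ALLOW = 0, DENY = 1, NEEDS_APPROVAL = 2 } verdict_t;
typedef struct { const char *needle; const char *policy; verdict_t verdict; } rule_t;

/* Hypothetical substring rules mirroring the table above (not Rampart's policy format). */
static const rule_t rules[] = {
    { "/.ssh/id_",   "block-credential-access",     DENY },
    { "/etc/shadow", "block-credential-access",     DENY },
    { "/dev/tcp/",   "block-network-exfil",         DENY },
    { "sudo rm -rf", "require-privileged-approval", NEEDS_APPROVAL },
};
/* Whole-word match so "| shuf" is not mistaken for "| sh". */
static int token_is(const char *p, const char *w) {
    size_t n = strlen(w);
    return strncmp(p, w, n) == 0 && (p[n] == '\0' || p[n] == ' ' || p[n] == '\t');
}
/* True when a pipeline stage after '|' is a bare shell ("curl ... | bash", "base64 -d | sh"). */
static int pipes_into_shell(const char *cmd) {
    for (const char *p = cmd; (p = strchr(p, '|')) != NULL; ) {
        for (p++; *p == ' ' || *p == '\t' || *p == '|'; p++) ;
        if (token_is(p, "sh") || token_is(p, "bash")) return 1;
    }
    return 0;
}

/* Evaluate one command line; *policy names the rule that decided. */
verdict_t rampart_demo_decide(const char *cmd, const char **policy) {
    for (size_t i = 0; i < sizeof rules / sizeof *rules; i++)
        if (strstr(cmd, rules[i].needle)) { *policy = rules[i].policy; return rules[i].verdict; }
    if (pipes_into_shell(cmd)) { *policy = "block-destructive"; return DENY; }
    *policy = "default-allow";
    return ALLOW;
}

/* execve-style entry: join argv into the line the operator sees in `rampart watch`.
 * Fails closed when argv does not fit, so an oversized argv cannot hide a forbidden token. */
verdict_t rampart_demo_decide_argv(char *const argv[], const char **policy) {
    char joined[4096] = "";
    size_t used = 0;
    for (int i = 0; argv[i] != NULL; i++) {
        int n = snprintf(joined + used, sizeof joined - used, "%s%s", i ? " " : "", argv[i]);
        if (n < 0 || (size_t)n >= sizeof joined - used) { *policy = "oversize-argv"; return DENY; }
        used += (size_t)n;
    }
    return rampart_demo_decide(joined, policy);
}
```

In a real shim each interposer would call this before `dlsym(RTLD_NEXT, ...)` and, on DENY, set `errno = EPERM` and return -1 without ever reaching the original libc function.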
To remove the wrapper:

```bash
rampart setup codex --remove
```

Rampart verifies the file is its own wrapper before removing it. The real Codex binary is restored automatically (it was never moved).
rampart setup codex supports Linux and macOS by installing a wrapper at ~/.local/bin/codex that invokes Codex through rampart preload. Linux provides full LD_PRELOAD coverage. macOS works for dynamically linked/Homebrew-style binaries, but SIP prevents preload interception for protected system binaries. Preload interception also has an inherent limit on both platforms: statically linked binaries and setuid programs such as sudo do not load preload libraries, so Rampart sees the parent's call that launches them, not the commands they spawn afterwards. Windows is not supported; use the HTTP API or MCP proxy mode instead. Run rampart setup --help for alternatives.