action: ask)action: ask surfaces Claude Code’s built-in inline approval dialog when a policy rule matches, instead of blocking the command outright. The user sees the command details and can approve or deny without leaving their session.
Use action: ask when a command is sensitive but not always dangerous — you want a human in the loop without hard-blocking legitimate use:
rm -rf build/, database resets)For commands that should never run (credential access, exfiltration), use action: deny instead.
action and when must be nested inside a rules: list — not at the policy level:
policies:
- name: ask before running tests
rules:
- action: ask
when:
command_contains:
- pytest
- npm test
message: "Running test suite — proceed?"
- name: ask before dropping databases
rules:
- action: ask
when:
command_matches:
- "dropdb *"
- "psql * DROP *"
message: "This will delete a database. Are you sure?"
audit: true — Log User DecisionsBy default, action: ask prompts don’t log the user’s response. Add audit: true to record approvals and denials:
policies:
- name: audited-deploys
rules:
- action: ask
ask:
audit: true # ← log the user's decision
when:
command_matches:
- "kubectl apply *"
message: "Deploy to cluster?"
With audit: true, the audit trail includes whether the user approved or denied the prompt. This is useful for compliance, debugging, and understanding agent behavior patterns.
headless_only: true — Block in CIUse headless_only: true when you want interactive approval locally but hard denies in CI/headless environments:
policies:
- name: production-safety
rules:
- action: ask
ask:
audit: true
headless_only: true # ← deny in CI, prompt interactively
when:
command_matches:
- "*--env=production*"
message: "Production operation requires approval"
Behavior:
rampart serve): Blocks with a denyThis lets you write one policy that works both locally (with prompts) and in CI (with denies). See CI/Headless Agents for more details.
require_approval Migration NoteOlder Rampart docs and policies may still reference action: require_approval, but current Rampart releases require action: ask explicitly.
Use this form instead:
- action: ask
ask:
audit: true
message: "Needs approval"
action: require_approval is no longer accepted by the policy engine. Update old examples and local policies to use action: ask.
⚠️ Common mistake: putting
action: askdirectly inside the policy (as a sibling ofnameorrules).rampart policy lintwill catch this and explain the correct structure.
When a matching command is intercepted, Claude Code displays:
Hook PreToolUse:Bash requires confirmation for this command:
Rampart: Running test suite — proceed?
Do you want to proceed?
> 1. Yes
2. No
Esc to cancel · Tab to amend · ctrl+e to explain
Pressing ctrl+e expands an AI-generated explanation of what the command does and its risk level — this is a Claude Code native feature, not Rampart.
By default, a policy applies to all tools. Scope it to bash-only or specific tools using match:
policies:
- name: ask before shell commands with curl
match:
tool: Bash
rules:
- action: ask
when:
command_contains:
- curl
action: ask is the current human-approval action. Depending on the integration, it can surface as Claude Code’s inline prompt, OpenClaw’s native approval UI, or Rampart’s dashboard/CLI approval queue.
--dangerously-skip-permissions modeaction: ask shows the native approval prompt even when Claude Code is launched with --dangerously-skip-permissions. Claude Code honors hook-returned permissionDecision: ask regardless of the bypass flag — the user still sees the inline dialog and must approve or deny.
action: ask triggers Claude Code’s native permission prompt. On other agents:
cancel: true)rampart policy lint will warn if you use action: ask without scoping the policy to match.agent: [claude-code].
The permissionDecision: ask hook response was introduced in Claude Code v2.0. Older versions may treat it as allow.
Use rampart policy lint to validate before deploying:
rampart policy lint ~/.rampart/policies/my-policy.yaml
And test end-to-end:
rampart test ~/.rampart/policies/my-policy.yaml