Rampart fully supports Windows for protecting Claude Code and other AI agents.
irm https://rampart.sh/install.ps1 | iex
This downloads the latest release, installs to ~\.rampart\bin, adds it to your PATH, and offers to set up Claude Code hooks automatically.
Manual install: Download the .zip from GitHub Releases, extract rampart.exe, and add to your PATH.
rampart setup claude-code
This adds hooks to ~\.claude\settings.json. Claude Code will now route all Bash commands through Rampart.
After running rampart setup claude-code, dangerous commands are blocked immediately. No need to run rampart serve for basic protection — the hook evaluates policies locally.
Run rampart serve if you want:
rampart watch shows real-time decisionsaction: ask policies need serve to handle human reviewrampart serve
Note: On Windows,
rampart serveruns in the foreground. Keep the terminal window open, or use Task Scheduler/NSSM to run it at startup.
# Check version
rampart version
# Health check
rampart doctor
# Test a command against your policy
rampart test "rm -rf /"
| Feature | Status |
|---|---|
rampart serve |
✅ Works (foreground only) |
rampart setup claude-code |
✅ Works |
rampart hook |
✅ Works |
rampart test |
✅ Works |
rampart watch |
✅ Works |
rampart mcp |
✅ Works |
| Path-based policies | ✅ Works (auto-converts \ to /) |
| Feature | Status | Notes |
|---|---|---|
rampart serve --background |
❌ Unix only | Uses fork/exec |
rampart serve stop |
❌ Unix only | Uses SIGTERM |
rampart upgrade |
✅ Works | Downloads .zip asset, replaces rampart.exe |
rampart wrap |
❌ Unix only | Uses $SHELL |
rampart preload |
❌ Linux only | Uses LD_PRELOAD |
Rampart automatically normalizes Windows paths for policy matching:
# This policy works on both Windows and Unix:
- name: block-ssh-keys
match:
tool: [read]
rules:
- action: deny
when:
path_matches:
- "**/.ssh/id_*"
message: "SSH key access blocked"
C:\Users\Trevor\.ssh\id_rsa will match **/.ssh/id_* correctly.
rampart uninstall
This removes hooks from Claude Code and Cline, removes Rampart from your PATH, and prints instructions to delete the remaining files.
Manual cleanup (if rampart command isn’t working):
# Delete Rampart files
Remove-Item -Recurse -Force ~\.rampart
Then remove %USERPROFILE%\.rampart\bin from PATH: Settings → System → About → Advanced system settings → Environment Variables.
Rampart is an unsigned binary that modifies other programs’ configurations (Claude Code hooks). This may trigger security warnings:
SmartScreen “Windows protected your PC”:
Windows Defender quarantine:
Corporate antivirus blocking:
Contact your IT team to whitelist rampart.exe, or install to a location your AV trusts.
Why does this happen? Rampart hooks into other programs and intercepts command execution — behaviors that look suspicious to antivirus heuristics. The binary is not code-signed (certificates cost ~$400/year). We’re working on getting Rampart whitelisted with major AV vendors.
The installer refreshes PATH automatically, but if it doesn’t work:
$env:PATH = "$env:USERPROFILE\.rampart\bin;$env:PATH"
Or restart your terminal.
If a previous install left files with broken permissions:
# Run as Administrator
takeown /f "$env:USERPROFILE\.rampart" /r /d y
icacls "$env:USERPROFILE\.rampart" /grant "$($env:USERNAME):F" /t
Remove-Item -Recurse -Force "$env:USERPROFILE\.rampart"
# Then re-run installer
irm https://rampart.sh/install.ps1 | iex
rampart doctorTest-Path ~\.claude\settings.jsonrampart setup claude-code --forcerampart serve is runninghttp://localhost:9090)rampart test "your-command"action: ask in --dangerously-skip-permissions modeaction: ask shows the native approval prompt even when Claude Code is launched with --dangerously-skip-permissions. Claude Code honors hook-returned permission decisions regardless of the bypass flag.
rampart watch