Skip to content

Rampart

Open-source guardrails for AI agents. A policy firewall for shell commands, file access, and MCP tools.

What is Rampart?

Rampart is a policy engine that sits between AI agents and the tools they use. Every command, file access, and network request gets evaluated against your YAML policies before it executes. Dangerous actions get blocked instantly. Everything gets logged to a tamper-evident audit trail where each entry is cryptographically linked to the previous one — if anyone tampers with a record, the chain breaks.

Rampart also scans tool responses — if your agent reads a file containing credentials, the response is blocked before those secrets enter the agent's context window. Learn more →

  • Policy Engine

    YAML-based policies with glob matching. Deny, allow, log, or require human approval. Zero noticeable overhead.

    Learn more

  • Audit Trail

    Tamper-evident logs where every entry is linked to the last. Daily rotation, search, and verification built in.

    Learn more

  • Real-time Alerts

    Webhook notifications to Discord, Slack, or Teams when something gets blocked. Export to security monitoring tools (Splunk, Wazuh, etc.) via syslog.

    Learn more

  • Universal Integration

    Native hooks, native plugins, shell wrapping, MCP proxy, system-level interception, HTTP API. Works with every major AI agent.

    Integration guides

  • Response Scanning

    Block credentials in tool responses before they reach the agent's context window. Prevents secrets from being exfiltrated in later turns.

    How it works

  • OWASP Agentic Top 10

    Mapped against the 2026 OWASP framework for autonomous AI agents. 1 fully covered, 8 partially mitigated, 1 not addressed, with honest assessment of gaps.

    Full mapping

Quick Start

# Install
brew install peg/tap/rampart

# Claude Code
rampart setup claude-code

# OpenClaw
rampart setup openclaw

That's it. Pick the integration that matches your agent. Full setup guide → · Support matrix →

Frequently Asked Questions

Is Claude Code safe to use in --dangerously-skip-permissions mode?
It can be — with guardrails. --dangerously-skip-permissions gives Claude Code full shell access, which is powerful but risky. Rampart provides those guardrails: every command is evaluated against your policy before it runs. Full guide →

What happens if my AI agent runs a destructive command?
Without Rampart: it runs. With Rampart: the command is evaluated against your policy in under 10μs. If it matches a deny rule, it's blocked before execution and logged. Claude Code receives the denial reason and explains it to you.

Can AI agents be manipulated by prompt injection?
Yes — a webpage or MCP tool response can contain instructions that try to override an agent's behavior. Rampart's watch-prompt-injection policy monitors tool responses for these patterns and logs them for review. Learn more →

Does Rampart send my commands to any external server?
No. Rampart runs entirely on your machine. Policy evaluation, audit logging, and the dashboard are all local processes. No command data, file paths, or decisions are sent anywhere.

Will Rampart slow down my agent?
Policy checks are pure in-memory pattern matching — no network calls, no disk I/O, no measurable impact on your agent's workflow.

What if I need to allow a command that's blocked?
Run rampart allow "your command pattern" and it's done — no YAML editing required. The rule takes effect immediately. For one-time exceptions, use action: ask in your policy so you can approve each instance. Full guide →

How It Works

AI AgentsInterceptionYAML Policy Engine\n<10μsrampart-verify\n(optional sidecar)Audit Trail\nhash-chainedOutcomesClaude CodeClineOpenClawCodex CLIAny AgentNative HooksNative PluginLD_PRELOADMCP ProxyExecuteBlockedApproval allowdenyambiguous

Works With Every Agent

Agent Integration Setup
Claude Code Native hooks rampart setup claude-code
Cline Native hooks rampart setup cline
OpenClaw Native plugin rampart setup openclaw
Codex CLI Wrapper + preload rampart setup codex
Cursor MCP proxy rampart mcp --
Claude Desktop MCP proxy rampart mcp --
Any CLI agent Shell wrapper rampart wrap --
Python agents HTTP API / SDK localhost:9090

See all integration guides

What's New in v1.0

  • Update checks are sanerampart doctor understands the 1.0 release line and no longer suggests downgrading release candidates to the older stable v0.9.22 release.
  • OpenClaw 2026.5.6 verified for launch — Rampart uses OpenClaw's first-class plugin approval path as the single human-approval owner, with Rampart handling policy, audit, and durable allow-always persistence. Details →
  • Degraded mode is explicit — sensitive OpenClaw tools block when rampart serve is unavailable, while only configured lower-risk failOpenTools may proceed.
  • Setup and doctor are launch-strictrampart setup openclaw installs the native plugin cleanly, repairs approval-hardening drift, and rampart doctor checks plugin state, serve reachability, approval timeout alignment, and version coherence.
  • Matching and bypass regressions are tighter — shell-wrapper normalization, URL/domain handling, path matching, and OpenClaw plugin approval/degraded-mode tests now cover the hard edges found during the 1.0 RC pass.

v0.9.22

  • Runtime config is finally less weird — Rampart now has a documented persistent local config file at ~/.rampart/config.yaml, with a clear url / serve_url / api precedence model for hooks, approvals, reloads, and service-backed flows. Details →
  • Config resolution is stricter and more trustworthy — malformed local config no longer silently falls back to the wrong endpoint during approval, hook, preload, watch, or reload paths.
  • OpenClaw approval integrity is tighter — ambiguous PostToolUseFailure events no longer get mislabeled as Rampart denials, which keeps native approval history and audit state more honest. Details →
  • OpenClaw docs are now aligned with reality — native plugin first, single approval owner, legacy dist patching treated as compatibility-only. Details →

v0.9.21

  • OpenClaw trust signals tightenedrampart status is more careful about when it claims OpenClaw bridge/plugin state.
  • Built-in self-modification policy tuned — human-readable docs and PR text can mention Rampart commands without tripping the policy, while real self-modifying command invocations remain protected.
  • Support contract clarified — the published support matrix now clearly splits recommended, supported, and legacy OpenClaw integration tiers.

v0.9.20

  • OpenClaw approval trust — Native Discord exec approvals are the supported path for Rampart's OpenClaw integration. OpenClaw owns approval UI/state, Rampart owns policy, audit, and allow-always persistence. Details →
  • Durable Allow Always — OpenClaw approvals can persist safe learned rules to user-overrides.yaml.
  • Sensitive degraded-mode behavior — High-risk OpenClaw tools stop silently bypassing policy when the service is unavailable.

v0.9.13

  • plugins.allow set automatically — Setup now adds rampart to OpenClaw's plugins.allow config. Existing plugins are preserved — only appends, never overwrites. No more "plugins.allow is empty" warning in openclaw doctor.
  • Plugin version corrected — Plugin now reports the actual Rampart version instead of 0.1.0.
  • rampart doctor false positives fixed — Dist-patch and ask-mode warnings are now suppressed when the native plugin is active (both are irrelevant with plugin integration).
  • Enforcement verified — Confirmed before_tool_call is properly awaited and blocking in OpenClaw 2026.3.28+. Deny decisions are enforced end-to-end, not just logged.

v0.9.12

  • Plugin bundled in binary — The OpenClaw plugin is now embedded directly in the rampart binary. rampart setup openclaw works on any machine — no external checkout or npm install required. Learn more →
  • Bridge hardened — Errors during approval escalations now fail closed (deny) instead of silently allowing.
  • Learn endpoint securedPOST /v1/rules/learn now rate-limited and restricted to allow decisions only.

v0.9.11

  • openclaw.yaml security hardening — Closed bash */sh */curl */wget * exec bypass holes. Dedicated block-force-push policy. Tightened docker/kubectl/git subcommand allowlists.
  • default_action: ask in openclaw.yaml — Novel or unlisted tool calls surface for human approval instead of silently failing.
  • sessions_spawn depth guard — Subagents cannot spawn further agents.

v0.9.10

  • Native OpenClaw pluginrampart setup openclaw auto-detects your OpenClaw version and installs a native before_tool_call hook. Intercepts supported OpenClaw tool calls (exec, read, write, web_fetch, browser, message) without fragile dist patching; degraded behavior still depends on tool class and configuration. Requires OpenClaw >= 2026.3.28. Learn more →
  • Always Allow writeback — Click "Always Allow" in the OpenClaw approval UI and Rampart writes a permanent smart-glob rule to ~/.rampart/policies/user-overrides.yaml.
  • Approval store persistence — Pending approvals survive rampart serve restarts via JSONL journal.
  • rampart doctor plugin check — Shows ✓ OpenClaw plugin: installed when the native hook is active.