Install Rampart via an AI Agent
This guide is written for AI agents executing on behalf of a user who said something like:
"Install Rampart and protect this machine"
"Set up Rampart to secure my Claude Code / OpenClaw agent"
"Add safety guardrails to my AI coding environment"
Follow these steps in order. Each step is independently verifiable.
Step 1: Install the Rampart binary
Verify the install with rampart --version:
Expected output: rampart vX.Y.Z
Step 2: Run quickstart (non-interactive)
A single command, rampart quickstart --yes, auto-detects the running AI environment, installs the background policy service, wires up hooks, and runs a health check.
The --yes flag skips any prompts so setup can run unattended in CI, remote shells, or agent-driven installs.
OpenClaw note: protection applies to future tool calls, not the current session. Restart the OpenClaw gateway after this step for hooks to take effect.
Serve note: direct Claude Code and Cline native hooks can evaluate policy locally without rampart serve, but dashboard views, approval APIs, and OpenClaw plugin evaluation rely on the local service.
Step 3: Verify everything is working
Run rampart doctor. Expected output: all checks pass (✓). If any check fails, follow the hint printed next to it.
Check the service is running and review recent activity with rampart status:
Expected output (example):
🛡️ Rampart Status
Protected: OpenClaw (plugin)
Mode: enforce (default_action: allow)
Today: 0 allow · 0 deny · 0 log
If you see Protected: with your agent listed, Rampart is active.
Step 4: Report back to the user
Tell the user:
- Rampart is installed and running (version from rampart --version)
- Which environment was auto-detected and configured
- Dashboard URL: http://localhost:9090/dashboard/ (opens in browser to show live policy activity)
- Token location: ~/.rampart/token (keep this private)
What Rampart does
Every shell command, file access, and network request your AI agent makes is now evaluated against a policy before it executes.
Blocked by default (standard policy):
- rm -rf /, rm -rf ~, rm -rf * → filesystem destruction
- curl <url> | bash, wget <url> | sh → remote code execution
- cat ~/.ssh/id_rsa, cat ~/.ssh/id_ed25519 → SSH key exfiltration
- cat .env, cat .env.* → API key / secret access
- dd if=/dev/urandom of=/dev/sda → disk destruction
- Prompt injection patterns in tool responses → exfiltration directives, instruction overrides
Allowed by default: everything else. The policy engine is deny-on-match, not deny-by-default: it only blocks what the rules explicitly cover.
Customizing protection
To see what policies are active:
To add your own rules, edit ~/.rampart/policies/standard.yaml. See Policy Schema for the full syntax.
To require human approval before a specific operation runs:

```yaml
policies:
  - name: approve-production-deploys
    match:
      tool: ["exec"]
      command_contains: ["kubectl", "helm", "--namespace prod"]
    rules:
      - action: ask
        message: "Production deploy requires human approval"
```
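To make the deny-on-match behaviour described above concrete, here is an added Python example that is not Rampart's engine and not part of these docs. It evaluates tool calls against policies shaped like the YAML above (policies → match → rules). The policies are written as Python dicts so it runs without a YAML parser: the first is the page's own approval rule, the others are constructed for the example. How `tool` and `command_contains` match, and that the first matching policy decides, are my assumptions about the semantics, not the documented Policy Schema.

```python
"""Toy evaluator for Rampart-style tool-call policies (added example, not
Rampart's engine). Mirrors the policies -> match -> rules shape of the YAML
on this page; the matching semantics are assumptions, not the Policy Schema."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_ACTION = "allow"  # mirrors `default_action: allow` shown by `rampart status`

# Policies as Python dicts so this runs without a YAML library.
# First entry: the page's own approval rule. The second is constructed here.
POLICIES = [
    {
        "name": "approve-production-deploys",
        "match": {
            "tool": ["exec"],
            "command_contains": ["kubectl", "helm", "--namespace prod"],
        },
        "rules": [{"action": "ask", "message": "Production deploy requires human approval"}],
    },
    {   # constructed: modelled on the page's "Blocked by default" list
        "name": "deny-filesystem-destruction",
        "match": {"tool": ["exec"], "command_contains": ["rm -rf /", "rm -rf ~", "rm -rf *"]},
        "rules": [{"action": "deny", "message": "filesystem destruction"}],
    },
]

# constructed: the kind of narrow allow rule the Troubleshooting section tells you to add
ALLOW_TMP_CLEANUP = {
    "name": "allow-tmp-build-cleanup",
    "match": {"tool": ["exec"], "command_contains": ["rm -rf /tmp/build"]},
    "rules": [{"action": "allow", "message": "build directory cleanup is expected"}],
}


@dataclass
class Decision:
    action: str             # allow | deny | log | ask (the actions this page mentions)
    policy: Optional[str]   # name of the matching policy, None on fall-through
    message: Optional[str]


def _matches(match: dict, tool: str, command: str) -> bool:
    """Assumed semantics: every key present in `match` must hold. `tool` is an
    exact membership test; `command_contains` is satisfied by ANY listed substring."""
    tools = match.get("tool")
    if tools is not None and tool not in tools:
        return False
    needles = match.get("command_contains")
    if needles is not None and not any(n in command for n in needles):
        return False
    return True


def evaluate(tool: str, command: str, policies=POLICIES,
             default_action: str = DEFAULT_ACTION) -> Decision:
    """Deny-on-match: the first policy whose match block holds decides (its first
    rule's action); a call that matches nothing falls through to default_action."""
    for policy in policies:
        if _matches(policy["match"], tool, command):
            rule = policy["rules"][0]
            return Decision(rule["action"], policy["name"], rule.get("message"))
    return Decision(default_action, None, None)


if __name__ == "__main__":
    calls = [
        ("exec", "ls -la", POLICIES),                               # nothing matches -> allow
        ("exec", "kubectl apply -f app.yaml --namespace prod", POLICIES),  # -> ask
        ("exec", "rm -rf /", POLICIES),                             # -> deny
        ("read", "cat notes.txt", POLICIES),                        # tool not covered -> allow
        ("exec", "rm -rf /tmp/build", POLICIES),                    # caught by substring "rm -rf /"
        ("exec", "rm -rf /tmp/build", [ALLOW_TMP_CLEANUP] + POLICIES),  # allow rule first wins
    ]
    for tool, command, pols in calls:
        d = evaluate(tool, command, pols)
        print(f"{tool:<5} {command:<45} -> {d.action:<5} {d.policy or '(default)'}")
```

Running it shows `ls -la` falling through to default_action while the production kubectl call returns ask. The last two cases show why rule order matters when you add an allow rule for a legitimate command: under substring matching, `rm -rf /tmp/build` is caught by a rule containing `rm -rf /`, so the narrower allow rule only takes effect if it is evaluated before the deny rule.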
Troubleshooting
rampart doctor shows hook not installed
Re-run setup for your specific agent:
rampart setup openclaw # OpenClaw native plugin on current builds
rampart setup claude-code # Claude Code native hooks
rampart setup cline # Cline native hooks
Service not running
A legitimate command is being blocked
Then add an allow rule for your specific use case. See Securing Claude Code.
rampart serve also writes ~/.rampart/ACTIVE_POLICY.md, a markdown table of active rules that agents can use for self-description.
Reference
| Command | What it does |
|---|---|
| rampart quickstart --yes | Full non-interactive setup |
| rampart doctor | Health check: hooks, service, permissions |
| rampart status | Show protected agents, mode, today's allow/deny counts |
| rampart watch | Live audit feed of all tool calls |
| rampart token | Print bearer token for the dashboard |
| rampart policy explain '<tool>' | Show which policy applies to a tool call |
Docs: https://docs.rampart.sh
Issues: https://github.com/peg/rampart/issues