{"id":44338937,"url":"https://github.com/peg/rampart","last_synced_at":"2026-05-06T02:04:31.325Z","repository":{"id":337773410,"uuid":"1154906566","full_name":"peg/rampart","owner":"peg","description":"Open-source firewall for AI agents. Policy engine that audits and controls what OpenClaw, Claude Code, Cursor, Codex, and any AI tool can do on your machine.","archived":false,"fork":false,"pushed_at":"2026-03-25T01:19:06.000Z","size":4699,"stargazers_count":55,"open_issues_count":2,"forks_count":8,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-25T18:59:06.970Z","etag":null,"topics":["agent-security","ai-agents","ai-security","audit-trail","claude-code","cli","codex","devtools","golang","ld-preload","llm","mcp","openclaw","policy-engine","prompt-injection","secure-ai-agents","secure-openclaw","security","security-openclaw"],"latest_commit_sha":null,"homepage":"https://rampart.sh","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/peg.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-10T22:51:51.000Z","updated_at":"2026-03-24T15:51:36.000Z","dependencies_parsed_at":"2026-03-24T17:05:20.276Z","dependency_job_id":null,"html_url":"https://github.com/peg/rampart","commit_stats":null,"previous_names":["peg/rampart"],"tags_count":86,"template":false,"template_full_name":null,"purl":"pkg:github/peg/rampart","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peg%2Frampart","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peg%2Frampart/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peg%2Frampart/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peg%2Frampart/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/peg","download_url":"https://codeload.github.com/peg/rampart/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peg%2Frampart/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31290967,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-security","ai-agents","ai-security","audit-trail","claude-code","cli","codex","devtools","golang","ld-preload","llm","mcp","openclaw","policy-engine","prompt-injection","secure-ai-agents","secure-openclaw","security","security-openclaw"],"created_at":"2026-02-11T12:24:00.911Z","updated_at":"2026-05-06T02:04:31.297Z","avatar_url":"https://github.com/peg.png","language":"Go","funding_links":[],"categories":["๐Ÿ›ก๏ธ Security \u0026 Safety"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# Rampart\n\n**A firewall for AI coding agents.**\n\n[![Go](https://img.shields.io/badge/Go-1.24+-00ADD8?style=flat\u0026logo=go)](https://go.dev)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)\n[![CI](https://github.com/peg/rampart/actions/workflows/ci.yml/badge.svg)](https://github.com/peg/rampart/actions/workflows/ci.yml)\n[![Release](https://img.shields.io/github/v/release/peg/rampart?style=flat)](https://github.com/peg/rampart/releases)\n[![Docs](https://img.shields.io/badge/Docs-docs.rampart.sh-FF6392?style=flat)](https://docs.rampart.sh)\n\n\u003c/div\u003e\n\n---\n\nClaude Code's `--dangerously-skip-permissions` mode, and similar autonomous modes in Cline and Codex, give agents unrestricted shell access. Your agent can read your SSH keys, exfiltrate your `.env`, or `rm -rf /` with no guardrails.\n\nRampart sits between the agent and your system. Every command, file access, and network request is evaluated against your policy before it executes. Dangerous commands never run.\n\n---\n\n## Install\n\n```bash\n# Homebrew (macOS and Linux, recommended)\nbrew install peg/tap/rampart\n\n# One-line install (no sudo required)\ncurl -fsSL https://rampart.sh/install | bash\n\n# Go install (requires Go 1.24+)\ngo install github.com/peg/rampart/cmd/rampart@latest\n```\n\n**Windows (PowerShell):**\n```powershell\nirm https://rampart.sh/install.ps1 | iex\n```\n\nAfter installing, run `rampart quickstart` or follow the setup steps below.\n\n---\n\n## Quick start\n\nPick your agent and run one command:\n\n```bash\n# Claude Code\nrampart setup claude-code\n\n# OpenClaw\nrampart setup openclaw\n\n# Cline\nrampart setup cline\n\n# Codex CLI\nrampart setup codex\n\n# Any other agent (wraps $SHELL)\nrampart wrap -- your-agent\n```\n\nThat's it. Verify everything is working:\n\n```bash\nrampart doctor\n```\n\nThen watch your agent in real time:\n\n```bash\nrampart watch\n```\n\n### Optional persistent local config\n\nIf you do not want to keep exporting environment variables, Rampart also supports\n`~/.rampart/config.yaml` for local defaults:\n\n```yaml\nurl: http://127.0.0.1:9090\n# serve_url: http://127.0.0.1:9090 # compatibility alias for url\n# api: http://127.0.0.1:9091 # optional advanced override for daemon/split-topology API setups\n```\n\n| Setting | Use it for | Notes |\n| --- | --- | --- |\n| `url` | Primary Rampart base URL | Canonical setting for hook/watch/plugin/service-backed flows |\n| `serve_url` | Backwards-compatible alias for `url` | Kept for compatibility; prefer `url` in new configs |\n| `api` | Optional API base URL override for approval/control commands | Advanced only; usually unnecessary unless you split the API away from the main serve endpoint |\n\nNotes:\n- `url` is the main knob; use this unless you have a specific reason not to.\n- `api` is **not** the normal setting for `rampart serve`; it is for advanced daemon/split-topology setups.\n- Client-side `--api` flags expect an **API base URL** (`http://127.0.0.1:9091`), while daemon/server `--api` flags refer to an **API listen address** (`127.0.0.1:9091`).\n\nResolution order is: flag โ†’ environment โ†’ config file โ†’ auto-discovered state โ†’ default.\n\nOnce running, every tool call goes through Rampart's policy engine first:\n\n```\nALLOW 14:23:01 exec \"npm test\" [allow-dev]\nALLOW 14:23:03 read ~/project/src/main.go [default]\nDENY 14:23:05 exec \"rm -rf /tmp/*\" [block-destructive]\nLOG 14:23:08 exec \"curl https://api.example.com\" [log-network]\nASK 14:23:10 exec \"kubectl apply -f prod.yaml\" [ask]\nDENY 14:23:12 resp read .env [block-credential-leak]\n -\u003e blocked: response contained AWS_SECRET_ACCESS_KEY\n```\n\n---\n\n## How it works\n\n\u003cimg src=\"docs/architecture.svg\" alt=\"Rampart architecture\" width=\"100%\"\u003e\n\nPattern matching handles 95%+ of decisions in microseconds. The optional [rampart-verify](https://github.com/peg/rampart-verify) sidecar adds LLM-based classification for ambiguous commands. All decisions go to a hash-chained audit trail.\n\n| Agent | Setup command | Integration |\n|-------|--------------|-------------|\n| **Claude Code** | `rampart setup claude-code` | Native `PreToolUse` hooks via `~/.claude/settings.json` |\n| **OpenClaw** | `rampart setup openclaw` | Native plugin + selective native approvals |\n| **Cline** | `rampart setup cline` | Native hooks via settings |\n| **Codex CLI** | `rampart setup codex` | Wrapper that runs Codex through `rampart preload` |\n| **Any agent** | `rampart wrap -- \u003cagent\u003e` | Shell wrapping via `$SHELL` |\n| **MCP servers** | `rampart mcp -- \u003cserver\u003e` | MCP protocol proxy |\n| **System-wide** | `rampart preload -- \u003ccmd\u003e` | LD_PRELOAD syscall interception |\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"docs/watch.png\" alt=\"rampart watch live audit dashboard\" width=\"700\"\u003e\n\u003c/div\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eTable of Contents\u003c/strong\u003e\u003c/summary\u003e\n\n**Getting Started:** [Install](#install) ยท [Quick start](#quick-start) ยท [Claude Code](#claude-code) ยท [OpenClaw](#openclaw) ยท [Wrap any agent](#wrap-any-agent)\n\n**Core Features:** [Policies](#writing-policies) ยท [Approval flow](#approval-flow) ยท [Audit trail](#audit-trail) ยท [Live dashboard](#live-dashboard) ยท [Webhook notifications](#webhook-notifications)\n\n**Advanced:** [LD_PRELOAD](#protect-any-process-ld_preload) ยท [MCP proxy](#protect-mcp-servers) ยท [SIEM integration](#siem-integration) ยท [Webhook actions](#webhook-actions) ยท [Preflight API](#preflight-api)\n\n**Reference:** [Performance](#performance) ยท [Security](#security-recommendations) ยท [OWASP coverage](#owasp-coverage) ยท [CLI reference](#cli-reference) ยท [Compatibility](#compatibility) ยท [Building from source](#building-from-source)\n\n\u003c/details\u003e\n\n---\n\n## Claude Code\n\nNative integration through Claude Code's hook system. Every Bash command, file read, and write goes through Rampart before execution:\n\n```bash\n# Install background service\nrampart serve install\n\n# Wire up hooks\nrampart setup claude-code\n```\n\nThen use Claude Code normally. Rampart runs invisibly in the background.\n\nTo remove:\n```bash\nrampart setup claude-code --remove\n```\n\n---\n\n## OpenClaw\n\nNative plugin integration is now the preferred setup on current OpenClaw builds:\n\n```bash\nrampart setup openclaw\n```\n\nThis keeps OpenClaw's native approval UI while letting Rampart decide which commands actually need approval.\n\n`rampart serve` is part of this path. The plugin calls the local Rampart service for policy evaluation, approvals, and audit flow.\n\n### How exec approvals work\n\nRampart leaves global `tools.exec.ask` set to `\"off\"`, so routine shell commands do not spam you with approval prompts. When a Rampart policy returns `ask` for a specific exec call, the plugin reissues only that command with `ask: \"always\"`, which sends it through OpenClaw's native approval card.\n\nIn practice, that means:\n\n- safe commands run normally, with no prompt\n- denied commands are blocked immediately\n- only commands that match a Rampart `ask` rule show an OpenClaw approval card\n\n### What the plugin protects\n\n**1. Native plugin**: evaluates tool calls in `before_tool_call`, blocks deny decisions immediately, and routes selective exec approvals through OpenClaw's native approval UI.\n\n**2. Selective native approvals**: Rampart decides when an exec should require approval, and OpenClaw shows the approval card only for those matched commands.\n\n**3. Bundled policy profile**: installs the OpenClaw-focused policy profile used by the plugin setup.\n\n### Legacy compatibility path\n\n`rampart setup openclaw --patch-tools` still exists as a compatibility option for older setups, but it is no longer the recommended path. It modifies OpenClaw dist files and must be re-applied after upgrades.\n\nRun `rampart doctor` at any time to verify the current OpenClaw integration state.\n\n---\n\n## Wrap any agent\n\nFor agents without a hook system, `wrap` sets `$SHELL` to a policy-checking shim. Works with any agent that reads `$SHELL` (Aider, OpenCode, Continue, and more):\n\n```bash\nrampart wrap -- aider\nrampart wrap -- opencode\nrampart wrap -- python my_agent.py\n```\n\n---\n\n## Protect any process (LD_PRELOAD)\n\nFor agents with no hook system and no `$SHELL` support, `preload` intercepts exec-family syscalls at the OS level:\n\n```bash\nrampart preload -- codex\nrampart preload -- python my_agent.py\nrampart preload -- node agent.js\n\n# Monitor mode: log only, no blocking\nrampart preload --mode monitor -- risky-tool\n```\n\nIntercepts `execve`, `execvp`, `system()`, `popen()`, and `posix_spawn()`. Denied calls return `EPERM`.\n\n**Platform notes:** Works with all dynamically-linked binaries on Linux. Works on macOS with Homebrew/nvm/pyenv binaries; blocked by SIP for `/usr/bin/*` (AI agents don't live there).\n\n---\n\n## Protect MCP servers\n\nDrop-in proxy between your agent and any MCP server:\n\n```bash\nrampart mcp -- npx @modelcontextprotocol/server-filesystem /path\n```\n\nIn your MCP config (Claude Desktop, etc.):\n\n```json\n{\n \"mcpServers\": {\n \"filesystem\": {\n \"command\": \"rampart\",\n \"args\": [\"mcp\", \"--\", \"npx\", \"@modelcontextprotocol/server-filesystem\", \".\"]\n }\n }\n}\n```\n\nAuto-generate policies from an MCP server's tool list:\n\n```bash\nrampart mcp scan -- npx @modelcontextprotocol/server-filesystem .\n```\n\n---\n\n## Writing policies\n\nPolicies are YAML. Glob matching, hot-reload on file change.\n\n\u003e `rampart setup` creates `~/.rampart/policies/custom.yaml` as a starter template. It's never overwritten by upgrades.\n\n```yaml\nversion: \"1\"\ndefault_action: allow\n\npolicies:\n - name: block-destructive\n match:\n tool: [\"exec\"]\n rules:\n - action: deny\n when:\n command_matches: [\"rm -rf *\", \"mkfs.*\", \"dd if=*\", \":(){ :|:\u0026 };:\"]\n message: \"Destructive command blocked\"\n\n - name: block-credential-reads\n priority: 1\n match:\n tool: [\"read\"]\n rules:\n - action: deny\n when:\n path_matches: [\"**/.ssh/id_*\", \"**/.aws/credentials\", \"**/.env\"]\n message: \"Credential access blocked\"\n\n - name: block-exfil\n match:\n tool: [\"fetch\"]\n rules:\n - action: deny\n when:\n domain_matches: [\"*.ngrok-free.app\", \"*.requestbin.com\", \"webhook.site\"]\n message: \"Exfiltration domain blocked\"\n```\n\nUse `command_contains` for substring matching (case-insensitive):\n\n```yaml\n - name: block-dangerous-substrings\n match:\n tool: [\"exec\"]\n rules:\n - action: deny\n when:\n command_contains: [\"DROP TABLE\", \"rm -rf\"]\n message: \"Dangerous substring detected\"\n```\n\nUse `action: ask` to trigger an approval prompt:\n\n```yaml\n - name: ask-before-sudo\n match:\n agent: [\"claude-code\"]\n tool: [\"exec\"]\n rules:\n - action: ask\n when:\n command_contains: [\"sudo \"]\n message: \"This command needs your approval\"\n```\n\n**No YAML editing required for common cases.** When a command is blocked, Rampart suggests what to run:\n\n```bash\n# When \"npm install lodash\" gets denied:\n# ๐Ÿ’ก To allow this: rampart allow \"npm install *\"\nrampart allow \"npm install *\"\n# Rule added; policy reloaded (12 rules active)\n```\n\n**Evaluation:** Deny always wins. Lower priority number = evaluated first. Four actions: `deny`, `ask`, `watch`, `allow`.\n\n### Project-local policies\n\nDrop `.rampart/policy.yaml` in any git repo for project-specific rules. Commit it so every team member gets the same rules automatically:\n\n```bash\nrampart init --project\n```\n\n**Security note:** Set `RAMPART_NO_PROJECT_POLICY=1` to skip project policy loading when working in untrusted repos.\n\n### Built-in profiles\n\n```bash\nrampart init --profile standard # allow-by-default, blocks dangerous commands\nrampart init --profile paranoid # deny-by-default, explicit allowlist\nrampart init --profile ci # strict; all approvals become hard denies\nrampart init --profile yolo # log-only, no blocking\n```\n\n---\n\n## Approval flow\n\nFor commands that need a human to decide:\n\n```yaml\npolicies:\n - name: production-deploys\n match:\n tool: [\"exec\"]\n rules:\n - action: ask\n when:\n command_matches: [\"kubectl apply *\", \"terraform apply *\"]\n message: \"Production deployment requires approval\"\n```\n\nHow approval reaches you depends on your environment:\n\n| Environment | How you approve |\n|-------------|----------------|\n| Claude Code | Native approval prompt in the terminal |\n| OpenClaw | Native approval card in your connected chat surface |\n| Any | `rampart approve \u003cid\u003e` via CLI, dashboard, or signed URL |\n\n```bash\nrampart pending # What's waiting\nrampart approve abc123 # Let it through\nrampart deny abc123 # Block it\n```\n\nPending approvals expire after 2 minutes by default (`--approval-timeout` to change).\n\n---\n\n## Audit trail\n\nEvery tool call is logged to hash-chained JSONL. Tamper with any record and the chain breaks:\n\n```bash\nrampart audit tail --follow # Stream events\nrampart audit verify # Check chain integrity\nrampart audit stats # Decision breakdown\nrampart audit search # Query by tool, agent, decision, time range\n```\n\n---\n\n## Live dashboard\n\n```bash\nrampart watch # TUI: live colored event stream\n```\n\nWeb dashboard at **http://localhost:9090/dashboard/** when `rampart serve` is running. Three tabs: live stream, history, and a policy REPL to test commands before they run.\n\n---\n\n## Webhook notifications\n\n```yaml\nnotify:\n url: \"https://discord.com/api/webhooks/your/webhook\"\n on: [\"deny\"]\n\npolicies:\n # ...\n```\n\nWorks with Discord webhooks, Slack incoming webhooks, or any HTTP endpoint.\n\n---\n\n## SIEM integration\n\n```bash\n# RFC 5424 syslog (Wazuh, QRadar, ArcSight, Sentinel)\nrampart serve --syslog localhost:514\n\n# Common Event Format (Splunk, QRadar)\nrampart serve --syslog localhost:514 --cef\n```\n\n---\n\n## Webhook actions\n\nDelegate allow/deny decisions to an external service:\n\n```yaml\nrules:\n - action: webhook\n when:\n command_matches: ['*production*']\n webhook:\n url: 'http://localhost:8090/verify'\n timeout: 5s\n fail_open: true\n```\n\nSee [rampart-verify](https://github.com/peg/rampart-verify), an optional LLM sidecar for ambiguous commands (~$0.0001/call).\n\n---\n\n## Preflight API\n\nCheck if a call would be allowed without executing it:\n\n```bash\ncurl -s localhost:9090/v1/preflight/exec \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\"agent\":\"a\",\"session\":\"s\",\"params\":{\"command\":\"rm -rf /\"}}'\n# โ†’ {\"allowed\":false,\"decision\":\"deny\",\"matched_policies\":[\"block-destructive\"]}\n```\n\n---\n\n## Performance\n\nPolicy evaluation in single-digit microseconds:\n\n| Command | Decision | Time |\n|---------|----------|------|\n| `rm -rf /` | deny | 8ยตs |\n| `sudo reboot` | watch | 6ยตs |\n| `.ssh/id_rsa` read | deny | 3ยตs |\n| `git status` | allow | 4ยตs |\n| `curl ngrok.io` | deny | 3ยตs |\n\n---\n\n## Security recommendations\n\n**Self-modification protection.** Agents cannot bypass their own policy by running `rampart allow` or `rampart block`. Those commands are blocked when executed by an agent. Policy modifications must be made by a human.\n\n**Don't run your AI agent as root.** Root access defeats user separation. Run agent frameworks as an unprivileged user.\n\n**Run `rampart serve` as a separate user** in production to prevent agents from reading audit logs or modifying policies.\n\nFor a full discussion of the threat model, see [`docs/THREAT-MODEL.md`](docs/THREAT-MODEL.md).\n\n---\n\n## OWASP coverage\n\nRampart maps to the [OWASP Top 10 for Agentic Applications](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/):\n\n| Risk | Coverage |\n|------|----------|\n| **ASI02: Tool Misuse** | Yes: every tool call is evaluated before execution |\n| **ASI05: Unexpected Code Execution** | Yes: pattern matching plus optional LLM verification |\n| **ASI08: Data Exfiltration** | Yes: domain blocking and credential response scanning |\n| **ASI09: Human-Agent Trust** | Yes: `ask` actions enforce human-in-the-loop |\n| **ASI10: Rogue Agents** | Yes: hash-chained audit trail and response scanning |\n| **ASI01: Goal Hijack** | Partial: policy limits blast radius even if goals are altered |\n| **ASI06: Context Poisoning** | Partial: response scanning blocks credentials from context window |\n| **ASI07: Inter-Agent Communication** | โŒ Not addressed |\n\n[Full OWASP mapping โ†’](https://docs.rampart.sh/reference/owasp-mapping/)\n\n---\n\n## CLI reference\n\n```bash\n# Setup\nrampart quickstart # Auto-detect, install, configure, health check\nrampart setup claude-code # Claude Code native hooks\nrampart setup cline # Cline native hooks\nrampart setup openclaw # OpenClaw native plugin integration\nrampart setup codex # Codex CLI shell wrapper (Linux, macOS)\nrampart setup \u003cagent\u003e --remove # Clean uninstall\n\n# Run\nrampart wrap -- \u003ccommand\u003e # Wrap any agent via $SHELL\nrampart preload -- \u003ccommand\u003e # LD_PRELOAD syscall interception\nrampart mcp -- \u003cmcp-server-command\u003e # Proxy MCP with policy enforcement\nrampart mcp scan -- \u003cserver\u003e # Auto-generate policies from MCP tools\n\n# Serve\nrampart serve [--port 9090] # Start approval + dashboard server\nrampart serve install # Install as a boot service (systemd/launchd)\nrampart serve --background # Start in background\nrampart serve stop # Stop background server\n\n# Diagnose\nrampart doctor # Health check (colored output)\nrampart doctor --fix # Auto-apply missing patches\nrampart doctor --json # Machine-readable (exit 1 on issues)\nrampart status # Quick dashboard: what's protected\nrampart watch # Live TUI event stream\n\n# Policy\nrampart init [--profile standard|paranoid|ci|yolo] # Initialize global policy\nrampart init --project # Create .rampart/policy.yaml\nrampart policy lint [file] # Lint policy file\nrampart policy explain \"git status\" # Trace evaluation\nrampart policy list # Browse community registry\nrampart policy fetch \u003cname\u003e # Install community policy\n\n# Rules (no YAML editing required)\nrampart allow \"npm install *\" # Allow a command pattern\nrampart block \"curl * | bash\" # Block a pattern\nrampart rules # List custom rules\nrampart rules remove 3 # Remove by number\nrampart allow \"docker *\" --for 1h # Temporary allow\n\n# Test\nrampart test \"rm -rf /\" # Dry-run against policies\nrampart test --json # Structured output for CI\n\n# Approvals\nrampart pending # What's waiting\nrampart approve \u003cid\u003e # Allow\nrampart deny \u003cid\u003e # Deny\n\n# Audit\nrampart audit tail [--follow]\nrampart audit verify\nrampart audit stats\nrampart log --deny # Recent denies\n\n# Upgrade\nrampart upgrade # New binary + refresh policies\nrampart upgrade --no-binary # Refresh policies only\n```\n\n---\n\n## Compatibility\n\n| Agent | Method | Platforms |\n|-------|--------|-----------|\n| Claude Code | `rampart setup claude-code` | Linux, macOS, Windows |\n| OpenClaw | `rampart setup openclaw` | Linux, macOS |\n| Cline | `rampart setup cline` | Linux, macOS, Windows |\n| Codex CLI | `rampart setup codex` | Linux, macOS (requires `librampart.so`/`.dylib`) |\n| Claude Desktop | `rampart mcp` | All |\n| Aider, OpenCode, Continue | `rampart wrap` | Linux, macOS |\n| Python agents | `rampart preload` or HTTP API | Linux, macOS |\n| Node.js agents | `rampart preload` or HTTP API | Linux, macOS |\n| Any MCP server | `rampart mcp` | All |\n| Any process | `rampart preload` | Linux, macOS |\n| Custom agents | HTTP API at `localhost:9090` | All |\n\n---\n\n## Building from source\n\n```bash\ngit clone https://github.com/peg/rampart.git\ncd rampart\ngo build -o rampart ./cmd/rampart\ngo test ./...\n```\n\nRequires Go 1.24+.\n\n---\n\n## Upgrading from v0.9.8?\n\nv0.9.9 contains three breaking changes:\n\n**`action: require_approval` is now a hard error.**\nUpdate your policies from:\n```yaml\n- action: require_approval\n```\nto:\n```yaml\n- action: ask\n ask:\n audit: true\n```\nRun `rampart policy lint` to find all occurrences.\n\n**`--serve-token` flag removed.**\nUse the `RAMPART_TOKEN` environment variable instead:\n```bash\n# Before (v0.9.8 and earlier)\nrampart serve --serve-token mysecrettoken\n\n# After (v0.9.9+)\nRAMPART_TOKEN=mysecrettoken rampart serve\n```\n\n**`GET /v1/policy` endpoint removed.**\nUse `GET /v1/status` for server health or `GET /v1/policies` to list active policies.\n\n---\n\n## Companion Tool: Snare\n\nRampart blocks. [Snare](https://snare.sh) catches.\n\nSnare plants canary tokens in your AI agent's environment - API keys, cloud credentials, file paths. If your agent, or something that compromised it, uses those tokens, you get an instant alert.\n\n**Rampart + Snare = preventive + detective controls.** Use both.\n\n---\n\n## Contributing\n\nContributions welcome. Open an issue first for anything beyond small fixes. All work goes through the `staging` branch. PRs to `main` require one approving review.\n\n---\n\n## License\n\n[Apache 2.0](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpeg%2Frampart","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpeg%2Frampart","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpeg%2Frampart/lists"}