Installs Rampart hooks for supported AI coding agents.
Usage
rampart setup [agent]
rampart setup [agent] [flags]
Supported agents
Claude Code
rampart setup claude-code
~/.claude/settings.json. Covers ALL tools: Bash, Read, Write, Edit, Fetch, Task, and any future tools.
What it does:
- Adds wildcard hook matcher (
.*) to intercept all tool calls
- Configures
rampart hook as the hook command
- Preserves existing settings (safe to run multiple times)
- Auto-discovers token from
~/.rampart/token
After setup:
# Just run claude normally
claude
Cline
Installs PreToolUse hooks in Cline’s settings.json (VS Code extension). Supports both local and remote VS Code environments.
What it does:
- Adds hooks to
~/.config/Cline/settings.json or ~/.vscode/extensions/
- Covers exec, read, write, edit tools
- Auto-discovers serve URL and token
OpenClaw
Installs shell shim and systemd/launchd service for OpenClaw protection.
What it does:
- Creates
~/.local/bin/rampart-shim (shell wrapper)
- Installs systemd user service (Linux) or LaunchAgent (macOS)
- Generates and persists auth token
- Optionally patches file tools with
--patch-tools
After setup:
# Configure OpenClaw gateway to use the shim
export SHELL=~/.local/bin/rampart-shim
Codex
Linux: Installs wrapper at ~/.local/bin/codex that intercepts commands.
macOS: Use rampart preload -- codex instead (LD_PRELOAD approach).
Flags
Overwrite existing hook configuration
Uninstall hooks (clean removal)
OpenClaw only: Also patch file tools (read/write/edit/grep) for full coverage
OpenClaw only: Port for Rampart policy server
Examples
Initial setup
# Interactive wizard (auto-detects agent)
rampart setup
# Direct setup for Claude Code
rampart setup claude-code
# Full OpenClaw protection (shell + file tools)
rampart setup openclaw --patch-tools
Reconfiguration
# Force re-install hooks
rampart setup claude-code --force
# Update to latest hook configuration
rampart setup cline --force
Removal
# Uninstall Claude Code hooks
rampart setup claude-code --remove
# Uninstall OpenClaw integration
rampart setup openclaw --remove
Output
Success (Claude Code)
✓ Rampart hook installed in ~/.claude/settings.json
Hook command: /usr/local/bin/rampart hook
Claude Code will now route ALL tool calls through Rampart.
(Bash, Read, Write, Edit, Fetch, Task, and any new tools)
Run 'claude' normally — no wrapper needed.
Dashboard: token auto-detected from ~/.rampart/token ✓
Events will appear in the dashboard automatically.
Tip: export RAMPART_SESSION=my-project in your shell profile to tag audit events with a project name.
Success (OpenClaw)
✓ Default policy written to ~/.rampart/policies/standard.yaml
✓ Systemd service written to ~/.config/systemd/user/rampart-proxy.service
✓ Shell shim installed at ~/.local/bin/rampart-shim
✓ Rampart proxy service started
Next steps:
1. Set SHELL=~/.local/bin/rampart-shim in your OpenClaw gateway config
2. Restart the OpenClaw gateway
3. Every command will now go through Rampart's policy engine
Policy: ~/.rampart/policies/standard.yaml
Audit: ~/.rampart/audit
Watch: rampart watch --audit-dir ~/.rampart/audit
Verification
After setup, verify the integration:
# Health check
rampart doctor
# Test a command
rampart test "ls -la"
# Watch live events
rampart watch
Troubleshooting
Claude Code: hooks not firing
Check PATH:
which rampart
# Should return: /usr/local/bin/rampart or similar
# Add rampart to PATH
export PATH="$PATH:$(go env GOPATH)/bin"
# Or use absolute path in settings.json
rampart setup claude-code --force
OpenClaw: commands not blocked
Check service status:
# Linux
systemctl --user status rampart-proxy
# macOS
launchctl list | grep rampart
# Restart service
rampart setup openclaw --force
--patch-tools after OpenClaw upgrades:
rampart setup openclaw --patch-tools --force
node_modules which get replaced on update.
Exit codes
0 - Setup successful1 - Setup failed (check error message)
See also