Skip to main content
Rampart protects Codex CLI through a wrapper that uses LD_PRELOAD syscall interception. Every command Codex executes — regardless of tool or subprocess — flows through your policy engine.

Quick Setup

1

Install Rampart service

Start the background policy server:
rampart serve install
Runs on port 9090 with token at ~/.rampart/token.
2

Install Codex wrapper (Linux)

Create a wrapper script at ~/.local/bin/codex:
rampart setup codex
This installs a shell script that wraps the real codex binary with rampart preload.
Linux only. On macOS, use rampart preload -- codex directly (no wrapper).
3

Ensure wrapper is on PATH

Verify ~/.local/bin is before the real codex in your PATH:
export PATH="$HOME/.local/bin:$PATH"
Add to ~/.bashrc or ~/.zshrc to make permanent.
4

Use Codex normally

Run codex as usual — all tool calls are now protected:
codex "list all environment variables"

How It Works

Wrapper Flow (Linux)

The wrapper ensures librampart.so is preloaded for Codex and all its children. Every exec-family syscall goes through the library.

Direct Preload (macOS)

On macOS, use rampart preload directly: 
rampart preload -- codex "list files"
This sets DYLD_INSERT_LIBRARIES and execs codex with the Rampart library loaded.

Wrapper Script

The installed wrapper (~/.local/bin/codex) looks like: 
#!/bin/sh
# Rampart wrapper for Codex — managed by 'rampart setup codex'
# Intercepts all tool calls via LD_PRELOAD syscall enforcement.
# Real codex: /usr/bin/codex
# Remove: rampart setup codex --remove
exec rampart preload -- /usr/bin/codex "$@"
Safe to inspect and modify. Points to the real codex binary (auto-detected during setup).

Intercepted System Calls

The preload library intercepts all exec-family functions: 
execve("/bin/rm", ["/bin/rm", "-rf", "/tmp"], envp)
→ Rampart checks → allowed/denied
No matter how Codex spawns commands, Rampart sees them.

Policy Configuration

~/.rampart/policies/custom.yaml
version: "1"
default_action: allow

policies:
  - name: codex-safe-dev
    match:
      agent: ["preload"]  # wrapper uses "preload" agent
      tool: ["exec"]
    rules:
      - action: allow
        when:
          command_matches:
            - "git *"
            - "npm *"
            - "python *"
            - "ls *"
        message: "Safe development commands"

  - name: codex-block-destructive
    match:
      agent: ["preload"]
      tool: ["exec"]
    rules:
      - action: deny
        when:
          command_matches:
            - "rm -rf /*"
            - "dd if=*"
            - "mkfs.*"
            - ":(){ :|:& };:"
        message: "Destructive command blocked"

  - name: codex-ask-network
    match:
      agent: ["preload"]
      tool: ["exec"]
    rules:
      - action: ask
        when:
          command_contains:
            - "curl "
            - "wget "
            - "nc "
        message: "Network command requires approval"
Reload: 
rampart serve --reload

Monitoring

Live Dashboard

# Browser
open http://localhost:9090/dashboard/

# Terminal
rampart watch

Audit Trail

# Tail logs
rampart audit tail --follow

# Search for Codex activity
rampart audit search --agent preload --tool exec

# Stats
rampart audit stats
Output: 
Agent: preload
  Total: 342
  Allowed: 310
  Denied: 8
  Logged: 24

Example Session

Terminal output with wrapper active: 
$ codex "list all running processes"

 Checking policy for: ps aux
   Decision: allow
   Policy: allow-dev

USER       PID  %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169396 13940 ?        Ss   10:23   0:02 /sbin/init
...

$ codex "delete all temporary files"

🛡️ Rampart blocked: rm -rf /tmp/*
   Reason: Matches pattern 'rm -rf *' in policy block-destructive

Error: Command blocked by security policy.

Platform Support

Coverage: ~95% of dynamically-linked binariesMechanism: LD_PRELOADSetup:
rampart setup codex
How it works:
  • Wrapper at ~/.local/bin/codex shadows real codex
  • Calls rampart preload -- /usr/bin/codex
  • LD_PRELOAD=~/.rampart/lib/librampart.so intercepts all exec calls
Limitations:
  • Static binaries cannot be intercepted
  • Codex must be dynamically linked (check with file $(which codex))

Troubleshooting

Wrapper not intercepting

  1. Check wrapper is being used: 
    which codex
# Should output: /home/user/.local/bin/codex
  2. Verify PATH order: 
    echo $PATH
# ~/.local/bin should appear BEFORE /usr/bin
  3. Test wrapper directly: 
    ~/.local/bin/codex --version
# Should show Codex version (proving wrapper works)

Library not found

  1. Check librampart.so exists: 
    ls -la ~/.rampart/lib/librampart.so
# Should exist and be executable
  2. Build library if missing: 
    cd /path/to/rampart/preload
make
make install  # Installs to ~/.rampart/lib/
  3. Test library loads: 
    LD_PRELOAD=~/.rampart/lib/librampart.so echo test
# Should print "test" without errors

Service connection errors

  1. Check service is running: 
    curl http://localhost:9090/healthz
# Should return "ok"
  2. Check token: 
    cat ~/.rampart/token
# Should output token starting with "rampart_"
  3. Test with debug: 
    RAMPART_DEBUG=1 rampart preload -- echo test
# Should show debug output to stderr

Commands not being blocked

  1. Verify enforce mode: 
    # Check wrapper uses enforce mode (not monitor)
cat ~/.local/bin/codex
# Should NOT have --mode monitor
  2. Test policy directly: 
    rampart test "rm -rf /tmp"
# Should show: Decision: deny
  3. Check audit logs: 
    rampart audit tail -n 10
# Should show recent commands

Uninstalling

Remove Codex wrapper: 
rampart setup codex --remove
This removes ~/.local/bin/codex wrapper. The real codex binary remains untouched. Complete removal: 
rampart serve uninstall
rm -rf ~/.rampart

Advanced: Custom Agent Name

Tag Codex events with a custom agent identifier: 
# Edit wrapper to use custom agent name
#!/bin/sh
exec rampart preload --agent codex-cli --session project-alpha -- /usr/bin/codex "$@"
Then write agent-specific policies: 
policies:
  - name: codex-specific-rules
    match:
      agent: ["codex-cli"]
    rules:
      - action: deny
        when:
          command_contains: ["production", "deploy"]
        message: "Codex blocked from production operations"

Performance

Preload overhead:
OperationWithout RampartWith RampartOverhead
echo hello2ms3.5ms+1.5ms
git status45ms47ms+2ms
npm test3.2s3.202s+0.002s
Policy checks add 1-3ms per command. Negligible for typical Codex workflows.

Build docs developers (and LLMs) love

Get started for freeTalk to us