Rampart - Security layer for AI coding agents

The security layer for AI coding agents

Claude Code's --dangerously-skip-permissions mode, and the similar autonomous modes in Cline and Codex, give an agent unrestricted shell access. Rampart sits between the agent and your system: every command, file access, and network request is evaluated against your YAML policy before it executes. Dangerous commands are blocked in microseconds, and every decision is logged. One command to get protected:
rampart setup claude-code
rampart quickstart auto-detects Claude Code or Cline, installs rampart serve as a boot service, configures the hooks, and runs a health check.

How it works

Every command Claude executes goes through Rampart's policy engine first. Pattern matching handles 95%+ of decisions in microseconds; the optional rampart-verify sidecar adds LLM-based classification for the ambiguous remainder. Every decision, allowed or not, is appended to a hash-chained audit trail:
✅ 14:23:01  exec  "npm test"                          [allow-dev]
✅ 14:23:03  read  ~/project/src/main.go                [default]
🔴 14:23:05  exec  "rm -rf /tmp/*"                      [block-destructive]
🟡 14:23:08  exec  "curl https://api.example.com"       [log-network]
👤 14:23:10  exec  "kubectl apply -f prod.yaml"         [require-approval]
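To make the decision flow concrete, the following is an added example, written for this page and not Rampart's own code or its YAML policy format: a first-match pattern engine in Python that reproduces the decisions in the log above. The rule names mirror the log; the fail-closed defaults, the sudo/env prefix stripping and the "ambiguous command" heuristic (shell substitution, eval, base64 decode, pipe-to-shell) are assumptions. In Rampart those ambiguous commands are what the optional rampart-verify sidecar classifies; here, without a verifier, they are routed to a human.

```python
"""Added example: a first-match policy engine over agent tool calls.

This is illustrative code, not Rampart's implementation and not its YAML
policy schema. Rule names mirror the decision log above; the fail-closed
defaults and the "ambiguous command" heuristic are assumptions.
"""
import re
from dataclasses import dataclass

ALLOW, LOG, BLOCK, APPROVE = "allow", "log", "block", "require-approval"


@dataclass(frozen=True)
class Rule:
    name: str      # label shown in brackets in the decision log
    kind: str      # "exec", "read" or "net"
    pattern: str   # regex applied to the normalised command, path or URL
    action: str


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str


# Constructed rule set for this example only.
RULES = [
    Rule("block-destructive", "exec", r"^rm\s+-[a-z]*r[a-z]*\s+(/|~)", BLOCK),
    Rule("block-destructive", "exec", r"^(mkfs|dd\s+if=)", BLOCK),
    Rule("block-secrets", "read", r"(^|/)(\.env|id_rsa|\.aws/credentials)$", BLOCK),
    Rule("require-approval", "exec", r"^(kubectl\s+(apply|delete)|terraform\s+apply)\b", APPROVE),
    Rule("log-network", "exec", r"^(curl|wget)\b", LOG),
    Rule("allow-dev", "exec", r"^(npm|go|cargo|pytest)\s+(test|build|run)\b", ALLOW),
]

# Shell constructs a regex over the literal command text cannot see through.
# These are the "ambiguous" commands an LLM classifier (Rampart's optional
# rampart-verify sidecar) would judge; without one, hand them to a human.
OBFUSCATION = re.compile(
    r"\$\(|`|\beval\b|base64\s+(-d|--decode)\b|\|\s*(ba|z)?sh\b|\bxargs\b"
)


def normalise(cmd: str) -> str:
    """Collapse whitespace and drop a leading sudo/env prefix so that
    'sudo  rm -rf /' is judged by the same rule as 'rm -rf /'."""
    cmd = " ".join(cmd.split())
    return re.sub(r"^(sudo\s+(-\S+\s+)*|env\s+(\w+=\S*\s+)*)", "", cmd)


def evaluate(kind: str, target: str) -> Decision:
    """Return the policy decision for one tool call."""
    text = normalise(target) if kind == "exec" else target
    matches = [r for r in RULES if r.kind == kind and re.search(r.pattern, text)]
    # A block wins regardless of its position in the rule list.
    for rule in matches:
        if rule.action == BLOCK:
            return Decision(BLOCK, rule.name)
    # Commands the pattern engine cannot read literally are escalated,
    # even if an allow or log rule happened to match their visible prefix.
    if kind == "exec" and OBFUSCATION.search(text):
        return Decision(APPROVE, "escalate-ambiguous")
    if matches:
        return Decision(matches[0].action, matches[0].name)
    # Fail closed (assumption): reads default to allow, exec/net to a human.
    return Decision(ALLOW if kind == "read" else APPROVE, "default")


if __name__ == "__main__":
    # Replays the calls from the sample decision log plus two evasions.
    for kind, target in [
        ("exec", "npm test"),
        ("read", "~/project/src/main.go"),
        ("exec", "rm -rf /tmp/*"),
        ("exec", "curl https://api.example.com"),
        ("exec", "kubectl apply -f prod.yaml"),
        ("exec", "$(echo rm) -rf /"),
        ("exec", "sudo rm -rf /"),
    ]:
        d = evaluate(kind, target)
        print(f"{d.action:17} {kind:5} {target!r:36} [{d.rule}]")
```

Two points worth noting from the example: the block check runs before anything else, so a destructive command that also matches an allow rule is still blocked, and a curl that is piped into a shell is escalated even though "curl" on its own would only be logged. That second case is exactly where string matching stops being enough and the verifier sidecar or a human has to take over.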

Key features

Native agent integration

Claude Code, Cline, OpenClaw, Codex — or wrap any agent with shell interception

Microsecond policy engine

Pattern matching evaluates 95%+ of decisions in single-digit microseconds

Hash-chained audit trail

Tamper-evident JSONL audit logs with SIEM integration (syslog/CEF)

Human-in-the-loop approvals

Native approval prompts for Claude Code, dashboard for other agents

Live monitoring dashboard

Real-time TUI and web dashboard with policy testing and approval management

Project-local policies

Commit .rampart/policy.yaml to your repo for team-shared security rules
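The audit trail's tamper evidence comes from each JSONL line carrying the hash of the line before it. The following Python is an added illustration of that mechanism, not Rampart's implementation or its record schema (the field names and the events are constructed for this page): it builds a chain from events mirroring the sample decision log, verifies it, and shows which kinds of tampering the chain catches on its own and which it does not.

```python
"""Added example: a hash-chained JSONL audit log with tamper checks.

Illustrative only; not Rampart's implementation or its record schema. The
field names and the constructed events are assumptions.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: fixed key order and separators, or the
    same record would hash differently when re-verified later."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(lines: list[str], event: dict) -> str:
    """Append one event, chained to the previous line. Returns its hash."""
    prev_hash = json.loads(lines[-1])["hash"] if lines else GENESIS
    body = {"seq": len(lines), "prev_hash": prev_hash, **event}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    lines.append(canonical({**body, "hash": digest}).decode())
    return digest


def head_hash(lines: list[str]) -> str:
    """Hash of the newest entry; the value to ship off-host (syslog/CEF)."""
    return json.loads(lines[-1])["hash"] if lines else GENESIS


def verify_chain(lines: list[str]) -> tuple[bool, str]:
    """Walk the log from the start and recompute every link."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            return False, f"line {i}: not valid JSON"
        claimed = record.pop("hash", None)
        if record.get("seq") != i:
            return False, f"line {i}: seq {record.get('seq')} (entry removed or inserted?)"
        if record.get("prev_hash") != prev:
            return False, f"line {i}: prev_hash does not match the previous entry"
        if hashlib.sha256(canonical(record)).hexdigest() != claimed:
            return False, f"line {i}: content does not match its stored hash"
        prev = claimed
    return True, f"{len(lines)} entries verified, head {prev[:12]}"


def tamper(lines: list[str], index: int, field: str, value) -> list[str]:
    """Copy of the log with one field rewritten and the stored hash left
    as-is, i.e. what an after-the-fact edit of the file looks like."""
    edited = list(lines)
    record = json.loads(edited[index])
    record[field] = value
    edited[index] = canonical(record).decode()
    return edited


def build_sample_log() -> list[str]:
    """Constructed events mirroring the decision log shown on this page."""
    log: list[str] = []
    for ts, kind, target, decision, rule in [
        ("14:23:01", "exec", "npm test", "allow", "allow-dev"),
        ("14:23:03", "read", "~/project/src/main.go", "allow", "default"),
        ("14:23:05", "exec", "rm -rf /tmp/*", "block", "block-destructive"),
        ("14:23:08", "exec", "curl https://api.example.com", "log", "log-network"),
    ]:
        append_entry(log, {"ts": ts, "kind": kind, "target": target,
                           "decision": decision, "rule": rule})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:   ", verify_chain(log))
    print("edited:   ", verify_chain(tamper(log, 2, "decision", "allow")))
    print("deleted:  ", verify_chain(log[:2] + log[3:]))
    # Truncating the tail is NOT caught by the chain alone: the remaining
    # prefix is still a valid chain. Only an externally held head hash
    # reveals it, which is why the head should be exported off-host.
    print("truncated:", verify_chain(log[:3]), head_hash(log[:3]) == head_hash(log))
```

The last case is the caveat to keep in mind when relying on a hash chain: editing, inserting or removing an entry in the middle breaks a link and is detected, but chopping entries off the end leaves a shorter chain that still verifies. Detecting that requires the current head hash (or the entries themselves) to be held somewhere the agent cannot write, which is the role of the syslog/CEF SIEM export.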


Supported agents

Agent          Setup                        Integration
Claude Code    rampart setup claude-code    Native PreToolUse hooks — works in --dangerously-skip-permissions mode
Cline          rampart setup cline          Native hooks via settings
OpenClaw       rampart setup openclaw       Shell shim with human-in-the-loop approval flow
Any agent      rampart wrap -- <agent>      Shell wrapping via $SHELL
MCP servers    rampart mcp -- <server>      MCP protocol proxy
System-wide    rampart preload -- <cmd>     LD_PRELOAD syscall interception

LD_PRELOAD interception hooks the libc wrappers of dynamically linked programs; statically linked binaries and code that issues raw syscalls do not pass through it, so it complements rather than replaces the hook-based integrations.

OWASP coverage

Rampart maps to the OWASP Top 10 Risks for Agentic AI:
  • Excessive Agency — Policy engine enforces least-privilege per tool call
  • Unauthorized Tool Use — Every tool call evaluated before execution
  • Insecure Tool Implementation — Response scanning detects credential leaks
  • Prompt Injection → Tool Abuse — Pattern matching catches injected commands
  • Insufficient Audit Trail — Hash-chained JSONL with SIEM export
  • Data Exfiltration — Domain blocking and credential pattern detection
  • Uncontrolled Autonomy — Human-in-the-loop for sensitive operations
For a complete threat model analysis, see THREAT-MODEL.md.

Next steps

Installation

Install Rampart on macOS, Linux, or Windows

Quick start

Get up and running in under 2 minutes

Writing policies

Learn how to write YAML policies for your agent

CLI reference

Complete command reference for all Rampart commands
