Skip to main content

Match Conditions

Match conditions determine which tool calls a policy applies to and which specific rules within that policy should trigger. This page documents both policy-level matching (the match clause) and rule-level conditions (the when clause).

Policy-Level Match Clause

The match clause at the policy level determines which tool types and agents the policy applies to: 
policies:
  - name: my-policy
    match:
      tool: ["exec", "read"]
      agent: "claude-code"
    rules:
      # ...

Match Fields

match.tool
string | array
required
Tool type(s) this policy applies to. Can be a single string or array of strings.Standard tool types:
  • exec - Shell commands
  • read - File read operations
  • write - File write/edit operations
  • fetch - HTTP/network requests
  • mcp - Generic MCP tool calls
  • mcp-destructive - MCP tools with destructive keywords (delete, destroy, remove, drop, purge, kill)
  • mcp-dangerous - MCP tools with dangerous keywords (stop, restart, execute, modify, send, post)
MCP-specific tool names:
  • mcp__server__toolname - Target a specific MCP tool (e.g., create_issue, send_message)
# Single tool
match:
  tool: "exec"

# Multiple tools
match:
  tool: ["read", "write"]

# MCP-specific tool
match:
  tool: ["mcp__filesystem__write_file"]
match.agent
string
default:"*"
Glob pattern matching agent identity. Defaults to * (all agents).
# Only apply to Claude Code
match:
  tool: "exec"
  agent: "claude-code"

# Only apply to MCP clients
match:
  tool: "mcp"
  agent: "mcp-*"

Rule-Level When Clause

The when clause defines conditions for a specific rule to trigger. All conditions are optional - omit when entirely for unconditional rules. 
rules:
  - action: deny
    when:
      command_matches: ["rm -rf /"]
      session_matches: ["myapp/main"]
    message: "Destructive command blocked on main branch"

Command Conditions (exec tools)

when.command_matches
array
Glob patterns matching the full command string. Case-sensitive.Glob syntax:
  • * - Any characters (single segment)
  • ** - Any characters (crosses /)
  • ? - Any single character
when:
  command_matches:
    - "rm -rf /"
    - "sudo *"
    - "bash -c **rm -rf /**"
Use ** to match paths with slashes. Limited to 2 ** per pattern for performance.
when.command_not_matches
array
Exclude patterns. Rule only matches if command does NOT match any of these patterns.
when:
  command_matches:
    - "rm -rf /var/**"
  command_not_matches:
    - "rm -rf /var/tmp"
    - "rm -rf /var/cache"
Combine command_matches and command_not_matches to create allowlist exceptions.
when.command_contains
array
Substring matching (case-insensitive). Checks if command contains any of these strings.
when:
  command_contains:
    - "DROP TABLE"
    - "rm -rf"
    - "/dev/tcp/"
command_contains is case-insensitive and does substring matching. Use this for catching obfuscation bypasses that evade glob patterns.

Path Conditions (read/write tools)

when.path_matches
array
Glob patterns matching file paths. Works on both Unix and Windows paths.
when:
  path_matches:
    # Unix paths
    - "**/.ssh/id_*"
    - "**/.aws/credentials"
    - "/etc/shadow"
    # Windows paths
    - "**\\.ssh\\id_*"
    - "**\\System32\\**"
Windows paths require double backslashes (\\) in YAML strings.
when.path_not_matches
array
Exclude path patterns. Rule only matches if path does NOT match any of these.
when:
  path_matches:
    - "**/.ssh/id_*"
  path_not_matches:
    - "**/*.pub"  # Allow public keys

Network Conditions (fetch tools)

when.url_matches
array
Glob patterns matching full URLs.
when:
  url_matches:
    - "https://api.github.com/**"
    - "http://localhost:*"
when.domain_matches
array
Glob patterns matching domain names. Automatically extracts domain from URLs.
when:
  domain_matches:
    - "*.ngrok.io"
    - "*.ngrok-free.app"
    - "webhook.site"
    - "*.requestbin.com"

Session Conditions

when.session_matches
array
Glob patterns matching session identity. Sessions are auto-detected as repo/branch from git.
when:
  session_matches:
    - "myapp/main"
    - "myapp/production"
    - "*/main"  # Any repo, main branch
Override auto-detected session with RAMPART_SESSION=my-label.
when.session_not_matches
array
Exclude sessions. Rule only matches if session does NOT match any pattern.
when:
  session_not_matches:
    - "myapp/dev"
    - "myapp/test"

Agent Depth Conditions

when.agent_depth
object
Match nested sub-agent depth. 0 = top-level agent, 1+ = sub-agents.
# Block deep nesting (prevent privilege escalation)
when:
  agent_depth:
    gte: 3

MCP Parameter Conditions

when.tool_param_matches
object
Match MCP tool input parameters by case-insensitive glob pattern. Keys are parameter names, values are glob patterns. Rule matches if any parameter condition matches.
when:
  tool_param_matches:
    path: "**/.env*"
    url: "*webhook.site*"
    action: "delete*"

Response Conditions

when.response_matches
array
Regex patterns matching tool output. Used for credential leak detection and prompt injection defense.
when:
  response_matches:
    # AWS keys
    - "AKIA[0-9A-Z]{16}"
    # Private keys
    - "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    # GitHub PATs
    - "ghp_[a-zA-Z0-9]{36}"
    # OpenAI keys
    - "sk-[a-zA-Z0-9]{48}"
    # Slack tokens
    - "xox[bsapr]-[a-zA-Z0-9-]+"
    # JWTs
    - "eyJ[a-zA-Z0-9_-]+\\.eyJ[a-zA-Z0-9_-]+"
Response scanning adds latency. Use sparingly for high-value credential patterns.
when.response_not_matches
array
Exclude response patterns. Rule only matches if response does NOT match any pattern.
when:
  response_matches:
    - "AKIA[0-9A-Z]{16}"
  response_not_matches:
    - "AKIAIOSFODNN7EXAMPLE"  # Exclude AWS example key

Rate Limiting

when.call_count
object
Sliding-window rate limiting for tool calls. Rampart increments the counter on every PreToolUse event.
# Block after 100 fetch calls in 1 hour
when:
  call_count:
    tool: fetch
    gte: 100
    window: 1h

Default Catch-All

when.default
boolean
Catch-all condition. When true, matches any tool call that reaches this rule.
rules:
  # Specific denies first
  - action: deny
    when:
      command_contains: ["rm -rf /"]
  # Then catch-all allow
  - action: allow
    when:
      default: true

Complete Examples

Block Credential Access

policies:
  - name: block-credential-reads
    priority: 1
    match:
      tool: ["read"]
    rules:
      # Block SSH private keys
      - action: deny
        when:
          path_matches:
            - "**/.ssh/id_*"
          path_not_matches:
            - "**/*.pub"
        message: "SSH private key access blocked"
      
      # Block cloud credentials
      - action: deny
        when:
          path_matches:
            - "**/.aws/credentials"
            - "**/.aws/config"
            - "**/.kube/config"
            - "**/.docker/config.json"
        message: "Cloud credential access blocked"
      
      # Block env files (except examples)
      - action: deny
        when:
          path_matches:
            - "**/.env"
            - "**/.env.*"
          path_not_matches:
            - "**/.env.example"
            - "**/.env.template"
        message: "Environment file access blocked"

Block Destructive Commands with Exceptions

policies:
  - name: block-destructive
    match:
      tool: ["exec"]
    rules:
      - action: deny
        when:
          command_matches:
            - "rm -rf /var/**"
          command_not_matches:
            # Allow temp/build cleanup
            - "rm -rf /var/tmp"
            - "rm -rf /var/tmp/**"
            - "rm -rf /var/cache"
            - "rm -rf /var/log"
        message: "Destructive /var command blocked"

Detect Credential Leaks in Output

policies:
  - name: block-credential-leaks
    match:
      tool: ["exec", "read"]
    rules:
      - action: deny
        when:
          response_matches:
            - "AKIA[0-9A-Z]{16}"  # AWS access key
            - "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
            - "ghp_[a-zA-Z0-9]{36}"  # GitHub PAT
            - "sk-[a-zA-Z0-9]{48}"  # OpenAI key
        message: "Sensitive credential detected in response"

Rate Limit Network Calls

policies:
  - name: rate-limit-fetch
    match:
      tool: ["fetch", "web_search", "web_fetch"]
    rules:
      - action: ask
        when:
          call_count:
            gte: 100
            window: 1h
        message: "High fetch volume - require approval to continue"

Validation Rules

Pattern Syntax

  • Glob patterns use *, **, and ? wildcards
  • ** limited to 2 per pattern for performance
  • command_contains is case-insensitive, all others case-sensitive
  • Regex patterns (response_matches) use Go RE2 syntax

Logical Operators

  • Multiple conditions within when are AND’ed together
  • Multiple patterns within a condition field are OR’ed together
  • *_not_matches creates exclusions

Best Practices

Order Matters

Rules evaluate top-to-bottom. Place specific denies first, then catch-all allows.

Use command_contains for Bypasses

Substring matching catches obfuscation tricks that evade glob patterns (e.g., SUDO, Rm -Rf).

Test Before Deploy

Use rampart test "command" to dry-run commands against your policy.

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us