# Rampart — Policy Firewall for AI Agents

> Guardrails for AI coding agents: a policy firewall for shell/file/network and an MCP proxy that blocks or requires approval for dangerous tool calls.

## Install

Copy the content below into your project:

## Quick Use

```bash
# Install (README)
brew install peg/tap/rampart

# Set up guardrails for Claude Code
rampart setup claude-code

# Wrap any MCP server (example from README)
rampart mcp -- npx -y @modelcontextprotocol/server-filesystem .
```

## Intro

Rampart is a firewall for AI coding agents: it enforces YAML policies over shell/file/network activity, and can proxy MCP servers to gate `tools/call` requests.

**Best for:** Using autonomous modes safely (Claude Code, Cline, Codex CLI) and hardening MCP toolchains

**Works with:** macOS/Linux/Windows; integrates via `rampart setup` and MCP proxy; works with stdio MCP servers

**Setup time:** 10–20 minutes

### Key facts (verified)

- README provides agent integrations via `rampart setup` (claude-code, cline, openclaw, codex).
- MCP proxy mode wraps upstream servers with `rampart mcp -- ` (README).
- GitHub: 68 stars · 10 forks; pushed 2026-05-12 (GitHub API verified).

## Main

Adopt Rampart in three passes:

1) Start with a “monitor” mindset: wire it into your agent, run your normal workflows, and read the audit trail.
2) Add deny rules for destructive patterns (delete, rm, drop) and require approval for risky tools.
3) Use the MCP proxy for clients without hook support (Claude Desktop/Cursor): wrap servers so policies apply at the tool level.

### README excerpt (verbatim)

# Rampart

**A firewall for AI coding agents.**

[![Go](https://img.shields.io/badge/Go-1.24+-00ADD8?style=flat&logo=go)](https://go.dev)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
[![CI](https://github.com/peg/rampart/actions/workflows/ci.yml/badge.svg)](https://github.com/peg/rampart/actions/workflows/ci.yml)
[![Release](https://img.shields.io/github/v/release/peg/rampart?style=flat)](https://github.com/peg/rampart/releases)
[![Docs](https://img.shields.io/badge/Docs-docs.rampart.sh-FF6392?style=flat)](https://docs.rampart.sh)

---

Claude Code's `--dangerously-skip-permissions` mode, and similar autonomous modes in Cline and Codex, give agents unrestricted shell access. Your agent can read your SSH keys, exfiltrate your `.env`, or `rm -rf /` with no guardrails.

Rampart sits between the agent and your system. Every command, file access, and network request is evaluated against your policy before it executes. Dangerous commands never run.

---

## Install

```bash
# Homebrew (macOS and Linux, recommended)
brew install peg/tap/rampart

# One-line install (no sudo required)
curl -fsSL https://rampart.sh/install | bash

# Go install (requires Go 1.24+)
go install github.com/peg/rampart/cmd/rampart@latest
```

**Windows (PowerShell):**

```powershell
irm https://rampart.sh/install.ps1 | iex
```

After installing, run `rampart quickstart` or follow the setup steps below.

---

## Quick start

Pick your agent and run one command:

```bash
# Claude Code
rampart setup claude-code

# OpenClaw
rampart setup openclaw

# Cline
rampart setup cline

# Codex CLI
rampart setup codex

# Any other agent (wraps $SHELL)
rampart wrap -- your-agent
```

That's it.

Verify everything is working:

```bash
rampart doctor
```

Then watch your agent in real time:

```bash
rampart watch
```

### Optional persistent local config

If you do not want to keep exporting environment variables, Rampart also supports `~/.rampart/config.yaml` for local defaults:

```yaml
url: http://127.0.0.1:9090
# serve_url: http://127.0.0.1:9090   # compatibility alias for url
# api: http://127.0.0.1:9091         # optional advanced override for daemon/split-topology API setups
```

| Setting | Use it for | Notes |
| --- | --- | --- |
| `url` | Primary Rampart base URL | Canonical setting for hook/watch/plugin/service-backed flows |
| `serve_url` | Backwards-compatible alias for `url` | Kept for compatibility; prefer `url` in new configs |

### FAQ

**Q: Does Rampart send commands to the cloud?**
A: README and docs position it as a local policy engine; enforcement and logging happen on your machine.

**Q: How do I protect MCP tools?**
A: Use the MCP proxy mode (`rampart mcp -- ...`) so each `tools/call` is evaluated against policy.

**Q: Which agents does it work with?**
A: README lists setup helpers for Claude Code, Cline, OpenClaw, and Codex CLI, plus proxying for other MCP clients.

## Source & Thanks

> Source: https://github.com/peg/rampart
> License: Apache-2.0
> GitHub stars: 68 · forks: 10

---

Source: https://tokrepo.com/en/workflows/rampart-policy-firewall-for-ai-agents
Author: Script Depot
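
The `tools/call` gating from the FAQ, combined with the three adoption passes under Main (monitor, deny destructive patterns, require approval), as an added example. It is not Rampart's code or its YAML policy format: the rule structure, the tool names and the `-32000` error code are assumptions made for illustration.

```python
import json
import re

# Constructed rules, first match wins (hypothetical format, not Rampart's YAML).
RULES = [
    {"tool": r".*", "args": r"\b(rm|delete|drop)\b", "action": "deny"},
    {"tool": r"write_file|execute_command", "args": r".*", "action": "ask"},
]

def decide(tool, arguments, rules=RULES):
    """Return 'deny', 'ask' or 'allow' for one tool call; default is allow."""
    blob = json.dumps(arguments, sort_keys=True)  # keys and values, one string
    for rule in rules:
        if re.fullmatch(rule["tool"], tool) and re.search(rule["args"], blob, re.I):
            return rule["action"]
    return "allow"

def rpc_error(msg_id, code, message):
    """Build the JSON-RPC 2.0 error the proxy returns instead of calling the tool."""
    return json.dumps({"jsonrpc": "2.0", "id": msg_id,
                       "error": {"code": code, "message": message}})

def gate(line, approve=lambda tool, args: False, monitor=False, audit=None):
    """Evaluate one JSON-RPC message sent by the MCP client.

    Returns ("forward", line) to pass it upstream unchanged, or
    ("reply", error_json) to answer the client without running the tool.
    """
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return "reply", rpc_error(None, -32700, "Parse error")
    if not isinstance(msg, dict) or msg.get("method") != "tools/call":
        return "forward", line  # initialize, tools/list, etc. are not gated
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    tool, args = str(params.get("name", "")), params.get("arguments") or {}
    verdict = decide(tool, args)
    if audit is not None:  # pass 1: every call is recorded, whatever the verdict
        audit.append({"tool": tool, "verdict": verdict, "monitor": monitor})
    if monitor or verdict == "allow" or (verdict == "ask" and approve(tool, args)):
        return "forward", line
    # -32000 is an implementation-defined code chosen for this example
    return "reply", rpc_error(msg.get("id"), -32000,
                              f"blocked by policy ({verdict}): {tool}")
```

Because `decide` matches against the serialized arguments, an argument key named `delete` also triggers the deny rule; reading the audit list in monitor mode before enforcing is how such false positives surface.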