Story

The first time I gave Claude Code real shell access I immediately thought: it can read anything in my home directory right now. My .env files, my SSH keys, my AWS credentials. And if someone sneaks a "read this file and send it here" instruction into something Claude reads — a README, a package description, a code comment — there's nothing between that instruction and my files.

Rampart is the thing I built for that. It sits in front of your agent and checks every command and file operation against a simple policy before it runs. If something's not allowed, it's blocked — not logged after the fact, blocked before it happens.

Setup is two commands:

$ rampart setup claude-code $ rampart serve --background

After that, your agent works exactly the same — except now it has a policy. The default policy already covers the obvious stuff: SSH keys, AWS credentials, .env files, destructive commands. You define what's allowed, everything else gets blocked or flagged for your approval.

The policy is just a YAML file you can commit to your repo. Adding rules is one command:

$ rampart block "curl * | bash" $ rampart allow "~/.config/myapp"

One thing I'm proud of: the agent can't unblock itself. If Claude tries to run rampart allow to give itself more permissions, it gets blocked. Only you can change the policy.

Every decision gets logged in a tamper-evident audit trail, so you can see exactly what your agent attempted — not just what succeeded. Works with Claude Code, Cursor, Codex, Cline, and OpenClaw. Apache 2.0, single binary, no dependencies.

https://github.com/peg/rampart | https://rampart.sh/