feat: Rampart v0.9.10 — reliability, security, UX, docs #244

Merged
peg merged 19 commits into main from staging
Mar 30, 2026

@peg peg commented Mar 25, 2026

Rampart v0.9.10

Polished minor release. All blockers resolved, security audit clean, e2e 45/45, all packages pass with -race on Linux/macOS/Windows.


OpenClaw Plugin Integration

The headline feature of this release. Rampart previously intercepted tool calls by patching OpenClaw's dist files — fragile, broke on every upgrade. v0.9.10 replaces that with a native OpenClaw plugin using the official before_tool_call hook API.

How it works:

AI agent → OpenClaw → before_tool_call hook → Rampart plugin
                                                     ↓
                                         POST localhost:9090/v1/check
                                                     ↓
                                         allow / deny / ask / watch
  1. rampart setup --plugin installs the plugin via openclaw plugins install, sets tools.exec.ask: off (Rampart owns all decisions), and copies the openclaw.yaml policy profile
  2. On every tool call, the plugin fires before_tool_call and checks Rampart's proxy
  3. Rampart evaluates against policies → returns a verdict
  4. If ask, the plugin surfaces an approval UI in OpenClaw and polls until resolved
  5. "Always Allow" clicks call POST /v1/rules/learn to write a permanent allow rule back into user-overrides.yaml

Requires: OpenClaw >= 2026.3.28 (introduces before_tool_call hook)


Security Fixes

  • BuildAllowPattern hardened — high-risk command prefixes no longer generate trailing wildcard globs:

    • docker run nginx → exact match (not docker run *)
    • sudo docker run nginx → exact match (wrapper prefix stripping: sudo/env/nice/nohup/etc. are stripped before dangerous prefix check)
    • kubectl apply/exec/delete, curl <external-url>, rm, dd, mkfs, chmod/chown on sensitive paths all kept exact
    • Package installs (apt install, npm install, brew install) continue to glob last arg as before
    • 27 test cases covering all cases including bypass attempts
  • Path traversal fix in isSensitivePathToken: path.Clean() now resolves .. and . before matching sensitive roots. /tmp/../etc/shadow and /./etc/passwd now correctly trigger exact-match mode.

  • policyWriteMu added to Server: handleLearnRule and handleDeleteAutoAllowed serialize the read-modify-write cycle on policy YAML files, eliminating the TOCTOU race under concurrent admin requests.


Reliability

  • Approval store persistence — pending approvals survive rampart serve restarts (JSONL at ~/.rampart/pending-approvals.jsonl, atomic writes, graceful on missing file, 4 new tests)
  • rampart doctor checks ask: on-miss — the most common silent failure now produces a clear warning with the exact fix
  • Name-based rule deletion: DELETE /v1/rules/auto-allowed/{name} replaces fragile index-based deletion
  • MCP configurable agent identity: --agent-id and --session-id flags on rampart mcp

UX / Bug Fixes

  • Smart Always Allow globs: sudo apt-get install nmap writes sudo apt-get install * instead of exact match; dangerous prefixes excluded (see Security above)
  • setup panic fixed: strings.Fields(version)[0] now guarded against empty slice; no crash on malformed openclaw --version output
  • e2e.yaml updated: require_approval → ask (renamed in v0.9.9); suite now 45/45 clean
  • toolList YAML unmarshaler — user override rules accept both tool: exec (scalar) and tool: [exec] (sequence)
  • GoReleaser — reverted homebrew_casks → brews; Homebrew auto-update now works

Docs

  • Approval timeout corrected: 1h/5m → 2 minutes (README + cli-commands reference)
  • require_approval removed from API-REFERENCE; ask noted as replacement
  • action: log deprecation noted in guides (renamed to action: watch)
  • 9 previously unpublished guides now live: Windows, CI/headless, Wazuh, project policies, community policies, OpenClaw, Codex, benchmarking, native-ask
  • v0.9.9 migration notes added to README (3 breaking changes with before/after)
  • Snare cross-links added: "Rampart blocks. Snare catches."

Test Status

go test -race ./...   → 24 packages, 0 failures (Linux, macOS, Windows)
rampart test e2e.yaml → 45/45 passed
goreleaser snapshot   → cross-platform build ✓

clap [bot] added 3 commits March 26, 2026 16:36
- message patch: new bundle uses '= async () => await runMessageAction({'
  instead of 'const result = await runMessageAction({'
- web_fetch patch: new bundle uses 'readStringParam$1' instead of 'readStringParam'
- doctor: check ask mode at tools.exec.ask in addition to top-level ask

Found during dogfooding on OpenClaw 2026.3.24.
clap [bot] added 2 commits March 29, 2026 17:25
…plugin

- Extract BuildAllowPattern and HashPattern to internal/policy/glob.go
  for shared use by bridge and API handlers
- New POST /v1/rules/learn endpoint with admin auth, smart glob
  computation, atomic file writes, duplicate detection (409), and
  automatic policy reload
- Tests for learn handler (create, duplicate, missing fields, auth)
  and shared glob functions
- Plugin integration and openclaw policy profile
clap [bot] added 12 commits March 30, 2026 01:12
…law.yaml profile, doctor checks

- POST /v1/rules/learn: always-allow writeback API for OpenClaw plugin
- BuildAllowPattern extracted to internal/policy/glob.go (shared)
- rampart setup openclaw --plugin: installs plugin, configures OpenClaw
- rampart setup openclaw --migrate: removes old dist patches, installs plugin
- policies/openclaw.yaml: 13-policy profile for OpenClaw tool surface
- rampart doctor: plugin health check
- Bridge audit sink restored and struct fixes
- All bridge tests passing
…haler

- tests/e2e.yaml: replace deprecated 'require_approval' expect values with
  'ask' (renamed in v0.9.9)
- internal/proxy/learn_handlers.go: add toolList type with custom YAML
  unmarshaler so tool: accepts both scalar ('exec') and sequence (['exec'])
  forms in user override rules
…efixes

Add shouldKeepExact() to detect dangerous command prefixes and return
exact pattern instead of globbing:
- docker run/exec, kubectl apply/exec/delete
- curl/wget with external URLs (non-localhost)
- chmod/chown on sensitive paths (/etc, /usr, /root, etc)
- sudo rm, sudo dd, sudo mkfs

Safe prefixes (apt install, npm install, brew install, etc) continue
to glob the last argument as before.

23/23 tests pass.
- fix: guard strings.Fields()[0] in getOpenClawVersion (no panic on empty version)
- fix: serialize user-overrides.yaml writes with policyWriteMu (TOCTOU)
- fix: same mutex for handleDeleteAutoAllowed rules handler
- docs: fix approval timeout default README 1h → 2m, cli-commands 5m → 2m
- docs: remove stale require_approval from API-REFERENCE, clarify ask
- docs: fix action:log references across docs-site guides
@peg peg changed the title from "feat: Rampart v1.0 prep — reliability, UX, docs, ecosystem" to "feat: Rampart v0.9.10 — reliability, security, UX, docs" Mar 30, 2026
clap [bot] added 2 commits March 30, 2026 16:03
- Use path.Clean() to resolve .. and . in isSensitivePathToken,
  blocking /tmp/../etc/shadow style bypasses
- Strip wrapper prefixes (sudo, env, nice, nohup, etc) before checking
  dangerous prefix list, so 'sudo docker run' correctly blocks wildcards
- Drop sudo- prefixed entries (sudo rm, sudo dd, sudo mkfs) since rm/dd/mkfs
  now match with or without sudo after prefix stripping
- Add 6 new test cases covering the fixed bypass vectors
@peg peg merged commit e65b509 into main Mar 30, 2026
8 checks passed
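
The allow-pattern rules described in this PR (wrapper stripping, exact match for high-risk prefixes, path.Clean() before the sensitive-root check, last-argument glob otherwise), as an added Go sketch. It is not Rampart's code: allowPattern, hasSensitivePath and the three tables are hypothetical names with assumed contents, and it assumes leading VAR=value tokens are skipped and that any command not kept exact globs its last argument.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Illustrative tables (assumptions); the project's real lists are not shown on the page.
var wrappers = map[string]bool{"sudo": true, "env": true, "nice": true, "nohup": true}
var dangerous = []string{"docker run", "docker exec", "kubectl apply", "kubectl exec", "kubectl delete", "rm", "dd", "mkfs"}
var sensitiveRoots = []string{"/etc", "/usr", "/root"}

// hasSensitivePath cleans each token first, so ".." and "." cannot hide a sensitive root.
func hasSensitivePath(toks []string) bool {
	for _, t := range toks {
		for _, r := range sensitiveRoots {
			if strings.HasPrefix(path.Clean(t)+"/", r+"/") {
				return true
			}
		}
	}
	return false
}

// allowPattern returns the pattern an "Always Allow" click would persist.
func allowPattern(command string) string {
	f := strings.Fields(command)
	core := f
	// Strip wrappers (and VAR=value assignments) before any prefix check.
	for len(core) > 0 && (wrappers[core[0]] || strings.Contains(core[0], "=")) {
		core = core[1:]
	}
	if len(core) < 2 { // empty input, wrappers only, or nothing to glob
		return command
	}
	joined := strings.Join(core, " ") + " "
	for _, p := range dangerous {
		if strings.HasPrefix(joined, p+" ") {
			return command // high-risk prefix: exact match, never a trailing wildcard
		}
	}
	if (core[0] == "chmod" || core[0] == "chown") && hasSensitivePath(core[1:]) {
		return command
	}
	return strings.Join(f[:len(f)-1], " ") + " *" // glob only the last argument
}

func main() {
	fmt.Println(allowPattern("sudo docker run nginx"), "|", allowPattern("sudo apt-get install nmap"))
}
```

Wrapper options such as sudo -u are not parsed in this sketch; a production check needs to skip them as well.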