v0.2.35: Hook auto-reads token from ~/.rampart/token (#59)

* fix: inline RAMPART_TOKEN in Claude Code hook command

Claude Code hooks don't inherit the user's shell environment, so
RAMPART_TOKEN was never set at hook runtime. The hook silently fell
back to local-only evaluation and events never reached the dashboard.

- serve install persists token to ~/.rampart/token (0600)
- setup claude-code reads token from RAMPART_TOKEN env or token file
  and writes e.g. 'RAMPART_TOKEN=xxx /usr/local/bin/rampart hook'
- hasRampartInMatcher recognises RAMPART_TOKEN= prefixed commands
- 2 new tests: InlinesToken (env) + InlinesTokenFromFile

* fix: hook auto-reads token from ~/.rampart/token

Rather than inlining RAMPART_TOKEN in settings.json (security risk),
make the hook itself read ~/.rampart/token as a fallback when the env
var is not set. This mirrors the existing URL auto-discovery pattern.

- serve install persists token to ~/.rampart/token (0600)
- hook reads ~/.rampart/token when RAMPART_TOKEN env is unset
- setup claude-code writes bare '/path/to/rampart hook' — no creds

settings.json now contains no credentials whatsoever.

* ux: setup claude-code shows dashboard auth status

* fix: dashboard reads hook audit files (audit-hook-YYYY-MM-DD.jsonl)

The hook writes audit events to audit-hook-YYYY-MM-DD.jsonl while serve
writes to YYYY-MM-DD.jsonl. auditFilesForDate only matched the serve
prefix, so the dashboard showed 0 events even though the hook was
correctly recording them.

Now matches both prefixes. handleAuditDates similarly updated to surface
dates that only have hook files.

* fix: serve install --force unloads old service before reload

Two bugs:
1. --force wrote new plist + launchctl load but never unloaded the old
   service, so the old binary/token kept running. launchctl unload is
   now called first (best-effort) on both macOS and Linux.
2. persistToken failure was silently ignored, leaving plist token and
   ~/.rampart/token out of sync. Now warns with recovery command.

* ux: always show full token in serve install output

Generated and reused tokens both show the full value now. User needs
the full token to auth to the dashboard — truncating it was just friction.
Simplified output: dashboard URL, full token, token file pointer.

* fix: TestResolveToken_Generated isolates from real ~/.rampart/token

The test was leaking into the real home dir, so machines that had run
serve install would have a token file and the test would see generated=false.

* fix+test: token file permissions, hook guard, audit hook file coverage

- persistToken: add os.Chmod after WriteFile so pre-existing files with
  wrong permissions (e.g. 0644) are always corrected to 0600
- hook.go: add tok != "" guard after readPersistedToken for consistency
  with resolveServiceToken
- New tests:
  - TestPersistAndReadToken: roundtrip + 0600 permission check
  - TestPersistToken_FixesPermissions: chmod on pre-existing 0644 file
  - TestResolveToken_FromFile: resolveServiceToken reads from ~/.rampart/token
  - TestAuditDates_WithHookFiles: handleAuditDates returns hook file dates
  - TestAuditEvents_HookFilesIncluded: auditFilesForDate reads hook files

Author: peg

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.35] — 2026-02-18
+
+### Fixed
+- `rampart hook` now auto-reads the token from `~/.rampart/token` when `RAMPART_TOKEN` is not set in the environment. Claude Code hooks don't inherit the user's shell environment, so the token was never available at hook runtime — events silently fell back to local-only evaluation and never reached the dashboard. The hook now discovers both the serve URL (`localhost:18275`) and the token from standard locations, with no credentials needed in `settings.json`.
+- `rampart serve install` now persists the generated token to `~/.rampart/token` (mode 0600). This is the canonical token location the hook reads from automatically.
+- Dashboard now shows hook events. The hook and serve both write to `~/.rampart/audit/` but used different filename prefixes (`audit-hook-YYYY-MM-DD.jsonl` vs `YYYY-MM-DD.jsonl`). The audit API now reads both, so all events appear in the History tab regardless of which component wrote them.
+
 ## [0.2.34] — 2026-02-18
 
 ### Fixed

cmd/rampart/cli/hook.go

@@ -124,6 +124,14 @@ Cline setup: Use "rampart setup cline" to install hooks automatically.`,
 			if serveToken == "" {
 				serveToken = os.Getenv("RAMPART_TOKEN")
 			}
+			// Auto-read token from ~/.rampart/token when not set via env/flag.
+			// This means settings.json never needs to contain credentials —
+			// the hook discovers both the URL and the token from standard locations.
+			if serveToken == "" {
+				if tok, err := readPersistedToken(); err == nil && tok != "" {
+					serveToken = tok
+				}
+			}
 
 			if mode != "enforce" && mode != "monitor" && mode != "audit" {
 				return fmt.Errorf("hook: invalid mode %q (must be enforce, monitor, or audit)", mode)

cmd/rampart/cli/serve_install.go

@@ -119,13 +119,56 @@ func resolveServiceToken(tokenFlag string) (string, bool, error) {
 	if env := os.Getenv("RAMPART_TOKEN"); env != "" {
 		return env, false, nil
 	}
+	// Check persisted token file written by a previous serve install.
+	if tok, err := readPersistedToken(); err == nil && tok != "" {
+		return tok, false, nil
+	}
 	b := make([]byte, 16)
 	if _, err := rand.Read(b); err != nil {
 		return "", false, fmt.Errorf("generate token: %w", err)
 	}
 	return hex.EncodeToString(b), true, nil
 }
 
+// tokenFilePath returns the path to the persisted token file.
+func tokenFilePath() (string, error) {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(home, ".rampart", "token"), nil
+}
+
+// persistToken writes the token to ~/.rampart/token (0600).
+// If the file already exists, permissions are explicitly set to 0o600 regardless
+// of what they were before — os.WriteFile only applies the mode on creation.
+func persistToken(token string) error {
+	p, err := tokenFilePath()
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
+		return err
+	}
+	if err := os.WriteFile(p, []byte(token), 0o600); err != nil {
+		return err
+	}
+	return os.Chmod(p, 0o600)
+}
+
+// readPersistedToken reads the token from ~/.rampart/token if it exists.
+func readPersistedToken() (string, error) {
+	p, err := tokenFilePath()
+	if err != nil {
+		return "", err
+	}
+	b, err := os.ReadFile(p)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(b)), nil
+}
+
 func plistPath() (string, error) {
 	home, err := os.UserHomeDir()
 	if err != nil {
@@ -261,6 +304,12 @@ func installDarwin(cmd *cobra.Command, cfg serviceConfig, force, generated bool,
 		return nil
 	}
 
+	// Unload any existing service before writing new plist.
+	// Best-effort: ignore errors if the service wasn't loaded.
+	if _, err := os.Stat(path); err == nil {
+		_, _ = runner("launchctl", "unload", path).CombinedOutput()
+	}
+
 	content, err := generatePlist(cfg)
 	if err != nil {
 		return fmt.Errorf("generate plist: %w", err)
@@ -280,6 +329,10 @@ func installDarwin(cmd *cobra.Command, cfg serviceConfig, force, generated bool,
 		return fmt.Errorf("launchctl load: %w\n%s", err, out)
 	}
 
+	if err := persistToken(cfg.Token); err != nil {
+		fmt.Fprintf(cmd.ErrOrStderr(), "⚠ Warning: could not save token to ~/.rampart/token: %v\n", err)
+		fmt.Fprintf(cmd.ErrOrStderr(), "  Run: echo '%s' > ~/.rampart/token\n", cfg.Token)
+	}
 	printSuccess(cmd, cfg.Token, generated, port, path)
 	return nil
 }
@@ -310,13 +363,20 @@ func installLinux(cmd *cobra.Command, cfg serviceConfig, force, generated bool,
 		return fmt.Errorf("write unit: %w", err)
 	}
 
+	// Stop the old service before reload so the new binary/token take effect.
+	_, _ = runner("systemctl", "--user", "stop", "rampart-serve.service").CombinedOutput()
+
 	if out, err := runner("systemctl", "--user", "daemon-reload").CombinedOutput(); err != nil {
 		return fmt.Errorf("systemctl daemon-reload: %w\n%s", err, out)
 	}
 	if out, err := runner("systemctl", "--user", "enable", "--now", "rampart-serve.service").CombinedOutput(); err != nil {
 		return fmt.Errorf("systemctl enable: %w\n%s", err, out)
 	}
 
+	if err := persistToken(cfg.Token); err != nil {
+		fmt.Fprintf(cmd.ErrOrStderr(), "⚠ Warning: could not save token to ~/.rampart/token: %v\n", err)
+		fmt.Fprintf(cmd.ErrOrStderr(), "  Run: echo '%s' > ~/.rampart/token\n", cfg.Token)
+	}
 	printSuccess(cmd, cfg.Token, generated, port, path)
 	return nil
 }
@@ -325,17 +385,10 @@ func printSuccess(cmd *cobra.Command, token string, generated bool, port int, pa
 	w := cmd.ErrOrStderr()
 	fmt.Fprintf(w, "\n✅ Rampart service installed: %s\n", path)
 	fmt.Fprintf(w, "   Dashboard: http://localhost:%d/dashboard/\n", port)
+	fmt.Fprintf(w, "   Token:     %s\n", token)
+	fmt.Fprintf(w, "   (token also saved to ~/.rampart/token — hooks read it automatically)\n")
 	if generated {
-		fmt.Fprintf(w, "\n🔑 Generated token (save this — you'll need it for hooks):\n")
-		fmt.Fprintf(w, "   export RAMPART_TOKEN=%s\n\n", token)
-		fmt.Fprintf(w, "   Add to your shell profile so it persists across sessions:\n")
-		fmt.Fprintf(w, "     echo 'export RAMPART_TOKEN=%s' >> ~/.zshrc   # zsh (macOS default)\n", token)
-		fmt.Fprintf(w, "     echo 'export RAMPART_TOKEN=%s' >> ~/.bashrc  # bash\n\n", token)
-	} else {
-		display := token
-		if len(token) > 8 {
-			display = token[:8] + "..."
-		}
-		fmt.Fprintf(w, "   Token: %s\n", display)
+		fmt.Fprintf(w, "\n   To persist across shell sessions:\n")
+		fmt.Fprintf(w, "     echo 'export RAMPART_TOKEN=%s' >> ~/.zshrc\n", token)
 	}
 }

cmd/rampart/cli/serve_install_test.go

@@ -14,7 +14,9 @@
 package cli
 
 import (
+	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"testing"
 )
@@ -93,6 +95,7 @@ func TestResolveToken_FromEnv(t *testing.T) {
 
 func TestResolveToken_Generated(t *testing.T) {
 	t.Setenv("RAMPART_TOKEN", "")
+	t.Setenv("HOME", t.TempDir()) // prevent reading ~/.rampart/token from real home
 	tok, gen, err := resolveServiceToken("")
 	if err != nil {
 		t.Fatal(err)
@@ -105,6 +108,86 @@ func TestResolveToken_Generated(t *testing.T) {
 	}
 }
 
+func TestPersistAndReadToken(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+
+	// File doesn't exist yet — readPersistedToken should return an error.
+	if _, err := readPersistedToken(); err == nil {
+		t.Fatal("expected error reading token from empty home, got nil")
+	}
+
+	// Persist a token.
+	const want = "abc123deadbeef"
+	if err := persistToken(want); err != nil {
+		t.Fatalf("persistToken: %v", err)
+	}
+
+	// File must be 0o600.
+	p, _ := tokenFilePath()
+	info, err := os.Stat(p)
+	if err != nil {
+		t.Fatalf("stat token file: %v", err)
+	}
+	if info.Mode().Perm() != 0o600 {
+		t.Errorf("token file permissions: got %04o, want 0600", info.Mode().Perm())
+	}
+
+	// Round-trip: read back the token.
+	got, err := readPersistedToken()
+	if err != nil {
+		t.Fatalf("readPersistedToken: %v", err)
+	}
+	if got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+func TestPersistToken_FixesPermissions(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+
+	// Create the token file manually with wrong permissions.
+	p, _ := tokenFilePath()
+	_ = os.MkdirAll(filepath.Dir(p), 0o700)
+	_ = os.WriteFile(p, []byte("oldtoken"), 0o644)
+
+	// persistToken must fix permissions, not just overwrite content.
+	if err := persistToken("newtoken"); err != nil {
+		t.Fatalf("persistToken: %v", err)
+	}
+	info, err := os.Stat(p)
+	if err != nil {
+		t.Fatalf("stat: %v", err)
+	}
+	if info.Mode().Perm() != 0o600 {
+		t.Errorf("permissions not fixed: got %04o, want 0600", info.Mode().Perm())
+	}
+}
+
+func TestResolveToken_FromFile(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+	t.Setenv("RAMPART_TOKEN", "")
+
+	// Write a token to the file.
+	const want = "filetokendeadbeef"
+	if err := persistToken(want); err != nil {
+		t.Fatalf("persistToken: %v", err)
+	}
+
+	tok, gen, err := resolveServiceToken("")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if gen {
+		t.Error("expected generated=false when token comes from file")
+	}
+	if tok != want {
+		t.Errorf("got %q, want %q", tok, want)
+	}
+}
+
 func TestBuildServiceArgs(t *testing.T) {
 	args := buildServiceArgs(8080, "/etc/rampart.yaml", "/etc/policies", "/var/audit", "monitor", "10m")
 	want := []string{"--port", "8080", "--config", "/etc/rampart.yaml", "--config-dir", "/etc/policies", "--audit-dir", "/var/audit", "--mode", "monitor", "--approval-timeout", "10m"}

cmd/rampart/cli/setup.go

@@ -97,6 +97,8 @@ Use --remove to uninstall the Rampart hooks from Claude Code settings.`,
 
 			// Build the hook config — no --serve-url needed, hook auto-discovers on localhost:18275.
 			// Use absolute path so the hook works regardless of Claude Code's PATH.
+			// The hook reads RAMPART_TOKEN from ~/.rampart/token automatically, so
+			// settings.json never needs to contain credentials.
 			hookBin := "rampart"
 			if exe, err := os.Executable(); err == nil {
 				hookBin = exe
@@ -168,10 +170,18 @@ Use --remove to uninstall the Rampart hooks from Claude Code settings.`,
 			fmt.Fprintln(cmd.OutOrStdout(), "  Claude Code will now route Bash commands through Rampart.")
 			fmt.Fprintln(cmd.OutOrStdout(), "  Run 'claude' normally — no wrapper needed.")
 			fmt.Fprintln(cmd.OutOrStdout(), "")
-			fmt.Fprintln(cmd.OutOrStdout(), "  Dashboard approvals:")
-			fmt.Fprintln(cmd.OutOrStdout(), "    Run 'rampart serve' to enable dashboard-based approvals.")
-			fmt.Fprintln(cmd.OutOrStdout(), "    The hook auto-discovers serve on localhost:18275.")
-			fmt.Fprintln(cmd.OutOrStdout(), "    Set RAMPART_TOKEN env var to authenticate with serve.")
+
+			// Tell the user whether dashboard auth is wired up.
+			if tok, _ := readPersistedToken(); tok != "" {
+				fmt.Fprintln(cmd.OutOrStdout(), "  Dashboard: token auto-detected from ~/.rampart/token ✓")
+				fmt.Fprintln(cmd.OutOrStdout(), "  Events will appear in the dashboard automatically.")
+			} else if os.Getenv("RAMPART_TOKEN") != "" {
+				fmt.Fprintln(cmd.OutOrStdout(), "  Dashboard: token detected from RAMPART_TOKEN env ✓")
+				fmt.Fprintln(cmd.OutOrStdout(), "  Events will appear in the dashboard automatically.")
+			} else {
+				fmt.Fprintln(cmd.OutOrStdout(), "  Dashboard: no token found — running in local-only mode.")
+				fmt.Fprintln(cmd.OutOrStdout(), "  Run 'rampart serve install' first to enable the dashboard.")
+			}
 
 			// Check if rampart is in system PATH.
 			if _, err := execLookPath("rampart"); err != nil {

internal/proxy/audit_handlers.go

@@ -170,8 +170,12 @@ func (s *Server) handleAuditDates(w http.ResponseWriter, r *http.Request) {
 		if e.IsDir() || !strings.HasSuffix(e.Name(), ".jsonl") {
 			continue
 		}
-		// Extract date from filename: "2026-02-18.jsonl" or "2026-02-18.p1.jsonl"
+		// Extract date from filename: "2026-02-18.jsonl", "2026-02-18.p1.jsonl",
+		// or hook's "audit-hook-2026-02-18.jsonl".
 		name := e.Name()
+		if strings.HasPrefix(name, "audit-hook-") {
+			name = strings.TrimPrefix(name, "audit-hook-")
+		}
 		if len(name) >= 10 {
 			d := name[:10]
 			if _, err := time.Parse("2006-01-02", d); err == nil {
@@ -313,7 +317,9 @@ func (s *Server) auditFilesForDate(date string) []string {
 		if e.IsDir() || !strings.HasSuffix(e.Name(), ".jsonl") {
 			continue
 		}
-		if strings.HasPrefix(e.Name(), date) {
+		// Match serve's own files ("YYYY-MM-DD.jsonl", "YYYY-MM-DD.pN.jsonl")
+		// and hook's files ("audit-hook-YYYY-MM-DD.jsonl") — both land in the same dir.
+		if strings.HasPrefix(e.Name(), date) || strings.HasPrefix(e.Name(), "audit-hook-"+date) {
 			files = append(files, filepath.Join(s.auditDir, e.Name()))
 		}
 	}

internal/proxy/audit_handlers_test.go

@@ -229,3 +229,56 @@ func TestAuditNoDir(t *testing.T) {
 		assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode, "path: %s", path)
 	}
 }
+
+func writeHookAuditFile(t *testing.T, dir, date string, events []map[string]any) {
+	t.Helper()
+	path := filepath.Join(dir, "audit-hook-"+date+".jsonl")
+	var lines []string
+	for _, evt := range events {
+		b, err := json.Marshal(evt)
+		require.NoError(t, err)
+		lines = append(lines, string(b))
+	}
+	require.NoError(t, os.WriteFile(path, []byte(strings.Join(lines, "\n")+"\n"), 0o644))
+}
+
+func TestAuditDates_WithHookFiles(t *testing.T) {
+	dir := t.TempDir()
+	// Serve writes one date, hook writes another — both should appear.
+	writeAuditFile(t, dir, "2026-02-17", []map[string]any{{"id": "serve-01"}})
+	writeHookAuditFile(t, dir, "2026-02-18", []map[string]any{{"id": "hook-01"}})
+
+	ts, token := setupAuditTestServer(t, dir)
+
+	resp := doGet(t, ts, token, "/v1/audit/dates")
+	defer resp.Body.Close()
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body map[string]any
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	dates := body["dates"].([]any)
+	assert.Equal(t, 2, len(dates), "expected both serve and hook dates")
+	assert.Equal(t, "2026-02-18", dates[0])
+	assert.Equal(t, "2026-02-17", dates[1])
+}
+
+func TestAuditEvents_HookFilesIncluded(t *testing.T) {
+	dir := t.TempDir()
+	// Serve file is empty; hook file has events — dashboard should see them.
+	writeAuditFile(t, dir, "2026-02-18", []map[string]any{})
+	writeHookAuditFile(t, dir, "2026-02-18", []map[string]any{
+		{"id": "hook-01", "decision": map[string]any{"action": "allow"}},
+		{"id": "hook-02", "decision": map[string]any{"action": "deny"}},
+	})
+
+	ts, token := setupAuditTestServer(t, dir)
+
+	resp := doGet(t, ts, token, "/v1/audit/events?date=2026-02-18")
+	defer resp.Body.Close()
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body map[string]any
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	total := int(body["total_in_file"].(float64))
+	assert.Equal(t, 2, total, "expected hook file events to be counted")
+}