docs: v0.9.12 pass

Author: clap [bot]

docs-site/getting-started/configuration.md

@@ -20,14 +20,14 @@ rampart wrap --config /path/to/policy.yaml -- agent
 
 ```yaml
 version: "1"
-default_action: allow  # allow | deny
+default_action: allow  # allow | deny | ask | watch
 
 policies:
   - name: my-policy
     match:
       tool: ["exec"]  # Which tool types this applies to
     rules:
-      - action: deny  # deny | allow | log | ask | watch | webhook
+      - action: deny  # deny | allow | ask | watch | webhook
         when:
           command_matches: ["rm -rf *"]
         message: "Destructive command blocked"
@@ -39,8 +39,8 @@ policies:
 |--------|--------|
 | `deny` | Block the tool call. Agent receives an error. |
 | `allow` | Permit the tool call. |
-| `log` | Permit but log with elevated visibility. |
-| `ask` | Block until a human approves or denies (use `audit: true` to log the decision). |
+| `watch` | Permit but log with elevated visibility. (Previously called `log` — `log` still works as an alias.) |
+| `ask` | Block until a human approves or denies. Also valid as `default_action: ask` to surface unmatched calls for review. |
 | `webhook` | Delegate the decision to an external HTTP endpoint. |
 
 **Deny always wins.** If any matching policy says `deny`, the call is denied regardless of other policies.

docs-site/getting-started/how-it-works.md

@@ -23,14 +23,14 @@ This wires an agent to use the daemon. What it does depends on the agent:
 | **Claude Code** | Writes `PreToolUse` hook in `~/.claude/settings.json` |
 | **Codex** | Writes hook config in `~/.codex/config.json` |
 | **Cline** | Writes hook config in `~/.cline/settings.json` |
-| **OpenClaw** | Installs LD_PRELOAD (exec interception) + patches file tools |
+| **OpenClaw** | Installs native `before_tool_call` plugin (all tools) on >= 2026.3.28; legacy shim on older versions |
 | **MCP servers** | Use `rampart mcp --` prefix instead of setup |
 
 After setup, every tool call the agent makes goes through the daemon for policy evaluation before execution.
 
 ```
 rampart setup claude-code   # one-time, survives agent updates
-rampart setup openclaw      # needs re-run after OpenClaw upgrades
+rampart setup openclaw      # auto-detects version; native plugin on >= 2026.3.28
 ```
 
 ## Live monitoring (`rampart watch`)

docs-site/getting-started/installation.md

@@ -97,7 +97,7 @@ volumes:
   rampart-audit:
 ```
 
-Available tags: `latest`, `0.7.4`, `0.7`. At release time, `latest` points to `0.7.4`. Pin to a specific version tag for reproducibility. Images are published on [GitHub Container Registry](https://github.com/peg/rampart/pkgs/container/rampart).
+Available tags: `latest`, `0.9.12`, `0.9`. `latest` always points to the current stable release. Pin to a specific version tag for reproducibility. Images are published on [GitHub Container Registry](https://github.com/peg/rampart/pkgs/container/rampart).
 
 ## Build from Source
 

docs-site/getting-started/troubleshooting.md

@@ -57,7 +57,7 @@ rampart status
 Rampart looks for policies in this order:
 
 1. Path specified via `--config` flag
-2. `~/.rampart/policy.yaml`
+2. `~/.rampart/policies/` directory (all `.yaml` files merged)
 3. Built-in `standard` profile (default)
 
 ### 3. Does your rule actually match?
@@ -159,6 +159,43 @@ rampart test "rm -rf /"
 rampart test --tool read "/etc/shadow"
 ```
 
+## OpenClaw plugin not intercepting tool calls
+
+**Check if the plugin is installed:**
+
+```bash
+openclaw plugins list
+# Should show: rampart  v0.9.12  ✓ active
+
+rampart doctor
+# Should show: ✓ OpenClaw plugin: installed (before_tool_call hook active)
+```
+
+**Plugin missing — reinstall:**
+
+```bash
+rampart setup openclaw --plugin --force
+# Then restart the OpenClaw gateway
+```
+
+**OpenClaw version too old:**
+
+The native plugin requires OpenClaw >= 2026.3.28. Upgrade:
+
+```bash
+npm install -g openclaw@latest
+rampart setup openclaw  # auto-detects and installs plugin
+```
+
+**Rampart serve not running:**
+
+The plugin calls `localhost:9090` on every tool call. If serve isn't running, all calls fail-open (allowed silently).
+
+```bash
+rampart status          # check if serve is running
+rampart serve --start   # start if not running
+```
+
 ## Still stuck?
 
 - Check [GitHub Issues](https://github.com/peg/rampart/issues)

docs-site/index.md

@@ -205,11 +205,23 @@ verify -> outcomes.approval
 
 [:octicons-arrow-right-24: See all integration guides](integrations/index.md)
 
-## What's New in v0.9.11
+## What's New in v0.9.12
+
+- **Plugin bundled in binary** — The OpenClaw plugin is now embedded directly in the `rampart` binary. `rampart setup openclaw --plugin` works on any machine — no external checkout or npm install required. [Learn more →](integrations/openclaw.md)
+- **Bridge hardened** — Errors during require_approval escalations now fail closed (deny) instead of silently allowing. `writeAllowAlwaysRule` uses atomic writes.
+- **Learn endpoint secured** — `POST /v1/rules/learn` now rate-limited and restricted to `allow` decisions only. Deny rules belong in policy YAML.
+- **`openclaw.yaml` message policy** — `message` tool actions distinguished: reads always allowed, sends to unknown channels require approval.
+
+### v0.9.11
+
+- **`openclaw.yaml` security hardening** — Closed `bash *`/`sh *`/`curl *`/`wget *` exec bypass holes. Dedicated `block-force-push` policy. Tightened docker/kubectl/git subcommand allowlists.
+- **`default_action: ask` in openclaw.yaml** — Novel or unlisted tool calls surface for human approval instead of silently failing.
+- **`sessions_spawn` depth guard** — Subagents cannot spawn further agents.
+
+### v0.9.10
 
 - **Native OpenClaw plugin** — `rampart setup openclaw` auto-detects your OpenClaw version and installs a native `before_tool_call` hook. Covers every tool call (exec, read, write, web_fetch, browser, message) without fragile dist patching. Requires OpenClaw >= 2026.3.28. [Learn more →](integrations/openclaw.md)
-- **`default_action: ask` in openclaw.yaml** — Novel or unlisted tool calls surface for human approval instead of silently failing. Eliminates false positives for custom tools.
 - **Always Allow writeback** — Click "Always Allow" in the OpenClaw approval UI and Rampart writes a permanent smart-glob rule to `~/.rampart/policies/user-overrides.yaml`.
 - **Approval store persistence** — Pending approvals survive `rampart serve` restarts via JSONL journal.
 - **`rampart doctor` plugin check** — Shows `✓ OpenClaw plugin: installed` when the native hook is active.
-- **Security hardening** — Closed bash/sh/curl/wget exec bypass holes; hardened git push, docker, kubectl allowlists; sessions_spawn depth guard prevents subagents from spawning agents.
+- **Smart Always Allow globs** — `sudo apt-get install nmap` writes `sudo apt-get install *`, not an exact match. High-risk prefixes (`docker run`, `kubectl apply`, external `curl`) kept exact.

docs-site/integrations/openclaw.md

@@ -1,137 +1,177 @@
 ---
 title: Securing OpenClaw
-description: "Native Rampart integration for OpenClaw — policy enforcement, exec approval routing, and file tool protection in one command."
+description: "Native Rampart integration for OpenClaw — policy enforcement via before_tool_call hook. One command, full coverage."
 ---
 
 # OpenClaw
 
-Rampart integrates natively with OpenClaw 2026.3.x. One command sets up full protection and connects Rampart's policy engine to OpenClaw's exec approval system.
+Rampart integrates natively with OpenClaw via the `before_tool_call` plugin API. Every tool call — exec, read, write, web_fetch, browser, message, and more — is evaluated against your policy before it runs.
 
-!!! info "Version requirement"
-    Requires OpenClaw 2026.3.x or later for native exec approval integration. Earlier versions work with shell shim only.
+!!! info "Version requirements"
+    - **OpenClaw >= 2026.3.28**: Native plugin (recommended) — full tool coverage via `before_tool_call` hook
+    - **OpenClaw < 2026.3.28**: Legacy shim + bridge — exec-only coverage, requires re-patching after upgrades
 
-!!! tip "Fastest path"
-    If you want your OpenClaw agent to install and configure Rampart for you, just say:
-    > "Install Rampart and protect this machine."
-
-    The agent will run `rampart quickstart --yes` which handles everything automatically.
-    See the [agent install guide](../guides/agent-install.md) for full details.
+    `rampart setup openclaw` auto-detects your version and uses the right method.
 
 ## Setup
 
 ```bash
-rampart quickstart
+rampart setup openclaw
 ```
 
 That's it. Rampart:
 
-1. Installs `rampart serve` as a boot service
-2. Configures the OpenClaw shell shim (exec protection)
-3. Patches OpenClaw file tools (read/write/edit/grep protection)
-4. Patches `web_fetch` (network exfiltration protection)
-5. Auto-selects the `openclaw.yaml` policy profile
-6. Connects to the OpenClaw gateway for native exec approval routing
+1. Detects your OpenClaw version
+2. **If >= 2026.3.28**: Extracts the bundled plugin and installs it via `openclaw plugins install`
+3. Configures OpenClaw to route decisions through Rampart (`tools.exec.ask: off`)
+4. Copies the `openclaw.yaml` policy profile to `~/.rampart/policies/openclaw.yaml`
+5. Starts `rampart serve` as a boot service (if not already running)
 
-## How it works after setup
+No external downloads, no npm install — the plugin is bundled inside the `rampart` binary.
 
-When `rampart serve` starts, it automatically connects to the OpenClaw gateway WebSocket and subscribes to exec approval events. This is the native integration — Rampart becomes the policy engine inside OpenClaw's approval flow.
+### Force the native plugin
 
-```
-Agent wants to run a command
-  └─ OpenClaw fires exec.approval.requested
-       └─ Rampart evaluates policy
-            ├─ Hard deny (rm -rf /, cat ~/.ssh/id_rsa, etc.)
-            │    → resolved immediately, command never runs
-            │    → user sees nothing (no prompt needed)
-            │
-            ├─ Safe command (npm test, git status, etc.)
-            │    → resolved allow-once immediately
-            │    → command runs, no prompt
-            │
-            └─ Needs human review (kubectl apply, sudo, etc.)
-                 → Rampart creates approval, notifies via your
-                   configured channel (Discord, Telegram, etc.)
-                 → command waits until you approve or deny
+```bash
+rampart setup openclaw --plugin
 ```
 
-You can verify the bridge is connected:
+### Migrate from the old shim/bridge integration
 
 ```bash
-rampart status
-# Shows: OpenClaw bridge: connected (ws://127.0.0.1:18789)
+rampart setup openclaw --migrate
 ```
 
-Or check the serve log:
+Removes old dist patches and bridge config, installs the native plugin.
+
+## How it works
 
-```bash
-rampart log
-# bridge: connected to OpenClaw gateway, listening for approval requests
 ```
+Agent wants to run a tool (exec, read, write, web_fetch, ...)
+  └─ OpenClaw fires before_tool_call hook
+       └─ Rampart plugin POSTs to localhost:9090/v1/tool/<name>
+            └─ Rampart evaluates openclaw.yaml policy
+                 ├─ allow  → tool runs
+                 ├─ deny   → tool blocked, agent gets error message
+                 └─ ask    → Rampart creates approval, notifies you
+                              tool waits until you approve or deny
+```
+
+## Coverage
+
+With the native plugin, **all tool calls are covered**:
+
+| Tool | Coverage | Notes |
+|------|----------|-------|
+| `exec` | ✅ Native plugin | All commands evaluated |
+| `read` | ✅ Native plugin | Path-based policy matching |
+| `write` / `edit` | ✅ Native plugin | Path-based policy matching |
+| `web_fetch` | ✅ Native plugin | Domain allowlist/blocklist |
+| `web_search` | ✅ Native plugin | Always allowed by default |
+| `browser` | ✅ Native plugin | Domain-based rules |
+| `message` | ✅ Native plugin | Read actions always allowed; sends to unknown channels require approval |
+| `canvas` | ✅ Native plugin | Always allowed (UI only) |
+| `sessions_spawn` | ✅ Native plugin | Subagents cannot spawn further agents |
 
-## Protecting Sub-Agents
+!!! note "Sub-agents"
+    The `before_tool_call` hook fires for tool calls from subagents too. The `openclaw.yaml` profile uses `session_matches: ["subagent:*"]` to apply stricter rules to subagent sessions.
 
-OpenClaw can spawn sub-agents like Codex CLI and Claude Code. These agents execute commands through their own shell processes, not through OpenClaw's exec tool. The bridge doesn't cover sub-agents — they need their own interception.
+## The `openclaw.yaml` profile
+
+The default profile installed by `rampart setup openclaw`. Key behaviors:
+
+- **`default_action: ask`** — any tool call not matched by an explicit rule surfaces for human approval (no silent failures)
+- **Safe exec commands allowed** — `go build`, `npm install`, `git commit`, `docker build`, etc.
+- **Dangerous exec requires approval** — `sudo`, `docker run --privileged`, `kubectl delete`, force-push blocked
+- **Credential reads require approval** — `.env`, `.kube/config`, `.aws/credentials` ask before reading; SSH keys hard-denied
+- **External curl/wget blocked** — use `web_fetch` tool instead (which is policy-aware)
+- **Subagent depth guard** — subagents cannot spawn further agents
+
+Install manually:
 
 ```bash
-rampart setup codex       # Wraps Codex CLI with LD_PRELOAD
-rampart setup claude-code # Adds hooks to ~/.claude/settings.json
+rampart init --profile openclaw
 ```
 
-`rampart quickstart` handles this automatically if Codex or Claude Code are detected.
+## Always Allow writeback
 
-## Coverage Matrix
+When you click "Always Allow" in the OpenClaw approval UI, Rampart writes a permanent smart-glob rule to `~/.rampart/policies/user-overrides.yaml` via `POST /v1/rules/learn`. The rule takes effect immediately without restarting serve.
 
-| What | Protected by | Notes |
-|------|-------------|-------|
-| OpenClaw exec commands | ✅ Native bridge | Policy engine inside approval flow |
-| File reads/writes/edits | ✅ File tool patches | Re-run after OpenClaw upgrades |
-| `web_fetch` requests | ✅ Dist patch | Exfiltration via URL blocked |
-| Codex CLI commands | ✅ `rampart setup codex` | LD_PRELOAD — all child processes |
-| Claude Code commands | ✅ `rampart setup claude-code` | Native hooks |
-| Other sub-agent commands | ✅ `rampart preload --` | LD_PRELOAD — universal |
-| Browser automation | ⚠️ Not intercepted | Separate browser process |
-| `message` tool | ⚠️ Not intercepted | Issue [#221](https://github.com/peg/rampart/issues/221) |
+For example, approving `sudo apt-get install nmap` always writes:
+```yaml
+- name: user-allow-<hash>
+  match:
+    tool: exec
+  rules:
+    - when:
+        command_matches: ["sudo apt-get install *"]
+      action: allow
+```
 
-## Rampart deny overrides OpenClaw approval
+## Verify the integration
 
-!!! important "Approving in OpenClaw does not override a Rampart deny"
-    With the native bridge, Rampart evaluates the command **before** OpenClaw shows it to you. Hard deny rules (`action: deny`) are resolved immediately and the command never runs — you won't see an approval prompt at all.
+```bash
+rampart doctor
+```
 
-    For commands that should be human-approvable, use `action: ask` in your policy. That creates an approval gate where Rampart notifies you and waits for your decision before resolving OpenClaw's approval.
+Expected output when fully configured:
 
-## The `openclaw.yaml` profile
+```
+✓ rampart serve: running (pid 12345)
+✓ OpenClaw plugin: installed (before_tool_call hook active)
+✓ Policy: openclaw.yaml loaded (N rules, default: ask)
+✓ Approval store: persistent (N pending)
+```
+
+Or check plugin status directly:
 
-`rampart quickstart` auto-selects the `openclaw.yaml` policy profile when OpenClaw is detected. This profile includes everything in `standard.yaml` plus:
+```bash
+openclaw plugins list
+# rampart  v0.9.12  ✓ active
+```
 
-- **Session-aware rules**: main session (direct chat) has different permissions from subagents and cron jobs
-- **Deployment gates**: `kubectl apply`, `terraform apply`, `docker push`, `helm install/upgrade` require approval
-- **Tighter sub-agent restrictions**: subagents face more restrictions on sensitive file access and external actions
+## Troubleshooting
 
-To install it manually:
+**Plugin not loading after setup:**
 
 ```bash
-rampart init --profile openclaw
+openclaw plugins list   # check rampart is listed
+rampart doctor          # shows plugin check status
+```
+
+If missing, re-run setup:
+
+```bash
+rampart setup openclaw --plugin --force
 ```
 
-## Disabling the bridge
+**OpenClaw version too old:**
 
-To run Rampart without the native bridge (shim-only mode):
+```bash
+npm install -g openclaw@latest
+rampart setup openclaw   # auto-detects new version
+```
+
+**Checking what's being blocked:**
 
 ```bash
-rampart serve --no-openclaw-bridge
+rampart log --deny   # recent denials
+rampart log --ask    # recent approvals
 ```
 
+## Legacy: shim + bridge (OpenClaw < 2026.3.28)
+
+If you're on an older OpenClaw version, `rampart setup openclaw` falls back to:
+
+1. Shell shim (exec interception via `SHELL` env override)
+2. OpenClaw gateway bridge (WebSocket, exec-only coverage)
+3. Dist patches for file tools (fragile, re-run after OpenClaw upgrades)
+
+Upgrade OpenClaw to get the native plugin and avoid the upgrade fragility.
+
 ## Uninstall
 
 ```bash
 rampart uninstall --yes
 ```
 
-Removes the service, shell shim, OpenClaw gateway drop-in, and restores patched tool files. Policies and audit logs in `~/.rampart/` are preserved.
-
-!!! warning "File patches require re-running after OpenClaw upgrades"
-    `--patch-tools` modifies files in `node_modules`. After upgrading OpenClaw, run:
-    ```bash
-    rampart setup openclaw --patch-tools --force
-    ```
-    Or restart the OpenClaw gateway — the `ExecStartPre` drop-in re-patches automatically on gateway restart.
+Removes the service, OpenClaw plugin, gateway drop-in, and restores any patched files. Policies and audit logs in `~/.rampart/` are preserved.