Observe
See what your agent does. Block nothing.
Findings stream to the audit DB and your sinks. Run it for a week before enforcement.
Official Cisco project · Apache-2.0
Security governance for Claude Code.
DefenseClaw inspects every prompt, completion, and tool call your AI coding agent makes — block, approve, or audit, per connector.
Connectors
Claude CodeCodexOpenClawCursorHermesGemini CLIGitHub Copilot CLIWindsurfZeptoClaw
Workflow
ObserveActionAsk approval
Audit
SQLiteJSONLOTLPSplunkWebhooks
~/projects/agent-gateway
Stories
Six things you can do today.
Stop Claude Code from running rm -rf
Switch action mode on, prove a destructive shell command never reaches the disk.
Read →
Catch a prompt injection on Codex
Regex packs flag the obvious; the LLM judge catches the clever ones.
Read →
Block secret exfiltration from Cursor
Cursor’s beforeShellExecution hook is the stop point. We scan, then ask before it runs.
Read →
Approve risky tool calls before they fire
HITL sits between observe and enforcement. Pause, review, then continue.
Read →
Pin local observability in under 60 seconds
One command brings up Prometheus, Loki, Tempo, and Grafana — pre-wired to the gateway.
Read →
Switch from OpenClaw to Codex without losing audit history
The audit DB is connector-agnostic. Setup rewires the data path; nothing else moves.
Read →
Three modes, one command
Start in observe. Earn enforcement.
Start in observe. Promote to action when the policy is tuned. Layer approval prompts on top for CRITICAL findings.
Action
Block on HIGH and CRITICAL.
CRITICAL findings always block. HIGH findings block unless approval mode pauses them for review.
Ask approval
Pause, review, then continue.
Reaches the operator via the connector’s native ask, or downgrades to a TUI prompt.
Connectors
One adapter per agent. Same enforcement contract.
Every connector lands in the same gateway with the same block / approve / observe verbs — pick the agent you ship with, the contract is identical.
Claude Code
Enforcement gated behind guardrail.claudecode_enforcement_enabled.
Open page →
CodexThree telemetry channels at boot: hooks, native OTel, and the notify bridge for agent-turn-complete events.
Open page →
OpenClawReference proxy connector — full data-path interception, sandbox enforcement, plugin-mediated HITL.
Open page →
Cursorhooks.json under ~/.cursor; MCP / skills / rules surfaces are workspace-scoped.
Open page →
HermesHooks live in ~/.hermes/config.yaml.
Open page →
Gemini CLIsettings.json hooks; native OTLP exporter wires directly to the gateway.
Open page →
GitHub Copilot CLIWorkspace-scoped hooks under <workspace>/.github/hooks/.
Open page →
WindsurfCascade hooks under ~/.codeium/windsurf/hooks.json.
Open page →
ZeptoClawapi_base redirect into the DefenseClaw proxy plus response-scan.
Open page →
Ready to put a guardrail around your agent?
Five minutes. No LLM key required.