Capability Matrix
Per-connector breakdown of block capability, native ask events, fail-closed support, subprocess policy, and HITL behaviour. The single source of truth for "can this connector do X?"
This page is the single source of truth for "can this connector do X?". Every row is hand-derived from the Go connector files in internal/gateway/connector/ and re-verified on every change. Use it to pick the connector that fits your safety posture, or to find the gaps you need to compensate for.
| Connector | Family | Tool inspection | Subprocess policy | Block | Native ask | Fail-closed | HITL behaviour |
|---|---|---|---|---|---|---|---|
| Claude Code (claudecode) | hooks | pre-execution + response-scan | sandbox | ✓ | ✓ PreToolUse | ✓ | Claude Code supports native PreToolUse ask prompts. CRITICAL findings still block; HIGH findings can pause for approval. |
| Codex (codex) | hooks | pre-execution + response-scan | sandbox | ✓ | · | ✓ | Codex has no native ask surface here; confirm verdicts are downgraded with raw_action preserved. HITL routes through TUI / OpenClaw plugin. |
| OpenClaw (openclaw) | proxy | pre-execution + response-scan | sandbox | ✓ | ✓ before_tool_call | ✓ | OpenClaw supports DefenseClaw approval prompts for tool actions. Approvals reach chat-origin sessions via the bundled plugin. |
| Cursor (cursor) | hooks | pre-execution + response-scan | none | ✓ | ✓ beforeShellExecution, beforeMCPExecution | ✓ | Cursor supports native ask only on documented ask-capable hook events (beforeShellExecution, beforeMCPExecution). |
| Hermes (hermes) | hooks | pre-execution + response-scan | none | ✓ | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| Gemini CLI (geminicli) | hooks | pre-execution + response-scan | none | ✓ | · | ✓ | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| GitHub Copilot CLI (copilot) | hooks | pre-execution + response-scan | none | ✓ | ✓ preToolUse, PreToolUse | · | Copilot CLI supports native ask on documented preToolUse hooks. |
| Windsurf (windsurf) | hooks | pre-execution + response-scan | none | ✓ | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| ZeptoClaw (zeptoclaw) | proxy | pre-execution + response-scan | sandbox | ✓ | · | ✓ | ZeptoClaw has no native ask surface; confirm verdicts are downgraded with raw_action preserved so operators can review in TUI/audit. |
Reading the matrix
Family
proxy = DefenseClaw sits in the LLM data path. hooks = DefenseClaw hooks into the agent's lifecycle; the agent talks directly to its upstream.
Tool inspection
When DefenseClaw can see the tool call. pre-execution + response-scan means we score before the call fires and after it returns.
Subprocess policy
sandbox = DefenseClaw wires the agent into the openshell sandbox. none = the agent's own runtime executes commands; we observe via hooks.
Block
Whether the hooks the connector exposes can return a block decision at all.
Native ask
Whether the connector's hooks can prompt the operator inside the agent UI for approval. Connectors without native ask downgrade HITL to a confirm verdict in the DefenseClaw TUI.
Fail-closed
Whether the hook surface supports a fail-closed response — i.e. block on transport failure to the gateway. Connectors marked false require operator-managed timeouts.
HITL behaviour
One-line summary of how human-in-the-loop approvals reach the operator for this connector.
Where the data comes from
| Field | Source |
|---|---|
| Family | internal/gateway/connector/*.go (whether the connector implements RoutingConnector for proxy mode) |
| Tool inspection | _CONNECTOR_META[<id>].tool_mode in cli/defenseclaw/commands/cmd_setup.py |
| Subprocess policy | _CONNECTOR_META[<id>].subprocess_policy in cli/defenseclaw/commands/cmd_setup.py |
| Block / Native ask / Fail-closed | HookCapability{} literals in internal/gateway/connector/hook_only.go and the per-connector files |
| HITL behaviour | _hilt_support_note(<id>) in cli/defenseclaw/commands/cmd_setup.py |
The component renders from data/capability-matrix.json, which is the single editable copy and is refreshed against the Go source on every connector change.
Common patterns
"I want maximum safety on a single connector"
Pick a row with proxy family, block: yes, native ask: yes, fail-closed: yes. That's OpenClaw today.
"I want enforcement on Claude Code without the proxy"
Hook-only enforcement is supported on Claude Code, Codex, Cursor, Gemini CLI, Hermes, Windsurf, and Copilot CLI. The constraint: hook-only enforcement cannot block a request the agent has not yet asked the hook about, so the hook surface the agent exposes sets the limit of what can be enforced.
"I want HITL approvals to surface inside the agent UI"
Pick a row with native ask: yes. Today that is OpenClaw (before_tool_call), Claude Code (PreToolUse), Cursor (beforeShellExecution / beforeMCPExecution), and GitHub Copilot CLI (preToolUse). Other connectors downgrade to a confirm verdict.
"I want fail-closed on transport failures"
Pick a row with fail-closed: yes. Today that is OpenClaw, ZeptoClaw, Claude Code, Codex, Cursor, Gemini CLI, and GitHub Copilot CLI. For Hermes and Windsurf, configure operator-side timeouts.
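The verdict-to-hook mapping that the Block, Native ask and Fail-closed columns describe, together with the gap check behind the Common patterns above, as an added example that is not DefenseClaw's own code. The capability values are transcribed from the matrix on this page; the HookResponse shape and the fail-open outcome for connectors without fail-closed support are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HookCapability:
    block: bool
    native_ask: bool
    fail_closed: bool

# Transcribed from the matrix above: connector id -> (Block, Native ask, Fail-closed).
CONNECTORS = {
    "claudecode": HookCapability(True, True, True),
    "codex": HookCapability(True, False, True),
    "openclaw": HookCapability(True, True, True),
    "cursor": HookCapability(True, True, True),
    "hermes": HookCapability(True, False, False),
    "geminicli": HookCapability(True, False, True),
    "copilot": HookCapability(True, True, False),
    "windsurf": HookCapability(True, False, False),
    "zeptoclaw": HookCapability(True, False, True),
}

@dataclass(frozen=True)
class HookResponse:               # assumed shape, not DefenseClaw's wire format
    action: str                   # allow | ask (agent UI) | confirm (TUI) | block
    raw_action: Optional[str]     # original gateway verdict, kept when downgraded
    note: str

def map_verdict(connector: str, verdict: Optional[str]) -> HookResponse:
    """verdict is the gateway's allow/confirm/block; None means the transport
    to the gateway failed (timeout, connection refused)."""
    cap = CONNECTORS[connector]
    if verdict is None:
        if cap.fail_closed:
            return HookResponse("block", None, "gateway unreachable: fail-closed")
        # Assumption: a surface without fail-closed lets the call proceed; the operator-managed timeout is the only backstop.
        return HookResponse("allow", "unreachable", "gateway unreachable: fail-open")
    if verdict == "block":
        return HookResponse("block", None, "blocked by gateway")
    if verdict == "confirm":
        if cap.native_ask:
            return HookResponse("ask", None, "approval prompt inside the agent UI")
        return HookResponse("confirm", "confirm", "downgraded: approval routed to the TUI")
    return HookResponse("allow", None, "allowed by gateway")

def compensations(connector: str) -> list:   # gaps the operator must cover outside the hook surface
    cap = CONNECTORS[connector]
    gaps = [] if cap.native_ask else ["hitl_via_tui"]
    return gaps + ([] if cap.fail_closed else ["operator_timeout"])
```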
ZeptoClaw
ZeptoClaw routes through DefenseClaw via api_base redirect plus response-scan. Full guardrail pipeline runs on every request.