Capability Matrix
Per-connector breakdown of block capability, native ask events, fail-closed support, subprocess policy, and HITL behaviour. The single source of truth for "can this connector do X?"
This page is the single source of truth for "can this connector do X?". Every row is hand-derived from the Go connector files in internal/gateway/connector/ and re-verified on every change. Use it to pick the connector that fits your safety posture, or to find the gaps you need to compensate for.
| Connector | Family | Tool inspection | Subprocess policy | Block | Native ask | Fail-closed | HITL behavior |
|---|---|---|---|---|---|---|---|
| Claude Code claudecode | hooks | pre-execution + response-scan | sandbox | ✓ | ✓ PreToolUse | ✓ | Claude Code supports native PreToolUse ask prompts. CRITICAL findings still block; HIGH findings can pause for approval. |
| Codex codex | hooks | pre-execution + response-scan | sandbox | ✓ | · | ✓ | Codex has no native ask surface here; confirm becomes an alert/systemMessage with raw_action preserved. The TUI can review the event but cannot resume it. |
| OpenClaw openclaw | proxy | pre-execution + response-scan | sandbox | ✓ | ✓ before_tool_call | ✓ | OpenClaw supports DefenseClaw approval prompts for tool actions. Approvals reach chat-origin sessions via the bundled plugin. |
| Cursor cursor | hooks | pre-execution + response-scan | none | ✓ | ✓ beforeShellExecution, beforeMCPExecution | ✓ | Cursor supports native ask only on documented ask-capable hook events (beforeShellExecution, beforeMCPExecution). |
| Hermes hermes | hooks | pre-execution + response-scan | none | ✓ | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| OpenCode opencode | hooks | pre-execution + response-scan | none | ✓ | · | ✓ | No native human-approval surface; blocks by throwing in the bridge plugin's tool.execute.before. confirm verdicts fall back to allow. |
| OmniGent omnigent | hooks | pre-execution + response-scan | none | ✓ | ✓ UserPromptSubmit, PreToolUse, BeforeModel | ✓ | OmniGent parks request, tool_call, and llm_request policy phases for native ASK approval; post-action confirm verdicts use the configured fallback. |
| Gemini CLI geminicli | hooks | pre-execution + response-scan | none | ✓ | · | ✓ | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| GitHub Copilot CLI copilot | hooks | pre-execution + response-scan | none | ✓ | ✓ preToolUse | · | Copilot CLI supports native ask on documented preToolUse hooks. |
| OpenHands openhands | hooks | pre-execution + response-scan | none | ✓ | · | ✓ | OpenHands has no native ask surface in the documented hook contract; confirm verdicts are downgraded with raw_action preserved and optional additionalContext returned to the agent. |
| Antigravity antigravity | hooks | pre-execution + response-scan | none | ✓ | ✓ PreToolUse | · | Antigravity has an empirically verified native ask on PreToolUse. Returning decision=ask there overrides agy's --dangerously-skip-permissions flag; force_ask is retained only as internal raw_action telemetry. |
| Windsurf windsurf | hooks | pre-execution + response-scan | none | ✓ | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| ZeptoClaw zeptoclaw | proxy | pre-execution + response-scan | sandbox | ✓ | · | ✓ | ZeptoClaw has no native ask surface; confirm uses its explicit fallback with raw_action preserved for TUI/audit review. There is no resumable approval. |
Reading the matrix
Family
proxy = DefenseClaw sits in the LLM data path. hooks = DefenseClaw hooks into the agent's lifecycle; the agent talks directly to its upstream.
Tool inspection
When DefenseClaw can see the tool call. pre-execution + response-scan means we score before the call fires and after it returns.
Subprocess policy
sandbox = DefenseClaw wires the agent into the openshell sandbox. none = the agent's own runtime executes commands; we observe via hooks.
Block
Whether the hooks the connector exposes can return a block decision at all.
Native ask
Whether the connector's hooks can prompt the operator inside the agent UI for approval. Without native ask, confirm uses a connector-specific alert/allow/context fallback; the TUI can review the event but cannot resume it.
Fail-closed
Whether the hook surface supports a fail-closed response — i.e. block on transport failure to the gateway. Connectors marked false require operator-managed timeouts.
HITL behaviour
One-line summary of how human-in-the-loop approvals reach the operator for this connector.
Where the data comes from
| Field | Source |
|---|---|
| Family | internal/gateway/connector/*.go (whether the connector implements RoutingConnector for proxy mode) |
| Tool inspection | _CONNECTOR_META[<id>].tool_mode in cli/defenseclaw/commands/cmd_setup.py |
| Subprocess policy | _CONNECTOR_META[<id>].subprocess_policy in cli/defenseclaw/commands/cmd_setup.py |
| Block / Native ask / Fail-closed | HookCapability{} literals in internal/gateway/connector/hook_only.go and the per-connector files |
| Hook contract versions | cli/defenseclaw/inventory/hook_contracts.json, checked against internal/gateway/connector/hook_contract.go |
| HITL behaviour | _hilt_support_note(<id>) in cli/defenseclaw/commands/cmd_setup.py |
The component renders from data/capability-matrix.json, which is the single editable copy and is refreshed against the Go source on every connector change.
Common patterns
"I want maximum safety on a single connector"
Pick a row with proxy family, block: yes, native ask: yes, fail-closed: yes. That's OpenClaw today.
"I want enforcement on Claude Code without the proxy"
Hook-only enforcement is supported on Claude Code, Codex, Cursor, Gemini CLI, Hermes, Windsurf, Copilot CLI, OpenHands, Antigravity, OpenCode, and OmniGent. The constraint: hook-only enforcement cannot block a request the agent has not yet asked the hook about. Trust the hook surface to scope what's possible.
"I want HITL approvals to surface inside the agent UI"
Pick a row with native ask: yes: OpenClaw, Claude Code (PreToolUse), Cursor (beforeShellExecution / beforeMCPExecution), GitHub Copilot CLI (preToolUse), Antigravity (verified PreToolUse), or OmniGent (request, tool_call, llm_request). Confirm verdicts on every other connector/event take an immediate connector-specific fallback; there is no TUI approval queue.
"I want fail-closed on transport failures"
Pick a row with fail-closed: yes: OpenClaw, ZeptoClaw, Claude Code, Codex, Cursor, Gemini CLI, OpenCode, OpenHands, and OmniGent. GitHub Copilot CLI, Hermes, Windsurf, and Antigravity do not expose a DefenseClaw-controlled fail-closed transport response.
ZeptoClaw
ZeptoClaw routes through DefenseClaw via api_base redirect plus response-scan. Full guardrail pipeline runs on every request.
AI Discovery
Find every AI agent, model, MCP server, skill, and provider running on the host. DefenseClaw runs a continuous fingerprinting scanner in the gateway and ships defenseclaw agent discover for an instant operator-side inventory.