Capability Matrix

Per-connector breakdown of block capability, native ask events, fail-closed support, subprocess policy, and HITL behaviour. The single source of truth for "can this connector do X?"

Every row is hand-derived from the Go connector files in internal/gateway/connector/ and re-verified on every change. Use it to pick the connector that fits your safety posture, or to find the gaps you need to compensate for.

| Connector | Family | Tool inspection | Subprocess policy | Block | Native ask | Fail-closed | HITL behaviour |
|---|---|---|---|---|---|---|---|
| Claude Code (claudecode) | hooks | pre-execution + response-scan | sandbox | yes | yes (PreToolUse) | yes | Claude Code supports native PreToolUse ask prompts. CRITICAL findings still block; HIGH findings can pause for approval. |
| Codex (codex) | hooks | pre-execution + response-scan | sandbox | yes | no | yes | Codex has no native ask surface here; confirm becomes an alert/systemMessage with raw_action preserved. The TUI can review the event but cannot resume it. |
| OpenClaw (openclaw) | proxy | pre-execution + response-scan | sandbox | yes | yes (before_tool_call) | yes | OpenClaw supports DefenseClaw approval prompts for tool actions. Approvals reach chat-origin sessions via the bundled plugin. |
| Cursor (cursor) | hooks | pre-execution + response-scan | none | yes | yes (beforeShellExecution, beforeMCPExecution) | yes | Cursor supports native ask only on documented ask-capable hook events (beforeShellExecution, beforeMCPExecution). |
| Hermes (hermes) | hooks | pre-execution + response-scan | none | yes | no | no | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| OpenCode (opencode) | hooks | pre-execution + response-scan | none | yes | no | yes | No native human-approval surface; blocks by throwing in the bridge plugin's tool.execute.before. confirm verdicts fall back to allow. |
| OmniGent (omnigent) | hooks | pre-execution + response-scan | none | yes | yes (UserPromptSubmit, PreToolUse, BeforeModel) | yes | OmniGent parks request, tool_call, and llm_request policy phases for native ASK approval; post-action confirm verdicts use the configured fallback. |
| Gemini CLI (geminicli) | hooks | pre-execution + response-scan | none | yes | no | yes | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| GitHub Copilot CLI (copilot) | hooks | pre-execution + response-scan | none | yes | yes (preToolUse) | no | Copilot CLI supports native ask on documented preToolUse hooks. |
| OpenHands (openhands) | hooks | pre-execution + response-scan | none | yes | no | yes | OpenHands has no native ask surface in the documented hook contract; confirm verdicts are downgraded with raw_action preserved and optional additionalContext returned to the agent. |
| Antigravity (antigravity) | hooks | pre-execution + response-scan | none | yes | yes (PreToolUse) | no | Antigravity has an empirically verified native ask on PreToolUse. Returning decision=ask there overrides agy's --dangerously-skip-permissions flag; force_ask is retained only as internal raw_action telemetry. |
| Windsurf (windsurf) | hooks | pre-execution + response-scan | none | yes | no | no | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| ZeptoClaw (zeptoclaw) | proxy | pre-execution + response-scan | sandbox | yes | no | yes | ZeptoClaw has no native ask surface; confirm uses its explicit fallback with raw_action preserved for TUI/audit review. There is no resumable approval. |

Reading the matrix

Family

proxy = DefenseClaw sits in the LLM data path. hooks = DefenseClaw hooks into the agent's lifecycle; the agent talks directly to its upstream.

Tool inspection

When DefenseClaw can see the tool call. pre-execution + response-scan means we score before the call fires and after it returns.

Subprocess policy

sandbox = DefenseClaw wires the agent into the openshell sandbox. none = the agent's own runtime executes commands; we observe via hooks.

Block

Whether the hooks the connector exposes can return a block decision at all.

Native ask

Whether the connector's hooks can prompt the operator inside the agent UI for approval. Without native ask, confirm uses a connector-specific alert/allow/context fallback; the TUI can review the event but cannot resume it.

Fail-closed

Whether the hook surface supports a fail-closed response — i.e. block on transport failure to the gateway. Connectors marked false require operator-managed timeouts.

HITL behaviour

One-line summary of how human-in-the-loop approvals reach the operator for this connector.
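How the Native ask and Fail-closed columns combine when a verdict arrives, as an added example that models the rules on this page and is not DefenseClaw's code. The capability struct, the resolve function, the "operator-timeout" and "transport-failure" labels, and the "alert" fallback for Cursor and Copilot CLI are assumptions made for illustration.

```go
package main

import "fmt"

// capability is a hypothetical stand-in for one matrix row; it is not the
// project's HookCapability type, whose fields this page does not show.
type capability struct {
	block, failClosed bool
	askEvents         []string // hook events with native ask (nil = none)
	fallback          string   // what confirm degrades to without native ask
}

// Rows follow the matrix. OpenCode's "allow" fallback is stated on the page;
// the "alert" fallback for the other two rows is assumed.
var matrix = map[string]capability{
	"cursor":   {true, true, []string{"beforeShellExecution", "beforeMCPExecution"}, "alert"},
	"opencode": {true, true, nil, "allow"},
	"copilot":  {true, false, []string{"preToolUse"}, "alert"},
}

type decision struct{ action, rawAction string }

// resolve maps a gateway verdict ("allow", "confirm", "block") to what the
// connector can return on this hook event. gatewayUp=false models a
// transport failure between the hook and the gateway.
func resolve(id, event, verdict string, gatewayUp bool) decision {
	c := matrix[id]
	if !gatewayUp {
		if c.failClosed {
			return decision{"block", "transport-failure"}
		}
		// No gateway-controlled response: the operator's timeout decides.
		return decision{"operator-timeout", "transport-failure"}
	}
	switch {
	case verdict == "block" && c.block:
		return decision{"block", "block"}
	case verdict == "confirm":
		for _, e := range c.askEvents {
			if e == event {
				return decision{"ask", "confirm"}
			}
		}
		return decision{c.fallback, "confirm"} // downgraded, raw_action kept
	}
	return decision{"allow", verdict}
}

func main() {
	fmt.Println(resolve("cursor", "beforeShellExecution", "confirm", true))
	fmt.Println(resolve("opencode", "tool.execute.before", "confirm", true))
	fmt.Println(resolve("copilot", "preToolUse", "block", false))
}
```

The OpenCode result is the one to watch in audit data: the returned action is allow while the preserved raw action still says confirm.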

Where the data comes from

| Field | Source |
|---|---|
| Family | internal/gateway/connector/*.go (whether the connector implements RoutingConnector for proxy mode) |
| Tool inspection | _CONNECTOR_META[<id>].tool_mode in cli/defenseclaw/commands/cmd_setup.py |
| Subprocess policy | _CONNECTOR_META[<id>].subprocess_policy in cli/defenseclaw/commands/cmd_setup.py |
| Block / Native ask / Fail-closed | HookCapability{} literals in internal/gateway/connector/hook_only.go and the per-connector files |
| Hook contract versions | cli/defenseclaw/inventory/hook_contracts.json, checked against internal/gateway/connector/hook_contract.go |
| HITL behaviour | _hilt_support_note(<id>) in cli/defenseclaw/commands/cmd_setup.py |

The component renders from data/capability-matrix.json, which is the single editable copy and is refreshed against the Go source on every connector change.

Common patterns

"I want maximum safety on a single connector"

Pick a row with proxy family, block: yes, native ask: yes, fail-closed: yes. That's OpenClaw today.

"I want enforcement on Claude Code without the proxy"

Hook-only enforcement is supported on Claude Code, Codex, Cursor, Gemini CLI, Hermes, Windsurf, Copilot CLI, OpenHands, Antigravity, OpenCode, and OmniGent. The constraint: hook-only enforcement cannot block a request the agent has not yet asked the hook about. Trust the hook surface to scope what's possible.

"I want HITL approvals to surface inside the agent UI"

Pick a row with native ask: yes: OpenClaw, Claude Code (PreToolUse), Cursor (beforeShellExecution / beforeMCPExecution), GitHub Copilot CLI (preToolUse), Antigravity (verified PreToolUse), or OmniGent (request, tool_call, llm_request). Confirm verdicts on every other connector/event take an immediate connector-specific fallback; there is no TUI approval queue.

"I want fail-closed on transport failures"

Pick a row with fail-closed: yes: OpenClaw, ZeptoClaw, Claude Code, Codex, Cursor, Gemini CLI, OpenCode, OpenHands, and OmniGent. GitHub Copilot CLI, Hermes, Windsurf, and Antigravity do not expose a DefenseClaw-controlled fail-closed transport response.