Command generator
Build a non-interactive `defenseclaw setup guardrail` command for any connector. Pick mode, scanner backend, detection strategy, rule pack, HITL behaviour, and every advanced knob; copy the result straight into your terminal or CI pipeline.
defenseclaw setup guardrail is fully scriptable — every prompt in the interactive wizard has a flag, with three documented exceptions. The generator below lets you build the exact --non-interactive invocation for any connector without leaving the docs. Pick the knobs; the command rewrites itself live; the Notes & validation panel flags combinations that won't behave the way you expect (e.g. HITL in observe mode, remote scanner with no Cisco endpoint, connectors that can't fail closed).
Generated commands are display-only. Nothing on this page runs against your machine — copy the result and paste it into the terminal of whichever host you operate.
Connector
Pick the agent framework.
Mode
`observe` logs without blocking; `action` enforces on configured severities.
Scanner backend
`local` is the zero-key bundled regex scanner; `remote` calls Cisco AI Defense; `both` runs the union.
Detection strategy
`regex_only` is the zero-key default. The judge variants need an LLM key.
Rule pack
Rule packs only apply when `--mode` is `action`.
Human-in-the-Loop (HITL)
HITL only fires in action mode. Switch above to enable.
Claude Code HITL: Claude Code supports native PreToolUse ask prompts. CRITICAL findings still block; HIGH findings can pause for approval.
Advanced
Knobs most operators leave untouched.
```shell
defenseclaw setup guardrail \
  --non-interactive \
  --connector claudecode \
  --mode observe \
  --scanner-mode local \
  --detection-strategy regex_only
```
Notes & validation
No warnings. The command above should run cleanly with the connector and flags selected.
Claude Code capabilities
- Family: hooks
- Scope: user
- Tool inspection: pre-execution + response-scan
- Subprocess policy: sandbox
- Native ask: yes
- Fail-closed: supported
See /docs/connectors/claudecode for the full per-connector guide.
What the generator covers
Connector picker
All thirteen first-class connectors — proxy (OpenClaw, ZeptoClaw) and hooks (Claude Code, Codex, Cursor, Windsurf, Gemini CLI, GitHub Copilot CLI, Hermes, OpenCode, OmniGent, OpenHands, Antigravity). Each card surfaces whether the connector supports native ask and fail-closed enforcement so HITL decisions are informed.
Mode + scanner backend
--mode (observe / action) and --scanner-mode (local / remote / both). Picking remote or both surfaces the Cisco endpoint, API key env var, and timeout fields, and emits a placeholder export so you remember to set the key.
Detection strategy + judge
--detection-strategy (regex_only / regex_judge / judge_first). Switching off regex_only opens the judge model, judge API base, and judge API key env var inputs, unlocks the provider & auth section below, and adds the matching export line to the generated script.
Judge provider & auth
When a judge runs: --judge-provider / --judge-region / --judge-instance-name, --llm-role, --inherit-from / --inherit-llm, and the full Bedrock / Vertex / Azure judge-auth families (region, auth-mode, credential env vars, profile, inference profile, repeatable deployment aliases), plus --judge-tls-ca-cert-file / --judge-insecure-skip-verify. Only the auth block for the selected provider is emitted, and credential env vars get placeholder export lines.
Rule pack
--rule-pack (default / strict / permissive). Locked to action mode so the disabled state matches the CLI semantics.
HITL
--human-approval + --hilt-min-severity (critical / high / medium / low). Disabled in observe mode. The connector card explains whether the event can ask natively or takes a non-pausing connector fallback.
Advanced knobs
--port, --block-message, --workspace, --disable-redaction, --restart / --no-restart, --verify / --no-verify, plus --disable (teardown). The disable-redaction toggle emits a prominent warning so you don't ship un-redacted prompts to external sinks by accident; --disable collapses the command to the guardrail-off verb.
Conventions the generator follows
- `--non-interactive` is always emitted — the whole point of this page is producing a flag-driven command. Drop the flag if you want the wizard to prompt for anything the generator left blank.
- `defenseclaw setup guardrail` is always the generated verb. Connector aliases (`defenseclaw setup claude-code`, `defenseclaw setup omnigent`, etc.) default to observe mode but also accept action mode and a smaller connector-specific flag surface; the guardrail verb works for all thirteen connectors and remains the documented CI path.
- Values containing whitespace or shell metacharacters are POSIX-quoted. Single quotes wrap any token outside the safe alphanumeric + `_./:@-` allow-list, with the standard `'\''` escape for embedded apostrophes. Copy-paste into `bash`, `zsh`, `dash`, or `fish` (interactive mode) without surprises.
- Conflicting choices surface as warnings, not errors. The generator never refuses to build a command — if you ask for `--human-approval` in observe mode, the flag is omitted (matching CLI behaviour) and a note explains why. Mistakes you should think about live in the Notes & validation panel.
- Only the selected judge provider's auth block is emitted. Bedrock, Vertex AI, and Azure OpenAI each have their own `--judge-bedrock-*` / `--judge-vertex-*` / `--judge-azure-*` flag family. Picking a provider hides the other two families so you never ship a command mixing Vertex credentials into a Bedrock judge. Repeatable flags (Bedrock/Azure deployment aliases) accept one entry per line and expand to one flag occurrence each.
- `--disable` is a teardown verb, so it collapses the command. Toggling Disable guardrail drops every configuration flag and emits exactly `defenseclaw setup guardrail --disable`. The CLI returns before reading any other flag — including `--connector` — so this teardown is global; the panel points you at `defenseclaw guardrail disable --connector <id>` when you need a connector-scoped teardown instead.
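The conventions above are concrete enough to check offline. The following Python is an added illustration written for this page; it is not the generator's source and not DefenseClaw's code. It re-implements the documented rules (always emit `--non-interactive`, POSIX-quote anything outside the `_./:@-` allow-list with the `'\''` apostrophe escape, drop `--human-approval` and `--rule-pack` outside action mode with a warning instead of an error, collapse everything to `--disable`), then round-trips the rendered line through a POSIX splitter to show the quoting survives. It deliberately covers only flags named on this page; the Cisco endpoint and judge-auth flag families are omitted because their exact names are not given here, and the multi-line layout simply mirrors the generated command shown above.

```python
import re
import shlex

# The page's allow-list: alphanumerics plus _ . / : @ - never need quoting.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_./:@-]+$")


def posix_quote(token: str) -> str:
    """Single-quote any token outside the allow-list.

    An embedded apostrophe uses the standard '\\'' sequence: close the quoted
    region, emit an escaped apostrophe, reopen the quoted region.
    """
    if token == "":
        return "''"
    if SAFE_TOKEN.match(token):
        return token
    return "'" + token.replace("'", "'\\''") + "'"


def build_command(connector, mode="observe", scanner_mode="local",
                  detection_strategy="regex_only", rule_pack=None,
                  human_approval=False, block_message=None, disable=False):
    """Return (argv, warnings) following the generator's documented rules.

    Conflicting choices become warnings, never errors: a command is always built.
    Only flags named on the docs page are modelled here (illustrative subset).
    """
    warnings = []
    verb = ["defenseclaw", "setup", "guardrail"]

    if disable:
        # Teardown verb: the command collapses and the CLI stops reading flags.
        warnings.append(
            "--disable is global (--connector is ignored); use "
            "'defenseclaw guardrail disable --connector <id>' for one connector")
        return verb + ["--disable"], warnings

    # --non-interactive is always emitted.
    argv = verb + ["--non-interactive",
                   "--connector", connector,
                   "--mode", mode,
                   "--scanner-mode", scanner_mode,
                   "--detection-strategy", detection_strategy]

    if rule_pack is not None:
        if mode == "action":
            argv += ["--rule-pack", rule_pack]
        else:
            warnings.append("--rule-pack only applies in action mode; omitted")

    if human_approval:
        if mode == "action":
            argv.append("--human-approval")
        else:
            # Matches CLI behaviour: HITL never fires in observe mode.
            warnings.append("HITL only fires in action mode; --human-approval omitted")

    if block_message is not None:
        argv += ["--block-message", block_message]

    return argv, warnings


def render(argv):
    """One copy-pasteable line; only tokens outside the allow-list get quoted."""
    return " ".join(posix_quote(tok) for tok in argv)


def render_multiline(argv):
    """Docs-page layout: verb on the first line, one flag (with its value) per line.

    A token that does not start with '--' is treated as the value of the
    preceding flag; good enough for the flags modelled above.
    """
    lines = [" ".join(argv[:3])]
    i = 3
    while i < len(argv):
        if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            lines.append(f"  {argv[i]} {posix_quote(argv[i + 1])}")
            i += 2
        else:
            lines.append(f"  {argv[i]}")
            i += 1
    return " \\\n".join(lines)


def roundtrips(argv):
    """True when a POSIX word splitter turns the rendered line back into argv."""
    return shlex.split(render(argv)) == argv


if __name__ == "__main__":
    # Constructed sample: action mode with HITL and a message containing an apostrophe.
    argv, warnings = build_command("codex", mode="action", rule_pack="strict",
                                   human_approval=True,
                                   block_message="Blocked: it's risky; ask security")
    print(render_multiline(argv))
    for w in warnings:
        print("note:", w)
```

The round-trip check is the part worth keeping when you adapt this: any quoting scheme for generated shell commands should be verified by splitting the output back into the original argument vector rather than by eyeballing it, because an unquoted `;`, `$(` or apostrophe in a `--block-message` value changes what the shell executes.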
Related
defenseclaw setup guardrail
The narrative reference for every flag, including the three interactive-only prompts.
HITL
Per-connector native-ask events, explicit fallbacks, and the decision flow.
Capability matrix
Connector × capability comparison the generator reads from at build time.
CLI commands
Full CLI surface — first run, setup, audit, scanning, gateway control, status.
Overview
DefenseClaw is the Cisco governance layer for AI coding agents — scan capabilities before they run, inspect runtime traffic, and export durable audit evidence across thirteen first-class connectors.
Terminal UI (TUI)
The DefenseClaw terminal UI — a keyboard-driven dashboard over the defenseclaw CLI. How to open it and a tour of the panels.