Connectors
Thirteen first-class connectors — OpenClaw, ZeptoClaw, Claude Code, Codex, Cursor, Windsurf, Gemini CLI, GitHub Copilot CLI, OpenHands, Antigravity, Hermes, OpenCode, OmniGent — with a single enforcement contract.
Connectors are the adapter layer between agent frameworks and DefenseClaw's guardrail proxy. Each connector owns all security surfaces for its agent: LLM traffic routing, tool call inspection, agent hook events, component scanning, CodeGuard file scanning, and subprocess enforcement.
The two families
Proxy connectors
OpenClaw, ZeptoClaw. DefenseClaw sits in the LLM data path — every request and response is intercepted, scored, and forwarded.
Hook connectors
Claude Code, Codex, Cursor, Windsurf, Gemini CLI, GitHub Copilot CLI, OpenHands, Antigravity, Hermes, OpenCode, OmniGent. DefenseClaw wires into the agent's native lifecycle hooks or policy API; the agent talks directly to its upstream.
Compatibility contracts
Versioned hook contracts, setup-time connector version checks, and the runtime hook_contract_lock.json.
One gateway, many hook connectors. A single DefenseClaw gateway can serve several hook connectors at once, each with its own guardrail posture under guardrail.connectors.<name> — pick Add (not Replace) when you run a second setup <connector>. Proxy connectors (OpenClaw, ZeptoClaw) bind a listener and own the traffic plane, so they can't be multi peers. See Multi-connector.
Pick yours
Capability summary
| Connector | Family | Tool inspection | Subprocess policy | Block | Native ask | Fail-closed | HITL behavior |
|---|---|---|---|---|---|---|---|
| Claude Code (claudecode) | hooks | pre-execution + response-scan | sandbox | ✓ | ✓ PreToolUse | ✓ | Claude Code supports native PreToolUse ask prompts. CRITICAL findings still block; HIGH findings can pause for approval. |
| Codex (codex) | hooks | pre-execution + response-scan | sandbox | ✓ | · | ✓ | Codex has no native ask surface here; confirm becomes an alert/systemMessage with raw_action preserved. The TUI can review the event but cannot resume it. |
| OpenClaw (openclaw) | proxy | pre-execution + response-scan | sandbox | ✓ | ✓ before_tool_call | ✓ | OpenClaw supports DefenseClaw approval prompts for tool actions. Approvals reach chat-origin sessions via the bundled plugin. |
| Cursor (cursor) | hooks | pre-execution + response-scan | none | ✓ | ✓ beforeShellExecution, beforeMCPExecution | ✓ | Cursor supports native ask only on documented ask-capable hook events (beforeShellExecution, beforeMCPExecution). |
| Hermes (hermes) | hooks | pre-execution + response-scan | none | ✓ | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| OpenCode (opencode) | hooks | pre-execution + response-scan | none | ✓ | · | ✓ | No native human-approval surface; blocks by throwing in the bridge plugin's tool.execute.before. confirm verdicts fall back to allow. |
| OmniGent (omnigent) | hooks | pre-execution + response-scan | none | ✓ | ✓ UserPromptSubmit, PreToolUse, BeforeModel | ✓ | OmniGent parks request, tool_call, and llm_request policy phases for native ASK approval; post-action confirm verdicts use the configured fallback. |
| Gemini CLI (geminicli) | hooks | pre-execution + response-scan | none | ✓ | · | ✓ | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| GitHub Copilot CLI (copilot) | hooks | pre-execution + response-scan | none | ✓ | ✓ preToolUse | · | Copilot CLI supports native ask on documented preToolUse hooks. |
| OpenHands (openhands) | hooks | pre-execution + response-scan | none | ✓ | · | ✓ | OpenHands has no native ask surface in the documented hook contract; confirm verdicts are downgraded with raw_action preserved and optional additionalContext returned to the agent. |
| Antigravity (antigravity) | hooks | pre-execution + response-scan | none | ✓ | ✓ PreToolUse | · | Antigravity has an empirically verified native ask on PreToolUse. Returning decision=ask there overrides agy's --dangerously-skip-permissions flag; force_ask is retained only as internal raw_action telemetry. |
| Windsurf (windsurf) | hooks | pre-execution + response-scan | none | ✓ | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| ZeptoClaw (zeptoclaw) | proxy | pre-execution + response-scan | sandbox | ✓ | · | ✓ | ZeptoClaw has no native ask surface; confirm uses its explicit fallback with raw_action preserved for TUI/audit review. There is no resumable approval. |
For the full breakdown including HITL behaviour, head to the Capability Matrix. For deterministic hook version pinning, see Connector Compatibility.
How a connector is structured
The interface is defined in internal/gateway/connector/connector.go; each per-connector file (claudecode.go, codex.go, cursor.go via hook_only.go, ...) implements it.