Connectors
Nine first-class connectors — OpenClaw, ZeptoClaw, Claude Code, Codex, Cursor, Windsurf, Gemini CLI, GitHub Copilot CLI, Hermes — with a single enforcement contract.
Connectors are the adapter layer between agent frameworks and DefenseClaw's guardrail proxy. Each connector owns all security surfaces for its agent: LLM traffic routing, tool call inspection, agent hook events, component scanning, CodeGuard file scanning, and subprocess enforcement.
The two families
Proxy connectors
OpenClaw, ZeptoClaw. DefenseClaw sits in the LLM data path — every request and response is intercepted, scored, and forwarded.
Hook connectors
Claude Code, Codex, Cursor, Windsurf, Gemini CLI, GitHub Copilot CLI, Hermes. DefenseClaw wires into the agent's native lifecycle hooks; the agent talks directly to its upstream.
Pick yours
OpenClaw
Reference proxy connector with the bundled fetch interceptor and before_tool_call plugin.
ZeptoClaw
api_base redirect into the DefenseClaw proxy plus response-scan.
Claude Code
Native hooks (PreToolUse, PostToolUse, UserPromptSubmit, Stop, PermissionRequest) + native OTel exporter.
Codex
config.toml hooks + native OTel + notify bridge for agent-turn-complete events.
Cursor
hooks.json with native ask on beforeShellExecution and beforeMCPExecution.
Windsurf
Cascade hooks across pre_user_prompt, pre_run_command, pre_mcp_tool_use.
Gemini CLI
settings.json hooks + native OTLP exporter pointing at the gateway.
GitHub Copilot CLI
Workspace-scoped hooks under .github/hooks/.
Hermes
config.yaml hooks for the Hermes agent runtime.
Capability summary
| Connector | Family | Tool inspection | Subprocess policy | Block | Native ask | Fail-closed | HITL behavior |
|---|---|---|---|---|---|---|---|
| Claude Code claudecode | hooks | pre-execution + response-scan | sandbox | ✓ | ✓ PreToolUse | ✓ | Claude Code supports native PreToolUse ask prompts. CRITICAL findings still block; HIGH findings can pause for approval. |
| Codex codex | hooks | pre-execution + response-scan | sandbox | ✓ | · | ✓ | Codex has no native ask surface here; confirm verdicts are downgraded with raw_action preserved. HITL routes through TUI / OpenClaw plugin. |
| OpenClaw openclaw | proxy | pre-execution + response-scan | sandbox | ✓ | ✓ before_tool_call | ✓ | OpenClaw supports DefenseClaw approval prompts for tool actions. Approvals reach chat-origin sessions via the bundled plugin. |
| Cursor cursor | hooks | pre-execution + response-scan | none | ✓ | ✓ beforeShellExecution, beforeMCPExecution | ✓ | Cursor supports native ask only on documented ask-capable hook events (beforeShellExecution, beforeMCPExecution). |
| Hermes hermes | hooks | pre-execution + response-scan | none | ✓ | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| Gemini CLI geminicli | hooks | pre-execution + response-scan | none | ✓ | · | ✓ | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| GitHub Copilot CLI copilot | hooks | pre-execution + response-scan | none | ✓ | ✓ preToolUse, PreToolUse | · | Copilot CLI supports native ask on documented preToolUse hooks. |
| Windsurf windsurf | hooks | pre-execution + response-scan | none | ✓ | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| ZeptoClaw zeptoclaw | proxy | pre-execution + response-scan | sandbox | ✓ | · | ✓ | ZeptoClaw has no native ask surface; confirm verdicts are downgraded with raw_action preserved so operators can review in TUI/audit. |
For the full breakdown including HITL behaviour, head to the Capability Matrix.
How a connector is structured
The interface is defined in internal/gateway/connector/connector.go; each per-connector file (claudecode.go, codex.go, cursor.go via hook_only.go, ...) implements it.
Setup registries
Subscribe DefenseClaw to public or internal skill / MCP catalogs. Sources are fetched, scanned, and clean entries are auto-promoted into asset_policy so admission decisions can attribute the rule back to its origin.
Claude Code
Claude Code connector wires PreToolUse, PostToolUse, UserPromptSubmit, Stop, and PermissionRequest hooks plus the native OTel exporter. Native ask is supported on PreToolUse for HITL.