Connectors

Thirteen first-class connectors — OpenClaw, ZeptoClaw, Claude Code, Codex, Cursor, Windsurf, Gemini CLI, GitHub Copilot CLI, OpenHands, Antigravity, Hermes, OpenCode, OmniGent — with a single enforcement contract.

Connectors are the adapter layer between agent frameworks and DefenseClaw's guardrail proxy. Each connector owns all security surfaces for its agent: LLM traffic routing, tool call inspection, agent hook events, component scanning, CodeGuard file scanning, and subprocess enforcement.

The two families

Proxy connectors

OpenClaw, ZeptoClaw. DefenseClaw sits in the LLM data path — every request and response is intercepted, scored, and forwarded.

Hook connectors

Claude Code, Codex, Cursor, Windsurf, Gemini CLI, GitHub Copilot CLI, OpenHands, Antigravity, Hermes, OpenCode, OmniGent. DefenseClaw wires into the agent's native lifecycle hooks or policy API; the agent talks directly to its upstream.

Compatibility contracts

Versioned hook contracts, setup-time connector version checks, and the runtime hook_contract_lock.json.

One gateway, many hook connectors. A single DefenseClaw gateway can serve several hook connectors at once, each with its own guardrail posture under guardrail.connectors.<name> — pick Add (not Replace) when you run a second setup <connector>. Proxy connectors (OpenClaw, ZeptoClaw) bind a listener and own the traffic plane, so they can't be multi peers. See Multi-connector.

Capability summary

| Connector | Family | Tool inspection | Subprocess policy | Block | Native ask | Fail-closed | HITL behavior |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Claude Code (claudecode) | hooks | pre-execution + response-scan | sandbox | | PreToolUse | | Claude Code supports native PreToolUse ask prompts. CRITICAL findings still block; HIGH findings can pause for approval. |
| Codex (codex) | hooks | pre-execution + response-scan | sandbox | | · | | Codex has no native ask surface here; confirm becomes an alert/systemMessage with raw_action preserved. The TUI can review the event but cannot resume it. |
| OpenClaw (openclaw) | proxy | pre-execution + response-scan | sandbox | | before_tool_call | | OpenClaw supports DefenseClaw approval prompts for tool actions. Approvals reach chat-origin sessions via the bundled plugin. |
| Cursor (cursor) | hooks | pre-execution + response-scan | none | | beforeShellExecution, beforeMCPExecution | | Cursor supports native ask only on documented ask-capable hook events (beforeShellExecution, beforeMCPExecution). |
| Hermes (hermes) | hooks | pre-execution + response-scan | none | | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| OpenCode (opencode) | hooks | pre-execution + response-scan | none | | · | | No native human-approval surface; blocks by throwing in the bridge plugin's tool.execute.before. confirm verdicts fall back to allow. |
| OmniGent (omnigent) | hooks | pre-execution + response-scan | none | | UserPromptSubmit, PreToolUse, BeforeModel | | OmniGent parks request, tool_call, and llm_request policy phases for native ASK approval; post-action confirm verdicts use the configured fallback. |
| Gemini CLI (geminicli) | hooks | pre-execution + response-scan | none | | · | | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| GitHub Copilot CLI (copilot) | hooks | pre-execution + response-scan | none | | preToolUse | · | Copilot CLI supports native ask on documented preToolUse hooks. |
| OpenHands (openhands) | hooks | pre-execution + response-scan | none | | · | | OpenHands has no native ask surface in the documented hook contract; confirm verdicts are downgraded with raw_action preserved and optional additionalContext returned to the agent. |
| Antigravity (antigravity) | hooks | pre-execution + response-scan | none | | PreToolUse | · | Antigravity has an empirically verified native ask on PreToolUse. Returning decision=ask there overrides agy's --dangerously-skip-permissions flag; force_ask is retained only as internal raw_action telemetry. |
| Windsurf (windsurf) | hooks | pre-execution + response-scan | none | | · | · | Can block supported hook events but has no native human-approval surface; confirm verdicts fall back explicitly. |
| ZeptoClaw (zeptoclaw) | proxy | pre-execution + response-scan | sandbox | | · | | ZeptoClaw has no native ask surface; confirm uses its explicit fallback with raw_action preserved for TUI/audit review. There is no resumable approval. |

For the full breakdown including HITL behaviour, head to the Capability Matrix. For deterministic hook version pinning, see Connector Compatibility.
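
The confirm-verdict handling that the capability summary describes, as an added Go sketch that is not DefenseClaw's own code. The askEvents map copies the ask-capable hook events listed in the summary; Decision, Resolve, the severity-to-verdict mapping and the fallback parameter are assumptions made for illustration.

```go
package main

import "fmt"

// askEvents mirrors the "Native ask" entries of the capability summary:
// the hook events on which each connector can pause for human approval.
var askEvents = map[string][]string{
	"claudecode":  {"PreToolUse"},
	"openclaw":    {"before_tool_call"},
	"cursor":      {"beforeShellExecution", "beforeMCPExecution"},
	"omnigent":    {"UserPromptSubmit", "PreToolUse", "BeforeModel"},
	"copilot":     {"preToolUse"},
	"antigravity": {"PreToolUse"},
}

// Decision is a hypothetical result type: Action is what the agent is
// told, RawAction keeps the original verdict for audit review.
type Decision struct{ Action, RawAction string }

// Resolve maps a finding onto what the connector can express. Assumed
// policy: CRITICAL blocks, HIGH asks for confirmation, anything else is
// allowed. fallback is the operator's choice for confirm verdicts that
// cannot be asked natively (hypothetical parameter).
func Resolve(connector, event, severity, fallback string) Decision {
	switch severity {
	case "CRITICAL":
		return Decision{"block", "block"}
	case "HIGH":
		for _, e := range askEvents[connector] {
			if e == event {
				return Decision{"ask", "confirm"}
			}
		}
		return Decision{fallback, "confirm"} // downgraded, raw_action kept
	}
	return Decision{"allow", "allow"}
}

func main() {
	// Constructed inputs: "other_event" is a placeholder, not a real hook name.
	fmt.Println(Resolve("cursor", "beforeShellExecution", "HIGH", "alert"))
	fmt.Println(Resolve("cursor", "other_event", "HIGH", "alert"))
	fmt.Println(Resolve("opencode", "tool.execute.before", "HIGH", "allow"))
	fmt.Println(Resolve("codex", "other_event", "CRITICAL", "alert"))
}
```

The second and third calls show the case worth auditing: a confirm verdict that the connector cannot ask about is downgraded to the fallback, and only RawAction records that approval was wanted.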

How a connector is structured

ConnectorSetup(ctx, opts): write hook scripts, back up agent files, register routes
ConnectorAuthenticate(r): verify gateway token
ConnectorRoute(r, body): extract upstream + model + stream + headers
ConnectorTeardown(ctx, opts): restore agent files
ConnectorVerifyClean(opts): no residual artifacts

Every connector implements the same Go interface; the gateway routes traffic generically once a connector has resolved its signals.

The interface is defined in internal/gateway/connector/connector.go; each per-connector file (claudecode.go, codex.go, cursor.go via hook_only.go, ...) implements it.