Claude Code
Claude Code connector wires the documented lifecycle hook set plus native OTel. Fourteen current events can return block decisions, and PreToolUse supports native HITL ask.
The Claude Code connector wires DefenseClaw into Anthropic's documented hook surfaces without inserting a proxy in the data path. Claude Code talks directly to its native upstream; DefenseClaw inspects via hooks + native OTel.
The Claude Code connector is hook-only. There is no LLM-proxy data path — Claude Code talks directly to api.anthropic.com and DefenseClaw observes via hooks + native OTel.
mode=action is fully supported here, hook-natively. When guardrail.mode=action (or defenseclaw setup claude-code --mode action), the PreToolUse hook returns a permissionDecision: "deny" verdict on policy hits and Claude Code blocks the tool call inside its own permission flow — including the HITL ask dialog when --human-approval is on. No proxy listener is involved.
Setup
defenseclaw setup claude-code # observe (default) — record only
defenseclaw setup claude-code --mode action # block on policy hits via PreToolUse denysetup claude-code is shorthand for setup guardrail --connector claudecode: it adds or reconfigures Claude Code, wires hooks + native OTel, and can join an existing hook-connector roster when you choose Add. No proxy listener binds for Claude Code in either mode.
What this command sets vs. leaves at defaults
Every other knob falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.
| Knob | Value when omitted | Flag to override |
|---|---|---|
| Policy mode | observe (record only) | --mode observe|action |
| Scanner backend | local (bundled regex packs, zero key) | --scanner-mode local|remote|both |
| Rule pack | unset → built-in baseline (no overlay) | --rule-pack default|strict|permissive |
| LLM judge | off (regex-only triage) | --judge-model <model> plus --judge-api-key-env |
| Detection strategy | regex_judge if judge is on, else regex-only | --detection-strategy regex_only|regex_judge|judge_first |
| HITL minimum severity | HIGH (when --human-approval is on; stored uppercase in config) | --hilt-min-severity low|medium|high|critical (case-insensitive) |
| Hook fail-mode | current config; closed on a fresh install (open is retained for migrated legacy configs) | defenseclaw guardrail fail-mode <open|closed> (no flag) |
| Block message | empty (uses built-in copy) | --block-message "<text>" |
| Redaction | enabled | --disable-redaction (trusted single-tenant only) |
| Verify after setup | on | --no-verify |
See the full flag reference for the complete table or run defenseclaw setup guardrail --help.
Files DefenseClaw will modify
DefenseClaw stores a hash-checked backup of settings.json before edits. Teardown restores it byte-for-byte; if the file drifted, only DefenseClaw-owned entries are surgically removed.
Hook capabilities
Block events
- UserPromptSubmit
- UserPromptExpansion
- PreToolUse
- PermissionRequest
- PostToolUse
- PostToolBatch
- TaskCreated
- TaskCompleted
- TeammateIdle
- Stop
- SubagentStop
- PreCompact
- Elicitation
- ElicitationResult
Native ask events
- PreToolUse
Claude Code is one of the few connectors that supports native PreToolUse ask. HITL approvals surface inside the agent UI itself, so the operator never has to leave Claude Code to decide.
Telemetry channels at boot
Disable
defenseclaw setup guardrail --disableConnector Compatibility
Versioned hook contracts, setup-time compatibility checks, and the runtime hook contract lock for DefenseClaw connectors.
Codex
Codex connector wires config.toml hooks (UserPromptSubmit, PreToolUse, PermissionRequest, PostToolUse, Stop, SessionStart), the native OTel exporter, and the notify bridge for agent-turn-complete events.