Connectors

Claude Code

Claude Code connector wires the documented lifecycle hook set plus native OTel. Fourteen current events can return block decisions, and PreToolUse supports native HITL ask.

The Claude Code connector wires DefenseClaw into Anthropic's documented hook surfaces without inserting a proxy in the data path. Claude Code talks directly to its native upstream; DefenseClaw inspects via hooks + native OTel.

The Claude Code connector is hook-only. There is no LLM-proxy data path — Claude Code talks directly to api.anthropic.com and DefenseClaw observes via hooks + native OTel.

mode=action is fully supported here, hook-natively. When guardrail.mode=action (or defenseclaw setup claude-code --mode action), the PreToolUse hook returns a permissionDecision: "deny" verdict on policy hits and Claude Code blocks the tool call inside its own permission flow — including the HITL ask dialog when --human-approval is on. No proxy listener is involved.

Setup

defenseclaw setup claude-code                # observe (default) — record only
defenseclaw setup claude-code --mode action  # block on policy hits via PreToolUse deny

setup claude-code is shorthand for setup guardrail --connector claudecode: it adds or reconfigures Claude Code, wires hooks + native OTel, and can join an existing hook-connector roster when you choose Add. No proxy listener binds for Claude Code in either mode.

What this command sets vs. leaves at defaults

Every other knob falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

KnobValue when omittedFlag to override
Policy modeobserve (record only)--mode observe|action
Scanner backendlocal (bundled regex packs, zero key)--scanner-mode local|remote|both
Rule packunset → built-in baseline (no overlay)--rule-pack default|strict|permissive
LLM judgeoff (regex-only triage)--judge-model <model> plus --judge-api-key-env
Detection strategyregex_judge if judge is on, else regex-only--detection-strategy regex_only|regex_judge|judge_first
HITL minimum severityHIGH (when --human-approval is on; stored uppercase in config)--hilt-min-severity low|medium|high|critical (case-insensitive)
Hook fail-modecurrent config; closed on a fresh install (open is retained for migrated legacy configs)defenseclaw guardrail fail-mode <open|closed> (no flag)
Block messageempty (uses built-in copy)--block-message "<text>"
Redactionenabled--disable-redaction (trusted single-tenant only)
Verify after setupon--no-verify

See the full flag reference for the complete table or run defenseclaw setup guardrail --help.

Files DefenseClaw will modify

settings.json (hooks block + OTEL_* env vars + CLAUDE_CODE_ENABLE_TELEMETRY)

DefenseClaw stores a hash-checked backup of settings.json before edits. Teardown restores it byte-for-byte; if the file drifted, only DefenseClaw-owned entries are surgically removed.

Hook capabilities

Block events

  • UserPromptSubmit
  • UserPromptExpansion
  • PreToolUse
  • PermissionRequest
  • PostToolUse
  • PostToolBatch
  • TaskCreated
  • TaskCompleted
  • TeammateIdle
  • Stop
  • SubagentStop
  • PreCompact
  • Elicitation
  • ElicitationResult

Native ask events

  • PreToolUse

Claude Code is one of the few connectors that supports native PreToolUse ask. HITL approvals surface inside the agent UI itself, so the operator never has to leave Claude Code to decide.

Telemetry channels at boot

Agent runtimeClaude Code
ConnectorPreToolUse / PostToolUse /UserPromptSubmit / Stop /PermissionRequest hooks
ConnectorNative OTel exporter(env-driven)
Control planedefenseclaw-gateway
Two telemetry channels: hooks for per-tool-call decisions and native OTel for raw model/token telemetry.

Disable

defenseclaw setup guardrail --disable