Codex
Codex connector wires config.toml hooks (UserPromptSubmit, PreToolUse, PermissionRequest, PostToolUse, Stop, SessionStart), the native OTel exporter, and the notify bridge for agent-turn-complete events.
The Codex connector wires DefenseClaw into Codex's documented hooks, native OpenTelemetry exporter, and the notify bridge for agent-turn-complete events.
The Codex connector is hook-only. There is no LLM-proxy data path — Codex talks directly to its native upstream (api.openai.com or the ChatGPT backend) and DefenseClaw observes via hooks + native OTel.
mode=action is fully supported here, hook-natively. When guardrail.mode=action (or defenseclaw setup codex --mode action), the PreToolUse hook returns a permissionDecision: "deny" verdict on policy hits and Codex blocks the tool call inside its own permission flow. No proxy listener is involved.
Setup
defenseclaw setup codex # observe (default) — record only
defenseclaw setup codex --mode action # block on policy hits via PreToolUse deny
setup codex is shorthand for setup guardrail --connector codex: it adds or reconfigures Codex, wires hooks + OTel + notify bridge, and can join an existing hook-connector roster when you choose Add. No proxy listener binds for Codex in either mode.
What this command sets vs. leaves at defaults
The three flags above explicitly set: connector, mode, and post-setup restart. Every other knob falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.
| Knob | Value when omitted | Flag to override |
|---|---|---|
| Policy mode | observe (record only) | --mode observe\|action |
| Scanner backend | local (bundled regex packs, zero key) | --scanner-mode local\|remote\|both |
| Rule pack | unset → built-in baseline (no overlay) | --rule-pack default\|strict\|permissive |
| LLM judge | off (regex-only triage) | --judge-model <model> plus --judge-api-key-env |
| Detection strategy | regex_judge if judge is on, else regex-only | --detection-strategy regex_only\|regex_judge\|judge_first |
| HITL | off (no operator approval prompts) | --human-approval plus --hilt-min-severity ... |
| Hook fail-mode | current config; closed on a fresh install (open is retained for migrated legacy configs) | defenseclaw guardrail fail-mode <open\|closed> (no flag) |
| Block message | empty (uses built-in copy) | --block-message "<text>" |
| Redaction | enabled | --disable-redaction (trusted single-tenant only) |
| Verify after setup | on | --no-verify |
See the full flag reference for the complete table or run defenseclaw setup guardrail --help.
Files DefenseClaw will modify
The [hooks], [otel], and [notify] blocks are owned by DefenseClaw; everything else in config.toml is preserved verbatim.
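A check for the ownership claim above, as an added example (not DefenseClaw's own code): it compares a backup of config.toml taken before setup with the file afterwards and reports every table outside [hooks], [otel] and [notify] whose text changed. The function names and sample configs are constructed for illustration, and it assumes the owned blocks appear as TOML tables under the names given above.

```python
import re

# Blocks the page says DefenseClaw owns in config.toml.
OWNED = {"hooks", "otel", "notify"}

# Table header such as [hooks], [hooks.PreToolUse] or [[hooks.x]];
# group 1 is the root table name.
HEADER = re.compile(
    r"^\s*\[\[?\s*([A-Za-z0-9_-]+)(\.[^\],]+)?\s*\]\]?\s*(#.*)?$"
)


def unowned_lines(text):
    """Map root table name -> non-blank lines, skipping owned blocks.

    Line-based on purpose, because the claim is about verbatim text; this
    is not a full TOML parser. Keys before the first table header are
    grouped under "<top-level>" and treated as not owned.
    """
    root, out = "<top-level>", {}
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            root = match.group(1)
        if root not in OWNED and line.strip():
            out.setdefault(root, []).append(line.rstrip())
    return out


def unexpected_changes(before, after):
    """Root tables outside OWNED whose text differs between two versions."""
    old, new = unowned_lines(before), unowned_lines(after)
    return sorted(r for r in old.keys() | new.keys() if old.get(r) != new.get(r))


# Constructed sample configs; keys and values are illustrative only.
BEFORE = 'model = "example-model"\n\n[profiles.work]\napproval_policy = "on-request"\n'
AFTER_OK = BEFORE + '\n[hooks]\nplaceholder = "written by setup"\n\n[otel]\nplaceholder = "written by setup"\n'
AFTER_CHANGED = AFTER_OK.replace("on-request", "never")

if __name__ == "__main__":
    print("owned-only change:", unexpected_changes(BEFORE, AFTER_OK))
    print("unowned change:   ", unexpected_changes(BEFORE, AFTER_CHANGED))
```

To use it on a real install, copy config.toml before running setup and pass the text of both files to `unexpected_changes`; an empty list means only owned blocks differ.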
Hook capabilities
Block events
- UserPromptSubmit
- PreToolUse
- PermissionRequest
- PostToolUse
- Stop
Native ask events
None — confirm verdicts are downgraded with the raw action preserved.
Codex has no native ask surface here. Confirm verdicts become an alert/system message with raw_action preserved so operators can review the original action in audit or the TUI. That review cannot resume the hook call.
Telemetry channels at boot
Disable
defenseclaw setup guardrail --disable