Codex

The Codex connector wires DefenseClaw into Codex's documented config.toml hooks (UserPromptSubmit, PreToolUse, PermissionRequest, PostToolUse, Stop, SessionStart), the native OpenTelemetry (OTel) exporter, and the notify bridge for agent-turn-complete events.

The Codex connector is hook-only. There is no LLM-proxy data path — Codex talks directly to its native upstream (api.openai.com or the ChatGPT backend) and DefenseClaw observes via hooks + native OTel.

mode=action is fully supported here, hook-natively. When guardrail.mode=action (or defenseclaw setup codex --mode action), the PreToolUse hook returns a permissionDecision: "deny" verdict on policy hits and Codex blocks the tool call inside its own permission flow. No proxy listener is involved.

Setup

defenseclaw setup codex                # observe (default) — record only
defenseclaw setup codex --mode action  # block on policy hits via PreToolUse deny

setup codex is shorthand for setup guardrail --connector codex: it adds or reconfigures Codex, wires hooks + OTel + notify bridge, and can join an existing hook-connector roster when you choose Add. No proxy listener binds for Codex in either mode.

What this command sets vs. leaves at defaults

The three flags above explicitly set: connector, mode, and post-setup restart. Every other knob falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

| Knob | Value when omitted | Flag to override |
| --- | --- | --- |
| Policy mode | observe (record only) | --mode observe\|action |
| Scanner backend | local (bundled regex packs, zero key) | --scanner-mode local\|remote\|both |
| Rule pack | unset → built-in baseline (no overlay) | --rule-pack default\|strict\|permissive |
| LLM judge | off (regex-only triage) | --judge-model <model> plus --judge-api-key-env |
| Detection strategy | regex_judge if judge is on, else regex-only | --detection-strategy regex_only\|regex_judge\|judge_first |
| HITL | off (no operator approval prompts) | --human-approval plus --hilt-min-severity ... |
| Hook fail-mode | current config; closed on a fresh install (open is retained for migrated legacy configs) | defenseclaw guardrail fail-mode <open\|closed> (no flag) |
| Block message | empty (uses built-in copy) | --block-message "<text>" |
| Redaction | enabled | --disable-redaction (trusted single-tenant only) |
| Verify after setup | on | --no-verify |

See the full flag reference for the complete table or run defenseclaw setup guardrail --help.

Files DefenseClaw will modify

config.toml ([hooks], [otel], [notify] blocks)

The [hooks], [otel], and [notify] blocks are owned by DefenseClaw; everything else in config.toml is preserved verbatim.

Hook capabilities

Block events

  • UserPromptSubmit
  • PreToolUse
  • PermissionRequest
  • PostToolUse
  • Stop

Native ask events

None — confirm verdicts are downgraded with the raw action preserved.

Codex has no native ask surface here. Confirm verdicts become an alert/system message with raw_action preserved so operators can review the original action in audit or the TUI. That review cannot resume the hook call.

Telemetry channels at boot

  • Agent runtime: Codex
  • Connector: UserPromptSubmit / PreToolUse / PermissionRequest / PostToolUse / Stop / SessionStart
  • Connector: Native OTel exporter
  • Connector: Notify bridge (agent-turn-complete)
  • Control plane: defenseclaw-gateway

Three independent channels make Codex one of the most thoroughly inspected agents.

Disable

defenseclaw setup guardrail --disable