Connectors

Connector Compatibility

Versioned hook contracts, setup-time compatibility checks, and the runtime hook contract lock for DefenseClaw connectors.

DefenseClaw tracks hook connector compatibility with a packaged JSON manifest at cli/defenseclaw/inventory/hook_contracts.json. The manifest maps each connector version range to the hook contract DefenseClaw knows how to install, parse, evaluate, and respond to.

Current contracts

ConnectorGateSupported connector versionsContract / hook scriptAID surfaces
OpenClawproxy, not hook-gatednot gated by hook contractn/aproxy request/response
ZeptoClawproxy, not hook-gatednot gated by hook contractn/aproxy request/response
Codexhook contract>=0.124.0codex-hooks-v1 / v6prompt, tool_call, tool_result
Claude Codehook contract>=2.1.144claudecode-hooks-v1 / v6prompt, tool_call, tool_result, event_content
Hermeshook contract>=0.11.0hermes-hooks-v1 / v6prompt, tool_call, tool_result, event_content
Cursorhook contract>=1.7.0cursor-hooks-v1 / v6prompt, tool_call, tool_result
Windsurfhook contract>=1.12.41windsurf-hooks-v1 / v6prompt, tool_call, tool_result
Gemini CLIhook contract>=0.26.0geminicli-hooks-v1 / v6prompt, tool_call, tool_result
GitHub Copilot CLIhook contract>=1.0.18copilot-hooks-v1 / v6prompt, tool_call, tool_result
OpenHandshook contractunversioned / documented hooks; tested with OpenHands CLI 1.16.0openhands-hooks-v1 / v6prompt, tool_call, tool_result, event_content
Antigravityhook contract>=1.0.0antigravity-hooks-v2 / v7prompt, tool_call, tool_result
OpenCodehook contractunversioned / plugin API; tested with opencode 1.16.2opencode-hooks-v1 / v6tool_call, tool_result
OmniGenthook contractunversioned / documented custom-policy APIomnigent-custom-policy-v1 / v1prompt, tool_call, tool_result

DefenseClaw leaves max_exclusive empty until an upstream release publishes a breaking hook change. Future versions are tracked through hook_contract_lock.json and doctor drift checks rather than a guessed major-version cap.

The floors come from upstream release notes or current vendor docs: Codex 0.124.0 is the stable-hooks release, Gemini CLI 0.26.0 enabled hooks by default, Cursor 1.7.0 introduced beta hooks, Hermes 0.11.0 added shell hooks (hermes-hooks-v1 covers the full seven-event lifecycle — pre_llm_call, pre_tool_call, post_tool_call, post_llm_call, session start/end, subagent_stop), Windsurf 1.12.41 added user prompt hooks to the Cascade pre-hook set, and Copilot CLI 1.0.18 is the first release containing every event in the current DefenseClaw Copilot contract. OpenCode loads JS plugins through a stable plugin API rather than a versioned hook config, so it is accepted as unversioned (validated with opencode 1.16.2). OmniGent uses its documented six-phase custom policy API and is accepted as unversioned until upstream publishes a policy-contract floor. OpenHands uses the current documented .openhands/hooks.json contract, installs globally through ~/.openhands/hooks.json by default, has been validated with OpenHands CLI 1.16.0, and is accepted as unversioned until upstream publishes a hook-version floor. Antigravity (agy) is pinned at >=1.0.0 (the version agy --version returns today); the upper bound stays open because agy auto-updates and DefenseClaw tracks compatibility through hook_contract_lock.json plus doctor drift checks. Claude Code is pinned to the current documented hook surface captured at 2.1.144; older Claude Code versions exposed smaller event sets.

Setup-time checks

Every defenseclaw setup ... path that chooses a connector refreshes local agent discovery, reads the installed connector version, and checks it against the manifest before writing config. Unsupported or unverified hook connector versions are allowed in observe mode with a warning, but action mode fails closed unless DEFENSECLAW_ALLOW_HOOK_CONTRACT_DRIFT=1 is set for exploratory testing.

The most common reason a version can't be read is the connector binary living outside a trusted install prefix (for example a bespoke install under ~/.local). Interactive action-mode setup detects this and offers to trust the directory (defaulting to No, persisting to ~/.defenseclaw/.env, then re-running the full contract check — trusting a path never bypasses the version gate). Non-interactive runs print the equivalent remediation: defenseclaw setup trusted-paths add <dir>. See the trusted-paths group on the CLI reference and the trust model in AI Discovery.

Proxy connectors are recorded in the manifest too, but they are marked not-gated because their enforcement surface is the DefenseClaw proxy instead of an agent hook contract.

Runtime lock

After gateway setup completes, DefenseClaw writes hook_contract_lock.json under the configured data directory. The lock records:

FieldPurpose
raw_agent_versionThe exact connector version string discovered locally.
normalized_agent_versionThe semver-like value used for manifest range matching.
contract_idThe deterministic hook contract selected for this connector.
hook_script_versionThe DefenseClaw hook script generation installed on disk.
hook_script_digestsHashes of installed hook scripts for drift detection.
defenseclaw_versionThe DefenseClaw build that produced the lock.

defenseclaw doctor reads the lock and compares it with the current discovery cache so connector upgrades, hook contract changes, and hook script drift show up before action-mode enforcement depends on them.