Connectors

GitHub Copilot CLI

The Copilot CLI connector wires global ~/.copilot/hooks by default, with optional workspace .github/hooks. Native ask is supported on preToolUse; block events cover permissionRequest, agentStop, subagentStop, and postToolUseFailure.

The GitHub Copilot CLI connector wires DefenseClaw into Copilot CLI hooks globally under ~/.copilot/hooks/ by default, with an optional workspace mode for <workspace>/.github/hooks/. Native ask is supported on preToolUse, so HITL approvals surface inside the agent UI.

Setup

defenseclaw setup copilot
defenseclaw setup copilot --workspace /path/to/repo

By default this is global/user-scoped: DefenseClaw writes hook entries into ~/.copilot/hooks/defenseclaw.json. Pass --workspace /path/to/repo only when you intentionally want repo-local <workspace>/.github/hooks/defenseclaw.json wiring. There is no proxy-enforcement path for Copilot CLI — blocking happens hook-side via the documented preToolUse, permissionRequest, agentStop, subagentStop, and postToolUseFailure events. Native ask is supported on preToolUse, so HITL approvals surface inside the agent UI for that surface.

What setup copilot actually does

The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

| Flag | Default | What it does |
| --- | --- | --- |
| --yes / -y | off | Skip the confirmation prompt (alias: --non-interactive, --accept-defaults). |
| --restart / --no-restart | --restart | Bounce defenseclaw-gateway after applying changes so the new hooks wire in. |
| --with-local-stack / --no-local-stack | --no-local-stack | Also bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up. |
| --workspace / --workspace-dir | unset | Opt into repo-local .github/hooks; unset means global ~/.copilot/hooks. |

setup copilot is shorthand for setup guardrail --connector copilot: it adds or reconfigures GitHub Copilot CLI, defaults the connector to observe mode, and can join an existing hook-connector roster when you choose Add. claw.workspace_dir is cleared for global setup and set only when --workspace is supplied. To tune Copilot after install, keep using defenseclaw setup guardrail --connector copilot — see the variations below.

Global setup is the default because DefenseClaw is intended to govern the operator environment, not one repo at a time. Use --workspace only for a repository that must carry its own hook file.

Common variations — pick the recipe that fits your phase

defenseclaw setup copilot

Confirms once, writes ~/.copilot/hooks/defenseclaw.json, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.

defenseclaw setup copilot --yes --with-local-stack

Same as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.

export DEFENSECLAW_LLM_KEY='replace-with-your-key'

defenseclaw setup copilot                                 # global hooks first
defenseclaw setup guardrail \
  --connector copilot \
  --rule-pack strict \
  --scanner-mode both \
  --detection-strategy regex_judge \
  --judge-model anthropic/claude-sonnet-4-20250514 \
  --judge-api-key-env DEFENSECLAW_LLM_KEY \
  --restart

The alias selects Copilot and writes the global hook; the follow-up setup guardrail --connector copilot swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.

Copilot has no proxy enforcement, but its hooks themselves can block. After setup copilot, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:

connector_hooks:
  copilot:
    enabled: true
    mode: action          # observe (default) | action
    fail_mode: open       # open | closed

Then run defenseclaw setup guardrail --restart to re-wire. With mode: action, preToolUse surfaces a native ask in Copilot when the gateway returns a HITL verdict. The other block events (permissionRequest, agentStop, subagentStop, postToolUseFailure) use a non-pausing alert/context fallback with the raw confirm action retained in audit.
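A posture check for the settings above, as an added example (not DefenseClaw's own code): it confirms a hook file exists at one of the two paths this page names and reads connector_hooks.copilot from config.yaml without a YAML library. The function names and finding labels are hypothetical, and reading fail_mode: open as "hook errors do not block" is an assumption, since the page lists the values without defining them.

```python
import re
import tempfile
from pathlib import Path

# Paths and keys are the ones this page names; finding labels are hypothetical.
GLOBAL_HOOK = Path(".copilot/hooks/defenseclaw.json")
WORKSPACE_HOOK = Path(".github/hooks/defenseclaw.json")
CONFIG = Path(".defenseclaw/config.yaml")
SAMPLE = "connector_hooks:\n  copilot:\n    enabled: true\n    mode: action  # observe | action\n    fail_mode: open\n"  # constructed

def copilot_hook_settings(text):
    """Read connector_hooks.copilot scalars from the simple nested layout shown above."""
    found = {"enabled": None, "mode": "observe", "fail_mode": None}  # observe is the default
    stack = []  # (indent, key) of the mappings enclosing the current line
    for raw in text.splitlines():
        m = re.match(r"^( *)([\w.-]+):\s*(.*)$", raw.split("#", 1)[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\" ")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if not value:
            stack.append((indent, key))
        elif [k for _, k in stack] == ["connector_hooks", "copilot"] and key in found:
            found[key] = value
    return found

def audit(home, workspace=None):
    """Return (settings, findings) for an operator home and an optional pinned repo."""
    home, findings = Path(home), []
    hooks = [home / GLOBAL_HOOK] + ([Path(workspace) / WORKSPACE_HOOK] if workspace else [])
    if not any(h.is_file() for h in hooks):
        findings.append("hook-file-missing")
    cfg = home / CONFIG
    settings = copilot_hook_settings(cfg.read_text() if cfg.is_file() else "")
    if settings["enabled"] == "false":
        findings.append("connector-disabled")
    if settings["mode"] != "action":
        findings.append("observe-only")  # findings are logged, nothing is blocked
    elif settings["fail_mode"] == "open":
        findings.append("action-fail-open")  # assumes the usual fail-open meaning
    return settings, findings

def demo():  # constructed temp home: global hook file plus the SAMPLE config
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in ((GLOBAL_HOOK, "{}"), (CONFIG, SAMPLE)):
            (Path(tmp) / rel).parent.mkdir(parents=True)
            (Path(tmp) / rel).write_text(body)  # hook body is a placeholder
        return audit(tmp)
```

Call audit(Path.home()) for the global wiring, or pass workspace="/path/to/repo" when the hook file was pinned with --workspace.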

Decision aids — should I turn this on?

Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.

Files DefenseClaw will modify

Hook capabilities

Block events

  • preToolUse
  • permissionRequest
  • agentStop
  • subagentStop
  • postToolUseFailure

Native ask events

  • preToolUse

Copilot CLI supports native ask on documented preToolUse hooks. The approval prompt surfaces inside the agent UI, not the DefenseClaw TUI.

Disable

defenseclaw setup guardrail --disable

The teardown removes ~/.copilot/hooks/defenseclaw.json or the pinned workspace hook file and leaves any other hook files in the directory untouched.