GitHub Copilot CLI
Copilot CLI connector wires global ~/.copilot/hooks by default, with optional workspace .github/hooks. Native ask supported on preToolUse; block events cover permissionRequest, agentStop, subagentStop, postToolUseFailure.
The GitHub Copilot CLI connector wires DefenseClaw into Copilot CLI hooks globally under ~/.copilot/hooks/ by default, with an optional workspace mode for <workspace>/.github/hooks/. Native ask is supported on preToolUse, so HITL approvals surface inside the agent UI.
Setup
defenseclaw setup copilot
defenseclaw setup copilot --workspace /path/to/repoBy default this is global/user-scoped: DefenseClaw writes hook entries into ~/.copilot/hooks/defenseclaw.json. Pass --workspace /path/to/repo only when you intentionally want repo-local <workspace>/.github/hooks/defenseclaw.json wiring. There is no proxy-enforcement path for Copilot CLI — blocking happens hook-side via the documented preToolUse, permissionRequest, agentStop, subagentStop, and postToolUseFailure events. Native ask is supported on preToolUse, so HITL approvals surface inside the agent UI for that surface.
What setup copilot actually does
The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.
| Flag | Default | What it does |
|---|---|---|
--yes / -y | off | Skip the confirmation prompt (alias: --non-interactive, --accept-defaults). |
--restart / --no-restart | --restart | Bounce defenseclaw-gateway after applying changes so the new hooks wire in. |
--with-local-stack / --no-local-stack | --no-local-stack | Also bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up. |
--workspace / --workspace-dir | unset | Opt into repo-local .github/hooks; unset means global ~/.copilot/hooks. |
setup copilot is shorthand for setup guardrail --connector copilot: it adds or reconfigures GitHub Copilot CLI, defaults the connector to observe mode, and can join an existing hook-connector roster when you choose Add. claw.workspace_dir is cleared for global setup and set only when --workspace is supplied. To tune Copilot after install, keep using defenseclaw setup guardrail --connector copilot — see the variations below.
Global setup is the default because DefenseClaw is intended to govern the operator environment, not one repo at a time. Use --workspace only for a repository that must carry its own hook file.
Common variations — pick the recipe that fits your phase
defenseclaw setup copilotConfirms once, writes ~/.copilot/hooks/defenseclaw.json, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.
defenseclaw setup copilot --yes --with-local-stackSame as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.
export DEFENSECLAW_LLM_KEY='replace-with-your-key'
defenseclaw setup copilot # global hooks first
defenseclaw setup guardrail \
--connector copilot \
--rule-pack strict \
--scanner-mode both \
--detection-strategy regex_judge \
--judge-model anthropic/claude-sonnet-4-20250514 \
--judge-api-key-env DEFENSECLAW_LLM_KEY \
--restartThe alias selects Copilot and writes the global hook; the follow-up setup guardrail --connector copilot swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.
Copilot has no proxy enforcement, but its hooks themselves can block. After setup copilot, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:
connector_hooks:
copilot:
enabled: true
mode: action # observe (default) | action
fail_mode: open # open | closedThen defenseclaw setup guardrail --restart to re-wire. With mode: action, preToolUse surfaces a native ask in Copilot when the gateway returns a HITL verdict. The other block events (permissionRequest, agentStop, subagentStop, postToolUseFailure) use a non-pausing alert/context fallback with the raw confirm action retained in audit.
Decision aids — should I turn this on?
Human-in-the-loop (HITL)
Per-connector ask matrix. Copilot supports native ask on preToolUse; other events use a non-pausing fallback.
Full setup guardrail flag reference
All ~20 flags you can pass via `setup guardrail --connector copilot` when tuning Copilot.
Defaults & rule packs
What permissive / default / strict actually ship, and which one matches your risk tolerance.
Interactive wizard
Animated terminal demo of the prompt-by-prompt setup flow — the safest path the first time.
Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.
Files DefenseClaw will modify
Hook capabilities
Block events
- preToolUse
- permissionRequest
- agentStop
- subagentStop
- postToolUseFailure
Native ask events
- preToolUse
Copilot CLI supports native ask on documented preToolUse hooks. The approval prompt surfaces inside the agent UI, not the DefenseClaw TUI.
Disable
defenseclaw setup guardrail --disableThe teardown removes ~/.copilot/hooks/defenseclaw.json or the pinned workspace hook file and leaves any other hook files in the directory untouched.
Gemini CLI
Gemini CLI connector wires settings.json hooks (BeforeAgent, BeforeModel, BeforeTool, AfterTool, AfterAgent) plus the native OTLP exporter pointing at the gateway.
OpenHands
OpenHands connector wires DefenseClaw into global ~/.openhands/hooks.json command hooks by default, with MCP discovery through ~/.openhands/mcp.json and optional workspace-local skills.