CiscoCiscoDefenseClaw
Connectors

GitHub Copilot CLI

Copilot CLI connector wires workspace-scoped hooks under .github/hooks/. Native ask supported on preToolUse; block events cover permissionRequest, agentStop, subagentStop, postToolUseFailure.

The GitHub Copilot CLI connector wires DefenseClaw into Copilot's workspace-scoped hooks under <workspace>/.github/hooks/. Native ask is supported on preToolUse, so HITL approvals surface inside the agent UI.

Setup

defenseclaw setup copilot

This is workspace-scoped — run it from inside the project where you want Copilot to be governed. DefenseClaw writes hook entries into <workspace>/.github/hooks/defenseclaw.json and leaves the rest of .github/hooks/ alone. There is no proxy-enforcement path for Copilot CLI — blocking happens hook-side via the documented preToolUse, permissionRequest, agentStop, subagentStop, and postToolUseFailure events. Native ask is supported on preToolUse, so HITL approvals surface inside the agent UI for that surface.

What setup copilot actually does

The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

FlagDefaultWhat it does
--yes / -yoffSkip the confirmation prompt (alias: --non-interactive, --accept-defaults).
--restart / --no-restart--restartBounce defenseclaw-gateway after applying changes so the new hooks wire in.
--with-local-stack / --no-local-stack--no-local-stackAlso bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up.

Pinned by the alias regardless of flags: claw.mode=copilot, guardrail.connector=copilot, guardrail.mode=observe, guardrail.scanner_mode=local, guardrail.judge.enabled=false, guardrail.detection_strategy=regex_only. To tune any of those after install, use defenseclaw setup guardrail --connector copilot — see the variations below.

Because Copilot's hook config is workspace-scoped (lives at <workspace>/.github/hooks/defenseclaw.json), you need to re-run setup copilot once per repository where you want Copilot governed. The other knobs (guardrail.*, scanner backend, judge model, rule pack) are user-scoped in ~/.defenseclaw/config.yaml and apply globally.

Common variations — pick the recipe that fits your phase

cd /path/to/your/repo
defenseclaw setup copilot

Confirms once, writes <workspace>/.github/hooks/defenseclaw.json, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.

cd /path/to/your/repo
defenseclaw setup copilot --yes --with-local-stack

Same as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.

export DEFENSECLAW_LLM_KEY=<your-key>

cd /path/to/your/repo
defenseclaw setup copilot                                 # workspace hooks first
defenseclaw setup guardrail \
  --connector copilot \
  --rule-pack strict \
  --scanner-mode both \
  --detection-strategy regex_judge \
  --judge-model anthropic/claude-sonnet-4-20250514 \
  --judge-api-key-env DEFENSECLAW_LLM_KEY \
  --restart

The alias keeps the connector pinned and writes the workspace hook; the follow-up setup guardrail swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.

Copilot has no proxy enforcement, but its hooks themselves can block. After setup copilot, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:

connector_hooks:
  copilot:
    enabled: true
    mode: action          # observe (default) | action
    fail_mode: open       # open | closed

Then defenseclaw setup guardrail --restart to re-wire. With mode: action, preToolUse surfaces a native ask in Copilot when the gateway returns a HITL verdict; the other block events (permissionRequest, agentStop, subagentStop, postToolUseFailure) downgrade to a confirm verdict in the DefenseClaw TUI.

Decision aids — should I turn this on?

Human-in-the-loop (HITL)

Per-connector ask matrix. Copilot supports native ask on preToolUse; the other block events downgrade to confirm.

Full setup guardrail flag reference

All ~20 flags you can pass via `setup guardrail --connector copilot` after the alias has pinned things.

Defaults & rule packs

What permissive / default / strict actually ship, and which one matches your risk tolerance.

Interactive wizard

Animated terminal demo of the prompt-by-prompt setup flow — the safest path the first time.

Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.

Files DefenseClaw will modify

Hook capabilities

Block events

  • preToolUse
  • PreToolUse
  • permissionRequest
  • PermissionRequest
  • agentStop
  • Stop
  • subagentStop
  • SubagentStop
  • postToolUseFailure
  • PostToolUseFailure

Native ask events

  • preToolUse
  • PreToolUse

Copilot CLI supports native ask on documented preToolUse hooks. The approval prompt surfaces inside the agent UI, not the DefenseClaw TUI.

Disable

defenseclaw setup guardrail --disable

The teardown removes <workspace>/.github/hooks/defenseclaw.json and leaves any other hook files in the directory untouched.

Gemini CLI

Gemini CLI connector wires settings.json hooks (BeforeAgent, BeforeModel, BeforeTool, AfterTool, AfterAgent) plus the native OTLP exporter pointing at the gateway.

Windsurf

Windsurf connector wires Cascade hooks across pre_user_prompt, pre_read_code, pre_write_code, pre_run_command, and pre_mcp_tool_use.