Windsurf
Windsurf connector wires Cascade hooks across pre_user_prompt, pre_read_code, pre_write_code, pre_run_command, and pre_mcp_tool_use.
The Windsurf connector wires DefenseClaw into Codeium's Cascade hooks so every prompt, code read, code write, command run, and MCP tool call is scored before it lands.
Setup
defenseclaw setup windsurfsetup windsurf is shorthand for setup guardrail --connector windsurf: it adds or reconfigures Windsurf and wires hooks against ~/.codeium/windsurf/hooks.json. DefenseClaw discovers existing MCP / rules but never auto-creates workspace configuration. There is no proxy-enforcement path for Windsurf — blocking happens hook-side via Cascade's pre_user_prompt, pre_read_code, pre_write_code, pre_run_command, and pre_mcp_tool_use events. Windsurf has no native ask surface, so confirm verdicts use its explicit non-pausing fallback with raw_action preserved for audit.
What setup windsurf actually does
The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.
| Flag | Default | What it does |
|---|---|---|
--yes / -y | off | Skip the confirmation prompt (alias: --non-interactive, --accept-defaults). |
--restart / --no-restart | --restart | Bounce defenseclaw-gateway after applying changes so the new hooks wire in. |
--with-local-stack / --no-local-stack | --no-local-stack | Also bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up. |
The alias defaults Windsurf to observe mode and can join an existing hook-connector roster when you choose Add. To tune Windsurf after install, keep using defenseclaw setup guardrail --connector windsurf — see the variations below.
Common variations — pick the recipe that fits your phase
defenseclaw setup windsurfConfirms once, wires the hooks against ~/.codeium/windsurf/hooks.json, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.
defenseclaw setup windsurf --yes --with-local-stackSame as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.
export DEFENSECLAW_LLM_KEY='replace-with-your-key'
defenseclaw setup windsurf # base alias first
defenseclaw setup guardrail \
--connector windsurf \
--rule-pack strict \
--scanner-mode both \
--detection-strategy regex_judge \
--judge-model anthropic/claude-sonnet-4-20250514 \
--judge-api-key-env DEFENSECLAW_LLM_KEY \
--restartThe alias selects Windsurf; the follow-up setup guardrail --connector windsurf swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.
Windsurf has no proxy enforcement, but its hooks themselves can block. After setup windsurf, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:
connector_hooks:
windsurf:
enabled: true
mode: action # observe (default) | action
fail_mode: open # open | closedThen defenseclaw setup guardrail --restart to re-wire. With mode: action, Cascade hooks block when policy returns block. Because Windsurf has no native ask surface, confirm uses its explicit fallback; operators can review the result in audit or the TUI, but cannot resume it there.
Decision aids — should I turn this on?
Human-in-the-loop (HITL)
Per-connector ask matrix. Windsurf has no native ask; confirm uses an immediate fallback preserved in audit.
Full setup guardrail flag reference
All ~20 flags you can pass via `setup guardrail --connector windsurf` when tuning Windsurf.
Defaults & rule packs
What permissive / default / strict actually ship, and which one matches your risk tolerance.
Interactive wizard
Animated terminal demo of the prompt-by-prompt setup flow — the safest path the first time.
Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.
Files DefenseClaw will modify
Hook capabilities
Block events
- pre_user_prompt
- pre_read_code
- pre_write_code
- pre_run_command
- pre_mcp_tool_use
Native ask events
None — confirm verdicts are downgraded with the raw action preserved.
Windsurf has no native human-approval surface. Confirm verdicts use an immediate fallback with raw_action preserved; operators can review them in the TUI or audit log, but cannot approve and resume them there.
Subprocess policy
none — Windsurf executes commands inside its own runtime; DefenseClaw observes via the pre_run_command hook rather than the openshell sandbox.
Disable
defenseclaw setup guardrail --disableAntigravity
Antigravity (`agy`) connector registers all five 2.0 lifecycle hooks in ~/.gemini/config/hooks.json; the empirically verified PreToolUse event provides native ask/deny decisions that override --dangerously-skip-permissions.
ZeptoClaw
ZeptoClaw routes through DefenseClaw via api_base redirect plus response-scan. Full guardrail pipeline runs on every request.