ZeptoClaw
ZeptoClaw routes through DefenseClaw via api_base redirect plus response-scan. Full guardrail pipeline runs on every request.
ZeptoClaw is the second proxy connector. DefenseClaw rewrites ~/.zeptoclaw/config.json providers to point at the local guardrail proxy; every request is inspected on its way out and every response on its way back.
Setup
defenseclaw setup zeptoclaw --mode observe --restart
defenseclaw setup zeptoclaw --mode action --rule-pack default --restart
setup zeptoclaw is an alias around defenseclaw setup guardrail --connector zeptoclaw and inherits every guardrail flag. Like OpenClaw the proxy is always in the data path: there is no observability-only branch, only --mode observe (log without blocking) vs --mode action (enforce).
What this command sets vs. leaves at defaults
The flags above explicitly set: connector, mode, and (optionally) rule pack. Every other knob falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.
| Knob | Value when omitted | Flag to override |
|---|---|---|
| Scanner backend | local (bundled regex packs, zero key) | --scanner-mode local\|remote\|both |
| Rule pack | unset → built-in baseline (no overlay) | --rule-pack default\|strict\|permissive |
| LLM judge | off (regex-only triage) | --judge-model <model> plus --judge-api-key-env |
| Detection strategy | regex_judge if judge is on, else regex-only | --detection-strategy regex_only\|regex_judge\|judge_first |
| HITL | off (no operator approval prompts) | --human-approval plus --hilt-min-severity ... |
| HITL minimum severity | HIGH (when --human-approval is on; stored uppercase in config) | --hilt-min-severity low\|medium\|high\|critical (case-insensitive) |
| Hook fail-mode | open (allow on guardrail-side failure) | defenseclaw guardrail fail-mode <open\|closed> (no flag) |
| Proxy port | 4000 | --port <int> |
| Block message | empty (uses built-in copy) | --block-message "<text>" |
| Redaction | enabled | --disable-redaction (trusted single-tenant only) |
| Verify after setup | on | --no-verify |
See the full flag reference for the complete table or run defenseclaw setup guardrail --help.
Common variations — pick the recipe that fits your phase
defenseclaw setup zeptoclaw \
--mode observe \
--rule-pack permissive \
--restart
The proxy is in the data path but nothing blocks. Every prompt and response lands in ~/.defenseclaw/gateway.jsonl. Run this for at least a week before promoting — see Defaults → tuning by risk tolerance.
defenseclaw setup zeptoclaw \
--mode action \
--human-approval \
--hilt-min-severity high \
--restart
HIGH findings pause for operator approval; CRITICAL still blocks unconditionally. ZeptoClaw has no native ask surface, so HITL approvals downgrade to confirm verdicts in the DefenseClaw TUI / audit log — make sure operators are reachable there. See the HITL page for the per-connector matrix.
export DEFENSECLAW_LLM_KEY=<your-key>
defenseclaw setup zeptoclaw \
--mode action \
--human-approval \
--hilt-min-severity high \
--detection-strategy regex_judge \
--judge-model anthropic/claude-sonnet-4-20250514 \
--judge-api-key-env DEFENSECLAW_LLM_KEY \
--restart
Adds the LLM judge as a second pass on regex-flagged prompts. Costs a few cents per turn; cuts false positives meaningfully on semantic jailbreaks regex misses.
defenseclaw policy activate strict
defenseclaw setup zeptoclaw \
--mode action \
--human-approval \
--hilt-min-severity low \
--rule-pack strict \
--restart
Block ≥ MEDIUM, no allow-list bypass, HITL on every LOW+ event. Pair with the OpenShell sandbox profile and an MCP allow-list for full lockdown.
Decision aids — should I turn this on?
Human-in-the-loop (HITL)
When --human-approval is worth it. ZeptoClaw downgrades to confirm verdicts since it has no native ask — operators see them in the TUI / audit log.
Mode + judge recipes
Side-by-side bash for observe / action / action+HITL / action+judge — copy-paste ready.
Defaults & rule packs
What permissive / default / strict actually ship, and which one matches your risk tolerance.
Interactive wizard
Animated terminal demo of the prompt-by-prompt setup flow — the safest path the first time.
Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.
Files DefenseClaw will modify
safety.allow_private_endpoints is set to true so the rewritten api_base (a 127.0.0.1 URL) is accepted.
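A post-setup check for the rewrite described above, as an added example (not DefenseClaw's own code): it flags any provider whose api_base would not go through the local guardrail proxy. The JSON layout (a providers object keyed by name, each with api_base, plus safety.allow_private_endpoints) and the sample values are assumptions; port 4000 is the default proxy port from the table.

```python
import json
import sys
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample, not a real ZeptoClaw config. Assumed layout: "providers"
# maps a name to an object with "api_base"; "safety" holds the boolean.
SAMPLE = json.loads("""
{
  "providers": {
    "anthropic": {"api_base": "http://127.0.0.1:4000/v1"},
    "openai":    {"api_base": "https://api.openai.com/v1"},
    "local":     {"api_base": "http://127.0.0.1:11434"}
  },
  "safety": {"allow_private_endpoints": true}
}
""")


def audit_config(cfg, proxy_port=4000):
    """Return findings for providers that are not pointed at the guardrail proxy."""
    findings = []
    providers = cfg.get("providers") or {}
    if not providers:
        findings.append("no providers defined: nothing is routed through the proxy")
    for name, prov in sorted(providers.items()):
        base = (prov or {}).get("api_base")
        if not base:
            findings.append(f"{name}: api_base missing, not pointed at the proxy")
            continue
        url = urlparse(base)
        try:
            port = url.port
        except ValueError:  # non-numeric or out-of-range port in the URL
            port = None
        if url.hostname not in LOOPBACK_HOSTS:
            findings.append(f"{name}: api_base host {url.hostname!r} is not loopback")
        elif port != proxy_port:
            findings.append(f"{name}: api_base port {port} is not proxy port {proxy_port}")
    if (cfg.get("safety") or {}).get("allow_private_endpoints") is not True:
        findings.append("safety.allow_private_endpoints is not true: needed for a 127.0.0.1 api_base")
    return findings


if __name__ == "__main__":
    # Pass the path to config.json as argv[1]; without it the sample is audited.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for line in audit_config(cfg):
        print("FINDING:", line)
```

Run it against ~/.zeptoclaw/config.json after setup and again after any manual edit or ZeptoClaw upgrade; pass proxy_port if the proxy was set up with --port.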
Hook capabilities
Block events
- fetch_request
- fetch_response
- tool_call
Native ask events
None — confirm verdicts are downgraded with the raw action preserved.
ZeptoClaw has no native ask surface. Confirm verdicts are downgraded with raw_action preserved so operators can review the original request in the TUI / audit log.
Subprocess policy
sandbox — same openshell-sandbox path as OpenClaw.
Disable
defenseclaw setup guardrail --disable
Capability Matrix
Per-connector breakdown of block capability, native ask events, fail-closed support, subprocess policy, and HITL behaviour. The single source of truth for "can this connector do X?"