
First guardrail in 5 minutes

An end-to-end walkthrough — install, pick Claude Code, switch to action mode, and watch DefenseClaw block a destructive shell command before it runs.

This walkthrough ends with DefenseClaw refusing to let Claude Code run rm -rf ~/projects. Five minutes from a fresh checkout.

Install

curl -LsSf https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/main/scripts/install.sh | bash -s -- --connector claudecode

Wire DefenseClaw into Claude Code

defenseclaw setup claude-code

This runs the observability-only alias — DefenseClaw collects telemetry but does not yet block. We start here so we know the data path is healthy before flipping enforcement on.

Confirm telemetry is flowing

In one terminal, open the live dashboard (audit + alerts + logs panels):

defenseclaw tui

Or for a scripted view, tail the gateway's JSONL fan-out:

tail -f ~/.defenseclaw/gateway.jsonl | jq 'select(.connector == "claudecode")'

In Claude Code, ask the assistant to run any tool call (e.g. "list files in this directory"). New rows should appear within a second or two. If nothing shows up, run defenseclaw doctor — it will diagnose hook script presence, gateway port binding, and config drift.

Promote to action mode

defenseclaw setup guardrail --connector claudecode --mode action --human-approval --restart

Three things just changed:

  • guardrail.mode flipped to action. CRITICAL findings now block.
  • guardrail.hilt.enabled flipped to true. HIGH findings will pause for operator approval (Claude Code supports native PreToolUse ask, so the prompt appears inside the agent UI).
  • guardrail.claudecode_enforcement_enabled was set to true. The hook scripts now consult the gateway for an allow/block decision.

Trigger the rule

Ask Claude Code to clean up:

Please run rm -rf ~/projects/old-experiments to free disk space.

DefenseClaw's default rule pack flags rm -rf against home-directory paths as CRITICAL. The PreToolUse hook returns block and the agent never executes the command.

In a second terminal you'll see the audit event land. List recent alerts:

defenseclaw alerts --limit 10
#   SEVERITY   TIMESTAMP             ACTION  TARGET                              DETAILS
1   CRITICAL   2026-05-08 14:02:11   block   rm -rf ~/projects/old-experiments   shell.dangerous-rm

Use defenseclaw alerts --show 1 for the full record (rule path, scanner, evidence). Or live-tail the JSONL fan-out filtered to high-severity rows:

tail -f ~/.defenseclaw/gateway.jsonl \
  | jq 'select(.connector == "claudecode" and (.severity == "HIGH" or .severity == "CRITICAL"))'

What if you wanted to allow it?

Three options, ordered by how much you trust the operator:

  • Pause for approval — leave HITL on; the operator clicks "approve" and the command runs.
  • Downgrade severity — edit ~/.defenseclaw/policies/guardrail/default/shell.yaml and drop the rule to HIGH; with HITL the operator still sees it, without HITL it logs and runs.
  • Switch to observe mode: defenseclaw setup guardrail --mode observe. Use this for the first week of every new connector.

What you just built

  1. User → Claude Code: rm -rf ~/projects/old-experiments
  2. Claude Code → PreToolUse: PreToolUse(command)
  3. PreToolUse → Gateway: POST /api/v1/claudecode/hook
  4. Gateway → Policy: evaluate(command)
  5. Policy → Gateway: CRITICAL · shell.dangerous-rm
  6. Gateway → PreToolUse: block · recursive delete
  7. PreToolUse → Claude Code: block
  8. Claude Code → User: I can't run that — DefenseClaw blocked it.

A complete enforcement loop. Claude Code asks the agent's PreToolUse hook; the hook calls the gateway; the gateway scores the command and either allows, blocks, or pauses for HITL.
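Before promoting a connector out of observe mode, it helps to replay the collected telemetry and see what action mode would have blocked or paused. The script below is an added example, not DefenseClaw's own code: it applies the allow/block/pause outcomes described on this page to JSONL rows, assuming that observe-mode rows carry severity, that findings below HIGH are allowed, and that a target field exists (connector and severity are the only field names taken from the page's jq filters).

```python
import json
from collections import Counter

# Constructed sample rows. "connector" and "severity" are the fields the page's
# jq filters use; "target" is an assumed field name borrowed from the alerts table.
SAMPLE_JSONL = """\
{"connector": "claudecode", "severity": "CRITICAL", "target": "rm -rf ~/projects/old-experiments"}
{"connector": "claudecode", "severity": "HIGH", "target": "constructed-high-finding"}
{"connector": "claudecode", "severity": "LOW", "target": "ls"}
{"connector": "other-connector", "severity": "CRITICAL", "target": "constructed"}
{"connector": "claudecode", "sev
"""

def decide(severity, mode, hitl):
    """Outcome as the page describes it; severities below HIGH are assumed to allow."""
    if mode != "action":
        return "allow"              # observe mode: telemetry only, nothing blocks
    if severity == "CRITICAL":
        return "block"              # CRITICAL findings block in action mode
    if severity == "HIGH" and hitl:
        return "ask"                # HIGH pauses for operator approval when HITL is on
    return "allow"                  # HIGH without HITL logs and runs

def dry_run(lines, connector="claudecode", mode="action", hitl=True):
    """Replay JSONL rows; return (outcome counts, flagged rows, unparseable line count)."""
    counts, flagged, skipped = Counter(), [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1            # e.g. a row caught half-written by tail
            continue
        if not isinstance(row, dict) or row.get("connector") != connector:
            continue
        outcome = decide(str(row.get("severity", "")).upper(), mode, hitl)
        counts[outcome] += 1
        if outcome != "allow":
            flagged.append((outcome, row.get("target", "<no target field>")))
    return counts, flagged, skipped

if __name__ == "__main__":
    counts, flagged, skipped = dry_run(SAMPLE_JSONL.splitlines())
    print(dict(counts), "unparseable lines:", skipped)
    for outcome, target in flagged:
        print(f"{outcome:5s} {target}")
```

To run it against real telemetry, pass an open file handle on ~/.defenseclaw/gateway.jsonl to dry_run in place of the sample lines.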
