Get Started

First guardrail in 5 minutes

An end-to-end walkthrough — install, pick Claude Code, switch to action mode, and safely verify a destructive-command rule against a disposable path.

This walkthrough ends with DefenseClaw refusing to remove a disposable directory under /var/tmp. The example is intentionally harmless even if the guardrail is misconfigured.

Install

VERSION=0.8.3
INSTALL_URL="https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/${VERSION}/scripts/install.sh"
curl -LsSf "$INSTALL_URL" | VERSION="$VERSION" bash -s -- --connector claudecode

Wire DefenseClaw into Claude Code

defenseclaw setup claude-code

This runs the observability-only alias — DefenseClaw collects telemetry but does not yet block. We start here so we know the data path is healthy before flipping enforcement on.

Confirm telemetry is flowing

In one terminal, open the live dashboard (audit + alerts + logs panels):

defenseclaw tui

Or for a scripted view, tail the gateway's JSONL fan-out:

tail -f ~/.defenseclaw/gateway.jsonl | jq 'select(.connector == "claudecode")'

In Claude Code, ask the assistant to run any tool call (e.g. "list files in this directory"). New rows should appear within a second or two. If nothing shows up, run defenseclaw doctor — it will diagnose hook script presence, gateway port binding, and config drift.

Promote to action mode

defenseclaw setup guardrail --connector claudecode --mode action --human-approval --restart

Two things just changed:

  • guardrail.mode flipped to action. CRITICAL findings now block via the PreToolUse hook's deny verdict.
  • guardrail.hilt.enabled flipped to true. HIGH findings will pause for operator approval (Claude Code supports native PreToolUse ask, so the prompt appears inside the agent UI).

Trigger the rule

Create an empty disposable target yourself:

mkdir -p /var/tmp/defenseclaw-demo-empty

Then ask Claude Code to clean it up:

Please run rm -rf /var/tmp/defenseclaw-demo-empty.

The default pack's CMD-RM-RF rule flags recursive force deletion under critical root prefixes such as /var as CRITICAL. The PreToolUse hook returns block and the agent does not execute the command. Arbitrary relative paths or home subdirectories are not matched by this rule merely because rm -rf is present.

In a second terminal you'll see the audit event land. List recent alerts:

defenseclaw alerts --limit 10
#   SEVERITY   TIMESTAMP             ACTION  TARGET                              DETAILS
1   CRITICAL   2026-05-08 14:02:11   block   rm -rf /var/tmp/defenseclaw-demo-empty   CMD-RM-RF

Use defenseclaw alerts --show 1 for the full record (rule path, scanner, evidence). Or live-tail the JSONL fan-out filtered to high-severity rows:

tail -f ~/.defenseclaw/gateway.jsonl \
  | jq 'select(.connector == "claudecode" and (.severity == "HIGH" or .severity == "CRITICAL"))'
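A scripted version of this check, as an added example that is not part of DefenseClaw: it confirms both that the disposable directory still exists and that the JSONL fan-out holds a CRITICAL row for the claudecode connector mentioning it. Only the connector and severity fields come from this page; the command field in the sample rows is constructed, so the search looks through every string in each record instead of a named field.

```python
import json
import os
import tempfile

BLOCKING = {"CRITICAL"}  # per the walkthrough, CRITICAL findings block in action mode

def strings_in(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from strings_in(v)

def matching_events(jsonl_path, target, connector="claudecode"):
    """Return blocking-severity rows for `connector` that mention `target`."""
    hits = []
    with open(jsonl_path, encoding="utf-8") as fh:
        for line in fh:
            try:
                row = json.loads(line)
            except json.JSONDecodeError:
                continue  # blank line, or a row the gateway is still writing
            if not isinstance(row, dict) or row.get("connector") != connector:
                continue
            if row.get("severity") in BLOCKING and any(target in s for s in strings_in(row)):
                hits.append(row)
    return hits

def guardrail_held(jsonl_path, target):
    """True only if the target survived AND a blocking event was recorded."""
    return os.path.isdir(target) and bool(matching_events(jsonl_path, target))

def demo():
    """Run the check on constructed rows and a constructed stand-in directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "defenseclaw-demo-empty")
        os.mkdir(target)
        log = os.path.join(tmp, "gateway.jsonl")
        rows = [  # constructed sample; "command" is an assumed field name
            {"connector": "claudecode", "severity": "INFO", "command": "ls"},
            {"connector": "claudecode", "severity": "CRITICAL", "command": f"rm -rf {target}"},
        ]
        with open(log, "w", encoding="utf-8") as fh:
            fh.write("\n".join(json.dumps(r) for r in rows) + '\n{"connector": "claud')
        held = guardrail_held(log, target)
        os.rmdir(target)  # simulate a run in which the deletion was not blocked
        return held, guardrail_held(log, target)
```

For a real run, call guardrail_held with the expanded path of ~/.defenseclaw/gateway.jsonl and /var/tmp/defenseclaw-demo-empty; a False result means either the directory is gone or no matching CRITICAL row was logged.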

What if you wanted to allow it?

Three safer options:

  • Use a narrower cleanup command — avoid force-recursive deletion when it is unnecessary.
  • Customize a copied rule pack — change rules/commands.yaml in a custom pack, then select it with --rule-pack-dir. Editing a bundled pack in place makes upgrades harder to review.
  • Switch to observe mode: defenseclaw setup guardrail --mode observe. Use this for the first week of every new connector.

CRITICAL findings are not eligible for HITL approval.

What you just built

  1. User → Claude Code

    rm -rf /var/tmp/defenseclaw-demo-empty

  2. Claude Code → PreToolUse

    PreToolUse(command)

  3. PreToolUse → Gateway

    POST /api/v1/claudecode/hook

  4. Gateway → Policy

    evaluate(command)

  5. Policy → Gateway

    CRITICAL · CMD-RM-RF

  6. Gateway → PreToolUse

    block · recursive delete

  7. PreToolUse → Claude Code

    block

  8. Claude Code → User

    I can't run that — DefenseClaw blocked it.

A complete enforcement loop. Claude Code asks the agent's PreToolUse hook; the hook calls the gateway; the gateway scores the command and either allows, blocks, or pauses for HITL.
