First guardrail in 5 minutes
An end-to-end walkthrough — install, pick Claude Code, switch to action mode, and safely verify a destructive-command rule against a disposable path.
This walkthrough ends with DefenseClaw refusing to remove a disposable
directory under /var/tmp. The example is intentionally harmless even if the
guardrail is misconfigured.
Install
VERSION=0.8.3
INSTALL_URL="https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/${VERSION}/scripts/install.sh"
curl -LsSf "$INSTALL_URL" | VERSION="$VERSION" bash -s -- --connector claudecodeWire DefenseClaw into Claude Code
defenseclaw setup claude-codeThis runs the observability-only alias — DefenseClaw collects telemetry but does not yet block. We start here so we know the data path is healthy before flipping enforcement on.
Confirm telemetry is flowing
In one terminal, open the live dashboard (audit + alerts + logs panels):
defenseclaw tuiOr for a scripted view, tail the gateway's JSONL fan-out:
tail -f ~/.defenseclaw/gateway.jsonl | jq 'select(.connector == "claudecode")'In Claude Code, ask the assistant to run any tool call (e.g. "list files in this directory"). New rows should appear within a second or two. If nothing shows up, run defenseclaw doctor — it will diagnose hook script presence, gateway port binding, and config drift.
Promote to action mode
defenseclaw setup guardrail --connector claudecode --mode action --human-approval --restartTwo things just changed:
guardrail.modeflipped toaction. CRITICAL findings now block via thePreToolUsehook's deny verdict.guardrail.hilt.enabledflipped totrue. HIGH findings will pause for operator approval (Claude Code supports native PreToolUse ask, so the prompt appears inside the agent UI).
Trigger the rule
Create an empty disposable target yourself:
mkdir -p /var/tmp/defenseclaw-demo-emptyThen ask Claude Code to clean it up:
Please run
rm -rf /var/tmp/defenseclaw-demo-empty.
The default pack's CMD-RM-RF rule flags recursive force deletion under
critical root prefixes such as /var as CRITICAL. The PreToolUse hook returns
block and the agent does not execute the command. Arbitrary relative paths or
home subdirectories are not matched by this rule merely because rm -rf is
present.
In a second terminal you'll see the audit event land. List recent alerts:
defenseclaw alerts --limit 10# SEVERITY TIMESTAMP ACTION TARGET DETAILS
1 CRITICAL 2026-05-08 14:02:11 block rm -rf /var/tmp/defenseclaw-demo-empty CMD-RM-RFUse defenseclaw alerts --show 1 for the full record (rule path, scanner, evidence). Or live-tail the JSONL fan-out filtered to high-severity rows:
tail -f ~/.defenseclaw/gateway.jsonl \
| jq 'select(.connector == "claudecode" and (.severity == "HIGH" or .severity == "CRITICAL"))'What if you wanted to allow it?
Three safer options:
- Use a narrower cleanup command — avoid force-recursive deletion when it is unnecessary.
- Customize a copied rule pack — change
rules/commands.yamlin a custom pack, then select it with--rule-pack-dir. Editing a bundled pack in place makes upgrades harder to review. - Switch to observe mode —
defenseclaw setup guardrail --mode observe. Use this for the first week of every new connector.
CRITICAL findings are not eligible for HITL approval.
What you just built
rm -rf /var/tmp/defenseclaw-demo-empty
PreToolUse(command)
POST /api/v1/claudecode/hook
evaluate(command)
CRITICAL · CMD-RM-RF
block · recursive delete
block
I can't run that — DefenseClaw blocked it.
Next
Quickstart
First run in two minutes. Pick init for the guided wizard or quickstart for the zero-prompt scripted equivalent — both call the same first-run backend and end with a working guardrail.
Setup
Every defenseclaw setup verb in one place — from the central guardrail wizard to the auxiliary commands that wire keys, webhooks, registries, observability, and per-connector hooks.