OpenClaw integration
How DefenseClaw integrates with OpenClaw end-to-end — fetch interceptor, before_tool_call hook, correlation headers, plugin-mediated HITL approvals, and the audit loop.
OpenClaw is the connector DefenseClaw was designed against. It is also the only connector that ships a first-party plugin in the same repository (extensions/defenseclaw/). That plugin owns the OpenClaw-side wiring; the gateway and CLI own everything else.
Components
DefenseClaw plugin
TypeScript plugin under extensions/defenseclaw/. Hooks into OpenClaw's fetch interceptor and before_tool_call lifecycle.
defenseclaw-gateway
Go sidecar. Receives plugin requests, evaluates policy, returns verdicts, and writes the audit row.
DefenseClaw CLI
Python operator surface. Runs setup and exposes the TUI for audit, alerts, logs, and inventory.
Protocol compatibility
The DefenseClaw gateway client speaks the OpenClaw WebSocket handshake across the protocol v3-v4 range. During connect it sends minProtocol: 3 and maxProtocol: 4; OpenClaw returns the negotiated hello-ok protocol plus the supported method and event feature sets. That keeps current OpenClaw protocol v4 installs compatible while preserving the v3 challenge-response device flow for older OpenClaw endpoints.
End-to-end flow
prompt
fetch (LLM request)
POST /v1/inspect + correlation ID
allow / block / pause
publish approval prompt (when paused)
approval request in chat
approve / deny
approval response
resolve approval
resolved verdict
forward (or reject)
before_tool_call(name, args)
POST /v1/tool/inspect
verdict
allow / block
response
Correlation headers
Every plugin → gateway request carries X-DefenseClaw-Correlation-Id so the audit log can stitch a tool call back to the prompt that triggered it. The plugin generates one ID per OpenClaw turn; the gateway re-uses it for every downstream verdict.
HITL: the only connector with plugin-mediated approval
OpenClaw provides a native, plugin-mediated approval flow in its chat origin, so the operator approves or denies without leaving OpenClaw. Other native-ask connectors use their own host hook UI instead of this plugin path.
Connectors and hook events without native ask apply their documented alert/allow/context fallback. Their events remain visible in audit and defenseclaw tui, but the TUI cannot resume the original call. See the HITL page for the per-connector matrix.
Files DefenseClaw owns inside the OpenClaw tree
DefenseClaw never touches anything outside extensions/defenseclaw/ and the allow / load arrays in openclaw.json. Backups are byte-for-byte; teardown either restores the file or surgically removes only DefenseClaw entries when the file has drifted.
When this is the right connector
Pick OpenClaw when:
- You want the strongest enforcement contract: proxy-mode interception, sandbox subprocess policy, native ask + plugin-mediated approval.
- You're already running OpenClaw or are open to switching from Codex / Claude Code for security-critical workflows.
- You need fail-closed behaviour on transport failures.
If you're not running OpenClaw, the Claude Code connector is the closest hook-only equivalent and supports native ask on PreToolUse.
Defaults
What every fresh DefenseClaw install ships with — three OPA policies (permissive / default / strict), three matching guardrail rule packs, the operator-config defaults, and how to pick the combination that fits your team's risk tolerance.
Observability
Every prompt, tool call, scan finding, and HITL decision lands in your SIEM and your dashboards. DefenseClaw ships local Grafana/Loki/Tempo and local Splunk stacks you can stand up with one command.