SetupGuardrail

Disabling guardrail

defenseclaw setup guardrail --disable is the global rollback. Connector hooks are removed (or restored from the byte-for-byte backup), the proxy stops, and agents talk directly to their native upstreams again.

defenseclaw setup guardrail --disable

This is the safe rollback. It runs teardown for the configured connector wiring, removes DefenseClaw-owned hook entries (or restores agent files from the hash-checked backup), stops the guardrail proxy, and clears the guardrail.enabled flag in ~/.defenseclaw/config.yaml.

--disable always restarts the gateway. Leaving the proxy running defeats the purpose of disabling.

On a multi-connector install, setup guardrail --disable is intentionally broad: it unwires the active connector roster, stops the gateway path, and clears the global guardrail enable flag. To retire only one connector while keeping the rest protected, use the scoped kill switch instead:

defenseclaw guardrail disable --connector codex
defenseclaw guardrail enable  --connector codex

What it touches

ConnectorRestored from backupSurgically removed if file drifted
Claude Code~/.claude/settings.json (hooks + OTEL_* env)DefenseClaw hook entries only
Codex~/.codex/config.toml (hooks, otel, notify)DefenseClaw blocks only
Cursor~/.cursor/hooks.jsonDefenseClaw hook entries only
Windsurf~/.codeium/windsurf/hooks.jsonDefenseClaw hook entries only
Gemini CLI~/.gemini/settings.jsonDefenseClaw hook entries + native OTLP block
GitHub Copilot CLI~/.copilot/hooks/defenseclaw.json or pinned <workspace>/.github/hooks/defenseclaw.jsonDefenseClaw hook entries
OpenHands~/.openhands/hooks.json or pinned <workspace>/.openhands/hooks.jsonDefenseClaw hook entries
Antigravity~/.gemini/config/hooks.jsonDefenseClaw defenseclaw-antigravity-* entries
Hermes~/.hermes/config.yamlDefenseClaw hook entries
OpenCode~/.config/opencode/plugins/defenseclaw.jsManaged bridge plugin (file removed)
OmniGent$OMNIGENT_CONFIG_HOME/config.yaml when set (otherwise ~/.omnigent/config.yaml), managed policy module, Python .pth fileDefenseClaw policy entries; unchanged managed files are restored/removed
OpenClaw~/.openclaw/openclaw.jsonPlugin allow/load entries
ZeptoClaw~/.zeptoclaw/config.json (api_base, safety)DefenseClaw rewrites

The audit DB and ~/.defenseclaw/ config are not removed. Use defenseclaw uninstall for the full reset.

Verify the rollback

defenseclaw doctor

doctor will confirm that no DefenseClaw hook scripts remain in the agent's config and that the gateway is offline (or running without the proxy listener bound).