Changing connectors
Use defenseclaw setup <connector> to add or reconfigure connector wiring, and setup remove <connector> to retire a connector without deleting audit history.
DefenseClaw connector setup is centered on the connector alias:
defenseclaw setup codex
defenseclaw setup hermes --mode action
defenseclaw setup antigravity --mode observeOn a host that already has connector wiring, the interactive flow asks whether to Add the new connector alongside the existing one or Replace the old wiring. Add is the default multi-connector path. Replace is only for hosts where you intentionally want one connector wired after setup finishes.
The audit DB is connector-agnostic. Adding, reconfiguring, removing, or replacing connector wiring does not delete history; each audit row keeps its own connector attribution.
Add or reconfigure
Run the setup alias for the connector you want:
defenseclaw setup codexChoose Add when you want the existing connector(s) and the new connector protected by the same gateway. The new connector gets its own guardrail.connectors.<name> policy block, and defenseclaw status shows the full active roster.
Use --mode observe or --mode action to set the connector's enforcement posture during setup:
defenseclaw setup codex --mode observe
defenseclaw setup hermes --mode actionRemove a connector
When you no longer want a connector wired, remove it explicitly:
defenseclaw setup remove codexDefenseClaw refuses to remove the last connector by default because the gateway would enforce nothing. If that is intentional, pass --force:
defenseclaw setup remove codex --forceReplace instead of add
Choose Replace in the connector setup prompt when you want setup to tear down the previous connector's agent-side files before wiring the new one. This is useful when a single-user workstation is moving from one agent to another and you do not want both configured at the same time.
Verify
defenseclaw doctor
defenseclaw statusdoctor reports residual hook or config issues. status shows every active connector, its enforcement mode, and the shared gateway state.
See also
- Multi-connector - one gateway enforcing several hook connectors
- Quick aliases - connector setup alias reference
- Disabling - roll back agent-side hook entries
- HITL - per-connector approval behavior
Multi-connector
One DefenseClaw gateway enforces guardrail policy for N hook connectors at once — each with its own mode, fail mode, HILT, block message, and rule pack — under guardrail.connectors. Add a connector with setup <connector> → "Add", and claw.mode flips to multi.
Disabling guardrail
defenseclaw setup guardrail --disable is the global rollback. Connector hooks are removed (or restored from the byte-for-byte backup), the proxy stops, and agents talk directly to their native upstreams again.