SetupGuardrail

Changing connectors

Use defenseclaw setup <connector> to add or reconfigure connector wiring, and setup remove <connector> to retire a connector without deleting audit history.

DefenseClaw connector setup is centered on the connector alias:

defenseclaw setup codex
defenseclaw setup hermes --mode action
defenseclaw setup antigravity --mode observe

On a host that already has connector wiring, the interactive flow asks whether to Add the new connector alongside the existing one or Replace the old wiring. Add is the default multi-connector path. Replace is only for hosts where you intentionally want one connector wired after setup finishes.

The audit DB is connector-agnostic. Adding, reconfiguring, removing, or replacing connector wiring does not delete history; each audit row keeps its own connector attribution.

Add or reconfigure

Run the setup alias for the connector you want:

defenseclaw setup codex

Choose Add when you want the existing connector(s) and the new connector protected by the same gateway. The new connector gets its own guardrail.connectors.<name> policy block, and defenseclaw status shows the full active roster.

Use --mode observe or --mode action to set the connector's enforcement posture during setup:

defenseclaw setup codex --mode observe
defenseclaw setup hermes --mode action

Remove a connector

When you no longer want a connector wired, remove it explicitly:

defenseclaw setup remove codex

DefenseClaw refuses to remove the last connector by default because the gateway would enforce nothing. If that is intentional, pass --force:

defenseclaw setup remove codex --force

Replace instead of add

Choose Replace in the connector setup prompt when you want setup to tear down the previous connector's agent-side files before wiring the new one. This is useful when a single-user workstation is moving from one agent to another and you do not want both configured at the same time.

Verify

defenseclaw doctor
defenseclaw status

doctor reports residual hook or config issues. status shows every active connector, its enforcement mode, and the shared gateway state.

See also