Setup registries
Subscribe DefenseClaw to public or internal skill / MCP catalogs. Sources are fetched, scanned, and clean entries are auto-promoted into asset_policy so admission decisions can attribute the rule back to its origin.
A registry source is a fetchable manifest of skills and/or MCP servers that DefenseClaw ingests on demand. Public catalogs (clawhub, smithery), internal HTTPS YAMLs / JSONs, git repos, and on-disk YAMLs are all supported. Synced entries flow through the existing skill / MCP scanners; clean ones land in asset_policy.{skill,mcp}.registry so a later admission decision can say "approved by registry:<id>" instead of "approved by an unattributed rule someone wrote in 2024."
Why registries matter
Without a registry, every new skill / MCP that lands on disk is admission-evaluated against ad-hoc operator-authored rules. With one or more registries, the catalog drives admission: clean entries get auto-promoted, suspicious ones are quarantined for review, and toggling registry_required flips the asset class to deny-by-default for anything the catalog hasn't blessed.
Guided example · Registry sync is on demand
Turn a catalog entry into an admission decision
On-demand sync verifies source integrity, routes through a scanner, and promotes, reviews, or denies a pre-authored variant.
asset_policy: skill: registry: workspace-helper@1.2.0: action: allow reason: registry:internal-catalogasset_policy: skill: registry: workspace-helper@1.2.0: action: allow reason: registry:internal-catalog
Integrity verified and scanner result is clean
Write attributed asset_policy rule
What DefenseClaw did — and did not do
What it did
- Run registry sync on demand
- Verify source integrity and route through existing scanners
- Attribute promoted rules to the registry source
What it did not do
- Poll registries automatically at runtime
- Let registry trust bypass scanner findings unless policy allows it
- Read a credential value from auth_env
What you just saw
An on-demand registry sync verified source integrity, routed an entry through its existing scanner, and selected a deterministic outcome: promote a clean entry, hold a warning for review, or deny an unknown asset when registry_required=true. Stored sync settings do not create a runtime poller.
The seven registry kinds
Prop
Type
Three worked examples
The friendly default. No URL, no auth, just opt in to the catalog:
defenseclaw registry add clawhub \
--kind clawhub \
--content skill \
--non-interactive
defenseclaw registry sync clawhubThe first sync downloads the manifest, runs the skill scanner on every entry, and promotes the clean ones into asset_policy.skill.registry.
Most enterprises run a curated mirror inside their own DNS:
defenseclaw registry add corp-skills \
--kind http_yaml \
--url https://catalog.corp.example.com/skills.yaml \
--content skill \
--auth-env CORP_CATALOG_TOKEN \
--non-interactive
export CORP_CATALOG_TOKEN="$(vault kv get -field=token kv/defenseclaw/catalog)"
defenseclaw registry test corp-skills # dry-run: fetch + parse, no writes
defenseclaw registry sync corp-skills # fetch + scan + promoteThe --auth-env option takes the name of an env var; the literal token never lands in config.yaml. SHA-256 is required on every entry's source_url for http_yaml, http_json, git, and file kinds — the manifest publisher computes it once.
For the smithery.ai public MCP catalog:
defenseclaw registry add smithery-public \
--kind smithery \
--content mcp \
--non-interactive
defenseclaw registry sync smithery-publicEach entry is run through the MCP scanner (transport probe + behavioral introspection); clean ones land in asset_policy.mcp.registry so an MCP listed in the catalog passes admission attribution-clean.
All twelve subcommands
Prop
Type
The lifecycle of an entry
Promote and require — the deny-by-default story
Once entries are flowing in, asset_policy.<type>.registry_required flips the corresponding asset class to deny-by-default:
defenseclaw registry require --type skill --enabled
defenseclaw registry require --type mcp --enabledWhen registry_required=true:
- An asset whose name matches a rule in
asset_policy.<type>.registryfollows that rule. - An asset whose name does not match any rule falls through to the configured
registry_empty_action(defaultdeny). - An empty registry list with
require=onblocks every asset of that class by default until the nextsyncpopulates it. Settingregistry_empty_action: warnorallowrelaxes only this empty-registry gate and falls through to the type default;warnis non-blocking. The CLI warns you in colour when you fliprequire=onagainst an empty list — read the warning carefully.
The Go gateway tags every admission decision with Reason="registry:<id>" (or "registry:operator-approved" for manually approved entries) so you can grep ~/.defenseclaw/gateway.jsonl to see which catalog won.
What --auth-env, --allow-private, and SHA-256 actually do
| Knob | Default | Purpose |
|---|---|---|
--auth-env <ENV> | "" | Name of an env var holding a bearer token sent on every fetch. The CLI rejects values that look like literal secrets. |
--allow-private | off | Permit RFC1918 / ULA destinations. Off in production; on for an internal mirror behind a private subnet. Same flag exists on test and sync. |
--non-interactive | off | Required for CI; missing required flags exit non-zero with a clear error: --foo is required. |
SHA-256 on source_url | required for http_yaml / http_json / git / file | Per-entry integrity; the scanner refuses to download an entry whose computed digest does not match. |
Registry fetches use the same hardened URL path in test and sync: loopback, link-local, cloud-metadata, and private-network destinations are refused by default, including DNS resolutions that rebind into a reserved range. Use --allow-private only for a registry mirror you intentionally run on an internal network. Local file registries must use absolute paths, and remote entry downloads must pass the per-entry SHA-256 check before scanner promotion can happen.
Inspect what landed
defenseclaw registry list # one row per source, with cached counts
defenseclaw registry show corp-skills # full detail + verdict summary
defenseclaw registry entries corp-skills --status warning
defenseclaw registry approve corp-skills my-skill --type skill
defenseclaw registry reject corp-skills evil-skill --type skillapprove and reject re-promote against the cached manifest immediately by default, so the new rule lands without a network round-trip. Pass --no-repromote if you want to defer the change to the next registry sync.
Sync schedules
Today, syncing is on demand. The --auto-sync and --sync-interval-hours flags on add / edit are persisted but the runtime does not poll. Run registry sync --all from a cron / systemd timer / GitHub Actions schedule until scheduled sync ships in a future release:
# /etc/cron.d/defenseclaw-registry
0 * * * * defenseclaw registry sync --allCommon gotchas
Reference
cli/defenseclaw/commands/cmd_registry.py— every subcommand, validator, and the lifecycle helpers.cli/defenseclaw/registries/— adapters, manifest schema, sync engine, promotion rules.- Reference → CLI — full CLI catalog.
- Setup → Skill scanner and MCP scanner — what the scanners look at when verdicts get computed.
- Policies — how
asset_policydecisions blend with repo policies and the LLM judge.
Setup webhooks
Configure Slack, PagerDuty, Webex, and generic HMAC webhooks so the gateway can ping a chat or incident channel when high-severity events fire.
Enterprise hardening and deployment
Provision DefenseClaw as a managed operating-system service, understand its trust boundaries, and continuously repair per-user AI-agent hooks.