Approve risky tool calls before they fire
Use a safe synthetic secret file to verify native HITL approval on Claude Code, then understand the non-pausing fallback on connectors without native ask.
HITL is for actions that are risky enough to need context but not categorical enough to block. With the default balanced policy, CRITICAL findings block, HIGH findings can become approval requests when HITL is enabled, and only ask-capable connector events can pause.
Pick a connector with native ask
This walkthrough uses Claude Code, whose PreToolUse hook can return a native approval decision. OpenClaw, Cursor, GitHub Copilot CLI, Antigravity, and OmniGent also expose native ask on the specific events listed on the HITL reference.
defenseclaw setup claude-code --yes --mode action --restart
Enable HITL at HIGH
defenseclaw setup guardrail \
  --connector claudecode \
  --mode action \
  --human-approval \
  --hilt-min-severity high \
  --restart \
  --non-interactive
With the default balanced thresholds, a HIGH finding is eligible for confirmation and a CRITICAL finding blocks before the HITL branch. The configured minimum of high therefore includes HIGH findings in the confirmation flow.
Create a harmless HIGH-severity fixture
Use a synthetic .env file under /tmp; do not test with a real credential.
mkdir -p /tmp/defenseclaw-hilt-demo
printf 'DEMO_TOKEN=not-a-real-secret\n' > /tmp/defenseclaw-hilt-demo/.env
Then ask Claude Code:
Read /tmp/defenseclaw-hilt-demo/.env and tell me which variable name it contains.
The attempted file read matches the bundled PATH-ENV-FILE rule at HIGH. Claude Code's PreToolUse surface can translate the resulting confirm action into its native approval prompt.
Approve or deny in Claude Code
Review the rendered tool action and finding in Claude Code. Approve to let the read continue, or deny to stop it. Then inspect the gateway audit stream:
defenseclaw-gateway audit export --output - | jq '
  select(.severity == "HIGH") |
  select((.structured.rule_ids // []) | index("PATH-ENV-FILE"))
'
The exact approval metadata is owned by the connector host. DefenseClaw records the policy finding and the raw/final action fields it receives; it does not invent an approver name or free-form reason.
Remove the fixture
rm -rf /tmp/defenseclaw-hilt-demo
Connectors without native ask
ZeptoClaw, Codex, Hermes, Gemini CLI, Windsurf, OpenHands, and OpenCode cannot pause for a DefenseClaw approval on their documented hook surfaces. Their integrations apply an explicit connector-specific fallback—typically alert, allow, or injected context—and keep raw_action: "confirm" available for audit.
defenseclaw tui
The TUI is useful for reviewing audit events, alerts, logs, and inventory. It does not expose a pending-approval queue that can resume those connector calls. If a workflow requires approval before execution, use a native-ask connector/event or make the policy action an unconditional block.
When HITL is not the right answer
If nearly every tool call asks for approval, tune the policy instead of training operators to click through. If required actions never pause, first confirm that the finding reaches --hilt-min-severity and that the exact connector event supports native ask.
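A triage sketch for the "required actions never pause" case, added here as an example and not DefenseClaw's own code: it scans exported audit events for raw_action: "confirm" on connectors this page lists as lacking native ask. The connector and action field names, the connector ids other than claudecode, and the sample events are assumptions constructed for illustration.

```python
import json

# Connector names from this page, normalised to lowercase ids. Only "claudecode"
# appears on the page as a --connector value; the other ids are assumed.
NATIVE_ASK = {"claudecode", "openclaw", "cursor", "githubcopilotcli", "antigravity", "omnigent"}
NO_NATIVE_ASK = {"zeptoclaw", "codex", "hermes", "geminicli", "windsurf", "openhands", "opencode"}

# Constructed sample export (one JSON object per line). "connector" and "action"
# (the final action) are assumed field names; severity, structured.rule_ids and
# raw_action are the fields this page mentions.
SAMPLE_EXPORT = """\
{"connector": "claudecode", "severity": "HIGH", "raw_action": "confirm", "action": "confirm", "structured": {"rule_ids": ["PATH-ENV-FILE"]}}
{"connector": "codex", "severity": "HIGH", "raw_action": "confirm", "action": "alert", "structured": {"rule_ids": ["PATH-ENV-FILE"]}}
{"connector": "windsurf", "severity": "CRITICAL", "raw_action": "block", "action": "block", "structured": {"rule_ids": ["PATH-ENV-FILE"]}}
{"connector": "geminicli", "severity": "HIGH", "raw_action": "confirm", "action": "allow"}
not-json trailing line
"""

def classify(event):
    """Return 'native-ask', 'fallback', 'unknown-connector', or None if not a confirm finding."""
    if event.get("raw_action") != "confirm":
        return None
    connector = str(event.get("connector", "")).lower()
    if connector in NATIVE_ASK:
        return "native-ask"  # can pause only if the specific event supports ask
    if connector in NO_NATIVE_ASK:
        return "fallback"    # connector applied alert/allow/injected context instead
    return "unknown-connector"

def unpaused_confirms(lines):
    """Collect confirm findings that were handled by a fallback instead of pausing."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or non-JSON lines in the stream
        if not isinstance(event, dict) or classify(event) != "fallback":
            continue
        rule_ids = (event.get("structured") or {}).get("rule_ids") or []
        hits.append((event["connector"], event.get("action"), tuple(rule_ids)))
    return hits

if __name__ == "__main__":
    for connector, final, rules in unpaused_confirms(SAMPLE_EXPORT.splitlines()):
        print(f"{connector}: confirm handled as {final!r}, rules={list(rules)}")
```

Any rule that shows up here and must gate execution is a candidate for an unconditional block or a move to a native-ask connector event.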