CiscoCiscoDefenseClaw
Stories

Approve risky tool calls before they fire

HITL is the middle ground between observe and full enforcement. CRITICAL findings still block; HIGH findings pause for the operator. Native ask on Claude Code, Cursor, Copilot CLI, OpenClaw; downgraded confirm elsewhere.

HITL is for the messy middle: actions that might be fine, usually are fine, but occasionally aren't. CRITICAL findings still block unconditionally — operators are slow, and CRITICAL exists for a reason. HITL is what keeps HIGH findings from being a constant blocker.

Pick a connector with native ask

For the cleanest operator UX, pick a connector with native ask: OpenClaw, Claude Code (PreToolUse), Cursor (beforeShellExecution / beforeMCPExecution), GitHub Copilot CLI (preToolUse). On these connectors the approval prompt surfaces inside the agent UI itself.

defenseclaw setup claude-code

Enable HITL with the right minimum severity

defenseclaw setup guardrail \
  --connector claudecode \
  --mode action \
  --human-approval \
  --hilt-min-severity high \
  --restart

--hilt-min-severity high means HIGH and CRITICAL findings reach the operator. CRITICAL still blocks regardless; HIGH pauses for approval. Drop to --hilt-min-severity medium for very cautious workflows; raise to --hilt-min-severity critical if you want HIGH findings to block silently.

Trigger an approval

In Claude Code:

Please move all files matching *.log from /var/log into /tmp/log-backup/.

The default pack flags mv /var/log/* as HIGH (touches a system path; not necessarily destructive). HITL pauses the call; Claude Code surfaces a PreToolUse approval prompt with the rendered command and the finding reason.

Approve or deny

The operator clicks approve. Claude Code resumes, the command runs, the audit row records both the original finding and the approval decision:

2026-05-08T17:42:20Z  HIGH  fs.system-path-mutation  approved
  command:    mv /var/log/*.log /tmp/log-backup/
  finding:    fs.system-path-mutation (HIGH)
  decision:   approve
  approver:   vineeth
  reason:     "log rotation cleanup"

The reason field is operator-supplied and stored in the audit DB.

What about connectors without native ask?

ZeptoClaw, Codex, Hermes, Gemini CLI, Windsurf downgrade HITL to a confirm verdict. The agent receives "blocked, awaiting operator approval"; the operator approves via defenseclaw tui (or the OpenClaw plugin queue). The raw_action is preserved in the audit log so the operator sees exactly what was requested.

defenseclaw tui

The TUI exposes a pending-approvals panel with the connector, hook, finding, and rendered action. Approving from there resumes the agent.

yes
no
Hook firesHIGH finding
Native asksupported?
Prompt in agent UI
Pause, surface indefenseclaw tui
Approve / deny
Resume agent
Native ask is faster (no context switch), but downgraded confirm is safer for long-running autonomous workflows where the operator is not in the agent UI.

When HITL is not the right answer

HITL is not a substitute for a tuned rule pack. If every other tool call is pausing for approval, the rule pack is too aggressive — fix the policy, not the operator's nerves. If nothing is ever pausing, raise --hilt-min-severity or you're paying the latency tax for no benefit.

Next

HITL reference

The full per-connector matrix and decision flow.

Switching connectors

Move from a downgraded-confirm connector to a native-ask one without losing audit history.

Block secret exfiltration from Cursor

Cursor's beforeShellExecution hook is the perfect stop point for `cat .env | curl ...`. DefenseClaw's secret-scanner pack flags it CRITICAL and the hook returns block before the command runs.

Pin local observability in 60 seconds

defenseclaw setup local-observability up brings the bundled Prom/Loki/Tempo/Grafana stack online and points the gateway's OTLP exporter at it. One command, four containers, three signals.