
Switch connectors without losing audit history

defenseclaw setup mode <connector> rewires the data path without touching the audit DB. Move from OpenClaw to Codex (or Claude Code, or Cursor) in one command and keep every audit row.

The audit DB is connector-agnostic. Every audit row records its own connector column, so switching connectors moves the data path without losing history. New events land under the new connector; old events stay attributable to the old one.

Inspect current state

defenseclaw status
defenseclaw alerts --limit 25
tail -n 200 ~/.defenseclaw/gateway.jsonl | jq -r 'select(.connector) | .connector' | sort | uniq -c

status shows the active connector and enforcement flags. alerts lists the most recent decisions as a table. The third command is a quick by-connector histogram of recent events from the gateway's JSONL fan-out — replace tail -n 200 with cat for a full-DB view, or open defenseclaw tui for the interactive Audit panel.

Switch with smart inheritance

defenseclaw setup mode codex

The CLI runs the previous connector's Teardown() — restoring backed-up agent files — then the new connector's Setup(). Inheritance rules:

  • openclaw ↔ zeptoclaw: full guardrail config inherits verbatim (both are proxy connectors).
  • proxy → hooks: switch to observability-only, force enforcement off, preserve the rest of guardrail.* on disk.
  • hooks → proxy: enable guardrail in observe mode so the proxy binds; never auto-enable enforcement.
  • hooks ↔ hooks: apply the destination's observability-only template.

Full table on the Switching connectors page.

Verify

defenseclaw doctor
defenseclaw alerts --limit 10
tail -n 100 ~/.defenseclaw/gateway.jsonl | jq -r 'select(.connector) | .connector' | sort | uniq -c

doctor confirms the previous connector left no residual hook entries; alerts and the JSONL histogram show new events landing under the new connector.
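The same check as the jq histogram, in file order, as an added example (not DefenseClaw's own code). It assumes only the connector field shown in the commands above; the sample lines and the "event" field are constructed.

```python
import json
from collections import Counter
from itertools import groupby

# Constructed sample of ~/.defenseclaw/gateway.jsonl. Only the "connector"
# field comes from the page; the "event" field is an assumption.
SAMPLE = [
    '{"connector": "openclaw", "event": "decision"}',
    '{"connector": "openclaw", "event": "decision"}',
    '{"event": "gateway-start"}',
    '{"connector": "codex", "event": "decision"}',
    '{"connector": "codex", "event": "decision"}',
    '{"connector": "codex", "event": "deci',  # truncated final write
]


def connectors(lines):
    """Yield the connector of every parseable event that records one."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if isinstance(event, dict) and isinstance(event.get("connector"), str):
            yield event["connector"]


def check_switch(lines, old, new):
    """Summarise a switch from `old` to `new`, reading oldest event first."""
    seq = list(connectors(lines))
    runs = [(name, len(list(group))) for name, group in groupby(seq)]
    return {
        "histogram": dict(Counter(seq)),      # same counts as sort | uniq -c
        "runs": runs,                         # consecutive events per connector
        "old_history_present": old in seq,    # old rows still attributed to old
        "latest_is_new": bool(runs) and runs[-1][0] == new,
        # events from the old connector logged after the first new-connector event
        "old_after_new": seq[seq.index(new):].count(old) if new in seq else 0,
    }


if __name__ == "__main__":
    print(check_switch(SAMPLE, old="openclaw", new="codex"))
```

A non-zero old_after_new means the old connector was still emitting events after the switch, which is the case to follow up with defenseclaw doctor.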

What stays, what moves

| Stays put | Moves |
|---|---|
| Audit DB (~/.defenseclaw/audit.db) | Active connector (guardrail.connector) |
| Rule packs (~/.defenseclaw/policies/) | Hook scripts wired in agent config |
| Sinks (OTLP / Splunk / webhooks) | claw.mode (drives source-of-truth files) |
| ~/.defenseclaw/config.yaml (selectively rewritten) | Backed-up agent files (restored to original) |

[Diagram: the old connector (e.g. openclaw) runs Teardown() (restore backups, remove entries) and the new connector (e.g. codex) runs Setup() (write hooks, update config); the audit DB and rule packs are shared by both and untouched.]

Switching is a teardown + setup, scoped to the data path. The audit DB and policy directory are never touched.

When to switch

  • Trying a different agent. Operators switch connectors more often than they realise; the typical operator runs both Claude Code and Codex during a normal week.
  • Promoting an agent. You started with observability-only on Claude Code; now you want enforcement and want to use OpenClaw's plugin-mediated HITL instead. Switch.
  • Demoting an agent. You promoted Codex to enforcement; the rule pack is too aggressive; switch back to observability-only while you tune.

Caveats

The audit DB is portable across connectors, but in some cases not across DefenseClaw versions. Run defenseclaw migrations status after a major version upgrade to see whether any schema migrations are pending; the CLI prompts you when this is needed and applies them automatically on the next command.