Stories

Add a connector without losing audit history

Use defenseclaw setup <connector> to add or reconfigure agent wiring while preserving audit history for every connector.

The audit DB is connector-agnostic. Every audit row records its own connector column, so adding or replacing connector wiring does not erase history. New events land under the connector that produced them; old events stay attributable to the connector that produced them.

Inspect current state

defenseclaw status
defenseclaw alerts --limit 25
tail -n 200 ~/.defenseclaw/gateway.jsonl | jq -r 'select(.connector) | .connector' | sort | uniq -c

status shows enforcement flags plus a per-connector block for every active connector. alerts lists the most recent decisions as a table. The JSONL histogram gives you a quick by-connector view of recent gateway events.

Add or reconfigure the connector

defenseclaw setup codex

If another connector is already wired, choose Add to keep both active. Choose Replace only when you want DefenseClaw to tear down the previous connector's agent-side files before wiring the new one.

Use --mode action when this connector should block policy hits immediately:

defenseclaw setup codex --mode action

Verify

defenseclaw doctor
defenseclaw alerts --limit 10
tail -n 100 ~/.defenseclaw/gateway.jsonl | jq -r 'select(.connector) | .connector' | sort | uniq -c

doctor confirms connector health. alerts and the JSONL histogram show new events landing under the expected connector.

What stays, what changes

Stays putChanges
Audit DB (~/.defenseclaw/audit.db)Active connector roster
Rule packs (~/.defenseclaw/policies/)Hook scripts wired in agent config
Sinks (OTLP / Splunk / webhooks)guardrail.connectors.<name> policy blocks
Historical audit attributionBacked-up agent files for removed or replaced connectors

Use Add for multi-connector hosts. Use Replace only for a deliberate one-connector workstation. To retire a connector later, run defenseclaw setup remove <connector>.

When to change connector wiring

  • Trying a different agent. Add the second connector and compare behavior from defenseclaw status and defenseclaw alerts.
  • Promoting an agent. Re-run defenseclaw setup <connector> --mode action when a connector should start blocking.
  • Demoting an agent. Re-run defenseclaw setup <connector> --mode observe while you tune policy.
  • Retiring an agent. Run defenseclaw setup remove <connector> after you stop using it.

Caveats

The audit DB is portable across connectors but not across DefenseClaw versions in some cases. Use defenseclaw upgrade, which applies release-required migrations before reporting success. Run defenseclaw migrations status afterward to inspect the durable cursor; pending entries retry on the next upgrade, not on unrelated CLI commands.