Add a connector without losing audit history
Use defenseclaw setup <connector> to add or reconfigure agent wiring while preserving audit history for every connector.
The audit DB is connector-agnostic. Every audit row records its own connector column, so adding or replacing connector wiring does not erase history. New events land under the connector that produced them; old events stay attributable to the connector that produced them.
Inspect current state
defenseclaw status
defenseclaw alerts --limit 25
tail -n 200 ~/.defenseclaw/gateway.jsonl | jq -r 'select(.connector) | .connector' | sort | uniq -cstatus shows enforcement flags plus a per-connector block for every active connector. alerts lists the most recent decisions as a table. The JSONL histogram gives you a quick by-connector view of recent gateway events.
Add or reconfigure the connector
defenseclaw setup codexIf another connector is already wired, choose Add to keep both active. Choose Replace only when you want DefenseClaw to tear down the previous connector's agent-side files before wiring the new one.
Use --mode action when this connector should block policy hits immediately:
defenseclaw setup codex --mode actionVerify
defenseclaw doctor
defenseclaw alerts --limit 10
tail -n 100 ~/.defenseclaw/gateway.jsonl | jq -r 'select(.connector) | .connector' | sort | uniq -cdoctor confirms connector health. alerts and the JSONL histogram show new events landing under the expected connector.
What stays, what changes
| Stays put | Changes |
|---|---|
Audit DB (~/.defenseclaw/audit.db) | Active connector roster |
Rule packs (~/.defenseclaw/policies/) | Hook scripts wired in agent config |
| Sinks (OTLP / Splunk / webhooks) | guardrail.connectors.<name> policy blocks |
| Historical audit attribution | Backed-up agent files for removed or replaced connectors |
Use Add for multi-connector hosts. Use Replace only for a deliberate one-connector workstation. To retire a connector later, run defenseclaw setup remove <connector>.
When to change connector wiring
- Trying a different agent. Add the second connector and compare behavior from
defenseclaw statusanddefenseclaw alerts. - Promoting an agent. Re-run
defenseclaw setup <connector> --mode actionwhen a connector should start blocking. - Demoting an agent. Re-run
defenseclaw setup <connector> --mode observewhile you tune policy. - Retiring an agent. Run
defenseclaw setup remove <connector>after you stop using it.
Caveats
The audit DB is portable across connectors but not across DefenseClaw versions in some cases. Use defenseclaw upgrade, which applies release-required migrations before reporting success. Run defenseclaw migrations status afterward to inspect the durable cursor; pending entries retry on the next upgrade, not on unrelated CLI commands.
Pin local observability in 60 seconds
defenseclaw setup local-observability up brings the bundled OTel Collector + Prom/Loki/Tempo/Grafana stack online and points the gateway's OTLP exporter at it. One command, five containers, three signals.
Reference
Lightweight reference index. CLI command index, gateway API surface, configuration files, and environment variables. Authoritative source for CLI flags is `defenseclaw <command> --help`.