Overview
defenseclaw-gateway is the Go sidecar daemon. It connects to the
OpenClaw gateway WebSocket, enforces policy on tool calls in real time,
runs the audit pipeline, and exposes the local REST API that the Python
CLI drives.
Reference
Global synopsis
defenseclaw-gateway [flags] <command> [args]
Description
DefenseClaw gateway sidecar — connects to the OpenClaw gateway WebSocket, monitors tool_call and tool_result events, enforces policy in real time, and exposes a local REST API for the Python CLI.
Run without arguments to start the sidecar daemon.
Commands
| Command | Description |
|---|---|
| audit | Inspect and export the local audit database |
| policy | Manage and inspect OPA policies |
| provenance | Print binary and config provenance (v7 quartet) |
| restart | Restart the gateway sidecar daemon |
| sandbox | Manage the openshell-sandbox instance |
| scan | Run security scanners |
| start | Start the gateway sidecar as a background daemon |
| status | Show health of the running sidecar's subsystems |
| stop | Stop the running gateway sidecar daemon |
| tui | Launch the interactive TUI dashboard |
| watchdog | Health watchdog that notifies when the gateway is down |
Persistent flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --host | string | — | Gateway host (default: from config) |
| --port | int | 0 | Gateway port (default: from config) |
Running as a daemon
- systemd: scripts/systemd/defenseclaw-gateway.service (generated by defenseclaw start --install-service).
- launchd (macOS): managed by defenseclaw start / defenseclaw stop.
- Docker / k8s: run the binary as PID 1; it handles graceful shutdown signals and flushes audit sinks before exit.