Overview
This section is for contributors and integrators. If you're running DefenseClaw to protect agents, start with Install methods. If you're building DefenseClaw — adding scanners, adapting the gateway, or changing the OpenClaw plugin — you're in the right place.
Two languages, three processes
DefenseClaw is split between Python and Go by design. Each language owns what it does best:
| Language | Role | Where |
|---|---|---|
| Python (Click) | Operator CLI, human-facing UX, scanner SDKs (skill, MCP) | cli/defenseclaw/ |
| Go | Gateway sidecar, guardrail proxy, audit store, OPA host, sandbox supervisor, TUI | internal/ and cmd/ |
| Node.js/TS | OpenClaw plugin that forwards LLM traffic to the guardrail | extensions/defenseclaw/ |
Section map
| Page | What it's for |
|---|---|
| Architecture | Process topology, data flow, boundaries |
| Package tour | Every top-level package with 1-line purpose |
| Inspection pipeline | How a request flows through the guardrail |
| Bifrost provider adapter | How the gateway delegates LLM provider calls to Bifrost |
| Plugin protocol | How the OpenClaw plugin and the guardrail communicate |
| RPC contract | Stable JSON-RPC methods and their invariants |
| Telemetry contract | Span names, metric names, attribute keys |
| Testing | Test suites, harnesses, conventions |
| Building | Local dev loop, cross-compile, release builds |
| Release | Versioning, changelog, tag flow |
| Contributing | Coding standards, review expectations, CI gates |
Contracts you should not break
If you're touching DefenseClaw, memorize these boundaries:
- REST sidecar and proxy routes — stable once documented; see Endpoints.
- OpenClaw gateway WebSocket methods — stable; see RPC contract.
- Span and metric names — stable; see Telemetry contract.
- Audit event schema — stable; additions are allowed, removals and type changes are not.
- Exit codes — stable; see Exit codes.
- Plugin protocol — versioned; bump the protocol version before shipping incompatible changes.
- Rule-pack YAML schema — versioned via
schema_version; bump on any breaking change.
The repo layout at a glance
.
├── cli/defenseclaw/ # Python operator CLI
├── cmd/ # Go entrypoints (gateway, docgen)
├── internal/ # Go private packages (gateway, tui, ...)
├── extensions/defenseclaw/ # Node.js OpenClaw plugin
├── policies/ # Rego modules + default rule packs
├── scripts/ # installers, docgen, verification, E2E helpers
├── test/ # E2E data, fixtures, unit helpers
└── docs-site/ # This documentation
Where to start
- Fixing a bug — open an issue, add a failing test, fix it,
make test. See Contributing. - Adding a scanner — see Custom scanners for the runtime contract and the Add a custom scanner cookbook for packaging.
- Extending the API — see REST endpoints and RPC contract first; additions to
/v1are welcome when documented and tested. - Shipping a release — see Release. Changelog and version bump are required before tagging.