Overview
After install, confirm that the CLI resolves, the gateway binary matches, and the sidecar answers on the REST API (default port 18970). Use defenseclaw doctor for deep connectivity checks, defenseclaw status for a concise inventory, and defenseclaw version to detect drift between CLI, gateway, and plugin.
Commands
| Command | Purpose |
|---|---|
| defenseclaw doctor | Config file, audit DB, scanners on PATH, sidecar /health, OpenClaw gateway, guardrail proxy, LLM keys, observability sinks, webhooks, registry credentials; optional --fix / --json-output |
| defenseclaw status | Environment, data dir, config path, audit DB path, sandbox binary presence, scanner rows, DB counts, observability, sidecar snapshot |
| defenseclaw version | Table of CLI, defenseclaw-gateway, plugin versions; exit 1 on drift (unless using --json for automation) |
Doctor exit code: 0 if no failures, 1 if any check failed.
Binary locations
| Artifact | Typical path |
|---|---|
| defenseclaw | Symlink in ~/.local/bin → .venv/bin/defenseclaw (release) or repo .venv (dev) |
| defenseclaw-gateway | ~/.local/bin/defenseclaw-gateway |
| Scanner helpers | skill-scanner, mcp-scanner, etc., may be symlinked beside the CLI after make cli-install |
| litellm | Optional symlink from make cli-install |
| OpenClaw plugin | ~/.defenseclaw/extensions/defenseclaw/ (package.json, dist/) |
Example: healthy defenseclaw doctor (paraphrased)
After a good install and defenseclaw init, non-JSON output resembles:
```
DefenseClaw Doctor
══════════════════
[PASS] Config file — ~/.defenseclaw/config.yaml
[PASS] Audit database — ~/.defenseclaw/audit.db
── Scanners ──
[PASS] Scanner: skill-scanner — /…/skill-scanner
[PASS] Scanner: mcp-scanner — /…/mcp-scanner
── Services ──
[PASS] Sidecar API — 127.0.0.1:18970
[PASS] └─ gateway — running
[PASS] └─ watcher — running
…
[PASS] OpenClaw gateway — 127.0.0.1:<port>
[PASS] Guardrail proxy — healthy on port 4000
── Credentials ──
… (LLM key pass/skip/warn per provider)
── Observability ──
[SKIP] Observability — no destinations configured
── Webhooks ──
[SKIP] Webhooks — no webhooks configured
── Summary ──
N passed, …
```
Subsystem lines under the sidecar reflect the JSON returned by /health (gateway, watcher, guardrail, api, telemetry, splunk, sandbox). A disabled subsystem may show [SKIP]; if the config expects it to be enabled, the sidecar is stale and the line shows [WARN] with a restart hint.
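An added example, not part of DefenseClaw's own code: a Python parser for the non-JSON doctor output that lists [WARN] lines and [SKIP] lines in sections you treat as mandatory, since the doctor exit code reports only failed checks. It assumes the real output follows the paraphrased layout above and that failed checks are tagged [FAIL]; `parse_doctor`, `review` and `required_sections` are names invented for this sketch.

```python
import re

# Constructed sample in the shape of the paraphrased doctor output on this page.
# The [FAIL] tag is an assumption; the page shows only [PASS], [SKIP] and [WARN].
SAMPLE = """\
DefenseClaw Doctor
══════════════════
[PASS] Config file — ~/.defenseclaw/config.yaml
── Services ──
[PASS] Sidecar API — 127.0.0.1:18970
[PASS]   └─ gateway — running
[WARN]   └─ watcher — stale, restart sidecar
── Observability ──
[SKIP] Observability — no destinations configured
── Webhooks ──
[SKIP] Webhooks — no webhooks configured
"""

SECTION = re.compile(r"^──\s*(.+?)\s*──$")
CHECK = re.compile(r"^\[(PASS|WARN|SKIP|FAIL)\]\s*(└─\s*)?(.+?)(?:\s+—\s+(.*))?$")

def parse_doctor(text):
    """Return one dict per check line: status, section, name, detail, parent."""
    checks, section, parent = [], "General", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            section, parent = m.group(1), None
            continue
        m = CHECK.match(line)
        if not m:
            continue  # title, rule, ellipsis and summary lines
        status, child, name, detail = m.groups()
        if not child:
            parent = name  # later "└─" lines belong to this check
        checks.append({"status": status, "section": section, "name": name,
                       "detail": detail or "", "parent": parent if child else None})
    return checks

def review(checks, required_sections=()):
    """List checks needing attention: FAIL, WARN, and SKIP in required sections."""
    findings = []
    for c in checks:
        if c["status"] in ("FAIL", "WARN") or (
                c["status"] == "SKIP" and c["section"] in required_sections):
            label = f'{c["parent"]}/{c["name"]}' if c["parent"] else c["name"]
            findings.append(f'{c["status"]} {c["section"]}: {label} ({c["detail"]})')
    return findings
```

Passing `required_sections={"Observability"}` turns the "no destinations configured" skip into a finding, which suits hosts where audit events must leave the machine.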
Gateway daemon (reference)
defenseclaw-gateway start runs the sidecar in the background; stop sends SIGTERM then SIGKILL if needed; restart stops then starts. Logs go to ~/.defenseclaw/gateway.log with PID in ~/.defenseclaw/gateway.pid.