Overview
defenseclaw tui launches a full-screen terminal interface built on charm.sh Bubbletea v2. It is not a separate tool — every action the TUI performs is shelled to the same defenseclaw or defenseclaw-gateway binary you would have typed directly. This means the TUI never holds state the CLI doesn't also hold, nothing in the TUI is TUI-only, and CI and TUI users converge on the exact same audit trail.
Launch
defenseclaw tui
The TUI inherits the resolved defenseclaw-gateway binary path via resolveSiblingBin, which prefers siblings of the running executable over PATH lookup. That means a locally-installed wheel and a system package never fight over which binary acts on your commands.
The 12 panels
| # | Panel | Shortcut | Purpose |
|---|---|---|---|
| 1 | Overview | 1 | Sidecar health, mode, key missing-credential summary, audit DB stats |
| 2 | Alerts | 2 | Live feed from /v1/alerts, filterable by severity/type/action |
| 3 | Skills | 3 | Installed OpenClaw skills, trust status, per-skill scan actions |
| 4 | MCPs | 4 | Registered MCP servers, scan/allow/block/set/unset actions |
| 5 | Plugins | 5 | DefenseClaw plugins (guardrail, CodeGuard, etc.), install/disable |
| 6 | Inventory | 6 | Cross-cutting asset index (skills + MCPs + plugins + tools) |
| 7 | Policy | 7 | OPA/Rego bundles + guardrail rule packs, hot reload, YAML viewer |
| 8 | Logs | 8 | Tail of ~/.defenseclaw/gateway.log with scroll + filter |
| 9 | Audit | 9 | Queryable audit store with filter bar, detail view, JSON export |
| 10 | Activity | — | Watcher activity (quarantine, admission, drift, rescan) |
| — | Tools | T | Per-tool inventory (declared by MCP servers); separate from Tools CLI |
| 0 | Setup | 0 | Wizard panel running the same flows as defenseclaw setup … |
Panel numbering (1–9, 0) is intentionally stable across releases so muscle memory survives upgrades. See internal/tui/app.go for the ordering contract.
Global shortcuts
| Key | Action |
|---|---|
Ctrl+C | Quit (the only hard quit) |
? | Open the help overlay |
: / Ctrl+K | Open the command palette |
/ | Start an in-panel filter (where supported) |
Tab / Shift+Tab | Cycle panels forward / backward |
1–9, 0, T | Jump to a panel directly |
esc | Close any overlay / form / filter |
q is deliberately not a global quit — it's reserved for panel-local actions like "close overlay" or "quarantine". This was a deliberate change after operators kept killing the TUI by pressing q inside a YAML viewer.
What the Overview panel shows
- Sidecar state (
gateway,watcher,api,guardrail,telemetry,sinks,sandbox). - Audit store stats (row counts per
event_type, oldest / newest timestamps). - Missing API keys (cached from
defenseclaw keys list --json). - A tip footer that points at the palette and the help overlay.
The panel refreshes every 5 seconds; heavier queries (audit store stats, doctor cache) refresh every 30 seconds. Both cadences are defined in app.go as refreshInterval / slowRefreshInterval.