### Start Guardrail Setup Wizard Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/GUARDRAIL_QUICKSTART.md Use the interactive wizard for a guided setup of the LLM guardrail. It helps configure mode, port, LLM judge, and detection strategy. ```bash defenseclaw setup guardrail ``` -------------------------------- ### Run Initial DefenseClaw Setup and Scans Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/README.md Commands to check local installation, initialize configuration, and scan capabilities. ```bash # Check the local install and dependencies defenseclaw doctor # Initialize config, scanner defaults, and guardrail plumbing defenseclaw init --enable-guardrail # Scan installed agent capabilities defenseclaw skill scan all defenseclaw mcp list defenseclaw plugin scan extensions/defenseclaw # Start the Go gateway sidecar defenseclaw-gateway start # Open the operator dashboard defenseclaw tui ``` -------------------------------- ### Install and Deploy DefenseClaw CLI Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/development/DEVELOPER_SPEC.md These commands install the DefenseClaw CLI, initialize its environment, start the claw within its sandbox, and open the TUI dashboard. This provides a quick setup for a governed claw environment. ```bash # Install curl -sSf https://get.defenseclaw.dev | sh # Initialize (creates sandbox, loads scanners, generates default policy) defenseclaw init # Start the claw inside the secured sandbox defenseclaw start # Open the TUI dashboard defenseclaw tui ``` -------------------------------- ### Install and Initialize OpenClaw Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/E2E.md Installs the OpenClaw gateway globally and initializes it. This is a one-time setup on the EC2 instance. ```bash npm install -g @openclaw/gateway openclaw init ``` -------------------------------- ### Install Dev Script - Skip Installation Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Runs the development installation script to build components but skip installing them to `~/.local/bin`. ```bash ./scripts/install-dev.sh --skip-install # Build but don't install to ~/.local/bin ``` -------------------------------- ### Development Install Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Performs a development installation, setting up a virtual environment with editable installs, dev dependencies, and building the Go gateway. ```bash make dev-install ``` -------------------------------- ### defenseclaw setup local-observability Source: https://context7.com/cisco-ai-defense/defenseclaw/llms.txt Start a local observability stack with Grafana, Prometheus, Loki, and Tempo for development and testing. Automatically configures OTLP export in the sidecar. ```APIDOC ## CLI: defenseclaw setup local-observability ### Description Start a local observability stack with Grafana, Prometheus, Loki, and Tempo for development and testing. Automatically configures OTLP export in the sidecar. ### Usage Examples ```bash # Start local observability stack defenseclaw setup local-observability up # Start the sidecar (reads config.yaml with OTLP settings) defenseclaw-gateway # Check stack status defenseclaw setup local-observability status # Stop the stack (preserves data volumes) defenseclaw setup local-observability down # Stop and wipe all data defenseclaw setup local-observability reset ``` ``` -------------------------------- ### Configure and Install GitHub Actions Runner Service Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/E2E.md Configures the GitHub Actions runner with the repository URL, token, and labels, then installs and starts it as a systemd service. ```bash # Configure ./config.sh --url https://github.com/YOUR_ORG/defenseclaw --token YOUR_TOKEN --labels e2e # Install and start as systemd service sudo ./svc.sh install sudo ./svc.sh start ``` -------------------------------- ### Install Go Gateway Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Installs the Go gateway binary to `~/.local/bin/defenseclaw-gateway` and includes the Defenseclaw CLI. ```bash # Gateway → ~/.local/bin/defenseclaw-gateway (+ defenseclaw CLI) make gateway-install ``` -------------------------------- ### Install Open-Shell Sandbox Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Installs the Open-Shell sandbox using NVIDIA's installer script or `uv` if curl is unavailable. This is part of the sandbox setup flag during installation. ```bash OPENSHELL_VERSION= curl -LsSf .../install.sh | sh # Or via uv: uv tool install openshell== ``` -------------------------------- ### Install OpenShell via PyPI (Latest) Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Installs the latest version of the OpenShell binary using `uv` from PyPI. This is an alternative installation method. ```bash # Latest uv tool install -U openshell ``` -------------------------------- ### Install OpenShell Binary Installer (Latest) Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Installs the latest version of the OpenShell binary using the official curl installer script. This method is recommended for servers. ```bash # Latest curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh ``` -------------------------------- ### Install All Components Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Builds and installs all Defenseclaw components to their default locations. Activate the Python environment with `source .venv/bin/activate` after installation. ```bash make install ``` -------------------------------- ### Install Plugin with Configured Action Policy Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/PLUGINS.md Installs a plugin and applies the configured action policy. Replace '/path/to/plugin' with the actual plugin path. ```bash defenseclaw plugin install /path/to/plugin --action ``` -------------------------------- ### Run Example Custom Scanner Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/PLUGINS.md Execute a minimal custom scanner example using Go. This serves as a scaffold for developing your own scanners. ```bash go run ./plugins/examples/custom-scanner ``` -------------------------------- ### DefenseClaw Configuration Example Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Configure the active claw mode and home directory in '~/.defenseclaw/config.yaml'. The claw mode determines which skill and MCP directories are watched and used for installation resolution. ```yaml claw: mode: openclaw # openclaw (default) | nemoclaw | opencode | claudecode (future) home_dir: "" # auto-detected; override to use a custom path ``` -------------------------------- ### Install Node.js 20 for TypeScript Plugins Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/E2E.md Installs Node.js version 20, required for building TypeScript plugins. This script fetches and executes the NodeSource setup script. ```bash curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - sudo apt-get install -y nodejs ``` -------------------------------- ### Install OpenClaw Plugin Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Installs the OpenClaw plugin to `~/.defenseclaw/extensions/defenseclaw/` and includes the Defenseclaw CLI. ```bash # Plugin → ~/.defenseclaw/extensions/defenseclaw/ (+ defenseclaw CLI) make plugin-install ``` -------------------------------- ### Initialize External Scanners Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/CONTRIBUTING.md Use this command to install external scanners for DefenseClaw integration. Alternatively, use the setup script. ```bash defenseclaw init ``` -------------------------------- ### Custom Scanner Example Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/ARCHITECTURE.md A working example demonstrating how to implement a custom scanner by adhering to the `Scanner` interface. This serves as a template for creating new scanner binaries. ```Go plugins/examples/custom-scanner/main.go ``` -------------------------------- ### Install DefenseClaw from Release Script Source: https://context7.com/cisco-ai-defense/defenseclaw/llms.txt Installs DefenseClaw using the provided release script. Ensure you have curl installed. ```bash curl -LsSf https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/main/scripts/install.sh | bash ``` -------------------------------- ### Install from Local Distribution Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Tests release artifacts by installing the gateway binary, Python CLI wheel, and plugin from a local `dist/` directory without downloading from the internet. ```bash ./scripts/install.sh --local dist/ ``` -------------------------------- ### Install DefenseClaw using Release Script Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/README.md Installs DefenseClaw using the provided release script and initializes the guardrail. ```bash curl -LsSf https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/main/scripts/install.sh | bash defenseclaw init --enable-guardrail ``` -------------------------------- ### Initialize Defenseclaw Environment Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/CLI.md Creates the default configuration directory, SQLite database, and installs scanner dependencies. Use `--skip-install` to bypass automatic dependency installation. ```bash defenseclaw init [flags] ``` -------------------------------- ### Install DefenseClaw Gateway Binary Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Installs the DefenseClaw gateway binary to `/usr/local/bin/`. This is the current behavior of the `install.sh` script. ```bash 1. Download defenseclaw binary from GitHub Releases 2. Install to /usr/local/bin/ 3. Print "Run defenseclaw init" ``` -------------------------------- ### Start DefenseClaw Sandbox Services Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Starts the DefenseClaw sandbox services using systemd. Alternatively, a convenience wrapper can be used. ```bash sudo systemctl start defenseclaw-sandbox.target ``` ```bash defenseclaw-gateway sandbox start ``` -------------------------------- ### Install OpenShell Sandbox via uv tool Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Fallback installation method for OpenShell sandbox if uv is available and curl is not. Replace with the desired version. ```bash uv tool install openshell== ``` -------------------------------- ### Install Dev Script - Dependency Checks Only Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Runs the development installation script to perform dependency checks without installing components. ```bash ./scripts/install-dev.sh --check # Dependency checks only ``` -------------------------------- ### defenseclaw sandbox setup Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-scanning.md A CLI command to automate the setup of the Defenseclaw sandbox environment. ```APIDOC ## `defenseclaw sandbox setup` Command ### Description Automates the configuration and setup of the Defenseclaw sandbox environment, including port forwarding, gateway token extraction, sidecar configuration, and plugin installation. ### Usage ```bash defenseclaw sandbox setup ``` ### Steps Performed 1. **Port Forwarding**: Establishes port forwarding using `openshell forward start 18789 `. 2. **Extract Gateway Token**: Retrieves the gateway authentication token from `~/.openclaw/openclaw.json` after running `openshell sandbox connect`. 3. **Configure Sidecar**: Writes the extracted token and sandbox name to `~/.defenseclaw/config.yaml`. 4. **Install `defenseclaw` CLI**: Installs the `defenseclaw` CLI within the sandbox environment via `openshell sandbox connect` and `pip install defenseclaw`. 5. **Copy Plugin**: Copies the plugin files from `extensions/defenseclaw/dist/` to the sandbox's `~/.openclaw/extensions/defenseclaw/` directory. 6. **Restart OpenClaw**: Signals the OpenClaw instance within the sandbox to reload its plugins. ### Configuration Changes After execution, `~/.defenseclaw/config.yaml` will be updated with the following: ```yaml gateway: token: "" watcher: enabled: false # host watcher disabled in sandbox mode openshell: enabled: true sandbox_name: "" sandbox_scan_poll_interval_s: 5 ``` ``` -------------------------------- ### Start DefenseClaw Sandbox (Non-systemd) Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/SANDBOX_SETUP.md Alternative method to start the DefenseClaw sandbox in environments without systemd, using a generated script. ```bash sudo /path/to/data_dir/scripts/run-sandbox.sh ``` -------------------------------- ### List Installed Components Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/QUICKSTART.md Lists the currently installed skills, MCP servers, and plugins within DefenseClaw. ```bash # List installed skills, MCP servers, and plugins defenseclaw skill list defenseclaw mcp list defenseclaw plugin list ``` -------------------------------- ### Install OpenShell Sandbox via NVIDIA Installer Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Use this command to install the OpenShell sandbox using NVIDIA's provided script. Ensure openshell-sandbox is not already on your PATH. ```bash OPENSHELL_VERSION= curl -LsSf \ https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh ``` -------------------------------- ### Start Splunk Bridge with Compose Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/bundles/splunk_local_bridge/compose/README.md Use the public entrypoint to start the Splunk bridge. This command automatically packages the local-mode app before bringing up the services. ```bash bin/splunk-claw-bridge up ``` -------------------------------- ### Example .env file content Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/CONFIG_FILES.md This is an example of the content found in the `~/.defenseclaw/.env` file, which stores API key values. It is recommended to keep this file secure with mode 0600. ```env ANTHROPIC_API_KEY=sk-ant-api03-... ``` -------------------------------- ### Install Docker and Docker Compose Plugin Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/E2E.md Installs Docker and the Docker Compose plugin, then adds the current user to the docker group to allow Docker commands without sudo. ```bash sudo apt-get install -y docker.io docker-compose-plugin sudo usermod -aG docker $USER newgrp docker ``` -------------------------------- ### Install OpenShell via PyPI (Pinned Version) Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Installs a specific, pinned version of the OpenShell binary using `uv` from PyPI. This ensures a consistent version is used. ```bash # Pinned version uv tool install openshell==0.6.2 ``` -------------------------------- ### Install OpenClaw Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/QUICKSTART.md Installs OpenClaw, a prerequisite for DefenseClaw. Requires Node.js 22.14+ or 24+. Ensure the gateway is up after onboarding. ```bash curl -fsSL https://openclaw.ai/install.sh | bash openclaw onboard --install-daemon ``` -------------------------------- ### Start DefenseClaw Sandbox Service Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/SANDBOX_SETUP.md Start the DefenseClaw sandbox service using systemd. This command initiates the sandbox environment, including pre- and post-start scripts. ```bash sudo systemctl start defenseclaw-sandbox.target ``` -------------------------------- ### Install and Scan Skill Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/CLI.md Installs a skill from clawhub, then scans it and optionally enforces policy based on scan severity. Use `--force` to overwrite existing skills. ```bash defenseclaw skill install [flags] ``` -------------------------------- ### Install Go for DefenseClaw Gateway Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/E2E.md Installs Go version 1.25.2 for building the DefenseClaw gateway. Ensure your system architecture is ARM64. The PATH is updated in .bashrc. ```bash wget -q https://go.dev/dl/go1.25.2.linux-arm64.tar.gz sudo tar -C /usr/local -xzf go1.25.2.linux-arm64.tar.gz echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc source ~/.bashrc ``` -------------------------------- ### Install DefenseClaw Scanners Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md If 'defenseclaw status' shows scanners as not found, re-run init or install them manually using uv tool. Ensure uv tool binaries are on your PATH. ```bash # Re-run init to install them defenseclaw init # Or install manually uv tool install cisco-ai-skill-scanner uv tool install --python 3.13 cisco-ai-mcp-scanner uv tool install --python 3.13 cisco-aibom ``` ```bash export PATH=$PATH:$HOME/.local/bin ``` -------------------------------- ### CLI Command: Start Sandbox Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Initiates the sandbox startup process via systemctl. Includes verification steps like checking OpenClaw health and performing a policy diff check. ```bash 1. Verify openshell.mode == "standalone" 2. Run: systemctl start defenseclaw-sandbox.target 3. Wait for OpenClaw health check (http://sandbox-ip:port/health) 4. Run policy diff check (see 7.7) — warn if endpoints are uncovered 5. Print status summary ``` -------------------------------- ### Initialize DefenseClaw Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Run this command once to initialize DefenseClaw. It creates necessary directories, installs dependencies, seeds databases, and copies policies. Supports flags to skip installations or enable guardrail setup. ```bash defenseclaw init ``` ```bash # Skip scanner installs (already have them) defenseclaw init --skip-install ``` ```bash # Init + guardrail in one step (recommended for first install) defenseclaw init --enable-guardrail ``` -------------------------------- ### Setup External Scanners Manually Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/CONTRIBUTING.md Manually install external scanners for DefenseClaw integration using this script. ```bash scripts/setup-scanners.sh ``` -------------------------------- ### DefenseClaw Sandbox Setup Steps Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md These are the detailed steps for configuring the DefenseClaw sandbox. Ensure all prerequisites are met before proceeding. ```bash 1. Validate prerequisites: - Linux OS - openshell-sandbox binary on PATH - sandbox user exists - OpenClaw installed (node, openclaw binary) 2. Configure DefenseClaw: - openshell.mode = standalone - openshell.sandbox_home = /home/sandbox (or --sandbox-home) - gateway.host = sandbox-ip - gateway.tls = false - gateway.api_bind = host-ip - guardrail.host = host-ip - claw.home_dir = /.openclaw - claw.config_file = /.openclaw/openclaw.json Setting claw.home_dir and claw.config_file makes all existing code (guardrail patching, codeguard skill install, skill/MCP dir resolution) automatically target the sandbox user's OpenClaw config and directories. No changes to guardrail.py or codeguard_skill.py needed. 3. Generate OpenShell policy: - Load template from /policies/openshell/ - Inject correct ports (gateway.port=18789, gateway.api_port=18970, guardrail.port=4000) - Inject host/sandbox IPs - Write to /openshell-policy.yaml 4. Generate gateway auth token: - Generate a random 32-byte token (secrets.token_urlsafe) - Store in /config.yaml as gateway.token 5. Pre-pair the sidecar device (see 6.6): - Shell out to defenseclaw-gateway to load/generate device key and compute device ID, or read /device.key directly - Inject the device as pre-approved into the sandbox's /.openclaw/devices.json (see 6.6) 6. Patch sandbox-side OpenClaw config: - Patch /.openclaw/openclaw.json with gateway.* fields (see 7.7 — gateway.port, gateway.mode, gateway.bind, gateway.token) - Update defenseclaw plugin (copy if newer version — see 7.7) - Set ownership (root:root for plugin, sandbox:sandbox for config) - Create /.defenseclaw/config.yaml (sidecar address) This is Python code in cmd_setup.py, using the same read-modify- write pattern as guardrail.py. NOT Go code. 7. Run setup guardrail (if guardrail enabled): - Calls existing `_enable_guardrail()` flow which uses cfg.claw.config_file (now pointing at sandbox's openclaw.json) - Sets baseUrl to http://{host-ip}:{guardrail-port} - Do NOT put LiteLLM master key in sandbox config (see Phase 7) 8. Generate DNS resolv.conf: - Write /sandbox-resolv.conf with configured nameservers - Default: 8.8.8.8, 1.1.1.1 (override via --dns flag) 9. Generate systemd unit files and launcher scripts (see Phase 6.2, 6.3) - All paths hardcoded from openshell.sandbox_home and data_dir - Install to /etc/systemd/system/ and /usr/local/lib/defenseclaw/ 10. Save config and print summary ``` -------------------------------- ### Start Local Observability Stack Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/bundles/local_observability_stack/README.md Use this command to set up the local observability stack, wait for readiness, and automatically configure the otel block in config.yaml. ```bash defenseclaw setup local-observability up ``` -------------------------------- ### Sandbox DNS Configuration Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md This is the content of the sandbox-resolv.conf file, which is created during setup and bind-mounted into the sandbox on each start for custom DNS resolution. ```bash # /sandbox-resolv.conf (e.g. /home/admin/.defenseclaw/sandbox-resolv.conf) nameserver 8.8.8.8 nameserver 1.1.1.1 ``` -------------------------------- ### GET /status Response Example Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/API.md This JSON response includes the health snapshot along with the gateway hello payload, which contains protocol version and features, if the gateway is connected. ```json { "health": { "..." }, "gateway_hello": { "protocol": "v3", "features": ["..."] } } ``` -------------------------------- ### GET /health Response Example Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/API.md This JSON response provides a snapshot of the subsystem health, including the state and uptime of various components like the gateway, watcher, API, and guardrail. ```json { "gateway": { "state": "running", "since": "...", "error": "" }, "watcher": { "state": "disabled", "since": "...", "error": "" }, "api": { "state": "running", "since": "...", "error": "" }, "guardrail": { "state": "running", "since": "...", "error": "" }, "uptime_s": 3600 } ``` -------------------------------- ### Install Python CLI Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Installs the DefenseClaw Python CLI using pip. It can install from a bundled wheel file or editable source. Scanner dependencies are also installed. ```bash pip install ./defenseclaw-cli-*.whl pip install skill-scanner mcp-scanner ``` -------------------------------- ### Build DefenseClaw Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/CONTRIBUTING.md Run this command to build the DefenseClaw project. Ensure Go 1.26+ is installed. ```bash make build ``` -------------------------------- ### Install OpenShell Binary Installer (Pinned Version) Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Installs a specific, pinned version of the OpenShell binary using the official curl installer script. DefenseClaw uses this method for reproducible builds. ```bash # Pinned version (what DefenseClaw uses) OPENSHELL_VERSION=0.6.2 curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh ``` -------------------------------- ### Verify DefenseClaw Installation Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Commands to verify the successful installation of the DefenseClaw Python CLI, the Go gateway, and the Open-Shell sandbox (if installed). ```bash defenseclaw --version (Python CLI) defenseclaw-gateway --version (Go sidecar) openshell-sandbox --version (if --sandbox) ``` -------------------------------- ### Curl-to-Bash Installer with Version Pinning Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Installs a specific version of Defenseclaw using the curl-to-bash installer by setting the `VERSION` environment variable. ```bash VERSION=0.2.0 curl -LsSf .../install.sh | bash ``` -------------------------------- ### Enable DefenseClaw Sandbox on Boot Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/SANDBOX_SETUP.md Enable the DefenseClaw sandbox service to start automatically on system boot using systemd. ```bash sudo systemctl enable defenseclaw-sandbox.target ``` -------------------------------- ### Clone and Build DefenseClaw from Source Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/README.md Use these commands to clone the repository and build the project locally from source. ```bash git clone https://github.com/cisco-ai-defense/defenseclaw.git cd defenseclaw make all ``` -------------------------------- ### Troubleshoot Sandbox Startup Issues Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/SANDBOX_QUICKSTART.md Commands to check the status and logs of the openshell-sandbox service. Useful when the sandbox fails to start. ```bash systemctl status openshell-sandbox.service ``` ```bash journalctl -u openshell-sandbox -n 50 ``` -------------------------------- ### Install GitHub CLI Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/E2E.md Installs the GitHub CLI (gh) for local workflow debugging. This involves adding the GitHub CLI repository and then installing the package. ```bash type -p curl >/dev/null || sudo apt-get install -y curl curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list >/dev/null sudo apt-get update sudo apt-get install -y gh ``` -------------------------------- ### Install Python 3.12, uv, and jq Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/E2E.md Installs Python 3.12, the uv package manager, and jq for JSON parsing. uv is installed via a curl script. ```bash sudo apt-get install -y python3.12 python3.12-venv jq curl -LsSf https://astral.sh/uv/install.sh | sh ``` -------------------------------- ### Curl-to-Bash Installer Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Installs a released version of Defenseclaw by downloading artifacts directly from GitHub releases using `curl` and piping to `bash`. It automatically detects the platform and installs the gateway, CLI, and plugin. ```bash curl -LsSf https://github.com/defenseclaw/defenseclaw/releases/latest/download/install.sh | bash ``` -------------------------------- ### TUI-CLI Routing Example Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/TUI.md Illustrates how TUI actions route through the Python CLI, ensuring one implementation per action and audit parity. The example shows blocking a skill via the TUI. ```go internal/tui/app.go::executeActionMenuItem() │ ▼ (CommandExecutor, streams output to Activity panel) defenseclaw skill block --non-interactive │ ▼ (Click handler in cli/defenseclaw/commands/cmd_skill.py) audit event "skill.blocked" → SQLite → propagates back to all panels ``` -------------------------------- ### Create Sandbox Home Directories Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-productization.md Creates the necessary home directories for the sandbox user, including configuration and extension directories. ```bash /home/sandbox/.openclaw/ ``` ```bash /home/sandbox/.openclaw/extensions/ ``` ```bash /home/sandbox/.defenseclaw/ ``` -------------------------------- ### Install Dev Script - Non-interactive Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/INSTALL.md Runs the development installation script non-interactively, automatically confirming any prompts. ```bash ./scripts/install-dev.sh --yes # Non-interactive ``` -------------------------------- ### Defenseclaw Sandbox Setup Command Source: https://github.com/cisco-ai-defense/defenseclaw/blob/main/docs/design/sandbox-scanning.md The command to initiate the automated setup process for a Defenseclaw sandbox environment. ```bash defenseclaw sandbox setup ```