Gemini CLI
Gemini CLI connector wires settings.json hooks (BeforeAgent, BeforeModel, BeforeTool, AfterTool, AfterAgent) plus the native OTLP exporter pointing at the gateway.
The Gemini CLI connector wires DefenseClaw into Google's Gemini CLI hooks and points the agent's native OTLP exporter at the gateway so traces, metrics, and logs land in one place.
Setup
defenseclaw setup geminiclisetup geminicli is shorthand for setup guardrail --connector geminicli: it adds or reconfigures Gemini CLI, wires hooks against ~/.gemini/settings.json, and points Gemini's native OTLP exporter at the gateway. There is no proxy-enforcement path for Gemini CLI — blocking happens hook-side via the documented BeforeAgent, BeforeModel, BeforeTool, AfterTool, and AfterAgent events. Gemini CLI has no native ask surface, so confirm verdicts use an immediate alert/context fallback with raw_action preserved for audit.
What setup geminicli actually does
The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.
| Flag | Default | What it does |
|---|---|---|
--yes / -y | off | Skip the confirmation prompt (alias: --non-interactive, --accept-defaults). |
--restart / --no-restart | --restart | Bounce defenseclaw-gateway after applying changes so the new hooks + OTLP env vars wire in. |
--with-local-stack / --no-local-stack | --no-local-stack | Also bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up. |
The alias defaults Gemini CLI to observe mode and can join an existing hook-connector roster when you choose Add. To tune Gemini CLI after install, keep using defenseclaw setup guardrail --connector geminicli — see the variations below.
Common variations — pick the recipe that fits your phase
defenseclaw setup geminicliConfirms once, wires the hooks against ~/.gemini/settings.json, points OTLP at the gateway, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.
defenseclaw setup geminicli --yes --with-local-stackSame as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally — particularly useful for Gemini since native OTLP feeds traces and metrics directly into Tempo and Prometheus. See Local observability.
export DEFENSECLAW_LLM_KEY='replace-with-your-key'
defenseclaw setup geminicli # base alias first
defenseclaw setup guardrail \
--connector geminicli \
--rule-pack strict \
--scanner-mode both \
--detection-strategy regex_judge \
--judge-model anthropic/claude-sonnet-4-20250514 \
--judge-api-key-env DEFENSECLAW_LLM_KEY \
--restartThe alias selects Gemini CLI; the follow-up setup guardrail --connector geminicli swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.
Gemini CLI has no proxy enforcement, but its hooks themselves can block. After setup geminicli, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:
connector_hooks:
geminicli:
enabled: true
mode: action # observe (default) | action
fail_mode: open # open | closedThen defenseclaw setup guardrail --restart to re-wire. With mode: action, Gemini's lifecycle hooks block when policy returns block. Because Gemini CLI has no native ask surface, confirm uses an alert/context fallback; operators can review the event in audit or the TUI, but cannot resume it there.
Decision aids — should I turn this on?
Human-in-the-loop (HITL)
Per-connector ask matrix. Gemini CLI has no native ask; confirm uses an alert/context fallback preserved in audit.
Full setup guardrail flag reference
All ~20 flags you can pass via `setup guardrail --connector geminicli` when tuning Gemini CLI.
Defaults & rule packs
What permissive / default / strict actually ship, and which one matches your risk tolerance.
Interactive wizard
Animated terminal demo of the prompt-by-prompt setup flow — the safest path the first time.
Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.
Files DefenseClaw will modify
Hook capabilities
Block events
- BeforeAgent
- BeforeModel
- BeforeTool
- AfterTool
- AfterAgent
Native ask events
None — confirm verdicts are downgraded with the raw action preserved.
Gemini CLI has no native human-approval surface. Confirm verdicts fall back to an alert/context response with raw_action preserved in the audit log; the TUI is review-only.
Telemetry channels
Disable
defenseclaw setup guardrail --disableOmniGent
The OmniGent connector installs a custom Python policy that maps six policy phases to DefenseClaw ALLOW, ASK, and DENY decisions, with optional native OTLP telemetry.
GitHub Copilot CLI
Copilot CLI connector wires global ~/.copilot/hooks by default, with optional workspace .github/hooks. Native ask supported on preToolUse; block events cover permissionRequest, agentStop, subagentStop, postToolUseFailure.