Gemini CLI

Gemini CLI connector wires settings.json hooks (BeforeAgent, BeforeModel, BeforeTool, AfterTool, AfterAgent) plus the native OTLP exporter pointing at the gateway.

The Gemini CLI connector wires DefenseClaw into Google's Gemini CLI hooks and points the agent's native OTLP exporter at the gateway so traces, metrics, and logs land in one place.

Setup

defenseclaw setup geminicli

Pins claw.mode=geminicli, wires hooks against ~/.gemini/settings.json and points Gemini's native OTLP exporter at the gateway. There is no proxy-enforcement path for Gemini CLI — blocking happens hook-side via the documented BeforeAgent, BeforeModel, BeforeTool, AfterTool, and AfterAgent events. Gemini CLI has no native ask surface, so HITL approvals downgrade to confirm verdicts in the DefenseClaw TUI.

What setup geminicli actually does

The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

| Flag | Default | What it does |
| --- | --- | --- |
| --yes / -y | off | Skip the confirmation prompt (alias: --non-interactive, --accept-defaults). |
| --restart / --no-restart | --restart | Bounce defenseclaw-gateway after applying changes so the new hooks + OTLP env vars wire in. |
| --with-local-stack / --no-local-stack | --no-local-stack | Also bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up. |

Pinned by the alias regardless of flags: claw.mode=geminicli, guardrail.connector=geminicli, guardrail.mode=observe, guardrail.scanner_mode=local, guardrail.judge.enabled=false, guardrail.detection_strategy=regex_only. To tune any of those after install, use defenseclaw setup guardrail --connector geminicli — see the variations below.

Common variations — pick the recipe that fits your phase

defenseclaw setup geminicli

Confirms once, wires the hooks against ~/.gemini/settings.json, points OTLP at the gateway, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.

defenseclaw setup geminicli --yes --with-local-stack

Same as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally — particularly useful for Gemini since native OTLP feeds traces and metrics directly into Tempo and Prometheus. See Local observability.

export DEFENSECLAW_LLM_KEY=<your-key>

defenseclaw setup geminicli                               # base alias first
defenseclaw setup guardrail \
  --connector geminicli \
  --rule-pack strict \
  --scanner-mode both \
  --detection-strategy regex_judge \
  --judge-model anthropic/claude-sonnet-4-20250514 \
  --judge-api-key-env DEFENSECLAW_LLM_KEY \
  --restart

The alias keeps the connector pinned; the follow-up setup guardrail swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.

Gemini CLI has no proxy enforcement, but its hooks themselves can block. After setup geminicli, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:

connector_hooks:
  geminicli:
    enabled: true
    mode: action          # observe (default) | action
    fail_mode: open       # open | closed

Then run defenseclaw setup guardrail --restart to re-wire. With mode: action, Gemini's lifecycle hooks block on findings. HITL approvals downgrade to confirm verdicts in the DefenseClaw TUI since Gemini CLI has no native ask surface, so make sure operators are reachable there.

Decision aids — should I turn this on?

Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.

Files DefenseClaw will modify

settings.json (hooks + telemetry blocks)
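
Because Gemini CLI has no proxy-enforcement path, a hook that is missing from settings.json is a silent coverage gap. The check below is an added example, not DefenseClaw's own code. It assumes a top-level "hooks" object keyed by event name and a top-level "telemetry" object, and that DefenseClaw's entries contain the string "defenseclaw" (pass marker="" to accept any entry).

```python
import json
from pathlib import Path

# The five lifecycle events this page lists for the connector.
EVENTS = ("BeforeAgent", "BeforeModel", "BeforeTool", "AfterTool", "AfterAgent")


def audit_settings(settings, marker="defenseclaw"):
    """Return a list of coverage gaps in a parsed settings.json.

    Assumed layout (not confirmed by the page): "hooks" maps each event name
    to a non-empty list of entries; "telemetry" is a non-empty object.
    `marker` is an assumed substring identifying DefenseClaw's entries.
    """
    if not isinstance(settings, dict):
        return ["settings root is not a JSON object"]
    gaps = []
    hooks = settings.get("hooks")
    if not isinstance(hooks, dict):
        hooks = {}
        gaps.append("no hooks block")
    for event in EVENTS:
        entries = hooks.get(event) or []
        if not isinstance(entries, list):
            entries = [entries]
        # An empty list, or only third-party hooks, both count as a gap.
        if not any(marker.lower() in json.dumps(e).lower() for e in entries):
            gaps.append(f"{event}: no {marker or 'hook'} entry")
    telemetry = settings.get("telemetry")
    if not isinstance(telemetry, dict) or not telemetry:
        gaps.append("no telemetry block")
    return gaps


def audit_file(path=None):
    """Audit the file on disk; a missing or unparsable file is itself a gap."""
    path = Path(path) if path else Path.home() / ".gemini" / "settings.json"
    try:
        return audit_settings(json.loads(path.read_text(encoding="utf-8")))
    except FileNotFoundError:
        return [f"{path}: not found"]
    except json.JSONDecodeError as exc:
        return [f"{path}: invalid JSON ({exc.msg})"]


if __name__ == "__main__":
    # Prints one line per gap; no output means all five events and telemetry are present.
    for gap in audit_file():
        print("GAP", gap)
```

Run it after setup and again after any manual edit to ~/.gemini/settings.json.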

Hook capabilities

Block events

  • BeforeAgent
  • BeforeModel
  • BeforeTool
  • AfterTool
  • AfterAgent

Native ask events

None — confirm verdicts are downgraded with the raw action preserved.

Gemini CLI has no native human-approval surface. HITL approvals downgrade to confirm verdicts in the DefenseClaw TUI / audit log.

Telemetry channels

[Diagram: Gemini CLI reaches defenseclaw-gateway over two channels: the BeforeAgent / BeforeModel / BeforeTool / AfterTool / AfterAgent hooks and the native OTLP exporter.]
Hooks cover the lifecycle; native OTLP delivers traces and metrics out-of-band.

Disable

defenseclaw setup guardrail --disable