Connectors

Gemini CLI

Gemini CLI connector wires settings.json hooks (BeforeAgent, BeforeModel, BeforeTool, AfterTool, AfterAgent) plus the native OTLP exporter pointing at the gateway.

The Gemini CLI connector wires DefenseClaw into Google's Gemini CLI hooks and points the agent's native OTLP exporter at the gateway so traces, metrics, and logs land in one place.

Setup

defenseclaw setup geminicli

setup geminicli is shorthand for setup guardrail --connector geminicli: it adds or reconfigures Gemini CLI, wires hooks against ~/.gemini/settings.json, and points Gemini's native OTLP exporter at the gateway. There is no proxy-enforcement path for Gemini CLI — blocking happens hook-side via the documented BeforeAgent, BeforeModel, BeforeTool, AfterTool, and AfterAgent events. Gemini CLI has no native ask surface, so confirm verdicts use an immediate alert/context fallback with raw_action preserved for audit.

What setup geminicli actually does

The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

FlagDefaultWhat it does
--yes / -yoffSkip the confirmation prompt (alias: --non-interactive, --accept-defaults).
--restart / --no-restart--restartBounce defenseclaw-gateway after applying changes so the new hooks + OTLP env vars wire in.
--with-local-stack / --no-local-stack--no-local-stackAlso bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up.

The alias defaults Gemini CLI to observe mode and can join an existing hook-connector roster when you choose Add. To tune Gemini CLI after install, keep using defenseclaw setup guardrail --connector geminicli — see the variations below.

Common variations — pick the recipe that fits your phase

defenseclaw setup geminicli

Confirms once, wires the hooks against ~/.gemini/settings.json, points OTLP at the gateway, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.

defenseclaw setup geminicli --yes --with-local-stack

Same as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally — particularly useful for Gemini since native OTLP feeds traces and metrics directly into Tempo and Prometheus. See Local observability.

export DEFENSECLAW_LLM_KEY='replace-with-your-key'

defenseclaw setup geminicli                               # base alias first
defenseclaw setup guardrail \
  --connector geminicli \
  --rule-pack strict \
  --scanner-mode both \
  --detection-strategy regex_judge \
  --judge-model anthropic/claude-sonnet-4-20250514 \
  --judge-api-key-env DEFENSECLAW_LLM_KEY \
  --restart

The alias selects Gemini CLI; the follow-up setup guardrail --connector geminicli swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.

Gemini CLI has no proxy enforcement, but its hooks themselves can block. After setup geminicli, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:

connector_hooks:
  geminicli:
    enabled: true
    mode: action          # observe (default) | action
    fail_mode: open       # open | closed

Then defenseclaw setup guardrail --restart to re-wire. With mode: action, Gemini's lifecycle hooks block when policy returns block. Because Gemini CLI has no native ask surface, confirm uses an alert/context fallback; operators can review the event in audit or the TUI, but cannot resume it there.

Decision aids — should I turn this on?

Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.

Files DefenseClaw will modify

settings.json (hooks + telemetry blocks)

Hook capabilities

Block events

  • BeforeAgent
  • BeforeModel
  • BeforeTool
  • AfterTool
  • AfterAgent

Native ask events

None — confirm verdicts are downgraded with the raw action preserved.

Gemini CLI has no native human-approval surface. Confirm verdicts fall back to an alert/context response with raw_action preserved in the audit log; the TUI is review-only.

Telemetry channels

Agent runtimeGemini CLI
ConnectorBeforeAgent / BeforeModel /BeforeTool / AfterTool / AfterAgent
ConnectorNative OTLP exporter
Control planedefenseclaw-gateway
Hooks cover the lifecycle; native OTLP delivers traces and metrics out-of-band.

Disable

defenseclaw setup guardrail --disable