AI coding app quick start

Gemini CLI quick start

Check Gemini extensions and MCP declarations before first use.

Prerequisite

Install Guard

If you haven't installed Guard yet, run the install script first. This installs hol-guard via pipx and configures it for Gemini CLI in one step.

Terminal

set -o pipefail; curl -fsSL https://hol.org/guard/install.sh | bash -s -- --harness gemini-cli --mode install --verify

Already have Guard installed? Skip to the harness command below. Full install guide.

Harness command

Attach to Gemini CLI

Terminal

hol-guard detect gemini

Guard stays local by default — no account required to protect your first session. Connect Guard Cloud later to sync security records across your devices.

What Guard checks

  • local Gemini extension manifests
  • mcp_config.json surfaces
  • linked extension paths

What install changes

  • Starts in detect-first mode before you opt into stronger enforcement.
  • Flags linked or local extensions as higher-signal change risk.

Verification

Confirm the setup before your first protected session.

1

Run the setup command

Start with the Guard command matched to this AI coding app and its setup mode.

Command

hol-guard detect gemini
2

Run the next verification commands

Confirm Guard sees the expected config paths before your first protected session.

Command

hol-guard detect gemini --json
3

Check your first security record

After Guard records a local decision, open the receipt list to confirm what was scanned.

Command

hol-guard receipts

Safe demo & test protection

Use --dry-run for demos and CI. Guard scans and reports without blocking, so you can show what it catches without interrupting a live session.

Sync to Guard Cloud

Connect Guard Cloud to carry your security records, team memory, and approval history across every machine and teammate — no rebuilding approvals when you switch devices.

Review Guard Cloud plans →

Troubleshooting

Something not working?

  • Guard does not intercept launches

    Run hol-guard doctor gemini-cli and check that the wrapper path matches your installed binary.

  • No security record after the first run

    Check that ~/.hol-guard/ is writable. Guard writes every decision there by default.

  • Cloud sync not reflecting local decisions

    Run hol-guard sync --status to see if Guard Cloud can reach the server. Local protection keeps running even when sync is unavailable.

Approval surface

Detect-only in v1 — Guard reports what it finds without blocking. Enforcement hooks are planned for a future release.

Run command

hol-guard detect gemini --json

Uninstall / revert

Guard leaves no background services. Your approval history stays on disk in ~/.hol-guard/ unless you delete that folder.

Uninstall command

hol-guard uninstall gemini

Current phase notes

  • No blocking or approval gating in v1. Use detect mode to audit your extensions before Guard enforces.
  • gemini-extension.json path may vary by Gemini CLI version. Run `hol-guard doctor gemini` to confirm what Guard resolved.