AI coding app quick start
Gemini CLI quick start
Check Gemini extensions and MCP declarations before first use.
Prerequisite
Install Guard
If you haven't installed Guard yet, run the install script first. This installs hol-guard via pipx and configures it for Gemini CLI in one step.
Terminal
set -o pipefail; curl -fsSL https://hol.org/guard/install.sh | bash -s -- --harness gemini-cli --mode install --verifyAlready have Guard installed? Skip to the harness command below. Full install guide.
Harness command
Attach to Gemini CLI
Terminal
hol-guard detect geminiGuard stays local by default — no account required to protect your first session. Connect Guard Cloud later to sync security records across your devices.
What Guard checks
- local Gemini extension manifests
- mcp_config.json surfaces
- linked extension paths
What install changes
- Starts in detect-first mode before you opt into stronger enforcement.
- Flags linked or local extensions as higher-signal change risk.
Verification
Confirm the setup before your first protected session.
Run the setup command
Start with the Guard command matched to this AI coding app and its setup mode.
Command
hol-guard detect geminiRun the next verification commands
Confirm Guard sees the expected config paths before your first protected session.
Command
hol-guard detect gemini --jsonCheck your first security record
After Guard records a local decision, open the receipt list to confirm what was scanned.
Command
hol-guard receiptsSafe demo & test protection
Use --dry-run for demos and CI. Guard scans and reports without blocking, so you can show what it catches without interrupting a live session.
Sync to Guard Cloud
Connect Guard Cloud to carry your security records, team memory, and approval history across every machine and teammate — no rebuilding approvals when you switch devices.
Review Guard Cloud plans →Troubleshooting
Something not working?
Guard does not intercept launches
Run
hol-guard doctor gemini-cliand check that the wrapper path matches your installed binary.No security record after the first run
Check that
~/.hol-guard/is writable. Guard writes every decision there by default.Cloud sync not reflecting local decisions
Run
hol-guard sync --statusto see if Guard Cloud can reach the server. Local protection keeps running even when sync is unavailable.
Approval surface
Detect-only in v1 — Guard reports what it finds without blocking. Enforcement hooks are planned for a future release.
Run command
hol-guard detect gemini --jsonUninstall / revert
Guard leaves no background services. Your approval history stays on disk in ~/.hol-guard/ unless you delete that folder.
Uninstall command
hol-guard uninstall geminiCurrent phase notes
- No blocking or approval gating in v1. Use detect mode to audit your extensions before Guard enforces.
- gemini-extension.json path may vary by Gemini CLI version. Run `hol-guard doctor gemini` to confirm what Guard resolved.