mirror of
https://github.com/google-gemini/gemini-cli.git
synced 2026-05-14 08:22:31 +00:00
88650f320d
Summary: Configures the `GATEWAY` authentication mode to natively supply an empty string for `apiKey` instead of injecting a dummy placeholder, avoiding client instantiation errors while directly suppressing conflicting `x-goog-api-key` network headers. Additionally, unifies environmental inference by updating `getAuthTypeFromEnv` to route any `GOOGLE_GEMINI_BASE_URL` usage to `GATEWAY` auth, guaranteeing absolute consistency across background CLI execution, subagents, and ACP sidecars. Details: Why this happened: Initializing a session with the `GATEWAY` auth method without specifying an API key previously caused the underlying `@google/genai` SDK to throw a constructor instantiation error. To circumvent this, a placeholder key (`'gateway-placeholder-key'`) was automatically injected. However, the SDK's internal `WebAuth` module unconditionally appended this placeholder as an `x-goog-api-key` header to outgoing network requests. When enterprise AI API Gateways received both an OIDC authentication header (e.g., `Authorization: Bearer <token>`) and the invalid placeholder key, they prioritized validating the API key and rejected the requests. Furthermore, background CLI execution or embedded SDK scenarios could crash or fail to authenticate consistently when custom proxy URLs were active without explicit auth settings. Solution Implemented: 1. Pristine SDK Instantiation: Configured `createContentGeneratorConfig` to fall back to `process.env['GEMINI_API_KEY']` to preserve any injected placeholder values from existing partner integrations, while supplying an empty string (`apiKey ?? ''`) when no key is provided. The `GoogleGenAI` constructor options explicitly preserve this empty string mapping under `GATEWAY` auth to satisfy internal null checks safely. 2. Network Header Suppression: Updated `createContentGenerator` to pre-clear the `x-goog-api-key` base header (`headers['x-goog-api-key'] = ''`) whenever `GATEWAY` auth runs with an empty string key. This triggers an early return inside the SDK's `WebAuth` interceptor, guaranteeing that outgoing requests heading to enterprise Gateways remain pristine. 3. Unified Environmental Mapping: Centralized `AuthType.GATEWAY` inference mapping inside `getAuthTypeFromEnv` when `GOOGLE_GEMINI_BASE_URL` is configured. This cleanly bypasses default `USE_GEMINI` startup validations consistently across all application entry points.