fix(google-vertex): strip "<authenticated>" ADC sentinel before provider call #952

Open: BingqingLyu wants to merge 1 commit into main from fork-pr-49194-fix-google-vertex-adc-authenticated-sentinel

@BingqingLyu (Owner) commented Apr 27, 2026

Summary

  • Fixes google-vertex ADC authentication which has been broken since the auth redesign in b04c838c15e + pi-ai 0.36.0 upgrade in bce62f8c0f
  • pi-ai's getEnvApiKey("google-vertex") returns "<authenticated>" sentinel when ADC env vars are configured; this sentinel was being passed as a literal API key (x-goog-api-key: <authenticated>) → Vertex AI 401
  • Wraps the registered google-vertex API provider to strip the sentinel so the provider uses ADC (GoogleAuth → real OAuth Bearer token)

Changes

Core fix: API provider wrapper (src/agents/custom-api-registry.ts)

installGoogleVertexAdcFix() wraps pi-ai's registered google-vertex API provider (both stream and streamSimple) to strip the "<authenticated>" sentinel from options.apiKey. This covers all code paths — stream, streamSimple, compact, branch-summary — because the interception happens at the provider registry level.

Called from discoverModels() in src/agents/pi-model-discovery.ts so it's applied once before any model is used.

Defense-in-depth: openclaw auth resolution (src/agents/model-auth.ts)

  • resolveEnvApiKey: When getEnvApiKey("google-vertex") returns "<authenticated>", return empty apiKey instead of the sentinel
  • resolveApiKeyForProvider: Return mode: "oauth" for "gcloud adc" source (ADC is OAuth-based, not API-key-based)

Skip setRuntimeApiKey for ADC mode (run.ts, compact.ts)

Allow mode === "oauth" (alongside existing "aws-sdk") to skip the setRuntimeApiKey call when no literal API key is available — same pattern already used for Amazon Bedrock.

Node 25 gaxios compat (src/infra/gaxios-fetch-compat.ts)

Add globalThis.window shim to cover both CJS and ESM gaxios builds. The previous prototype-only patch didn't cover the CJS build used by google-auth-library, causing Cannot convert undefined or null to object on Node 25.

Why this fix is correct

The "<authenticated>" sentinel was introduced in pi-ai 0.36.0 as a detection marker for model discovery ("is google-vertex auth configured?"). It was never meant to be used as a literal API key. The ideal fix is upstream in @mariozechner/pi-ai, but until then openclaw needs to intercept the sentinel.

The API provider wrapper is the correct interception point because:

  1. It covers all code paths (stream, complete, compact) — not just the main chat stream
  2. It's minimally invasive — one wrapper, installed once
  3. It doesn't modify pi-ai internals or monkey-patch AuthStorage

Test plan

  • Verified GOOGLE_APPLICATION_CREDENTIALS SA key generates valid ya29.c... OAuth token via ADC
  • node dist/index.js agent --local --message "say hello" --agent greg-private returns successful response (was 401 before fix)
  • Gateway health check passes after restart with new build
  • Verify compaction path works (compact uses completeSimple with same apiKey flow)
  • Run existing google-vertex tests if any

Closes openclaw#49191

🤖 Generated with Claude Code

…der call

pi-ai's getEnvApiKey("google-vertex") returns "<authenticated>" sentinel
when ADC env vars are configured. This sentinel flows into the provider
as a literal API key (x-goog-api-key header) → Vertex AI 401.

Fix:
- Wrap registered google-vertex API provider to strip the sentinel
- Return empty apiKey + mode "oauth" from resolveEnvApiKey for ADC
- Allow oauth mode alongside aws-sdk in auth-controller and compact

Closes openclaw#49191

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
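
The wrapper approach described in this pull request, as an added TypeScript sketch that is not the PR's code and not pi-ai's real interface. The types `StreamOptions`, `AuthPlan` and `ApiProvider` and the functions `fakeVertexProvider`, `stripSentinel`, `withAdcFix` and `demo` are hypothetical, and the provider stand-in is constructed for illustration.

```typescript
// Added example. All types and function names here are hypothetical;
// only the "<authenticated>" marker and the header name come from the PR.
const ADC_SENTINEL = "<authenticated>";

interface StreamOptions { apiKey?: string; temperature?: number }

// What a provider would use to authenticate the outgoing request.
type AuthPlan =
  | { kind: "api-key"; header: "x-goog-api-key"; value: string }
  | { kind: "adc" }; // no key: fall through to ADC (OAuth bearer token)

type StreamFn = (model: string, options?: StreamOptions) => AuthPlan;
interface ApiProvider { stream: StreamFn; streamSimple: StreamFn }

// Constructed stand-in for the registered provider: any non-empty apiKey
// is sent verbatim as a header, which is how the sentinel caused the 401.
function fakeVertexProvider(): ApiProvider {
  const plan: StreamFn = (_model, options) =>
    options?.apiKey
      ? { kind: "api-key", header: "x-goog-api-key", value: options.apiKey }
      : { kind: "adc" };
  return { stream: plan, streamSimple: plan };
}

// Remove the marker on a copy so the caller's options object is not mutated.
function stripSentinel(options?: StreamOptions): StreamOptions | undefined {
  if (!options || options.apiKey !== ADC_SENTINEL) return options;
  const copy: StreamOptions = { ...options };
  delete copy.apiKey;
  return copy;
}

// Wrap both entry points so every call path goes through the same filter.
function withAdcFix(provider: ApiProvider): ApiProvider {
  return {
    stream: (model, options) => provider.stream(model, stripSentinel(options)),
    streamSimple: (model, options) =>
      provider.streamSimple(model, stripSentinel(options)),
  };
}

// Same call against the raw and the wrapped provider ("example-model" is constructed).
function demo(): { before: AuthPlan; after: AuthPlan } {
  const raw = fakeVertexProvider();
  const call = { apiKey: ADC_SENTINEL, temperature: 0.2 };
  return {
    before: raw.stream("example-model", call),
    after: withAdcFix(raw).stream("example-model", call),
  };
}
```

A real API key passes through the wrapper unchanged; only the exact marker value is dropped.
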
Development

Successfully merging this pull request may close these issues.

google-vertex ADC auth broken: "<authenticated>" sentinel passed as literal API key → 401
