fix(doctor): validate Gemini keys with Google auth

[thisisryanswift]

What does this PR do?

Fixes a false-positive in hermes doctor where valid Google AI Studio / Gemini API keys were reported as invalid.

The doctor API connectivity check dynamically includes the gemini API-key provider, but previously sent the key as an OpenAI-compatible bearer token. Google AI Studio Gemini API keys require Google-style API-key auth, so this PR adds a narrow Gemini-specific doctor health check that probes /models with x-goog-api-key.

It also updates the .env provider-config detector so GOOGLE_API_KEY, GEMINI_API_KEY, and GEMINI_BASE_URL count as configured provider settings.

This differs from #20204 by fixing the existing dynamic gemini provider health-check path directly, so doctor no longer emits the old bearer-auth gemini (invalid API key) result.

Related Issue

Fixes #21058
Fixes #21481

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

• hermes_cli/doctor.py: add a Gemini-specific API connectivity path that uses x-goog-api-key against {base}/models instead of Authorization: Bearer.
• hermes_cli/doctor.py: support GEMINI_BASE_URL for the doctor Gemini probe, defaulting to https://generativelanguage.googleapis.com/v1beta.
• hermes_cli/doctor.py: report Gemini auth failures with a Google-key-specific issue message.
• hermes_cli/doctor.py: recognize GOOGLE_API_KEY, GEMINI_API_KEY, and GEMINI_BASE_URL as provider configuration in .env detection.
• tests/hermes_cli/test_doctor.py: add regression coverage for Gemini env detection, Google-style auth, and auth-failure reporting.

How to Test

1. Configure a working Google AI Studio key as GOOGLE_API_KEY and use Gemini as the provider.
2. Run hermes chat -Q -q "Reply with exactly: hermes-ok" --max-turns 3 and confirm it returns hermes-ok.
3. Run hermes doctor and confirm API Connectivity reports ✓ gemini instead of gemini (invalid API key).
4. Run scripts/run_tests.sh tests/hermes_cli/test_doctor.py -v.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• [x ] I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: Fedora 43 / Linux, Python 3.11.14 in repo venv

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

For New Skills

N/A

Screenshots / Logs

Before:

◆ API Connectivity
  Checking gemini API...
  ✗ gemini (invalid API key)

After running the patched command with a real Google AI Studio key:

◆ Configuration Files
  ✓ ~/.hermes/.env file exists
  ✓ API key or custom endpoint configured

◆ API Connectivity
  ⚠ OpenRouter API (not configured)
  Checking gemini API...
  ✓ gemini

Test run:

scripts/run_tests.sh tests/hermes_cli/test_doctor.py -v
41 passed in 4.18s

[alt-glitch]

Duplicate of #20642 — same Gemini doctor probe fix (x-goog-api-key instead of Bearer auth). Also overlaps with #20935 (which adds Alibaba skip on top of the same Gemini fix).

[teknium1]

Closing as already fixed on main.

Triage notes (high confidence):
Main hermes_cli/doctor.py:1549-1551 already swaps Authorization for x-goog-api-key on generativelanguage.googleapis.com (commit 364a1dd), addressing the same root cause this PR targets.

If you still see this on the latest version, please reopen with reproduction steps.

(Bulk-closed during a CLI triage sweep.)