fix: use Gemini API key query auth in doctor

[mudrii]

Bug

hermes doctor probed Google Generative Language /models with Authorization: Bearer, which returns false 401 invalid-key results for valid Gemini API keys. Google native Gemini API keys are supplied via the key query parameter.

Fixes #25108

Summary

Extract the generic /models probe request builder and make generativelanguage.googleapis.com use ?key= with URL encoding and no Bearer header. Other OpenAI-compatible providers continue to use Authorization: Bearer.

TDD / ATDD coverage

• Added a focused regression test that reproduces the reported behavior.
• Implemented the minimal production change needed to satisfy the regression.
• Re-ran the targeted test file to guard nearby behavior.

Test plan

• /Users/mudrii/src/hermes/hermes-agent/venv/bin/python -m pytest tests/hermes_cli/test_doctor_gemini_auth.py -q -o 'addopts=' -> 3 passed

Review notes

• Kept the change scoped to the issue-specific runtime path.
• No secrets are persisted or logged.

[Copilot]

Pull request overview

This PR fixes hermes doctor falsely flagging valid Google Gemini (Generative Language API) keys as invalid by switching the /models probe for generativelanguage.googleapis.com from Authorization: Bearer ... to the native ?key= query-parameter authentication.

Changes:

• Extracted a shared /models probe request builder to centralize URL/header construction.
• Updated the probe logic to use ?key= (URL-encoded) and omit Bearer auth for generativelanguage.googleapis.com.
• Added regression tests covering Gemini query-key auth, non-Gemini Bearer auth, and query-param preservation/encoding.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
hermes_cli/doctor.py	Introduces _build_models_probe_request and routes /models probes through it, using ?key= for generativelanguage.googleapis.com.
tests/hermes_cli/test_doctor_gemini_auth.py	Adds regression tests ensuring Gemini probing uses query-key auth and non-Gemini probing retains Bearer auth.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[alt-glitch]

Duplicate fix: This is the 6th+ PR addressing Gemini ?key= auth in hermes doctor. Existing competing PRs: #23364, #21490, #20642. The canonical issue is #21058 (and duplicate #25108). Recommend maintainer pick one and close the rest.

[mudrii]

Addressed Copilot feedback in commit 7f24896.

Changes:

• Removed the unused pname parameter from _build_models_probe_request().
• Updated call sites and tests to use the slimmer helper signature.

[mudrii]

Thanks for the duplicate-fix context. I kept this PR narrowly scoped to #25108 / Gemini doctor auth and added regression tests for the key behavior: Gemini uses URL-encoded ?key= auth, existing query params are preserved, and non-Gemini providers keep Bearer auth.

If maintainers prefer one of #23364/#21490/#20642, happy for this to be superseded; otherwise this PR is ready as a focused implementation.

[mudrii]

Status update: This bug is fixed upstream in v0.14.0. The doctor now uses x-goog-api-key header for generativelanguage.googleapis.com instead of Bearer auth (see doctor.py lines 1519-1527).\n\nThis PR can be closed as superseded by the v0.14.0 release.

[mudrii]

Closing as superseded by v0.14.0 which fixes Gemini doctor auth via x-goog-api-key header for generativelanguage.googleapis.com.