fix(doctor): use ?key= query auth for Gemini connectivity probe

[ai920wisco]

Problem

hermes doctor always reports gemini (invalid API key) — even for keys that work perfectly against the Gemini API — because the connectivity probe sends the key as a Bearer Authorization header:

GET https://generativelanguage.googleapis.com/v1beta/models
Authorization: Bearer AIza...

Google's native v1beta surface does not accept Bearer auth on this endpoint; it requires ?key=<value> query auth. The result is a hard 401, and the probe interprets that as "invalid API key" — a false positive that's misleading users into thinking their valid key is broken.

Verified locally: same key returns 200 with ?key=, 401 with Bearer.

Fix

When the probe URL targets generativelanguage.googleapis.com, append ?key=<value> and drop the Authorization header. All other providers are unchanged.

Test plan

• hermes doctor against a valid GEMINI_API_KEY / GOOGLE_API_KEY → now shows ✓
• Same key, invalidated → still shows ✗ (HTTP 400 from Google's API-key validation path)
• Other providers in _probe_apikey_provider (DeepSeek, GLM, Kimi, etc.) unaffected — gated on URL host.

[alt-glitch]

Duplicate fix — at least 4 open competing PRs for the same Gemini ?key= auth issue: #20642, #21490, #23364, #25139. Canonical issue: #21058 / #25108.

[teknium1]

Closing as duplicate — #26961 by @zwolniony lands the same Gemini doctor 401 fix using x-goog-api-key (Google's recommended header), which is a slightly cleaner shape than this PR's ?key= query form. Going with #26961 for the salvage. Thanks for diagnosing the same auth-shape bug — credit acknowledged in the salvage commit.