fix: suppress Authorization: Bearer for Gemini provider to prevent HT…

[AviArora02-commits]

Fixes #7893

Root Cause

Google's OpenAI-compatible endpoint (generativelanguage.googleapis.com/v1beta/openai)
does not accept Authorization: Bearer for AIzaSy API keys. The OpenAI Python SDK
automatically injects this header whenever a real key is passed as api_key=, causing:

HTTP 400: Multiple authentication credentials received. Please pass only one.

Fix

When base_url targets generativelanguage.googleapis.com, the OpenAI client is
now constructed with api_key="not-used" (suppresses Bearer injection) and the real
key is passed via default_headers={"x-goog-api-key": real_key} instead.

Applied to all 4 client construction paths:

• run_agent.py — primary agent client init
• run_agent.py — _apply_client_headers_for_base_url() (provider swap/recovery)
• agent/auxiliary_client.py — _resolve_api_key_provider() pool + main paths
• agent/auxiliary_client.py — resolve_provider_client() API-key branch

Tests

Added 2 regression tests asserting api_key == "not-used" and
x-goog-api-key == real_key. Updated 2 existing tests that were
asserting the old broken auth behavior.

[teknium1]

Merged via PR #11961 (commit 994faac on main) — your fix was the most complete, covering all five client-construction sites across run_agent.py and agent/auxiliary_client.py. Your authorship is preserved in git log. Thanks for the clean diagnosis and the safe not-used sentinel pattern.

Small delta from your original branch: the two existing tests you updated in tests/agent/test_auxiliary_client.py (test_explicit_google_alias_uses_gemini_credentials and test_vision_config_google_provider_uses_gemini_credentials) had since been removed by #11472's test cleanup, so the regression coverage now lives entirely in the new tests you added to tests/hermes_cli/test_gemini_provider.py.

#11961