fix(core): prevent silent hang during OAuth auth on headless Linux

[RhysSullivan]

Gemini CLI was hanging in my environment, tested these changes and they fixed it for me.

AI generated summary below:

=====

Summary

On headless Linux (WSL, SSH-without-DISPLAY, Docker, CI), gemini hangs silently with no output and never exits when the user has selected oauth-personal auth and there are no cached credentials. There is no error, no log line, no debug output — the process is just deadlocked early in startup, well before the TUI mounts or --debug could help.

Root cause is two compounding issues:

1. createContentGeneratorConfig eagerly awaits loadApiKey() for every auth type — even LOGIN_WITH_GOOGLE / COMPUTE_ADC, where the resulting geminiApiKey is unused (the function returns at the early branch). loadApiKey() goes through HybridTokenStorage → KeychainService, which performs a synchronous-looking probe of the OS keychain.

2. The keychain functional probe has no timeout on Linux. On macOS there is an explicit security default-keychain pre-check (isMacOSKeychainAvailable, lines 193–220) specifically to avoid blocking popups. Linux gets no equivalent. keytar.setPassword → libsecret → D-Bus → Secret Service: if no Secret Service is running (typical in WSL/SSH/Docker/CI), the call hangs indefinitely. There is no logging at this layer, hence the silent hang.

Repro

# Settings:
$ cat ~/.gemini/settings.json
{ "security": { "auth": { "selectedType": "oauth-personal" } } }
$ ls ~/.gemini/oauth_creds.json
ls: cannot access ...: No such file or directory

# Confirm headless Linux env (no DISPLAY, no Secret Service):
$ env | grep -E '^(DISPLAY|WAYLAND_DISPLAY|SSH_CONNECTION)='
SSH_CONNECTION=...

# Run, observe hang:
$ timeout 15 gemini -p hi
$ echo "Exit: $?"
Exit: 124   # timeout fired; produced 0 bytes of output

Workaround that confirms the cause: setting GEMINI_FORCE_FILE_STORAGE=true (skips the keytar probe) immediately makes gemini produce its real error output instead of hanging.

Fix

1. Skip the API-key load for auth types that don't need it.

createContentGeneratorConfig returned early for LOGIN_WITH_GOOGLE / COMPUTE_ADC after awaiting loadApiKey(). Move the early-return above the load — these auth types never read geminiApiKey, so the work was always wasted, and avoiding it sidesteps the keychain entirely on the OAuth happy path.

2. Bound the keychain functional probe with a timeout.

Promise.race the set/get/delete cycle against a 2s timeout. If the Secret Service doesn't respond, fall back to FileKeychain rather than blocking forever. This mirrors the spirit of the existing macOS pre-check and protects every other code path that hits the keychain (MCP token storage, manual API key save, etc.).

Impact

• OAuth users on headless Linux: the silent hang is gone; OAuth user-code prompt appears within ~2s.
• API-key users on headless Linux: the worst case becomes a 2s startup penalty before falling back to FileKeychain, instead of an infinite hang.
• Anyone with a working Secret Service: no observable change (probe completes well under 2s).

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a silent hang issue occurring on headless Linux environments (such as WSL, SSH, or Docker) when using the Gemini CLI. The deadlock was caused by an un-timed-out probe of the OS keychain during startup. By optimizing the authentication flow to skip unnecessary keychain checks and adding a timeout mechanism to the keychain probe, the CLI now gracefully falls back to file-based storage instead of hanging indefinitely.

Highlights

• Optimized Auth Initialization: Refactored createContentGeneratorConfig to perform an early return for Google-based authentication types, preventing unnecessary and potentially blocking keychain access.
• Keychain Probe Timeout: Introduced a 2-second timeout for the keychain functional probe in KeychainService to prevent indefinite hangs on headless Linux environments lacking a Secret Service.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request optimizes the createContentGeneratorConfig function by deferring API key loading until after authentication checks, preventing unnecessary keychain access. Additionally, it introduces a 2-second timeout for the keychain functional probe in KeychainService to prevent the CLI from hanging on headless Linux environments. I have no feedback to provide as there were no review comments.

[scidomino]

Looks good but for one nit. Please fix and I will approve.