openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/google/provider-registration.ts‎
Lines changed: 14 additions & 5 deletions b/‎extensions/google/provider-registration.ts‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎extensions/google/transport-stream.test.ts‎
Lines changed: 99 additions & 3 deletions b/‎extensions/google/transport-stream.test.ts‎
Lines changed: 99 additions & 3 deletions
@@ -32,6 +32,7 @@ Docs: https://docs.openclaw.ai
 - CLI/browser: preserve parent flags while lazy-loading browser subcommands, so `openclaw browser --json open` and `openclaw browser --json tabs` keep machine-readable output after reparsing. Fixes #74574. Thanks @devintegeritsm.
 - Plugins/runtime-deps: add `openclaw plugins deps` inspection and repair with script-free package-manager defaults shared across plugin installers, so operators can repair missing bundled runtime deps without corrupting JSON output or blocking unrelated conflict-free deps. Thanks @vincentkoc.
 - Agents/output: strip internal `[tool calls omitted]` replay placeholders from user-facing replies while preserving visible reply whitespace. Fixes #74573. Thanks @blaspat.
+- Providers/Google Vertex: route authorized_user ADC credentials through OpenClaw's REST transport so Docker installs using gcloud application-default credentials no longer crash in the Google SDK before requests are sent. Fixes #74628. Thanks @frankhal2001-design.
 - Agents/sessions: emit a terminal lifecycle backstop when embedded timeout/error turns return without `agent_end`, so Gateway sessions no longer stay stuck in `running` after failover surfaces a timeout. Fixes #74607. Thanks @millerc79.
 - Gateway/diagnostics: include stuck-session reason hints and recovery skip causes in warnings, so operators can tell whether a lane is waiting on active work, queued work, or stale bookkeeping. Thanks @vincentkoc.
 - Agents/Codex: bound embedded-run cleanup, trajectory flushing, and command-lane task timeouts after runtime failures, so Discord and other chat sessions return to idle instead of staying stuck in processing. Thanks @vincentkoc.
 
@@ -9,7 +9,11 @@ import {
   normalizeGoogleProviderConfig,
   resolveGoogleGenerativeAiTransport,
 } from "./provider-policy.js";
-import { createGoogleGenerativeAiTransportStreamFn } from "./transport-stream.js";
+import {
+  createGoogleGenerativeAiTransportStreamFn,
+  createGoogleVertexTransportStreamFn,
+} from "./transport-stream.js";
+import { hasGoogleVertexAuthorizedUserAdcSync } from "./vertex-adc.js";
 
 export function buildGoogleProvider(): ProviderPlugin {
   return {
@@ -49,10 +53,15 @@ export function buildGoogleProvider(): ProviderPlugin {
         providerId: ctx.provider,
         ctx,
       }),
-    createStreamFn: ({ model }) =>
-      model.api === "google-generative-ai"
-        ? createGoogleGenerativeAiTransportStreamFn()
-        : undefined,
+    createStreamFn: ({ model }) => {
+      if (model.api === "google-generative-ai") {
+        return createGoogleGenerativeAiTransportStreamFn();
+      }
+      if (model.api === "google-vertex" && hasGoogleVertexAuthorizedUserAdcSync()) {
+        return createGoogleVertexTransportStreamFn();
+      }
+      return undefined;
+    },
     ...GOOGLE_GEMINI_PROVIDER_HOOKS,
     isModernModelRef: ({ modelId }) => isModernGoogleModel(modelId),
   };
 
@@ -1,5 +1,8 @@
+import { mkdtemp, writeFile } from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
 import type { Model } from "@mariozechner/pi-ai";
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 
 const { buildGuardedModelFetchMock, guardedFetchMock } = vi.hoisted(() => ({
   buildGuardedModelFetchMock: vi.fn(),
@@ -13,6 +16,8 @@ vi.mock("openclaw/plugin-sdk/provider-transport-runtime", async (importOriginal)
 
 let buildGoogleGenerativeAiParams: typeof import("./transport-stream.js").buildGoogleGenerativeAiParams;
 let createGoogleGenerativeAiTransportStreamFn: typeof import("./transport-stream.js").createGoogleGenerativeAiTransportStreamFn;
+let createGoogleVertexTransportStreamFn: typeof import("./transport-stream.js").createGoogleVertexTransportStreamFn;
+let hasGoogleVertexAuthorizedUserAdcSync: typeof import("./vertex-adc.js").hasGoogleVertexAuthorizedUserAdcSync;
 
 const MODEL_PROVIDER_REQUEST_TRANSPORT_SYMBOL = Symbol.for(
   "openclaw.modelProviderRequestTransport",
@@ -63,8 +68,12 @@ function buildSseResponse(events: unknown[]): Response {
 
 describe("google transport stream", () => {
   beforeAll(async () => {
-    ({ buildGoogleGenerativeAiParams, createGoogleGenerativeAiTransportStreamFn } =
-      await import("./transport-stream.js"));
+    ({
+      buildGoogleGenerativeAiParams,
+      createGoogleGenerativeAiTransportStreamFn,
+      createGoogleVertexTransportStreamFn,
+    } = await import("./transport-stream.js"));
+    ({ hasGoogleVertexAuthorizedUserAdcSync } = await import("./vertex-adc.js"));
   });
 
   beforeEach(() => {
@@ -73,6 +82,10 @@ describe("google transport stream", () => {
     buildGuardedModelFetchMock.mockReturnValue(guardedFetchMock);
   });
 
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
   it("uses the guarded fetch transport and parses Gemini SSE output", async () => {
     guardedFetchMock.mockResolvedValueOnce(
       buildSseResponse([
@@ -257,6 +270,89 @@ describe("google transport stream", () => {
     );
   });
 
+  it("refreshes authorized_user ADC before Google Vertex requests", async () => {
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-adc-"));
+    const credentialsPath = path.join(tempDir, "application_default_credentials.json");
+    await writeFile(
+      credentialsPath,
+      JSON.stringify({
+        type: "authorized_user",
+        client_id: "client-id",
+        client_secret: "client-secret",
+        refresh_token: "refresh-token",
+      }),
+      "utf8",
+    );
+    vi.stubEnv("GOOGLE_APPLICATION_CREDENTIALS", credentialsPath);
+    vi.stubEnv("GOOGLE_CLOUD_PROJECT", "vertex-project");
+    vi.stubEnv("GOOGLE_CLOUD_LOCATION", "global");
+    const tokenFetchMock = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ access_token: "ya29.vertex-token", expires_in: 3600 }), {
+        status: 200,
+        headers: { "content-type": "application/json" },
+      }),
+    );
+    guardedFetchMock.mockResolvedValueOnce(
+      buildSseResponse([
+        {
+          candidates: [{ content: { parts: [{ text: "ok" }] }, finishReason: "STOP" }],
+        },
+      ]),
+    );
+
+    expect(hasGoogleVertexAuthorizedUserAdcSync()).toBe(true);
+
+    const model = {
+      id: "gemini-3.1-pro-preview",
+      name: "Gemini 3.1 Pro Preview",
+      api: "google-vertex",
+      provider: "google-vertex",
+      baseUrl: "https://{location}-aiplatform.googleapis.com",
+      reasoning: true,
+      input: ["text"],
+      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+      contextWindow: 128000,
+      maxTokens: 8192,
+    } satisfies Model<"google-vertex">;
+
+    const streamFn = createGoogleVertexTransportStreamFn();
+    const stream = await Promise.resolve(
+      streamFn(
+        model,
+        {
+          messages: [{ role: "user", content: "hello", timestamp: 0 }],
+        } as Parameters<typeof streamFn>[1],
+        {
+          apiKey: "gcp-vertex-credentials",
+          fetch: tokenFetchMock,
+        } as Parameters<typeof streamFn>[2],
+      ),
+    );
+    const result = await stream.result();
+
+    expect(tokenFetchMock).toHaveBeenCalledWith(
+      "https://oauth2.googleapis.com/token",
+      expect.objectContaining({ method: "POST" }),
+    );
+    expect(guardedFetchMock).toHaveBeenCalledWith(
+      "https://aiplatform.googleapis.com/v1/projects/vertex-project/locations/global/publishers/google/models/gemini-3.1-pro-preview:streamGenerateContent?alt=sse",
+      expect.objectContaining({
+        method: "POST",
+        headers: expect.objectContaining({
+          Authorization: "Bearer ya29.vertex-token",
+          "Content-Type": "application/json",
+          accept: "text/event-stream",
+        }),
+      }),
+    );
+    expect(result).toMatchObject({
+      api: "google-vertex",
+      provider: "google-vertex",
+      stopReason: "stop",
+      content: [{ type: "text", text: "ok" }],
+    });
+  });
+
   it("coerces replayed malformed tool-call args to an object for Google payloads", () => {
     const params = buildGoogleGenerativeAiParams(buildGeminiModel(), {
       messages: [