openclaw
diff --git a/‎extensions/google/package.json‎
Lines changed: 2 additions & 1 deletion b/‎extensions/google/package.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎extensions/google/transport-stream.test.ts‎
Lines changed: 120 additions & 6 deletions b/‎extensions/google/transport-stream.test.ts‎
Lines changed: 120 additions & 6 deletions
diff --git a/‎extensions/google/vertex-adc.ts‎
Lines changed: 146 additions & 26 deletions b/‎extensions/google/vertex-adc.ts‎
Lines changed: 146 additions & 26 deletions
@@ -6,7 +6,8 @@
   "type": "module",
   "dependencies": {
     "@earendil-works/pi-ai": "0.75.1",
-    "@google/genai": "2.2.0"
+    "@google/genai": "2.2.0",
+    "google-auth-library": "10.6.2"
   },
   "devDependencies": {
     "@openclaw/plugin-sdk": "workspace:*"
 
@@ -4,21 +4,40 @@ import path from "node:path";
 import type { Model } from "@earendil-works/pi-ai";
 import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 
-const { buildGuardedModelFetchMock, guardedFetchMock } = vi.hoisted(() => ({
-  buildGuardedModelFetchMock: vi.fn(),
-  guardedFetchMock: vi.fn(),
-}));
+const {
+  buildGuardedModelFetchMock,
+  guardedFetchMock,
+  googleAuthGetAccessTokenMock,
+  googleAuthMock,
+} = vi.hoisted(() => {
+  const googleAuthGetAccessTokenMock = vi.fn();
+  return {
+    buildGuardedModelFetchMock: vi.fn(),
+    guardedFetchMock: vi.fn(),
+    googleAuthGetAccessTokenMock,
+    googleAuthMock: vi.fn(function GoogleAuthMock() {
+      return {
+        getAccessToken: googleAuthGetAccessTokenMock,
+      };
+    }),
+  };
+});
 
 vi.mock("openclaw/plugin-sdk/provider-transport-runtime", async (importOriginal) => ({
   ...(await importOriginal()),
   buildGuardedModelFetch: buildGuardedModelFetchMock,
 }));
 
+vi.mock("google-auth-library", () => ({
+  GoogleAuth: googleAuthMock,
+}));
+
 let buildGoogleGenerativeAiParams: typeof import("./transport-stream.js").buildGoogleGenerativeAiParams;
 let buildGoogleGemini3FirstResponseRetryParams: typeof import("./transport-stream.js").buildGoogleGemini3FirstResponseRetryParams;
 let createGoogleGenerativeAiTransportStreamFn: typeof import("./transport-stream.js").createGoogleGenerativeAiTransportStreamFn;
 let createGoogleVertexTransportStreamFn: typeof import("./transport-stream.js").createGoogleVertexTransportStreamFn;
 let hasGoogleVertexAuthorizedUserAdcSync: typeof import("./vertex-adc.js").hasGoogleVertexAuthorizedUserAdcSync;
+let resolveGoogleVertexAuthorizedUserHeaders: typeof import("./vertex-adc.js").resolveGoogleVertexAuthorizedUserHeaders;
 let resetGoogleVertexAuthorizedUserTokenCacheForTest: typeof import("./vertex-adc.js").resetGoogleVertexAuthorizedUserTokenCacheForTest;
 
 const MODEL_PROVIDER_REQUEST_TRANSPORT_SYMBOL = Symbol.for(
@@ -254,13 +273,18 @@ describe("google transport stream", () => {
       createGoogleGenerativeAiTransportStreamFn,
       createGoogleVertexTransportStreamFn,
     } = await import("./transport-stream.js"));
-    ({ hasGoogleVertexAuthorizedUserAdcSync, resetGoogleVertexAuthorizedUserTokenCacheForTest } =
-      await import("./vertex-adc.js"));
+    ({
+      hasGoogleVertexAuthorizedUserAdcSync,
+      resolveGoogleVertexAuthorizedUserHeaders,
+      resetGoogleVertexAuthorizedUserTokenCacheForTest,
+    } = await import("./vertex-adc.js"));
   });
 
   beforeEach(() => {
     buildGuardedModelFetchMock.mockReset();
     guardedFetchMock.mockReset();
+    googleAuthGetAccessTokenMock.mockReset();
+    googleAuthMock.mockClear();
     buildGuardedModelFetchMock.mockReturnValue(guardedFetchMock);
     resetGoogleVertexAuthorizedUserTokenCacheForTest();
   });
@@ -271,6 +295,7 @@ describe("google transport stream", () => {
 
   afterAll(() => {
     vi.doUnmock("openclaw/plugin-sdk/provider-transport-runtime");
+    vi.doUnmock("google-auth-library");
     vi.resetModules();
   });
 
@@ -695,6 +720,95 @@ describe("google transport stream", () => {
     });
   });
 
+  it("detects supported Vertex ADC sources synchronously", async () => {
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-adc-detect-"));
+    for (const type of ["authorized_user", "external_account", "service_account"]) {
+      const credentialsPath = path.join(tempDir, `${type}.json`);
+      await writeFile(credentialsPath, JSON.stringify({ type }), "utf8");
+
+      expect(
+        hasGoogleVertexAuthorizedUserAdcSync({
+          GOOGLE_APPLICATION_CREDENTIALS: credentialsPath,
+        }),
+      ).toBe(true);
+    }
+
+    expect(
+      hasGoogleVertexAuthorizedUserAdcSync({
+        HOME: path.join(tempDir, "empty-home"),
+        KUBERNETES_SERVICE_HOST: "10.0.0.1",
+      }),
+    ).toBe(true);
+    expect(
+      hasGoogleVertexAuthorizedUserAdcSync({
+        HOME: path.join(tempDir, "empty-home"),
+        K_SERVICE: "cloud-run-service",
+      }),
+    ).toBe(true);
+  });
+
+  it("resolves non-file Vertex ADC through google-auth-library without OAuth refresh fetch", async () => {
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-authlib-"));
+    vi.stubEnv("GOOGLE_APPLICATION_CREDENTIALS", "");
+    vi.stubEnv("HOME", path.join(tempDir, "home"));
+    vi.stubEnv("APPDATA", "");
+    googleAuthGetAccessTokenMock.mockResolvedValueOnce("ya29.google-auth-token");
+    const tokenFetchMock = vi.fn();
+
+    await expect(resolveGoogleVertexAuthorizedUserHeaders(tokenFetchMock)).resolves.toEqual({
+      Authorization: "Bearer ya29.google-auth-token",
+    });
+
+    expect(googleAuthMock).toHaveBeenCalledWith({
+      scopes: ["https://www.googleapis.com/auth/cloud-platform"],
+    });
+    expect(googleAuthGetAccessTokenMock).toHaveBeenCalledTimes(1);
+    expect(tokenFetchMock).not.toHaveBeenCalled();
+  });
+
+  it("uses google-auth-library bearer auth for Google Vertex credential marker requests", async () => {
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-authlib-stream-"));
+    vi.stubEnv("GOOGLE_APPLICATION_CREDENTIALS", "");
+    vi.stubEnv("HOME", path.join(tempDir, "home"));
+    vi.stubEnv("APPDATA", "");
+    vi.stubEnv("GOOGLE_CLOUD_PROJECT", "vertex-project");
+    vi.stubEnv("GOOGLE_CLOUD_LOCATION", "us-central1");
+    googleAuthGetAccessTokenMock.mockResolvedValueOnce("ya29.transport-token");
+    const tokenFetchMock = vi.fn();
+    guardedFetchMock.mockResolvedValueOnce(
+      buildSseResponse([
+        {
+          candidates: [{ content: { parts: [{ text: "ok" }] }, finishReason: "STOP" }],
+        },
+      ]),
+    );
+
+    const streamFn = createGoogleVertexTransportStreamFn();
+    const stream = await Promise.resolve(
+      streamFn(
+        buildGoogleVertexModel(),
+        {
+          messages: [{ role: "user", content: "hello", timestamp: 0 }],
+        } as Parameters<typeof streamFn>[1],
+        {
+          apiKey: "gcp-vertex-credentials",
+          fetch: tokenFetchMock,
+        } as Parameters<typeof streamFn>[2],
+      ),
+    );
+    await stream.result();
+
+    expect(tokenFetchMock).not.toHaveBeenCalled();
+    const guardedCall = requireMockCall(guardedFetchMock, 0, "guarded fetch");
+    const guardedInit = requireRequestInit(guardedCall, "guarded fetch");
+    expectHeaders(guardedInit, {
+      Authorization: "Bearer ya29.transport-token",
+      "Content-Type": "application/json",
+      accept: "text/event-stream",
+    });
+    expect(new Headers(guardedInit.headers).has("x-goog-api-key")).toBe(false);
+  });
+
   it("refreshes authorized_user ADC before Google Vertex requests", async () => {
     const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-adc-"));
     const credentialsPath = path.join(tempDir, "application_default_credentials.json");
 
@@ -17,13 +17,33 @@ type GoogleVertexAuthorizedUserToken = {
   refreshToken: string;
 };
 
+type GoogleVertexAdcToken = {
+  token: string;
+  expiresAtMs: number;
+};
+
 const GCP_VERTEX_CREDENTIALS_MARKER = "gcp-vertex-credentials";
 const GOOGLE_OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token";
+const GOOGLE_VERTEX_OAUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
+// Hold tokens slightly less long than reported expiry (Google's recommendation
+// is a 60s buffer) so we don't ship a request that's already revoked when it
+// leaves the gateway.
+const GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS = 60_000;
 
 let cachedGoogleVertexAuthorizedUserToken: GoogleVertexAuthorizedUserToken | undefined;
+let cachedGoogleAuthClient:
+  | {
+      promise: Promise<{
+        getAccessToken: () => Promise<string | null | undefined>;
+      }>;
+    }
+  | undefined;
+let cachedGoogleVertexAdcToken: GoogleVertexAdcToken | undefined;
 
 export function resetGoogleVertexAuthorizedUserTokenCacheForTest(): void {
   cachedGoogleVertexAuthorizedUserToken = undefined;
+  cachedGoogleAuthClient = undefined;
+  cachedGoogleVertexAdcToken = undefined;
 }
 
 function normalizeOptionalString(value: unknown): string | undefined {
@@ -85,24 +105,64 @@ async function readGoogleAuthorizedUserCredentials(
   };
 }
 
+function readGoogleAdcCredentialsTypeSync(credentialsPath: string): string | undefined {
+  try {
+    const parsed = JSON.parse(readFileSync(credentialsPath, "utf8")) as unknown;
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      return undefined;
+    }
+    const type = (parsed as { type?: unknown }).type;
+    return typeof type === "string" ? type : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+/**
+ * Returns true when *any* Application Default Credentials source usable for
+ * Google Vertex AI is detectable synchronously. We still call the function
+ * `...AuthorizedUserAdcSync` for backwards compatibility with consumers in
+ * older OpenClaw revisions; the predicate now also covers:
+ *
+ *   1. `authorized_user` credentials file (existing case - `gcloud auth
+ *      application-default login` produces this).
+ *   2. `external_account` credentials file (Workload Identity Federation).
+ *   3. `service_account` credentials file (raw GSA key - rarely used in
+ *      OpenClaw, included for completeness).
+ *   4. GKE Workload Identity (no credentials file; the Google Cloud metadata
+ *      server is the source). Detected heuristically via the presence of
+ *      `KUBERNETES_SERVICE_HOST` (which the kubelet sets in every container).
+ *      The actual metadata-server probe happens at first request time inside
+ *      `google-auth-library`'s `GoogleAuth#getAccessToken()`.
+ *   5. Cloud Run / GAE / Compute Engine metadata server, detected via
+ *      `K_SERVICE` (Cloud Run), `GAE_SERVICE` (App Engine), or
+ *      `GCE_METADATA_HOST` (Compute Engine override).
+ *
+ * The point of the gating in `provider-registration.ts` is to decide whether
+ * to wire up the Google Vertex transport at all; returning `true` does not
+ * mean a token is available, it means we have evidence we *could* obtain
+ * one. The auth call still runs at request time and surfaces clear errors
+ * when no source is actually usable.
+ */
 export function hasGoogleVertexAuthorizedUserAdcSync(
   env: NodeJS.ProcessEnv = process.env,
 ): boolean {
   const credentialsPath = resolveGoogleApplicationCredentialsPath(env);
-  if (!credentialsPath) {
-    return false;
+  if (credentialsPath) {
+    const type = readGoogleAdcCredentialsTypeSync(credentialsPath);
+    if (type === "authorized_user" || type === "external_account" || type === "service_account") {
+      return true;
+    }
   }
-  try {
-    const parsed = JSON.parse(readFileSync(credentialsPath, "utf8")) as unknown;
-    return (
-      Boolean(parsed) &&
-      typeof parsed === "object" &&
-      !Array.isArray(parsed) &&
-      (parsed as { type?: unknown }).type === "authorized_user"
-    );
-  } catch {
-    return false;
+  if (
+    normalizeOptionalString(env.KUBERNETES_SERVICE_HOST) ||
+    normalizeOptionalString(env.K_SERVICE) ||
+    normalizeOptionalString(env.GAE_SERVICE) ||
+    normalizeOptionalString(env.GCE_METADATA_HOST)
+  ) {
+    return true;
   }
+  return false;
 }
 
 async function refreshGoogleVertexAuthorizedUserAccessToken(params: {
@@ -123,7 +183,7 @@ async function refreshGoogleVertexAuthorizedUserAccessToken(params: {
   if (
     cached?.credentialsPath === params.credentialsPath &&
     cached.refreshToken === refreshToken &&
-    cached.expiresAtMs - Date.now() > 60_000
+    cached.expiresAtMs - Date.now() > GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS
   ) {
     return cached.token;
   }
@@ -166,23 +226,83 @@ async function refreshGoogleVertexAuthorizedUserAccessToken(params: {
   return token;
 }
 
+async function resolveGoogleVertexAccessTokenViaGoogleAuth(): Promise<string> {
+  // Lazy-import + cache so we don't pay the google-auth-library load cost on
+  // gateway startup; only when we actually need a non-authorized_user token.
+  if (!cachedGoogleAuthClient) {
+    cachedGoogleAuthClient = {
+      promise: import("google-auth-library").then(({ GoogleAuth }) => {
+        // GoogleAuth handles every ADC variant we care about for GKE:
+        // - external_account (Workload Identity Federation: STS exchange)
+        // - service_account (raw GSA key: JWT-bearer)
+        // - GKE Workload Identity (metadata server when no credentials file)
+        // - Compute Engine / Cloud Run / GAE metadata server fallback
+        // It also caches tokens internally and refreshes before expiry.
+        return new GoogleAuth({
+          scopes: [GOOGLE_VERTEX_OAUTH_SCOPE],
+        });
+      }),
+    };
+  }
+  const auth = await cachedGoogleAuthClient.promise;
+
+  const cached = cachedGoogleVertexAdcToken;
+  if (cached && cached.expiresAtMs - Date.now() > GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS) {
+    return cached.token;
+  }
+
+  const token = await auth.getAccessToken();
+  const normalized = normalizeOptionalString(token);
+  if (!normalized) {
+    throw new Error(
+      "Google Vertex ADC fallback (google-auth-library) did not return an access token. " +
+        "Verify the GKE Workload Identity binding (KSA \u2192 GSA), `GOOGLE_APPLICATION_CREDENTIALS`, " +
+        "or other ADC source is reachable from this pod.",
+    );
+  }
+  // google-auth-library doesn't expose token expiry on the simple
+  // `getAccessToken()` return type, so we cache for a conservative 5 minutes.
+  // The library itself already refreshes well before its own internal expiry,
+  // so this cache is mainly to avoid hot-loop calls into the auth client.
+  cachedGoogleVertexAdcToken = {
+    token: normalized,
+    expiresAtMs: Date.now() + 5 * 60_000,
+  };
+  return normalized;
+}
+
+/**
+ * Resolve `Authorization: Bearer ...` headers for Google Vertex calls.
+ *
+ * We try the hand-rolled `authorized_user` refresh path first (preserves the
+ * existing fetchImpl test seam and the OpenClaw upstream behaviour); when the
+ * configured ADC source is anything other than `authorized_user` (the common
+ * production cases on GKE: Workload Identity, Workload Identity Federation,
+ * service-account JSON keys), we hand off to `google-auth-library` which
+ * understands all of those natively.
+ *
+ * Note: the function is still named `...AuthorizedUserHeaders` to avoid a
+ * symbol rename across the existing patch surface; the docstring above is
+ * the truth, the name is legacy.
+ */
 export async function resolveGoogleVertexAuthorizedUserHeaders(
   fetchImpl?: typeof fetch,
 ): Promise<Record<string, string>> {
   const credentialsPath = resolveGoogleApplicationCredentialsPath();
-  if (!credentialsPath) {
-    throw new Error(
-      "Google Vertex ADC credentials not found. Set GOOGLE_APPLICATION_CREDENTIALS or run gcloud auth application-default login.",
-    );
+  if (credentialsPath) {
+    const credentials = await readGoogleAuthorizedUserCredentials(credentialsPath);
+    if (credentials) {
+      const token = await refreshGoogleVertexAuthorizedUserAccessToken({
+        credentialsPath,
+        credentials,
+        fetchImpl,
+      });
+      return { Authorization: `Bearer ${token}` };
+    }
   }
-  const credentials = await readGoogleAuthorizedUserCredentials(credentialsPath);
-  if (!credentials) {
-    throw new Error("Google Vertex ADC fallback requires an authorized_user credentials file.");
-  }
-  const token = await refreshGoogleVertexAuthorizedUserAccessToken({
-    credentialsPath,
-    credentials,
-    fetchImpl,
-  });
+  // No file-based authorized_user ADC. Fall back to google-auth-library which
+  // handles GKE Workload Identity (metadata server), Workload Identity
+  // Federation (external_account), and service-account keys.
+  const token = await resolveGoogleVertexAccessTokenViaGoogleAuth();
   return { Authorization: `Bearer ${token}` };
 }