openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/auth-credential-semantics.md‎
Lines changed: 5 additions & 2 deletions b/‎docs/auth-credential-semantics.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎docs/cli/models.md‎
Lines changed: 7 additions & 1 deletion b/‎docs/cli/models.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎docs/plugins/manifest.md‎
Lines changed: 24 additions & 11 deletions b/‎docs/plugins/manifest.md‎
Lines changed: 24 additions & 11 deletions
diff --git a/‎docs/providers/google.md‎
Lines changed: 32 additions & 1 deletion b/‎docs/providers/google.md‎
Lines changed: 32 additions & 1 deletion
diff --git a/‎extensions/google/index.test.ts‎
Lines changed: 25 additions & 0 deletions b/‎extensions/google/index.test.ts‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎extensions/google/openclaw.plugin.json‎
Lines changed: 7 additions & 0 deletions b/‎extensions/google/openclaw.plugin.json‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎extensions/google/provider-registration.ts‎
Lines changed: 1 addition & 2 deletions b/‎extensions/google/provider-registration.ts‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎extensions/google/transport-stream.test.ts‎
Lines changed: 73 additions & 2 deletions b/‎extensions/google/transport-stream.test.ts‎
Lines changed: 73 additions & 2 deletions
diff --git a/‎extensions/google/vertex-adc.ts‎
Lines changed: 40 additions & 2 deletions b/‎extensions/google/vertex-adc.ts‎
Lines changed: 40 additions & 2 deletions
@@ -6,6 +6,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- Google Vertex: fall back to GCE metadata server service-account tokens when local ADC is missing or not `authorized_user`, and teach runtime auth, doctor, and `models status --probe` to recognize VM attached service-account auth without gcloud login or key files.
 - Release/plugin publishing: retry transient ClawHub CLI dependency install failures, keep preview-passing plugins publishable when one preview cell flakes, and verify every expected ClawHub package version after publish so maintenance releases are faster to recover and less likely to hide partial plugin publishes.
 - OpenAI: support `openai/chat-latest` as an explicit direct API-key model override for trying the moving ChatGPT Instant API alias without changing the stable default model.
 - Cron CLI: include computed `status` in `cron list --json` and `cron show --json` output so external tooling can read disabled/running/ok/error/skipped/idle state without reimplementing cron status derivation. (#78701) Thanks @aweiker.
 
@@ -74,8 +74,11 @@ the target agent signs in separately and creates its own local profile.
 
 ## Probe target resolution
 
-- Probe targets can come from auth profiles, environment credentials, or
-  `models.json`.
+- Probe targets can come from auth profiles, environment credentials,
+  provider-declared live auth evidence, or `models.json`.
+- Live auth evidence is only checked by live probe/runtime auth paths. For
+  example, Google Vertex can use a GCE metadata server access token from an
+  attached VM service account without a local ADC file.
 - If a provider has credentials but OpenClaw cannot resolve a probeable model
   candidate for it, `models status --probe` reports `status: no_model` with
   `reasonCode: no_model`.
 
@@ -39,7 +39,9 @@ Probes are real requests (may consume tokens and trigger rate limits).
 Use `--agent <id>` to inspect a configured agent’s model/auth state. When omitted,
 the command uses `OPENCLAW_AGENT_DIR`/`PI_CODING_AGENT_DIR` if set, otherwise the
 configured default agent.
-Probe rows can come from auth profiles, env credentials, or `models.json`.
+Probe rows can come from auth profiles, env credentials, live provider-owned
+auth evidence such as Google Vertex GCE metadata service-account credentials, or
+`models.json`.
 
 Notes:
 
@@ -52,6 +54,10 @@ Notes:
   markers, AWS Bedrock env/profile markers, and plugin synthetic-auth metadata;
   it does not load provider runtime, read keychain secrets, call provider
   APIs, or prove exact per-model execution readiness.
+- `models status --probe` may perform provider-declared live auth evidence
+  checks before building probe targets. For Google Vertex on GCE, a reachable
+  metadata server token can create a probe target even when no local ADC file or
+  service-account key is present.
 - `models list --all --provider <id>` can include provider-owned static catalog
   rows from plugin manifests or bundled provider catalog metadata even when you
   have not authenticated with that provider yet. Those rows still show as
 
@@ -495,6 +495,13 @@ before runtime loads.
             "requiresAllEnv": ["OPENAI_PROJECT"],
             "credentialMarker": "openai-local-credentials",
             "source": "openai local credentials"
+          },
+          {
+            "type": "gce-metadata-token",
+            "requiresAnyEnv": ["GOOGLE_CLOUD_PROJECT", "GCLOUD_PROJECT"],
+            "requiresAllEnv": ["GOOGLE_CLOUD_LOCATION"],
+            "credentialMarker": "gcp-vertex-credentials",
+            "source": "GCE metadata service account"
           }
         ]
       }
@@ -547,30 +554,36 @@ registration. These diagnostics are additive and do not reject legacy plugins.
 
 ### setup.providers reference
 
-| Field          | Required | Type       | What it means                                                                                    |
-| -------------- | -------- | ---------- | ------------------------------------------------------------------------------------------------ |
-| `id`           | Yes      | `string`   | Provider id exposed during setup or onboarding. Keep normalized ids globally unique.             |
-| `authMethods`  | No       | `string[]` | Setup/auth method ids this provider supports without loading full runtime.                       |
-| `envVars`      | No       | `string[]` | Env vars that generic setup/status surfaces can check before plugin runtime loads.               |
-| `authEvidence` | No       | `object[]` | Cheap local auth evidence checks for providers that can authenticate through non-secret markers. |
+| Field          | Required | Type       | What it means                                                                              |
+| -------------- | -------- | ---------- | ------------------------------------------------------------------------------------------ |
+| `id`           | Yes      | `string`   | Provider id exposed during setup or onboarding. Keep normalized ids globally unique.       |
+| `authMethods`  | No       | `string[]` | Setup/auth method ids this provider supports without loading full runtime.                 |
+| `envVars`      | No       | `string[]` | Env vars that generic setup/status surfaces can check before plugin runtime loads.         |
+| `authEvidence` | No       | `object[]` | Cheap auth evidence checks for providers that can authenticate through non-secret markers. |
 
-`authEvidence` is for provider-owned local credential markers that can be
-verified without loading runtime code. These checks must stay cheap and local:
-no network calls, no keychain or secret-manager reads, no shell commands, and no
-provider API probes.
+`authEvidence` is for provider-owned credential markers that can be verified
+without loading runtime code. Non-live checks must stay cheap and local: no
+network calls, no keychain or secret-manager reads, no shell commands, and no
+provider API probes. Live probe/runtime auth paths may verify explicit live
+evidence types such as GCE metadata tokens.
 
 Supported evidence entries:
 
 | Field              | Required | Type       | What it means                                                                                                  |
 | ------------------ | -------- | ---------- | -------------------------------------------------------------------------------------------------------------- |
-| `type`             | Yes      | `string`   | Currently `local-file-with-env`.                                                                               |
+| `type`             | Yes      | `string`   | `local-file-with-env` or `gce-metadata-token`.                                                                 |
 | `fileEnvVar`       | No       | `string`   | Env var containing an explicit credential file path.                                                           |
 | `fallbackPaths`    | No       | `string[]` | Local credential file paths checked when `fileEnvVar` is absent or empty. Supports `${HOME}` and `${APPDATA}`. |
 | `requiresAnyEnv`   | No       | `string[]` | At least one listed env var must be non-empty before the evidence is valid.                                    |
 | `requiresAllEnv`   | No       | `string[]` | Every listed env var must be non-empty before the evidence is valid.                                           |
 | `credentialMarker` | Yes      | `string`   | Non-secret marker returned when the evidence is present.                                                       |
 | `source`           | No       | `string`   | User-facing source label for auth/status output.                                                               |
 
+For `gce-metadata-token`, OpenClaw checks the GCE metadata token endpoint with
+the required `Metadata-Flavor: Google` header during live probe/runtime auth
+resolution and treats a JSON `access_token` response as evidence. The token is
+not persisted.
+
 ### setup fields
 
 | Field              | Required | Type       | What it means                                                                                       |
 
@@ -1,5 +1,5 @@
 ---
-summary: "Google Gemini setup (API key + OAuth, image generation, media understanding, TTS, web search)"
+summary: "Google Gemini and Vertex setup (API key, OAuth, GCE metadata ADC, image generation, media understanding, TTS, web search)"
 title: "Google (Gemini)"
 read_when:
   - You want to use Google Gemini models with OpenClaw
@@ -13,6 +13,8 @@ Gemini Grounding.
 - Provider: `google`
 - Auth: `GEMINI_API_KEY` or `GOOGLE_API_KEY`
 - API: Google Gemini API
+- Vertex provider: `google-vertex`
+- Vertex auth: local ADC or GCE metadata service-account ADC
 - Runtime option: `agents.defaults.agentRuntime.id: "google-gemini-cli"`
   reuses Gemini CLI OAuth while keeping model refs canonical as `google/*`.
 
@@ -128,6 +130,35 @@ Choose your preferred auth method and follow the setup steps.
   </Tab>
 </Tabs>
 
+## Vertex AI on GCE
+
+The `google-vertex` provider can use Application Default Credentials from a
+local `authorized_user` ADC file, or from the GCE metadata server when OpenClaw
+runs on a VM with an attached service account. Metadata auth does not require
+`gcloud auth application-default login` or a downloaded service-account key.
+
+Set the Vertex project and location on the gateway host:
+
+```bash
+export GOOGLE_CLOUD_PROJECT="my-gcp-project"
+export GOOGLE_CLOUD_LOCATION="global"
+```
+
+Then configure a Vertex model:
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "google-vertex/gemini-3.1-pro-preview" },
+    },
+  },
+}
+```
+
+On GCE, `models status --probe` and `openclaw doctor` recognize a reachable
+metadata token as provider-owned auth evidence for `google-vertex`.
+
 ## Capabilities
 
 | Capability             | Supported                     |
 
@@ -20,6 +20,31 @@ const googleProviderPlugin = {
 };
 
 describe("google provider plugin hooks", () => {
+  it("provides the Vertex transport without requiring file-based ADC discovery first", async () => {
+    const { providers } = await registerProviderPlugin({
+      plugin: googleProviderPlugin,
+      id: "google",
+      name: "Google Provider",
+    });
+    const provider = requireRegisteredProvider(providers, "google");
+    const streamFn = provider.createStreamFn?.({
+      model: {
+        id: "gemini-3.1-pro-preview",
+        name: "Gemini 3.1 Pro Preview",
+        api: "google-vertex",
+        provider: "google-vertex",
+        baseUrl: "https://{location}-aiplatform.googleapis.com",
+        reasoning: true,
+        input: ["text"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 128000,
+        maxTokens: 8192,
+      } satisfies Model<"google-vertex">,
+    } as never);
+
+    expect(typeof streamFn).toBe("function");
+  });
+
   it("owns replay policy and reasoning mode for the direct Gemini provider", async () => {
     const { providers } = await registerProviderPlugin({
       plugin: googleProviderPlugin,
 
@@ -89,6 +89,13 @@
             "requiresAllEnv": ["GOOGLE_CLOUD_LOCATION"],
             "credentialMarker": "gcp-vertex-credentials",
             "source": "gcloud adc"
+          },
+          {
+            "type": "gce-metadata-token",
+            "requiresAnyEnv": ["GOOGLE_CLOUD_PROJECT", "GCLOUD_PROJECT"],
+            "requiresAllEnv": ["GOOGLE_CLOUD_LOCATION"],
+            "credentialMarker": "gcp-vertex-credentials",
+            "source": "GCE metadata service account"
           }
         ]
       }
 
@@ -13,7 +13,6 @@ import {
   createGoogleGenerativeAiTransportStreamFn,
   createGoogleVertexTransportStreamFn,
 } from "./transport-stream.js";
-import { hasGoogleVertexAuthorizedUserAdcSync } from "./vertex-adc.js";
 
 export function buildGoogleProvider(): ProviderPlugin {
   return {
@@ -57,7 +56,7 @@ export function buildGoogleProvider(): ProviderPlugin {
       if (model.api === "google-generative-ai") {
         return createGoogleGenerativeAiTransportStreamFn();
       }
-      if (model.api === "google-vertex" && hasGoogleVertexAuthorizedUserAdcSync()) {
+      if (model.api === "google-vertex") {
         return createGoogleVertexTransportStreamFn();
       }
       return undefined;
 
@@ -19,6 +19,7 @@ let createGoogleGenerativeAiTransportStreamFn: typeof import("./transport-stream
 let createGoogleVertexTransportStreamFn: typeof import("./transport-stream.js").createGoogleVertexTransportStreamFn;
 let hasGoogleVertexAuthorizedUserAdcSync: typeof import("./vertex-adc.js").hasGoogleVertexAuthorizedUserAdcSync;
 let resetGoogleVertexAuthorizedUserTokenCacheForTest: typeof import("./vertex-adc.js").resetGoogleVertexAuthorizedUserTokenCacheForTest;
+let resolveGoogleVertexAuthorizedUserHeaders: typeof import("./vertex-adc.js").resolveGoogleVertexAuthorizedUserHeaders;
 
 const MODEL_PROVIDER_REQUEST_TRANSPORT_SYMBOL = Symbol.for(
   "openclaw.modelProviderRequestTransport",
@@ -92,8 +93,11 @@ describe("google transport stream", () => {
       createGoogleGenerativeAiTransportStreamFn,
       createGoogleVertexTransportStreamFn,
     } = await import("./transport-stream.js"));
-    ({ hasGoogleVertexAuthorizedUserAdcSync, resetGoogleVertexAuthorizedUserTokenCacheForTest } =
-      await import("./vertex-adc.js"));
+    ({
+      hasGoogleVertexAuthorizedUserAdcSync,
+      resetGoogleVertexAuthorizedUserTokenCacheForTest,
+      resolveGoogleVertexAuthorizedUserHeaders,
+    } = await import("./vertex-adc.js"));
   });
 
   beforeEach(() => {
@@ -291,6 +295,73 @@ describe("google transport stream", () => {
     );
   });
 
+  it("uses GCE metadata server credentials for Google Vertex when no ADC file exists", async () => {
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-metadata-"));
+    vi.stubEnv("GOOGLE_APPLICATION_CREDENTIALS", "");
+    vi.stubEnv("HOME", path.join(tempDir, "home"));
+    vi.stubEnv("APPDATA", path.join(tempDir, "appdata"));
+    const metadataFetchMock = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ access_token: " metadata-access-token " }), {
+        status: 200,
+        headers: { "content-type": "application/json" },
+      }),
+    );
+
+    const headers = await resolveGoogleVertexAuthorizedUserHeaders(
+      metadataFetchMock as unknown as typeof fetch,
+    );
+
+    expect(headers).toEqual({ Authorization: "Bearer metadata-access-token" });
+    expect(metadataFetchMock).toHaveBeenCalledWith(
+      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token",
+      expect.objectContaining({
+        headers: { "Metadata-Flavor": "Google" },
+      }),
+    );
+  });
+
+  it("throws the missing credentials error when neither ADC nor metadata credentials exist", async () => {
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-no-adc-"));
+    vi.stubEnv("GOOGLE_APPLICATION_CREDENTIALS", "");
+    vi.stubEnv("HOME", path.join(tempDir, "home"));
+    vi.stubEnv("APPDATA", path.join(tempDir, "appdata"));
+    const metadataFetchMock = vi.fn().mockRejectedValue(new Error("metadata unavailable"));
+
+    await expect(
+      resolveGoogleVertexAuthorizedUserHeaders(metadataFetchMock as unknown as typeof fetch),
+    ).rejects.toThrow(
+      "Google Vertex ADC credentials not found. Set GOOGLE_APPLICATION_CREDENTIALS, run gcloud auth application-default login, or run on GCE with an attached service account.",
+    );
+  });
+
+  it("uses GCE metadata server credentials for Google Vertex when ADC is not authorized_user", async () => {
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-sa-adc-"));
+    const credentialsPath = path.join(tempDir, "application_default_credentials.json");
+    await writeFile(
+      credentialsPath,
+      JSON.stringify({
+        type: "service_account",
+        client_email: "vertex-vm@example.iam.gserviceaccount.com",
+      }),
+      "utf8",
+    );
+    vi.stubEnv("GOOGLE_APPLICATION_CREDENTIALS", credentialsPath);
+    const metadataFetchMock = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ access_token: "metadata-service-account-token" }), {
+        status: 200,
+        headers: { "content-type": "application/json" },
+      }),
+    );
+
+    const headers = await resolveGoogleVertexAuthorizedUserHeaders(
+      metadataFetchMock as unknown as typeof fetch,
+    );
+
+    expect(headers).toEqual({
+      Authorization: "Bearer metadata-service-account-token",
+    });
+  });
+
   it("refreshes authorized_user ADC before Google Vertex requests", async () => {
     const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-adc-"));
     const credentialsPath = path.join(tempDir, "application_default_credentials.json");
 
@@ -19,6 +19,9 @@ type GoogleVertexAuthorizedUserToken = {
 
 const GCP_VERTEX_CREDENTIALS_MARKER = "gcp-vertex-credentials";
 const GOOGLE_OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token";
+const GOOGLE_METADATA_TOKEN_URL =
+  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
+const GOOGLE_METADATA_TOKEN_TIMEOUT_MS = 1_000;
 
 let cachedGoogleVertexAuthorizedUserToken: GoogleVertexAuthorizedUserToken | undefined;
 
@@ -166,18 +169,53 @@ async function refreshGoogleVertexAuthorizedUserAccessToken(params: {
   return token;
 }
 
+async function resolveGoogleVertexMetadataHeaders(
+  fetchImpl?: typeof fetch,
+): Promise<Record<string, string> | undefined> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), GOOGLE_METADATA_TOKEN_TIMEOUT_MS);
+  try {
+    const response = await (fetchImpl ?? globalThis.fetch)(GOOGLE_METADATA_TOKEN_URL, {
+      headers: { "Metadata-Flavor": "Google" },
+      signal: controller.signal,
+    });
+    if (!response.ok) {
+      return undefined;
+    }
+    const payload = (await response.json().catch(() => undefined)) as
+      | { access_token?: unknown }
+      | undefined;
+    const token = normalizeOptionalString(payload?.access_token);
+    return token ? { Authorization: `Bearer ${token}` } : undefined;
+  } catch {
+    return undefined;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
 export async function resolveGoogleVertexAuthorizedUserHeaders(
   fetchImpl?: typeof fetch,
 ): Promise<Record<string, string>> {
   const credentialsPath = resolveGoogleApplicationCredentialsPath();
   if (!credentialsPath) {
+    const metadataHeaders = await resolveGoogleVertexMetadataHeaders(fetchImpl);
+    if (metadataHeaders) {
+      return metadataHeaders;
+    }
     throw new Error(
-      "Google Vertex ADC credentials not found. Set GOOGLE_APPLICATION_CREDENTIALS or run gcloud auth application-default login.",
+      "Google Vertex ADC credentials not found. Set GOOGLE_APPLICATION_CREDENTIALS, run gcloud auth application-default login, or run on GCE with an attached service account.",
     );
   }
   const credentials = await readGoogleAuthorizedUserCredentials(credentialsPath);
   if (!credentials) {
-    throw new Error("Google Vertex ADC fallback requires an authorized_user credentials file.");
+    const metadataHeaders = await resolveGoogleVertexMetadataHeaders(fetchImpl);
+    if (metadataHeaders) {
+      return metadataHeaders;
+    }
+    throw new Error(
+      "Google Vertex ADC fallback requires an authorized_user credentials file or GCE metadata credentials.",
+    );
   }
   const token = await refreshGoogleVertexAuthorizedUserAccessToken({
     credentialsPath,
Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,13 @@`
`89`	`89`	`"requiresAllEnv": ["GOOGLE_CLOUD_LOCATION"],`
`90`	`90`	`"credentialMarker": "gcp-vertex-credentials",`
`91`	`91`	`"source": "gcloud adc"`
	`92`	`+ },`
	`93`	`+ {`
	`94`	`+ "type": "gce-metadata-token",`
	`95`	`+ "requiresAnyEnv": ["GOOGLE_CLOUD_PROJECT", "GCLOUD_PROJECT"],`
	`96`	`+ "requiresAllEnv": ["GOOGLE_CLOUD_LOCATION"],`
	`97`	`+ "credentialMarker": "gcp-vertex-credentials",`
	`98`	`+ "source": "GCE metadata service account"`
`92`	`99`	`}`
`93`	`100`	`]`
`94`	`101`	`}`