Bug: google-vertex sentinel '<authenticated>' passed as literal API key to pi-ai, causing silent auth failure in isolated sessions

[banna-commits]

Bug: google-vertex sentinel value "" passed as literal API key to pi-ai

Summary

When getEnvApiKey("google-vertex") returns the sentinel string "<authenticated>"
(indicating ADC credentials are available), OpenClaw passes this literal string as
options.apiKey to pi-ai's google-vertex.js provider. The provider then calls
createClientWithApiKey(model, "<authenticated>", ...) instead of createClient()
(the ADC path), causing auth failures.

Root cause (pi-ai source, google-vertex.js line ~38-42):

const apiKey = resolveApiKey(options); // returns options?.apiKey || process.env.GOOGLE_CLOUD_API_KEY
const client = apiKey
    ? createClientWithApiKey(model, apiKey, options?.headers)
    : createClient(model, resolveProject(options), resolveLocation(options), options?.headers);

When options.apiKey = "<authenticated>", apiKey is truthy → goes to createClientWithApiKey
with the literal string "" as key → fails silently → OpenClaw falls back to next model.

Expected behavior

The sentinel value "<authenticated>" should be detected by OpenClaw before being passed
to pi-ai, and the call should be made without options.apiKey so pi-ai uses the ADC path.

Workaround

Removed all google-vertex model references from cron jobs, using anthropic/claude-sonnet-4-6 directly.

Environment

• OpenClaw 2026.3.13
• pi-ai (@mariozechner/pi-ai)
• macOS, isolated cron sessions
• GOOGLE_APPLICATION_CREDENTIALS set correctly, SA token confirmed working via gcloud

[Ryce]

KeepMyClaw angle: boundary snapshot at the pi-ai auth / sentinel-value boundary

This is a silent auth-state divergence: the system believes it has a valid API key, but is actually passing a literal sentinel string to the provider, causing authentication to silently fail in isolated sessions.

What happens:

Google Vertex uses a sentinel value (<authenticated>) as an internal auth-state marker. When pi-ai constructs the outbound request to Vertex, it appears to be passing the literal string <authenticated> as the API key instead of resolving the sentinel to the actual authenticated session token. Vertex receives a key that looks valid syntactically but is semantically meaningless, and the auth failure is silent — no error surfaced to the user.

The divergence: OpenClaw believes it has an authenticated session (hence the sentinel was placed there), pi-ai passes the sentinel literally, Vertex receives garbage. The user has no visibility into which layer introduced the failure.

Why isolated sessions are the affected surface:

Isolated sessions may initialize auth differently from the main gateway session. The sentinel placement logic and the key resolution logic may diverge at session initialization, causing isolated sessions to use a literal sentinel where the main session would have resolved it. This makes the bug session-type-dependent and hard to reproduce outside isolated mode.

Where KeepMyClaw helps:

A boundary snapshot at the pi-ai request construction boundary — capturing what pi-ai actually sent as the Authorization header, what it believed it was sending, and the full request context at that moment — would immediately prove:

1. Whether the sentinel was resolved before the request was constructed, or passed literally
2. What the Vertex endpoint expected versus what it received
3. Whether the divergence was in the sentinel resolution path or the request construction path

The snapshot is the authoritative record of what left pi-ai versus what Vertex received — closing the diagnostic gap on a failure that currently produces zero user-visible error output.

https://keepmyclaw.com

[GMTekAI]

This looks valid against current source, and the failure seam appears to be on the OpenClaw side before the call reaches pi-ai.

What current code does:

• resolveEnvApiKey("google-vertex") in src/agents/model-auth.ts calls getEnvApiKey(normalized) and returns whatever comes back as { apiKey, source: "gcloud adc" }.
• There is no special-case handling there for a non-secret sentinel value like "<authenticated>".
• The embedded runner path then stores the resolved value directly via authStorage.setRuntimeApiKey(model.provider, apiKeyInfo.apiKey) in src/agents/pi-embedded-runner/run.ts.

So if @mariozechner/pi-ai returns "<authenticated>" for google-vertex to mean "ADC is available", OpenClaw will currently treat that as an actual runtime API key string and pass it downstream unchanged.

That makes the report's core claim plausible without needing to assume an isolated-session-only bug in pi-ai itself. The isolated-session angle may just be where this path is easiest to observe.

High-signal maintainer notes:

• this is probably not a generic Vertex auth failure; it is a sentinel-normalization bug in auth resolution
• current tests in src/agents/model-auth.profiles.test.ts cover a lot of env/provider auth cases, but I do not see coverage for a google-vertex sentinel marker being returned from getEnvApiKey(...)
• the smallest good fix is likely to normalize/drop the sentinel before ResolvedProviderAuth is converted into a runtime API key override

So the concrete next step seems pretty crisp:

1. add a regression test where getEnvApiKey("google-vertex") returns "<authenticated>"
2. assert that OpenClaw does not treat that as a literal API key for runtime override
3. route that case through the no-api-key / ADC path instead

That keeps the fix local to auth resolution and avoids turning it into a broader isolated-session investigation unless a second bug remains after the sentinel handling is corrected.

[Hollychou924]

Analysis: google-vertex ADC sentinel '' passed as literal API key — null-guard before pi-ai call

The reporter has pinpointed the exact failure path. This is a clean one-line guard needed in the OpenClaw layer before calling pi-ai.

Root cause

OpenClaw's getEnvApiKey("google-vertex") returns the sentinel string "<authenticated>" to signal that ADC (Application Default Credentials) are available — no explicit API key needed, pi-ai should use createClient() (the ADC path). But the sentinel string is then passed through to options.apiKey, and pi-ai's logic is:

const apiKey = resolveApiKey(options); // truthy string "<authenticated>"  
const client = apiKey
  ? createClientWithApiKey(model, apiKey, ...)  // ← wrong path
  : createClient(model, project, location, ...); // ← correct ADC path

Since "<authenticated>" is truthy, pi-ai takes the API key path with a literal invalid key → auth failure → OpenClaw falls back to next model silently.

Fix

Before building the options object passed to pi-ai's google-vertex provider, strip the sentinel:

// In the google-vertex provider dispatch path
const rawApiKey = getEnvApiKey('google-vertex');
const apiKey = rawApiKey === '<authenticated>' ? undefined : rawApiKey;

const options = {
  model: modelId,
  ...(apiKey ? { apiKey } : {}),  // omit entirely for ADC path
  // ... other options
};

Or as a one-liner guard at the point where options.apiKey is assigned:

options.apiKey = apiKey === '<authenticated>' ? undefined : apiKey;

When apiKey is undefined, resolveApiKey(options) in pi-ai returns undefined (falsy) → takes the createClient() ADC path → works correctly.

Why isolated cron sessions are more affected

The reporter notes this only affects isolated cron sessions. In interactive sessions, the main agent may have access to the ADC environment directly through a different auth resolution path. Isolated sessions may not inherit the ADC context correctly, making the sentinel the only indicator of auth availability — and passing it literally breaks the one signal that was working.

Sentinel pattern audit

Worth checking if any other providers use a similar sentinel pattern for OAuth/ADC flows (google, google-chat, etc.) and whether they have the same passthrough issue.

[vincentkoc]

Covered by the canonical google-vertex sentinel fix in #47304. On current main, pi-ai 0.70.2 from #71105 explicitly ignores <authenticated> and gcp-vertex-credentials, so they are not sent as Vertex API keys. Closing this duplicate.