[Bug]: `google-vertex` authEvidence detected by `models list` but no profile written; runtime fails with No API key found (2026.5.7)

[LooselySupervised]

Bug type

Behaviour bug

Summary

google-vertex plugin manifest declares authEvidence for ADC (env-based credentials with credentialMarker: gcp-vertex-credentials). On 2026.5.7, with all required env vars present, openclaw models list reports the provider as configured, but no profile is written to the agent's auth-profiles.json, and runtime requests fail with No API key found for provider "google-vertex".

The fix tracked in #47304 (closing #56253) is verified present in my install at both layers:

• OpenClaw's marker producer code (model-auth-env-*.js, model-auth-markers-*.js) contains GCP_VERTEX_CREDENTIALS_MARKER
• Bundled pi-ai 0.73.0 contains the marker filter in resolveApiKey()

But the marker never makes it into a profile, so the runtime resolver's profile lookup returns null before either layer is consulted at request time.

Environment

• OpenClaw: 2026.5.7 (npm global install, latest dist-tag)
• OS: Ubuntu 24
• Service: systemd --user service (openclaw-gateway.service)
• Auth method: service account JSON via GOOGLE_APPLICATION_CREDENTIALS
• GCP project: Vertex AI API enabled, SA has roles/aiplatform.user

Reproduction

1. Set in gateway env (verified in process via /proc/$PID/environ):

   GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa.json
   GOOGLE_CLOUD_PROJECT=<project>
   GOOGLE_CLOUD_LOCATION=global
   

2. Start gateway, send a prompt to google-vertex/gemini-2.5-pro.
3. Observe error:

   FailoverError: No API key found for provider "google-vertex".
   Auth store: ~/.openclaw/agents/main/agent/auth-profiles.json
   (agentDir: ~/.openclaw/agents/main/agent).
   Configure auth for this agent (openclaw agents add <id>) or copy only portable
   static auth profiles from the main agentDir.
   

Diagnostic evidence

Plugin loaded with provider registered:

$ openclaw plugins list --json | jq '.plugins[] | select(.id=="google") | {enabled, status, providerIds}'
{
  "enabled": true,
  "status": "loaded",
  "providerIds": ["google", "google-gemini-cli", "google-vertex"]
}

Plugin manifest declares the auth evidence:

$ grep -n "google-vertex\|gcp-vertex-credentials\|authEvidence\|requiresAllEnv\|fileEnvVar\|credentialMarker" \
  ~/.npm-global/lib/node_modules/openclaw/dist/extensions/google/openclaw.plugin.json
10:    "google-vertex"
27:      "google-vertex": {
59:      "endpointClass": "google-vertex",
66:      "endpointClass": "google-vertex",
81:      "google-vertex": {
89:        "id": "google-vertex",
96:        "authEvidence": [
99:            "fileEnvVar": "GOOGLE_APPLICATION_CREDENTIALS",
108:            "requiresAllEnv": [
111:            "credentialMarker": "gcp-vertex-credentials",

models list reports the provider as configured:

$ openclaw models list | grep vertex
google-vertex/gemini-3.1-pro-preview-cu... text   195k   no   no   configured
google-vertex/gemini-2.5-pro               text   195k   no   no   configured
google-vertex/gemini-3.1-flash-lite-pre... text   195k   no   no   configured

But no profile exists:

$ openclaw models auth list --provider google-vertex
Agent: main
Auth state file: ~/.openclaw/agents/main/agent/auth-state.json
Provider: google-vertex
Profiles: (none)

And the CLI doesn't accept auth login for this provider (consistent with the design intent that env-based auth shouldn't require interactive login):

$ openclaw models auth login --provider google-vertex
Error: Unknown provider "google-vertex". Loaded providers: google, google-gemini-cli.

Direct REST call with the same SA JSON succeeds, ruling out credential, project, or model issues:

gcloud auth activate-service-account --key-file=/path/to/sa.json
TOKEN=$(gcloud auth print-access-token)
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  "https://aiplatform.googleapis.com/v1/projects/<project>/locations/global/publishers/google/models/gemini-2.5-pro:generateContent" \
  -d '{"contents":[{"role":"user","parts":[{"text":"hello"}]}]}'
# 200 OK

google/gemini-2.5-pro (AI Studio path, same project, side-by-side env) works fine — confirming the issue is specific to the google-vertex runtime auth path.

Expected behaviour

Either:

1. The env-evidence path (fileEnvVar + requiresAllEnv satisfied) writes a google-vertex profile entry with apiKey: "gcp-vertex-credentials" automatically when models list first detects the provider as configured, OR
2. The runtime auth resolver consults authEvidence directly when no profile is present, bypassing the profile-required path

Either way, an env-only ADC setup that passes the models list configured check should also pass the runtime auth check. Currently the two checks disagree.

Cross-references

• [Bug]: #47304 — umbrella ADC fix tracked here (closed 2026-04-25 as implemented)
• [Bug]: google-vertex provider ignores ADC credentials — throws 'No API key found' #56253 — closed as duplicate of [Bug]: #47304
• bug: google-vertex plugin not found / stale config entry not resolved on plugin load #54104 — google-vertex plugin loading issues (different cause; in my case the plugin loads correctly)
• [Bug]: google-vertex OAuth/service-account auth works on 2026.4.9, fails on 2026.4.10 with 401 CREDENTIALS_MISSING #64852 — prior regression on related code path (2026.4.9 → 2026.4.10)
• [Bug]: gateway install --force drops GOOGLE_APPLICATION_CREDENTIALS from generated gateway.systemd.env #79578 — adjacent install-time bug filed by me: gateway install --force drops GOOGLE_APPLICATION_CREDENTIALS from generated gateway.systemd.env. Not the cause of this issue (env confirmed in process before testing) but a related foot-gun on the way here.

Workaround

None found. Setting GOOGLE_VERTEX_BASE_URL (per #11413) has no effect. Synthetic auth-profiles.json entries didn't fire. Reverted to AI Studio (google/gemini-2.5-pro) for now, which works fine on the same project with the same env.

Willing to help

Happy to provide additional debug output, run targeted diagnostics, or test patches.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: this is a fresh external report with detailed release evidence that google-vertex ADC is detected by model listing but still fails at runtime, and current source inspection did not produce enough proof for an implemented-on-main, duplicate, or cannot-reproduce close.

Reproducibility: no. not from this review alone. The reporter provides a detailed live 2026.5.7 reproduction, but I did not reproduce it against current main or isolate a single failing source branch with high confidence.

Next step
The report is credible and user-blocking, but current source contains intended env-auth fallbacks, so a maintainer or promoted repair job needs a focused live/source reproduction before a safe fix can be scoped.

Review details

Best possible solution:

Add an end-to-end regression for google-vertex service-account ADC with no auth profile through the gateway runtime path, then make runtime auth consume the same manifest authEvidence result that models list uses or persist the non-secret marker consistently.

Do we have a high-confidence way to reproduce the issue?

No, not from this review alone. The reporter provides a detailed live 2026.5.7 reproduction, but I did not reproduce it against current main or isolate a single failing source branch with high confidence.

Is this the best way to solve the issue?

No. The best fix is not to require an interactive or stored profile for google-vertex ADC, but to align runtime resolution and model-list availability around one shared authEvidence contract with regression coverage.

Acceptance criteria:

• pnpm test src/agents/model-auth.profiles.test.ts extensions/google/transport-stream.test.ts src/commands/models.list.e2e.test.ts
• Add a focused regression that exercises google-vertex service-account ADC through the same runtime auth path used by gateway replies, with no auth-profiles.json entry.

What I checked:

• Reporter provided live release evidence: The issue body includes a 2026.5.7 Ubuntu/systemd reproduction with GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_CLOUD_PROJECT, and GOOGLE_CLOUD_LOCATION present in the gateway process, models list showing google-vertex configured, models auth list --provider google-vertex showing no profiles, and runtime failing with No API key found for provider "google-vertex".
• google-vertex manifest declares ADC authEvidence: The bundled Google plugin declares google-vertex setup authEvidence using GOOGLE_APPLICATION_CREDENTIALS, project env, location env, and the gcp-vertex-credentials marker. (extensions/google/openclaw.plugin.json:592, e8049fec1ccf)
• models list uses authEvidence directly: The model-list auth index builds provider auth availability from provider env candidates and authEvidence, then calls resolveEnvApiKey over those maps, which explains how list/status can report env-backed google-vertex as configured without an auth profile. (src/commands/models/list.auth-index.ts:61, e8049fec1ccf)
• runtime resolver also has env/marker paths but needs end-to-end proof: resolveApiKeyForProvider has env-first and local-marker branches plus a later env fallback, so the remaining failure is likely in a specific runtime/profile/metadata path rather than the manifest declaration alone. (src/agents/model-auth.ts:647, e8049fec1ccf)
• service-account path differs from authorized_user transport path: The Google plugin’s custom Vertex transport is selected only when hasGoogleVertexAuthorizedUserAdcSync() recognizes an authorized_user ADC file; the reporter uses a service-account JSON, so the service-account path needs separate runtime proof. (extensions/google/provider-registration.ts:56, e8049fec1ccf)
• Related prior fix is not enough to close this report: [Bug]: #47304 was closed after marker and pi-ai filtering fixes, but this report explicitly says those layers are present in 2026.5.7 and the marker still does not reach runtime auth.

Likely related people:

• steipete: Recent commits and current blame/API history touch the google-vertex ADC support, auth profile semantics, and model-auth runtime path most relevant to this report. (role: recent maintainer and auth-path owner; confidence: high; commits: 0b59964ec945, 00bd2cf7a376, 2e78fc57af09; files: src/agents/model-auth.ts, extensions/google/vertex-adc.ts, extensions/google/provider-registration.ts)
• vincentkoc: Recent Google provider hook and provider-contract work is adjacent to the google/google-vertex runtime registration surface. (role: adjacent Google provider maintainer; confidence: medium; commits: 356110c52f79, c03f97f95411, 48c4a026dd65; files: extensions/google/provider-registration.ts, src/plugin-sdk/test-helpers/plugin-registration-contract-cases.ts)
• gumadeiras: Recent merged history restored the Gemini/Google provider contract, which is near the bundled google provider registration and hook aliases involved here. (role: Google provider contract contributor; confidence: low; commits: 83f47a4d0a40; files: extensions/google/openclaw.plugin.json, extensions/google/provider-registration.ts)

Remaining risk / open question:

• The exact current-main failing branch is not isolated: source shows intended env-auth fallbacks, while the reporter’s release evidence shows a runtime miss.
• No live GCP service-account replay was run during this read-only review, so service-account ADC behavior remains unproven here.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e8049fec1ccf.

[LooselySupervised]

Tested swapping to authorized_user ADC (gcloud auth application-default login, unset GOOGLE_APPLICATION_CREDENTIALS) per the hypothesis that this is the same as #79837. Same failure: models list configured, models auth list empty, request fails with "No API key found." So the runtime resolver's profile-required path fires before the ADC type check. Distinct from #79837 (which is downstream and also valid).

[LooselySupervised]

Apologies — this turns out to be user error, not a bug. GOOGLE_APPLICATION_CREDENTIALS had a malformed path (/Users/openclaw/... instead of /home/openclaw/...) which I didn't notice. The auth-evidence path was failing on ENOENT during file read, not at the profile-writing layer. With the path corrected, google-vertex works as expected and a profile is written. Closing.
The error message ("No API key found") was misleading — a file-not-found error from the credentials path would have made this much faster to diagnose. Worth a separate, much smaller issue if maintainers want clearer error reporting.

[teknolojay]

Confirming the same behavior on 2026.5.6 (DGX Spark, Ubuntu, systemd user service).

Setup: Service account JSON via GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_CLOUD_PROJECT=lkkff-ai, GOOGLE_CLOUD_LOCATION=us-central1. Vertex AI API enabled, SA has roles/aiplatform.user. Direct curl with bearer token works fine from the same host.

Additional finding: Even after switching from service account to authorized_user ADC credentials (via gcloud auth application-default login), the same failure occurs. The vertex-adc.ts code that handles authorized_user → bearer token refresh (resolveGoogleVertexAuthorizedUserHeaders) is never reached because the auth profile is never written, exactly as described in this issue.

The code path is:

1. isGoogleVertexCredentialsMarker() correctly identifies undefined apiKey as a Vertex ADC trigger
2. hasGoogleVertexAuthorizedUserAdcSync() correctly finds the ADC file
3. createStreamFn checks model.api === "google-vertex" — but model.api is never set because normalizeTransport passes through undefined when no explicit api field is in config, and the config schema does not accept "google-vertex" as a valid api enum value
4. Falls through to the default OpenAI-compatible transport, which hits /chat/completions on the Vertex AI endpoint → 404

Workaround found: Renamed provider to vertex-ai (avoids the gcp-vertex-credentials marker interception), pointed baseUrl at Vertex AI's OpenAI-compatible endpoint (/v1beta1/projects/{project}/locations/{region}/endpoints/openapi), and inject a refreshed bearer token via cron. Functional but fragile.

Two separate issues appear to compound here:

1. Auth profile never written (as reported above)
2. Even if auth resolved, model.api never gets set to "google-vertex", so the Vertex transport stream function in createStreamFn is never selected