[Bug]: `google-vertex` provider returns 404 from Google when models are accessed via `openclaw agent`, but direct curl with same URL + ADC token works

[devinallen-07]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

openclaw agent calls to google-vertex/* models fail with FailoverError: 404 even though the same URL + ADC token return HTTP 200 via curl, and patched debug logs in the google-vertex transport never trigger — indicating the request is being routed through an unexpected code path.

Steps to reproduce

Here's a clean copy-paste version for the GitHub issue:

---

Steps to Reproduce

Environment: OpenClaw 2026.5.18, macOS, GCP project with aiplatform.googleapis.com API enabled, ADC configured (gcloud auth application-default login).

1. Configure google-vertex provider in openclaw.json:

cat > /tmp/gv.json5 << 'EOF'
{
  "models": {
    "providers": {
      "google-vertex": {
        "baseUrl": "https://aiplatform.googleapis.com",
        "apiKey": "***",
        "models": [
          {
            "id": "gemini-2.5-flash",
            "name": "Gemini 2.5 Flash",
            "reasoning": true,
            "input": ["text", "image"],
            "cost": { "input": 0.30, "output": 2.50, "cacheRead": 0.03, "cacheWrite": 0.30 },
            "contextWindow": 1048576,
            "maxTokens": 65536
          }
        ]
      }
    }
  },
  "agents": {
    "defaults": {
      "models": { "google-vertex/gemini-2.5-flash": {} }
    }
  },
  "env": {
    "vars": {
      "GOOGLE_CLOUD_PROJECT": "<your-gcp-project>",
      "GOOGLE_CLOUD_LOCATION": "global"
    }
  }
}
EOF
openclaw config patch --file /tmp/gv.json5 --replace-path "models.providers.google-vertex"
openclaw gateway restart

2. Verify model is registered:

openclaw models list | grep gemini-2.5-flash
# google-vertex/gemini-2.5-flash    text+image  1024k  no  yes  configured

3. Call the model:

openclaw agent --agent main --model google-vertex/gemini-2.5-flash --message "hi"

Actual result:

GatewayClientRequestError: FailoverError: 404 <!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <title>Error 404 (Not Found)!!1</title>

Expected result: Model response (similar to anthropic-vertex/* models which work correctly with the same ADC).

4. Confirm the URL itself works via direct curl (with the same ADC token):

TOKEN=*** auth application-default print-access-token)
curl -s -o /dev/null -w "HTTP %{http_code}\n" \
  "https://aiplatform.googleapis.com/v1/projects/<your-project>/locations/global/publishers/google/models/gemini-2.5-flash:streamGenerateContent?alt=sse" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"contents":[{"role":"user","parts":[{"text":"hi"}]}]}'
# HTTP 200

This is the same URL OpenClaw's buildGoogleVertexRequestUrl() in dist/transport-stream-BGlgI5ge.js should construct. So the URL/auth/payload work — but the request from openclaw agent produces a 404 with HTML body (Google's default not-found page), suggesting the actual outgoing request goes to a different URL than expected.

Additional debug: Adding console.log statements at the entry of createGoogleTransportStreamFn (transport-stream.js) and inside createStreamFn (provider-registration.js, the Google plugin) — neither log line is reached when calling a google-vertex/* model. This suggests the request is being routed through a different code path entirely.

Expected behavior

openclaw agent --agent main --model google-vertex/gemini-2.5-flash --message "hi" should return the model's text response and route through createGoogleVertexTransportStreamFn in dist/transport-stream-BGlgI5ge.js — matching the behavior of anthropic-vertex/claude-opus-4-7 calls, which succeed against https://aiplatform.us.rep.googleapis.com using the same ADC credentials in this OpenClaw 2026.5.18 install.

Actual behavior

Calls to any google-vertex/* model immediately return GatewayClientRequestError: FailoverError: 404 <!DOCTYPE html>... <title>Error 404 (Not Found)!!1</title> (Google's default not-found HTML page), while identical requests to anthropic-vertex/* models succeed and the same target URL (https://aiplatform.googleapis.com/v1/projects/<id>/locations/global/publishers/google/models/gemini-2.5-flash:streamGenerateContent?alt=sse) returns HTTP 200 when called directly via curl with the gateway's ADC token; additionally, console.log statements added at the entry of createGoogleTransportStreamFn (dist/transport-stream-BGlgI5ge.js) and inside the Google plugin's createStreamFn (dist/provider-registration-DWpi0i_i.js) never appear in the gateway log when a google-vertex/* model is invoked, indicating the request never reaches the expected transport function.

OpenClaw version

OpenClaw 2026.5.18

Operating system

macOS 26.3.1

Install method

npm global

Model

google-vertex/gemini-2.5-flash (also reproduced with google-vertex/gemini-3.5-flash, google-vertex/gemini-3.1-pro-preview, google-vertex/gemini-2.5-pro, and google-vertex/gemini-2.5-flash-lite — all return the same 404).

Provider / routing chain

Direct: OpenClaw gateway → google plugin (dist/extensions/google/index.js) → google-vertex transport (expected: createGoogleVertexTransportStreamFn in dist/transport-stream-BGlgI5ge.js) → Vertex AI endpoint https://aiplatform.googleapis.com/v1/projects/<id>/locations/global/publishers/google/models/<model>:streamGenerateContent?alt=sse, with auth via ADC (gcp-vertex-credentials marker → resolveGoogleVertexAuthorizedUserHeaders minting a Bearer token from ~/.config/gcloud/application_default_credentials.json). No external proxies, gateways, or routers; the gateway is bound to loopback (ws://127.0.0.1:18789).

Additional provider/model setup details

• Same ADC works for anthropic-vertex (Claude Opus 4.7/4.6, Sonnet 4.6, Haiku 4.5 all succeed via the @openclaw/anthropic-vertex-provider plugin at ~/.openclaw/npm/node_modules/@openclaw/anthropic-vertex-provider), so credentials and ADC discovery are healthy.

• google provider with API key works for the same Gemini model IDs (google/gemini-2.5-flash, google/gemini-3.5-flash, etc.) using GEMINI_API_KEY from macOS Keychain — confirming the models themselves are reachable from this machine and project.

• Schema enforces models.providers.google-vertex.baseUrl as required, even though the plugin's providerEndpoints config in dist/extensions/google/openclaw.plugin.json defines host-based detection for both aiplatform.googleapis.com (with googleVertexRegion: global) and *-aiplatform.googleapis.com (with googleVertexRegionHostSuffix).

• Tried both endpoint patterns, all failed identically:

  • Regional: baseUrl=https://us-central1-aiplatform.googleapis.com + GOOGLE_CLOUD_LOCATION=us-central1
  • Global: baseUrl=https://aiplatform.googleapis.com + GOOGLE_CLOUD_LOCATION=global

• env.vars in openclaw.json does not propagate to gateway process.env — confirmed via ps eww on the gateway PID showing GOOGLE_CLOUD_PROJECT / GOOGLE_CLOUD_LOCATION absent until I added them to the LaunchAgent's service-env wrapper file. This may be relevant since resolveGoogleVertexProject() reads from process.env directly.

• Plugin registration confirmed: openclaw plugins list shows google plugin enabled (stock bundle dist/extensions/google/index.js, v2026.5.18), and openclaw models list shows all google-vertex/* entries with Auth: yes and configured tag.

• openclaw config validate passes for the offending config.

• Plist StandardErrorPath is /dev/null — debug console.error is dropped, so debug logs were added as console.log (which does reach ~/Library/Logs/openclaw/gateway.log) and still never fired for google-vertex/* calls.

Logs, screenshots, and evidence

**Gateway log — the actual 404 error** (`~/Library/Logs/openclaw/gateway.log`):

2026-05-20T15:40:10.374-06:00 [ws] ⇄ res ✗ agent errorCode=UNAVAILABLE 
  errorMessage=FailoverError: 404 <!DOCTYPE html>
  <html lang=en>
    <meta charset=utf-8>
    <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
    <title>Error 404 (Not Found)!!1</title>
    <style>
      *{margin:0;padding:0}html...
  runId=f9d34afc-89c2-4cee-ab89-4ff246f110a1


**Side-by-side: same URL via curl returns 200, via OpenClaw returns 404:**

$ TOKEN=*** auth application-default print-access-token)
$ for url in \
    "https://aiplatform.googleapis.com/v1/projects/<REDACTED>/locations/us-central1/publishers/google/models/gemini-2.5-flash:streamGenerateContent?alt=sse" \
    "https://aiplatform.googleapis.com/v1/projects/<REDACTED>/locations/global/publishers/google/models/gemini-2.5-flash:streamGenerateContent?alt=sse" \
    "https://us-central1-aiplatform.googleapis.com/v1/projects/<REDACTED>/locations/us-central1/publishers/google/models/gemini-2.5-flash:streamGenerateContent?alt=sse"; do
    curl -s -o /dev/null -w "HTTP %{http_code}  $url\n" "$url" \
      -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
      -d '{"contents":[{"role":"user","parts":[{"text":"hi"}]}]}'
  done

HTTP 200  https://aiplatform.googleapis.com/v1/projects/<REDACTED>/locations/us-central1/publishers/google/models/gemini-2.5-flash:streamGenerateContent?alt=sse
HTTP 200  https://aiplatform.googleapis.com/v1/projects/<REDACTED>/locations/global/publishers/google/models/gemini-2.5-flash:streamGenerateContent?alt=sse
HTTP 200  https://us-central1-aiplatform.googleapis.com/v1/projects/<REDACTED>/locations/us-central1/publishers/google/models/gemini-2.5-flash:streamGenerateContent?alt=sse

$ openclaw agent --agent main --model google-vertex/gemini-2.5-flash --message "hi" 2>&1 | tail -3
GatewayClientRequestError: FailoverError: 404 <!DOCTYPE html>
<html lang=en>
  <title>Error 404 (Not Found)!!1</title>


**`openclaw models list` — proving the model is configured and "Auth: yes":**

Model                                      Input      Ctx         Local Auth  Tags
anthropic-vertex/claude-opus-4-7           text+image 977k        no    yes   default,configured
anthropic-vertex/claude-haiku-4-5@20251001 text+image 195k        no    yes   configured
google-vertex/gemini-2.5-pro               text+image 1024k       no    yes   configured
google-vertex/gemini-2.5-flash             text+image 1024k       no    yes   configured
google-vertex/gemini-3.5-flash             text+image 1024k       no    yes   configured
google-vertex/gemini-3.1-pro-preview       text+image 1024k       no    yes   configured
google/gemini-2.5-flash                    text+image 1024k       no    yes   configured

(`anthropic-vertex/*` and `google/*` work; `google-vertex/*` 404s.)

**Debug patches that never triggered** — added to `/opt/homebrew/lib/node_modules/openclaw/dist/`:

// transport-stream-BGlgI5ge.js, entry of createGoogleTransportStreamFn:
console.log("[DEBUG-TRANSPORT-CALLED]", kind, "model.id=", rawModel?.id,
            "model.api=", rawModel?.api, "model.provider=", rawModel?.provider);

// provider-registration-DWpi0i_i.js, top of createStreamFn:
console.log("[DEBUG-CREATESTREAMFN]", "model.id=", model?.id, "model.api=", model?.api,
            "model.provider=", model?.provider, "hasADC=", hasGoogleVertexAuthorizedUserAdcSync());

Neither line ever appears in `~/Library/Logs/openclaw/gateway.log` after restart and multiple `google-vertex/*` calls. The same calls **do** produce the 404 errors logged above, so the gateway is making *some* outbound request — just not via this code path.

**Versions:**

$ openclaw --version
OpenClaw 2026.5.18 (50a2481)

$ node --version
v26.0.0

$ sw_vers
ProductName:    macOS
ProductVersion: 26.3.1
BuildVersion:   arm64

$ openclaw plugins list | grep google
@openclaw/google  google  openclaw  enabled  stock:google/index.js  2026.5.18


**Workaround in use:** `google` provider with `GEMINI_API_KEY` (works fine). The `google-vertex` config is left in place for when this is fixed.

Full investigation notes (with all debug steps) available at `~/.openclaw/workspace/issues/openclaw-google-vertex-404.md` — happy to attach or share if useful.

Impact and severity

• Affected users/systems/channels: Any OpenClaw user trying to access Google Gemini models via the google-vertex provider (ADC/Vertex AI billing path). The google provider (API key / AI Studio billing) and anthropic-vertex provider are unaffected.
• Severity: Blocks the Vertex AI routing workflow entirely for Gemini. Workaround exists (use google provider with GEMINI_API_KEY), so not a hard block — but it forces a billing-surface choice users may not want (AI Studio billing vs. unified GCP billing).
• Frequency: Always reproducible. Every openclaw agent call against any google-vertex/* model fails with the same 404 in this install.
• Consequence: (1) Cannot route Gemini calls through Vertex AI for unified GCP billing/quota/audit alongside Anthropic on Vertex. (2) Cost-tracking and quota dashboards in GCP miss the Gemini portion of agent traffic. (3) Engineering time lost debugging (in this case ~6 hours across multiple gateway restarts before identifying the workaround). (4) Forces dual-billing setup (GCP for Anthropic-Vertex, Google AI Studio for Gemini API key) which complicates expense management for orgs that prefer single-vendor billing.

Additional information

NOT_ENOUGH_INFO

(We don't have a known-good version for google-vertex on this install — it's been broken since we first configured it today. No prior baseline exists to identify when it regressed, if ever.)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: the report is detailed and current main still has a credible source-level routing gap where google-vertex can be advertised/configured while the agent model-resolution path does not consistently preserve a google-vertex transport API into the Google Vertex stream function.

Reproducibility: yes. at source level: current main advertises google-vertex, but the model-resolution and transport-aware paths do not consistently keep google-vertex as a supported transport API, while the Google plugin only invokes the Vertex stream when model.api is exactly google-vertex. I did not perform the live GCP call.

Next step
This is a narrow provider-routing bug with clear likely files and focused regression tests, so it is a good repair-lane candidate if a maintainer promotes it.

Review details

Best possible solution:

Preserve or derive the google-vertex transport identity through model resolution and register the Vertex stream path for configured Vertex models, with regression coverage proving the generated Vertex URL and auth path.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: current main advertises google-vertex, but the model-resolution and transport-aware paths do not consistently keep google-vertex as a supported transport API, while the Google plugin only invokes the Vertex stream when model.api is exactly google-vertex. I did not perform the live GCP call.

Is this the best way to solve the issue?

Yes, the narrow maintainable fix is to keep the existing Google plugin ownership and make the resolved model/transport path carry google-vertex into createGoogleVertexTransportStreamFn, rather than adding a new provider or workaround path.

Label changes:

• add P2: The issue appears to break a documented provider path for affected Google Vertex users, but the blast radius is limited to that provider route.
• add impact:auth-provider: The failure is in provider routing/auth transport selection for google-vertex models.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P2: The issue appears to break a documented provider path for affected Google Vertex users, but the blast radius is limited to that provider route.
• impact:auth-provider: The failure is in provider routing/auth transport selection for google-vertex models.

Acceptance criteria:

• node scripts/run-vitest.mjs extensions/google/transport-stream.test.ts extensions/google/provider-models.test.ts src/agents/provider-transport-stream.test.ts src/agents/pi-embedded-runner/model.test.ts
• node scripts/run-vitest.mjs src/agents/models-config.providers.google-antigravity.test.ts src/agents/model-selection.test.ts
• If Google Vertex credentials are available in a safe test environment, run a live smoke equivalent to openclaw agent --agent main --model google-vertex/gemini-2.5-flash --message "hi" with redacted project/log evidence.

What I checked:

• Current source: Vertex stream hook exists but requires model.api to survive as google-vertex: The bundled Google provider only returns createGoogleVertexTransportStreamFn() when the resolved runtime model has model.api === "google-vertex" and ADC is detected; otherwise it returns no Vertex stream function. (extensions/google/provider-registration.ts:56, 46030f548986)
• Current source: inline model API normalization drops google-vertex: normalizeResolvedTransportApi accepts google-generative-ai but not google-vertex, so a configured Vertex transport API cannot be normalized through this path. (src/agents/pi-embedded-runner/model.inline-provider.ts:35, 46030f548986)
• Current source: configured baseUrl fallback becomes OpenAI-compatible: When no explicit supported API is resolved, a provider config with baseUrl falls back to openai-completions, which is consistent with an OpenAI-compatible request being sent to a Vertex hostname instead of the Vertex streamGenerateContent URL. (src/agents/pi-embedded-runner/model.ts:345, 46030f548986)
• Current source: transport-aware helper supports Google Gemini API but not Vertex: SUPPORTED_TRANSPORT_APIS and SIMPLE_TRANSPORT_API_ALIAS include google-generative-ai only, so the helper that registers provider-owned transport streams has no google-vertex alias path. (src/agents/provider-transport-stream.ts:14, 46030f548986)
• Documented behavior: Google Vertex is an advertised provider: The docs list google-vertex as a bundled Google provider and say Vertex uses gcloud ADC, so a configured google-vertex agent model is an expected product surface rather than a new feature request. Public docs: docs/concepts/model-providers.md. (docs/concepts/model-providers.md:217, 46030f548986)
• Manifest contract: Vertex endpoints are classified before runtime loads: The Google plugin manifest maps aiplatform.googleapis.com and *-aiplatform.googleapis.com to the google-vertex endpoint class with region metadata. (extensions/google/openclaw.plugin.json:557, 46030f548986)

Likely related people:

• Dallin Romney: Current blame for the Google provider stream hook, provider transport helper, and model API normalization paths points to 9a6744baba6e7f534b19f8d6cf7a5842248f27ce, a recent plugin-discovery refactor touching the central files for this routing path. (role: recent area contributor; confidence: medium; commits: 9a6744baba6e; files: extensions/google/provider-registration.ts, src/agents/provider-transport-stream.ts, src/agents/pi-embedded-runner/model.inline-provider.ts)

Remaining risk / open question:

• I did not run a live Vertex call because this read-only review does not have the reporter's GCP project and ADC setup; the source path and reporter logs are strong enough to keep the issue open.
• The issue also mentions gateway environment propagation for GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_LOCATION; that may need validation, but the routing/API preservation gap should be fixed first.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 46030f548986.

[steipete]

Fixed the Vertex routing side of this in PR #88946 with commit c1b1fd6.

What changed:

• google-vertex provider configs that point at native Vertex hosts (aiplatform.googleapis.com or regional *-aiplatform.googleapis.com) now resolve to the canonical google-vertex transport instead of falling back to OpenAI-compatible chat completions.
• The Google provider stream hook now routes Vertex-hosted Gemini models through the native Vertex streamGenerateContent transport.
• Explicit OpenAI-compatible Vertex endpoint configs such as /endpoints/openapi with api: "openai-completions" remain on the OpenAI-compatible path.

Proof run on the PR branch:

• node scripts/run-vitest.mjs extensions/google/api.test.ts extensions/google/provider-registration.test.ts extensions/google/index.test.ts src/agents/embedded-agent-runner/model.test.ts
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.extensions.json extensions/google/api.ts extensions/google/provider-policy.ts extensions/google/provider-registration.ts extensions/google/api.test.ts extensions/google/provider-registration.test.ts extensions/google/index.test.ts
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/agents/embedded-agent-runner/model.provider-runtime.test-support.ts src/agents/embedded-agent-runner/model.test.ts
• node scripts/run-tsgo.mjs -p tsconfig.extensions.json --incremental false
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental false
• git diff --check

Leaving this open until PR #88946 lands so GitHub can close it from the merge commit.

[bader-28]

Peter, Thanks for the quick turn on this — and for preserving the explicit openai-completions path on /endpoints/openapi. Clean fix. We've been running both gateways on a local routing patch since 2026-05-24 to keep google-vertex/gemini-3.1-pro-preview live in production. PR #88946 lets us retire that patch. One question: which tagged release carries c1b1fd6? Want to upgrade off a tag rather than main if there's a cut in flight. Happy to validate the fix against our prod (peregrine-ws-int, SA-impersonated ADC, regional europe-west1-aiplatform.googleapis.com) once we cut over and report back here. — Bader

…

On Tue, Jun 2, 2026 at 6:04 AM Peter Steinberger ***@***.***> wrote: Closed #84804 <#84804> as completed via #88946 <#88946>. — Reply to this email directly, view it on GitHub <#84804?email_source=notifications&email_token=AUCJOBHFMIH5XKNUAZ3SEIL45Y7Z7A5CNFSNUABQM5UWIORPF5TWS5BNNB2WEL2JONZXKZKFOZSW45CON52GSZTJMNQXI2LPNYXTENRSGE3DKMRSGQ2TTJTSMVQXG33OU5RW63LNMVXHJJLFOZSW45FMMZXW65DFOJPWG3DJMNVQ#event-26216522459>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AUCJOBGMMUTH5FG2GC5FDAD45Y7Z7AVCNFSM6AAAAACZHBK26CVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMRWGIYTMNJSGI2DKOI> . Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS <https://github.com/notifications/mobile/ios/AUCJOBCDO4K2AC5O6KNMJXD45Y7Z7A5CNFSNUABQM5UWIORPF5TWS5BNNB2WEL2JONZXKZKFOZSW45CON52GSZTJMNQXI2LPNYXTENRSGE3DKMRSGQ2TTJTSMVQXG33OU5RW63LNMVXHJJLFOZSW45FKMZXW65DFOJPWS33T> and Android <https://github.com/notifications/mobile/android/AUCJOBBBHFL3J5BPCGIZWR345Y7Z7A5CNFSNUABQM5UWIORPF5TWS5BNNB2WEL2JONZXKZKFOZSW45CON52GSZTJMNQXI2LPNYXTENRSGE3DKMRSGQ2TTJTSMVQXG33OU5RW63LNMVXHJJLFOZSW45FOMZXW65DFOJPWC3TEOJXWSZA>. Download it today! You are receiving this because you commented.Message ID: ***@***.***>