Feat/google genai sdk as common provider across Google AI Studio and Google Cloud

[zeroasterisk]

Summary

This PR integrates the new unified @google/genai SDK into OpenClaw, enabling support for both Google AI Studio (Gemini API) and Vertex AI (Google Cloud) via a single provider (google-genai).

• Problem: Google AI Studio API_KEY and Google Cloud Vertex AI are confusing to users, and hard to configure - non-API_KEY auth needs to be standardized in several spots in the codebase.
• Why it matters: IAM or ADC auth is more secure than API_KEYs and may help users get access.
• What changed: Similar to the AWS SDK provider, we added a Google Gen AI SDK which is unified across endpoints and maintained by Google.
• What did NOT change (scope boundary): We did not yet deprecate or migrate other providers, but that's a reasonable next step.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Related google-vertex ADC broken: '<authenticated>' marker passed as apiKey to @google/genai SDK #48033, google-vertex ADC auth broken: "<authenticated>" sentinel passed as literal API key → 401 #49191, google-vertex provider authentication fails when running through proxychains #52648, Vertex AI ADC OAuth Authentication Fails with 401 Error #62212 (Resolves/improves Vertex AI ADC authentication issues by providing a working SDK integration).

Regression Test Plan (if applicable)

For bug fixes or regressions, name the smallest reliable test coverage that should catch this. Otherwise write N/A.

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/google-genai.live.test.ts
• Scenario the test should lock in: Successful streaming and authentication for both API Key and Vertex AI (ADC) paths.
• Why this is the smallest reliable guardrail: It exercises the actual SDK network calls and authentication resolution against live Google endpoints.
• Existing test that already covers this (if any): None (this is a new provider integration).
• If no new test is added, why not: N/A

User-visible / Behavior Changes

List user-visible changes (including defaults/config).
If none, write None.

• Added a new provider google-genai that can be used in openclaw.json.
• Added support for google-genai-sdk authentication mode.
• Defaulted Vertex AI location to "global" to better support modern model aliases (like gemini-flash-latest).

Diagram (if applicable)

For UI changes or non-trivial logic flows, include a small ASCII diagram reviewers can scan quickly. Otherwise write N/A.

Before (Vertex AI):
[User Config] -> [Legacy Auth Resolution] -> [Failures on ADC/IAM paths]

After (google-genai):
[User Config] -> [google-genai-sdk Auth] -> [Checks API Key -> Falls back to ADC (global default)] -> [Success]

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (Yes)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:
  • Risk: New network calls to Google GenAI endpoints.
  • Mitigation: The calls use standard official Google SDKs and follow secure Application Default Credentials (ADC) patterns, which are preferred over static API keys.

Repro + Verification

Environment

• OS: Linux
• Runtime/container: Node.js (ESM)
• Model/provider: gemini-flash-latest via google-genai
• Integration/channel (if any): N/A
• Relevant config (redacted): Set GEMINI_LIVE_TEST=1, GEMINI_API_KEY or GOOGLE_APPLICATION_CREDENTIALS.

Steps

1. Configure environment with either an API Key or a Service Account JSON file.
2. Run the live test: pnpm exec vitest run src/agents/google-genai.live.test.ts

Expected

• Both tests (API Key and Vertex AI) pass and stream content successfully.

Actual

• Both tests passed successfully after applying a workaround for a known gaxios bug in Node ESM.

Evidence

Attach at least one:

• Failing test/log before + passing after (The Vertex AI test originally failed with a gaxios dynamic import error before the polyfill fix).
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: Live streaming via API Key and live streaming via Vertex AI using a Service Account JSON key.
• Edge cases checked: Verified that omitting the location defaults to global and successfully resolves the gemini-flash-latest alias on Vertex AI.
• What you did not verify: Did not verify gcloud auth application-default login directly due to environment constraints on the test machine, but verified the identical ADC resolution path via a service account file.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (Yes - adds new config options for the new provider).
• Migration needed? (No)
• If yes, exact upgrade steps: N/A

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: The underlying gaxios library has a bug in Node ESM environments where it fails to dynamically import node-fetch when checking for window.fetch.
  • Mitigation: We added documentation in docs/google-genai-auth.md explaining the workaround (global.window = globalThis) and applied it in the test file.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9c0b825675

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[greptile-apps]

Greptile Summary

This PR integrates the @google/genai unified SDK as a new google-genai provider, supporting both Google AI Studio (API key) and Vertex AI (ADC) through a single auth mode (google-genai-sdk). The auth layer, schema, and stream routing follow the existing AWS SDK pattern cleanly.

• P1 (stream-resolution gap): google-genai-stream.ts only reads project/location from environment variables, but the error message at line 43 tells users to set models.providers.google-genai.vertexai.project in openclaw.json — a config path that the stream function never reads. The vertexai schema/type fields are effectively dead config until the stream function is updated to consume them.

Confidence Score: 3/5

Safe to merge for API-key users; the Vertex AI config path (vertexai.project/location in openclaw.json) is broken — the error message guides users to set it but the stream function ignores it.

One P1 finding: the error message in google-genai-stream.ts references a config option (vertexai.project) that the code never reads, making the Vertex AI config path dysfunctional for users who follow the documented advice. Remaining findings are P2 style/cleanup.

src/agents/google-genai-stream.ts — the vertexai config block needs to be plumbed through to this function or the error message must be corrected to env-only guidance.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/agents/google-genai-stream.ts
Line: 43

Comment:
**`vertexai` config fields are silently ignored**

The error message tells users to set `models.providers.google-genai.vertexai.project` in `openclaw.json`, but the stream function never reads from that path — it only reads `GOOGLE_CLOUD_PROJECT` and `GOOGLE_CLOUD_LOCATION` from `env`. The `vertexai` block is defined in the Zod schema and `ModelProviderConfig` type but is never injected into this function, so any user who follows this advice will get no effect.

Either pass the resolved `vertexai` config down to this function (e.g., add `vertexai?: { project?: string; location?: string }` to the `model` parameter) and read from it with `env` fallback, or remove the misleading config reference from the error message.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/agents/google-genai-stream.ts
Line: 126

Comment:
**Use subsystem logger instead of `console.error`**

Other stream/transport handlers in this codebase use `createSubsystemLogger` for error reporting. Raw `console.error` bypasses structured logging, log-level filtering, and subsystem tagging.

(Import `createSubsystemLogger` from `"../logging/subsystem.js"` and replace the `console.error` call.)

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/agents/google-genai.live.test.ts
Line: 1-2

Comment:
**Global side-effect at module load time has no cleanup**

`(global as any).window = globalThis` runs unconditionally when this file is imported — even when `GEMINI_LIVE_TEST` is unset and every `describeLive` block is skipped. The CLAUDE.md guidelines require tests to clean up globals so `--isolate=false` stays green. Scope this inside a `beforeAll`/`afterAll` pair and restore the original value with `delete (global as any).window` in `afterAll`.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "docs: Add 404 troubleshooting to auth gu..." | Re-trigger Greptile}

[zeroasterisk]

Tip

Next Step: Migration Path for Legacy Provider

I have also prepared a follow-up branch feat/google-genai-migration (on my fork) that implements a runtime fallback. If a user still has google-generative-ai configured, it will route through to this new SDK implementation but emit a visible deprecation warning encouraging them to update their openclaw.json.

This ensures zero breakage for existing users while guiding them to the new unified SDK. Let me know if you'd like me to open a follow-up PR with those changes after this one lands!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b7f00e4e23

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Pass tool definitions to Google GenAI requests

In createGoogleGenAiStreamFnForModel, the generateContentStream payload is built from context.messages but never includes context.tools, so models on this provider cannot emit function calls for agent tools. This breaks tool-dependent runs (e.g., web/file/tool workflows) because the model is never told which functions are available, unlike the existing Google transport path that serializes tool declarations.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Guard new keyless auth mode in all runtime callers

resolveApiKeyForProvider now returns google-genai-sdk with no apiKey, but only the embedded-runner auth checks were updated to allow that. I checked src/agents/btw.ts and it still only exempts aws-sdk before calling requireApiKey, so /btw runs using models.providers.<id>.auth: "google-genai-sdk" will fail immediately with a missing API key error.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b13b8264b1

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Forward generation controls to Google GenAI stream

createGoogleGenAiStreamFnForModel builds generateContentStream params with only systemInstruction and omits SimpleStreamOptions controls like maxTokens, temperature, and request cancellation. As a result, callers that set token limits or sampling settings get provider-default behavior instead, which can produce overlong/unexpected responses and higher token spend compared with other transports using the same run options.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Derive stop reason from Google stream finish metadata

The streaming loop consumes only chunk.text and never maps the model's finish reason, so output.stopReason remains the default "stop" for all non-error completions. When the provider ends on max-token or safety-related finish conditions, downstream logic will misclassify the result as a normal stop and may skip expected retry/handling paths.

Useful? React with 👍 / 👎.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Adds a core google-genai provider and google-genai-sdk auth mode with direct @google/genai streaming, Vertex project/location config, docs, and live-test coverage for API-key and ADC paths.

Reproducibility: yes. for the review findings: source inspection of the PR head and current main shows stale imports, duplicate core provider routing, a direct SDK stream path, dropped request controls, and partial keyless auth plumbing. No high-confidence live reproduction exists for the claimed fix because no inspectable proof artifact is attached.

PR rating
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Summary: Missing real behavior proof plus current-main compatibility, provider-boundary, and auth correctness blockers make the PR not quality-ready yet.

Rank-up moves:

• Add redacted live proof for API-key and Vertex ADC streaming from the latest PR head.
• Rebase onto current main and update the Pi package imports.
• Align the implementation with the chosen Google plugin/native Vertex direction before further repair.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs real behavior proof before merge: Missing: the PR body claims live API-key and Vertex ADC streaming, but no inspectable redacted terminal output, logs, screenshot, recording, copied live output, or linked artifact is attached; the contributor should add proof with private details redacted and update the PR body to trigger re-review.

Risk before merge

• Merging the branch as-is can fail against current main because the new files import the old @mariozechner Pi packages while current main uses @earendil-works.
• The new google-genai core provider duplicates Google AI Studio and Vertex behavior already owned by the bundled Google plugin, creating competing provider/config/auth surfaces.
• The direct GoogleGenAI SDK stream path can bypass OpenClaw's guarded provider transport semantics for proxy/TLS policy, capture, timeout, cancellation, payload hooks, and diagnostics.
• The google-genai-sdk keyless auth mode is only partially threaded through runtime callers, so paths like /btw can still reject it before reaching the provider stream.
• The claimed live API-key and Vertex ADC verification is not backed by inspectable redacted terminal output, logs, screenshots, recordings, or linked artifacts.

Maintainer options:

1. Pause for provider-direction decision (recommended)
   Decide whether OpenClaw wants the existing plugin/native Google Vertex path or a new core google-genai provider before spending more repair work on this branch.
2. Rework through the guarded Google plugin transport
   If this direction continues, move the useful auth/config pieces into the Google plugin transport path so provider behavior keeps the existing request boundary and payload contract.
3. Accept a separate provider only with upgrade proof
   Maintainers could intentionally accept the new provider surface, but it needs current-main rebase, full runtime auth threading, compatibility proof, and real API-key plus ADC behavior proof first.

Next step before merge
The remaining action is maintainer provider/auth direction plus contributor real behavior proof, not a safe automated repair lane.

Security
Needs attention: The patch introduces a direct Google SDK request path and a new keyless auth mode, so provider transport and auth boundaries need attention before merge.

Review findings

• [P1] Use the current Pi package scope — src/agents/google-genai-stream.ts:2-3
• [P1] Keep Google routing in the plugin transport — src/agents/pi-embedded-runner/stream-resolution.ts:121-122
• [P2] Keep Google requests on guarded transport — src/agents/google-genai-stream.ts:40-50

Review details

Best possible solution:

Keep Google AI Studio and Vertex behavior in the plugin-owned guarded Google transport unless maintainers explicitly approve a new provider surface, then require the chosen path to preserve auth, config, tools/options, cancellation, diagnostics, and redacted live proof.

Do we have a high-confidence way to reproduce the issue?

Yes for the review findings: source inspection of the PR head and current main shows stale imports, duplicate core provider routing, a direct SDK stream path, dropped request controls, and partial keyless auth plumbing. No high-confidence live reproduction exists for the claimed fix because no inspectable proof artifact is attached.

Is this the best way to solve the issue?

No. A parallel core direct-SDK provider is not the narrowest maintainable solution while current main keeps Google behavior in the bundled Google plugin's guarded transport path and newer Vertex PRs are already scoped to native ADC improvements.

Label justifications:

• P2: This is a normal-priority provider/auth feature with limited blast radius to Google model users but real merge blockers.
• merge-risk: 🚨 compatibility: The branch is conflict-marked and imports Pi package names that current main no longer declares.
• merge-risk: 🚨 auth-provider: The PR adds a new keyless Google auth mode and Vertex ADC route that are not fully threaded through all runtime callers.
• merge-risk: 🚨 security-boundary: The direct SDK request path may bypass OpenClaw's guarded provider transport controls for network policy and diagnostics.
• rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🧂 unranked krab, patch quality is 🧂 unranked krab, and Missing real behavior proof plus current-main compatibility, provider-boundary, and auth correctness blockers make the PR not quality-ready yet.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Missing: the PR body claims live API-key and Vertex ADC streaming, but no inspectable redacted terminal output, logs, screenshot, recording, copied live output, or linked artifact is attached; the contributor should add proof with private details redacted and update the PR body to trigger re-review.

Full review comments:

• [P1] Use the current Pi package scope — src/agents/google-genai-stream.ts:2-3
  Current main depends on @earendil-works/pi-agent-core and @earendil-works/pi-ai, but this new stream imports the old @mariozechner packages. A rebase or merge onto current main will fail module resolution until these imports are updated.
  Confidence: 0.95
• [P1] Keep Google routing in the plugin transport — src/agents/pi-embedded-runner/stream-resolution.ts:121-122
  This adds a new core google-genai stream branch even though current main already routes Google AI Studio and Vertex behavior through the bundled Google plugin. A second provider path creates competing auth/config semantics and bypasses the plugin-owned Google transport source of truth.
  Confidence: 0.9
• [P2] Keep Google requests on guarded transport — src/agents/google-genai-stream.ts:40-50
  Constructing GoogleGenAI directly sends model traffic through the SDK's internal request path instead of OpenClaw's guarded model fetch, so proxy/TLS policy, capture, timeout, cancellation, and transport diagnostics may not apply.
  Confidence: 0.9
• [P2] Forward tools and run controls — src/agents/google-genai-stream.ts:96-100
  The generateContentStream call only sends model, contents, and optional system instruction, so tool declarations, tool choice, max tokens, temperature, cached content, payload hooks, finish-reason mapping, and cancellation do not match other provider transports.
  Confidence: 0.91
• [P2] Thread keyless auth through every caller — src/agents/model-auth.ts:422-423
  This branch can return google-genai-sdk without an API key, but only some embedded-runner checks are relaxed. Other runtime callers such as /btw still only exempt aws-sdk, so this mode can fail before reaching the provider stream.
  Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.92

Security concerns:

• [medium] Direct SDK requests bypass guarded transport — src/agents/google-genai-stream.ts:40
new GoogleGenAI(...) and ai.models.generateContentStream(...) use the SDK request path instead of OpenClaw's guarded provider transport, so proxy, TLS, request-policy, capture, timeout, cancellation, and diagnostics may not apply to Google traffic.
  Confidence: 0.9

What I checked:

• live-pr-state: Live GitHub metadata shows the PR is open at head b13b826, has mergeable=CONFLICTING, and the body claims live API-key/Vertex ADC runs without an attached inspectable artifact. (b13b8264b154)
• pr-head-stale-pi-imports: The PR head imports @mariozechner/pi-agent-core and @mariozechner/pi-ai in the new stream file, while current main has moved to the @earendil-works package scope. (src/agents/google-genai-stream.ts:2, b13b8264b154)
• current-main-pi-scope: Current main declares @earendil-works/pi-agent-core, @earendil-works/pi-ai, and @earendil-works/pi-coding-agent, so the old package imports introduced by the PR are no longer aligned with the dependency surface. (package.json:1772, a13468320c63)
• current-main-google-plugin-owns-provider: Current main registers google, google-gemini-cli, and google-vertex through the bundled Google plugin and returns plugin-owned stream functions for Google Generative AI and Vertex routes. (extensions/google/provider-registration.ts:23, a13468320c63)
• current-main-guarded-google-transport: Current main's Google transport builds requests with buildGuardedModelFetch, payload hooks, provider headers, and SSE handling, while the PR constructs a GoogleGenAI client and calls the SDK stream directly. (extensions/google/transport-stream.ts:1208, a13468320c63)
• current-main-google-payload-contract: Current main forwards system instructions, tools, tool choice, max tokens, temperature, cached content, thinking config, finish reasons, and usage through buildGoogleGenerativeAiParams; the PR stream only passes model, contents, and optional system instruction. (extensions/google/transport-stream.ts:693, a13468320c63)

Likely related people:

• Peter Steinberger: History attributes the plugin move, guarded transport boundary fix, and model config/auth redesign to Peter, which are central to deciding whether this PR should add a parallel core provider. (role: recent Google transport and config-history contributor; confidence: high; commits: 85826c83e4a1, 1af8bd90c337, b04c838c15e5; files: extensions/google/transport-stream.ts, extensions/google/provider-registration.ts, src/config/types.models.ts)
• Vincent Koc: Git history shows Vincent introduced the Google transport runtime, shared transport helpers, and cached content support that this PR would bypass or duplicate. (role: Google transport runtime introducer; confidence: high; commits: e697fa5e7591, d8458a1481e9, d766465e38e1; files: extensions/google/transport-stream.ts, src/plugin-sdk/provider-stream-shared.ts)
• damianFelixPago: Authored the newer open production ADC PR that keeps the native Google Vertex transport path and includes redacted live GKE metadata-server proof. (role: adjacent Google Vertex ADC implementation candidate author; confidence: medium; commits: 39c20790d685; files: extensions/google/vertex-adc.ts, extensions/google/transport-stream.test.ts, src/config/types.models.ts)
• PewterZz: Authored the open Google Vertex provider PR and canonical issue that overlap this PR's Vertex ADC and endpoint-routing motivation. (role: adjacent Google Vertex provider proposal author; confidence: medium; commits: 5bfb353ade92; files: extensions/google/transport-stream.ts, extensions/google/provider-registration.ts, extensions/google/openclaw.plugin.json)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a13468320c63.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[zeroasterisk]

I think mine is legacy and now deprecated by:

• fix(google-vertex): support production ADC modes #83971
• fix(google-vertex): add Google Vertex AI onboarding wizard, fix ADC auth, add provider docs #87800

Thanks yall