fix: always set GEMINI_API_BASE_URL when api-proxy is enabled (#1944)

Copilot · lpcox · Copilot · web-flow · commit cb389222ae8f · 2026-04-12T16:56:10.000-07:00
* Initial plan * fix: always set GEMINI_API_BASE_URL when api-proxy is enabled When --enable-api-proxy is active, always set GEMINI_API_BASE_URL to the api-proxy address and set the GEMINI_API_KEY placeholder in the agent container, even when GEMINI_API_KEY is absent from the AWF runner environment (e.g. held as a CI secret not forwarded to the AWF process). Previously, if geminiApiKey was undefined at compose-generation time, GEMINI_API_BASE_URL was never injected. The Gemini CLI then fell back to direct auth and exited with code 41 because GEMINI_API_KEY had already been excluded from the agent env by line 600. Also promote the misconfiguration log from WARN to ERROR so the problem surfaces at startup rather than silently failing later. Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/3a5f306a-94b1-4208-bce1-e2bb9cd450c8 * fix: downgrade missing GEMINI_API_KEY from error to warn The Gemini key is optional — most users enable api-proxy for OpenAI/Anthropic/Copilot only. Logging at ERROR level created noisy false alerts. Downgrade to WARN and clarify this is expected when Gemini is not being used. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: merge main; downgrade warn logs, adopt main's Gemini block Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/7dfdcfc8-882e-4195-af4a-9b2b4a0b776a --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Landon Cox <landon.cox@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -1749,8 +1749,8 @@ export function generateDockerCompose(
     logger.debug('GEMINI_API_KEY set to placeholder value for credential isolation');
     if (!config.geminiApiKey) {
       logger.warn('--enable-api-proxy is active but GEMINI_API_KEY is not set.');
-      logger.warn(`   The api-proxy Gemini listener (port ${API_PROXY_PORTS.GEMINI}) will start in fallback mode and return 503 responses until GEMINI_API_KEY is set.`);
-      logger.warn('   Set GEMINI_API_KEY in the AWF runner environment to enable Gemini credential isolation.');
+      logger.warn(`   The api-proxy Gemini listener (port ${API_PROXY_PORTS.GEMINI}) will return 503 responses until GEMINI_API_KEY is provided.`);
+      logger.warn('   This is expected when Gemini is not being used.');
     }
 
     logger.info('API proxy sidecar enabled - API keys will be held securely in sidecar container');
