fix: include Gemini in api-proxy validation, add 503 fallback (#1808)

* Initial plan

* fix: include Gemini in api-proxy validation, add 503 fallback

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/a39432e2-e38c-4850-97ba-ae1596be856c

* fix: address review feedback for Gemini api-proxy changes

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/a39432e2-e38c-4850-97ba-ae1596be856c

* Update src/docker-manager.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

containers/api-proxy/server.js

@@ -911,6 +911,28 @@ if (require.main === module) {
     geminiServer.listen(10003, '0.0.0.0', () => {
       logRequest('info', 'server_start', { message: 'Google Gemini proxy listening on port 10003', target: GEMINI_API_TARGET });
     });
+  } else {
+    // No Gemini key — listen on port 10003 and return 503 so the Gemini CLI
+    // gets an actionable error instead of a silent connection-refused.
+    const geminiServer = http.createServer((req, res) => {
+      if (req.url === '/health' && req.method === 'GET') {
+        res.writeHead(503, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ status: 'not_configured', service: 'gemini-proxy', error: 'GEMINI_API_KEY not configured in api-proxy sidecar' }));
+        return;
+      }
+
+      res.writeHead(503, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Gemini proxy not configured (no GEMINI_API_KEY). Set GEMINI_API_KEY in the AWF runner environment to enable credential isolation.' }));
+    });
+
+    geminiServer.on('upgrade', (req, socket) => {
+      socket.write('HTTP/1.1 503 Service Unavailable\r\nConnection: close\r\n\r\n');
+      socket.destroy();
+    });
+
+    geminiServer.listen(10003, '0.0.0.0', () => {
+      logRequest('info', 'server_start', { message: 'Gemini endpoint listening on port 10003 (Gemini not configured — returning 503)' });
+    });
   }
 
   // OpenCode API proxy (port 10004) — routes to Anthropic (default BYOK provider)

src/cli.test.ts

@@ -1397,6 +1397,7 @@ describe('cli', () => {
       expect(result.enabled).toBe(true);
       expect(result.warnings).toHaveLength(2);
       expect(result.warnings[0]).toContain('no API keys found');
+      expect(result.warnings[1]).toContain('GEMINI_API_KEY');
       expect(result.debugMessages).toEqual([]);
     });
 
@@ -1430,14 +1431,23 @@ describe('cli', () => {
       expect(result.debugMessages[0]).toContain('Copilot');
     });
 
-    it('should detect all three keys', () => {
-      const result = validateApiProxyConfig(true, true, true, true);
+    it('should detect Gemini key', () => {
+      const result = validateApiProxyConfig(true, false, false, false, true);
       expect(result.enabled).toBe(true);
       expect(result.warnings).toEqual([]);
-      expect(result.debugMessages).toHaveLength(3);
+      expect(result.debugMessages).toHaveLength(1);
+      expect(result.debugMessages[0]).toContain('Gemini');
+    });
+
+    it('should detect all four keys', () => {
+      const result = validateApiProxyConfig(true, true, true, true, true);
+      expect(result.enabled).toBe(true);
+      expect(result.warnings).toEqual([]);
+      expect(result.debugMessages).toHaveLength(4);
       expect(result.debugMessages[0]).toContain('OpenAI');
       expect(result.debugMessages[1]).toContain('Anthropic');
       expect(result.debugMessages[2]).toContain('Copilot');
+      expect(result.debugMessages[3]).toContain('Gemini');
     });
 
     it('should not warn when disabled even with keys', () => {
@@ -1446,6 +1456,15 @@ describe('cli', () => {
       expect(result.warnings).toEqual([]);
       expect(result.debugMessages).toEqual([]);
     });
+
+    it('should detect mixed key combination (OpenAI + Gemini)', () => {
+      const result = validateApiProxyConfig(true, true, false, false, true);
+      expect(result.enabled).toBe(true);
+      expect(result.warnings).toEqual([]);
+      expect(result.debugMessages).toHaveLength(2);
+      expect(result.debugMessages[0]).toContain('OpenAI');
+      expect(result.debugMessages[1]).toContain('Gemini');
+    });
   });
 
   describe('buildRateLimitConfig', () => {

src/cli.ts

@@ -277,13 +277,15 @@ export interface ApiProxyValidationResult {
  * @param hasOpenaiKey - Whether an OpenAI API key is present
  * @param hasAnthropicKey - Whether an Anthropic API key is present
  * @param hasCopilotKey - Whether a GitHub Copilot API key is present
+ * @param hasGeminiKey - Whether a Google Gemini API key is present
  * @returns ApiProxyValidationResult with warnings and debug messages
  */
 export function validateApiProxyConfig(
   enableApiProxy: boolean,
   hasOpenaiKey?: boolean,
   hasAnthropicKey?: boolean,
-  hasCopilotKey?: boolean
+  hasCopilotKey?: boolean,
+  hasGeminiKey?: boolean
 ): ApiProxyValidationResult {
   if (!enableApiProxy) {
     return { enabled: false, warnings: [], debugMessages: [] };
@@ -292,9 +294,9 @@ export function validateApiProxyConfig(
   const warnings: string[] = [];
   const debugMessages: string[] = [];
 
-  if (!hasOpenaiKey && !hasAnthropicKey && !hasCopilotKey) {
+  if (!hasOpenaiKey && !hasAnthropicKey && !hasCopilotKey && !hasGeminiKey) {
     warnings.push('⚠️  API proxy enabled but no API keys found in environment');
-    warnings.push('   Set OPENAI_API_KEY, ANTHROPIC_API_KEY, or COPILOT_GITHUB_TOKEN to use the proxy');
+    warnings.push('   Set OPENAI_API_KEY, ANTHROPIC_API_KEY, COPILOT_GITHUB_TOKEN, or GEMINI_API_KEY to use the proxy');
   }
   if (hasOpenaiKey) {
     debugMessages.push('OpenAI API key detected - will be held securely in sidecar');
@@ -305,6 +307,9 @@ export function validateApiProxyConfig(
   if (hasCopilotKey) {
     debugMessages.push('GitHub Copilot API key detected - will be held securely in sidecar');
   }
+  if (hasGeminiKey) {
+    debugMessages.push('Google Gemini API key detected - will be held securely in sidecar');
+  }
 
   return { enabled: true, warnings, debugMessages };
 }
@@ -1912,12 +1917,13 @@ program
       config.enableApiProxy || false,
       !!config.openaiApiKey,
       !!config.anthropicApiKey,
-      !!config.copilotGithubToken
+      !!config.copilotGithubToken,
+      !!config.geminiApiKey
     );
 
     // Log API proxy status at info level for visibility
     if (config.enableApiProxy) {
-      logger.info(`API proxy enabled: OpenAI=${!!config.openaiApiKey}, Anthropic=${!!config.anthropicApiKey}, Copilot=${!!config.copilotGithubToken}`);
+      logger.info(`API proxy enabled: OpenAI=${!!config.openaiApiKey}, Anthropic=${!!config.anthropicApiKey}, Copilot=${!!config.copilotGithubToken}, Gemini=${!!config.geminiApiKey}`);
     }
 
     for (const warning of apiProxyValidation.warnings) {
@@ -1937,7 +1943,7 @@ program
     // to prevent sensitive data from flowing to logger (CodeQL sensitive data logging)
     const redactedConfig: Record<string, unknown> = {};
     for (const [key, value] of Object.entries(config)) {
-      if (key === 'openaiApiKey' || key === 'anthropicApiKey' || key === 'copilotGithubToken') continue;
+      if (key === 'openaiApiKey' || key === 'anthropicApiKey' || key === 'copilotGithubToken' || key === 'geminiApiKey') continue;
       redactedConfig[key] = key === 'agentCommand' ? redactSecrets(value as string) : value;
     }
     logger.debug('Configuration:', JSON.stringify(redactedConfig, null, 2));

src/docker-manager.ts

@@ -1612,6 +1612,10 @@ export function generateDockerCompose(
       // Real authentication happens via GEMINI_API_BASE_URL pointing to api-proxy.
       environment.GEMINI_API_KEY = 'gemini-api-key-placeholder-for-credential-isolation';
       logger.debug('GEMINI_API_KEY set to placeholder value for credential isolation');
+    } else {
+      logger.warn('--enable-api-proxy is active but GEMINI_API_KEY is not set.');
+      logger.warn(`   The api-proxy Gemini listener (port ${API_PROXY_PORTS.GEMINI}) will start in fallback mode and return 503 responses until GEMINI_API_KEY is set.`);
+      logger.warn('   Set GEMINI_API_KEY in the AWF runner environment to enable Gemini credential isolation.');
     }
 
     logger.info('API proxy sidecar enabled - API keys will be held securely in sidecar container');