feat(acp): Add support for AI Gateway auth

[skeshive]

Related Issues

Fixes https://github.com/google-gemini/maintainers-gemini-cli/issues/1329

[gemini-cli]

Hi @skeshive, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new authentication method, AuthType.GATEWAY, enabling users to connect to AI services through custom API gateways. It enhances the existing authentication flow by allowing the specification of a base URL and custom headers, providing greater flexibility and control over how AI models are accessed. This change broadens the compatibility of the CLI with various AI service deployments.

Highlights

• New Authentication Method: Introduced a new AuthType.GATEWAY to support authentication via custom AI API Gateways, allowing for more flexible integration with various AI service deployments.
• Extended Authentication Parameters: Extended the refreshAuth mechanism across the codebase to handle baseUrl and customHeaders, enabling gateway-specific configurations for AI service access.
• Gateway Configuration Parsing: Implemented logic within the GeminiAgent to parse gateway configuration details (like baseUrl and headers) from authentication requests.
• Comprehensive Test Coverage: Added a new dedicated test case to validate the GATEWAY authentication flow, ensuring proper functionality and integration.

Changelog

• packages/cli/src/zed-integration/zedIntegration.test.ts
  • Increased the expected number of authentication methods.
  • Verified the metadata structure for the new GATEWAY authentication type.
  • Updated existing refreshAuth calls to accommodate new parameters.
  • Added a dedicated test case to validate the GATEWAY authentication flow.
• packages/cli/src/zed-integration/zedIntegration.ts
  • Added baseUrl and customHeaders properties to the GeminiAgent class.
  • Registered AuthType.GATEWAY as a supported authentication method with descriptive metadata.
  • Implemented logic within authenticate to extract and store gateway-specific baseUrl and customHeaders from the request.
  • Modified calls to config.refreshAuth in checkAuth and verifyAuth to pass the new gateway parameters.
• packages/core/src/config/config.ts
  • Updated the refreshAuth method signature to accept optional baseUrl and customHeaders.
  • Passed the new baseUrl and customHeaders parameters to createContentGeneratorConfig.
• packages/core/src/core/contentGenerator.ts
  • Defined AuthType.GATEWAY in the AuthType enum.
  • Extended ContentGeneratorConfig interface to include optional baseUrl and customHeaders.
  • Modified createContentGeneratorConfig function signature to accept optional baseUrl and customHeaders.
  • Populated contentGeneratorConfig with baseUrl and customHeaders.
  • Expanded the condition for applying headers in createContentGenerator to include AuthType.GATEWAY.
  • Integrated customHeaders into the HTTP options for content generation.
  • Conditionally set baseUrl in HTTP options if provided.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +1.58 kB (+0.01%)

Total Size: 26 MB

Filename	Size	Change
./bundle/gemini.js	25.5 MB	+1.58 kB (+0.01%)

ℹ️ View Unchanged

Filename	Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request introduces a new AuthType.GATEWAY authentication method, enabling the use of a custom AI API Gateway with configurable baseUrl and customHeaders. The changes involve updating the GeminiAgent to store and pass these new gateway parameters to the refreshAuth and createContentGeneratorConfig functions, which in turn use them to configure the content generator. New test cases were added to verify the gateway authentication flow. However, a review comment raises a critical security concern, noting that the authenticate method extracts baseUrl and headers from the request's _meta.gateway without sufficient validation. This lack of validation could lead to credential leakage or the overriding of sensitive authentication headers. The reviewer recommends implementing strict validation for baseUrl (e.g., enforcing HTTPS, allow-listing), filtering headers to prevent sensitive overrides, and throwing an error for malformed gateway metadata instead of silently failing.

[scidomino]

Thanks for putting this together! This is a great addition for supporting AI Gateways. I've reviewed the PR against our architectural guidelines and have a few requested changes, particularly around how the new authentication state is persisted and validated:

1. 🚨 Terminal UX Bleed (Major Bug)

In packages/cli/src/acp/acpClient.ts, when authenticating via the gateway, AuthType.GATEWAY is currently being saved to SettingScope.User:

this.settings.setValue(
  SettingScope.User,
  'security.auth.selectedType',
  method,
);

Because baseUrl and customHeaders are kept in memory and not persisted to settings, saving GATEWAY to the user's global settings will break their standalone terminal CLI experience. The next time they run gemini in their terminal, it will attempt to use GATEWAY auth but without the required URL or headers, resulting in an error.
Recommendation: Please ensure GATEWAY is either saved to SettingScope.Session instead, or explicitly bypass writing to user settings for this specific auth type.

2. 🛡️ Security & Validation (Silent Failures)

Echoing the automated reviewer, if gatewaySchema.safeParse(meta['gateway']) fails, the code currently silently sets baseUrl and headers to undefined. This will result in mysterious HTTP errors downstream because the client will default to Google's production endpoints without an API key or the required custom headers.
Recommendation: If !result.success, explicitly throw an acp.RequestError with the validation details (e.g., malformed gateway payload). Additionally, it would be a good idea to add URL validation to the schema for baseUrl to ensure it's a valid HTTP(S) URL.

3. 🧹 Method Signature Creep (packages/core)

In packages/core/src/config/config.ts and contentGenerator.ts, refreshAuth and createContentGeneratorConfig are accumulating multiple optional parameters (apiKey, baseUrl, customHeaders). This is leading to awkward call sites like refreshAuth(AuthType.GATEWAY, undefined, undefined, undefined).
Recommendation: Refactor these methods to accept an options object for the additional parameters. For example: refreshAuth(authType: AuthType, options?: { apiKey?: string, baseUrl?: string, customHeaders?: Record<string, string> }).

[skeshive]

Thanks for putting this together! This is a great addition for supporting AI Gateways. I've reviewed the PR against our architectural guidelines and have a few requested changes, particularly around how the new authentication state is persisted and validated:

1. 🚨 Terminal UX Bleed (Major Bug)

In packages/cli/src/acp/acpClient.ts, when authenticating via the gateway, AuthType.GATEWAY is currently being saved to SettingScope.User:

this.settings.setValue(
  SettingScope.User,
  'security.auth.selectedType',
  method,
);

Because baseUrl and customHeaders are kept in memory and not persisted to settings, saving GATEWAY to the user's global settings will break their standalone terminal CLI experience. The next time they run gemini in their terminal, it will attempt to use GATEWAY auth but without the required URL or headers, resulting in an error. Recommendation: Please ensure GATEWAY is either saved to SettingScope.Session instead, or explicitly bypass writing to user settings for this specific auth type.

2. 🛡️ Security & Validation (Silent Failures)

Echoing the automated reviewer, if gatewaySchema.safeParse(meta['gateway']) fails, the code currently silently sets baseUrl and headers to undefined. This will result in mysterious HTTP errors downstream because the client will default to Google's production endpoints without an API key or the required custom headers. Recommendation: If !result.success, explicitly throw an acp.RequestError with the validation details (e.g., malformed gateway payload). Additionally, it would be a good idea to add URL validation to the schema for baseUrl to ensure it's a valid HTTP(S) URL.

3. 🧹 Method Signature Creep (packages/core)

In packages/core/src/config/config.ts and contentGenerator.ts, refreshAuth and createContentGeneratorConfig are accumulating multiple optional parameters (apiKey, baseUrl, customHeaders). This is leading to awkward call sites like refreshAuth(AuthType.GATEWAY, undefined, undefined, undefined). Recommendation: Refactor these methods to accept an options object for the additional parameters. For example: refreshAuth(authType: AuthType, options?: { apiKey?: string, baseUrl?: string, customHeaders?: Record<string, string> }).

For 1) This only applies to ACP usage so not a big concern
2) Fixed
3) Ack, will need to fix in a follow up to keep this PR small

[galz10]

/patch preview

[github-actions]

✅ Patch workflow(s) dispatched successfully!

📋 Details:

• Channels: preview
• Commit: 7ec477d40df7070bf4a6a0676d2eae0a87085835
• Workflows Created: 1

🔗 Track Progress:

• View patch workflows
• This workflow run

[github-actions]

🚀 Patch PR Created!

📋 Patch Details:

• Environment: prod
• Channel: preview → will publish to npm tag preview
• Commit: 7ec477d40df7070bf4a6a0676d2eae0a87085835
• Hotfix Branch: hotfix/v0.33.0-preview.3/0.33.0-preview.4/preview/cherry-pick-7ec477d/pr-21305
• Hotfix PR: #21349

📝 Next Steps:

1. Review and approve the hotfix PR: #21349
2. Once merged, the patch release will automatically trigger
3. You'll receive updates here when the release completes

🔗 Track Progress:

• View hotfix PR #21349

[github-actions]

🚀 Patch Release Started!

📋 Release Details:

• Environment: prod
• Channel: preview → publishing to npm tag preview
• Version: v0.33.0-preview.3
• Hotfix PR: Merged ✅
• Release Branch: release/v0.33.0-preview.3-pr-21305

⏳ Status: The patch release is now running. You'll receive another update when it completes.

🔗 Track Progress:

• View release workflow

[github-actions]

✅ Patch Release Complete!

📦 Release Details:

• Version: 0.33.0-preview.4
• NPM Tag: preview
• Channel: preview
• Dry Run: false

🎉 Status: Your patch has been successfully released and published to npm!

📝 What's Available:

• GitHub Release: View release v0.33.0-preview.4
• NPM Package: npm install @google/gemini-cli@preview

🔗 Links:

• GitHub Release
• Workflow Run