fix: warn on agent-sdk + AUTO_COMPRESS, accept GOOGLE_API_KEY as Gemini alias (#149)

[rohitg00]

Problem

When GOOGLE_API_KEY was set instead of GEMINI_API_KEY, detectProvider() silently fell through to agent-sdk. With AGENTMEMORY_AUTO_COMPRESS=true, this routed every compression call through Claude Code's own API quota, burning a Pro subscription dry during heavy sessions (#149).

Fix

1. GOOGLE_API_KEY alias for Gemini (src/config.ts)

Many Google SDKs use GOOGLE_API_KEY. Now accepted as a fallback for GEMINI_API_KEY, with an advisory logged to stderr:

[agentmemory] GOOGLE_API_KEY detected — treating as GEMINI_API_KEY.
Set GEMINI_API_KEY in ~/.agentmemory/.env to silence this warning.

2. Startup warning when agent-sdk + AUTO_COMPRESS (src/config.ts)

If no provider key is found and AGENTMEMORY_AUTO_COMPRESS=true, emits a clear warning before starting:

[agentmemory] WARNING: AGENTMEMORY_AUTO_COMPRESS=true but no LLM provider key found
(GEMINI_API_KEY, ANTHROPIC_API_KEY, OPENROUTER_API_KEY). Falling back to agent-sdk
which shares Claude Code's API quota — this can exhaust a Pro subscription during
heavy sessions. Set an API key in ~/.agentmemory/.env to avoid rate limits (#149).

3. Runtime key resolution (src/providers/index.ts)

createBaseProvider for gemini now resolves GOOGLE_API_KEY as fallback so the alias works end-to-end, not just at detection time.

Closes #149.

Summary by CodeRabbit

• Bug Fixes

  • File compression now rejects symbolic links to prevent unintended operations.

• Improvements

  • Gemini provider will be selected when either Gemini or Google API key is present; Google key is accepted as a fallback.
  • Startup now emits clearer warnings when API keys are missing or when a Google key is being treated as Gemini.

• Tests

  • Added tests ensuring symlink rejection and related behaviors.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d2d8b6f9-11e2-452e-8cd8-1fadc1b24cf0

📥 Commits

Reviewing files that changed from the base of the PR and between 12c15b5 and 6810c7b.

📒 Files selected for processing (1)

• src/providers/index.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/providers/index.ts

---

📝 Walkthrough

Walkthrough

Updated provider selection to treat GEMINI_API_KEY or GOOGLE_API_KEY as Gemini, emit warnings when GOOGLE_API_KEY is used or when AUTO_COMPRESS is enabled without an LLM key, and added an lstat preflight in the file-compression function to reject symbolic links and handle lstat failures.

Changes

Cohort / File(s)	Summary
Provider configuration & detection src/config.ts, src/providers/index.ts	Gemini key resolution now reads GEMINI_API_KEY and falls back to GOOGLE_API_KEY; emits a stderr deprecation/warning when treating GOOGLE_API_KEY as Gemini. Added startup warning path when AGENTMEMORY_AUTO_COMPRESS === "true" and no LLM provider key is present.
File compression & tests src/functions/compress-file.ts, test/compress-file.test.ts	Added lstat import and preflight to reject symbolic links and return clear errors on lstat failures. Tests extended with symlinkPaths and mocked lstat to verify symlink rejection.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: add token-efficient recall and file compression tool #150: Related changes to src/functions/compress-file.ts (symlink preflight and tests) touching the same function and behavior.
• fix: stop burning Claude tokens on every PostToolUse hook (#138) #140: Related to provider/startup configuration and AGENTMEMORY_AUTO_COMPRESS handling; overlaps in provider detection logic.

Poem

🐰
I sniffed the keys across the lawn,
GEMINI found where Google shone,
Symlinks stopped — hop! — not on my watch,
Startup whispers, nothing botched,
Tiny paws applaud the patch.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Out of Scope Changes check	❓ Inconclusive	All changes directly support the issue #149 objectives. The only tangential change is adding symlink validation to compress-file, which is a reasonable safety improvement in the same code path but not explicitly linked to issue #149.	The symlink validation in compress-file.ts is a safety enhancement unrelated to issue #149. Clarify if this was intended as a separate security improvement or if it should be moved to a separate PR.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the two main changes: accepting GOOGLE_API_KEY as a fallback for Gemini and adding warnings for agent-sdk auto-compress misconfiguration.
Linked Issues check	✅ Passed	The PR implementation addresses all key coding requirements from issue #149: accepts GOOGLE_API_KEY as fallback for GEMINI_API_KEY with warnings, emits startup warning when no provider key exists with AUTO_COMPRESS enabled, and prevents silent fallback to agent-sdk.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/agent-sdk-quota-149

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/functions/compress-file.ts`:
- Around line 113-120: The current lstat(absolutePath) symlink check (and
variable absolutePath) is vulnerable to TOCTOU because the file can be swapped
before the later write; instead of relying on lstat alone, open the target with
flags that prevent following symlinks and write via the obtained file
descriptor. Replace the post-check write that currently uses writeFile /
fs.write with an fs.open call using constants.O_NOFOLLOW (and appropriate
O_CREAT/O_TRUNC/O_WRONLY flags), perform the write to the returned fd, fstat if
needed on the fd, then close the fd; keep handling of ENOENT/ELOOP/EINVAL errors
and remove reliance on lstat as the sole protection so the write cannot be
redirected via a swapped symlink.

In `@src/providers/index.ts`:
- Around line 75-77: The current geminiKey assignment uses nullish coalescing
which treats an empty string as a valid value and prevents falling back to
GOOGLE_API_KEY; update the geminiKey initialization in providers (the getEnvVar
calls) to use logical OR (||) so an empty string from
getEnvVar("GEMINI_API_KEY") will fall back to getEnvVar("GOOGLE_API_KEY"), and
keep the subsequent validation that checks for a falsy geminiKey.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 433855f9-b799-42fa-a583-80c73a75953b

📥 Commits

Reviewing files that changed from the base of the PR and between 1bdeaad and 12c15b5.

📒 Files selected for processing (4)

• src/config.ts
• src/functions/compress-file.ts
• src/providers/index.ts
• test/compress-file.test.ts