fix: warn on agent-sdk + AUTO_COMPRESS, accept GOOGLE_API_KEY as Gemini alias (#149) #154

Merged
rohitg00 merged 4 commits into main from fix/agent-sdk-quota-149
Apr 16, 2026

@rohitg00 rohitg00 commented Apr 16, 2026

Problem

When GOOGLE_API_KEY was set instead of GEMINI_API_KEY, detectProvider() silently fell through to agent-sdk. With AGENTMEMORY_AUTO_COMPRESS=true, this routed every compression call through Claude Code's own API quota, burning a Pro subscription dry during heavy sessions (#149).

Fix

1. GOOGLE_API_KEY alias for Gemini (src/config.ts)

Many Google SDKs use GOOGLE_API_KEY. Now accepted as a fallback for GEMINI_API_KEY, with an advisory logged to stderr:

[agentmemory] GOOGLE_API_KEY detected — treating as GEMINI_API_KEY.
Set GEMINI_API_KEY in ~/.agentmemory/.env to silence this warning.

2. Startup warning when agent-sdk + AUTO_COMPRESS (src/config.ts)

If no provider key is found and AGENTMEMORY_AUTO_COMPRESS=true, emits a clear warning before starting:

[agentmemory] WARNING: AGENTMEMORY_AUTO_COMPRESS=true but no LLM provider key found
(GEMINI_API_KEY, ANTHROPIC_API_KEY, OPENROUTER_API_KEY). Falling back to agent-sdk
which shares Claude Code's API quota — this can exhaust a Pro subscription during
heavy sessions. Set an API key in ~/.agentmemory/.env to avoid rate limits (#149).

3. Runtime key resolution (src/providers/index.ts)

createBaseProvider for gemini now resolves GOOGLE_API_KEY as fallback so the alias works end-to-end, not just at detection time.

Closes #149.

Summary by CodeRabbit

  • Bug Fixes

    • File compression now rejects symbolic links to prevent unintended operations.
  • Improvements

    • Gemini provider will be selected when either Gemini or Google API key is present; Google key is accepted as a fallback.
    • Startup now emits clearer warnings when API keys are missing or when a Google key is being treated as Gemini.
  • Tests

    • Added tests ensuring symlink rejection and related behaviors.
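The key resolution and startup warning described in this PR, as an added TypeScript sketch that is not the project's `src/config.ts`. The function names, the `anthropic` and `openrouter` provider labels, the precedence order, and the treatment of empty values as unset are assumptions; the environment is passed in as an object so the logic can be exercised without touching `process.env`.

```typescript
type Env = Record<string, string | undefined>;
type Resolution = { provider: string; apiKey?: string; warnings: string[] };

// A bare `KEY=` line in a .env file yields "", which `??` keeps as a value.
// Trim and treat empty as unset so the fallback chain continues.
function readKey(env: Env, name: string): string | undefined {
  const value = (env[name] ?? "").trim();
  return value === "" ? undefined : value;
}

// What a nullish-only fallback returns, kept for contrast.
function nullishGeminiKey(env: Env): string | undefined {
  return env["GEMINI_API_KEY"] ?? env["GOOGLE_API_KEY"];
}

function resolveProvider(env: Env): Resolution {
  const warnings: string[] = [];
  const gemini = readKey(env, "GEMINI_API_KEY");
  if (gemini) return { provider: "gemini", apiKey: gemini, warnings };

  const google = readKey(env, "GOOGLE_API_KEY");
  if (google) {
    warnings.push("GOOGLE_API_KEY detected, treating as GEMINI_API_KEY");
    return { provider: "gemini", apiKey: google, warnings };
  }
  // Remaining keys named in the startup warning; provider labels are hypothetical.
  const others: Array<[string, string]> = [
    ["ANTHROPIC_API_KEY", "anthropic"],
    ["OPENROUTER_API_KEY", "openrouter"],
  ];
  for (const [name, provider] of others) {
    const key = readKey(env, name);
    if (key) return { provider, apiKey: key, warnings };
  }
  // No key at all: the fallback is agent-sdk, which shares Claude Code's quota.
  if (env["AGENTMEMORY_AUTO_COMPRESS"] === "true") {
    warnings.push("AUTO_COMPRESS=true with no provider key: agent-sdk shares Claude Code's API quota");
  }
  return { provider: "agent-sdk", warnings };
}
```

Returning the warnings instead of writing them to stderr keeps the selection logic testable; the caller decides where to log them.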

…writes (#151)

lstat() check before any I/O now rejects symlinks, closing the bypass
where notes.md -> vault.txt passed the .md extension check but the
subsequent readFile/writeFile followed the symlink to the real target.

Adds a regression test that marks a path as a symlink in the mock and
verifies the function returns {success:false, error: "symlinks are not supported"}.

…ni alias (#149)

Two changes:
1. detectProvider() now accepts GOOGLE_API_KEY as an alias for GEMINI_API_KEY.
   Emits a stderr advisory to rename the variable.
2. When no provider key is found and AGENTMEMORY_AUTO_COMPRESS=true, emits a
   clear warning that agent-sdk will share Claude Code's API quota — the root
   cause of #149 where a wrong env var name caused silent fallback to agent-sdk
   during a heavy Opus session.

coderabbitai Bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 12c15b5 and 6810c7b.

📒 Files selected for processing (1)
  • src/providers/index.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/providers/index.ts

Walkthrough

Updated provider selection to treat GEMINI_API_KEY or GOOGLE_API_KEY as Gemini, emit warnings when GOOGLE_API_KEY is used or when AUTO_COMPRESS is enabled without an LLM key, and added an lstat preflight in the file-compression function to reject symbolic links and handle lstat failures.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Provider configuration & detection: src/config.ts, src/providers/index.ts | Gemini key resolution now reads GEMINI_API_KEY and falls back to GOOGLE_API_KEY; emits a stderr deprecation/warning when treating GOOGLE_API_KEY as Gemini. Added startup warning path when AGENTMEMORY_AUTO_COMPRESS === "true" and no LLM provider key is present. |
| File compression & tests: src/functions/compress-file.ts, test/compress-file.test.ts | Added lstat import and preflight to reject symbolic links and return clear errors on lstat failures. Tests extended with symlinkPaths and mocked lstat to verify symlink rejection. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰
I sniffed the keys across the lawn,
GEMINI found where Google shone,
Symlinks stopped — hop! — not on my watch,
Startup whispers, nothing botched,
Tiny paws applaud the patch.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Out of Scope Changes check | ❓ Inconclusive | All changes directly support the issue #149 objectives. The only tangential change is adding symlink validation to compress-file, which is a reasonable safety improvement in the same code path but not explicitly linked to issue #149. | The symlink validation in compress-file.ts is a safety enhancement unrelated to issue #149. Clarify if this was intended as a separate security improvement or if it should be moved to a separate PR. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the two main changes: accepting GOOGLE_API_KEY as a fallback for Gemini and adding warnings for agent-sdk auto-compress misconfiguration. |
| Linked Issues check | ✅ Passed | The PR implementation addresses all key coding requirements from issue #149: accepts GOOGLE_API_KEY as fallback for GEMINI_API_KEY with warnings, emits startup warning when no provider key exists with AUTO_COMPRESS enabled, and prevents silent fallback to agent-sdk. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/functions/compress-file.ts`:
- Around line 113-120: The current lstat(absolutePath) symlink check (and
variable absolutePath) is vulnerable to TOCTOU because the file can be swapped
before the later write; instead of relying on lstat alone, open the target with
flags that prevent following symlinks and write via the obtained file
descriptor. Replace the post-check write that currently uses writeFile /
fs.write with an fs.open call using constants.O_NOFOLLOW (and appropriate
O_CREAT/O_TRUNC/O_WRONLY flags), perform the write to the returned fd, fstat if
needed on the fd, then close the fd; keep handling of ENOENT/ELOOP/EINVAL errors
and remove reliance on lstat as the sole protection so the write cannot be
redirected via a swapped symlink.

In `@src/providers/index.ts`:
- Around line 75-77: The current geminiKey assignment uses nullish coalescing
which treats an empty string as a valid value and prevents falling back to
GOOGLE_API_KEY; update the geminiKey initialization in providers (the getEnvVar
calls) to use logical OR (||) so an empty string from
getEnvVar("GEMINI_API_KEY") will fall back to getEnvVar("GOOGLE_API_KEY"), and
keep the subsequent validation that checks for a falsy geminiKey.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 1bdeaad and 12c15b5.

📒 Files selected for processing (4)
  • src/config.ts
  • src/functions/compress-file.ts
  • src/providers/index.ts
  • test/compress-file.test.ts

@rohitg00 rohitg00 merged commit 4feff55 into main Apr 16, 2026
3 checks passed
@rohitg00 rohitg00 deleted the fix/agent-sdk-quota-149 branch April 16, 2026 23:31
Development

Successfully merging this pull request may close these issues.

429 rate limit errors when AUTO_COMPRESS uses agent-sdk provider in a heavy Claude Code session
