feat(transport): automatic API key fallback for gemini-cli quota exhaustion#393
Merged
RyderFreeman4Logos merged 1 commit intomainfrom Mar 10, 2026
Merged
Conversation
…exhaustion When gemini-cli OAuth quota is exhausted and all model-switch retries fail, automatically fall back to the configured api_key from [tools.gemini-cli] in global config. This preserves OAuth-first priority while enabling seamless recovery without manual intervention. - Add api_key field to GlobalToolConfig with redaction in diagnostic output - Inject _CSA_API_KEY_FALLBACK via extra_env pipeline (gemini-cli only) - Transport retry loop: after 3 model retries, attempt one final run with GEMINI_API_KEY injected from fallback - Guard fallback injection to gemini-cli tool exclusively - Add unit + integration tests for fallback promotion and both execute paths
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Owner
Author
Merge RationaleCloud bot: disabled ( Local review coverage:
Review findings addressed:
Test results: 2465 unit + 16 e2e tests pass. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
api_keyfield toGlobalToolConfigfor structured fallback credential storageGEMINI_API_KEYfrom config and retry onceapi_keyinredacted_for_display()to prevent credential leakage in diagnosticsDesign
OAuth-first, API-key-fallback: The transport retry loop tries OAuth auth with 3 different models first. Only after all fail with quota/429 errors does it check for a configured
api_keyand attempt one final run withGEMINI_API_KEYinjected. When quota recovers, OAuth resumes automatically with no config change needed.Pipeline:
[tools.gemini-cli].api_key→_CSA_API_KEY_FALLBACKin extra_env →inject_api_key_fallback()promotes toGEMINI_API_KEY→ gemini-cli uses it.Test plan
inject_api_key_fallbackpromotes key and cleans internal signalexecute_infallback path after all retries exhaustedTransport::executefallback path after all retries exhaustedjust pre-commitpasses (fmt, clippy, deny, test, monolith check)