diff --git a/mcp-server/src/legal_mcp/services/gemini_session.py b/mcp-server/src/legal_mcp/services/gemini_session.py
index 088a9bb..da8e9a5 100644
--- a/mcp-server/src/legal_mcp/services/gemini_session.py
+++ b/mcp-server/src/legal_mcp/services/gemini_session.py
@@ -14,8 +14,9 @@ sensitive work — decision writing, analysis, halacha extraction — stays on
 ``claude_session`` (Daphna's subscription, zero API cost). This is a deliberate
 per-task provider choice, not a wholesale move off Claude.
 
-Key: ``GEMINI_API_KEY`` (host ~/.env; SoT Infisical nautilus:/external-apis/gemini
-as ``GOOGLE_GEMINI_API_KEY``). Model: ``GEMINI_MODEL`` (default gemini-2.5-flash).
+Key: ``GOOGLE_GEMINI_API_KEY`` (the canonical host ~/.env / Infisical name, SoT
+nautilus:/external-apis/gemini); ``GEMINI_API_KEY`` is also accepted as an alias.
+Model: ``GEMINI_MODEL`` (default gemini-2.5-flash).
 Direct REST via httpx — no extra SDK dependency.
 """
 
@@ -39,11 +40,19 @@ class GeminiError(RuntimeError):
 
 
 def _api_key() -> str:
-    key = os.environ.get("GEMINI_API_KEY", "").strip()
+    # Accept BOTH names: the canonical Infisical / host-~/.env secret is
+    # ``GOOGLE_GEMINI_API_KEY`` (SoT nautilus:/external-apis/gemini), while older
+    # call sites / container envs may export ``GEMINI_API_KEY``. Reading only the
+    # latter silently broke ALL host metadata extraction (the key is present but
+    # under the canonical name). Prefer GEMINI_API_KEY if set, else the SoT name.
+    key = (
+        os.environ.get("GEMINI_API_KEY", "").strip()
+        or os.environ.get("GOOGLE_GEMINI_API_KEY", "").strip()
+    )
     if not key:
         raise GeminiError(
-            "GEMINI_API_KEY אינו מוגדר (host ~/.env / Infisical "
-            "nautilus:/external-apis/gemini)."
+            "GEMINI_API_KEY/GOOGLE_GEMINI_API_KEY אינו מוגדר (host ~/.env / "
+            "Infisical nautilus:/external-apis/gemini)."
         )
     return key