ezer-mishpati/legal-ai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(metadata): accept GOOGLE_GEMINI_API_KEY (canonical) in gemini_session — host metadata extraction broke
All checks were successful
G12 Leak-Guard / leak-guard (pull_request) Successful in 4s
Details
Lint — undefined names / undefined-names (pull_request) Successful in 10s
Details

Browse Source 
_api_key() read ONLY `GEMINI_API_KEY`, but the canonical secret (host ~/.env and
Infisical SoT nautilus:/external-apis/gemini) is `GOOGLE_GEMINI_API_KEY`. The key
was present but under the canonical name → `_api_key()` raised "GEMINI_API_KEY אינו
מוגדר" on every call → ALL host precedent-metadata extraction via Gemini failed
silently (186 such errors in the legal-metadata-drain err log, latest 2026-06-14).

Fix: read GEMINI_API_KEY if set, else fall back to GOOGLE_GEMINI_API_KEY. No new
secret, no duplication — aligns the code to the existing SoT name (G1: fix at
source). Verified live: _api_key() resolves (len=53) and a real gemini query_json
call returns {"ok": true}.

Invariants: G1 (fix at source — code reads the canonical secret name, not a
parallel/duplicated env var) · X10 (deploy-env-secrets: single SoT name honored).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Chaim
2026-06-14 20:33:15 +00:00
parent 6bc9fa89a2
commit a40c4ee828
1 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
mcp-server/src/legal_mcp/services/gemini_session.py
View File

@@ -14,8 +14,9 @@ sensitive work — decision writing, analysis, halacha extraction — stays on
``claude_session`` (Daphna's subscription, zero API cost). This is a deliberate
per-task provider choice, not a wholesale move off Claude.
Key: ``GEMINI_API_KEY`` (host ~/.env; SoT Infisical nautilus:/external-apis/gemini
as ``GOOGLE_GEMINI_API_KEY``). Model: ``GEMINI_MODEL`` (default gemini-2.5-flash).
Key: ``GOOGLE_GEMINI_API_KEY`` (the canonical host ~/.env / Infisical name, SoT
nautilus:/external-apis/gemini); ``GEMINI_API_KEY`` is also accepted as an alias.
Model: ``GEMINI_MODEL`` (default gemini-2.5-flash).
Direct REST via httpx — no extra SDK dependency.
"""
@@ -39,11 +40,19 @@ class GeminiError(RuntimeError):
def _api_key() -> str:
key = os.environ.get("GEMINI_API_KEY", "").strip()
# Accept BOTH names: the canonical Infisical / host-~/.env secret is
# ``GOOGLE_GEMINI_API_KEY`` (SoT nautilus:/external-apis/gemini), while older
# call sites / container envs may export ``GEMINI_API_KEY``. Reading only the
# latter silently broke ALL host metadata extraction (the key is present but
# under the canonical name). Prefer GEMINI_API_KEY if set, else the SoT name.
key = (
os.environ.get("GEMINI_API_KEY", "").strip()
or os.environ.get("GOOGLE_GEMINI_API_KEY", "").strip()
)
if not key:
raise GeminiError(
"GEMINI_API_KEY אינו מוגדר (host ~/.env / Infisical "
"nautilus:/external-apis/gemini)."
"GEMINI_API_KEY/GOOGLE_GEMINI_API_KEY אינו מוגדר (host ~/.env / "
"Infisical nautilus:/external-apis/gemini)."
)
return key