fix(core, a2a-server): prevent hang during OAuth in non-interactive sessions

[spencer426]

Summary

Prevent Gemini CLI and a2a-server from hanging during OAuth authentication in non-interactive environments by guarding the manual authorization flow and implementing an automated fallback to COMPUTE_ADC in cloud environments.

Details

• Core (packages/core):
  • Added a config.isInteractive() check in oauth2.ts before attempting the manual user code flow. If the session is non-interactive, it now throws a FatalAuthenticationError instead of hanging on a readline prompt.
  • Added a 5-minute timeout to the readline prompt in authWithUserCode to prevent indefinite hangs even in interactive sessions.
• A2A Server (packages/a2a-server):
  • Updated loadConfig to dynamically set the interactive flag using isHeadlessMode().
  • Enhanced refreshAuthentication to automatically attempt fallback to Application Default Credentials (COMPUTE_ADC) if LOGIN_WITH_GOOGLE fails in a cloud environment (e.g., Cloud Shell) or when forced via GEMINI_CLI_USE_COMPUTE_ADC=true.

Related Issues

Fixes #20854

How to Validate

1. Run a2a-server in a headless environment (e.g., echo | USE_CCPA=true a2a-server ...) and verify it fails fast with a descriptive error message instead of hanging.
2. Run core OAuth tests: npm test -w @google/gemini-cli-core -- src/code_assist/oauth2.test.ts
3. Run a2a-server config tests: npm test -w @google/gemini-cli-a2a-server -- src/config/config.test.ts

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical issue where the Gemini CLI and a2a-server could hang indefinitely during OAuth authentication in non-interactive environments. The changes introduce robust error handling for non-interactive sessions, prevent indefinite waits for user input, and provide an intelligent fallback to alternative authentication methods in cloud contexts, significantly improving the reliability and user experience in automated or headless deployments.

Highlights

• Non-interactive OAuth Handling: The core library now explicitly prevents manual OAuth authorization flows in non-interactive sessions by throwing a FatalAuthenticationError, ensuring applications like a2a-server do not hang.
• Readline Prompt Timeout: A 5-minute timeout has been added to the readline prompt used for manual user code entry, preventing indefinite hangs even in interactive sessions.
• Dynamic Interactivity Detection: The a2a-server now dynamically determines its interactivity status using isHeadlessMode(), correctly configuring the underlying core library.
• Automated Authentication Fallback: The a2a-server implements an automatic fallback mechanism to COMPUTE_ADC (Application Default Credentials) if LOGIN_WITH_GOOGLE authentication fails in a cloud environment or when explicitly requested via an environment variable.

Changelog

• packages/a2a-server/src/config/config.test.ts
  • Imported AuthType, isHeadlessMode, and FatalAuthenticationError for testing.
  • Mocked isHeadlessMode and logger.warn for isolated test scenarios.
  • Added new test suites to verify dynamic interactivity settings based on isHeadlessMode.
  • Included tests for the authentication fallback logic, ensuring COMPUTE_ADC is attempted after LOGIN_WITH_GOOGLE failure in cloud environments.
• packages/a2a-server/src/config/config.ts
  • Imported isHeadlessMode and FatalAuthenticationError from the core library.
  • Modified interactive and enableInteractiveShell configuration parameters to be dynamically set based on the result of isHeadlessMode().
  • Implemented a try-catch block around config.refreshAuth(AuthType.LOGIN_WITH_GOOGLE) to catch FatalAuthenticationError and attempt config.refreshAuth(AuthType.COMPUTE_ADC) as a fallback in cloud environments or when GEMINI_CLI_USE_COMPUTE_ADC is true.
  • Added a new helper function isCloudEnvironment() to detect if the application is running in a cloud shell.
• packages/core/src/code_assist/oauth2.test.ts
  • Imported FatalAuthenticationError for new test cases.
  • Updated mock Config objects to include an isInteractive() method.
  • Added a test case to assert that FatalAuthenticationError is thrown when manual authorization is required in a non-interactive session.
  • Ensured existing tests for user code login correctly use the isInteractive() mock.
• packages/core/src/code_assist/oauth2.ts
  • Added a conditional check if (!config.isInteractive()) before attempting manual user code authorization, throwing a FatalAuthenticationError if the session is non-interactive.
  • Introduced a 5-minute timeout for the readline prompt in authWithUserCode, rejecting the promise with a FatalAuthenticationError if the timeout is reached.

Activity

• No specific activity (comments, reviews, progress updates) was provided for this pull request.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively addresses an issue where the CLI could hang during OAuth in non-interactive sessions. The changes introduce an interactivity check before attempting manual authorization and add a timeout to user prompts. For a2a-server, it correctly detects headless mode and implements a fallback to Application Default Credentials in cloud environments, preventing hangs. The test coverage for these new behaviors is thorough. I have one suggestion to improve the error reporting during the authentication fallback to provide better diagnostic information, aligning with our guidelines for detailed error logging.

[github-actions]

Size Change: +610 B (0%)

Total Size: 26 MB

ℹ️ View Unchanged

Filename	Size	Change
./bundle/gemini.js	25.5 MB	+610 B (0%)
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B

_{compressed-size-action}

[ehedlund]

nit: remove

[jacob314]

[joelatrr]

thank goodness, I've been trying to do gemini-cli development with gemini-cli on google-cloud using the OIDC login... Ive had to revert to 18.4! I sure hope this doesn't regress again, I saw some of the other attempts didn't include unit tests to capture this, so hopefully the coverage here helps keep this from happening again