fix(core): avoid keep-alive socket reuse during OAuth token exchange

[ryium]

Summary

OAuth "Sign in with Google" fails on Node.js >= 24.17.0 with
Failed to exchange authorization code for tokens: ... Premature close.
A Node http.Agent socket-reuse regression makes node-fetch throw a spurious
ERR_STREAM_PREMATURE_CLOSE when a pooled keep-alive socket is reused, breaking
login for everyone on current Node. This change makes the OAuth token exchange
use a fresh (non-keep-alive) connection so sign-in works again without
downgrading Node.

Details

The token exchange runs through google-auth-library → gaxios → node-fetch,
which uses Node's global keep-alive agent. On Node >= 24.17.0 the "fix response
queue poisoning in http.Agent" change exposes a reuse race that surfaces as a
false "Premature close" (see nodejs/node#63989). This matches reports that
downgrading to Node 20 makes login work again.

Fix: in initOauthClient (packages/core/src/code_assist/oauth2.ts), pass
new https.Agent({ keepAlive: false }) to the OAuth2Client transporter when no
proxy is configured, forcing a fresh connection per request and avoiding the
poisoned-socket reuse. The proxy path is left unchanged, since supplying our own
agent would make gaxios ignore the configured proxy. Because the same client
also backs the Code Assist API calls, the whole code-assist flow benefits.

Related Issues

• GeminiCLI.com Feedback: Login problem #28072
• Gaxios HTTP client cancels TLS handshake to *.googleapis.com on slow/unstable networks like cellular tethering; affects v20/v22/v24 #26411

How to Validate

1. Use Node.js >= 24.17.0 (node -v).
2. Build core: npm run generate && npm run build --workspace=@google/gemini-cli-core.
3. Run the unit tests: npx vitest run packages/core/src/code_assist/oauth2.test.ts
   • New cases assert the OAuth transporter uses a keepAlive: false agent when
     no proxy is set, and keeps proxy (no custom agent) when a proxy is set.
4. End-to-end: launch the CLI and choose "Login with Google"; the
   authorization-code → token exchange completes instead of failing with
   "Premature close".
5. Edge case (proxy): with HTTPS_PROXY set / --proxy configured, login still
   routes through the proxy as before.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical regression in Node.js versions 24.17.0 and later, where socket reuse in the global http.Agent causes OAuth token exchange failures. By forcing a fresh connection per request via a custom https.Agent when no proxy is configured, the fix restores login functionality for users on newer Node.js versions while maintaining support for existing proxy environments.

Highlights

• OAuth Connection Fix: Implemented a workaround for a Node.js regression (>= 24.17.0) that caused 'ERR_STREAM_PREMATURE_CLOSE' errors during OAuth token exchange by disabling keep-alive for non-proxy connections.
• Proxy Compatibility: Ensured that existing proxy configurations remain functional by only applying the custom agent when no proxy is detected, preventing gaxios from ignoring proxy settings.
• Regression Testing: Added unit tests to verify that the OAuth transporter correctly disables keep-alive when no proxy is present and preserves proxy settings when configured.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

📊 PR Size: size/M

• Lines changed: 89
• Additions: +86
• Deletions: -3
• Files changed: 2

[gemini-code-assist]

Code Review

This pull request introduces a workaround for a Node.js regression (nodejs/node#63989) where socket reuse in http.Agent causes node-fetch to throw a spurious ERR_STREAM_PREMATURE_CLOSE error during OAuth token exchange. To resolve this, HTTP keep-alive is disabled by configuring a custom https.Agent with keepAlive: false when initializing the OAuth2Client, unless a proxy is configured. Corresponding unit tests have been added to verify this behavior under both proxy and non-proxy configurations. There are no review comments, so I have no feedback to provide.