refactor(auth): rename ADC secret from GOOGLE_APPLICATION_CREDENTIALS to gcloud-adc

ptone · ptone · commit fe084f385ebe · 2026-04-03T15:48:27.000Z
The GOOGLE_APPLICATION_CREDENTIALS name was ambiguous — it collides with
the standard GCP env var of the same name (which holds a path to a file),
making it confusing when used as a secret key whose value is file contents.

Rename the special file-type secret to "gcloud-adc". This secret writes
ADC contents to ~/.config/gcloud/application_default_credentials.json
inside the container, where the GCP SDK auto-discovers it. Scion no
longer sets the GOOGLE_APPLICATION_CREDENTIALS env var for vertex-ai
auth, since the well-known path suffices.

Users who need conventional GOOGLE_APPLICATION_CREDENTIALS usage can set
up both an environment-type secret (with the path value) and a file
secret (that writes the credential file) independently.

Also removes the now-unused GoogleAppCredentialsExplicit field from
AuthConfig, since no harness conditionally sets the env var anymore.
diff --git a/cmd/common.go b/cmd/common.go
@@ -478,7 +478,7 @@ func RunAgent(cmd *cobra.Command, args []string, resume bool) error {
 		util.Debugf("[auth]   hasGeminiAPIKey=%t, hasGoogleAPIKey=%t", localAuth.GeminiAPIKey != "", localAuth.GoogleAPIKey != "")
 		util.Debugf("[auth]   hasAnthropicAPIKey=%t", localAuth.AnthropicAPIKey != "")
 		util.Debugf("[auth]   hasOAuthCreds=%t (%s)", localAuth.OAuthCreds != "", localAuth.OAuthCreds)
-		util.Debugf("[auth]   hasGoogleAppCredentials=%t (explicit=%t)", localAuth.GoogleAppCredentials != "", localAuth.GoogleAppCredentialsExplicit)
+		util.Debugf("[auth]   hasGoogleAppCredentials=%t", localAuth.GoogleAppCredentials != "")
 		util.Debugf("[auth]   cloudProject=%q, cloudRegion=%q", localAuth.GoogleCloudProject, localAuth.GoogleCloudRegion)
 	}
 
@@ -678,7 +678,7 @@ func startAgentViaHub(hubCtx *HubContext, agentName, task string, resume bool, i
 		util.Debugf("[auth]   hasGeminiAPIKey=%t, hasGoogleAPIKey=%t", localAuth.GeminiAPIKey != "", localAuth.GoogleAPIKey != "")
 		util.Debugf("[auth]   hasAnthropicAPIKey=%t", localAuth.AnthropicAPIKey != "")
 		util.Debugf("[auth]   hasOAuthCreds=%t (%s)", localAuth.OAuthCreds != "", localAuth.OAuthCreds)
-		util.Debugf("[auth]   hasGoogleAppCredentials=%t (explicit=%t)", localAuth.GoogleAppCredentials != "", localAuth.GoogleAppCredentialsExplicit)
+		util.Debugf("[auth]   hasGoogleAppCredentials=%t", localAuth.GoogleAppCredentials != "")
 		util.Debugf("[auth]   cloudProject=%q, cloudRegion=%q", localAuth.GoogleCloudProject, localAuth.GoogleCloudRegion)
 	}
 
diff --git a/docs-site/src/content/docs/advanced-local/agent-credentials.md b/docs-site/src/content/docs/advanced-local/agent-credentials.md
@@ -77,7 +77,7 @@ scion hub secret set GEMINI_API_KEY "AIza..."
 Uses Google Cloud's Vertex AI endpoints with Application Default Credentials (ADC).
 
 **Required Sources:**
-- `GOOGLE_APPLICATION_CREDENTIALS`: Path to the ADC JSON file (automatically discovered at `~/.config/gcloud/application_default_credentials.json` if present locally).
+- ADC JSON file: Automatically discovered at `~/.config/gcloud/application_default_credentials.json` if present locally. In Hub mode, upload via the `gcloud-adc` file secret.
 - `GOOGLE_CLOUD_PROJECT`: Your Google Cloud project ID.
 - `GOOGLE_CLOUD_REGION`: The region (e.g., `us-east5`). Required for Claude, optional but recommended for Gemini.
 
@@ -90,18 +90,22 @@ scion start --harness claude my-agent
 ```
 
 **Hub Setup:**
-For Hub mode, you must upload the ADC file as a file-type secret and set the environment variables via the Web Interface or CLI:
+For Hub mode, you must upload the ADC file as the `gcloud-adc` file secret and set the environment variables via the Web Interface or CLI:
 ```bash
-# 1. Upload the credential file
+# 1. Upload the ADC credential file (written to ~/.config/gcloud/application_default_credentials.json in container)
 scion hub secret set --type file \
   --target ~/.config/gcloud/application_default_credentials.json \
-  GOOGLE_APPLICATION_CREDENTIALS @~/.config/gcloud/application_default_credentials.json
+  gcloud-adc @~/.config/gcloud/application_default_credentials.json
 
 # 2. Set the environment variables
 scion hub secret set GOOGLE_CLOUD_PROJECT "my-project"
 scion hub secret set GOOGLE_CLOUD_REGION "us-east5"
 ```
 
+:::note
+The `gcloud-adc` secret writes the ADC file to the well-known GCP path inside the container. The GCP SDK auto-discovers it there, so Scion does **not** set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. If you need to use `GOOGLE_APPLICATION_CREDENTIALS` for other purposes (e.g., pointing to a non-standard path), set it up as a separate environment-type secret alongside a file secret that writes the credential file.
+:::
+
 ### Harness specific credential file (`auth-file`)
 
 Some harnesses support their own specific credential files, such as OAuth tokens.
diff --git a/pkg/agent/run.go b/pkg/agent/run.go
@@ -954,8 +954,7 @@ func isAuthEnvKey(key string) bool {
 		"ANTHROPIC_VERTEX_PROJECT_ID",
 		"GOOGLE_CLOUD_REGION",
 		"CLOUD_ML_REGION",
-		"GOOGLE_CLOUD_LOCATION",
-		"GOOGLE_APPLICATION_CREDENTIALS":
+		"GOOGLE_CLOUD_LOCATION":
 		return true
 	default:
 		return false
@@ -964,7 +963,7 @@ func isAuthEnvKey(key string) bool {
 
 func authFileKind(name, target string) string {
 	switch {
-	case name == "GOOGLE_APPLICATION_CREDENTIALS" || strings.HasSuffix(target, "/application_default_credentials.json"):
+	case name == "gcloud-adc" || strings.HasSuffix(target, "/application_default_credentials.json"):
 		return "adc"
 	case name == "GEMINI_OAUTH_CREDS" || strings.HasSuffix(target, "/oauth_creds.json"):
 		return "gemini-oauth"
diff --git a/pkg/agent/run_test.go b/pkg/agent/run_test.go
@@ -1755,7 +1755,7 @@ func TestBuildAuthEnvOverlay_EmptyValueOverriddenBySecret(t *testing.T) {
 func TestFilterResolvedSecretsForResolvedAuth(t *testing.T) {
 	secrets := []api.ResolvedSecret{
 		{Name: "GEMINI_API_KEY", Type: "environment", Target: "GEMINI_API_KEY", Value: "gemini"},
-		{Name: "GOOGLE_APPLICATION_CREDENTIALS", Type: "file", Target: "/home/scion/.config/gcloud/application_default_credentials.json", Value: "adc"},
+		{Name: "gcloud-adc", Type: "file", Target: "/home/scion/.config/gcloud/application_default_credentials.json", Value: "adc"},
 		{Name: "NOT_AUTH_SECRET", Type: "environment", Target: "NOT_AUTH_SECRET", Value: "keep"},
 	}
 	resolved := &api.ResolvedAuth{
@@ -1780,8 +1780,8 @@ func TestFilterResolvedSecretsForResolvedAuth(t *testing.T) {
 	if _, ok := got["NOT_AUTH_SECRET"]; !ok {
 		t.Error("expected NOT_AUTH_SECRET to be kept")
 	}
-	if _, ok := got["GOOGLE_APPLICATION_CREDENTIALS"]; ok {
-		t.Error("expected GOOGLE_APPLICATION_CREDENTIALS to be dropped for api-key auth")
+	if _, ok := got["gcloud-adc"]; ok {
+		t.Error("expected gcloud-adc to be dropped for api-key auth")
 	}
 }
 
diff --git a/pkg/api/types.go b/pkg/api/types.go
@@ -358,13 +358,12 @@ func (c *ScionConfig) IsDetached() bool {
 
 type AuthConfig struct {
 	// Google/Gemini auth
-	GeminiAPIKey                 string
-	GoogleAPIKey                 string
-	GoogleAppCredentials         string
-	GoogleAppCredentialsExplicit bool // true when value came from GOOGLE_APPLICATION_CREDENTIALS env var
-	GoogleCloudProject           string
-	GoogleCloudRegion            string
-	OAuthCreds                   string
+	GeminiAPIKey         string
+	GoogleAPIKey         string
+	GoogleAppCredentials string
+	GoogleCloudProject   string
+	GoogleCloudRegion    string
+	OAuthCreds           string
 
 	// Anthropic auth
 	AnthropicAPIKey string
diff --git a/pkg/harness/auth.go b/pkg/harness/auth.go
@@ -72,9 +72,6 @@ func GatherAuthWithEnv(env map[string]string, localSources bool) api.AuthConfig
 		GoogleAppCredentials: lookup("GOOGLE_APPLICATION_CREDENTIALS"),
 	}
 
-	// Mark whether GOOGLE_APPLICATION_CREDENTIALS was explicitly set via env var
-	auth.GoogleAppCredentialsExplicit = auth.GoogleAppCredentials != ""
-
 	// File-sourced fields: check well-known paths (skip in broker mode)
 	if localSources {
 		home, _ := os.UserHomeDir()
@@ -121,10 +118,9 @@ func OverlayFileSecrets(auth *api.AuthConfig, secrets []api.ResolvedSecret) {
 		name := s.Name
 
 		switch {
-		case name == "GOOGLE_APPLICATION_CREDENTIALS" ||
+		case name == "gcloud-adc" ||
 			strings.HasSuffix(target, "/application_default_credentials.json"):
 			auth.GoogleAppCredentials = target
-			auth.GoogleAppCredentialsExplicit = false // container GCP SDK auto-discovers well-known path
 		case name == "GEMINI_OAUTH_CREDS" ||
 			strings.HasSuffix(target, "/oauth_creds.json"):
 			auth.OAuthCreds = target
@@ -215,7 +211,7 @@ func RequiredAuthSecrets(harnessName, authSelectedType string) []api.RequiredSec
 		if effectiveType == "vertex-ai" {
 			return []api.RequiredSecret{
 				{
-					Key:         "GOOGLE_APPLICATION_CREDENTIALS",
+					Key:         "gcloud-adc",
 					Type:        "file",
 					Description: "Google Cloud Application Default Credentials (ADC) file for vertex-ai authentication",
 				},
@@ -243,12 +239,12 @@ func DetectAuthTypeFromFileSecrets(harnessName string, fileSecretNames map[strin
 		if _, ok := fileSecretNames["GEMINI_OAUTH_CREDS"]; ok {
 			return "auth-file"
 		}
-		if _, ok := fileSecretNames["GOOGLE_APPLICATION_CREDENTIALS"]; ok {
+		if _, ok := fileSecretNames["gcloud-adc"]; ok {
 			return "vertex-ai"
 		}
 	case "claude":
 		// Auto-detect priority: api-key → ADC (vertex-ai)
-		if _, ok := fileSecretNames["GOOGLE_APPLICATION_CREDENTIALS"]; ok {
+		if _, ok := fileSecretNames["gcloud-adc"]; ok {
 			return "vertex-ai"
 		}
 	case "codex":
diff --git a/pkg/harness/auth_test.go b/pkg/harness/auth_test.go
@@ -438,10 +438,10 @@ func TestRequiredAuthSecrets(t *testing.T) {
 		wantKey  string
 		wantType string
 	}{
-		{"claude vertex-ai", "claude", "vertex-ai", false, "GOOGLE_APPLICATION_CREDENTIALS", "file"},
-		{"gemini vertex-ai", "gemini", "vertex-ai", false, "GOOGLE_APPLICATION_CREDENTIALS", "file"},
-		{"opencode vertex-ai", "opencode", "vertex-ai", false, "GOOGLE_APPLICATION_CREDENTIALS", "file"},
-		{"codex vertex-ai", "codex", "vertex-ai", false, "GOOGLE_APPLICATION_CREDENTIALS", "file"},
+		{"claude vertex-ai", "claude", "vertex-ai", false, "gcloud-adc", "file"},
+		{"gemini vertex-ai", "gemini", "vertex-ai", false, "gcloud-adc", "file"},
+		{"opencode vertex-ai", "opencode", "vertex-ai", false, "gcloud-adc", "file"},
+		{"codex vertex-ai", "codex", "vertex-ai", false, "gcloud-adc", "file"},
 		{"claude api-key", "claude", "api-key", true, "", ""},
 		{"gemini api-key", "gemini", "api-key", true, "", ""},
 		{"claude empty auth type", "claude", "", true, "", ""},
@@ -491,15 +491,15 @@ func TestDetectAuthTypeFromFileSecrets(t *testing.T) {
 			"auth-file",
 		},
 		{
-			"gemini with GOOGLE_APPLICATION_CREDENTIALS",
+			"gemini with gcloud-adc",
 			"gemini",
-			map[string]struct{}{"GOOGLE_APPLICATION_CREDENTIALS": {}},
+			map[string]struct{}{"gcloud-adc": {}},
 			"vertex-ai",
 		},
 		{
 			"gemini with both OAuth and ADC prefers OAuth",
 			"gemini",
-			map[string]struct{}{"GEMINI_OAUTH_CREDS": {}, "GOOGLE_APPLICATION_CREDENTIALS": {}},
+			map[string]struct{}{"GEMINI_OAUTH_CREDS": {}, "gcloud-adc": {}},
 			"auth-file",
 		},
 		{
@@ -521,9 +521,9 @@ func TestDetectAuthTypeFromFileSecrets(t *testing.T) {
 			"auth-file",
 		},
 		{
-			"claude with GOOGLE_APPLICATION_CREDENTIALS",
+			"claude with gcloud-adc",
 			"claude",
-			map[string]struct{}{"GOOGLE_APPLICATION_CREDENTIALS": {}},
+			map[string]struct{}{"gcloud-adc": {}},
 			"vertex-ai",
 		},
 		{
@@ -747,15 +747,12 @@ func TestOverlayFileSecrets(t *testing.T) {
 		{
 			name: "ADC by name",
 			secrets: []api.ResolvedSecret{
-				{Name: "GOOGLE_APPLICATION_CREDENTIALS", Type: "file", Target: "/home/gemini/.config/gcloud/application_default_credentials.json"},
+				{Name: "gcloud-adc", Type: "file", Target: "/home/gemini/.config/gcloud/application_default_credentials.json"},
 			},
 			check: func(t *testing.T, auth api.AuthConfig) {
 				if auth.GoogleAppCredentials != "/home/gemini/.config/gcloud/application_default_credentials.json" {
 					t.Errorf("GoogleAppCredentials = %q, want ADC path", auth.GoogleAppCredentials)
 				}
-				if auth.GoogleAppCredentialsExplicit {
-					t.Errorf("GoogleAppCredentialsExplicit should be false for ADC overlay")
-				}
 			},
 		},
 		{
@@ -805,7 +802,7 @@ func TestOverlayFileSecrets(t *testing.T) {
 		{
 			name: "non-file secrets are skipped",
 			secrets: []api.ResolvedSecret{
-				{Name: "GOOGLE_APPLICATION_CREDENTIALS", Type: "environment", Target: "GOOGLE_APPLICATION_CREDENTIALS", Value: "/some/path"},
+				{Name: "gcloud-adc", Type: "environment", Target: "gcloud-adc", Value: "/some/path"},
 			},
 			check: func(t *testing.T, auth api.AuthConfig) {
 				if auth.GoogleAppCredentials != "" {
diff --git a/pkg/harness/claude_code.go b/pkg/harness/claude_code.go
@@ -362,7 +362,7 @@ func (c *ClaudeCode) ResolveAuth(auth api.AuthConfig) (*api.ResolvedAuth, error)
 		return c.resolveVertexAI(auth), nil
 	}
 
-	return nil, fmt.Errorf("claude: no valid auth method found; set ANTHROPIC_API_KEY for direct API access, or provide GOOGLE_APPLICATION_CREDENTIALS + GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_REGION for Vertex AI")
+	return nil, fmt.Errorf("claude: no valid auth method found; set ANTHROPIC_API_KEY for direct API access, or provide ADC (gcloud-adc secret or ~/.config/gcloud/application_default_credentials.json) + GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_REGION for Vertex AI")
 }
 
 func (c *ClaudeCode) resolveVertexAI(auth api.AuthConfig) *api.ResolvedAuth {
@@ -376,9 +376,6 @@ func (c *ClaudeCode) resolveVertexAI(auth api.AuthConfig) *api.ResolvedAuth {
 		},
 	}
 	if auth.GoogleAppCredentials != "" {
-		if auth.GoogleAppCredentialsExplicit {
-			result.EnvVars["GOOGLE_APPLICATION_CREDENTIALS"] = adcContainerPath
-		}
 		result.Files = append(result.Files, api.FileMapping{
 			SourcePath:    auth.GoogleAppCredentials,
 			ContainerPath: adcContainerPath,
diff --git a/pkg/harness/gemini_cli.go b/pkg/harness/gemini_cli.go
@@ -378,9 +378,6 @@ func (g *GeminiCLI) resolveExplicit(auth api.AuthConfig) (*api.ResolvedAuth, err
 		}
 		if auth.GoogleAppCredentials != "" {
 			adcContainerPath := "~/.config/gcloud/application_default_credentials.json"
-			if auth.GoogleAppCredentialsExplicit {
-				result.EnvVars["GOOGLE_APPLICATION_CREDENTIALS"] = adcContainerPath
-			}
 			result.Files = append(result.Files, api.FileMapping{
 				SourcePath:    auth.GoogleAppCredentials,
 				ContainerPath: adcContainerPath,
@@ -449,9 +446,6 @@ func (g *GeminiCLI) resolveAutoDetect(auth api.AuthConfig) (*api.ResolvedAuth, e
 				},
 			},
 		}
-		if auth.GoogleAppCredentialsExplicit {
-			result.EnvVars["GOOGLE_APPLICATION_CREDENTIALS"] = adcContainerPath
-		}
 		if auth.GoogleCloudRegion != "" {
 			result.EnvVars["GOOGLE_CLOUD_REGION"] = auth.GoogleCloudRegion
 			result.EnvVars["GOOGLE_CLOUD_LOCATION"] = auth.GoogleCloudRegion
diff --git a/pkg/harness/gemini_cli_test.go b/pkg/harness/gemini_cli_test.go
@@ -205,11 +205,10 @@ func TestGeminiResolveAuth_ExplicitAuthFileMissing(t *testing.T) {
 func TestGeminiResolveAuth_ExplicitVertexAI(t *testing.T) {
 	g := &GeminiCLI{}
 	auth := api.AuthConfig{
-		SelectedType:                 "vertex-ai",
-		GoogleCloudProject:           "proj",
-		GoogleCloudRegion:            "us-east1",
-		GoogleAppCredentials:         "/path/to/adc.json",
-		GoogleAppCredentialsExplicit: true,
+		SelectedType:         "vertex-ai",
+		GoogleCloudProject:   "proj",
+		GoogleCloudRegion:    "us-east1",
+		GoogleAppCredentials: "/path/to/adc.json",
 	}
 	result, err := g.ResolveAuth(auth)
 	if err != nil {
diff --git a/pkg/harness/generic.go b/pkg/harness/generic.go
@@ -136,9 +136,6 @@ func (g *Generic) ResolveAuth(auth api.AuthConfig) (*api.ResolvedAuth, error) {
 
 	if auth.GoogleAppCredentials != "" {
 		adcContainerPath := "~/.config/gcloud/application_default_credentials.json"
-		if auth.GoogleAppCredentialsExplicit {
-			result.EnvVars["GOOGLE_APPLICATION_CREDENTIALS"] = adcContainerPath
-		}
 		result.Files = append(result.Files, api.FileMapping{
 			SourcePath:    auth.GoogleAppCredentials,
 			ContainerPath: adcContainerPath,
diff --git a/pkg/runtime/common_test.go b/pkg/runtime/common_test.go
@@ -136,8 +136,7 @@ func TestBuildCommonRunArgs(t *testing.T) {
 				ResolvedAuth: &api.ResolvedAuth{
 					Method: "compute-default-credentials",
 					EnvVars: map[string]string{
-						"GEMINI_DEFAULT_AUTH_TYPE":       "compute-default-credentials",
-						"GOOGLE_APPLICATION_CREDENTIALS": "/home/scion/.config/gcp/application_default_credentials.json",
+						"GEMINI_DEFAULT_AUTH_TYPE": "compute-default-credentials",
 					},
 					Files: []api.FileMapping{
 						{SourcePath: adcFile, ContainerPath: "~/.config/gcp/application_default_credentials.json"},
@@ -147,7 +146,6 @@ func TestBuildCommonRunArgs(t *testing.T) {
 			},
 			wantIn: []string{
 				"-v", fmt.Sprintf("%s:/home/scion/.config/gcp/application_default_credentials.json:ro", adcFile),
-				"-e", "GOOGLE_APPLICATION_CREDENTIALS=/home/scion/.config/gcp/application_default_credentials.json",
 				"-e", "GEMINI_DEFAULT_AUTH_TYPE=compute-default-credentials",
 			},
 		},
diff --git a/pkg/runtime/k8s_parity_test.go b/pkg/runtime/k8s_parity_test.go
@@ -143,7 +143,7 @@ func TestBuildPod_ResolvedAuth_ComposesWithSecrets(t *testing.T) {
 		ResolvedAuth: &api.ResolvedAuth{
 			Method: "vertex-ai",
 			EnvVars: map[string]string{
-				"GOOGLE_APPLICATION_CREDENTIALS": "/home/scion/.config/gcloud/adc.json",
+				"GOOGLE_CLOUD_PROJECT": "my-project",
 			},
 		},
 	}
@@ -166,8 +166,8 @@ func TestBuildPod_ResolvedAuth_ComposesWithSecrets(t *testing.T) {
 		t.Error("API_KEY should come from secretKeyRef (ResolvedSecrets)")
 	}
 	// ResolvedAuth env should also be present (no longer mutually exclusive)
-	if envMap["GOOGLE_APPLICATION_CREDENTIALS"] != "/home/scion/.config/gcloud/adc.json" {
-		t.Error("GOOGLE_APPLICATION_CREDENTIALS should be set from ResolvedAuth")
+	if envMap["GOOGLE_CLOUD_PROJECT"] != "my-project" {
+		t.Error("GOOGLE_CLOUD_PROJECT should be set from ResolvedAuth")
 	}
 }
 
diff --git a/pkg/runtimebroker/handlers_envgather_test.go b/pkg/runtimebroker/handlers_envgather_test.go

Original file line number	Diff line number	Diff line change
`@@ -1755,7 +1755,7 @@ func TestBuildAuthEnvOverlay_EmptyValueOverriddenBySecret(t *testing.T) {`
`1755`	`1755`	`func TestFilterResolvedSecretsForResolvedAuth(t *testing.T) {`
`1756`	`1756`	`secrets := []api.ResolvedSecret{`
`1757`	`1757`	`{Name: "GEMINI_API_KEY", Type: "environment", Target: "GEMINI_API_KEY", Value: "gemini"},`
`1758`		`- {Name: "GOOGLE_APPLICATION_CREDENTIALS", Type: "file", Target: "/home/scion/.config/gcloud/application_default_credentials.json", Value: "adc"},`
	`1758`	`+ {Name: "gcloud-adc", Type: "file", Target: "/home/scion/.config/gcloud/application_default_credentials.json", Value: "adc"},`
`1759`	`1759`	`{Name: "NOT_AUTH_SECRET", Type: "environment", Target: "NOT_AUTH_SECRET", Value: "keep"},`
`1760`	`1760`	`}`
`1761`	`1761`	`resolved := &api.ResolvedAuth{`
`@@ -1780,8 +1780,8 @@ func TestFilterResolvedSecretsForResolvedAuth(t *testing.T) {`
`1780`	`1780`	`if _, ok := got["NOT_AUTH_SECRET"]; !ok {`
`1781`	`1781`	`t.Error("expected NOT_AUTH_SECRET to be kept")`
`1782`	`1782`	`}`
`1783`		`- if _, ok := got["GOOGLE_APPLICATION_CREDENTIALS"]; ok {`
`1784`		`- t.Error("expected GOOGLE_APPLICATION_CREDENTIALS to be dropped for api-key auth")`
	`1783`	`+ if _, ok := got["gcloud-adc"]; ok {`
	`1784`	`+ t.Error("expected gcloud-adc to be dropped for api-key auth")`
`1785`	`1785`	`}`
`1786`	`1786`	`}`
`1787`	`1787`
Original file line number	Diff line number	Diff line change
`@@ -362,7 +362,7 @@ func (c ClaudeCode) ResolveAuth(auth api.AuthConfig) (api.ResolvedAuth, error)`
`362`	`362`	`return c.resolveVertexAI(auth), nil`
`363`	`363`	`}`
`364`	`364`
`365`		`- return nil, fmt.Errorf("claude: no valid auth method found; set ANTHROPIC_API_KEY for direct API access, or provide GOOGLE_APPLICATION_CREDENTIALS + GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_REGION for Vertex AI")`
	`365`	`+ return nil, fmt.Errorf("claude: no valid auth method found; set ANTHROPIC_API_KEY for direct API access, or provide ADC (gcloud-adc secret or ~/.config/gcloud/application_default_credentials.json) + GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_REGION for Vertex AI")`
`366`	`366`	`}`
`367`	`367`
`368`	`368`	`func (c ClaudeCode) resolveVertexAI(auth api.AuthConfig) api.ResolvedAuth {`
`@@ -376,9 +376,6 @@ func (c ClaudeCode) resolveVertexAI(auth api.AuthConfig) api.ResolvedAuth {`
`376`	`376`	`},`
`377`	`377`	`}`
`378`	`378`	`if auth.GoogleAppCredentials != "" {`
`379`		`- if auth.GoogleAppCredentialsExplicit {`
`380`		`- result.EnvVars["GOOGLE_APPLICATION_CREDENTIALS"] = adcContainerPath`
`381`		`- }`
`382`	`379`	`result.Files = append(result.Files, api.FileMapping{`
`383`	`380`	`SourcePath: auth.GoogleAppCredentials,`
`384`	`381`	`ContainerPath: adcContainerPath,`