Correct Gemini CLI LLM gateway config to proxy mode (#5142)

* Correct Gemini CLI LLM gateway config to proxy mode

Gemini CLI has no dynamic token-command equivalent (no apiKeyHelper
analogue), so it must use proxy mode like Cursor rather than direct mode.

The previous config used two invalid settings.json keys:
- /auth/tokenCommand  — not a recognised Gemini CLI field
- /baseUrl            — silently ignored as a top-level key

Replace with the correct proxy-mode keys:
- /security/auth/selectedType = "gemini-api-key" (required so that
  GOOGLE_GEMINI_BASE_URL is honoured; OAuth auth ignores the override,
  fixed in gemini-cli v0.40.0 PR #25357)
- /env/GEMINI_API_KEY = placeholder key (proxy does not validate it)
- /env/GOOGLE_GEMINI_BASE_URL = local proxy address

Fixes #5141

* fixes from review

---------

Co-authored-by: taskbot <taskbot@users.noreply.github.com>

Author: yrobla

cmd/thv/app/llm.go

@@ -375,6 +375,10 @@ func (a *clientManagerAdapter) LLMGatewayModeFor(clientType string) string {
 	return a.cm.LLMGatewayModeFor(client.ClientApp(clientType))
 }
 
+func (a *clientManagerAdapter) LLMSetupNoteFor(clientType string) string {
+	return a.cm.LLMSetupNoteFor(client.ClientApp(clientType))
+}
+
 func (a *clientManagerAdapter) RevertLLMGateway(clientType, configPath string) error {
 	return a.cm.RevertLLMGateway(client.ClientApp(clientType), configPath)
 }

pkg/client/config.go

@@ -159,16 +159,29 @@ const (
 // path (e.g. "/apiKeyHelper" or "/env/ANTHROPIC_BASE_URL"). Dots in flat
 // top-level key names (e.g. "/cursor.general.openAIBaseURL") are treated as
 // literals by hujson.Patch.
-// ValueField names which LLMApplyConfig field to write: "GatewayURL",
-// "ProxyBaseURL", "TokenHelperCommand", "PlaceholderAPIKey" (constant "thv-proxy"),
-// or "NodeTLSRejectUnauthorized" (writes "0" when TLSSkipVerify is true).
-// ClearWhenEmpty: when true and the resolved value is empty, the key is removed
-// from the settings file rather than skipped. Use for conditional keys like
-// NODE_TLS_REJECT_UNAUTHORIZED that must be cleaned up when the flag is cleared.
+//
+// Exactly one of ValueField or Literal must be set:
+//   - ValueField names which ApplyConfig field to write. Valid values:
+//     "GatewayURL", "ProxyBaseURL", "ProxyOrigin", "TokenHelperCommand",
+//     "PlaceholderAPIKey", "NodeTLSRejectUnauthorized".
+//     An unrecognised ValueField is a programming error and causes
+//     ConfigureLLMGateway to return an error.
+//   - Literal is written verbatim into the settings key (e.g. a fixed auth
+//     type string). Use Literal instead of ValueField for constant values so
+//     that typos in ValueField are caught as errors rather than silently
+//     written as unexpected strings.
+//
+// ClearWhenEmpty: when true and the resolved value is empty, the key is
+// removed from the settings file rather than skipped. Use for conditional
+// keys like NODE_TLS_REJECT_UNAUTHORIZED that must be cleaned up when the
+// flag is cleared. Ignored when Literal is set (literals are never empty).
 type LLMGatewayKeySpec struct {
-	JSONPointer    string // RFC 6901 path
-	ValueField     string // "GatewayURL" | "ProxyBaseURL" | "TokenHelperCommand" | "PlaceholderAPIKey" | "NodeTLSRejectUnauthorized"
-	ClearWhenEmpty bool   // remove the key when the resolved value is empty
+	JSONPointer string // RFC 6901 path
+	// ValueField: "GatewayURL" | "ProxyBaseURL" | "ProxyOrigin" |
+	// "TokenHelperCommand" | "PlaceholderAPIKey" | "NodeTLSRejectUnauthorized"
+	ValueField     string
+	Literal        string // constant value written verbatim; mutually exclusive with ValueField
+	ClearWhenEmpty bool   // remove the key when the resolved value is empty (ignored for Literal)
 }
 
 // clientAppConfig represents a configuration path for a supported MCP client.
@@ -223,6 +236,10 @@ type clientAppConfig struct {
 	// LLMGatewayKeys lists the JSON Pointer paths and value-field mappings to
 	// apply when setting up (or reverting) LLM gateway access.
 	LLMGatewayKeys []LLMGatewayKeySpec
+	// LLMSetupNote is an optional message printed to stdout after a successful
+	// "thv llm setup" for this client. Use it to surface manual steps that
+	// toolhive cannot automate (e.g. env vars the tool reads from a .env file).
+	LLMSetupNote string
 }
 
 // extractServersKeyFromConfig extracts the servers key from MCPServersPathPrefix
@@ -839,17 +856,29 @@ var supportedClientIntegrations = []clientAppConfig{
 		SupportsSkills:    true,
 		SkillsGlobalPath:  []string{".agents", skillsDirName},
 		SkillsProjectPath: []string{".agents", skillsDirName},
-		// LLM gateway: patches the same settings.json used for MCP
-		LLMGatewayMode:     "direct",
+		// LLM gateway: patches the same settings.json used for MCP.
+		// Gemini CLI has no dynamic token-command equivalent, so it uses the
+		// proxy path. GOOGLE_GEMINI_BASE_URL is only honoured when
+		// security.auth.selectedType is "gemini-api-key" (fixed in
+		// gemini-cli v0.40.0, PR #25357); OAuth auth ignores the override.
+		//
+		// NODE_TLS_REJECT_UNAUTHORIZED is intentionally omitted: in proxy mode
+		// the tool connects to the local proxy over plain HTTP, so there is no
+		// TLS handshake on that leg. Setting the env var would globally disable
+		// TLS verification for all other HTTPS requests the Gemini CLI process
+		// makes, which is an unacceptable side-effect.
+		LLMGatewayMode:     "proxy",
 		LLMBinaryName:      "gemini",
 		LLMSettingsFile:    "settings.json",
 		LLMSettingsRelPath: []string{".gemini"},
 		LLMGatewayKeys: []LLMGatewayKeySpec{
-			{JSONPointer: "/auth/tokenCommand", ValueField: "TokenHelperCommand"},
-			{JSONPointer: "/baseUrl", ValueField: "GatewayURL"},
-			// NODE_TLS_REJECT_UNAUTHORIZED is only written when --tls-skip-verify is set.
-			// ClearWhenEmpty ensures it is removed when the flag is later cleared.
-			{JSONPointer: "/env/NODE_TLS_REJECT_UNAUTHORIZED", ValueField: "NodeTLSRejectUnauthorized", ClearWhenEmpty: true},
+			// Force API-key auth so GOOGLE_GEMINI_BASE_URL is respected.
+			{JSONPointer: "/security/auth/selectedType", Literal: "gemini-api-key"},
+			// Placeholder API key (proxy does not validate it).
+			{JSONPointer: "/env/GEMINI_API_KEY", Literal: llmPlaceholderAPIKey},
+			// Proxy origin for Gemini CLI; path is stripped because Gemini
+			// CLI appends its own /v1beta/... path to the base URL.
+			{JSONPointer: "/env/GOOGLE_GEMINI_BASE_URL", ValueField: "ProxyOrigin"},
 		},
 	},
 	{

pkg/client/llm_gateway.go

@@ -80,9 +80,20 @@ func (cm *ClientManager) ConfigureLLMGateway(clientType ClientApp, cfg llmgatewa
 // allowing conditional keys (e.g. NODE_TLS_REJECT_UNAUTHORIZED) to be cleaned
 // up when the associated flag is cleared.
 func applyLLMGatewayKeys(v *hujson.Value, specs []LLMGatewayKeySpec, cfg llmgateway.ApplyConfig, filePath string) error {
+	// Resolve all values up front so an unknown ValueField fails fast before
+	// any file is modified.
+	values := make([]string, len(specs))
+	for i, spec := range specs {
+		val, err := llmValueForSpec(spec, cfg)
+		if err != nil {
+			return err
+		}
+		values[i] = val
+	}
+
 	// Ensure ancestors only for specs that will be written (not removed).
-	for _, spec := range specs {
-		if spec.ClearWhenEmpty && llmValueForSpec(spec.ValueField, cfg) == "" {
+	for i, spec := range specs {
+		if spec.ClearWhenEmpty && values[i] == "" {
 			continue
 		}
 		if err := ensureLLMAncestors(v, spec.JSONPointer, filePath); err != nil {
@@ -96,8 +107,8 @@ func applyLLMGatewayKeys(v *hujson.Value, specs []LLMGatewayKeySpec, cfg llmgate
 		return fmt.Errorf("standardizing %s: %w", filePath, err)
 	}
 
-	for _, spec := range specs {
-		value := llmValueForSpec(spec.ValueField, cfg)
+	for i, spec := range specs {
+		value := values[i]
 		if spec.ClearWhenEmpty && value == "" {
 			if err := removeLLMKey(v, spec.JSONPointer, filePath, standardized); err != nil {
 				return err
@@ -219,6 +230,15 @@ func (cm *ClientManager) LLMGatewayModeFor(clientType ClientApp) string {
 	return cfg.LLMGatewayMode
 }
 
+// LLMSetupNoteFor returns the post-setup note for clientType, or "" if none.
+func (cm *ClientManager) LLMSetupNoteFor(clientType ClientApp) string {
+	cfg := cm.lookupClientAppConfig(clientType)
+	if cfg == nil {
+		return ""
+	}
+	return cfg.LLMSetupNote
+}
+
 // DetectedLLMGatewayClients returns the subset of LLM-gateway-capable clients
 // that are installed on this machine. A client is considered installed when:
 //  1. Its settings directory exists on disk.
@@ -258,26 +278,35 @@ func (cm *ClientManager) buildLLMSettingsPath(cfg *clientAppConfig) string {
 	)
 }
 
-// llmValueForSpec returns the config value corresponding to the ValueField name.
-// For "NodeTLSRejectUnauthorized", returns "0" when TLSSkipVerify is true, or ""
-// when false (which triggers removal when ClearWhenEmpty is set on the spec).
-func llmValueForSpec(valueField string, cfg llmgateway.ApplyConfig) string {
-	switch valueField {
+// llmValueForSpec returns the value to write for spec given cfg.
+// If spec.Literal is set it is returned directly.
+// Otherwise spec.ValueField is resolved against cfg; an unrecognised ValueField
+// returns an error so typos are caught at call time rather than silently written
+// as unexpected strings into the user's settings file.
+func llmValueForSpec(spec LLMGatewayKeySpec, cfg llmgateway.ApplyConfig) (string, error) {
+	if spec.Literal != "" {
+		return spec.Literal, nil
+	}
+	switch spec.ValueField {
 	case "GatewayURL":
-		return cfg.GatewayURL
+		return cfg.GatewayURL, nil
 	case "ProxyBaseURL":
-		return cfg.ProxyBaseURL
+		return cfg.ProxyBaseURL, nil
 	case "TokenHelperCommand":
-		return cfg.TokenHelperCommand
+		return cfg.TokenHelperCommand, nil
 	case "PlaceholderAPIKey":
-		return llmPlaceholderAPIKey
+		return llmPlaceholderAPIKey, nil
 	case "NodeTLSRejectUnauthorized":
 		if cfg.TLSSkipVerify {
-			return "0"
+			return "0", nil
 		}
-		return ""
+		return "", nil
+	case "ProxyOrigin":
+		// Like ProxyBaseURL but with the path stripped; see llmgateway.ProxyOriginOf.
+		return llmgateway.ProxyOriginOf(cfg.ProxyBaseURL), nil
 	default:
-		return valueField // treat unknown field names as literal values
+		return "", fmt.Errorf("unknown ValueField %q in LLMGatewayKeySpec for %q; use Literal for constant values",
+			spec.ValueField, spec.JSONPointer)
 	}
 }