From 78f347036848b0b27c71e8e6e46ec01b2721d205 Mon Sep 17 00:00:00 2001
From: Shakker
Date: Wed, 29 Apr 2026 19:06:20 +0100
Subject: [PATCH] fix: preserve explicit auth evidence path semantics
---
 src/agents/model-auth-env.ts | 4 ++--
 src/agents/model-auth.profiles.test.ts | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/agents/model-auth-env.ts b/src/agents/model-auth-env.ts
index 0091239fcc3..6739fbe4d75 100644
--- a/src/agents/model-auth-env.ts
+++ b/src/agents/model-auth-env.ts
@@ -49,8 +49,8 @@ function hasRequiredAuthEvidenceEnv(
 function hasLocalFileAuthEvidence(evidence: ProviderAuthEvidence, env: NodeJS.ProcessEnv): boolean {
 if (evidence.fileEnvVar) {
 const explicitPath = normalizeOptionalSecretInput(env[evidence.fileEnvVar]);
- if (explicitPath && fs.existsSync(explicitPath)) {
- return true;
+ if (explicitPath) {
+ return fs.existsSync(explicitPath);
 }
 }
 for (const rawPath of evidence.fallbackPaths ?? []) {
diff --git a/src/agents/model-auth.profiles.test.ts b/src/agents/model-auth.profiles.test.ts
index ba24be08f3e..976287a5ec4 100644
--- a/src/agents/model-auth.profiles.test.ts
+++ b/src/agents/model-auth.profiles.test.ts
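Review bot: `fs.existsSync(explicitPath)` in the new `return` only proves that something exists at that path, so an env var pointing at a directory or other non-regular file still counts as auth evidence and the failure only surfaces later when the credentials are loaded. Consider `return fs.statSync(explicitPath, { throwIfNoEntry: false })?.isFile() ?? false;`, guarded so that a permission error is treated as "no evidence" rather than thrown. The fail-closed intent is also worth a comment above the branch, for example `// An explicit path is authoritative: when it is set but missing, do not fall back to default locations.` The body of `hasLocalFileAuthEvidence` continues past the hunk, so the fallback loop itself was not reviewed.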
@@ -864,6 +864,31 @@ describe("getApiKeyForModel", () => {
 }
 });
 
+ it("resolveEnvApiKey('google-vertex') rejects missing explicit ADC path before fallback paths", async () => {
+ const homeDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-google-adc-home-"));
+ const fallbackDir = path.join(homeDir, ".config", "gcloud");
+ const missingCredentialsPath = path.join(homeDir, "missing-adc.json");
+ await fs.mkdir(fallbackDir, { recursive: true });
+ await fs.writeFile(
+ path.join(fallbackDir, "application_default_credentials.json"),
+ "{}",
+ "utf8",
+ );
+
+ try {
+ const resolved = resolveEnvApiKey("google-vertex", {
+ GOOGLE_APPLICATION_CREDENTIALS: missingCredentialsPath,
+ GOOGLE_CLOUD_LOCATION: "us-central1",
+ GOOGLE_CLOUD_PROJECT: "vertex-project",
+ HOME: homeDir,
+ } as NodeJS.ProcessEnv);
+
+ expect(resolved).toBeNull();
+ } finally {
+ await fs.rm(homeDir, { recursive: true, force: true });
+ }
+ });
+
 it("resolveEnvApiKey('anthropic-vertex') accepts GOOGLE_APPLICATION_CREDENTIALS with project_id", async () => {
 await expectVertexAdcEnvApiKey({
 provider: "anthropic-vertex",
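Review bot: The new test has no control showing that the fallback file it writes under `.config/gcloud` would be accepted when the explicit path is unset, so `expect(resolved).toBeNull()` could pass for an unrelated reason and stop guarding the fail-closed behaviour. The hunk does not show whether fallback paths are expanded from the `HOME` passed in the env object or from the process home directory, and the `{}` file carries no `project_id` while the neighbouring test title mentions one. Adding `expect(resolveEnvApiKey("google-vertex", { GOOGLE_CLOUD_LOCATION: "us-central1", GOOGLE_CLOUD_PROJECT: "vertex-project", HOME: homeDir } as NodeJS.ProcessEnv)).not.toBeNull();` inside the `try` before the negative assertion would pin that only the missing explicit path causes the rejection.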