From 995c702b0732c8709727c2ef815a83739c9e8db4 Mon Sep 17 00:00:00 2001
From: Jason O'Neal <jason.allen.oneal@gmail.com>
Date: Tue, 5 May 2026 15:36:16 -0400
Subject: [PATCH] fix(google): wrap Gemini CLI refresh credentials

# Conflicts:
#	CHANGELOG.md
---
 CHANGELOG.md               |  1 +
 extensions/google/oauth.ts | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 770669344fe..f82a7f37919 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@ Docs: https://docs.openclaw.ai
 - Agents/sessions: preserve fresh post-compaction token snapshots across stale usage updates, preventing repeated auto-compaction after every message. Fixes #82576. (#82578) Thanks @njuboy11.
 - Agents/OpenAI Responses: log redacted diagnostics for detail-less `response.failed` events while preserving failed response ids, so operators can correlate provider-side failures. Fixes #82558.
 - Agents/auth: redact OAuth refresh failure causes against in-memory, attempted, and reloaded credentials before generic token masking while ensuring failed ACP dispatch cleanup closes initialized runtimes.
+- Google/Gemini CLI OAuth: add provider-owned refresh support for `google-gemini-cli` so expired Gemini CLI tokens refresh in OpenClaw instead of falling through to the generic unknown-provider path. Fixes #42541. Thanks @jason-allen-oneal.
 - Telegram: cache successful startup bot identity by account and token fingerprint for up to 24 hours, so restarts can skip redundant `getMe` probes during Telegram API slow periods without permanently pinning renamed bots. Refs #82525.
 - Gateway/sessions: discard stale metadata when recreating dead main session rows, so replacement sessions do not inherit old labels or transcript paths.
 - Codex app-server: mark native context compaction completion events as successful, preventing false "Compaction incomplete" notices after successful Codex-managed compaction. Fixes #82470. (#81593) Thanks @Kyzcreig.
diff --git a/extensions/google/oauth.ts b/extensions/google/oauth.ts
index 18b92ffffce..d816067048b 100644
--- a/extensions/google/oauth.ts
+++ b/extensions/google/oauth.ts
@@ -1,3 +1,4 @@
+import type { OAuthCredential } from "openclaw/plugin-sdk/provider-auth";
 import { clearCredentialsCache, extractGeminiCliCredentials } from "./oauth.credentials.js";
 import {
   buildAuthUrl,
@@ -93,6 +94,11 @@ async function manualFlow(
 
 export async function refreshGeminiCliOAuthToken(
   credentials: Pick<GeminiCliOAuthCredentials, "refresh" | "email" | "projectId">,
-): Promise<GeminiCliOAuthCredentials> {
-  return await refreshTokensForGeminiCli(credentials);
+): Promise<OAuthCredential> {
+  const refreshed = await refreshTokensForGeminiCli(credentials);
+  return {
+    type: "oauth",
+    provider: "google-gemini-cli",
+    ...refreshed,
+  };
 }