From d430ddd5686cb03919a142c656cc82e65127db82 Mon Sep 17 00:00:00 2001
From: Juan Camilo <juancamilo.auriti@gmail.com>
Date: Thu, 2 Apr 2026 15:40:07 +0200
Subject: [PATCH] fix: prevent ANTHROPIC_API_KEY from interfering with Gemini
 provider auth

Two fixes for issue #133 where setting ANTHROPIC_API_KEY=dummy alongside
CLAUDE_CODE_USE_GEMINI=1 causes "Invalid API key" errors:

1. auth.ts: In the CI branch of getAnthropicApiKeyWithSource(), the
   ANTHROPIC_API_KEY value was returned without checking isUsing3PServices().
   A dummy key leaked into the Anthropic key resolution pipeline even when
   Gemini was the active provider. Now guards with isUsing3PServices().

2. errors.ts: The x-api-key error handler surfaced "Invalid API key" for
   any provider. Added getAPIProvider() === 'firstParty' guard so 3P users
   see the real underlying error instead of a misleading auth message.

Note: The cli.tsx Gemini validation fix (originally part of this PR) was
independently implemented in PR #121 and is already on main.
---
 src/services/api/errors.ts | 3 ++-
 src/utils/auth.ts          | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/services/api/errors.ts b/src/services/api/errors.ts
index 1a7edc52..d77c92a9 100644
--- a/src/services/api/errors.ts
+++ b/src/services/api/errors.ts
@@ -812,7 +812,8 @@ export function getAssistantMessageFromError(
 
   if (
     error instanceof Error &&
-    error.message.toLowerCase().includes('x-api-key')
+    error.message.toLowerCase().includes('x-api-key') &&
+    getAPIProvider() === 'firstParty'
   ) {
     // In CCR mode, auth is via JWTs - this is likely a transient network issue
     if (isCCRMode()) {
diff --git a/src/utils/auth.ts b/src/utils/auth.ts
index 37d1ca1f..310799fb 100644
--- a/src/utils/auth.ts
+++ b/src/utils/auth.ts
@@ -286,7 +286,7 @@ export function getAnthropicApiKeyWithSource(
       )
     }
 
-    if (apiKeyEnv) {
+    if (apiKeyEnv && !isUsing3PServices()) {
       return {
         key: apiKeyEnv,
         source: 'ANTHROPIC_API_KEY',
@@ -294,6 +294,7 @@ export function getAnthropicApiKeyWithSource(
     }
 
     // OAuth token is present but this function returns API keys only
+    // Also reached when 3P provider is active — ANTHROPIC_API_KEY is ignored
     return {
       key: null,
       source: 'none',