AI Agents

Gemini CLI executor — credential bootstrap (spec 0027)

The gemini executor runs Google's Gemini CLI on Thomas's AI Pro subscription quota via Google-account OAuth. One-time setup:

0. Data-policy pre-flight (non-negotiable — spec 0045 d3)

Before any sensitive document flows through this executor, verify on the tompisula@gmail.com account that CLI/Code Assist prompts are not used for model training for your subscription tier, and turn off Gemini Apps Activity if in doubt (myactivity.google.com → Gemini Apps Activity). Health/financial originals are the payload here.

1. One-time login (any machine with a browser)

npm install -g @google/gemini-cli
gemini   # choose "Login with Google", complete OAuth as tompisula@gmail.com, then /quit
ls ~/.gemini/oauth_creds.json   # the refresh credentials

2. Create the credential Secret (both envs)

for ns in ai-agents-dev ai-agents-prod; do
  kubectl -n "$ns" create secret generic gemini-cli-credentials \
    --from-file=token="$HOME/.gemini/oauth_creds.json"
done

Bootstrap-kubectl for now (the life-membrane-mcp-credentials precedent) — convert to an ExternalSecret when it needs to survive a namespace rebuild.

3. Use it

Any AiAgent with executor: gemini (the gemini AiModel resolves by the executor's default). maxConcurrency: 2 on the AiModel protects the subscription's daily quota — raise deliberately, never casually. Workspace uploads land in the job workdir, so a submitted PDF is readable by the CLI directly (@file.pdf in the prompt or by path).

If Google invalidates the refresh token (rare), re-run step 1 and recreate the Secret.