Gemini CLI executor — credential bootstrap (spec 0027)
The gemini executor runs Google's Gemini CLI on Thomas's AI Pro subscription quota
via Google-account OAuth. One-time setup:
0. Data-policy pre-flight (non-negotiable — spec 0045 d3)
Before any sensitive document flows through this executor, verify on the tompisula@gmail.com account that CLI/Code Assist prompts are not used for model training for your subscription tier, and turn off Gemini Apps Activity if in doubt (myactivity.google.com → Gemini Apps Activity). Health/financial originals are the payload here.
1. One-time login (any machine with a browser)
npm install -g @google/gemini-cli
gemini # choose "Login with Google", complete OAuth as tompisula@gmail.com, then /quit
ls ~/.gemini/oauth_creds.json # the refresh credentials
2. Create the credential Secret (both envs)
for ns in ai-agents-dev ai-agents-prod; do
kubectl -n "$ns" create secret generic gemini-cli-credentials \
--from-file=token="$HOME/.gemini/oauth_creds.json"
done
Bootstrap-kubectl for now (the life-membrane-mcp-credentials precedent) — convert to an
ExternalSecret when it needs to survive a namespace rebuild.
3. Use it
Any AiAgent with executor: gemini (the gemini AiModel resolves by the executor's
default). maxConcurrency: 2 on the AiModel protects the subscription's daily quota —
raise deliberately, never casually. Workspace uploads land in the job workdir, so a
submitted PDF is readable by the CLI directly (@file.pdf in the prompt or by path).
If Google invalidates the refresh token (rare), re-run step 1 and recreate the Secret.