From 229987e7885c11a1a3131b776a560348e4f9e9c8 Mon Sep 17 00:00:00 2001
From: mawkone <mark@getacquired.com>
Date: Fri, 27 Feb 2026 19:51:48 -0800
Subject: [PATCH] fix: use service account JSON key for Vertex AI auth instead
 of metadata server

The VM's metadata server doesn't grant cloud-platform scope by default.
Read GOOGLE_APPLICATION_CREDENTIALS_JSON env var (service account key JSON)
and pass it directly to GoogleAuth. Falls back to metadata server if unset.
This restores GLM-5 access via Vertex AI.

Made-with: Cursor
---
 dist/llm.js | 20 +++++++++++++++++---
 src/llm.ts  | 20 +++++++++++++++++---
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/dist/llm.js b/dist/llm.js
index a571b02..db8d001 100644
--- a/dist/llm.js
+++ b/dist/llm.js
@@ -12,9 +12,23 @@ const uuid_1 = require("uuid");
 // ---------------------------------------------------------------------------
 let _cachedToken = '';
 let _tokenExpiry = 0;
-const _googleAuth = new google_auth_library_1.GoogleAuth({
-    scopes: ['https://www.googleapis.com/auth/cloud-platform']
-});
+// Prefer an explicit JSON key (set as env var in Coolify) over the metadata server.
+// This avoids the "insufficient scope" error that occurs when the VM's service
+// account was created without the cloud-platform scope.
+function buildGoogleAuth() {
+    const jsonKey = process.env.GOOGLE_APPLICATION_CREDENTIALS_JSON;
+    if (jsonKey) {
+        try {
+            const credentials = JSON.parse(jsonKey);
+            return new google_auth_library_1.GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
+        }
+        catch {
+            console.warn('[llm] GOOGLE_APPLICATION_CREDENTIALS_JSON is set but failed to parse — falling back to metadata server');
+        }
+    }
+    return new google_auth_library_1.GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
+}
+const _googleAuth = buildGoogleAuth();
 async function getVertexToken() {
     const now = Date.now();
     if (_cachedToken && now < _tokenExpiry)
diff --git a/src/llm.ts b/src/llm.ts
index 860d5dc..ba45f71 100644
--- a/src/llm.ts
+++ b/src/llm.ts
@@ -70,9 +70,23 @@ export interface LLMClient {
 let _cachedToken = '';
 let _tokenExpiry = 0;
 
-const _googleAuth = new GoogleAuth({
-    scopes: ['https://www.googleapis.com/auth/cloud-platform']
-});
+// Prefer an explicit JSON key (set as env var in Coolify) over the metadata server.
+// This avoids the "insufficient scope" error that occurs when the VM's service
+// account was created without the cloud-platform scope.
+function buildGoogleAuth(): GoogleAuth {
+    const jsonKey = process.env.GOOGLE_APPLICATION_CREDENTIALS_JSON;
+    if (jsonKey) {
+        try {
+            const credentials = JSON.parse(jsonKey);
+            return new GoogleAuth({ credentials, scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
+        } catch {
+            console.warn('[llm] GOOGLE_APPLICATION_CREDENTIALS_JSON is set but failed to parse — falling back to metadata server');
+        }
+    }
+    return new GoogleAuth({ scopes: ['https://www.googleapis.com/auth/cloud-platform'] });
+}
+
+const _googleAuth = buildGoogleAuth();
 
 async function getVertexToken(): Promise<string> {
     const now = Date.now();