#16684: fix:(antigravity): align Antigravity OAuth project discovery headers and endpoint fallbacks
extensions: google-antigravity-auth
size: S
Cluster: Security Enhancements and Fixes
## Summary
Describe the problem and fix in 2–5 bullets:
- Problem: Antigravity OAuth had header/metadata drift, a bad timeout utility import path, and one unbounded network call during login.
- Why it matters: Drift and unbounded calls can reduce auth reliability, and the import path caused a TypeScript build failure (`TS2307`).
- What changed: Fixed import/build issue by using a local timeout helper in the extension, applied timeout protection to `fetchUserEmail`, aligned project discovery headers/metadata and endpoint fallback ordering, and aligned usage fetcher metadata/header shape to the same platform/client metadata pattern.
- What did NOT change (scope boundary): No credential schema changes, no provider ID changes, no onboarding warning/docs changes.
## Change Type (select all)
- [x] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra
## Scope (select all touched areas)
- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [x] Auth / tokens
- [ ] Memory / storage
- [x] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra
## Linked Issue/PR
- Closes #
- Related #14203
## User-visible / Behavior Changes
List user-visible changes (including defaults/config).
If none, write `None`.
- Antigravity OAuth login flow is more resilient under slow/hung network conditions due to timeout coverage on all login-path fetches.
- Project resolution is more robust via bounded endpoint fallbacks and env fallback (`GOOGLE_CLOUD_PROJECT` / `GOOGLE_CLOUD_PROJECT_ID`).
## Security Impact (required)
- New permissions/capabilities? (`Yes/No`) No
- Secrets/tokens handling changed? (`Yes/No`) No
- New/changed network calls? (`Yes/No`) Yes
- Command/tool execution surface changed? (`Yes/No`) No
- Data access scope changed? (`Yes/No`) No
- If any `Yes`, explain risk + mitigation:
- Risk: Additional fallback attempts may increase external requests during discovery.
- Mitigation: Fixed, small endpoint list with per-request timeout and graceful fallback.
## Repro + Verification
### Environment
- OS: macOS
- Runtime/container: Node 22 + pnpm workspace
- Model/provider: google-antigravity
- Integration/channel (if any): OAuth provider plugin + provider usage fetcher
- Relevant config (redacted): Optional `GOOGLE_CLOUD_PROJECT=<redacted>`
### Steps
1. Run `openclaw models auth login --provider google-antigravity --set-default`.
2. Complete OAuth and observe successful token exchange + userinfo + project resolution.
3. Trigger provider usage fetch path and verify metadata/header compatibility behavior.
### Expected
- No TS import/type failure in extension (`TS2307` resolved).
- OAuth calls are timeout-bounded, including userinfo lookup.
- Antigravity usage fetcher uses aligned metadata/client headers.
### Actual
- Implemented as above; scoped lint/tests pass.
## Evidence
Attach at least one:
- [ ] Failing test/log before + passing after
- [x] Trace/log snippets
- [ ] Screenshot/recording
- [ ] Perf numbers (if relevant)
Scoped checks run:
- `pnpm exec oxlint extensions/google-antigravity-auth/index.ts src/infra/provider-usage.fetch.antigravity.ts`
- `pnpm test src/infra/provider-usage.fetch.antigravity.test.ts`
## Human Verification (required)
What you personally verified (not just CI), and how:
- Verified scenarios: OAuth/login code paths in extension; usage fetch request metadata/header construction.
- Edge cases checked: timeout cleanup/abort behavior, missing project ID fallback chain, non-OK endpoint fallback.
- What you did **not** verify: live OAuth execution against Google endpoints in this branch.
## Compatibility / Migration
- Backward compatible? (`Yes/No`) Yes
- Config/env changes? (`Yes/No`) No
- Migration needed? (`Yes/No`) No
- If yes, exact upgrade steps:
## Failure Recovery (if this breaks)
- How to disable/revert this change quickly: Revert commits `e1040a82e` and parity-header commit set on this branch.
- Files/config to restore: `extensions/google-antigravity-auth/index.ts`, `src/infra/provider-usage.fetch.antigravity.ts`.
- Known bad symptoms reviewers should watch for: login stalls, missing project ID despite valid auth, provider usage endpoint auth/header errors.
## Risks and Mitigations
List only real risks for this PR. Add/remove entries as needed. If none, write `None`.
- Risk: Header/metadata assumptions may still vary across backend environments.
- Mitigation: Keep bounded fallback behavior and preserve conservative defaults.
## AI Assistance
- [x] AI-assisted
- [x] Lightly tested
Agent-Signoff: LobsterGuard
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Aligns Antigravity OAuth headers, metadata, and endpoint fallback behavior across auth extension and usage fetcher. Adds timeout protection to previously unbounded network calls (`fetchUserEmail`) and fixes import path issues. The changes improve auth reliability under slow network conditions and provide more robust project discovery through environment variable fallbacks and expanded endpoint list.
<h3>Confidence Score: 3/5</h3>
- Safe to merge with moderate confidence - addresses the stated issues but has code duplication that should be resolved
- The PR successfully fixes the import/build issue and adds timeout protection, but the duplicate `fetchWithTimeout` implementation (already flagged in previous threads) remains unresolved. The logic is sound and tests exist, but the code duplication creates maintenance burden and memory management inconsistency
- extensions/google-antigravity-auth/index.ts needs the duplicate fetchWithTimeout implementation replaced with the existing utility
<sub>Last reviewed commit: cf185ac</sub>
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
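The bounded discovery the description refers to (per-request timeout, fallback on a non-OK endpoint, then `GOOGLE_CLOUD_PROJECT` / `GOOGLE_CLOUD_PROJECT_ID`), as an added example that is not the PR's code. The endpoint URLs, the `projectId` response field, the injected `fetchFn` and the names `fetchWithTimeout` signature and `resolveProjectId` are assumptions made for illustration.

```typescript
// Added example: names, endpoints and response shape are assumptions, not project code.
type Res = { ok: boolean; json(): Promise<unknown> };
type FetchLike = (url: string, init: { signal: AbortSignal }) => Promise<Res>;
type Env = Record<string, string | undefined>;

// Placeholder hosts (constructed); the list is fixed and small so attempts stay bounded.
const ENDPOINTS = [
  "https://primary.example.invalid/v1/project",
  "https://fallback.example.invalid/v1/project",
];

// Abort the request after `ms`, and always clear the timer so a fast
// response does not leave a pending timeout behind.
async function fetchWithTimeout(fetchFn: FetchLike, url: string, ms: number): Promise<Res> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), ms);
  try {
    return await fetchFn(url, { signal: controller.signal });
  } finally {
    clearTimeout(timer);
  }
}

// Try each endpoint once, in order. A non-OK status, a timeout, a network
// error or a body without a project id falls through to the next candidate;
// the environment variables are the last resort.
async function resolveProjectId(fetchFn: FetchLike, env: Env, ms = 5000, endpoints = ENDPOINTS) {
  const tried: string[] = [];
  for (const url of endpoints) {
    tried.push(url);
    try {
      const res = await fetchWithTimeout(fetchFn, url, ms);
      if (!res.ok) continue;
      const body = (await res.json()) as { projectId?: unknown };
      if (typeof body.projectId === "string" && body.projectId !== "") {
        return { projectId: body.projectId, source: url, tried };
      }
    } catch {
      continue; // aborted or failed: this attempt is over, move on
    }
  }
  const fromEnv = env.GOOGLE_CLOUD_PROJECT || env.GOOGLE_CLOUD_PROJECT_ID;
  return { projectId: fromEnv, source: fromEnv ? "env" : "none", tried };
}
```

Because the timer is cleared as soon as `fetchFn` resolves, the bound covers the wait for the response, not a later body read such as `res.json()`.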