#16786: fix: support google-antigravity OAuth for Gemini embeddings

by outsourc-e open 2026-02-15 04:01
stale size: S
## Problem

When `memorySearch` is configured with `provider: "gemini"`, the embedding client in `resolveGeminiEmbeddingClient()` hard-codes `provider: "google"` for auth lookup. Users who authenticated via **google-antigravity OAuth** (free Gemini access) have their credentials stored under `google-antigravity`, causing:

```
No API key found for provider "google". Auth store: .../auth-profiles.json
```

Even if the provider lookup succeeded, there are two additional issues:

1. Antigravity OAuth returns a JSON string `{token, projectId}` via `buildOAuthApiKey()`, not a raw API key
2. OAuth tokens need `Authorization: Bearer` header, not `x-goog-api-key`

## Fix

- Falls back to `google-antigravity` provider when `google` has no credentials
- Detects OAuth mode and parses the JSON token format
- Sends OAuth tokens via `Authorization: Bearer` header instead of `x-goog-api-key`

## Notes

- Google's `generativelanguage.googleapis.com` embedding endpoint currently requires the `generativelanguage` scope which antigravity OAuth tokens may not include. This fix ensures the **auth plumbing** works correctly so that if/when the scope is available, embeddings work seamlessly.
- Users can set `memorySearch.remote.apiKey` with a free [Google AI Studio](https://aistudio.google.com/apikey) API key as a workaround (1,500 free embedding requests/day).

## Testing

- [x] Verified auth resolution path against bundled dist code
- [x] Confirmed antigravity fallback triggers when `google` provider has no valid profiles
- [x] Validated Bearer header construction with parsed JSON token
- [x] Manual curl tests against Gemini embedding API with both API key and OAuth token

---

🤖 **AI-assisted:** Written by Aurora (OpenClaw agent) running Claude Opus 4.6. Lightly tested against bundled dist — would benefit from unit test coverage.
cc @steipete @vignesh07

<h3>Greptile Summary</h3>

Adds `google-antigravity` OAuth fallback for Gemini embeddings to support users who authenticated via free Gemini access. When the `google` provider has no credentials, the code now falls back to `google-antigravity`, parses the JSON token format `{token, projectId}` returned by OAuth, and sends OAuth tokens via `Authorization: Bearer` header instead of `x-goog-api-key`.

The implementation correctly handles the three auth plumbing issues described in the PR: provider fallback, JSON token parsing, and OAuth header construction. However, there's a known issue (already commented on) where error messages will still reference "google" even when the antigravity fallback succeeded.

<h3>Confidence Score: 3/5</h3>

- This PR fixes important auth plumbing but has two logical edge cases that could cause unexpected behavior
- Score reflects correct implementation of the main OAuth fallback flow, but there are two edge cases: (1) non-credential errors are silently swallowed during provider fallback, and (2) non-JSON OAuth tokens may be sent via the wrong header. The known issue with error messages referencing "google" instead of "google-antigravity" is already documented in previous comments.
- Pay close attention to `src/memory/embeddings-gemini.ts` error handling and OAuth token parsing logic

<sub>Last reviewed commit: 44e1439</sub>
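
As an added illustration (not code from this PR or from OpenClaw), the TypeScript sketch below shows the auth resolution discussed above with both review edge cases handled: provider fallback continues only on a missing-credential error, and the header is chosen by credential mode rather than by whether the token parsed as JSON. The types, function names, error code and sample store are hypothetical.

```typescript
// Added illustration: every name below is hypothetical, not OpenClaw's API.
type Credential = { provider: string; mode: "api-key" | "oauth"; value: string };
type Lookup = (provider: string) => Credential;
const NO_CREDENTIAL = "NO_CREDENTIAL";

// Error a lookup throws when a provider simply has no stored profile.
function noCredential(provider: string): Error {
  const err = new Error(`No API key found for provider "${provider}".`);
  return Object.assign(err, { code: NO_CREDENTIAL });
}

// Try providers in order. Only "no credential" moves on to the next one;
// any other failure (corrupt store, I/O error) propagates unchanged.
function resolveCredential(lookup: Lookup, providers: string[]): Credential {
  for (const provider of providers) {
    try {
      return lookup(provider);
    } catch (err) {
      if ((err as { code?: string } | undefined)?.code !== NO_CREDENTIAL) throw err;
    }
  }
  // Name every provider that was tried, not just the first.
  throw noCredential(providers.join('" or "'));
}

// Pick the header from the credential mode, not from whether JSON parsing
// worked, so a raw (non-JSON) OAuth token still goes out as a Bearer token.
function buildAuthHeaders(cred: Credential): Record<string, string> {
  if (cred.mode === "api-key") return { "x-goog-api-key": cred.value };
  let token = cred.value;
  try {
    const parsed = JSON.parse(cred.value);
    if (parsed !== null && typeof parsed.token === "string") token = parsed.token;
  } catch {
    // Not JSON: treat the stored value as the bare access token.
  }
  return { Authorization: `Bearer ${token}` };
}

// Constructed sample store: only the antigravity OAuth profile exists.
const sampleOAuthValue = JSON.stringify({ token: "sample-access-token", projectId: "sample-project" });
const sampleStore: Record<string, Credential> = {
  "google-antigravity": { provider: "google-antigravity", mode: "oauth", value: sampleOAuthValue },
};
function sampleLookup(provider: string): Credential {
  const cred = sampleStore[provider];
  if (!cred) throw noCredential(provider);
  return cred;
}
```

Calling `resolveCredential(sampleLookup, ["google", "google-antigravity"])` returns the antigravity credential, which callers can also use to name the provider actually in use when reporting errors.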