Enable --enable-api-proxy flag for Gemini engine and add parse_gemini_log.cjs

.github/workflows/smoke-gemini.md

@@ -11,7 +11,9 @@ permissions:
   issues: read
   pull-requests: read
 name: Smoke Gemini
-engine: gemini
+engine:
+  id: gemini
+  model: gemini-2.0-flash-lite
 strict: true
 imports:
   - shared/gh.md

actions/setup/js/parse_gemini_log.cjs

@@ -0,0 +1,98 @@
+// @ts-check
+/// <reference types="@actions/github-script" />
+
+const { createEngineLogParser } = require("./log_parser_shared.cjs");
+
+const main = createEngineLogParser({
+  parserName: "Gemini",
+  parseFunction: parseGeminiLog,
+  supportsDirectories: false,
+});
+
+/**
+ * Parse Gemini CLI streaming JSON log output and format as markdown.
+ * Gemini CLI outputs one JSON object per line when using --output-format stream-json (JSONL).
+ * @param {string} logContent - The raw log content to parse
+ * @returns {{markdown: string, logEntries: Array, mcpFailures: Array<string>, maxTurnsHit: boolean}} Parsed log data
+ */
+function parseGeminiLog(logContent) {
+  if (!logContent) {
+    return {
+      markdown: "## 🤖 Gemini\n\nNo log content provided.\n\n",
+      logEntries: [],
+      mcpFailures: [],
+      maxTurnsHit: false,
+    };
+  }
+
+  let markdown = "";
+  let totalInputTokens = 0;
+  let totalOutputTokens = 0;
+  let lastResponse = "";
+
+  const lines = logContent.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+      continue;
+    }
+
+    // Try to parse each line as a JSON object (Gemini --output-format json output)
+    try {
+      const parsed = JSON.parse(trimmed);
+
+      if (parsed.response) {
+        lastResponse = parsed.response;
+      }
+
+      // Aggregate token usage from stats
+      if (parsed.stats && parsed.stats.models) {
+        for (const modelStats of Object.values(parsed.stats.models)) {
+          if (modelStats && typeof modelStats === "object") {
+            if (typeof modelStats.input_tokens === "number") {
+              totalInputTokens += modelStats.input_tokens;
+            }
+            if (typeof modelStats.output_tokens === "number") {
+              totalOutputTokens += modelStats.output_tokens;
+            }
+          }
+        }
+      }
+    } catch (_e) {
+      // Not JSON - skip non-JSON lines
+    }
+  }
+
+  // Build markdown output
+  if (lastResponse) {
+    markdown += "## 🤖 Reasoning\n\n";
+    markdown += lastResponse + "\n\n";
+  }
+
+  markdown += "## 📊 Information\n\n";
+  const totalTokens = totalInputTokens + totalOutputTokens;
+  if (totalTokens > 0) {
+    markdown += `**Total Tokens Used:** ${totalTokens.toLocaleString()}\n\n`;
+    if (totalInputTokens > 0) {
+      markdown += `**Input Tokens:** ${totalInputTokens.toLocaleString()}\n\n`;
+    }
+    if (totalOutputTokens > 0) {
+      markdown += `**Output Tokens:** ${totalOutputTokens.toLocaleString()}\n\n`;
+    }
+  }
+
+  return {
+    markdown,
+    logEntries: [],
+    mcpFailures: [],
+    maxTurnsHit: false,
+  };
+}
+
+// Export for testing
+if (typeof module !== "undefined" && module.exports) {
+  module.exports = {
+    main,
+    parseGeminiLog,
+  };
+}

pkg/workflow/awf_helpers.go

@@ -170,7 +170,8 @@ func BuildAWFArgs(config AWFCommandConfig) []string {
 	awfArgs = append(awfArgs, "--proxy-logs-dir", string(constants.AWFProxyLogsDir))
 
 	// Add --enable-host-access when MCP servers are configured (gateway is used)
-	if HasMCPServers(config.WorkflowData) {
+	// OR when the API proxy sidecar is enabled (needs to reach host.docker.internal:<port>)
+	if HasMCPServers(config.WorkflowData) || config.UsesAPIProxy {
 		awfArgs = append(awfArgs, "--enable-host-access")
 		awfHelpersLog.Print("Added --enable-host-access for MCP gateway communication")
 	}

pkg/workflow/enable_api_proxy_test.go

@@ -88,4 +88,31 @@ func TestEngineAWFEnableApiProxy(t *testing.T) {
 			t.Error("Expected Codex AWF command to contain '--enable-api-proxy' flag")
 		}
 	})
+
+	t.Run("Gemini AWF command includes enable-api-proxy flag (supports LLM gateway)", func(t *testing.T) {
+		workflowData := &WorkflowData{
+			Name: "test-workflow",
+			EngineConfig: &EngineConfig{
+				ID: "gemini",
+			},
+			NetworkPermissions: &NetworkPermissions{
+				Firewall: &FirewallConfig{
+					Enabled: true,
+				},
+			},
+		}
+
+		engine := NewGeminiEngine()
+		steps := engine.GetExecutionSteps(workflowData, "test.log")
+
+		if len(steps) == 0 {
+			t.Fatal("Expected at least one execution step")
+		}
+
+		stepContent := strings.Join(steps[0], "\n")
+
+		if !strings.Contains(stepContent, "--enable-api-proxy") {
+			t.Error("Expected Gemini AWF command to contain '--enable-api-proxy' flag")
+		}
+	})
 }

pkg/workflow/gemini_engine.go

@@ -179,8 +179,8 @@ func (e *GeminiEngine) GetExecutionSteps(workflowData *WorkflowData, logFile str
 	// Without this, Gemini CLI's default approval mode rejects tool calls with "Tool execution denied by policy"
 	geminiArgs = append(geminiArgs, "--yolo")
 
-	// Add headless mode with JSON output
-	geminiArgs = append(geminiArgs, "--output-format", "json")
+	// Add streaming JSON output (JSONL format, compatible with the log parser)
+	geminiArgs = append(geminiArgs, "--output-format", "stream-json")
 
 	// Add prompt argument
 	geminiArgs = append(geminiArgs, "--prompt", "\"$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"")
@@ -206,18 +206,22 @@ func (e *GeminiEngine) GetExecutionSteps(workflowData *WorkflowData, logFile str
 		npmPathSetup := GetNpmBinPathSetup()
 		geminiCommandWithPath := fmt.Sprintf("%s && %s", npmPathSetup, geminiCommand)
 
+		// Enable API proxy sidecar if this engine supports LLM gateway
+		llmGatewayPort := e.SupportsLLMGateway()
+		usesAPIProxy := llmGatewayPort > 0
+
 		command = BuildAWFCommand(AWFCommandConfig{
 			EngineName:     "gemini",
 			EngineCommand:  geminiCommandWithPath,
 			LogFile:        logFile,
 			WorkflowData:   workflowData,
 			UsesTTY:        false,
-			UsesAPIProxy:   false,
+			UsesAPIProxy:   usesAPIProxy,
 			AllowedDomains: allowedDomains,
 		})
 	} else {
 		command = fmt.Sprintf(`set -o pipefail
-%s 2>&1 | tee %s`, geminiCommand, logFile)
+%s 2>&1 | tee -a %s`, geminiCommand, logFile)
 	}
 
 	// Build environment variables
@@ -232,6 +236,12 @@ func (e *GeminiEngine) GetExecutionSteps(workflowData *WorkflowData, logFile str
 		env["GH_AW_MCP_CONFIG"] = "${{ github.workspace }}/.gemini/settings.json"
 	}
 
+	// When the firewall (AWF) is enabled with --enable-api-proxy, point Gemini CLI at the
+	// LLM gateway sidecar instead of the real googleapis.com endpoint.
+	if firewallEnabled {
+		env["GEMINI_API_BASE_URL"] = fmt.Sprintf("http://host.docker.internal:%d", constants.GeminiLLMGatewayPort)
+	}
+
 	// Add safe outputs env
 	applySafeOutputEnvToMap(env, workflowData)
 

pkg/workflow/gemini_engine_test.go

@@ -152,7 +152,7 @@ func TestGeminiEngineExecution(t *testing.T) {
 		assert.Contains(t, stepContent, "id: agentic_execution", "Should have agentic_execution ID")
 		assert.Contains(t, stepContent, "gemini", "Should invoke gemini command")
 		assert.Contains(t, stepContent, "--yolo", "Should include --yolo flag for auto-approving tool executions")
-		assert.Contains(t, stepContent, "--output-format json", "Should use JSON output format")
+		assert.Contains(t, stepContent, "--output-format stream-json", "Should use streaming JSON output format")
 		assert.Contains(t, stepContent, `--prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"`, "Should include prompt argument with correct shell quoting")
 		assert.Contains(t, stepContent, "/tmp/test.log", "Should include log file")
 		assert.Contains(t, stepContent, "GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}", "Should set GEMINI_API_KEY env var")
@@ -273,6 +273,8 @@ func TestGeminiEngineFirewallIntegration(t *testing.T) {
 		// Should use AWF command
 		assert.Contains(t, stepContent, "awf", "Should use AWF when firewall is enabled")
 		assert.Contains(t, stepContent, "--allow-domains", "Should include allow-domains flag")
+		assert.Contains(t, stepContent, "--enable-api-proxy", "Should include --enable-api-proxy flag")
+		assert.Contains(t, stepContent, "GEMINI_API_BASE_URL: http://host.docker.internal:10003", "Should set GEMINI_API_BASE_URL to LLM gateway URL")
 	})
 
 	t.Run("firewall disabled", func(t *testing.T) {
@@ -293,5 +295,6 @@ func TestGeminiEngineFirewallIntegration(t *testing.T) {
 		// Should use simple command without AWF
 		assert.Contains(t, stepContent, "set -o pipefail", "Should use simple command with pipefail")
 		assert.NotContains(t, stepContent, "awf", "Should not use AWF when firewall is disabled")
+		assert.NotContains(t, stepContent, "GEMINI_API_BASE_URL", "Should not set GEMINI_API_BASE_URL when firewall is disabled")
 	})
 }

pkg/workflow/strict_mode_llm_gateway_test.go

@@ -287,6 +287,11 @@ func TestSupportsLLMGateway(t *testing.T) {
 			expectedPort: constants.CopilotLLMGatewayPort,
 			description:  "Copilot engine uses dedicated port for LLM gateway",
 		},
+		{
+			engineID:     "gemini",
+			expectedPort: constants.GeminiLLMGatewayPort,
+			description:  "Gemini engine uses dedicated port for LLM gateway",
+		},
 	}
 
 	for _, tt := range tests {

smoke_test_push_22239107636.txt

@@ -0,0 +1 @@
+Test file for PR push - smoke test run 22239107636