CLI silently loads API key from .env file, bypasses /auth selection, causes unintended Vertex AI billing

[n3g3ntr0pe]

I recently discovered I'd been billed $34 for Vertex AI usage that I believed I'd configured to use the free tier. I'm sharing what I found in case it helps others, and because I think there are some UX improvements worth considering.

What happened

I had selected Type: "vertex-ai" in my settings.json and a GOOGLE_API_KEY in a ~/.env file that I'd created months ago for a different purpose. I wasn't aware the CLI would find and load it.

Over several sessions, I used /auth signin and /auth signout to switch Google accounts, believing this controlled which account was billed. It didn't — those commands change identity, not billing method. The /auth command (bare) changes the billing method, but the naming doesn't make this distinction clear.

I also tried deleting mcp-oauth-tokens-v2.json and signing out of my browser. Neither helped, because the actual credential was the API key being silently loaded from .env.

Root cause

• findEnvFile() (chunk-EAXTBDLN.js:62483) walks the entire directory tree upward, then falls back to ~/.env
• loadEnvironment() (line 62523) parses the file via dotenv and injects all variables into process.env
• createContentGeneratorConfig() (chunk-2OFO4ODK.js:278016) checks for GOOGLE_API_KEY — if present and selectedType is
  vertex-ai, requests route to the paid Vertex AI endpoint
• No log message, warning, or UI indicator tells the user this has happened

Suggestions

1. Log or display when .env variables are loaded — especially billing-sensitive ones like GOOGLE_API_KEY
2. Show the active billing path persistently in the UI — e.g. "Auth: Vertex AI (paid)" vs "Auth: Google Sign-in
   (free)" in the status bar
3. Clarify /auth vs /auth signin — the current naming implies they're related when they control completely different
   things (billing method vs account identity)
4. Warn when selecting Vertex AI — a simple "(paid, per-token billing)" label on option 3 in the auth dialog would
   help

Environment

• Gemini CLI v0.35.2–0.35.3 (now updated to 0.36.0)
• Linux, personal Google account
• Free tier models (2.5 Pro/Flash) were sufficient — I received no additional value from the paid path

Related discussions: #4472, #4841, #4495

Thanks for building the CLI — I use it regularly and want it to succeed. These are solvable UX issues that would save
others from the same experience.