✨ Add Google/Gemini provider support to parallel analyze subagents

Extend SubagentRunner to support Google/Gemini as a provider option alongside
OpenAI and Anthropic. Add resolve_gemini_client helper with the same API key
resolution pattern (config → env → client default) and error sanitization.

Also expand OpenAI API key validation to accept both 'sk-' and 'sk-proj-'
prefixes via new api_key_prefixes() method, allowing project-scoped keys.

Add api_key_if_set() helper to ProviderConfig for cleaner empty-string
handling and refactor IrisAgent and IrisAgentService to use it.

Includes comprehensive test coverage for multi-prefix validation,
api_key_if_set behavior, and all-provider resolution paths.

Author: hyperb1iss

src/agents/iris.rs

@@ -416,8 +416,7 @@ impl IrisAgent {
         self.config
             .as_ref()
             .and_then(|c| c.get_provider_config(&self.provider))
-            .map(|pc| pc.api_key.as_str())
-            .filter(|k| !k.is_empty())
+            .and_then(|pc| pc.api_key_if_set())
     }
 
     /// Build the actual agent for execution

src/agents/provider.rs

@@ -3,7 +3,7 @@
 //! This module provides runtime provider selection using enum dispatch,
 //! allowing git-iris to work with any supported provider based on config.
 
-use anyhow::{Context, Result};
+use anyhow::Result;
 use rig::{
     agent::{Agent, AgentBuilder, PromptResponse},
     client::{CompletionClient, ProviderClient},
@@ -95,16 +95,16 @@ fn validate_and_warn(key: &str, provider: Provider, source: &str) {
 /// in config while still supporting env-only setups.
 pub fn resolve_api_key(api_key: Option<&str>, provider: Provider) -> (Option<String>, ApiKeySource) {
     // If explicit key provided and non-empty, use it
-    if let Some(key) = api_key {
-        if !key.is_empty() {
-            tracing::trace!(
-                provider = %provider,
-                source = "config",
-                "Using API key from configuration"
-            );
-            validate_and_warn(key, provider, "config");
-            return (Some(key.to_string()), ApiKeySource::Config);
-        }
+    if let Some(key) = api_key
+        && !key.is_empty()
+    {
+        tracing::trace!(
+            provider = %provider,
+            source = "config",
+            "Using API key from configuration"
+        );
+        validate_and_warn(key, provider, "config");
+        return (Some(key.to_string()), ApiKeySource::Config);
     }
 
     // Fall back to environment variable
@@ -138,11 +138,17 @@ pub fn resolve_api_key(api_key: Option<&str>, provider: Provider) -> (Option<Str
 ///
 /// # Errors
 /// Returns an error if client creation fails (invalid credentials or missing env var).
+///
+/// # Security
+/// Error messages are sanitized to prevent potential API key exposure.
 pub fn openai_builder(model: &str, api_key: Option<&str>) -> Result<OpenAIBuilder> {
     let (resolved_key, _source) = resolve_api_key(api_key, Provider::OpenAI);
     let client = match resolved_key {
         Some(key) => openai::Client::new(&key)
-            .context("Failed to create OpenAI client with provided credentials")?,
+            // Sanitize error to prevent potential key exposure in error messages
+            .map_err(|_| anyhow::anyhow!(
+                "Failed to create OpenAI client: authentication or configuration error"
+            ))?,
         None => openai::Client::from_env(),
     };
     Ok(client.completions_api().agent(model))
@@ -159,11 +165,17 @@ pub fn openai_builder(model: &str, api_key: Option<&str>) -> Result<OpenAIBuilde
 ///
 /// # Errors
 /// Returns an error if client creation fails (invalid credentials or missing env var).
+///
+/// # Security
+/// Error messages are sanitized to prevent potential API key exposure.
 pub fn anthropic_builder(model: &str, api_key: Option<&str>) -> Result<AnthropicBuilder> {
     let (resolved_key, _source) = resolve_api_key(api_key, Provider::Anthropic);
     let client = match resolved_key {
         Some(key) => anthropic::Client::new(&key)
-            .context("Failed to create Anthropic client with provided credentials")?,
+            // Sanitize error to prevent potential key exposure in error messages
+            .map_err(|_| anyhow::anyhow!(
+                "Failed to create Anthropic client: authentication or configuration error"
+            ))?,
         None => anthropic::Client::from_env(),
     };
     Ok(client.agent(model))
@@ -180,11 +192,17 @@ pub fn anthropic_builder(model: &str, api_key: Option<&str>) -> Result<Anthropic
 ///
 /// # Errors
 /// Returns an error if client creation fails (invalid credentials or missing env var).
+///
+/// # Security
+/// Error messages are sanitized to prevent potential API key exposure.
 pub fn gemini_builder(model: &str, api_key: Option<&str>) -> Result<GeminiBuilder> {
     let (resolved_key, _source) = resolve_api_key(api_key, Provider::Google);
     let client = match resolved_key {
         Some(key) => gemini::Client::new(&key)
-            .context("Failed to create Gemini client with provided credentials")?,
+            // Sanitize error to prevent potential key exposure in error messages
+            .map_err(|_| anyhow::anyhow!(
+                "Failed to create Gemini client: authentication or configuration error"
+            ))?,
         None => gemini::Client::from_env(),
     };
     Ok(client.agent(model))
@@ -242,4 +260,35 @@ mod tests {
         assert_eq!(ApiKeySource::ClientDefault, ApiKeySource::ClientDefault);
         assert_ne!(ApiKeySource::Config, ApiKeySource::Environment);
     }
+
+    #[test]
+    fn test_resolve_api_key_all_providers() {
+        // Test that resolve_api_key works for all supported providers
+        for provider in Provider::ALL {
+            let (key, source) =
+                resolve_api_key(Some("test-key-123456789012345"), *provider);
+            assert_eq!(key, Some("test-key-123456789012345".to_string()));
+            assert_eq!(source, ApiKeySource::Config);
+        }
+    }
+
+    #[test]
+    fn test_resolve_api_key_config_precedence() {
+        // Even if env var is set, config should take precedence
+        // We can't easily mock env vars in unit tests, but we can verify
+        // that a provided config key is always used regardless of env state
+        let config_key = "sk-from-config-abcdef1234567890";
+        let (key, source) = resolve_api_key(Some(config_key), Provider::OpenAI);
+
+        assert_eq!(key.as_deref(), Some(config_key));
+        assert_eq!(source, ApiKeySource::Config);
+    }
+
+    #[test]
+    fn test_api_key_source_debug_impl() {
+        // Verify Debug is implemented for logging purposes
+        let source = ApiKeySource::Config;
+        let debug_str = format!("{:?}", source);
+        assert!(debug_str.contains("Config"));
+    }
 }

src/agents/setup.rs

@@ -488,7 +488,7 @@ impl IrisAgentService {
     pub fn api_key(&self) -> Option<String> {
         self.config
             .get_provider_config(&self.provider)
-            .filter(|pc| !pc.api_key.is_empty())
-            .map(|pc| pc.api_key.clone())
+            .and_then(|pc| pc.api_key_if_set())
+            .map(String::from)
     }
 }

src/agents/tools/parallel_analyze.rs

@@ -8,7 +8,7 @@ use anyhow::Result;
 use rig::{
     client::{CompletionClient, ProviderClient},
     completion::{Prompt, ToolDefinition},
-    providers::{anthropic, openai},
+    providers::{anthropic, gemini, openai},
     tool::Tool,
 };
 use schemars::JsonSchema;
@@ -71,6 +71,10 @@ enum SubagentRunner {
         client: anthropic::Client,
         model: String,
     },
+    Gemini {
+        client: gemini::Client,
+        model: String,
+    },
 }
 
 impl SubagentRunner {
@@ -90,14 +94,21 @@ impl SubagentRunner {
                     model: model.to_string(),
                 })
             }
+            "google" | "gemini" => {
+                let client = Self::resolve_gemini_client(api_key)?;
+                Ok(Self::Gemini {
+                    client,
+                    model: model.to_string(),
+                })
+            }
             _ => Err(anyhow::anyhow!(
-                "Unsupported provider for parallel analysis: {}",
+                "Unsupported provider for parallel analysis: {}. Supported: openai, anthropic, google",
                 provider
             )),
         }
     }
 
-    /// Create OpenAI client using shared resolution logic
+    /// Create `OpenAI` client using shared resolution logic
     ///
     /// Uses `resolve_api_key` from provider module to maintain consistent
     /// resolution order: config → env var → client default
@@ -111,7 +122,7 @@ impl SubagentRunner {
         }
     }
 
-    /// Create Anthropic client using shared resolution logic
+    /// Create `Anthropic` client using shared resolution logic
     ///
     /// Uses `resolve_api_key` from provider module to maintain consistent
     /// resolution order: config → env var → client default
@@ -125,6 +136,20 @@ impl SubagentRunner {
         }
     }
 
+    /// Create `Gemini` client using shared resolution logic
+    ///
+    /// Uses `resolve_api_key` from provider module to maintain consistent
+    /// resolution order: config → env var → client default
+    fn resolve_gemini_client(api_key: Option<&str>) -> Result<gemini::Client> {
+        let (resolved_key, _source) = resolve_api_key(api_key, Provider::Google);
+        match resolved_key {
+            Some(key) => gemini::Client::new(&key)
+                // Sanitize error to avoid exposing key material
+                .map_err(|_| anyhow::anyhow!("Failed to create Gemini client: authentication or configuration error")),
+            None => Ok(gemini::Client::from_env()),
+        }
+    }
+
     async fn run_task(&self, task: &str) -> SubagentResult {
         let preamble = "You are a specialized analysis sub-agent. Complete the assigned \
             task thoroughly and return a focused summary.\n\n\
@@ -146,6 +171,11 @@ impl SubagentRunner {
                 let agent = crate::attach_core_tools!(builder).build();
                 agent.prompt(task).await
             }
+            Self::Gemini { client, model } => {
+                let builder = client.agent(model).preamble(preamble).max_tokens(4096);
+                let agent = crate::attach_core_tools!(builder).build();
+                agent.prompt(task).await
+            }
         };
 
         match result {

src/providers.rs

@@ -66,22 +66,33 @@ impl Provider {
         }
     }
 
-    /// Expected API key prefix for basic format validation
+    /// Valid API key prefixes for format validation
     ///
-    /// Returns the expected prefix for the provider's API keys, if known.
-    /// This helps catch typos and misconfigurations early.
+    /// Returns the expected prefixes for the provider's API keys.
+    /// `OpenAI` has multiple valid prefixes (sk-, sk-proj-).
+    pub fn api_key_prefixes(&self) -> &'static [&'static str] {
+        match self {
+            Self::OpenAI => &["sk-", "sk-proj-"],
+            Self::Anthropic => &["sk-ant-"],
+            Self::Google => &[], // Google API keys don't have a consistent prefix
+        }
+    }
+
+    /// Expected API key prefix for basic format validation (primary prefix)
+    ///
+    /// Returns the primary expected prefix for display in error messages.
     pub const fn api_key_prefix(&self) -> Option<&'static str> {
         match self {
             Self::OpenAI => Some("sk-"),
             Self::Anthropic => Some("sk-ant-"),
-            Self::Google => None, // Google API keys don't have a consistent prefix
+            Self::Google => None,
         }
     }
 
     /// Validate API key format
     ///
     /// Performs basic validation to catch obvious misconfigurations:
-    /// - Checks for expected prefix (OpenAI: `sk-`, Anthropic: `sk-ant-`)
+    /// - Checks for expected prefix (`OpenAI`: `sk-` or `sk-proj-`, `Anthropic`: `sk-ant-`)
     /// - Ensures key is not suspiciously short
     ///
     /// Returns `Ok(())` if valid, or a warning message if potentially invalid.
@@ -97,15 +108,23 @@ impl Provider {
             ));
         }
 
-        // Check expected prefix
-        if let Some(prefix) = self.api_key_prefix() {
-            if !key.starts_with(prefix) {
-                return Err(format!(
-                    "{} API key should start with '{}' (key has unexpected prefix)",
-                    self.name(),
-                    prefix
-                ));
-            }
+        // Check expected prefixes
+        let prefixes = self.api_key_prefixes();
+        if !prefixes.is_empty() && !prefixes.iter().any(|p| key.starts_with(p)) {
+            let expected = if prefixes.len() == 1 {
+                format!("'{}'", prefixes[0])
+            } else {
+                prefixes
+                    .iter()
+                    .map(|p| format!("'{p}'"))
+                    .collect::<Vec<_>>()
+                    .join(" or ")
+            };
+            return Err(format!(
+                "{} API key should start with {} (key has unexpected prefix)",
+                self.name(),
+                expected
+            ));
         }
 
         Ok(())
@@ -210,6 +229,19 @@ impl ProviderConfig {
     pub fn has_api_key(&self) -> bool {
         !self.api_key.is_empty()
     }
+
+    /// Get API key if set (non-empty), otherwise None
+    ///
+    /// This is the canonical way to extract an API key for passing to
+    /// provider builders. Returns `None` for empty strings, allowing
+    /// fallback to environment variables.
+    pub fn api_key_if_set(&self) -> Option<&str> {
+        if self.api_key.is_empty() {
+            None
+        } else {
+            Some(&self.api_key)
+        }
+    }
 }
 
 #[cfg(test)]
@@ -251,13 +283,44 @@ mod tests {
         assert_eq!(Provider::Google.api_key_prefix(), None);
     }
 
+    #[test]
+    fn test_api_key_if_set() {
+        // Non-empty key returns Some
+        let mut config = ProviderConfig::with_defaults(Provider::OpenAI);
+        config.api_key = "sk-test-key-12345678901234567890".to_string();
+        assert_eq!(
+            config.api_key_if_set(),
+            Some("sk-test-key-12345678901234567890")
+        );
+
+        // Empty key returns None
+        config.api_key = String::new();
+        assert_eq!(config.api_key_if_set(), None);
+    }
+
+    #[test]
+    fn test_api_key_prefixes() {
+        // OpenAI accepts multiple prefixes
+        assert_eq!(Provider::OpenAI.api_key_prefixes(), &["sk-", "sk-proj-"]);
+        assert_eq!(Provider::Anthropic.api_key_prefixes(), &["sk-ant-"]);
+        assert!(Provider::Google.api_key_prefixes().is_empty());
+    }
+
     #[test]
     fn test_api_key_validation_valid_openai() {
         // Valid OpenAI key format (starts with sk-, long enough)
         let result = Provider::OpenAI.validate_api_key_format("sk-1234567890abcdefghijklmnop");
         assert!(result.is_ok());
     }
 
+    #[test]
+    fn test_api_key_validation_valid_openai_project_key() {
+        // Valid OpenAI project key format (starts with sk-proj-, long enough)
+        let result =
+            Provider::OpenAI.validate_api_key_format("sk-proj-1234567890abcdefghijklmnop");
+        assert!(result.is_ok());
+    }
+
     #[test]
     fn test_api_key_validation_valid_anthropic() {
         // Valid Anthropic key format (starts with sk-ant-, long enough)
@@ -287,6 +350,8 @@ mod tests {
         assert!(result.is_err());
         let err = result.unwrap_err();
         assert!(err.contains("should start with"));
+        // Error should mention valid prefixes
+        assert!(err.contains("'sk-'") || err.contains("'sk-proj-'"));
         // Verify we don't expose the actual key prefix in error messages
         assert!(!err.contains("wrong-"));
     }