The Problem
Google One AI Pro subscriber here. Sign in with Google OAuth, CLI detects the tier correctly ("Gemini Code Assist in Google One AI Pro"), but every prompt fails:
403 PERMISSION_DENIED
The caller does not have permission
Endpoint: cloudcode-pa.googleapis.com/v1internal:streamGenerateContent
There are 35+ issues reporting this same pattern (#25189, #25226, #25431, #25797, #25954, #26036, #26039, #26080, #26190, #26564 — long list). Most were closed as "not_planned" by automation with boilerplate. But the code hasn't changed.
What I Found In main Branch
Two community PRs were submitted to fix the root causes. Both have the code ready. Neither was merged.
PR #25450 — Ghost project hijacking fix. Submitted Apr 15. loadCodeAssist sometimes returns a phantom cloudaicompanionProject for personal accounts. The CodeAssistServer uses it blindly → 403 because the account has no IAM access on that phantom project. The fix strips the phantom project ID when the user didn't explicitly set one. Never merged.
PR #26420 — GOOGLE_CLOUD_PROJECT override fix. Submitted May 4. If you have GOOGLE_CLOUD_PROJECT set (common for anyone doing GCP dev work), the CLI force-uses it for ALL auth types including OAuth. For personal accounts, this routes through the enterprise Code Assist path → 403. The fix skips the env var for LOGIN_WITH_GOOGLE and falls back to the server-managed project. Never merged.
What did land: PR #20507 (retry logic for OAuth on 429/499) — merged Feb 27. Good fix, but doesn't address the 403.
Code That Still Breaks
packages/core/src/code_assist/setup.ts line 98:
const projectId = process.env['GOOGLE_CLOUD_PROJECT'] || ...
Unconditional read. No auth-type check.
packages/core/src/code_assist/server.ts — loadCodeAssist:
Accepts whatever cloudaicompanionProject the backend returns. No stripping for personal accounts without an explicit project.
The fix code already exists in #25450 and #26420. Small changes — 89 lines and 103 lines.
## What I'm Asking
Can someone review and merge #25450 and #26420? They've been sitting for weeks. Users are still hitting 403 every day because of these two bugs. The fixes are written, tested, and waiting.
The Problem
Google One AI Pro subscriber here. Sign in with Google OAuth, CLI detects the tier correctly ("Gemini Code Assist in Google One AI Pro"), but every prompt fails:
403 PERMISSION_DENIED
The caller does not have permission
Endpoint:
cloudcode-pa.googleapis.com/v1internal:streamGenerateContentThere are 35+ issues reporting this same pattern (#25189, #25226, #25431, #25797, #25954, #26036, #26039, #26080, #26190, #26564 — long list). Most were closed as "not_planned" by automation with boilerplate. But the code hasn't changed.
What I Found In main Branch
Two community PRs were submitted to fix the root causes. Both have the code ready. Neither was merged.
PR #25450 — Ghost project hijacking fix. Submitted Apr 15.
loadCodeAssistsometimes returns a phantomcloudaicompanionProjectfor personal accounts. TheCodeAssistServeruses it blindly → 403 because the account has no IAM access on that phantom project. The fix strips the phantom project ID when the user didn't explicitly set one. Never merged.PR #26420 —
GOOGLE_CLOUD_PROJECToverride fix. Submitted May 4. If you haveGOOGLE_CLOUD_PROJECTset (common for anyone doing GCP dev work), the CLI force-uses it for ALL auth types including OAuth. For personal accounts, this routes through the enterprise Code Assist path → 403. The fix skips the env var forLOGIN_WITH_GOOGLEand falls back to the server-managed project. Never merged.What did land: PR #20507 (retry logic for OAuth on 429/499) — merged Feb 27. Good fix, but doesn't address the 403.
Code That Still Breaks
packages/core/src/code_assist/setup.tsline 98:Unconditional read. No auth-type check.
packages/core/src/code_assist/server.ts—loadCodeAssist:Accepts whatever
cloudaicompanionProjectthe backend returns. No stripping for personal accounts without an explicit project.The fix code already exists in #25450 and #26420. Small changes — 89 lines and 103 lines.
## What I'm Asking
Can someone review and merge #25450 and #26420? They've been sitting for weeks. Users are still hitting 403 every day because of these two bugs. The fixes are written, tested, and waiting.