Add gateway providers and default dev-browser off

[numman-ali]

Description

This PR expands provider coverage and aligns defaults with the updated product direction:

• Adds GatewayZ, Vercel AI Gateway, and NanoGPT providers across core, TUI, CLI, and docs.
• Introduces brand themes + splash art for all three new providers.
• Defaults the dev-browser skill to off (still opt-in) to reduce friction for quick setups.
• Updates maintainer context/decisions to reflect team mode removal and provider expansion focus.

Type of Change

• New feature (non-breaking change that adds functionality)
• Bug fix (non-breaking change that fixes an issue)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update

Related Issues

• Related: [Feature] Add support for Claude via cloud providers #23 (Add support for Claude via cloud providers)
• Implements ideas from PRs feat: add GatewayZ provider with Anthropic API support #4 (GatewayZ), feat: add Vercel AI Gateway provider #21 (Vercel), feat: add NanoGPT as a provider #5 (NanoGPT)

What’s Included

Providers

• GatewayZ (gatewayz)
  • Anthropic-compatible base URL https://api.gatewayz.ai
  • authToken mode + requires model mapping
• Vercel AI Gateway (vercel)
  • Base URL https://ai-gateway.vercel.sh
  • authToken mode + requires model mapping
  • Enforces empty ANTHROPIC_API_KEY (token-only auth)
• NanoGPT (nanogpt)
  • Base URL https://nano-gpt.com/api
  • authToken mode (no model mapping requirement)

UX / TUI

• Provider education panels and quick comparisons updated.
• Model config placeholders for GatewayZ and Vercel.
• Provider haikus added.
• New splash art + ANSI colors for each provider.

Defaults / Behavior

• dev-browser skill default is now off in TUI + core defaults.

Docs / Tests

• README and CLI help updated with new providers and themes.
• Architecture overview updated.
• E2E provider matrix + ASCII art tests updated for new providers.

How Has This Been Tested?

• Ran npm test -- --test-name-pattern="E2E:"
• Pre-commit hook ran npm test (coverage) + tsc --noEmit + lint
• Tested the TUI flow manually
• Tested CLI commands manually

Checklist

• My code follows the project's style guidelines
• I have performed a self-review of my code
• I have commented my code where necessary
• I have updated the documentation if needed
• My changes generate no new warnings
• I have added tests that prove my fix/feature works
• New and existing tests pass locally

Notes / Follow-ups

• If you want model mapping to be optional for any gateway provider, we can adjust per-provider defaults.
• We may want to add a short docs section explaining the dev-browser opt-in decision.

[claude]

Code Review: Add Gateway Providers and Default dev-browser Off

Great work on this PR! The implementation is solid and follows the project's conventions well. Here's my detailed review:

✅ Strengths

1. Consistent Implementation Pattern: All three new providers (GatewayZ, Vercel, NanoGPT) follow the established pattern perfectly:

   • Provider definitions in src/providers/index.ts with correct auth modes
   • Complete brand themes in src/brands/*.ts with custom color palettes
   • ASCII splash art in wrapper scripts
   • Full test coverage in E2E suite

2. Good UX Defaults: Defaulting dev-browser skill to false (src/core/variant-builder/VariantBuilder.ts:44, VariantUpdater.ts:41) reduces friction for quick setups while keeping it easily opt-in. This aligns well with the stated goal of minimizing setup complexity.

3. Comprehensive Test Coverage:

   • All providers added to test/e2e/providers.ts with expected theme IDs and splash styles
   • ASCII art tests validate ANSI color codes in wrapper scripts
   • Provider matrix expanded properly

4. Documentation Updates: README and architecture docs updated appropriately.

🔍 Code Quality Issues

1. Security: requiresEmptyApiKey Implementation (src/providers/index.ts:290-291)

if (provider.requiresEmptyApiKey) {
  env.ANTHROPIC_API_KEY = '';

Issue: Setting ANTHROPIC_API_KEY to an empty string could cause authentication issues if Claude Code checks for empty strings vs undefined. Some auth libraries treat empty strings as "set but invalid."

Recommendation: Consider deleting the key entirely instead:

if (provider.requiresEmptyApiKey) {
  delete env.ANTHROPIC_API_KEY;
}

Or verify that Claude Code explicitly handles empty strings correctly for authToken-only providers.

2. Missing Type Safety (src/brands/index.ts)

The brand files export build functions but there's no central type checking that all providers have corresponding brands. If someone adds a provider without a brand, it would fail at runtime.

Recommendation: Add a compile-time check or at least validate at test time that every non-experimental provider has a brand theme.

3. Color Accessibility (src/brands/*.ts)

The custom color palettes are beautiful but there's no validation of contrast ratios for accessibility. Some color combinations (especially textDim on base backgrounds) may not meet WCAG AA standards.

Recommendation: Consider adding contrast ratio checks in tests or comments documenting the intended contrast ratios.

🐛 Potential Bugs

1. Vercel Gateway Empty API Key Handling (src/providers/index.ts:150)

Vercel is the only provider with requiresEmptyApiKey: true. This is a unique edge case that could break if:

• Claude Code later adds validation that rejects empty API keys
• The auth flow changes upstream

Recommendation: Add a comment explaining WHY Vercel requires this (token-only auth), and consider adding a test specifically for this edge case.

2. Missing Model Mapping Validation

GatewayZ and Vercel both have requiresModelMapping: true but there's no validation that model overrides were actually provided during creation.

Recommendation: Add validation in buildEnv to warn or error if requiresModelMapping is true but no model overrides are present.

📊 Performance Considerations

1. Wrapper Script Size: Each new provider adds ~10 lines of ASCII art to every wrapper script. With 8 providers, the scripts are getting large. Not a current issue, but consider lazy-loading splash art if this grows to 20+ providers.

2. Test Suite Growth: E2E tests now create 7 variants per test. Runtime is still acceptable but watch for slowdowns as more providers are added.

🔒 Security Concerns

1. Base URL Validation: None of the new provider base URLs are validated (e.g., https://api.gatewayz.ai). If these URLs change or are typo'd, variants will fail silently.

Recommendation: Consider adding validation or documentation links to official provider docs.

2. API Key Storage: API keys are stored in plaintext in settings.json. This is consistent with existing behavior, but worth documenting clearly for users.

🧪 Test Coverage

Good:

• E2E creation tests cover all providers
• ASCII art validation
• Theme ID validation

Missing:

• Integration test for requiresEmptyApiKey behavior with Vercel
• Test that model mapping requirement is enforced for GatewayZ/Vercel
• Validation that splash art renders correctly in actual TTY (current tests just check for presence)

📝 Documentation & Maintainability

1. Provider Documentation: The new providers lack documentation about where to get API keys or how to configure model mapping.

Recommendation: Add a section to README or docs/providers/ for each new provider with:

• Where to get API keys
• Available models
• Example model mapping configurations

2. Maintainer Context: Good update to .github/maintainer/context.md clarifying team mode removal and provider expansion focus.

🎨 Code Style

• Follows project conventions consistently
• TypeScript types are well-defined
• Color palette organization is clean and maintainable
• Naming conventions are consistent

✨ Suggestions for Follow-up

1. Add provider-specific documentation pages
2. Consider validation for requiresModelMapping providers
3. Test the Vercel empty API key behavior in real scenarios
4. Document contrast ratios for accessibility
5. Consider adding a provider health check command (npx cc-mirror doctor)

🎯 Verdict

This is a well-executed PR that follows project patterns consistently. The main concerns are:

1. Vercel's requiresEmptyApiKey behavior needs validation/testing
2. Missing validation for required model mappings
3. Lack of provider-specific user documentation

These are all addressable in follow-up work. The core implementation is solid and ready to merge after addressing the empty API key concern.

Recommendation: Approve with minor changes. Suggest either:

• Change line 291 to delete env.ANTHROPIC_API_KEY; instead of setting to empty string, OR
• Add test validating that empty string works correctly with Claude Code's auth flow

Great work overall! 🚀

[claude]

Pull Request Review

This is a solid PR that expands provider coverage with four new gateway providers and improves UX defaults. The code quality is generally high with good attention to consistency and test coverage. Below are my findings:

✅ Strengths

Architecture & Design

• Consistent provider pattern: All four new providers (GatewayZ, Vercel, NanoGPT, Ollama) follow the established provider template structure
• Clear auth mode handling: The new authTokenAlsoSetsApiKey and requiresEmptyApiKey flags elegantly handle edge cases like Vercel's empty API key requirement and Ollama's dual auth approach
• Complete theme implementation: Each provider includes full brand theme with ASCII art, color palettes, thinking verbs, and TweakCC config
• Good UX change: Defaulting dev-browser skill to opt-in reduces friction and aligns with user feedback

Code Quality

• Type safety: All new code properly typed with TypeScript interfaces
• Test coverage: E2E tests, ASCII art tests, and provider matrix tests all updated to include new providers
• Documentation: README, CLI help, and architecture docs all updated consistently
• No duplication: Brand theme files follow DRY principles with shared utility functions

Security

• Proper credential handling: Auth token/API key logic correctly implemented with appropriate env var cleanup
• No hardcoded secrets: All credentials properly externalized
• Wrapper script security: Auth token unsetting logic (CC_MIRROR_UNSET_AUTH_TOKEN) works correctly in both bash and Windows wrappers

⚠️ Issues Found

1. Potential Auth Logic Bug (Medium Priority)

Location: src/providers/index.ts:315-321

The auth cleanup logic at the end of buildEnv() may override earlier settings:

// Lines 280-282: Set both tokens for Ollama
if (provider.authTokenAlsoSetsApiKey) {
  env.ANTHROPIC_API_KEY = trimmed;
}

// Lines 315-320: This may delete what we just set!
if (authMode === 'authToken') {
  if (provider.requiresEmptyApiKey) {
    env.ANTHROPIC_API_KEY = '';  // Vercel case
  } else if (!provider.authTokenAlsoSetsApiKey && Object.hasOwn(env, 'ANTHROPIC_API_KEY')) {
    delete env.ANTHROPIC_API_KEY;  // This is safe due to the guard
  }
}

Analysis: The code is actually safe because of the !provider.authTokenAlsoSetsApiKey guard on line 318, but the logic flow is confusing. The cleanup logic appears twice (lines 289-291 and 318-320) which could cause maintenance issues.

Recommendation: Consolidate the API key cleanup logic or add a comment explaining why it appears twice.

2. Missing Provider Validation (Low Priority)

Location: src/cli/utils/modelOverrides.ts:42

Error message hardcodes provider list:

throw new Error(
  'This provider requires --model-sonnet/--model-opus/--model-haiku (OpenRouter, GatewayZ, Vercel AI Gateway, Ollama).'
);

Issue: If another provider with requiresModelMapping: true is added, this error message won't be updated automatically.

Recommendation: Make the error message dynamic or use a constant list that references the actual provider definitions.

3. Color Code Ambiguity (Low Priority)

Location: test/e2e/providers.ts:68

NanoGPT test defines color as "Neon cyan" but the code is \x1b[38;5;81m:

{
  key: 'nanogpt',
  colorCode: '\x1b[38;5;81m', // Neon cyan
}

Issue: Looking at src/brands/nanogpt.ts, the theme uses blues (#3b82f6, #60a5fa) not cyan. The comment/theme name "NanoGPT Neon" suggests blue.

Recommendation: Verify the ANSI color 81 matches the intended brand theme, or update the comment to match reality.

4. Incomplete Theme Documentation (Low Priority)

Location: Brand theme files

All four new brand files (gatewayz.ts, vercel.ts, nanogpt.ts, ollama.ts) are 190+ lines each with identical structure but minimal documentation.

Recommendation: Consider adding JSDoc comments to explain:

• What each palette color represents
• Why specific thinking verbs were chosen
• Any provider-specific theming decisions

🔍 Code Review Notes

Theme Consistency ✅

All themes properly implement the full Theme interface with all required color properties. The color mixing functions (mix, lighten) are implemented identically across files, which is good for consistency but suggests potential for extraction to a shared utility.

Wrapper Script Security ✅

The wrapper script correctly implements the CC_MIRROR_UNSET_AUTH_TOKEN check in both bash (line 473-475 in wrapper.ts) and Windows (line 252-254) versions. This ensures API key providers properly clean up auth tokens.

Model Override Logic ✅

The ensureModelMapping function correctly validates that providers requiring model mapping have the necessary overrides, with appropriate prompts in interactive mode and clear error messages in --yes mode.

ASCII Art ✅

All new providers have ASCII art added to the wrapper script with appropriate ANSI color codes and are properly tested in test/e2e/ascii-art.test.ts.

💡 Suggestions for Future Improvements

1. Extract shared theme utilities: The hexToRgb, rgb, mix, lighten functions are duplicated across all brand files. Consider extracting to src/brands/themeUtils.ts.

2. Provider configuration validation: Add runtime validation to ensure provider configs are valid (e.g., authToken providers don't set API keys in default env).

3. Provider documentation: Consider adding a PROVIDERS.md doc that explains each provider's auth requirements, model mapping needs, and any special configuration.

4. Test coverage for edge cases: Add tests for:

   • Vercel's requiresEmptyApiKey behavior
   • Ollama's authTokenAlsoSetsApiKey behavior
   • What happens if both requiresEmptyApiKey and authTokenAlsoSetsApiKey are set (should error?)

📊 Performance Considerations

No performance concerns. The provider lookup is O(1) hash map access, and theme configuration is done once at variant creation time.

🔐 Security Assessment

Overall: ✅ Secure

• No credential leaks
• Proper env var isolation per variant
• Auth token cleanup works correctly
• No command injection risks in wrapper scripts
• Settings.json loading has try-catch error handling

📝 Test Coverage Assessment

Coverage: ✅ Good

• All 4 new providers in E2E test matrix
• ASCII art tests updated
• Provider validation tests exist
• Model override tests exist

Missing tests:

• Integration test for requiresEmptyApiKey (Vercel)
• Integration test for authTokenAlsoSetsApiKey (Ollama)

Final Recommendation

Approve with minor suggestions. This is solid work that meaningfully expands provider support while maintaining code quality and consistency. The issues found are minor and mostly relate to code clarity rather than correctness.

The only potentially risky item is the auth cleanup logic duplication, but inspection shows it's currently safe due to proper guards. I recommend addressing that in a follow-up refactor to avoid future bugs.

Merge Readiness Checklist

• ✅ Code follows project style guidelines
• ✅ Self-review completed
• ✅ Documentation updated
• ✅ Tests pass (per PR description)
• ✅ No security vulnerabilities
• ⚠️ Minor refactoring suggested (non-blocking)

Great work on this PR! The addition of these gateway providers significantly expands cc-mirror's flexibility. 🎉

[claude]

Pull Request Review

This PR adds three new gateway providers (GatewayZ, Vercel AI Gateway, NanoGPT) and changes the dev-browser skill default to off. I've reviewed the code quality, architecture, and implementation details.

✅ Strengths

Code Quality & Architecture

• Excellent consistency: All three new providers follow the established pattern from existing providers (zai, minimax, openrouter)
• Well-structured brand files: Each provider has a complete brand theme file with:
  • Custom color palettes with semantic naming
  • Proper color utility functions (rgb, mix, lighten)
  • Provider-specific thinking verbs
  • Complete TweakCC configuration
• Good separation of concerns: Provider definitions in src/providers/index.ts properly separated from brand themes in src/brands/

Testing

• Comprehensive test coverage: All three providers added to:
  • test/e2e/providers.ts with expected theme IDs and color codes
  • test/provider-matrix.test.ts (via existing matrix tests)
  • test/e2e/ascii-art.test.ts for splash art verification
• Test data is accurate: Color codes match the palette definitions

Documentation

• Good updates: README.md, CLI help, and architecture docs updated
• Maintainer context updated: Reflects current priorities and out-of-scope items

🔍 Areas for Improvement

1. Provider URL Verification (Medium Priority)

The PR description mentions these are "verified auth/base URLs", but I don't see evidence of this in the code or tests:

GatewayZ (https://api.gatewayz.ai)

• No documentation reference or verification comment
• Requires model mapping but no guidance on model ID format

Vercel AI Gateway (https://ai-gateway.vercel.sh)

• This URL seems generic - typically Vercel AI Gateway uses custom URLs per project
• requiresEmptyApiKey: true is set, which forces empty ANTHROPIC_API_KEY - is this verified to work?
• Line 170 in providers/index.ts: This may cause auth issues if the gateway expects the API key

NanoGPT (https://nano-gpt.com/api)

• No requiresModelMapping flag set (unlike GatewayZ and Vercel)
• Is this intentional? Does NanoGPT not require model mapping?

Recommendation: Add inline comments with documentation links or verification notes for each provider's base URL.

2. Model Mapping Inconsistency (Medium Priority)

In src/tui/screens/ModelConfigScreen.tsx:58-89, the placeholder logic shows:

const placeholders: Record<string, Record<string, string>> = {
  openrouter: { ... },
  gatewayz: { ... },
  vercel: { ... },
  ollama: { ... },
  ccrouter: { ... },
};

const providerPlaceholders = placeholders[providerKey || ''] || placeholders.ccrouter;

Issues:

• GatewayZ uses Anthropic model IDs: claude-3-opus-20240229
• Vercel uses prefixed format: anthropic/claude-3-opus-20240229
• But both are "Anthropic-compatible" according to descriptions

Are these placeholder formats verified? Different gateway providers often have different model ID conventions.

Recommendation: Verify the actual model ID formats with each provider's documentation and add comments explaining the format differences.

3. Auth Mode Verification (High Priority - Vercel)

In src/providers/index.ts:156-171, Vercel has:

authMode: 'authToken',
requiresEmptyApiKey: true,

This forces ANTHROPIC_API_KEY to be empty string. Looking at the buildEnv function (lines 316-318):

if (provider.requiresEmptyApiKey) {
  env.ANTHROPIC_API_KEY = '';
}

Concern: Setting ANTHROPIC_API_KEY='' (empty string) is different from not setting it at all. Claude Code might validate this and reject empty strings. This needs verification.

Recommendation: Test that Vercel variant actually works with empty ANTHROPIC_API_KEY, or consider using delete env.ANTHROPIC_API_KEY instead if the empty string causes issues.

4. Missing Dev-Browser Default Change Documentation

The PR description says "defaults the dev-browser skill to off", but I don't see this change in the diff. Looking at the changed files list, I don't see:

• src/core/variant-builder/VariantBuilder.ts (only 1 line changed)
• Any skill-related configuration files

Recommendation: Verify this change is actually included in the PR, or update the PR description if it was already merged separately.

5. Code Duplication in Brand Files (Low Priority)

The three new brand files (gatewayz.ts, vercel.ts, nanogpt.ts) contain identical utility functions:

• clamp, hexToRgb, rgb, mix, lighten (lines 5-41 in each file)

These are duplicated across all brand files. While this follows the existing pattern, it creates maintenance burden.

Recommendation: Extract these color utilities to a shared module like src/brands/colorUtils.ts. This is not a blocker for this PR but should be refactored in a follow-up.

6. Wrapper Script Splash Art (Minor)

In src/core/wrapper.ts, substantial new splash art was added (lines 134-170+). The ASCII art looks good and follows the existing pattern.

Minor observations:

• GatewayZ: "DATEW" text doesn't spell the full name (appears truncated)
• NanoGPT: Using ngPrimary/ngSecondary etc which matches naming convention
• All color codes are properly defined at the top

No action needed, just noting the art looks consistent.

🔒 Security Review

No Security Concerns Identified

• No hardcoded secrets or credentials
• Test API keys use test-*-key prefix (appropriate for testing)
• Auth handling follows existing patterns
• No command injection or XSS vulnerabilities introduced

🎯 Performance Considerations

No Performance Issues

• Color utility functions are simple and fast
• No blocking operations added
• Test suite should not be significantly slower (3 more provider variants tested)

📋 Recommendations Summary

Before Merge:

1. Verify Vercel empty API key behavior (High Priority) - Test or clarify the requiresEmptyApiKey implementation
2. Verify provider URLs and model formats (Medium Priority) - Add documentation links or verification comments
3. Clarify dev-browser change (Medium Priority) - Verify this is included or update PR description

Future Improvements:

4. Extract color utilities (Low Priority) - Reduce code duplication in brand files
5. Add provider integration docs (Low Priority) - Document actual setup steps for each gateway

Final Assessment

This is a well-implemented PR that follows project conventions and adds meaningful functionality. The code quality is high and test coverage is comprehensive. The main concerns are around verification that the provider URLs and auth configurations actually work - I recommend manual testing of at least one new provider variant before merge.

Recommendation: Approve with minor changes requested (verify Vercel auth + add documentation links).

[claude]

Pull Request Review: Gateway Providers & Dev-Browser Default

Summary

This PR successfully expands provider coverage by adding three gateway providers (GatewayZ, Vercel AI Gateway, NanoGPT) plus Ollama, and improves UX by defaulting dev-browser skill to opt-in. The implementation is thorough, well-tested, and follows project conventions.

✅ Strengths

1. Code Quality & Architecture

• Excellent code organization: All three new providers follow the established pattern with dedicated brand theme files in src/brands/
• Consistent structure: Each brand file (gatewayz.ts, vercel.ts, nanogpt.ts) has identical structure with proper theme definition, color palettes, and TweakCC config
• Good abstraction: The requiresEmptyApiKey and authTokenAlsoSetsApiKey flags cleanly handle provider-specific auth requirements without special-casing in core logic
• Type safety: Proper TypeScript types throughout with no use of any

2. Authentication Handling

The PR correctly handles different auth modes:

• Vercel AI Gateway: Uses requiresEmptyApiKey: true to set empty ANTHROPIC_API_KEY (avoids auth conflicts)
• Ollama: Uses authTokenAlsoSetsApiKey: true to set both tokens (Anthropic compatibility layer)
• GatewayZ/NanoGPT: Standard authToken mode with proper cleanup

The logic in src/providers/index.ts:315-321 properly handles all edge cases:

if (authMode === 'authToken') {
  if (provider.requiresEmptyApiKey) {
    env.ANTHROPIC_API_KEY = '';
  } else if (\!provider.authTokenAlsoSetsApiKey && Object.hasOwn(env, 'ANTHROPIC_API_KEY')) {
    delete env.ANTHROPIC_API_KEY;
  }
}

3. UX Improvements

• Dev-browser default change: Changing shouldInstallSkills to always return false in both VariantBuilder and VariantUpdater is the right call - reduces friction for quick setups
• Beautiful splash art: Each provider gets custom ANSI art with unique color schemes (violet for GatewayZ, mono for Vercel, neon blue for NanoGPT, ember for Ollama)
• Provider-specific placeholders: ModelConfigScreen.tsx:58-89 provides helpful model name examples for each provider

4. Test Coverage

• E2E provider matrix: test/e2e/providers.ts adds all 4 new providers with expected theme IDs and splash styles
• ASCII art tests: test/e2e/ascii-art.test.ts updated for new splash styles
• Provider matrix test: test/provider-matrix.test.ts includes all new providers

5. Documentation

• Maintainer context updated with clear vision and priorities
• Standing rules and decision log properly documented
• README and CLI help updated with new provider info

🔍 Issues & Concerns

1. Missing Ollama Brand File (❗ BLOCKER)

The PR adds Ollama to:

• src/providers/index.ts (lines 123-140)
• src/brands/index.ts imports and preset definition (lines 6, 44-48)
• src/core/wrapper.ts splash art (lines 52-55, 173-186)
• test/e2e/providers.ts (lines 38-46)

However, the file src/brands/ollama.ts is listed in the diff output as created but I cannot verify its contents match the pattern. The grep shows it exists, but you should verify:

• It has a complete theme definition with all required color keys
• It exports buildOllamaTweakccConfig function
• The theme ID is ollama-ember (matching test expectations)

Action required: Verify src/brands/ollama.ts is complete and matches the structure of gatewayz.ts/vercel.ts/nanogpt.ts.

2. Vercel Base URL Concern (⚠️ MODERATE)

src/providers/index.ts:160 sets:

baseUrl: 'https://ai-gateway.vercel.sh'

Question: Is this the correct base URL? Vercel AI Gateway typically requires a project-specific URL format. Consider:

• Does this work without additional configuration?
• Should there be documentation about URL customization?
• Would https://ai-gateway.vercel.app or a customer-specific URL be more appropriate?

Recommendation: Verify the base URL works or add documentation explaining users need to customize it.

3. Model Mapping Requirements (⚠️ MINOR)

• GatewayZ and Vercel have requiresModelMapping: true
• NanoGPT has no requiresModelMapping flag (defaults to false?)

Question: Does NanoGPT actually not require model mapping? If it uses Anthropic-compatible model names, this is correct. Otherwise, consider adding requiresModelMapping: true.

4. Placeholder Consistency (💡 SUGGESTION)

In src/tui/screens/ModelConfigScreen.tsx:87, the fallback uses ccrouter placeholders:

const providerPlaceholders = placeholders[providerKey || ''] || placeholders.ccrouter;

Suggestion: Consider using more generic placeholders as fallback or adding placeholder entries for NanoGPT (currently missing).

🔒 Security Review

✅ No security concerns identified:

• No hardcoded credentials
• No command injection vulnerabilities
• Proper input validation via existing validation functions
• Auth tokens handled via environment variables (not persisted in code)
• Empty API key handling for Vercel is safe

⚡ Performance Considerations

✅ No performance concerns:

• All operations are synchronous where appropriate
• No N+1 queries or inefficient loops
• Theme/brand config is generated once at variant creation time

🧪 Testing

✅ Test coverage is comprehensive:

• E2E creation tests for all providers
• ASCII art verification tests
• Provider matrix tests
• TUI component tests updated

Note from PR description: Author checked manual testing is NOT done yet:

• [ ] Tested the TUI flow manually
• [ ] Tested CLI commands manually

Recommendation: Before merge, manually verify:

1. Each provider variant creates successfully via CLI
2. TUI wizard works for all 4 new providers
3. Wrapper scripts execute and show correct splash art
4. Model config screen shows correct placeholders

📋 Best Practices

✅ Follows project conventions:

• 2-space indent, single quotes, semicolons
• TypeScript + ESM
• Files placed in correct src/<area>/ folders
• Tests mirror source structure
• No CommonJS usage

🎯 Recommendations

Before Merge:

1. [BLOCKER] Verify src/brands/ollama.ts is complete with proper theme export
2. [MODERATE] Verify or document Vercel base URL correctness
3. [MINOR] Confirm NanoGPT model mapping requirements
4. [REQUIRED] Complete manual testing checklist (TUI + CLI flows)

Future Improvements (Not blocking):

1. Add integration tests that verify auth token handling for each provider
2. Consider adding provider-specific documentation pages (like docs/providers/vercel.md)
3. Document model naming conventions per provider

📊 Final Assessment

Overall: Excellent work! 🎉

This PR demonstrates strong understanding of the codebase architecture and follows established patterns meticulously. The addition of 4 providers with full theming, testing, and documentation is a significant contribution.

Recommendation: Approve with minor fixes - Address the ollama.ts verification and Vercel URL concerns, complete manual testing, then merge.

---

Code Review Checklist

• ✅ Code follows style guidelines
• ✅ No new warnings or errors
• ✅ Tests added and passing
• ✅ Documentation updated
• ✅ No security vulnerabilities
• ✅ No performance issues
• ⚠️ Manual testing needed
• ⚠️ Verify ollama.ts completeness
• ⚠️ Verify Vercel base URL

Great work on this PR! The gateway provider expansion will significantly improve cc-mirror's flexibility.

[claude]

Pull Request Review: Add Gateway Providers and Default Dev-Browser Off

Summary

This PR expands provider coverage by adding GatewayZ, Vercel AI Gateway, and NanoGPT providers with full integration across core, TUI, CLI, documentation, and tests. Additionally, it defaults the dev-browser skill to off and updates maintainer context.

---

Code Quality & Best Practices ✅

Strengths

1. Excellent Code Consistency: The three new brand theme files (gatewayz.ts, vercel.ts, nanogpt.ts) follow the exact same pattern as existing providers (zai.ts, minimax.ts), ensuring maintainability and predictability.

2. Proper TypeScript Usage: All new code uses proper TypeScript types with no any types. The provider definitions follow the established ProviderTemplate interface correctly.

3. DRY Principle: Color utility functions (hexToRgb, rgb, mix, lighten) are reused consistently across all brand files without duplication.

4. Documentation Updates: The PR includes comprehensive updates to README, CLI help text, architecture docs, and test files.

5. Test Coverage: New providers are added to the E2E test matrix (test/e2e/providers.ts) and ASCII art tests, ensuring they're covered by the existing test suite.

6. Follows Project Conventions: Adheres to the repository guidelines in AGENTS.md regarding file structure, naming conventions, and ESM usage.

---

Potential Issues & Concerns

1. Ollama Brand File May Be Misplaced ⚠️

• The diff shows src/brands/ollama.ts as a new file (+193 lines), but Ollama was already a supported provider
• This suggests either:
  • The file was moved/refactored (should be shown as modified, not new)
  • There was a previous issue with the file not being tracked
• Recommendation: Verify this file's history and ensure it's not accidentally replacing an existing implementation

2. Model Mapping Requirements Inconsistency

In src/providers/index.ts:

• GatewayZ: requiresModelMapping: true (line 154)
• Vercel: requiresModelMapping: true (line 169)
• NanoGPT: No requiresModelMapping field (line 172-185)

Question: Should NanoGPT also require model mapping? The PR description says GatewayZ and Vercel require it, but doesn't mention NanoGPT's approach. This should be clarified based on NanoGPT's API behavior.

3. Missing API Documentation References

None of the new provider definitions include comments linking to official API documentation. This makes it harder to verify:

• Correct base URLs
• Auth mechanisms
• Model naming conventions

Recommendation: Add brief comments with documentation links:

gatewayz: {
  // API docs: https://docs.gatewayz.ai/anthropic
  key: 'gatewayz',
  label: 'GatewayZ',
  // ...
}

4. Vercel Auth Token Special Handling

Line 170: requiresEmptyApiKey: true

This is unique to Vercel and forces ANTHROPIC_API_KEY to be empty. While the implementation looks correct (lines 316-318), this edge case should be:

• Documented in the provider description
• Tested specifically (not seeing a dedicated test for this edge case)

Recommendation: Add a test case verifying Vercel variants have empty ANTHROPIC_API_KEY in settings.json.

---

Security Concerns 🔒

No Critical Issues Found ✅

• No hardcoded credentials or secrets
• API keys are properly handled through environment variables
• No injection vulnerabilities in the wrapper script generation
• Proper input validation in hexToRgb function (lines 9-26 in brand files)

Minor Observation

The wrapper script (src/core/wrapper.ts) injects splash art as JSON strings. While this appears safe, ensure that any provider label or splash content cannot be user-controlled, as this could lead to injection if compromised.

---

Performance Considerations

No Performance Concerns ✅

• Theme color calculations are done once at variant creation time, not at runtime
• Wrapper scripts are generated statically, not dynamically on each invocation
• No expensive operations in hot paths

Memory Efficiency

The splash art ASCII strings are embedded in every wrapper script (~10KB overhead per variant). This is acceptable given the context, but could be optimized in the future by loading them from a shared file if variant count becomes very large.

---

Testing

Test Coverage Appears Adequate ✅

• E2E provider matrix updated (test/e2e/providers.ts)
• ASCII art tests updated (test/e2e/ascii-art.test.ts)
• Provider matrix test file updated (test/provider-matrix.test.ts)

Testing Gaps

1. No test for Vercel's requiresEmptyApiKey behavior - This is a unique edge case that should be explicitly tested
2. No test for NanoGPT's lack of requiresModelMapping - Should verify this works as intended
3. Manual testing checklist incomplete - PR checklist shows manual TUI/CLI testing was not completed

Recommendation: Before merging, complete manual testing:

# Test each new provider
npm run dev -- create --provider gatewayz --name test-gz --api-key test
npm run dev -- create --provider vercel --name test-vc --api-key test
npm run dev -- create --provider nanogpt --name test-ng --api-key test

# Verify wrapper scripts work
~/.local/bin/test-gz --help
~/.local/bin/test-vc --help
~/.local/bin/test-ng --help

# Verify splash art displays
~/.local/bin/test-gz (in a TTY)

---

Architecture & Design

Excellent Architectural Consistency ✅

• Follows the established step-based build pattern
• Proper separation of concerns (providers, brands, wrapper generation)
• No breaking changes to existing APIs

Dev-Browser Default Change

The decision to default dev-browser skill to off is well-justified in the PR description ("reduce friction for quick setups"). This is a good UX improvement.

Suggestion: Consider adding a brief note in the CLI help or docs explaining how to opt-in to dev-browser if users want it.

---

Documentation

Comprehensive Updates ✅

• README.md updated with new providers
• CLI help text updated
• Architecture overview updated
• Maintainer context updated

Missing Documentation

1. Provider-specific setup guides: No mention of how to obtain API keys for GatewayZ, Vercel AI Gateway, or NanoGPT
2. Model naming conventions: For providers requiring model mapping, users need clear guidance on correct model names

Recommendation: Add a brief "Getting Started" section for each new provider in the docs:

## GatewayZ Setup
1. Sign up at https://gatewayz.ai
2. Generate API key from dashboard
3. Create variant: `npx cc-mirror create --provider gatewayz --api-key YOUR_KEY`
4. Configure models: requires full model IDs like `claude-3-5-sonnet-20241022`

---

Specific Code Observations

Color Palette Quality

The new theme palettes are aesthetically well-designed:

• GatewayZ Violet: Nice gradient from light violet to deep purple
• Vercel Mono: Clean monochrome with subtle ink blacks (fitting Vercel's brand)
• NanoGPT Neon: Bright blue/pink neon aesthetic (modern, tech-forward)

Thinking Verbs

Creative and on-brand thinking verbs for each provider:

• GatewayZ: "Gatewaying", "Routing", "Multiplexing" (gateway-focused)
• Vercel: "Deploying", "Shipping", "Streaming" (deployment-focused)
• NanoGPT: "Nano-tuning", "Vectorizing", "Synthesizing" (ML-focused)

Model Placeholders

The ModelConfigScreen now includes smart placeholders for GatewayZ and Vercel (lines 64-73). This is a nice UX touch that will help users understand the expected format.

---

Recommendations Summary

Must Fix Before Merge

1. ⚠️ Clarify Ollama brand file status - Is this new or refactored?
2. ⚠️ Decide on NanoGPT model mapping requirement - Should it require mapping?
3. ⚠️ Complete manual testing - TUI and CLI flows for all three new providers

Should Fix Before Merge

1. Add test case for Vercel's requiresEmptyApiKey behavior
2. Add API documentation links in provider definitions
3. Add provider-specific setup documentation

Nice to Have (Can Be Follow-up PRs)

1. Document how to opt-in to dev-browser skill after it's been defaulted off
2. Add more comprehensive model naming guides for each gateway provider
3. Consider extracting shared color utility functions to reduce duplication across brand files

---

Final Verdict

APPROVE with Minor Revisions ✅

This is a high-quality PR that follows project conventions, maintains code consistency, and expands functionality meaningfully. The code is well-structured, properly tested, and includes comprehensive documentation updates.

The identified issues are relatively minor:

• No security vulnerabilities
• No performance problems
• No breaking changes
• Good test coverage (with minor gaps)

Suggested Merge Strategy:

1. Address the 3 "Must Fix" items above
2. Consider addressing "Should Fix" items
3. File follow-up issues for "Nice to Have" improvements
4. Merge with confidence

---

Additional Notes

The maintainer context updates show good project governance:

• Clear priorities and success metrics
• Updated contribution guidelines
• Documented decision to remove team mode from latest releases

This demonstrates thoughtful project management alongside the technical changes.

Great work overall! 🎉

[claude]

Code Review: Add gateway providers and default dev-browser off

Thanks for this comprehensive PR! I've reviewed the changes and have the following feedback:

---

✅ Strengths

1. Code Quality & Architecture

• Excellent consistency: All four new providers (GatewayZ, Vercel, NanoGPT, Ollama) follow the established pattern from existing providers
• Clean separation of concerns: Brand themes, provider configs, splash art, and TUI content are properly isolated
• Type safety: All new code properly typed with TypeScript interfaces
• Follows project conventions: Matches the coding style and structure outlined in AGENTS.md

2. Comprehensive Coverage

• Full provider stack: Each provider includes:
  • Provider template in src/providers/index.ts
  • Brand theme in src/brands/*.ts
  • Splash art with ANSI colors in src/core/wrapper.ts
  • TUI education content and haikus
  • E2E tests and ASCII art validation
• UX polish: Provider selection viewport limiting (6 visible items) is a nice touch for the growing provider list

3. Test Coverage

• E2E tests added for all new providers in test/e2e/providers.ts
• ASCII art tests updated to verify color codes for each provider
• Provider matrix tests confirm auth modes and configuration
• Tests follow existing patterns and are comprehensive

4. Documentation

• README updated with new provider table
• Architecture docs updated
• Maintainer context, decisions, and patterns updated thoughtfully
• TUI help text and education panels expanded

---

⚠️ Issues & Concerns

1. Critical: Inconsistent Auth Handling for Ollama

Location: src/providers/index.ts:126-137

The Ollama provider sets both ANTHROPIC_AUTH_TOKEN and ANTHROPIC_API_KEY to 'ollama':

ollama: {
  env: {
    ANTHROPIC_AUTH_TOKEN: 'ollama',
    ANTHROPIC_API_KEY: 'ollama',
    // ...
  },
  authMode: 'authToken',
  authTokenAlsoSetsApiKey: true,
}

Issues:

• This introduces a new pattern (authTokenAlsoSetsApiKey) that's only used for Ollama
• The hardcoded 'ollama' values in env contradict the note in ApiKeyScreen.tsx:44: "Local: set key to 'ollama' (values ignored). Cloud: set base URL to https://ollama.com and use your API key."
• If values are ignored locally, why hardcode them in env? If they're not ignored for cloud usage, this breaks cloud setups
• The auth handling logic in buildEnv (lines 318-322) becomes more complex with this exception

Recommendation:

• Either make Ollama purely local-first with clear defaults, OR
• Support both local/cloud but don't hardcode credentials in the provider template—let users configure via TUI
• Consider if credentialOptional: true (like CCRouter) is more appropriate for local Ollama

---

2. Security: Empty API Key Requirement Not Validated

Location: src/providers/index.ts:145 (Vercel provider)

The Vercel provider has requiresEmptyApiKey: true, which sets ANTHROPIC_API_KEY = '' to enforce token-only auth. However:

• There's no validation that prevents users from entering an API key in the TUI
• Users could manually edit settings.json and add an API key, breaking the auth
• The TUI flow doesn't communicate that API key should be left blank

Recommendation:

• Add validation in ApiKeyScreen.tsx to skip API key input or show a clear message when requiresEmptyApiKey: true
• Add a test case to verify ANTHROPIC_API_KEY is empty string for Vercel variants

---

3. Minor: Magic Numbers in TUI

Location: src/tui/screens/ProviderSelectScreen.tsx:28

const maxVisible = 6;

Issue: Hardcoded magic number without explanation

Recommendation: Extract to a named constant with a comment:

// Limit visible providers to prevent overflow on smaller terminals
const MAX_VISIBLE_PROVIDERS = 6;

---

4. Minor: Incomplete Model Override Defaults

Location: src/tui/screens/ModelConfigScreen.tsx:186-192

The Ollama model placeholders are generic and might confuse users:

ollama: {
  opus: 'glm-4.7:cloud',
  sonnet: 'qwen3-coder',
  haiku: 'gpt-oss:20b',
}

Issues:

• These aren't real Ollama models—they appear to be mixed examples
• glm-4.7:cloud suggests cloud usage but the default base URL is localhost:11434
• No guidance on how users find valid model names for local Ollama

Recommendation:

• Use actual Ollama model examples (e.g., llama3.2, qwen2.5-coder, phi3)
• Add a comment or note linking to Ollama's model library
• Consider making these match common Anthropic-compatible Ollama setups

---

5. Performance: Large Diff File Could Impact Review

The PR includes 1627 additions across 44 files. While comprehensive, this makes detailed review challenging.

Recommendation for future PRs: Consider breaking large features into smaller PRs:

1. Core provider additions (providers + brands)
2. TUI enhancements (viewport limiting)
3. Default changes (dev-browser off)
4. Maintainer context updates

---

🔍 Code-Specific Observations

Positive Patterns

• src/brands/gatewayz.ts: Color utility functions (hexToRgb, mix, lighten) are elegant and reusable
• src/core/wrapper.ts: Splash art ASCII is clean and visually appealing
• src/tui/components/ui/Menu.tsx: showDetails prop addition is backward-compatible

Potential Improvements

• DRY opportunity: The color utility functions in each brand file are duplicated. Consider extracting to src/brands/colorUtils.ts
• Type narrowing: The KNOWN_SPLASH_STYLES array in wrapper.ts:198-208 could be inferred from SplashArt keys instead of maintained separately

---

🧪 Test Coverage Assessment

Covered:

• ✅ Provider creation E2E tests
• ✅ ASCII art color validation
• ✅ Provider matrix auth modes
• ✅ TUI flow (updated for dev-browser default)

Missing:

• ❌ Test for requiresEmptyApiKey behavior
• ❌ Test for authTokenAlsoSetsApiKey (Ollama-specific)
• ❌ Test for viewport limiting logic in ProviderSelectScreen
• ❌ Integration test for model override placeholders

Recommendation: Add unit tests for new provider template flags before merge.

---

📊 Performance Considerations

• No concerns: The changes are primarily config-driven; no algorithmic complexity added
• Minor improvement needed: The getVisibleRange function in ProviderSelectScreen.tsx:64-75 could benefit from memoization if the provider list grows significantly (currently fine with ~10 providers)

---

🔒 Security Assessment

• No vulnerabilities introduced: No user input is directly executed
• API key handling: Follows existing patterns (env vars, no inline secrets)
• One concern: The Ollama hardcoded credentials ('ollama') might leak in logs—verify that credential masking still works

---

📝 Best Practices Compliance

Per AGENTS.md guidelines:

Guideline	Status	Notes
TypeScript + ESM	✅	All new code uses ES modules
2-space indent, single quotes	✅	Formatting consistent
Tests in test/ mirroring src/	✅	E2E tests properly placed
Avoid over-engineering	⚠️	authTokenAlsoSetsApiKey feels over-engineered for one provider

---

🎯 Recommendations Summary

Must Fix Before Merge (Blockers)

1. Resolve Ollama auth strategy: Clarify local vs cloud usage and remove hardcoded credentials from provider template
2. Add requiresEmptyApiKey validation: Prevent user confusion for Vercel provider

Should Fix (Non-blockers but important)

3. Extract magic number maxVisible to named constant
4. Use realistic Ollama model examples in placeholders
5. Add tests for new provider template flags

Nice to Have (Future improvements)

6. Extract color utilities to shared module
7. Consider splitting large PRs into focused chunks
8. Add viewport limiting tests

---

✨ Overall Assessment

Verdict: Approve with required changes ✅⚠️

This PR demonstrates strong technical execution and follows project conventions well. The main concerns are:

1. The Ollama auth pattern needs clarification
2. Vercel's empty API key requirement needs UX/validation support

Once these are addressed, this is a solid addition to cc-mirror's provider ecosystem.

Estimated rework: 30-60 minutes to address the two must-fix items.

---

💬 Questions for Discussion

1. Should Ollama support cloud by default, or focus purely on local-first workflows?
2. Is the authTokenAlsoSetsApiKey pattern something we expect other providers to need? If not, consider a provider-specific workaround.
3. Would you like me to help draft tests for the new flags?

Great work on this comprehensive provider expansion! 🚀

[claude]

PR Review: Add gateway providers and default dev-browser off

Summary

This PR successfully adds three new gateway providers (GatewayZ, Vercel AI Gateway, NanoGPT) with proper brand themes and changes the dev-browser skill default to opt-in. The implementation follows established patterns and includes comprehensive test coverage.

✅ Strengths

Architecture & Code Quality

• Consistent provider implementation: All three providers follow the existing pattern with proper authMode, requiresModelMapping, and base URL configuration (src/providers/index.ts:141-185)
• Complete brand themes: Each provider has a full theme implementation with custom color palettes, thinking verbs, and toolset configs (src/brands/gatewayz.ts, vercel.ts, nanogpt.ts)
• Test coverage: E2E tests updated to cover all new providers in the provider matrix (test/e2e/creation.test.ts, test/provider-matrix.test.ts)
• Documentation updates: README, help text, and architecture docs all updated to reflect new providers

Feature Implementation

• dev-browser default change: Properly implemented in useAppState.ts:87 (setInstallSkill(false)) and VariantBuilder.ts:44 (shouldInstallSkills returns false)
• Auth handling: Correct differentiation between providers:
  • GatewayZ & Vercel use authToken mode with model mapping required
  • Vercel correctly uses requiresEmptyApiKey: true (src/providers/index.ts:170)
  • NanoGPT uses authToken without model mapping requirement

🔍 Observations & Suggestions

1. Vercel Empty API Key Handling ⚠️

The Vercel provider sets requiresEmptyApiKey: true (line 170), but I don't see this flag being handled in buildEnv() or the wrapper script generation.

Issue: Lines 316-320 in src/providers/index.ts handle requiresEmptyApiKey by setting env.ANTHROPIC_API_KEY = '', but this happens AFTER model overrides and extraEnv are applied. If a user provides ANTHROPIC_API_KEY in extraEnv, it won't be cleared.

Recommendation: Move the requiresEmptyApiKey logic earlier or add explicit clearing after extraEnv processing to ensure it's enforced.

2. Model Mapping Error Message

Line 42 in src/cli/utils/modelOverrides.ts lists "OpenRouter, GatewayZ, Vercel AI Gateway, Ollama" but this is now missing from the error message context for NanoGPT users who might wonder why they don't need model mapping.

Recommendation: Consider updating the error message to be more generic: "This provider requires model mapping" or maintain the list but clarify NanoGPT doesn't require it in comments.

3. Provider Base URLs - Documentation

The base URLs for new providers should be verified:

• https://api.gatewayz.ai - ✓ Standard format
• https://ai-gateway.vercel.sh - ✓ Matches Vercel's gateway docs
• https://nano-gpt.com/api - ⚠️ Should be verified with actual NanoGPT documentation

Recommendation: Add a comment in AGENTS.md or provider docs with links to each provider's API documentation for future maintainers.

4. Theme Consistency

The themes are well-designed, but there are minor inconsistencies:

• GatewayZ uses updateInterval: 120 (line 157)
• Vercel uses updateInterval: 110 (line 154)
• NanoGPT uses updateInterval: 118 (line 154)

Question: Are these intentional variations, or should they be standardized? If intentional, consider adding comments explaining the rationale.

5. Missing Blocked Tools Configuration

Unlike zai and minimax, the new providers don't define blocked tools arrays in their brand files.

Recommendation:

• If these providers have no tool restrictions, this is fine
• If they do have restrictions (e.g., WebSearch conflicts), add them now to prevent issues later
• Consider adding a comment in each brand file noting "No blocked tools for this provider" for clarity

6. Test Coverage Gap

The ASCII art test (test/e2e/ascii-art.test.ts) and provider matrix tests are updated, but I don't see tests specifically for:

• Vercel's requiresEmptyApiKey behavior
• NanoGPT's lack of model mapping requirement
• GatewayZ's model mapping enforcement

Recommendation: Add unit tests in test/unit/ to verify these provider-specific behaviors.

🐛 Potential Issues

Minor Issue: Color Calculation

The mix() and lighten() functions in brand files use the same implementation across all files (copy-pasted code). While this works, it creates maintenance burden.

Recommendation: Consider extracting color utilities to a shared src/brands/colors.ts module in a follow-up PR.

🔒 Security Considerations

• ✅ No credentials exposed in code
• ✅ API keys properly handled through environment variables
• ✅ No injection vulnerabilities in the new provider configs
• ✅ Base URLs are HTTPS (except for localhost providers)

📊 Performance Considerations

• No performance concerns identified
• New providers don't add significant overhead
• Theme calculations are done at config generation time, not runtime

🎯 Best Practices

• ✅ Follows project conventions from AGENTS.md
• ✅ TypeScript types properly defined
• ✅ ESM imports used consistently
• ✅ 2-space indentation maintained
• ✅ Error handling consistent with existing code

Maintainer Context Updates

The changes to .github/maintainer/ files appropriately reflect:

• Updated project priorities (provider expansion over team mode)
• Clearer success metrics
• Better project vision statement

These align well with the PR's goals and provide good context for future contributors.

📝 Final Verdict

Recommendation: Approve with minor follow-ups

This is solid work that meaningfully expands cc-mirror's provider coverage. The implementation is clean, well-tested, and follows established patterns. The issues identified are minor and can be addressed in follow-up PRs or quick fixes.

Before Merge:

1. ✅ Verify NanoGPT base URL is correct
2. ✅ Confirm Vercel's empty API key handling works in practice (manual test)
3. ⚠️ Consider adding test for requiresEmptyApiKey enforcement

Follow-up PRs:

1. Extract shared color utilities from brand files
2. Add unit tests for provider-specific auth behaviors
3. Document provider API endpoints in a central location

Great work expanding the provider ecosystem! 🎉

[claude]

Code Review - PR #31: Add gateway providers and default dev-browser off

Thank you for this comprehensive PR! This is a well-structured expansion of provider coverage.

✅ Strengths

1. Excellent code consistency: All three new provider brand files follow the exact same pattern as existing providers
2. Comprehensive test coverage: Includes E2E tests for provider creation, themes, splash styles, colors, and ASCII art
3. Good separation of concerns: Provider definitions cleanly separated from brand themes
4. Documentation updates: README, CLI help, and architecture docs all updated
5. Sensible default change: Defaulting skillInstall to false reduces friction

🔍 Key Observations

Provider Configuration (src/providers/index.ts:141-185)

• ✅ Proper auth mode configuration
• ✅ Vercel correctly uses requiresEmptyApiKey
• ⚠️ Question: Why doesn't NanoGPT require model mapping while GatewayZ and Vercel do?

Color Schemes: All three providers have distinct, professional themes with provider-specific thinking verbs

Wrapper Script (src/core/wrapper.ts:256-276): Team mode logic looks correct but could use a comment explaining precedence when both teamMode and teamModifier are set

🐛 Potential Issues

1. NanoGPT Model Mapping: Consider adding requiresModelMapping or comment explaining why it's not needed
2. Missing Blocked Tools: New providers don't define blocked tools arrays - add comment clarifying this is intentional
3. Vercel Empty API Key: Well implemented but may need user-facing docs explaining why

🔒 Security: No concerns identified

⚡ Performance: No concerns identified

🧪 Test Coverage

Covered: Provider creation, ASCII art, themes
Missing: Model override behavior for new providers, Vercel empty API key verification, auth token handling tests

🎯 Verdict

APPROVE with minor recommendations

Production-ready code with excellent structure and test coverage. Suggested improvements are minor and can be addressed in follow-up PRs.

Recommendations Priority:

1. 🟡 Medium: Clarify NanoGPT model mapping requirement
2. 🟢 Low: Add test coverage for Vercel empty API key
3. 🟢 Low: Document blocked tools decision
4. 🟢 Low: Add team mode precedence comment

Great work maintaining quality and consistency! 🚀

[claude]

Code Review: PR #31 - Add Gateway Providers and Default dev-browser Off

I've reviewed this PR comprehensively. Overall, this is a well-structured and thorough implementation that significantly expands provider coverage while maintaining code quality. Here's my detailed feedback:

---

✅ Strengths

1. Excellent Code Consistency

• All four new brand files (gatewayz.ts, vercel.ts, nanogpt.ts, ollama.ts) follow the exact same pattern and structure
• Consistent use of helper functions (hexToRgb, rgb, mix, lighten)
• Theme color palettes are well-organized with clear naming conventions
• Each provider has complete theme coverage including all required color keys

2. Strong Provider Configuration

The provider definitions in src/providers/index.ts are clear and well-documented:

• Proper authMode settings for each provider
• Correct requiresModelMapping flags
• Special handling for edge cases (e.g., Vercel's requiresEmptyApiKey, Ollama's authTokenAlsoSetsApiKey)
• Good use of descriptive comments

3. Comprehensive Test Coverage

• Provider matrix tests updated for all new providers
• ASCII art tests ensure splash screens render correctly
• E2E tests cover the full creation flow
• Tests verify the dev-browser default behavior change

4. Documentation Updates

• README updated with new providers
• Architecture docs reflect the changes
• Maintainer context files properly updated with decisions

5. Clean dev-browser Default Change

The implementation at src/core/variant-builder/VariantBuilder.ts:44 is clean:

const shouldInstallSkills = (_providerKey: string) => false;

This correctly defaults all providers to opt-out, which aligns with the stated goal of reducing friction.

---

🔍 Areas for Improvement

1. Code Duplication in Brand Files (Medium Priority)

The four new brand files (gatewayz.ts, vercel.ts, nanogpt.ts, ollama.ts) contain significant code duplication:

• The color utility functions (clamp, hexToRgb, rgb, mix, lighten) are repeated in each file
• Theme structure is identical across all files

Recommendation: Extract these utilities to a shared module like src/brands/themeUtils.ts:

// src/brands/themeUtils.ts
export type Rgb = { r: number; g: number; b: number };
export const clamp = (value: number) => Math.max(0, Math.min(255, Math.round(value)));
export const hexToRgb = (hex: string): Rgb => { /* ... */ };
export const rgb = (hex: string) => { /* ... */ };
export const mix = (hexA: string, hexB: string, weight: number) => { /* ... */ };
export const lighten = (hex: string, weight: number) => mix(hex, '#ffffff', weight);

Then import in each brand file:

import { rgb, mix, lighten } from './themeUtils.js';

This would:

• Reduce code from ~1,695 additions to ~1,400 additions (saving ~300 lines)
• Make it easier to fix bugs or improve color utilities
• Follow DRY principles

2. Provider Base URL Verification (High Priority - Security/Correctness)

The PR adds several new base URLs but doesn't include verification that these are correct:

• GatewayZ: https://api.gatewayz.ai - Is this the correct production endpoint?
• Vercel AI Gateway: https://ai-gateway.vercel.sh - Verify this is the right URL
• NanoGPT: https://nano-gpt.com/api - Is this endpoint Anthropic-compatible?

Recommendation: Add comments in src/providers/index.ts with links to official documentation:

gatewayz: {
  key: 'gatewayz',
  label: 'GatewayZ',
  description: 'GatewayZ AI Gateway',
  // Docs: https://docs.gatewayz.ai/api/anthropic
  baseUrl: 'https://api.gatewayz.ai',
  // ...
},

3. Missing Auth Token Validation (Medium Priority)

For authToken providers, there's no validation that the token format is correct. Consider adding basic validation in src/providers/index.ts:buildEnv:

if (authMode === 'authToken') {
  const trimmed = normalizeModelValue(apiKey);
  if (trimmed) {
    // Optional: Add basic format validation
    if (trimmed.length < 10) {
      console.warn(`Warning: Auth token seems too short for ${providerKey}`);
    }
    env.ANTHROPIC_AUTH_TOKEN = trimmed;
    // ...
  }
}

4. Thinking Verbs Quality (Low Priority - Polish)

Some thinking verbs feel slightly off-brand or unclear:

Ollama:

• "Grazing", "Roaming", "Loping", "Foraging" - Creative but might confuse users
• Suggestion: Consider more technical verbs like "Inferring", "Embedding", "Generating"

GatewayZ:

• "Gatewaying" - Not a real verb
• Suggestion: Use "Routing" (already included) or "Proxying", "Forwarding"

5. DESIGN.md Outdated Reference (Low Priority)

DESIGN.md:110 still says dev-browser is installed "by default for Z.ai and MiniMax variants". This should be updated to reflect the new opt-in default:

-dev-browser is installed into `~/.cc-mirror/<variant>/config/skills/dev-browser` by default for Z.ai and MiniMax variants (opt out with `--no-skill-install`).
+dev-browser is opt-in for all variants via TUI or `--skill-install` flag.

6. Test Coverage Gap (Medium Priority)

While the PR updates tests, I don't see explicit tests for:

1. Vercel's requiresEmptyApiKey behavior - Does it correctly set ANTHROPIC_API_KEY = ''?
2. Ollama's authTokenAlsoSetsApiKey behavior - Does it set both env vars?
3. Provider-specific env var handling (e.g., Z.ai's Z_AI_API_KEY)

Recommendation: Add unit tests in test/unit/providers.test.ts (create if needed):

describe('Provider-specific auth handling', () => {
  it('should set empty API key for Vercel', () => {
    const env = buildEnv({
      providerKey: 'vercel',
      apiKey: 'test-token',
      baseUrl: 'https://ai-gateway.vercel.sh',
    });
    expect(env.ANTHROPIC_API_KEY).toBe('');
    expect(env.ANTHROPIC_AUTH_TOKEN).toBe('test-token');
  });

  it('should set both auth token and API key for Ollama', () => {
    const env = buildEnv({
      providerKey: 'ollama',
      apiKey: 'ollama',
      baseUrl: 'http://localhost:11434',
    });
    expect(env.ANTHROPIC_API_KEY).toBe('ollama');
    expect(env.ANTHROPIC_AUTH_TOKEN).toBe('ollama');
  });
});

---

🛡️ Security Considerations

1. API Key Exposure in Logs ✅

Good: The wrapper scripts properly handle API keys from settings.json without logging them.

2. Base URL Injection Risk ⚠️

The ANTHROPIC_BASE_URL env var is user-controllable. While this is by design for custom providers, ensure documentation warns users about:

• Only using trusted base URLs
• Risk of sending API keys to malicious endpoints

Recommendation: Add a security note to README.md:

## Security Notes

**Base URLs**: When using gateway providers or custom endpoints, ensure you trust the provider. Your API credentials and prompts will be sent to the configured base URL. Only use official provider URLs or your own infrastructure.

---

🎯 Performance Considerations

No performance issues identified. The changes are primarily configuration and don't introduce computational overhead.

---

📝 Best Practices & Maintainability

Positive:

✅ Follows existing code patterns
✅ Uses TypeScript types consistently
✅ Error handling is appropriate
✅ Git commit messages are descriptive

Could Improve:

• Reduce code duplication (see documentation: improve "switch" #1 above)
• Add JSDoc comments to new public functions
• Consider adding a provider validation script (npm run validate-providers) to check base URLs are reachable

---

🧪 Testing Recommendations

Before merging, please verify:

1. Manual Testing:

   • Create a variant for each new provider
   • Verify splash art displays correctly in terminal
   • Test model mapping flow for GatewayZ/Vercel
   • Confirm Ollama works with local and cloud endpoints
   • Test dev-browser opt-in flow in TUI

2. Cross-Platform:

   • Test on macOS, Linux, and Windows
   • Verify wrapper scripts work on all platforms
   • Check ANSI colors render correctly in different terminals

3. Regression Testing:

   • Existing providers (zai, minimax, openrouter) still work
   • Update command works for new providers
   • TweakCC integration still functions

---

🎨 UI/UX Notes

The provider haikus and splash art are creative and on-brand. The violet/mono/neon/ember color schemes are distinct and aesthetically pleasing.

Minor suggestion: The Ollama thinking verbs ("Grazing", "Loping") are quirky but might distract from professional use. Consider A/B testing with users or making verbs configurable.

---

📊 Summary Assessment

Category	Rating	Notes
Code Quality	⭐⭐⭐⭐☆	Solid, but has duplication
Test Coverage	⭐⭐⭐⭐☆	Good, missing some edge cases
Documentation	⭐⭐⭐⭐☆	Well-updated, minor gaps
Security	⭐⭐⭐⭐⭐	No issues found
Maintainability	⭐⭐⭐⭐☆	Could improve with DRY refactor

---

🚀 Recommendation

Approve with minor improvements. This PR is ready to merge with the following suggested follow-ups:

Pre-merge (recommended):

1. Extract theme utilities to reduce duplication
2. Update DESIGN.md to reflect new dev-browser default
3. Verify provider base URLs are correct

Post-merge (can be separate PRs):

1. Add unit tests for provider-specific auth handling
2. Add security note to README
3. Consider making thinking verbs configurable

---

Great work on this comprehensive provider expansion! The code is clean, well-tested, and aligns with the project's direction. 🎉

[claude]

Code Review - PR #31: Add gateway providers and default dev-browser off

Overview

This PR successfully expands provider coverage with GatewayZ, Vercel AI Gateway, NanoGPT, and Ollama. The implementation follows established patterns and includes comprehensive test coverage. The changes are well-structured and consistent with the project's architecture.

---

✅ Strengths

1. Excellent Code Organization

• New provider implementations follow the established pattern from zai/minimax
• Brand themes properly separated into individual files (src/brands/{gatewayz,vercel,nanogpt,ollama}.ts)
• Consistent structure: theme definitions + TweakCC config builders
• Tests updated comprehensively (test/e2e/providers.ts, test/provider-matrix.test.ts)

2. Auth Mode Flexibility

The new authTokenAlsoSetsApiKey and requiresEmptyApiKey flags are smart additions that handle edge cases:

// Ollama compatibility (src/providers/index.ts:138)
authTokenAlsoSetsApiKey: true,  // Sets both ANTHROPIC_AUTH_TOKEN and ANTHROPIC_API_KEY

// Vercel AI Gateway (src/providers/index.ts:170)
requiresEmptyApiKey: true,  // Forces empty ANTHROPIC_API_KEY

This handles gateway-specific auth requirements cleanly.

3. Brand-Accurate Theming

• Each provider has unique, brand-accurate color schemes
• ANSI color codes properly defined in src/core/wrapper.ts
• ASCII art designs are distinctive and visually appealing
• scripts/preview-splash.mjs utility added for easy preview

4. Test Coverage

• All 8 providers (including new ones) in test matrix
• E2E creation tests verify variant setup
• ASCII art verification tests ensure splash screens render correctly
• Provider config validation

---

🔍 Issues & Suggestions

1. Color Code Mismatch in Tests ⚠️

Location: test/e2e/providers.ts

There's a discrepancy between test expectations and actual implementation:

// test/e2e/providers.ts:28
{
  key: 'openrouter',
  colorCode: '\\x1b[38;5;43m', // Teal ❌
}

// BUT src/core/wrapper.ts:22-26 defines:
orPrimary: '\x1b[38;5;60m',    // Navy ✓
orSecondary: '\x1b[38;5;68m',  // Slate blue
orAccent: '\x1b[38;5;99m',     // Indigo

Similarly for Ollama:

// test/e2e/providers.ts:44
colorCode: '\\x1b[38;5;202m', // Deep orange ❌

// BUT src/core/wrapper.ts:52-56 defines:
olPrimary: '\x1b[38;5;180m',   // Tan/sorrel ✓

Impact: Tests will fail when validating splash art colors.

Fix: Update test expectations in test/e2e/providers.ts to match actual color codes:

{
  key: 'openrouter',
  colorCode: '\\x1b[38;5;60m', // Navy (matches wrapper.ts)
},
{
  key: 'ollama',
  colorCode: '\\x1b[38;5;180m', // Tan (matches wrapper.ts)
}

2. Vercel Auth Mode - Edge Case Handling 🤔

Location: src/providers/index.ts:316-320

The Vercel provider enforces requiresEmptyApiKey: true, but the logic has a subtle issue:

if (provider.requiresEmptyApiKey) {
  env.ANTHROPIC_API_KEY = '';  // Force empty string
} else if (!provider.authTokenAlsoSetsApiKey && Object.hasOwn(env, 'ANTHROPIC_API_KEY')) {
  delete env.ANTHROPIC_API_KEY;  // Delete the key
}

Question: Why set to empty string ('') instead of deleting the key? Some API clients differentiate between:

• Key not present (undefined)
• Key present but empty ('')

Suggestion: Document why Vercel needs empty string vs. deletion, or verify this is the correct behavior. If Claude Code treats empty string the same as undefined, this is fine. Otherwise, consider:

if (provider.requiresEmptyApiKey) {
  delete env.ANTHROPIC_API_KEY;  // Ensure key is not present
}

3. Model Mapping Placeholders 📝

Location: src/tui/screens/ModelConfigScreen.tsx:59-79

Good addition of provider-specific placeholders! Minor suggestions:

gatewayz: {
  opus: 'claude-3-opus-20240229',
  sonnet: 'claude-3-5-sonnet-20241022',
  haiku: 'claude-3-haiku-20240307',
},

Suggestion: Consider adding comments or documentation indicating:

1. Are these the only supported models?
2. Should users reference GatewayZ docs for the full model list?
3. Do these exact version strings work, or should users check for updates?

Same applies for Vercel and other gateways. This helps users who may not be familiar with gateway-specific model naming conventions.

4. NanoGPT Provider - No Model Mapping Requirement ❓

Location: src/providers/index.ts:172-185

NanoGPT is the only authToken provider that doesn't require model mapping:

nanogpt: {
  authMode: 'authToken',
  // No requiresModelMapping flag (defaults to false)
}

Question: Is this intentional? Does NanoGPT automatically map Claude model names? Or is this an oversight?

Impact: Users won't be prompted to configure model mappings, which may cause runtime errors if NanoGPT doesn't recognize Claude's default model names.

Suggestion: Verify NanoGPT's API behavior and either:

• Add requiresModelMapping: true if needed
• Document why it's not needed (e.g., "NanoGPT auto-detects Claude model names")

5. Dev-Browser Default Change ✅

Location: src/core/variant-builder/VariantBuilder.ts:1, src/core/variant-builder/VariantUpdater.ts:1

Great decision to default dev-browser skill to off! This reduces friction for users who don't need browser automation. No issues here.

---

🛡️ Security Considerations

No Security Issues Detected ✓

• API keys properly handled as environment variables
• No hardcoded credentials
• Auth token logic correctly implements token-based and API key-based auth
• No command injection risks in wrapper generation

---

🚀 Performance Considerations

Minimal Performance Impact ✓

• New providers don't add runtime overhead
• Theme configs are static (no dynamic computation)
• Splash art is simple ASCII (negligible render time)
• Test suite expansion is reasonable (~8 providers vs. 4 previously)

Note: The preview-splash.mjs script is a nice addition for development workflow.

---

📊 Test Coverage Assessment

Coverage: Good ✅

What's Covered:

• E2E variant creation for all 8 providers
• ASCII art color verification
• Provider matrix validation
• TUI integration tests updated

What's Missing:

• Model mapping validation tests - Verify that providers with requiresModelMapping: true correctly prompt users and store model overrides
• Auth mode edge case tests - Test authTokenAlsoSetsApiKey and requiresEmptyApiKey behavior
• Wrapper script tests - Verify auth token injection works correctly for each auth mode

Suggestion: Add a test like:

test('Vercel provider sets empty ANTHROPIC_API_KEY', () => {
  const env = buildEnv({
    providerKey: 'vercel',
    apiKey: 'test-token',
  });
  assert.strictEqual(env.ANTHROPIC_API_KEY, '');
  assert.strictEqual(env.ANTHROPIC_AUTH_TOKEN, 'test-token');
});

---

📚 Documentation Quality

Documentation: Good ✅

Updated Files:

• README.md - Provider list updated
• docs/README.md - Architecture overview updated
• AGENTS.md - Provider table expanded
• Maintainer docs updated with context/decisions

Suggestions:

1. Provider comparison table - Add a table showing auth mode, model mapping requirements, and use cases for each provider
2. Gateway setup guides - Consider adding docs/providers/gatewayz.md, docs/providers/vercel.md, etc. with:
   • Where to get API keys
   • Model naming conventions
   • Common troubleshooting
3. Auth mode documentation - Document the difference between apiKey, authToken, and none modes in architecture docs

---

🎨 Code Quality

Quality: Excellent ✅

• Consistent formatting and style
• TypeScript types properly defined
• No linter warnings expected
• Good use of constants and shared utilities
• Clear separation of concerns

Minor Nitpick:
The hex-to-RGB conversion logic in brand files is duplicated across all brand theme files. Consider extracting to a shared src/brands/utils.ts:

// src/brands/utils.ts
export const clamp = (value: number) => Math.max(0, Math.min(255, Math.round(value)));
export const hexToRgb = (hex: string): Rgb => { /* ... */ };
export const rgb = (hex: string) => { /* ... */ };
export const mix = (hexA: string, hexB: string, weight: number) => { /* ... */ };
export const lighten = (hex: string, weight: number) => mix(hex, '#ffffff', weight);

Then import in each brand file. This reduces duplication and makes color utility logic easier to maintain.

---

✅ Checklist Review

Based on the PR description checklist:

• ✅ Code follows style guidelines
• ✅ Self-review completed
• ⚠️ Comments sparse (but code is self-documenting, so acceptable)
• ✅ Documentation updated
• ✅ No new warnings expected
• ✅ Tests added
• ⚠️ Tests pass locally (blocked by color code mismatch issue above)

---

🎯 Recommendations

Before Merge:

1. Fix color code mismatch in test/e2e/providers.ts for OpenRouter and Ollama
2. Verify NanoGPT model mapping requirement - add requiresModelMapping: true if needed
3. Document Vercel empty API key behavior - add code comment explaining why empty string vs. deletion

Nice to Have (Follow-up PRs):

4. Extract color utility functions to src/brands/utils.ts
5. Add provider-specific setup guides in docs/providers/
6. Add tests for auth mode edge cases
7. Document auth mode differences in architecture docs

---

Final Verdict

Approval: Approve with Minor Fixes ✅

This is a solid PR that significantly expands cc-mirror's provider coverage. The implementation is clean, well-tested, and follows established patterns. The issues identified are minor and easily fixable:

1. Update test color codes (5-minute fix)
2. Verify NanoGPT model mapping requirement
3. Add clarifying comments for Vercel auth behavior

Great work on the brand theming and comprehensive test coverage! The new providers will be valuable additions to the project.

---

Reviewed by: Claude Sonnet 4.5
Files Changed: 47
Lines Added/Removed: +1,451 / -362

[claude]

Pull Request Review - Fresh Analysis

This PR adds four new gateway providers (GatewayZ, Vercel AI Gateway, NanoGPT, Ollama) and defaults the dev-browser skill to opt-in. I've conducted a fresh review focusing on areas not extensively covered in previous reviews.

---

Summary Assessment

Recommendation: APPROVE ✅

This is a well-executed PR that follows project conventions consistently and significantly expands provider coverage. The implementation is production-ready with only minor documentation gaps.

---

Key Findings

✅ Strengths

1. Consistent Architecture: All four providers follow the established pattern with proper brand themes, splash art, and test coverage
2. Smart Auth Handling: The new authTokenAlsoSetsApiKey (Ollama) and requiresEmptyApiKey (Vercel) flags elegantly handle edge cases
3. Comprehensive Testing: E2E tests, ASCII art validation, and provider matrix all updated correctly
4. UX Improvement: Defaulting dev-browser to opt-in reduces onboarding friction

🔍 Additional Observations

1. Provider URL Verification

The base URLs should be verified against official documentation:

• https://api.gatewayz.ai - Needs verification
• https://ai-gateway.vercel.sh - Appears correct for Vercel AI Gateway
• https://nano-gpt.com/api - Should confirm Anthropic API compatibility

Suggestion: Add inline comments with doc links in src/providers/index.ts

2. Model Mapping Inconsistency

NanoGPT uses authToken mode but lacks requiresModelMapping: true (unlike GatewayZ/Vercel). This should be intentional and documented.

Question: Does NanoGPT accept standard Claude model names without mapping?

3. Color Utility Duplication

The hexToRgb, rgb, mix, and lighten functions are duplicated across all brand files (~195 lines × 4 files).

Suggestion (non-blocking): Extract to src/brands/colorUtils.ts in a follow-up PR.

4. Dev-Browser Documentation

DESIGN.md:110 still references old dev-browser defaults. Should update to reflect opt-in behavior.

---

Security & Performance

• ✅ Security: No vulnerabilities identified. Auth handling is correct.
• ✅ Performance: No concerns. All changes are config-driven.

---

Test Coverage

Covered:

• ✅ Provider creation E2E tests
• ✅ ASCII art color verification
• ✅ Provider matrix validation

Suggested Additions (non-blocking):

• Test for requiresEmptyApiKey enforcement (Vercel)
• Test for authTokenAlsoSetsApiKey behavior (Ollama)
• Integration test with actual API calls (optional)

---

Pre-Merge Checklist

Must verify:

1. ⚠️ Confirm NanoGPT model mapping requirements
2. ⚠️ Verify provider base URLs are correct
3. ⚠️ Update DESIGN.md dev-browser references

Nice to have (can be follow-up):

• Extract shared color utilities
• Add provider-specific setup guides in docs
• Add more test coverage for auth edge cases

---

Final Notes

This PR represents significant progress on expanding provider support (#23). The code quality is high, tests are comprehensive, and the architecture is solid. The identified issues are minor and mostly relate to documentation/verification rather than code correctness.

Great work! 🚀

[claude]

Pull Request Review

This PR significantly expands provider coverage and removes deprecated features. Here's my detailed feedback:

---

✅ Strengths

Code Quality

• Consistent implementation: All three new providers (GatewayZ, Vercel, NanoGPT) follow the established pattern with proper theme definitions, splash art, and config builders
• Good test coverage: E2E tests properly updated to include new providers in the matrix (test/e2e/providers.ts)
• Clean architecture: Provider definitions in src/providers/index.ts are well-structured with clear auth modes and requirements
• Documentation updates: README and architecture docs reflect the new providers

Features

• Provider diversity: Adds gateway providers that fill important use cases (Vercel edge, GatewayZ routing, NanoGPT endpoint)
• Auth handling: Properly implements authToken mode for all three, with special handling for Vercel's requiresEmptyApiKey
• Brand themes: Each provider gets a distinct, well-thought-out color palette that matches their brand identity
• ASCII art: Creative and visually appealing splash screens for each provider

Cleanup

• Team mode removal: Clean removal of deprecated team mode code (~2000+ lines deleted)
• Skills consolidation: Removes orchestration and task-manager skills that were no longer needed
• CHANGELOG trimming: Reduces verbose changelog while preserving key information

---

⚠️ Issues & Concerns

1. Code Duplication (Medium Priority)

Each brand file (src/brands/*.ts) contains ~190 lines with significant duplication:

• Color utility functions (clamp, hexToRgb, rgb, mix, lighten) are copy-pasted across all brand files
• Theme structure is nearly identical, only palettes differ

Recommendation: Extract shared utilities to src/brands/utils.ts or src/brands/colors.ts:

// src/brands/utils.ts
export { clamp, hexToRgb, rgb, mix, lighten };
export const buildThemeFromPalette = (id: string, name: string, palette: Palette): Theme => { ... };

Then each brand file becomes ~50 lines (just palette + verbs).

2. Missing Validation (Low Priority)

src/providers/index.ts line 314-319: The requiresEmptyApiKey logic could cause issues:

if (provider.requiresEmptyApiKey) {
  env.ANTHROPIC_API_KEY = '';
} else if (!provider.authTokenAlsoSetsApiKey && Object.hasOwn(env, 'ANTHROPIC_API_KEY')) {
  delete env.ANTHROPIC_API_KEY;
}

Question: What happens if a user manually sets ANTHROPIC_API_KEY in extraEnv but uses Vercel? The empty string override might be confusing.

Recommendation: Add a warning or validation when requiresEmptyApiKey conflicts with user-provided env.

3. Default Behavior Change (Documentation Gap)

The PR description states: "Defaults the dev-browser skill to off (still opt-in)"

Finding:

• src/tui/state/useAppState.ts:27 sets skillInstall: false
• CLI commands respect --no-skill-install flag
• However, no documentation explains this default change

Recommendation: Add a section to README or DESIGN.md explaining:

• Why dev-browser is now opt-in by default
• How to enable it (--skill-install or via TUI)
• This aligns with "reduce friction for quick setups" mentioned in PR description

4. Test Coverage Gap (Low Priority)

While E2E tests cover variant creation for new providers, there are no specific tests for:

• requiresEmptyApiKey behavior (Vercel)
• authTokenAlsoSetsApiKey behavior (Ollama)
• Model mapping requirements for gateway providers

Recommendation: Add focused unit tests in test/provider-matrix.test.ts or similar.

5. Breaking Change Handling

Massive deletions (~15K lines) include:

• Team mode removal
• Task commands removal (src/cli/commands/tasks/*)
• Orchestration skill removal

Question: Are there existing users relying on these features? Consider:

• Adding a deprecation notice in a previous release
• Providing migration guidance in CHANGELOG
• Documenting what features were removed and why

---

🔍 Minor Observations

Positive

1. Splash art colors: Excellent use of ANSI 256-color codes that match brand identities
2. Thinking verbs: Creative per-provider verbs ("Gatewaying", "Deploying", "Nano-tuning")
3. Error handling: Proper validation for auth modes and model requirements

Nitpicks

1. src/brands/nanogpt.ts:43: Comment says "NanoGPT brand colors" but doesn't mention source of brand colors (unlike Vercel which cites #0070F3)
2. src/core/wrapper.ts:37-51: Color constants could benefit from inline comments explaining which ANSI 256-color each code represents
3. Provider descriptions in src/providers/index.ts: Some are vague ("NanoGPT endpoint") compared to others ("100+ models via OpenRouter gateway")

---

🎯 Security Review

✅ No security concerns found

• Auth token handling looks correct
• No credential leakage in splash art or logs
• Environment variable precedence properly managed
• Base URLs are validated against provider configs

---

📋 Final Recommendation

APPROVE with suggestions

This is solid work that meaningfully expands the tool's capabilities. The code quality is good and follows existing patterns. My main suggestion is to refactor the duplicated color utilities across brand files to improve maintainability.

The default behavior change (dev-browser off) is reasonable but needs documentation. Consider adding a brief note in README about skill installation being opt-in.

Great job on the comprehensive provider expansion! 🚀

---

Checklist for Merge

• Consider refactoring brand file duplication
• Add documentation for dev-browser default change
• Add validation warning for requiresEmptyApiKey conflicts
• (Optional) Add unit tests for new auth modes
• (Optional) Document removed features in CHANGELOG migration guide