Add GatewayConfig and expand AI provider support

[threepointone]

Introduces a new GatewayConfig component and updates dependencies to add support for multiple AI providers (OpenAI, Anthropic, Google, xAI). Updates app and server logic to integrate with the new providers and configuration options.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 75c6b8a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[claude]

Claude Code Review

Issues Found

1. Security: API Keys Stored in Agent State (server.ts:44-49)
Provider API keys, Cloudflare API keys, and Gateway credentials are stored in the agent's state without encryption. This is a security risk:

• providerApiKey (line 45) - Direct provider API keys
• gatewayApiKey (line 49) - Cloudflare API key

Recommendation: These sensitive credentials should be stored in environment variables or a secrets manager, not in agent state that could be logged/persisted.

2. Missing Input Validation (server.ts:116-127)
No validation that gatewayAccountId, gatewayId, or gatewayApiKey are well-formed before using them to create gateway connections. Malformed inputs could cause runtime errors.

Recommendation: Add validation before line 130:

if (!this.state.gatewayAccountId || !this.state.gatewayId || !this.state.gatewayApiKey) {
  throw new Error("Missing required gateway credentials");
}

3. Model Name Parsing Fragility (server.ts:118-121)
The model name parsing assumes a specific format:

if (modelName.includes("/")) {
  modelName = modelName.split("/")[1];
}

This is fragile - if the format changes to have multiple slashes (e.g., "provider/version/model"), this breaks. Consider using modelName.split("/").pop() or more robust parsing.

4. xAI Hardcoded Base URL (server.ts:183)
The xAI base URL is hardcoded: baseURL: "https://api.x.ai/v1". If this URL changes or needs to be environment-specific, it requires a code change.

Recommendation: Move to configuration or environment variable.

5. Silent Fallback Behavior (server.ts:193-196)
When external provider configuration is incomplete, the code silently falls back to Workers AI without user notification. Users expecting OpenAI/Anthropic responses will get Workers AI responses instead with no indication of why.

Recommendation: Throw an error or emit a warning when falling back, so users know their configuration is incomplete.

6. Hardcoded Model Lists (UnifiedModelSelector.tsx:10-135)
The external model lists are hardcoded in the component. When providers release new models, this requires a code update and deployment.

Recommendation: Consider fetching available models from an API or configuration file that can be updated without code changes.

Testing Coverage

No test files included in this PR. Given the complexity of multi-provider authentication logic with multiple failure modes, this needs test coverage for:

• Gateway auth flow
• Provider key auth flow
• Fallback behavior when credentials are missing
• Model name parsing edge cases

Architecture Alignment

The implementation is reasonable but mixing UI state (model selection) with security-sensitive data (API keys) in the same state object is concerning. Consider separating concerns.

Summary

The core functionality looks solid, but there are security and validation issues that should be addressed before merging. The lack of tests for the authentication logic is also a gap.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/agents@745

commit: 75c6b8a