fix(providers): restore 20 missing upstream providers + add icons for 28 gap providers

[oyi77]

Summary

• Restored 20 providers lost during v3.8.0 release merge — these providers existed in upstream but were accidentally dropped from src/shared/constants/providers.ts
• Added SVG icons for 24 providers that had no icon at all (showed generic circle fallback)
• Added 4 lobe icon aliases (Kluster, LeptonAI, Ollama, Automatic) for providers with @lobehub/icons support
• Restored related code: IDE_PROVIDER_IDS, expanded VIDEO_PROVIDER_IDS, supportsBulkApiKey(), hasFree flags, and providerAllowsOptionalApiKey entries

Providers Restored (20)

Category	Providers
Free	opencode
OAuth	zed, trae
Web Cookie	gemini-web, deepseek-web, copilot-web, veoaifree-web, t3-web
API Key	alibaba-cn, replicate, hackclub, github-models, haiper, leonardo, ideogram, suno, udio, gitlawb, gitlawb-gmi
Local	llama-cpp

Icons Added (24 SVGs)

bytez, cablyai, chutes, codex-cloud, completions, crof, datarobot, devin, devin-cli, enally, fenayai, freetheai, galadriel, getgoapi, glhf, jules, laozhang, llm7, oobabooga, petals, publicai, thebai, uncloseai, zai-search

Lobe Aliases Added (4)

kluster→Kluster, lepton→LeptonAI, ollama-search→Ollama, auto→Automatic

Test plan

• npm run lint — 0 errors (2073 warnings, all pre-existing)
• npm run typecheck:core — clean
• npm run build — production build succeeds
• Security tests pass (23/23)
• Plan3 tests pass (37/37)
• All 197 providers accounted for across 9 groups
• All 24 new SVG icons render (verified file creation)
• All 4 lobe aliases resolve (imports + ICON_COMPONENTS + LOBE_PROVIDER_ALIASES)

Root Cause

During the v3.8.0 release merge (release/v3.8.0 → main), provider definitions from several upstream PRs were lost due to merge conflicts. The providers were added in PRs #2314, #2339, #2340, #2344, #2364, #2366, #2369, #2380, and others, but the release merge resolution dropped them.

Closes #XXXX

[kilo-code-bot]

Code Review Summary

Status: 3 New Issues Found (1 WARNING + 2 SUGGESTION) | 5 Carried Forward | Recommendation: Address warning before merge

Overview

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	2 (new) + 5 (carried forward)

New Issues (Incremental: 9524a57 → e0c4bd3)

File	Line	Issue
open-sse/executors/veoaifree-web.ts	24	SUGGESTION: Nonce regex ([a-f0-9]+) only matches lowercase hex. WordPress nonces can be mixed-case or include -/_. Consider ([a-fA-F0-9_-]+).
open-sse/executors/veoaifree-web.ts	89	SUGGESTION: Video polling loop runs up to 10 min with no AbortSignal. If request is cancelled, timers and fetches leak. Consider accepting and checking an abort signal per iteration.
open-sse/executors/veoaifree-web.ts	257	WARNING: err.message from fetchNonce() exposed directly in response body. Could leak DNS errors, TLS details, or stack traces. Use generic message or sanitizeErrorMessage() per docs/security/ERROR_SANITIZATION.md.

Previous Review Findings (Carried Forward - 5 issues)

These issues were flagged in the previous review and remain unresolved:

File	Line	Issue
src/shared/constants/providers.ts	219	Provider claude-web is added with authHint: "Paste your session cookie from claude.ai" — same concern as copilot-web: users may not know which cookie to paste.
src/shared/constants/providers.ts	249	copilot-web authHint says "access_token" but also mentions .har export — unclear which is preferred.
src/shared/constants/providers.ts	986	hackclub authHint says "Sign in with your Hack Club account" but providerAllowsOptionalApiKey includes hackclub, suggesting no API key is needed.
src/shared/constants/providers.ts	997	github-models freeNote claims "Free GPT-5" — GPT-5 is unreleased.
src/shared/constants/providers.ts	2215	providerAllowsOptionalApiKey includes copilot-web and hackclub but the auth hints suggest auth is required (cookie/sign-in).

Other Observations (not in diff)

Issues found in PR metadata/description, outside the diff scope:

Area	Issue
veoaifree-web in providerAllowsOptionalApiKey	Provider has hasFree: true and "No auth required" but is NOT listed in providerAllowsOptionalApiKey(). Consider adding it to match pollinations/searxng-search pattern.
PR Title vs Files	Title says "add icons for 28 gap providers" but only 24 SVG files were added (4 lobe aliases are code-only). Consider updating title.
PR Summary vs Body	Summary says "add icons for all 52 gap providers" but body details 20 restored + 24 SVG + 4 lobe aliases = 48, not 52.

Files Reviewed (5 files)

• open-sse/executors/veoaifree-web.ts — New executor for Veo AI Free (279 LOC). Error sanitization and abort signal concerns.
• src/app/api/v1/combos/projectCombo.ts — New projection helper (56 LOC). Clean, well-tested.
• src/lib/guardrails/visionBridgeHelpers.ts — Vision bridge env override (updated). Clean implementation.
• src/lib/zed-oauth/dockerDetect.ts — Docker detection utility (38 LOC). Clean, good dependency injection for testing.
• open-sse/services/antigravityHeaders.ts — Updated metadata function. Breaking shape change (added platform + pluginType fields) but test updated accordingly.

Fix these issues in Kilo Cloud

---

_{Reviewed by qwen3.6-plus · 488,893 tokens}

[gemini-code-assist]

Code Review

This pull request significantly expands the platform's provider support by adding numerous SVG icons and registering new providers across various categories, including Free, OAuth, Web Cookie, API Key, Local, and IDE providers. Key additions include opencode, zed, trae, and llama-cpp. Review feedback identifies factual errors regarding unreleased models in the github-models description and highlights inconsistencies between the optional API key logic and user-facing hints for providers like copilot-web and hackclub. Additionally, the reviewer suggests including veoaifree-web and uncloseai in the optional API key list to align with their authentication requirements.

[gemini-code-assist]

The freeNote for github-models mentions "GPT-5", "Llama 4", and "Grok 3", which are not currently available or officially released. This appears to be incorrect information or placeholder text that should be updated to reflect currently available models (e.g., GPT-4o, Llama 3.3).

Suggested change

	freeNote: "Free GPT-5, o-series, DeepSeek-R1, Llama 4, Grok 3 — GitHub account only.",
	freeNote: "Free GPT-4o, o-series, DeepSeek-R1, Llama 3.3 — GitHub account only.",

[gemini-code-assist]

The providers veoaifree-web and uncloseai should be added to the providerAllowsOptionalApiKey list. Their authHint descriptions explicitly state that no authentication is required, but without being in this list, the UI will still enforce the presence of an API key or token.

Suggested change

	providerId === "copilot-web" ||
	providerId === "hackclub" ||
	providerId === "copilot-web" ||
	providerId === "hackclub" ||
	providerId === "veoaifree-web" ||
	providerId === "uncloseai" ||

[gemini-code-assist]

There is an inconsistency for copilot-web: it is marked as having an optional API key in providerAllowsOptionalApiKey (line 2233), but the authHint here instructs the user to paste an access_token. If it is truly optional, the hint should clarify that it's only needed for higher limits or specific features.

Suggested change

	authHint:
	"Paste your access_token from copilot.microsoft.com (or export a .har file from DevTools while logged in)",
	authHint:
	"Optional: Paste your access_token from copilot.microsoft.com (or export a .har file from DevTools while logged in) for higher limits.",

[gemini-code-assist]

Similar to copilot-web, hackclub is marked as optional in providerAllowsOptionalApiKey (line 2234), but the authHint here implies that signing in is required. The hint should be updated to reflect its optional status.

Suggested change

	authHint: "Sign in with your Hack Club account at ai.hackclub.com.",
	authHint: "Optional: Sign in with your Hack Club account at ai.hackclub.com for member-only models.",

[kilo-code-bot]

SUGGESTION: Provider claude-web is added in this diff but is not listed in the PR body's "Providers Restored" table. The PR body lists 20 providers (5 in Web Cookie row) but the diff actually adds 21 providers (6 in Web Cookie: claude-web, gemini-web, deepseek-web, copilot-web, veoaifree-web, t3-web). The PR body should be updated to include claude-web and reflect the correct count of 21.

[kilo-code-bot]

SUGGESTION: Provider count "198" does not match PR body ("197 providers") or actual code count (201 total provider IDs in src/shared/constants/providers.ts, 200 active + 1 deprecated). Verify the correct count and update both README and PR body consistently.

[oyi77]

You're right about the unreleased model names — those were placeholder text. Will update to currently available models and fix the optional API key inconsistencies.