Add Tavily, and Nemotron Ultra

[maggiezha]

Split NVIDIA Build (nvapi-) and Inference Hub (sk-) env vars, load keys from ~/.nemoclaw/secrets.env, route Ultra via inference-api, and fix Tavily on rebuild resume.

Summary

Related Issue

Changes

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Your Name your-email@example.com

Summary by CodeRabbit

Release Notes

• New Features

  • Added Tavily Search as an alternative web search provider alongside Brave.
  • Added local secrets file (~/.nemoclaw/secrets.env) for secure credential management outside git.
  • Updated default inference model to Nemotron Ultra 253B for improved performance.

• Documentation

  • Added guidance for Tavily Search integration and setup.
  • Added instructions for local credential storage best practices.

• Configuration

  • Updated inference endpoints and credential handling for multiple NVIDIA providers.
  • Added setup scripts for Tavily Search enablement in existing sandboxes.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 76623acc-6f12-4b10-8ea3-3b734012add3

📥 Commits

Reviewing files that changed from the base of the PR and between 1daf081 and ec4b921.

📒 Files selected for processing (51)

• .gitignore
• Dockerfile
• docs/network-policy/integration-policy-examples.mdx
• docs/security/credential-storage.mdx
• nemoclaw-blueprint/blueprint.yaml
• nemoclaw-blueprint/policies/presets/tavily.yaml
• nemoclaw-blueprint/router/pool-config.yaml
• nemoclaw/src/index.ts
• nemoclaw/src/register.test.ts
• scripts/checks/direct-credential-env.ts
• scripts/examples/nemotron-ultra-inference.py
• scripts/generate-openclaw-config.py
• scripts/setup-tavily-search.sh
• scripts/test-tavily-flow.sh
• scripts/verify-tavily-openclaw-config.py
• secrets.env.example
• src/commands/credentials/init-secrets.ts
• src/lib/cli/public-display-defaults.ts
• src/lib/credentials/command-support.ts
• src/lib/credentials/secrets-env.test.ts
• src/lib/credentials/secrets-env.ts
• src/lib/credentials/store.ts
• src/lib/inference/config.test.ts
• src/lib/inference/config.ts
• src/lib/inference/model-prompts.ts
• src/lib/inference/provider-models.ts
• src/lib/inference/web-search.ts
• src/lib/onboard.ts
• src/lib/onboard/dashboard.ts
• src/lib/onboard/dockerfile-patch.ts
• src/lib/onboard/machine/handlers/finalization.ts
• src/lib/onboard/machine/handlers/provider-inference.ts
• src/lib/onboard/machine/handlers/sandbox.ts
• src/lib/onboard/policy-presets.ts
• src/lib/onboard/policy-selection.ts
• src/lib/onboard/providers.test.ts
• src/lib/onboard/providers.ts
• src/lib/onboard/summary.test.ts
• src/lib/onboard/summary.ts
• src/lib/onboard/web-search-flow.ts
• src/lib/onboard/web-search-verify.test.ts
• src/lib/onboard/web-search-verify.ts
• src/lib/policy/index.ts
• src/lib/state/onboard-session.ts
• src/lib/validation.test.ts
• src/lib/validation.ts
• test/credentials.test.ts
• test/generate-openclaw-config.test.ts
• test/onboard-brave-validation.test.ts
• test/onboard-policy-suggestions.test.ts
• test/validate-blueprint.test.ts

---

📝 Walkthrough

Walkthrough

This PR migrates the default inference model from Nemotron 3 Super 120B to Nemotron Ultra 253B, adds Tavily as a web search provider alongside Brave, implements local ~/.nemoclaw/secrets.env credential management, and restructures NVIDIA credential routing to support separate Inference Hub vs Build API keys across CLI, onboarding, validation, and infrastructure configuration.

Changes

Nemotron Ultra & Tavily Integration

Layer / File(s)	Summary
Nemotron Ultra Model Migration & Configuration Dockerfile, nemoclaw-blueprint/blueprint.yaml, nemoclaw-blueprint/router/pool-config.yaml, nemoclaw/src/index.ts, src/lib/inference/config.ts, src/lib/onboard/providers.ts, test/validate-blueprint.test.ts	Updated default inference model from Nemotron 3 Super 120B to Nemotron Ultra 253B; added NVIDIA_INFERENCE_HUB_API_KEY credential env variable; updated API base URLs and model routing constants; reordered model catalog entries to prioritize Ultra variant.
NVIDIA Inference Hub Credential Routing System src/lib/credentials/store.ts, src/lib/inference/config.ts, src/lib/inference/model-prompts.ts, src/lib/onboard.ts, src/lib/validation.ts, test/credentials.test.ts, src/lib/validation.test.ts	Added resolveNvidiaCloudModelRoute to map models to endpoint-specific credential env and provider type; implemented resolveNvidiaEndpointCredential and ensureNvidiaEndpointCredential for endpoint-aware interactive credential prompting; enhanced validation to distinguish Build (nvapi-*) vs Inference Hub (sk-*) key prefixes with environment-specific error guidance.
Local Secrets File Management .gitignore, secrets.env.example, src/lib/credentials/secrets-env.ts, src/lib/credentials/secrets-env.test.ts, src/commands/credentials/init-secrets.ts, src/lib/cli/public-display-defaults.ts, docs/security/credential-storage.mdx	Added credentials:init-secrets CLI command to create ~/.nemoclaw/secrets.env; implemented dotenv parsing, allowlist filtering, and staged loading of credentials into process.env only when not already set; integrated secrets file staging into credential resolution pipeline; added restrictive file/directory permissions and symlink-safety checks; documented setup and usage.
Tavily Web Search Provider Integration nemoclaw-blueprint/policies/presets/tavily.yaml, src/lib/inference/web-search.ts, src/lib/onboard/web-search-flow.ts, scripts/setup-tavily-search.sh, scripts/test-tavily-flow.sh, scripts/verify-tavily-openclaw-config.py, scripts/generate-openclaw-config.py, docs/network-policy/integration-policy-examples.mdx	Added Tavily as a web search backend alongside Brave; extended WebSearchConfig with optional provider field; implemented provider-aware API key validation, interactive credential prompts, and recovery flows; added network policy preset for Tavily API access; created setup and validation scripts; updated config generation to emit provider-specific OpenClaw config blocks and AGENTS.md usage hints.
Onboarding Orchestration & Provider-Aware Routing src/lib/onboard.ts, src/lib/onboard/machine/handlers/{finalization,provider-inference,sandbox}.ts, src/lib/onboard/{policy-selection,policy-presets,summary,dashboard,dockerfile-patch}.ts, src/lib/state/onboard-session.ts, src/lib/policy/index.ts	Threaded NVIDIA endpoint routing, web search provider selection, and secrets file staging through onboarding state machine; updated provider-inference resume handler to resolve NVIDIA routes; extended policy selection and suggestion logic to be provider-aware and filter stale presets by provider; updated summary and dashboard display to show resolved provider; enhanced Dockerfile patching to set web search provider arg; extended session persistence to normalize and store provider selection.
Documentation, Examples & Infrastructure Scripts scripts/examples/nemotron-ultra-inference.py, scripts/checks/direct-credential-env.ts, test/{generate-openclaw-config,onboard-brave-validation,onboard-policy-suggestions}.test.ts	Added Python inference example for Nemotron Ultra via OpenAI-compatible API; updated credential env guard to flag NVIDIA_INFERENCE_HUB_API_KEY reads; updated test suites to verify provider-aware web search config generation, onboarding prompt wording changes, policy suggestions, and OpenClaw config validation for both Brave and Tavily providers.

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly Related PRs

• NVIDIA/NemoClaw#4225: Modifies Brave web-search onboarding/verification flow that is extended here to support provider-specific behavior and Tavily integration.
• NVIDIA/NemoClaw#3871: Updates onboarding provider-inference handler and web-search config typing that this PR extends with Nvidia route resolution.
• NVIDIA/NemoClaw#4096: Modifies scripts/generate-openclaw-config.py web-search config generation in overlapping code paths.

Suggested Labels

NemoClaw CLI, enhancement: feature, enhancement: inference, v0.0.53

Suggested Reviewers

• ericksoa
• cv
• jyaunches
• prekshivyas
• cjagwani

---

🐰 Ultras are here, with Tavily by their side,
Secrets stored safely, no more to hide,
Routes resolve smartly, credentials ring true,
Local, secure, and faster than a hare's hop too! 🔐✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch 2026-05-27-0hlj

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}