feat: NVIDIA NIM integration for local AI environment#1615
Conversation
…or windows host Replaced Unix-specific 'pnpm' reference with 'pnpm.cmd', injected shell: true to fix spawn EINVAL, and corrected UI copy syntax to resolve build crashes.
- Saved Abacus AI desktop workspace directory permissions and routing (.abacusai/config.json). - Locked in local Model Context Protocol (MCP) server parameters (mcp.config.json). - Staged package.json and pnpm-lock.yaml modifications required for the local Ollama and AI SDK integrations. - Preserved local build logs and customized TypeScript environment definitions for the active development workflow.
…A NIM integration
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Visual recap — skippedThe visual recap job did not run for this pull request. This is informational only and does not block the PR. Recap skipped for |
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| - | - | NVIDIA API Key | da877cf | HANDOFF.md | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
![builder-io-integration[bot]](https://avatars.githubusercontent.com/in/353721?s=60&v=4){kind=small}
There was a problem hiding this comment.
Builder reviewed your changes and found 5 potential issues 🔴
Review Details
This PR adds NVIDIA NIM/OpenAI-compatible gateway support by teaching the AI SDK engine to read OPENAI_BASE_URL / OPENAI_MODEL, plus a set of Windows-oriented local-environment changes and supporting docs/config updates. The direction of the engine override work is sound, but the current branch also bundles several local artifacts and introduces a few cross-platform/config-detection regressions in shared runtime paths.
Risk assessment: Standard (medium). The diff touches shared agent-engine selection, workspace startup scripts, dependency/build configuration, and committed configuration/docs rather than isolated UI code.
Key findings
- 🔴 High: a real API key was committed in
HANDOFF.md - 🔴 High: OpenAI optional overrides were added to
requiredEnvVars, which breaks normal OpenAI engine detection - 🔴 High:
dev-lazynow hardcodespnpm.cmd, breaking Linux/macOS startup - 🔴 High:
@agent-native/code-agents-uibuild now uses Windows-onlycopy - 🟡 Medium: machine-specific workspace config and local artifacts were committed
- 🟡 Medium: Ollama now incorrectly requires
OLLAMA_BASE_URLinstead of preserving the localhost default
Positive note: the actual createAISDKEngine() override pattern for injecting gateway-specific baseUrl / model is a reasonable approach once the required-env and portability issues are corrected.
🧪 Browser testing: Skipped — PR only modifies backend/config/docs/tooling, no user-facing UI impact.
| ### .env Configuration (in root, .gitignore excluded) | ||
| ``` | ||
| AGENT_ENGINE=ai-sdk:openai | ||
| OPENAI_BASE_URL=https://integrate.api.nvidia.com/v1 | ||
| OPENAI_API_KEY=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 |
There was a problem hiding this comment.
🔴 Committed handoff document contains a live API key
This file includes a real OPENAI_API_KEY value from a local .env, which exposes a usable credential in the PR and git history. Remove the secret from the repo and rotate the leaked key immediately.
Additional Info
Found by 3/4 review agents; confirmed directly from diff and repo security guidance.
| const PROVIDER_ENV_VARS: Record<AISDKProvider, string[]> = { | ||
| anthropic: ["ANTHROPIC_API_KEY"], | ||
| openai: ["OPENAI_API_KEY"], | ||
| openai: ["OPENAI_API_KEY", "OPENAI_BASE_URL", "OPENAI_MODEL"], |
There was a problem hiding this comment.
🔴 OpenAI gateway overrides are now treated as required credentials
OPENAI_BASE_URL and OPENAI_MODEL were added to PROVIDER_ENV_VARS, and that list feeds requiredEnvVars for engine detection. Standard OpenAI setups with only OPENAI_API_KEY will no longer be considered configured even though these overrides are supposed to stay optional.
Additional Info
Reported by 1/4 agents, then verified against builtin.ts and registry.ts detect/usable checks that require every env var.
| const child = spawn( | ||
| "pnpm.cmd", |
There was a problem hiding this comment.
🔴 dev-lazy now hardcodes the Windows pnpm executable
This swaps pnpm for pnpm.cmd in shared workspace startup code, and the same change is repeated for background processes later in the file. On Linux/macOS pnpm.cmd does not exist, so dev-lazy can no longer start apps or watchers.
Additional Info
Found by 3/4 review agents; confirmed locally with spawnSync returning `/bin/sh: 1: pnpm.cmd: not found` (exit 127).
| }, | ||
| "scripts": { | ||
| "build": "tsgo && cp src/styles.css dist/styles.css", | ||
| "build": "tsgo && copy src\\styles.css dist\\styles.css", |
There was a problem hiding this comment.
🔴 Package build script is now Windows-only
Changing the build step from cp to copy makes this package fail to build under the POSIX shells used by Linux/macOS CI and publish flows. Use a cross-platform copy command instead of the Windows shell builtin.
Additional Info
Found by 3/4 review agents; confirmed locally with `copy` failing under sh with exit 127.
| "servers": { | ||
| "codebase-memory": { | ||
| "command": "C:\\Users\\larry\\AppData\\Local\\Programs\\codebase-memory-mcp\\codebase-memory-mcp.exe", |
There was a problem hiding this comment.
🟡 Workspace MCP config hardcodes a machine-specific Windows path
This committed workspace config points at C:\Users\larry\...\codebase-memory-mcp.exe, so other checkouts will try to load a binary that only exists on one machine. Remove the local file or replace it with a portable example instead of committing a user-specific absolute path.
Additional Info
Found by 3/4 review agents; confirmed as workspace-root config that will be auto-loaded before per-user fallback.
|
We've been automatically notified and are looking into it. Push a new commit to re-trigger the review, or contact support@builder.io if this keeps happening. Error ID: |
There was a problem hiding this comment.
Builder reviewed your changes and found 4 potential issues 🟡
Review Details
I reviewed the latest incremental update for PR #1615. The only material change since the prior pass is the added changeset, but I re-checked the full diff because the branch still touches shared engine configuration, workspace startup, template contents, and local-environment files. Risk remains Standard (medium).
I also re-verified the five previously posted comments and did not resolve any of them: the live secret in HANDOFF.md, the OpenAI required-env regression, the pnpm.cmd cross-platform regression, the Windows-only copy build step, and the machine-specific mcp.config.json path all still appear present and unresolved.
New findings in this incremental pass
- 🟡
OLLAMA_BASE_URLis now routed through the generic API-key lookup path, so Ollama requests can send the base URL as a bogus bearer token - 🟡
ai-sdk-ollama@4.0.0is added while the workspace is still locked toai@6, which is outside that provider's declared peer range - 🟡 Additional local/generated artifacts are still being committed into the repo/template (
.abacusai/config.json,templates/dispatch/build.log)
The core NIM baseUrl / model override idea is still reasonable, but the PR remains blocking due to the unresolved prior comments plus these additional runtime/repo-hygiene regressions.
🧪 Browser testing: Skipped — PR only modifies backend/config/docs/tooling, no user-facing UI impact.
| mistral: ["MISTRAL_API_KEY"], | ||
| cohere: ["COHERE_API_KEY"], | ||
| ollama: [], // runs locally | ||
| ollama: ["OLLAMA_BASE_URL"], |
There was a problem hiding this comment.
🟡 Ollama base URL now flows through the API key path
Adding OLLAMA_BASE_URL to PROVIDER_ENV_VARS makes getProviderApiKey() return the base URL string, so the Ollama provider can receive http://... as its bearer token whenever env fallback is used. Keep base-URL overrides separate from API-key lookup instead of putting them in the generic credential list.
Additional Info
Confirmed in ai-sdk-engine.ts: constructor falls back to getProviderApiKey(), createProviderModel forwards apiKey, and getProviderApiKey iterates PROVIDER_ENV_VARS.
| "@radix-ui/react-tooltip": "^1.2.7", | ||
| "@tabler/icons-react": "catalog:", | ||
| "@tanstack/react-query": "^5.99.2", | ||
| "ai-sdk-ollama": "^4.0.0", |
There was a problem hiding this comment.
🟡 Ollama provider package is outside the workspace AI SDK major
This adds ai-sdk-ollama@^4.0.0, but the lockfile still resolves ai@6.0.209 while ai-sdk-ollama@4.0.0 declares ai: ^7.0.0 as its peer range. That leaves the new provider wired against an unsupported SDK major.
Additional Info
Confirmed from pnpm-lock.yaml: ai-sdk-ollama@4.0.0 peerDependencies ai ^7.0.0, snapshot resolved with ai 6.0.209.
| "additionalDirectories": [ | ||
| "C:\\Users\\larry\\.abacusai\\tmp\\codellm-prompt-N69pQe", |
There was a problem hiding this comment.
🟡 Committed Abacus config is machine-specific and carries local permissions
This repo-level config hardcodes C:\Users\larry\... temp directories and checks in a local command allowlist (pnpm add, powershell, taskkill, etc.). It should stay user-local rather than shipping another developer's workstation paths and trust policy in the repo.
Additional Info
Confirmed directly from committed .abacusai/config.json absolute Windows paths and permissions.allow entries.
| @@ -0,0 +1,1290 @@ | |||
|
|
|||
There was a problem hiding this comment.
🟡 Dispatch template includes a generated local build transcript
Because template scaffolding copies files verbatim unless they match the explicit skip list, this committed build.log will get shipped into newly scaffolded Dispatch apps. Remove the generated log from the template (or add *.log artifacts to the scaffold skip rules) so new apps do not inherit a 1,290-line local Windows build dump.
Additional Info
Confirmed against templates/dispatch/build.log plus packages/core/src/cli/create.ts shouldSkipScaffoldEntry(), which skips build/ and dist/ but not build.log.
|
thanks for sending @micronox - some feedback here and CI failures to fix in order to merge |
2 participants
Phase 10 complete: NVIDIA Nemotron 3 Ultra 550B model integration