fix: load SDK key from .env for AI Gateway in dev mode

[jhaynie]

Summary

Fixes #348: AI gateway not injecting API key

Problem

When running agentuity dev, the AI SDK patches check for AGENTUITY_SDK_KEY and AGENTUITY_TRANSPORT_URL at runtime to inject API keys for the AI Gateway. However, only AGENTUITY_TRANSPORT_URL was being set - AGENTUITY_SDK_KEY was never loaded from the project's .env file.

This caused the AI SDK patches to fail, resulting in errors like:

LoadAPIKeyError [AI_LoadAPIKeyError]: OpenAI API key is missing. 
Pass it using the 'apiKey' parameter or the OPENAI_API_KEY environment variable.

Solution

• Load SDK key from .env files using loadProjectSDKKey() before starting the dev server
• Add warning message when SDK key is missing but a project is configured
• The warning provides actionable guidance: "Run 'agentuity env pull' to sync your SDK key"

Changes

• packages/cli/src/cmd/dev/index.ts: Load SDK key before starting dev server
• packages/cli/test/build/ai-sdk-env-injection.test.ts: Unit tests for AI SDK env injection
• apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts: Integration test agent
• apps/testing/integration-suite/src/test/ai-sdk-gateway.ts: Integration test suite

Testing

• ✅ All 1292 unit tests pass
• ✅ Build, typecheck, and lint pass
• ✅ Integration suite builds successfully

How to Verify

1. Create a fresh Agentuity project with agentuity new
2. Ensure .env contains AGENTUITY_SDK_KEY=<your-key>
3. Add an agent that uses @ai-sdk/openai with generateText()
4. Run agentuity dev
5. The agent should work without "API key is missing" errors

Summary by CodeRabbit

Release Notes

• New Features

  • Dev command now automatically loads and injects SDK credentials from project configuration.
  • Added AI Gateway Check agent to validate gateway readiness and environment setup.

• Tests

  • Introduced integration test suite for AI SDK gateway functionality, including environment variable injection validation and credential injection flow verification.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds AI Gateway API key injection by introducing an agent-based gateway check, test suite for gateway functionality, CLI integration to load project SDK keys at runtime, and comprehensive build-time patching tests ensuring API key and transport URL injection during bundling.

Changes

Cohort / File(s)	Summary
AI SDK Gateway Check Agent apps/testing/integration-suite/app.ts, apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts	Registers new gateway check agent and introduces aiSdkGatewayCheckAgent that validates AI Gateway readiness through three operations: check-env (reports SDK key and transport URL presence), create-provider (tests OpenAI provider creation without explicit apiKey to verify gateway injection), and create-model (validates model creation flow). Returns structured output with success status, environment flags, and error details.
AI SDK Gateway Integration Tests apps/testing/integration-suite/src/test/ai-sdk-gateway.ts	Adds four integration tests validating gateway behavior: environment variable loading, provider creation without apiKey, model instance creation, and environment consistency checks. Tests verify API key injection and structure validation with debug logging for non-cloud environments.
CLI Dev Mode SDK Key Loading packages/cli/src/cmd/dev/index.ts	Imports loadProjectSDKKey from config and adds runtime logic to load AGENTUITY_SDK_KEY from project-specific environment sources when not already set. Inserts loading calls before dev server startup and LLM patching, with user warnings if key cannot be found.
Build-time API Key Injection Tests packages/cli/test/build/ai-sdk-env-injection.test.ts	Introduces comprehensive integration test suite verifying bundling and patching behavior: creates temporary project with TypeScript source using @ai-sdk/openai, verifies bundled output contains injected environment variables and gateway URL placeholders, validates runtime patch application with env vars present, and ensures patch logic guards against missing environment variables.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI Dev Command
    participant Config as Project Config
    participant Build as Build System
    participant Bundle as Bundled Output
    participant Runtime as Runtime

    CLI->>Config: loadProjectSDKKey()
    Config-->>CLI: AGENTUITY_SDK_KEY
    Note over CLI: Set process.env.AGENTUITY_SDK_KEY
    
    CLI->>Build: Trigger build with env vars set
    Build->>Build: Apply patching plugin
    Build->>Bundle: Inject AGENTUITY_SDK_KEY<br/>AGENTUITY_TRANSPORT_URL<br/>Gateway URL
    Build-->>CLI: Bundled output with patches
    
    Note over Runtime: Application starts
    Runtime->>Runtime: Load bundled module
    Runtime->>Runtime: createOpenAI() called
    rect rgb(220, 240, 255)
        Note over Runtime: Patched createOpenAI
        Runtime->>Runtime: Check env vars present
        Runtime->>Runtime: Inject apiKey from AGENTUITY_SDK_KEY
        Runtime->>Runtime: Inject baseURL from AGENTUITY_TRANSPORT_URL
    end
    Runtime->>Runtime: Model creation succeeds

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	PR comprehensively addresses issue #348 by loading AGENTUITY_SDK_KEY from .env in dev mode, preventing API key injection failures and providing user guidance.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the SDK key loading issue: dev mode loader, integration tests, and related test infrastructure.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch task/fix-issue-with-sdk-not-getting-set

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

packages/cli/test/build/ai-sdk-env-injection.test.ts (1)

174-185: Consider explicit env var exclusion pattern.

Setting env vars to undefined in the spawn env object should work, but behavior can vary. For more explicit clearing, consider filtering the env:

🔎 Alternative pattern

 const proc = Bun.spawn(['bun', 'run', testScriptPath], {
   cwd: tempDir,
   stdout: 'pipe',
   stderr: 'pipe',
   env: {
-    ...process.env,
-    // Clear any existing env vars to ensure clean test
-    AGENTUITY_SDK_KEY: undefined,
-    AGENTUITY_TRANSPORT_URL: undefined,
-    OPENAI_API_KEY: undefined,
+    ...Object.fromEntries(
+      Object.entries(process.env).filter(
+        ([k]) => !['AGENTUITY_SDK_KEY', 'AGENTUITY_TRANSPORT_URL', 'OPENAI_API_KEY'].includes(k)
+      )
+    ),
   },
 });

apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts (1)

88-113: Unused variable may trigger lint warning.

The model variable on line 92 is intentionally unused (verifying creation doesn't throw). Per coding guidelines, ensure all warnings are zero before committing. Consider prefixing with underscore to indicate intentional non-use:

🔎 Suggested fix

 case 'create-model': {
   // Test creating a model instance (doesn't make API call)
   try {
     const openai = createOpenAI({});
-    const model = openai('gpt-4o-mini');
+    const _model = openai('gpt-4o-mini');

     // Model created successfully
     return {

apps/testing/integration-suite/src/test/ai-sdk-gateway.ts (1)

12-14: Consider using path aliases for consistency.

Per coding guidelines, prefer @test/* path aliases instead of relative paths for imports within the integration suite:

🔎 Suggested change

-import { test } from './suite';
-import { assert, assertEqual, assertTruthy } from './helpers';
+import { test } from '@test/suite';
+import { assert, assertEqual, assertTruthy } from '@test/helpers';
 import aiSdkGatewayCheckAgent from '@agents/ai-sdk/gateway-check';

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b564fdb and 7149954.

⛔ Files ignored due to path filters (1)

• apps/testing/integration-suite/src/generated/registry.ts is excluded by !**/generated/**

📒 Files selected for processing (5)

• apps/testing/integration-suite/app.ts
• apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts
• apps/testing/integration-suite/src/test/ai-sdk-gateway.ts
• packages/cli/src/cmd/dev/index.ts
• packages/cli/test/build/ai-sdk-env-injection.test.ts

🧰 Additional context used

📓 Path-based instructions (11)

apps/testing/integration-suite/src/**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (apps/testing/integration-suite/AGENTS.md)

Use path aliases for imports: @agents/* and @test/* instead of relative paths

Files:

• apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts
• apps/testing/integration-suite/src/test/ai-sdk-gateway.ts

apps/testing/integration-suite/src/agent/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/testing/integration-suite/AGENTS.md)

apps/testing/integration-suite/src/agent/**/*.{ts,tsx}: Schema definitions must use s.record(keyType, valueType) with two arguments, not one
Schema definitions must use s.union(typeA, typeB) with arguments, not array s.union([typeA, typeB])
Agent schema pattern must include input and output objects with operation field for multi-operation agents
Session state uses ctx.session.state.set(key, value) and ctx.session.state.get(key) for request-scoped state
Thread state uses ctx.thread.state.set(key, value) and ctx.thread.state.get(key) for conversation-scoped persistent state
StructuredError uses pattern StructuredError(tag, message)<{ shape }>() with properties accessed directly on error instance
Error handling in agent handlers must use try-catch blocks and can transform errors into success responses
Agent eval creation uses agent.createEval(name, config) with handler returning success:true and metadata:{reason}
Agent eval results use passed:boolean for binary pass/fail or score:number (0.0-1.0) for scored results
Background tasks use ctx.waitUntil() with async function or promise, executing after response is sent
Session event listeners use ctx.session.addEventListener(eventName, callback) for 'completed' event
Thread event listeners use ctx.thread.addEventListener(eventName, callback) for 'destroyed' event
Each agent export must have a unique variable name to prevent naming collisions

Files:

• apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts

**/*.{ts,tsx,js,jsx,json}

📄 CodeRabbit inference engine (AGENTS.md)

Use Prettier for code formatting with tabs (width 3), single quotes, and semicolons

Files:

• apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts
• apps/testing/integration-suite/app.ts
• packages/cli/src/cmd/dev/index.ts
• apps/testing/integration-suite/src/test/ai-sdk-gateway.ts
• packages/cli/test/build/ai-sdk-env-injection.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use TypeScript strict mode with ESNext target and bundler moduleResolution

Files:

• apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts
• apps/testing/integration-suite/app.ts
• packages/cli/src/cmd/dev/index.ts
• apps/testing/integration-suite/src/test/ai-sdk-gateway.ts
• packages/cli/test/build/ai-sdk-env-injection.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: Use StructuredError from @agentuity/core for error handling
Ensure all errors AND warnings must be zero before committing

Files:

• apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts
• apps/testing/integration-suite/app.ts
• packages/cli/src/cmd/dev/index.ts
• apps/testing/integration-suite/src/test/ai-sdk-gateway.ts
• packages/cli/test/build/ai-sdk-env-injection.test.ts

apps/testing/integration-suite/**/app.ts

📄 CodeRabbit inference engine (apps/testing/integration-suite/AGENTS.md)

Test files must be imported in app.ts to register tests with the test suite

Files:

• apps/testing/integration-suite/app.ts

packages/cli/src/cmd/*/index.ts

📄 CodeRabbit inference engine (packages/cli/AGENTS.md)

packages/cli/src/cmd/*/index.ts: Each command must be a directory in src/cmd/ with an index.ts file as the main entry point
Always define interfaces for command options instead of using any type

Files:

• packages/cli/src/cmd/dev/index.ts

packages/cli/src/cmd/**/*.ts

📄 CodeRabbit inference engine (packages/cli/AGENTS.md)

packages/cli/src/cmd/**/*.ts: Use tui.* helpers for formatted output instead of raw console logs
Use ctx.logger for logging; call logger.fatal() to log and exit with code 1

Files:

• packages/cli/src/cmd/dev/index.ts

packages/cli/src/**/*.ts

📄 CodeRabbit inference engine (packages/cli/AGENTS.md)

Use Bun.file(f).exists() instead of existsSync(f) for file existence checks

Files:

• packages/cli/src/cmd/dev/index.ts

apps/testing/integration-suite/src/test/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/testing/integration-suite/AGENTS.md)

apps/testing/integration-suite/src/test/**/*.{ts,tsx}: Use uniqueId() helper for all keys, namespaces, and identifiers in tests to ensure test isolation
Test files must follow the pattern: setup section with uniqueId(), execute section calling agent.run(), and assert section with assertion helpers
Import test registration function and assertion helpers from @test/suite and @test/helpers
Use decodeKVValue() helper from @test/helpers/kv to decode stringified Uint8Arrays when reading KV values
Tests must be registered by calling test() function from @test/suite, not just defined

Files:

• apps/testing/integration-suite/src/test/ai-sdk-gateway.ts

packages/*/test/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/*/test/**/*.{ts,tsx}: Place tests in test/ folder (never in src/ or __tests__/)
Import from ../src/ in test files
Use @agentuity/test-utils for mocks in tests

Files:

• packages/cli/test/build/ai-sdk-env-injection.test.ts

🧠 Learnings (1)

📚 Learning: 2025-12-21T00:31:41.858Z

Learnt from: jhaynie
Repo: agentuity/sdk PR: 274
File: packages/cli/src/cmd/build/vite/server-bundler.ts:12-41
Timestamp: 2025-12-21T00:31:41.858Z
Learning: In Bun runtime, BuildMessage and ResolveMessage are global types and are not exported from the bun module. Do not import { BuildMessage } from 'bun' or similar; these types are available globally and should be used without import. This applies to all TypeScript files that target the Bun runtime within the repository.

Applied to files:

• apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts
• apps/testing/integration-suite/app.ts
• packages/cli/src/cmd/dev/index.ts
• apps/testing/integration-suite/src/test/ai-sdk-gateway.ts
• packages/cli/test/build/ai-sdk-env-injection.test.ts

🧬 Code graph analysis (2)

packages/cli/src/cmd/dev/index.ts (1)

packages/cli/src/config.ts (1)

• loadProjectSDKKey (618-655)

packages/cli/test/build/ai-sdk-env-injection.test.ts (1)

packages/cli/src/cmd/build/patch/index.ts (1)

• applyPatch (16-101)

🪛 ast-grep (0.40.3)

packages/cli/test/build/ai-sdk-env-injection.test.ts

[warning] 81-81: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(modulePath)
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 131-131: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(modulePath)
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

🔇 Additional comments (10)

packages/cli/src/cmd/dev/index.ts (1)

15-15: Import addition is correct.

The loadProjectSDKKey function is properly imported alongside existing config utilities.

packages/cli/test/build/ai-sdk-env-injection.test.ts (4)

1-6: Good test structure with appropriate imports.

The test file correctly imports from bun:test and uses the project's patch utilities for integration testing.

---

21-61: Test setup is well-structured.

The beforeAll properly:

• Creates an isolated temp directory
• Sets up a realistic project structure with package.json and source files
• Installs dependencies using bun install --quiet

Good isolation pattern for integration testing.

---

72-92: Static analysis ReDoS warning is a false positive.

The modulePath is constructed from internal patch definitions (patch.module, patch.filename), not user input. The resulting regex pattern (e.g., node_modules/@ai-sdk/openai/.*) is simple without nested quantifiers, so there's no ReDoS risk here.

---

198-218: Effective patch structure validation.

This test verifies the patch logic guards against missing env vars by inspecting the actual patch code structure. This is a valuable safeguard against regressions in the patch template.

apps/testing/integration-suite/app.ts (1)

34-34: Test module registration follows the established pattern.

The import correctly registers the AI SDK gateway tests with the test suite, as per coding guidelines.

apps/testing/integration-suite/src/agent/ai-sdk/gateway-check.ts (2)

17-31: Agent schema correctly follows multi-operation pattern.

The schema properly defines:

• Input with operation field for operation dispatch
• Output with structured fields including optional error

As per coding guidelines, the agent uses a unique variable name (aiSdkGatewayCheckAgent) to prevent naming collisions.

---

52-86: Create-provider operation correctly tests issue #348 scenario.

The operation:

• Calls createOpenAI({}) without explicit apiKey
• Correctly identifies the specific API key missing error pattern
• Returns clear regression message if gateway injection fails

Good regression test design.

apps/testing/integration-suite/src/test/ai-sdk-gateway.ts (2)

17-35: Graceful handling of unconfigured environments.

The test correctly:

• Asserts success when env vars are present
• Logs diagnostic info when not configured (helpful for debugging)
• Doesn't fail the test in unconfigured environments

This is good test design for CI environments that may not have gateway credentials.

---

79-93: Good invariant validation test.

The consistency test properly validates:

• Result field types are correct
• Logical invariant: success implies both hasSDKKey and hasTransportUrl are true

This catches potential schema or logic inconsistencies early.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and view the relevant lines
wc -l packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 94

---

🏁 Script executed:

# View the code at lines 712-726
sed -n '712,726p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 664

---

🏁 Script executed:

# Check for the loadProjectSDKKey import
head -50 packages/cli/src/cmd/dev/index.ts | grep -n "loadProjectSDKKey"

Repository: agentuity/sdk

Length of output: 142

---

🏁 Script executed:

# Search for all imports in the file
head -30 packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 1370

---

🏁 Script executed:

# Check context around lines 712-726 (view broader range)
sed -n '705,730p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 1044

---

🏁 Script executed:

# Search for existsSync usage to check guideline compliance
rg "existsSync" packages/cli/src/cmd/dev/index.ts -n

Repository: agentuity/sdk

Length of output: 207

---

🏁 Script executed:

# Verify loadProjectSDKKey is exported from config
rg "loadProjectSDKKey" packages/cli/src/config -A 3

Repository: agentuity/sdk

Length of output: 120

---

🏁 Script executed:

# Check the logger context - verify it's available in this scope
sed -n '700,715p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 607

---

🏁 Script executed:

# Find the config file
fd "config" packages/cli/src --type f -e ts

Repository: agentuity/sdk

Length of output: 192

---

🏁 Script executed:

# Search for loadProjectSDKKey definition
rg "loadProjectSDKKey" packages/cli/src -A 5 -B 1

Repository: agentuity/sdk

Length of output: 5881

---

🏁 Script executed:

# Check the broader function context to see if logger is available
sed -n '650,680p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 797

---

🏁 Script executed:

# Check for logger availability in the function scope
sed -n '550,580p' packages/cli/src/cmd/dev/index.ts | head -20

Repository: agentuity/sdk

Length of output: 544

---

🏁 Script executed:

# Verify the function signature/context where SDK key loading happens
sed -n '560,575p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 449

---

🏁 Script executed:

# Check the actual function definition to see if logger is defined
rg "const handler = " packages/cli/src/cmd/dev/index.ts -A 10

Repository: agentuity/sdk

Length of output: 39

---

🏁 Script executed:

# Search for where this code block is - find the function that contains it
rg "Load SDK key from project" packages/cli/src/cmd/dev/index.ts -B 50 | head -100

Repository: agentuity/sdk

Length of output: 1425

---

🏁 Script executed:

# Check the command handler structure
sed -n '200,250p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 1699

---

🏁 Script executed:

# Look for the main export and handler
tail -300 packages/cli/src/cmd/dev/index.ts | head -100

Repository: agentuity/sdk

Length of output: 3412

---

🏁 Script executed:

# Get the full context of the function containing the SDK key loading
sed -n '150,170p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 742

---

🏁 Script executed:

# Check logger parameter in the function signature
rg "export const handler" packages/cli/src/cmd/dev/index.ts -A 5

Repository: agentuity/sdk

Length of output: 39

---

🏁 Script executed:

# Check line 193 to see the existsSync usage context
sed -n '188,198p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 262

---

🏁 Script executed:

# Check line 262 existsSync usage context
sed -n '258,268p' packages/cli/src/cmd/dev/index.ts

Repository: agentuity/sdk

Length of output: 385

---

🏁 Script executed:

# Check the full loadProjectSDKKey implementation
sed -n '/export async function loadProjectSDKKey/,/^}/p' packages/cli/src/config.ts | head -40

Repository: agentuity/sdk

Length of output: 1437

---

🏁 Script executed:

# Verify the logger is properly available in the handler context
rg "handler = async \(ctx" packages/cli/src/cmd/dev/index.ts -A 3

Repository: agentuity/sdk

Length of output: 39

---

🏁 Script executed:

# Check if ctx.logger is used elsewhere in this handler
sed -n '150,250p' packages/cli/src/cmd/dev/index.ts | grep -n "ctx.logger\|logger"

Repository: agentuity/sdk

Length of output: 346

---

LGTM but fix existsSync violations before committing.

The SDK key loading logic correctly addresses the issue:

• Guards against overwriting an already-set AGENTUITY_SDK_KEY
• Loads from project-specific .env files via loadProjectSDKKey
• Provides actionable guidance when the key is missing

However, the code uses existsSync() on lines 193 and 262, which violates the coding guideline requiring Bun.file(f).exists() for file existence checks in packages/cli/src/**/*.ts. Replace these usages and also update the existsSync() call in loadProjectSDKKey() in packages/cli/src/config.ts.