NVIDIA · lakshyaag-tavily · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026
diff --git a/Dockerfile b/Dockerfile
@@ -305,6 +305,10 @@ ARG NEMOCLAW_PROXY_PORT=3128
 # The actual API key is injected at runtime via openshell:resolve:env, never
 # baked into the image.
 ARG NEMOCLAW_WEB_SEARCH_ENABLED=0
+# Web search provider selected during onboard ("brave" or "tavily"). The
+# Python script falls back to "brave" if unset or unrecognized; the env var
+# is patched to the user's choice by the CLI before docker build.
+ARG NEMOCLAW_WEB_SEARCH_PROVIDER=brave
 
 # SECURITY: Promote build-args to env vars so the Python script reads them
 # via os.environ, never via string interpolation into Python source code.
@@ -329,7 +333,8 @@ ENV NEMOCLAW_MODEL=${NEMOCLAW_MODEL} \
     NEMOCLAW_DISABLE_DEVICE_AUTH=${NEMOCLAW_DISABLE_DEVICE_AUTH} \
     NEMOCLAW_PROXY_HOST=${NEMOCLAW_PROXY_HOST} \
     NEMOCLAW_PROXY_PORT=${NEMOCLAW_PROXY_PORT} \
-    NEMOCLAW_WEB_SEARCH_ENABLED=${NEMOCLAW_WEB_SEARCH_ENABLED}
+    NEMOCLAW_WEB_SEARCH_ENABLED=${NEMOCLAW_WEB_SEARCH_ENABLED} \
+    NEMOCLAW_WEB_SEARCH_PROVIDER=${NEMOCLAW_WEB_SEARCH_PROVIDER}
 
 WORKDIR /sandbox
 USER sandbox

diff --git a/nemoclaw-blueprint/policies/presets/tavily.yaml b/nemoclaw-blueprint/policies/presets/tavily.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+preset:
+  name: tavily
+  description: "Tavily Search API access"
+
+network_policies:
+  tavily:
+    name: tavily
+    endpoints:
+      - host: api.tavily.com
+        port: 443
+        protocol: rest
+        enforcement: enforce
+        rules:
+          - allow: { method: GET, path: "/**" }
+          - allow: { method: POST, path: "/**" }
+    binaries:
+      - { path: /usr/local/bin/node }
+      - { path: /usr/bin/node }
diff --git a/nemoclaw-blueprint/policies/tiers.yaml b/nemoclaw-blueprint/policies/tiers.yaml
@@ -26,6 +26,7 @@ tiers:
       - { name: huggingface,  access: read-write }
       - { name: brew,         access: read-write }
       - { name: brave,        access: read-write }
+      - { name: tavily,       access: read-write }
 
   - name: open
     label: Open
@@ -36,6 +37,7 @@ tiers:
       - { name: huggingface,  access: read-write }
       - { name: brew,         access: read-write }
       - { name: brave,        access: read-write }
+      - { name: tavily,       access: read-write }
       - { name: slack,        access: read-write }
       - { name: discord,      access: read-write }
       - { name: telegram,     access: read-write }

diff --git a/scripts/generate-openclaw-config.py b/scripts/generate-openclaw-config.py
@@ -608,14 +608,24 @@ def _placeholder(channel: str, env_key: str) -> str:
     }
 
     if env.get("NEMOCLAW_WEB_SEARCH_ENABLED", "") == "1":
+        _ws_provider = env.get("NEMOCLAW_WEB_SEARCH_PROVIDER", "brave")
+        if _ws_provider not in ("brave", "tavily"):
+            _ws_provider = "brave"
+        _ws_env_key = {"brave": "BRAVE_API_KEY", "tavily": "TAVILY_API_KEY"}[
+            _ws_provider
+        ]
+        # Route web_fetch through Tavily Extract when Tavily is the search provider.
+        fetch_cfg: dict = {"enabled": True}
+        if _ws_provider == "tavily":
+            fetch_cfg["provider"] = "tavily"
         config["tools"] = {
             "web": {
                 "search": {
                     "enabled": True,
-                    "provider": "brave",
-                    "apiKey": "openshell:resolve:env:BRAVE_API_KEY",
+                    "provider": _ws_provider,
+                    "apiKey": f"openshell:resolve:env:{_ws_env_key}",
                 },
-                "fetch": {"enabled": True},
+                "fetch": fetch_cfg,
             }
         }
 

diff --git a/src/lib/inference/web-search.test.ts b/src/lib/inference/web-search.test.ts
@@ -3,10 +3,19 @@
 
 import { describe, expect, it } from "vitest";
 
-import { BRAVE_API_KEY_ENV } from "./web-search";
+import { BRAVE_API_KEY_ENV, TAVILY_API_KEY_ENV, webSearchEnvFor } from "./web-search";
 
 describe("web-search module", () => {
   it("exports BRAVE_API_KEY_ENV constant", () => {
     expect(BRAVE_API_KEY_ENV).toBe("BRAVE_API_KEY");
   });
+
+  it("exports TAVILY_API_KEY_ENV constant", () => {
+    expect(TAVILY_API_KEY_ENV).toBe("TAVILY_API_KEY");
+  });
+
+  it("webSearchEnvFor maps providers to env var names", () => {
+    expect(webSearchEnvFor("brave")).toBe("BRAVE_API_KEY");
+    expect(webSearchEnvFor("tavily")).toBe("TAVILY_API_KEY");
+  });
 });
diff --git a/src/lib/inference/web-search.ts b/src/lib/inference/web-search.ts
@@ -1,8 +1,16 @@
 // SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+export type WebSearchProvider = "brave" | "tavily";
+
 export interface WebSearchConfig {
   fetchEnabled: boolean;
+  provider: WebSearchProvider;
 }
 
 export const BRAVE_API_KEY_ENV = "BRAVE_API_KEY";
+export const TAVILY_API_KEY_ENV = "TAVILY_API_KEY";
+
+export function webSearchEnvFor(provider: WebSearchProvider): string {
+  return provider === "tavily" ? TAVILY_API_KEY_ENV : BRAVE_API_KEY_ENV;
+}