Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From truefoundry
Integrates codebase with TrueFoundry AI Gateway: scans LLM calls, MCP configs, credentials; diffs against gateway config; generates migration plan; applies changes; verifies routing end-to-end.
npx claudepluginhub truefoundry/skills --plugin truefoundryHow this skill is triggered — by the user, by Claude, or both
Slash command
/truefoundry:integrate-gatewayThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
<objective>
install.mdreferences/api-endpoints.mdreferences/cli-fallback.mdreferences/cli-reference.mdreferences/intent-clarification.mdreferences/migration-code-patterns.mdreferences/migration-patterns.mdreferences/prerequisites.mdreferences/provider-manifests.mdreferences/tfy-api-setup.mdscripts/scan.shscripts/tfy-api.shscripts/tfy-version.shscripts/verify-gateway.shConfigures TrueFoundry AI Gateway for unified OpenAI-compatible LLM access, provider account integrations, content safety guardrails, and request observability (traces, costs, errors).
Provides expert guidance for Vercel AI Gateway configuration: model routing, provider failover, cost tracking, unified API for multiple AI providers like OpenAI, Anthropic, Gemini.
Connects AgentCore agents to external APIs, MCP servers, Lambda functions, or OpenAPI specs via Gateway. Configures outbound auth (OAuth, API keys, IAM), credentials, and Cedar policies for tool access control.
Share bugs, ideas, or general feedback.
Integrate the current codebase with TrueFoundry AI Gateway. This skill runs inside the customer's repo and has full filesystem access — use it for deep analysis, not surface scanning.
onboard skill firstgateway skillgateway skillThis skill has the codebase. It can:
.env files and docker-compose configs.env is gitignored before any key operations1. PREFLIGHT 2. SCAN 3. DIFF 4. PLAN 5. APPLY 6. VERIFY
Check login → Find all AI → Compare with → Present → Make changes → Smoke test
& .env safety call sites gateway state migration (with conf) each model
Models in the gateway use {provider_account_name}/{model_name}:
openai-main/gpt-4o (not gpt-4o)anthropic-main/claude-sonnet-4-20250514 (not claude-sonnet-4-20250514)Virtual models allow keeping original names — gateway handles the mapping.
Before touching anything, verify safety:
# 1. Check TFY login exists
python3 -c "
import json; from pathlib import Path
d = json.loads((Path.home()/'.truefoundry'/'credentials.json').read_text())
host = d.get('host') or d.get('base_url') or ''
token = d.get('access_token') or d.get('refresh_token') or ''
print(f'tfy login: {\"ok (\" + host + \")\" if host and token else \"missing\"}')" 2>/dev/null || echo "tfy login: missing"
# 2. Check .env is gitignored (CRITICAL — before any key operations)
if [ -f .env ]; then
git check-ignore .env >/dev/null 2>&1 && echo ".env: gitignored (safe)" || echo ".env: NOT GITIGNORED — fix this first"
fi
# 3. Check TFY env vars
echo "TFY_BASE_URL: ${TFY_BASE_URL:-(not set)}"
echo "TFY_API_KEY: ${TFY_API_KEY:+(set)}${TFY_API_KEY:-(not set)}"
Stop if:
tfy login: missing -> use onboard skill.env: NOT GITIGNORED -> fix .gitignore before proceedingTFY_API_KEY: (not set) -> user needs a PAT from dashboardRun the scanner script for structured output:
scripts/scan.sh . --skip-tests
Then go deeper — read the actual files to understand patterns:
For each LLM call site found, read the surrounding code to classify:
| Pattern | Effort | Migration |
|---|---|---|
OpenAI() — no args, reads env | None | Just update env vars |
OpenAI(api_key=os.environ["X"]) — key from env, no base_url | Low | Add OPENAI_BASE_URL to env |
OpenAI(api_key="sk-...", base_url="...") — hardcoded | Medium | Rewrite to use env vars |
ChatOpenAI(model="gpt-4o") — framework with params | Medium | Add base_url or set env |
| Multiple providers with different keys | High | Consolidate to single TFY PAT |
# Where do env vars get set?
rg -rn 'OPENAI_API_KEY|OPENAI_BASE_URL' --include='*.env*' --include='docker-compose*' --include='*.yaml' --include='*.yml' .
# CI/CD pipeline env injection?
find . -name '*.yml' -path '*/.github/*' -exec grep -l 'OPENAI\|ANTHROPIC\|LLM' {} \;
find . -name 'Dockerfile*' -exec grep -l 'OPENAI\|ANTHROPIC\|API_KEY' {} \;
# Package manager files reveal the stack
cat package.json 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin).get('dependencies',{}); [print(k) for k in d if 'openai' in k or 'anthropic' in k or 'ai-sdk' in k or 'langchain' in k]" 2>/dev/null
cat requirements.txt 2>/dev/null | grep -i 'openai\|anthropic\|langchain\|llama.index\|litellm' 2>/dev/null
cat pyproject.toml 2>/dev/null | grep -i 'openai\|anthropic\|langchain\|llama.index\|litellm' 2>/dev/null
Compare what the codebase uses against what's already configured:
TFY_API_SH="$(find ~/.claude/skills ~/.cursor/skills ~/.codex/skills -name tfy-api.sh 2>/dev/null | head -1)"
# What's already in the gateway?
$TFY_API_SH GET /api/svc/v1/provider-accounts
# What models are callable?
curl -s "${TFY_BASE_URL}/api/llm/models" -H "Authorization: Bearer ${TFY_API_KEY}" | python3 -c "import sys,json; [print(m['id']) for m in json.load(sys.stdin).get('data',[])]"
Produce a gap analysis:
.env but NOT in TFY Secrets -> need secret creationPresent findings as an actionable report. Format:
## Integration Summary
| Metric | Count |
|--------|-------|
| LLM call sites found | X |
| Already routed through TFY | Y |
| Need migration | Z |
| Hardcoded credentials (CRITICAL) | N |
| Models missing from gateway | M |
## Call Sites (by migration effort)
### No changes needed (env-var driven)
| File | Line | SDK | Why it works already |
...
### Low effort (add env var)
| File | Line | SDK | What to add |
...
### Medium effort (code change)
| File | Line | SDK | Current → Required change |
...
## Gateway Gaps
| Model | Provider | Status | Action |
...
## Recommended approach:
- [ ] Strategy A or B for model names? (ask user)
- [ ] N env files to update
- [ ] M provider accounts to create
- [ ] Estimated: X minutes
Ask for confirmation before proceeding to Phase 5.
Never handle raw keys. Tell the user:
"Set your provider keys as environment variables, then I'll store them in TFY Secrets:
! export OPENAI_API_KEY=<your-key>"
Then create secret group:
$TFY_API_SH POST /api/svc/v1/secret-groups "$payload"
For templates, see references/provider-manifests.md.
tfy apply -f provider-account.yaml --dry-run --show-diff
tfy apply -f provider-account.yaml
If user chose "keep existing model names", create virtual model routing config. See gateway skill [references/calling-models.md] for gateway-load-balancing-config manifest.
Replace provider keys with TFY PAT and add base URL:
# .env — always use TFY_BASE_URL, never hardcode gateway.truefoundry.ai
OPENAI_API_KEY=<tfy-pat>
OPENAI_BASE_URL=${TFY_BASE_URL}/api/llm
Safety: Keep original .env backed up. Original provider keys are now in TFY Secrets — confirm they're accessible before removing from .env.
For complete before/after patterns per framework, see references/migration-code-patterns.md.
Always ask for confirmation before modifying source files.
grep -q '^\.env$' .gitignore 2>/dev/null || echo '.env' >> .gitignore
grep -q '^\.env\.local$' .gitignore 2>/dev/null || echo '.env.local' >> .gitignore
Test each model found in the codebase:
scripts/verify-gateway.sh "openai-main/gpt-4o-mini"
Or if using virtual models (Strategy B):
scripts/verify-gateway.sh "gpt-4o-mini"
Present final status:
## Integration Complete
| Model | Status | Latency |
|-------|--------|---------|
| openai-main/gpt-4o | OK | 1.2s |
| anthropic-main/claude-sonnet | OK | 0.8s |
What's now active:
- Cost tracking in TFY dashboard → AI Gateway → Observability
- Request traces with latency, tokens, cost per call
- Budget controls and rate limiting available
Next steps:
- [ ] Set up budget alerts (gateway skill)
- [ ] Add guardrails for content safety
- [ ] Create production VAT for deployed services
- [ ] Configure CI/CD to use TFY_API_KEY secret
<success_criteria>
</success_criteria>
tfy apply, tfy login)scripts/scan.sh [dir] [--skip-tests] — Structured codebase scan (run first)scripts/verify-gateway.sh [model_id] — Smoke test a model through the gatewaygateway skill for routing, rate limits, guardrails, virtual modelsplatform skill (Secrets section) for advanced secret managementmcp-servers skill to register discovered MCP configs in the registryonboard skill if customer has no TFY accountSTOP. Fix this before any key operations: echo '.env' >> .gitignore && git add .gitignore
Use onboard skill. Do not proceed with integration.
Check: correct project root? Code in subdirectory? Try scripts/scan.sh ./src. Ask if framework isn't covered.
Verify: integration has correct model_types, collaborators include team:everyone, provider account status is active.
Check: TFY_API_KEY set to valid PAT/VAT, OPENAI_BASE_URL points to ${TFY_BASE_URL}/api/llm (not hardcoded gateway URL).
Keys should remain in TFY Secrets. Check: $TFY_API_SH GET /api/svc/v1/secret-groups and verify the group exists.
Ask which services to scan. Scope: scripts/scan.sh ./services/api --skip-tests
Options: (1) replace with TFY Gateway, (2) point LiteLLM at gateway for observability, (3) keep LiteLLM for dev only.