Skip to main content

Providers and models

Aegis persists the provider shape and stores runtime secrets in the local encrypted vault when you provide an override directly. The profile keeps the provider identity, base URL, default model, reasoning-effort setting, and context-window settings, but never exports the secret value.

Aegis can also discover reusable credentials from local operator state:

  • environment variables such as OPENAI_API_KEY, COPILOT_GITHUB_TOKEN, or provider-specific API key aliases
  • Codex credentials from CODEX_HOME/auth.json or ~/.codex/auth.json
  • Hermes provider auth state from HERMES_HOME/auth.json or ~/.hermes/auth.json
  • Qwen OAuth credentials from ~/.qwen/oauth_creds.json
  • GitHub Copilot credentials from gh auth token
  • GitHub Copilot ACP process availability from COPILOT_ACP_BASE_URL or a local copilot CLI
  • local provider probes for ollama and vllm

Configure during init

The normal path is to choose the provider during aegis init.

If you want to script it:

aegis init --non-interactive \
  --initial-goal "Carry the first durable thread" \
  --provider-id openai-compatible \
  --base-url https://api.example.com/v1 \
  --strong-model example/model \
  --api-key sk-live-...

You can also open aegis init, aegis provider, /providers, or /models interactively and:

  • reuse a discovered OAuth session without being forced through an API-key prompt
  • paste a provider key or override token into the hidden input once when you do need to pin one
  • reuse a credential source that Aegis already discovered locally
  • choose from the live provider catalog path, whether that provider exposes /models, /v1/models, or a provider-specific equivalent
  • set reasoning effort when the selected model supports it
  • keep the context window on auto-detect or override it manually

Keep secrets out of repo files

Do this:

  • let Aegis keep runtime provider secrets in the encrypted local vault
  • rotate provider keys through aegis provider or /providers

Do not do this:

  • do not paste provider secrets into profile.json
  • do not commit secrets into repo files
  • do not copy live keys into support bundles or screenshots

Re-check after changes

Whenever you change provider settings, rerun:

aegis status

That is the supported way to confirm the active profile is ready for wake.

Current provider catalog

Aegis already ships these provider surfaces in the shared runtime:

  • openai-compatible
  • openai
  • openai-codex
  • openrouter
  • copilot
  • anthropic
  • google
  • groq
  • deepseek
  • xai
  • mistral
  • together
  • fireworks
  • moonshot
  • qwen-oauth
  • minimax
  • minimax-cn
  • zai
  • alibaba
  • huggingface
  • ai-gateway
  • opencode-zen
  • opencode-go
  • kilocode
  • ollama
  • vllm

The product surface stays provider-neutral: init stores the provider id, base URL, default model, reasoning-effort choice, context-window configuration, and an encrypted local secret reference or discovered credential path, then status checks whether that profile is ready to drive wake.

Discovery-only providers such as copilot-acp are tracked in the provider inventory even when runtime execution is intentionally disabled. That keeps the operator view aligned with the local machine state without claiming a runtime path that Aegis cannot execute yet.