
LLM Providers

How providers work and how to add your own.

Overview

A Nemesis8 provider is a TOML file that describes an AI CLI — its binary, flags, config format, auth, and hooks. The provider system is fully data-driven: no code changes are required to add a new provider. Drop a .toml file in the right directory and it's immediately available.

Providers are loaded from two locations:

  • Builtins: /opt/defaults/providers/ inside the Docker image (shipped with each build)
  • User-defined: ~/.nemesis8/providers/ on the host (checked at session start)

Built-in providers

| Provider | CLI | Auth | Notes |
|---|---|---|---|
| claude | claude | ANTHROPIC_API_KEY | Claude Code CLI — full MCP support |
| codex | codex | OPENAI_API_KEY | OpenAI Codex CLI — supports sessions |
| gemini | gemini | GEMINI_API_KEY | Google Gemini CLI |
| openclaw | openclaw | ANTHROPIC_API_KEY | TUI interface via openclaw tui |
| ollama | codex | none (local) / ollama signin (cloud) | Local or cloud Ollama models via OpenAI-compat API |

Provider TOML format

Each provider is described by a TOML file. Here's a minimal example:

[provider]
name = "myprovider"
binary = "myprovider-cli"
install_package = "@myorg/myprovider-cli"

[provider.config_dir]
path = ".myprovider"
format = "json"            # "json" or "toml"
filename = "settings.json"
mcp_key = "mcpServers"

[provider.prompt]
flag = "-p"                # flag used to pass a prompt non-interactively

[provider.danger]
flag = "--yes"             # bypass approval prompts

[provider.model]
flag = "--model"

[provider.api_keys]
target = "MYPROVIDER_API_KEY"
chain = ["MYPROVIDER_API_KEY", "OPENAI_API_KEY"]

[provider.hooks]
requires_git_init = false
supports_sessions = false

[provider.env_overrides]
HOME = "/opt/codex-home"

Field reference

[provider]

| Field | Type | Description |
|---|---|---|
| name | string | Provider name — must match the filename stem |
| aliases | string[] | Alternative names accepted by --provider |
| binary | string | Executable name (must be on PATH inside the container) |
| install_package | string? | npm package installed at image build time |
| env_overrides | map | Environment variables set before exec-ing the binary |

[provider.config_dir]

Describes where the provider reads its config file and how Nemesis8 should write MCP server entries into it.

| Field | Description |
|---|---|
| path | Directory relative to the provider home (/opt/codex-home) |
| format | "json" or "toml" — determines how the config is serialized |
| filename | Config file name (e.g. settings.json, config.toml) |
| mcp_key | Key under which MCP server entries are written (e.g. mcpServers, mcp_servers) |

Ollama provider

The Ollama provider lets you run any Ollama-compatible model against the Codex CLI. Local Ollama models need no API key. Cloud models (the -cloud suffix) stream from ollama.com and require signing in on the host.

# Local model (Ollama must be running on the host)
nemisis8 --provider ollama interactive

# Specify a different local model
nemisis8 --provider ollama --model llama3.3:70b interactive

# Cloud model (run 'ollama signin' on the host first)
nemisis8 --provider ollama --model qwen3.5:397b-cloud interactive

Ollama is reached from inside the container at http://host.docker.internal:11434. This resolves to the host machine on both Docker Desktop (macOS/Windows) and Docker on Linux with --add-host.

For cloud Ollama models, run ollama signin on the host before starting a session. The credential file is picked up automatically by the Ollama daemon.

Adding a custom provider

To add a provider without modifying the image, write a TOML file to ~/.nemesis8/providers/:

mkdir -p ~/.nemesis8/providers

cat > ~/.nemesis8/providers/myprovider.toml <<'EOF'
[provider]
name = "myprovider"
binary = "myprovider-cli"

[provider.config_dir]
path = ".myprovider"
format = "json"
filename = "config.json"
mcp_key = "mcpServers"

[provider.api_keys]
target = "MYPROVIDER_KEY"
chain = ["MYPROVIDER_KEY"]
EOF

Verify it loaded:

nemisis8 doctor

The binary must be available inside the container. If it's not in the image, you can install it in the container's PATH and use a custom NEMESIS8_IMAGE.

User-defined providers override builtin providers with the same name. Use this to customize a builtin without patching the image — create ~/.nemesis8/providers/claude.toml and it takes precedence.

Agent-created providers

Because providers are plain TOML files, a running agent can create or modify them. An agent that has shell access inside a container can write to /opt/codex-home/../providers/ (host-mounted) to register a new provider for the next session — no recompile, no redeploy.

This is the intended extensibility path: agents discover new CLIs, write their TOML spec, and make themselves available via --provider <new-name>.