Providers
Kenaz brokers AI requests through whichever provider you configure. You can have any number of providers configured at once and switch between them per-session via the model picker in the chat header.
How keys are stored
API keys never touch a Kenaz server — there isn't one to send them to. When you save a provider:
- The plaintext key is written to your OS keychain via the platform-native API:
- macOS — Keychain Access (
securityframework) - Windows — Credential Manager
- Linux — Secret Service (
libsecret, e.g. GNOME Keyring or KWallet)
- macOS — Keychain Access (
- The plaintext is zeroed in memory.
- Provider config (kind, region, model list, a reference to the keychain entry) is written to a single JSON file at
$XDG_CONFIG_HOME/kaneaz-harness/providers.json.
The on-disk file is plain text but contains no secret material — only the keychain locator.
Supported providers
| Provider | Connection | Best for | Setup |
|---|---|---|---|
| Anthropic | Direct REST | Reasoning, tool use, long context | API key |
| OpenAI | Direct REST | Broad model selection, vision, audio | API key |
| OpenRouter | Direct REST (gateway) | Trying many models behind one key | API key |
| AWS Bedrock | AWS SDK | Enterprises that need data to stay in AWS | AWS credentials |
| Ollama | Local HTTP | Offline / self-hosted models | None — runs locally |
| Custom | Any OpenAI-compatible endpoint | vLLM, LiteLLM, enterprise gateway | URL + (optional) key |
Picking a model
Kenaz pulls each provider's model list at save time. Some notes:
- Anthropic and OpenAI auto-discover everything your key has access to.
- OpenRouter lists every model on the gateway — the picker is searchable.
- Bedrock only shows what's granted to your AWS account in your selected region. Request access via the Bedrock console first.
- Ollama lists whatever you've
ollama pulled locally. - Custom can't discover — you tell it which model identifier to send.
Capability hints
Some features (vision, tool use, long context) don't work on every model. Kenaz reads each provider's capability metadata when available and disables UI affordances that won't work — e.g. the attachment paperclip is greyed out for text-only models.
You can override hints in Settings → Providers → Edit → Capabilities if Kenaz guessed wrong.
What gets sent to the provider
For each turn:
- The conversation history scoped to the current session.
- The system prompt (default + any per-session edits).
- The tool catalog for any MCP servers + built-in tools enabled in the session.
- Attachments as inline content blocks (images, PDFs, plaintext) per the provider's content-block format.
What does not get sent:
- The audit log.
- Any data from a session you didn't open.
- Telemetry — we don't collect any.
Each provider's privacy posture is documented in their own page.