docs(research): refresh OneCLI competitor entry + product verdict
OneCLI (onecli.sh) was already tracked in the credential-proxy landscape but the entry was stale (May 2026). Correct it: it uses the phantom-token pattern this note recommends (not "Bitwarden integration"), and it's now GA, Rust, YC-backed (~2.5k stars, 300k+ downloads). Add build-vs-adopt + competitor commentary, and a product-side entry in the containerized-claude landscape with a verdict on how close a competitor it is and where bot-bottle's edge lies (isolation as the product, fleet/manifest layer, self-hosted trust posture). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa
This commit is contained in:
@@ -36,6 +36,24 @@ small bot-bottle-specific reverse proxy modeled on the
|
||||
phantom-token shape is probably the right call. For Gitea / GitHub /
|
||||
GitLab, the same proxy generalizes by config.
|
||||
|
||||
**Updated 2026-07-14:** OneCLI ([onecli.sh](https://onecli.sh/)) —
|
||||
already listed below — has matured into a GA, YC-backed Rust
|
||||
credential gateway ("The Identity Gateway for AI Agents", ~2.5k⭐,
|
||||
300k+ downloads) that implements the **same phantom-token pattern**
|
||||
this note recommends: the agent holds a placeholder token, the
|
||||
gateway swaps it for the real (AES-256-GCM-encrypted) credential at
|
||||
request time. It's now the most mature open-source realization of the
|
||||
exact design proposed here — a production-ready alternative to
|
||||
alpha-stage nono — at the cost of being a broader product (built-in
|
||||
vault + management dashboard + hosted cloud tier + 50+ app
|
||||
integrations) rather than a minimal proxy. Its managed/cloud tier and
|
||||
per-agent dashboard also overlap bot-bottle's own planned paid control
|
||||
plane (bot-bottle-console, issue #327), so it's worth tracking as both
|
||||
a build-vs-adopt option *and* a product-level competitor. The
|
||||
build-first recommendation still stands (see synthesis below), but
|
||||
adopting OneCLI's OSS core is now a credible alternative where nono was
|
||||
too green.
|
||||
|
||||
## The shared problem
|
||||
|
||||
Linux has no per-env-var ACL. Once a var is in a process's
|
||||
@@ -223,7 +241,7 @@ Two categories:
|
||||
| **Infisical Agent Vault** | B | MIT (EE carve-out) | In-process HTTPS_PROXY forward proxy | TLS MITM, dummy-to-real swap | No — HTTPS_PROXY model | Service-level | Active; v0.19.0 May 2026, ~1k⭐ |
|
||||
| **nono** | B | Apache-2.0 | In-process reverse proxy | Phantom token, explicit URL routing | **Yes** — `BASE_URL=http://127.0.0.1:PORT/…` | Host + endpoint | Early alpha; v0.53.0 May 2026, 2.4k⭐ |
|
||||
| **Aegis** | B | Apache-2.0 | In-process reverse proxy | Path routing (`localhost:3100/{svc}/…`) | Configurable, undocumented for Anthropic | Method/path/rate/time | Very new, 10⭐ |
|
||||
| **OneCLI** | B | Apache-2.0 | Reverse proxy + management UI | Host/path matching, Bitwarden integration | Configurable | Per-agent scoping | Active; v1.23.0 May 2026, 2.1k⭐ |
|
||||
| **OneCLI** | B | Apache-2.0 | Reverse proxy + built-in vault + dashboard | **Phantom token** (placeholder→real swap at request time), AES-256-GCM vault | Yes (host match) | Per-agent + endpoint/method + rate limits | GA; Rust; YC-backed; ~2.5k⭐, 300k+ downloads (Jul 2026) |
|
||||
| **Aembit** | B | Proprietary | Sidecar + cloud control plane | TLS intercept, SPIFFE, JIT creds | No — intercepts by destination | Policy-based | GA (Apr 2026) |
|
||||
| **LiteLLM Proxy** | A | MIT | Reverse proxy | Virtual key → upstream key | Yes — set base URL to LiteLLM | Route-level | 45k⭐; **CVE-2026-42208 exploited Apr 2026**, patch v1.83.7 |
|
||||
| **Portkey Gateway** | A | MIT (OSS core) | Reverse proxy | Virtual key vault (cloud or Enterprise self-host) | Yes — documented for Claude Code | Config-based | Production; virtual-key vault needs Enterprise for self-host |
|
||||
@@ -242,6 +260,18 @@ Two categories:
|
||||
`ANTHROPIC_BASE_URL`. **Blocker:** nono is explicitly
|
||||
"early alpha, not security audited."
|
||||
|
||||
**Update (2026-07-14):** OneCLI ([onecli.sh](https://onecli.sh/))
|
||||
ships the same phantom-token shape but is GA and YC-backed (Rust,
|
||||
~2.5k⭐, 300k+ downloads) — the maturity nono lacks. Trade-offs: it's
|
||||
a full identity-gateway *product* (encrypted vault, management
|
||||
dashboard, 50+ one-click app integrations, hosted cloud tier), much
|
||||
heavier than the ~100-line proxy proposed below, and its hosted tier
|
||||
is a third-party credential custodian — precisely the trust
|
||||
dependency bot-bottle's isolation model exists to avoid. So: its
|
||||
Apache-2.0 OSS core is a credible *adopt* candidate for the
|
||||
phantom-token slice; its managed offering is a *competitor*, not a
|
||||
dependency to lean on.
|
||||
|
||||
- **TLS-MITM forward proxies** (Infisical Agent Vault, Cloudflare
|
||||
Sandbox Auth, Aembit, the existing pipelock) all double up on
|
||||
the CA-trust machinery PRD 0006 already built for pipelock.
|
||||
@@ -273,6 +303,15 @@ routing matches the design recommended here exactly; zero TLS
|
||||
work. But "not security audited" + "early alpha" means adopting it
|
||||
is a bet on the project rather than a buy-vs-build win.
|
||||
|
||||
**Mature phantom-token option (added 2026-07-14):** OneCLI — same
|
||||
architecture as nono, but GA, Rust, and YC-backed. Its Apache-2.0 OSS
|
||||
core is now the strongest *adopt* candidate for the phantom-token slice
|
||||
if building is undesirable; the caveats are product surface you don't
|
||||
need (bundled vault + dashboard) and that its hosted tier is a
|
||||
competitor rather than a dependency. Doesn't change the build-first
|
||||
recommendation for the narrow Anthropic-token slice, but it does mean
|
||||
"is there a mature drop-in?" now has a real answer.
|
||||
|
||||
**Most mature OSS purpose-built:** Infisical Agent Vault. MIT,
|
||||
v0.19.0 active, v0.17.0 added a containerized agent mode that
|
||||
maps directly to bot-bottle. Friction is the TLS-MITM topology
|
||||
@@ -376,6 +415,9 @@ already gives us for upstream push credentials.
|
||||
- [nono — phantom token blog](https://nono.sh/blog/blog-credential-injection)
|
||||
- [Aegis — GitHub](https://github.com/getaegis/aegis)
|
||||
- [OneCLI — GitHub](https://github.com/onecli/onecli)
|
||||
- [OneCLI — homepage](https://onecli.sh/)
|
||||
- [OneCLI — Y Combinator company page](https://www.ycombinator.com/companies/onecli)
|
||||
- [Show HN: OneCLI – Vault for AI Agents in Rust](https://news.ycombinator.com/item?id=47353558)
|
||||
- [Sandbox0 — GitHub](https://github.com/sandbox0-ai/sandbox0)
|
||||
- [Buildkite Cleanroom — GitHub](https://github.com/buildkite/cleanroom)
|
||||
- [Aembit IAM for Agentic AI — GA](https://aembit.io/blog/aembit-iam-for-agentic-ai-is-now-generally-available/)
|
||||
|
||||
@@ -71,6 +71,44 @@ manifest merge.
|
||||
network egress is logged by pipelock/mitmproxy, and per-run op-log/audit state
|
||||
is persisted to SQLite.
|
||||
|
||||
- **OneCLI** ([onecli.sh](https://onecli.sh/)) — YC-backed, GA, open-source
|
||||
(Apache-2.0, Rust) "identity gateway for AI agents": a credential/secret
|
||||
broker that holds API keys and OAuth tokens out of the agent's reach and
|
||||
injects them at the network layer (phantom-token — the agent sees a
|
||||
placeholder, the gateway swaps in the real, AES-256-GCM-encrypted credential
|
||||
at request time). Framework-agnostic and drop-in for any HTTP-calling agent,
|
||||
50+ app integrations, plus a hosted cloud tier with a per-agent dashboard and
|
||||
audit logs. Full technical breakdown in
|
||||
[`agent-credential-proxy-landscape.md`](agent-credential-proxy-landscape.md).
|
||||
|
||||
**How close a competitor:** near-exact on the *single axis of agent secret
|
||||
custody* — the exact thing bot-bottle sells as "the agent never sees real
|
||||
credentials, even via `printenv`." OneCLI does that one job well, is mature
|
||||
and funded, and is *more portable* (it sits in front of anything; bot-bottle
|
||||
only helps agents launched through bot-bottle). Takeaway: bot-bottle should
|
||||
stop treating secret custody as a *unique* differentiator. But OneCLI is
|
||||
**not** a competitor to bot-bottle's actual product — it does no agent
|
||||
sandboxing (containers/microVMs), no fleet/manifest layer, no named agents /
|
||||
skills / per-agent system prompts, no multi-provider launching, no egress
|
||||
firewall.
|
||||
|
||||
**Our edge:** (1) *Isolation is the product, not a proxy.* OneCLI keeps the
|
||||
key out of reach at the network layer, but the agent itself still runs
|
||||
unsandboxed — a hijacked agent behind OneCLI has full run of its host and can
|
||||
exfil captured data through any allowed host. bot-bottle runs the agent inside
|
||||
a kernel/VM-enforced sandbox, injects credentials across that same
|
||||
out-of-process boundary, *and* clamps egress with pipelock — defense in depth
|
||||
vs. a single network layer. (2) *Fleet + manifest model* with named agents,
|
||||
skills, per-agent system prompts, multi-provider and multi-backend — OneCLI
|
||||
has no equivalent. (3) *Trust posture:* OneCLI's managed tier reintroduces a
|
||||
third-party credential custodian, whereas bot-bottle's OSS-runtime +
|
||||
paid-control-plane split keeps custody inside the operator's own boundary —
|
||||
the stronger story for the security-minded self-hoster. **Tactical read:**
|
||||
adopt OneCLI's OSS core for the credential slice if building is undesirable
|
||||
(it's mature now); don't build atop its managed tier (competitor, not
|
||||
dependency); re-position bot-bottle on isolation + fleet + self-hosted custody
|
||||
rather than "we hide your secrets."
|
||||
|
||||
## What no found project does
|
||||
|
||||
None combine:
|
||||
|
||||
Reference in New Issue
Block a user