From ce440fabc4b7f499b1c2a4133f65b98619066026 Mon Sep 17 00:00:00 2001 From: didericis Date: Tue, 14 Jul 2026 01:21:04 -0400 Subject: [PATCH] docs(research): refresh OneCLI competitor entry + product verdict OneCLI (onecli.sh) was already tracked in the credential-proxy landscape but the entry was stale (May 2026). Correct it: it uses the phantom-token pattern this note recommends (not "Bitwarden integration"), and it's now GA, Rust, YC-backed (~2.5k stars, 300k+ downloads). Add build-vs-adopt + competitor commentary, and a product-side entry in the containerized-claude landscape with a verdict on how close a competitor it is and where bot-bottle's edge lies (isolation as the product, fleet/manifest layer, self-hosted trust posture). Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa --- .../agent-credential-proxy-landscape.md | 44 ++++++++++++++++++- .../landscape-containerized-claude.md | 38 ++++++++++++++++ 2 files changed, 81 insertions(+), 1 deletion(-) diff --git a/docs/research/agent-credential-proxy-landscape.md b/docs/research/agent-credential-proxy-landscape.md index d96dea4..38af5c7 100644 --- a/docs/research/agent-credential-proxy-landscape.md +++ b/docs/research/agent-credential-proxy-landscape.md @@ -36,6 +36,24 @@ small bot-bottle-specific reverse proxy modeled on the phantom-token shape is probably the right call. For Gitea / GitHub / GitLab, the same proxy generalizes by config. +**Updated 2026-07-14:** OneCLI ([onecli.sh](https://onecli.sh/)) — +already listed below — has matured into a GA, YC-backed Rust +credential gateway ("The Identity Gateway for AI Agents", ~2.5k⭐, +300k+ downloads) that implements the **same phantom-token pattern** +this note recommends: the agent holds a placeholder token, the +gateway swaps it for the real (AES-256-GCM-encrypted) credential at +request time. It's now the most mature open-source realization of the +exact design proposed here — a production-ready alternative to +alpha-stage nono — at the cost of being a broader product (built-in +vault + management dashboard + hosted cloud tier + 50+ app +integrations) rather than a minimal proxy. Its managed/cloud tier and +per-agent dashboard also overlap bot-bottle's own planned paid control +plane (bot-bottle-console, issue #327), so it's worth tracking as both +a build-vs-adopt option *and* a product-level competitor. The +build-first recommendation still stands (see synthesis below), but +adopting OneCLI's OSS core is now a credible alternative where nono was +too green. + ## The shared problem Linux has no per-env-var ACL. Once a var is in a process's @@ -223,7 +241,7 @@ Two categories: | **Infisical Agent Vault** | B | MIT (EE carve-out) | In-process HTTPS_PROXY forward proxy | TLS MITM, dummy-to-real swap | No — HTTPS_PROXY model | Service-level | Active; v0.19.0 May 2026, ~1k⭐ | | **nono** | B | Apache-2.0 | In-process reverse proxy | Phantom token, explicit URL routing | **Yes** — `BASE_URL=http://127.0.0.1:PORT/…` | Host + endpoint | Early alpha; v0.53.0 May 2026, 2.4k⭐ | | **Aegis** | B | Apache-2.0 | In-process reverse proxy | Path routing (`localhost:3100/{svc}/…`) | Configurable, undocumented for Anthropic | Method/path/rate/time | Very new, 10⭐ | -| **OneCLI** | B | Apache-2.0 | Reverse proxy + management UI | Host/path matching, Bitwarden integration | Configurable | Per-agent scoping | Active; v1.23.0 May 2026, 2.1k⭐ | +| **OneCLI** | B | Apache-2.0 | Reverse proxy + built-in vault + dashboard | **Phantom token** (placeholder→real swap at request time), AES-256-GCM vault | Yes (host match) | Per-agent + endpoint/method + rate limits | GA; Rust; YC-backed; ~2.5k⭐, 300k+ downloads (Jul 2026) | | **Aembit** | B | Proprietary | Sidecar + cloud control plane | TLS intercept, SPIFFE, JIT creds | No — intercepts by destination | Policy-based | GA (Apr 2026) | | **LiteLLM Proxy** | A | MIT | Reverse proxy | Virtual key → upstream key | Yes — set base URL to LiteLLM | Route-level | 45k⭐; **CVE-2026-42208 exploited Apr 2026**, patch v1.83.7 | | **Portkey Gateway** | A | MIT (OSS core) | Reverse proxy | Virtual key vault (cloud or Enterprise self-host) | Yes — documented for Claude Code | Config-based | Production; virtual-key vault needs Enterprise for self-host | @@ -242,6 +260,18 @@ Two categories: `ANTHROPIC_BASE_URL`. **Blocker:** nono is explicitly "early alpha, not security audited." + **Update (2026-07-14):** OneCLI ([onecli.sh](https://onecli.sh/)) + ships the same phantom-token shape but is GA and YC-backed (Rust, + ~2.5k⭐, 300k+ downloads) — the maturity nono lacks. Trade-offs: it's + a full identity-gateway *product* (encrypted vault, management + dashboard, 50+ one-click app integrations, hosted cloud tier), much + heavier than the ~100-line proxy proposed below, and its hosted tier + is a third-party credential custodian — precisely the trust + dependency bot-bottle's isolation model exists to avoid. So: its + Apache-2.0 OSS core is a credible *adopt* candidate for the + phantom-token slice; its managed offering is a *competitor*, not a + dependency to lean on. + - **TLS-MITM forward proxies** (Infisical Agent Vault, Cloudflare Sandbox Auth, Aembit, the existing pipelock) all double up on the CA-trust machinery PRD 0006 already built for pipelock. @@ -273,6 +303,15 @@ routing matches the design recommended here exactly; zero TLS work. But "not security audited" + "early alpha" means adopting it is a bet on the project rather than a buy-vs-build win. +**Mature phantom-token option (added 2026-07-14):** OneCLI — same +architecture as nono, but GA, Rust, and YC-backed. Its Apache-2.0 OSS +core is now the strongest *adopt* candidate for the phantom-token slice +if building is undesirable; the caveats are product surface you don't +need (bundled vault + dashboard) and that its hosted tier is a +competitor rather than a dependency. Doesn't change the build-first +recommendation for the narrow Anthropic-token slice, but it does mean +"is there a mature drop-in?" now has a real answer. + **Most mature OSS purpose-built:** Infisical Agent Vault. MIT, v0.19.0 active, v0.17.0 added a containerized agent mode that maps directly to bot-bottle. Friction is the TLS-MITM topology @@ -376,6 +415,9 @@ already gives us for upstream push credentials. - [nono — phantom token blog](https://nono.sh/blog/blog-credential-injection) - [Aegis — GitHub](https://github.com/getaegis/aegis) - [OneCLI — GitHub](https://github.com/onecli/onecli) +- [OneCLI — homepage](https://onecli.sh/) +- [OneCLI — Y Combinator company page](https://www.ycombinator.com/companies/onecli) +- [Show HN: OneCLI – Vault for AI Agents in Rust](https://news.ycombinator.com/item?id=47353558) - [Sandbox0 — GitHub](https://github.com/sandbox0-ai/sandbox0) - [Buildkite Cleanroom — GitHub](https://github.com/buildkite/cleanroom) - [Aembit IAM for Agentic AI — GA](https://aembit.io/blog/aembit-iam-for-agentic-ai-is-now-generally-available/) diff --git a/docs/research/landscape-containerized-claude.md b/docs/research/landscape-containerized-claude.md index e72a60a..6a317ab 100644 --- a/docs/research/landscape-containerized-claude.md +++ b/docs/research/landscape-containerized-claude.md @@ -71,6 +71,44 @@ manifest merge. network egress is logged by pipelock/mitmproxy, and per-run op-log/audit state is persisted to SQLite. +- **OneCLI** ([onecli.sh](https://onecli.sh/)) — YC-backed, GA, open-source + (Apache-2.0, Rust) "identity gateway for AI agents": a credential/secret + broker that holds API keys and OAuth tokens out of the agent's reach and + injects them at the network layer (phantom-token — the agent sees a + placeholder, the gateway swaps in the real, AES-256-GCM-encrypted credential + at request time). Framework-agnostic and drop-in for any HTTP-calling agent, + 50+ app integrations, plus a hosted cloud tier with a per-agent dashboard and + audit logs. Full technical breakdown in + [`agent-credential-proxy-landscape.md`](agent-credential-proxy-landscape.md). + + **How close a competitor:** near-exact on the *single axis of agent secret + custody* — the exact thing bot-bottle sells as "the agent never sees real + credentials, even via `printenv`." OneCLI does that one job well, is mature + and funded, and is *more portable* (it sits in front of anything; bot-bottle + only helps agents launched through bot-bottle). Takeaway: bot-bottle should + stop treating secret custody as a *unique* differentiator. But OneCLI is + **not** a competitor to bot-bottle's actual product — it does no agent + sandboxing (containers/microVMs), no fleet/manifest layer, no named agents / + skills / per-agent system prompts, no multi-provider launching, no egress + firewall. + + **Our edge:** (1) *Isolation is the product, not a proxy.* OneCLI keeps the + key out of reach at the network layer, but the agent itself still runs + unsandboxed — a hijacked agent behind OneCLI has full run of its host and can + exfil captured data through any allowed host. bot-bottle runs the agent inside + a kernel/VM-enforced sandbox, injects credentials across that same + out-of-process boundary, *and* clamps egress with pipelock — defense in depth + vs. a single network layer. (2) *Fleet + manifest model* with named agents, + skills, per-agent system prompts, multi-provider and multi-backend — OneCLI + has no equivalent. (3) *Trust posture:* OneCLI's managed tier reintroduces a + third-party credential custodian, whereas bot-bottle's OSS-runtime + + paid-control-plane split keeps custody inside the operator's own boundary — + the stronger story for the security-minded self-hoster. **Tactical read:** + adopt OneCLI's OSS core for the credential slice if building is undesirable + (it's mature now); don't build atop its managed tier (competitor, not + dependency); re-position bot-bottle on isolation + fleet + self-hosted custody + rather than "we hide your secrets." + ## What no found project does None combine: