docs(research): refresh OneCLI competitor entry + product verdict
OneCLI (onecli.sh) was already tracked in the credential-proxy landscape but the entry was stale (May 2026). Correct it: it uses the phantom-token pattern this note recommends (not "Bitwarden integration"), and it's now GA, Rust, YC-backed (~2.5k stars, 300k+ downloads). Add build-vs-adopt + competitor commentary, and a product-side entry in the containerized-claude landscape with a verdict on how close a competitor it is and where bot-bottle's edge lies (isolation as the product, fleet/manifest layer, self-hosted trust posture). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa
This commit is contained in:
@@ -71,6 +71,44 @@ manifest merge.
|
||||
network egress is logged by pipelock/mitmproxy, and per-run op-log/audit state
|
||||
is persisted to SQLite.
|
||||
|
||||
- **OneCLI** ([onecli.sh](https://onecli.sh/)) — YC-backed, GA, open-source
|
||||
(Apache-2.0, Rust) "identity gateway for AI agents": a credential/secret
|
||||
broker that holds API keys and OAuth tokens out of the agent's reach and
|
||||
injects them at the network layer (phantom-token — the agent sees a
|
||||
placeholder, the gateway swaps in the real, AES-256-GCM-encrypted credential
|
||||
at request time). Framework-agnostic and drop-in for any HTTP-calling agent,
|
||||
50+ app integrations, plus a hosted cloud tier with a per-agent dashboard and
|
||||
audit logs. Full technical breakdown in
|
||||
[`agent-credential-proxy-landscape.md`](agent-credential-proxy-landscape.md).
|
||||
|
||||
**How close a competitor:** near-exact on the *single axis of agent secret
|
||||
custody* — the exact thing bot-bottle sells as "the agent never sees real
|
||||
credentials, even via `printenv`." OneCLI does that one job well, is mature
|
||||
and funded, and is *more portable* (it sits in front of anything; bot-bottle
|
||||
only helps agents launched through bot-bottle). Takeaway: bot-bottle should
|
||||
stop treating secret custody as a *unique* differentiator. But OneCLI is
|
||||
**not** a competitor to bot-bottle's actual product — it does no agent
|
||||
sandboxing (containers/microVMs), no fleet/manifest layer, no named agents /
|
||||
skills / per-agent system prompts, no multi-provider launching, no egress
|
||||
firewall.
|
||||
|
||||
**Our edge:** (1) *Isolation is the product, not a proxy.* OneCLI keeps the
|
||||
key out of reach at the network layer, but the agent itself still runs
|
||||
unsandboxed — a hijacked agent behind OneCLI has full run of its host and can
|
||||
exfil captured data through any allowed host. bot-bottle runs the agent inside
|
||||
a kernel/VM-enforced sandbox, injects credentials across that same
|
||||
out-of-process boundary, *and* clamps egress with pipelock — defense in depth
|
||||
vs. a single network layer. (2) *Fleet + manifest model* with named agents,
|
||||
skills, per-agent system prompts, multi-provider and multi-backend — OneCLI
|
||||
has no equivalent. (3) *Trust posture:* OneCLI's managed tier reintroduces a
|
||||
third-party credential custodian, whereas bot-bottle's OSS-runtime +
|
||||
paid-control-plane split keeps custody inside the operator's own boundary —
|
||||
the stronger story for the security-minded self-hoster. **Tactical read:**
|
||||
adopt OneCLI's OSS core for the credential slice if building is undesirable
|
||||
(it's mature now); don't build atop its managed tier (competitor, not
|
||||
dependency); re-position bot-bottle on isolation + fleet + self-hosted custody
|
||||
rather than "we hide your secrets."
|
||||
|
||||
## What no found project does
|
||||
|
||||
None combine:
|
||||
|
||||
Reference in New Issue
Block a user