Compare commits

...

3 Commits

Author SHA1 Message Date
didericis 4d89ffce8b docs(research): add local/internal-reach edge to the OneCLI comparison
Self-hosting means the agent runs inside your own network boundary (homelab,
corporate LAN, Tailnet), so scoping it to internal resources is just an
egress-route line — a reach advantage distinct from the isolation ones, which a
cloud-first credential broker / agent product can't match.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa
2026-07-14 01:48:48 -04:00
didericis 822cff48ad docs(research): mark credential-proxy note as implemented (agents get placeholders)
The note still described the pre-gateway state as "today" — raw provider
tokens env-injected into the agent, readable via printenv — which is no longer
true and was actively misleading. Add a dated Status banner and flag the stale
"today's wiring" / "recommended path forward" passages: the agent now holds only
a placeholder (e.g. CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder) and the real
token is injected as the upstream Authorization header by the existing
pipelock/mitmproxy egress sidecar (EgressRoute auth_scheme + token_ref, one MITM
not two), generalized across Claude/Codex/Pi and git-host tokens. Reasoning
preserved per the research-note convention.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa
2026-07-14 01:42:05 -04:00
didericis ce440fabc4 docs(research): refresh OneCLI competitor entry + product verdict
OneCLI (onecli.sh) was already tracked in the credential-proxy landscape but
the entry was stale (May 2026). Correct it: it uses the phantom-token pattern
this note recommends (not "Bitwarden integration"), and it's now GA, Rust,
YC-backed (~2.5k stars, 300k+ downloads). Add build-vs-adopt + competitor
commentary, and a product-side entry in the containerized-claude landscape with
a verdict on how close a competitor it is and where bot-bottle's edge lies
(isolation as the product, fleet/manifest layer, self-hosted trust posture).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa
2026-07-14 01:23:32 -04:00
2 changed files with 121 additions and 2 deletions
@@ -15,6 +15,25 @@ the biggest credential risk).
## Summary
> **Status — implemented (2026-07-14).** This note's recommendation
> shipped, so the "today" / "in-flight" tenses below are now historical
> (kept as the reasoning that led here). Current reality: bot-bottle no
> longer injects raw provider tokens into the agent. The agent's environ
> carries only a **placeholder** (e.g.
> `CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder`); the real token is held
> in the egress sidecar and injected as the upstream `Authorization`
> header. Rather than adding a *separate* in-container reverse proxy (as
> proposed below), credential injection was folded into the **existing
> pipelock/mitmproxy egress firewall**: an `EgressRoute` carries
> `auth_scheme` + `token_ref`, the host token is forwarded into the
> sidecar addon under an `EGRESS_TOKEN_N` slot, and the addon rewrites
> `Authorization` on matching routes — **one MITM, not two** (this
> resolves the Infisical-doubling concern noted later). The same
> mechanism now covers Codex and Pi provider tokens and git-host PATs.
> A `printenv` inside the bottle yields the placeholder, not the secret.
> For current wiring see `bot_bottle/egress.py` and
> `bot_bottle/contrib/*/agent_provider.py`.
Today every bot-bottle agent gets `CLAUDE_CODE_OAUTH_TOKEN` (and
any `bottle.env` secrets like a Gitea PAT) injected as env vars,
which means the agent process can read them with `printenv` or
@@ -36,6 +55,24 @@ small bot-bottle-specific reverse proxy modeled on the
phantom-token shape is probably the right call. For Gitea / GitHub /
GitLab, the same proxy generalizes by config.
**Updated 2026-07-14:** OneCLI ([onecli.sh](https://onecli.sh/)) —
already listed below — has matured into a GA, YC-backed Rust
credential gateway ("The Identity Gateway for AI Agents", ~2.5k⭐,
300k+ downloads) that implements the **same phantom-token pattern**
this note recommends: the agent holds a placeholder token, the
gateway swaps it for the real (AES-256-GCM-encrypted) credential at
request time. It's now the most mature open-source realization of the
exact design proposed here — a production-ready alternative to
alpha-stage nono — at the cost of being a broader product (built-in
vault + management dashboard + hosted cloud tier + 50+ app
integrations) rather than a minimal proxy. Its managed/cloud tier and
per-agent dashboard also overlap bot-bottle's own planned paid control
plane (bot-bottle-console, issue #327), so it's worth tracking as both
a build-vs-adopt option *and* a product-level competitor. The
build-first recommendation still stands (see synthesis below), but
adopting OneCLI's OSS core is now a credible alternative where nono was
too green.
## The shared problem
Linux has no per-env-var ACL. Once a var is in a process's
@@ -77,7 +114,9 @@ The remaining credible designs reduce to three:
### Anthropic / Claude Code
**Today's wiring** (`bot_bottle/cli/start.py`): the host's
**Original wiring** (pre-gateway; **superseded 2026-07-14** — see the
Status note in the Summary; the token now lives in the egress sidecar
and the agent gets a placeholder): the host's
`BOT_BOTTLE_CLAUDE_OAUTH_TOKEN` is forwarded into the bottle as
`CLAUDE_CODE_OAUTH_TOKEN` via `docker run -e CLAUDE_CODE_OAUTH_TOKEN`
(no `=value`, so the value never lands on argv — good). Inside the
@@ -223,7 +262,7 @@ Two categories:
| **Infisical Agent Vault** | B | MIT (EE carve-out) | In-process HTTPS_PROXY forward proxy | TLS MITM, dummy-to-real swap | No — HTTPS_PROXY model | Service-level | Active; v0.19.0 May 2026, ~1k⭐ |
| **nono** | B | Apache-2.0 | In-process reverse proxy | Phantom token, explicit URL routing | **Yes**`BASE_URL=http://127.0.0.1:PORT/…` | Host + endpoint | Early alpha; v0.53.0 May 2026, 2.4k⭐ |
| **Aegis** | B | Apache-2.0 | In-process reverse proxy | Path routing (`localhost:3100/{svc}/…`) | Configurable, undocumented for Anthropic | Method/path/rate/time | Very new, 10⭐ |
| **OneCLI** | B | Apache-2.0 | Reverse proxy + management UI | Host/path matching, Bitwarden integration | Configurable | Per-agent scoping | Active; v1.23.0 May 2026, 2.1k⭐ |
| **OneCLI** | B | Apache-2.0 | Reverse proxy + built-in vault + dashboard | **Phantom token** (placeholder→real swap at request time), AES-256-GCM vault | Yes (host match) | Per-agent + endpoint/method + rate limits | GA; Rust; YC-backed; ~2.5k⭐, 300k+ downloads (Jul 2026) |
| **Aembit** | B | Proprietary | Sidecar + cloud control plane | TLS intercept, SPIFFE, JIT creds | No — intercepts by destination | Policy-based | GA (Apr 2026) |
| **LiteLLM Proxy** | A | MIT | Reverse proxy | Virtual key → upstream key | Yes — set base URL to LiteLLM | Route-level | 45k⭐; **CVE-2026-42208 exploited Apr 2026**, patch v1.83.7 |
| **Portkey Gateway** | A | MIT (OSS core) | Reverse proxy | Virtual key vault (cloud or Enterprise self-host) | Yes — documented for Claude Code | Config-based | Production; virtual-key vault needs Enterprise for self-host |
@@ -242,6 +281,18 @@ Two categories:
`ANTHROPIC_BASE_URL`. **Blocker:** nono is explicitly
"early alpha, not security audited."
**Update (2026-07-14):** OneCLI ([onecli.sh](https://onecli.sh/))
ships the same phantom-token shape but is GA and YC-backed (Rust,
~2.5k⭐, 300k+ downloads) — the maturity nono lacks. Trade-offs: it's
a full identity-gateway *product* (encrypted vault, management
dashboard, 50+ one-click app integrations, hosted cloud tier), much
heavier than the ~100-line proxy proposed below, and its hosted tier
is a third-party credential custodian — precisely the trust
dependency bot-bottle's isolation model exists to avoid. So: its
Apache-2.0 OSS core is a credible *adopt* candidate for the
phantom-token slice; its managed offering is a *competitor*, not a
dependency to lean on.
- **TLS-MITM forward proxies** (Infisical Agent Vault, Cloudflare
Sandbox Auth, Aembit, the existing pipelock) all double up on
the CA-trust machinery PRD 0006 already built for pipelock.
@@ -273,6 +324,15 @@ routing matches the design recommended here exactly; zero TLS
work. But "not security audited" + "early alpha" means adopting it
is a bet on the project rather than a buy-vs-build win.
**Mature phantom-token option (added 2026-07-14):** OneCLI — same
architecture as nono, but GA, Rust, and YC-backed. Its Apache-2.0 OSS
core is now the strongest *adopt* candidate for the phantom-token slice
if building is undesirable; the caveats are product surface you don't
need (bundled vault + dashboard) and that its hosted tier is a
competitor rather than a dependency. Doesn't change the build-first
recommendation for the narrow Anthropic-token slice, but it does mean
"is there a mature drop-in?" now has a real answer.
**Most mature OSS purpose-built:** Infisical Agent Vault. MIT,
v0.19.0 active, v0.17.0 added a containerized agent mode that
maps directly to bot-bottle. Friction is the TLS-MITM topology
@@ -293,6 +353,12 @@ exposed.
## Recommended path forward
> **Mostly implemented (2026-07-14).** Steps 13 shipped — the token
> injection moved into the egress sidecar (folded into pipelock rather
> than a standalone reverse proxy) and generalized to Codex/Pi/git-host
> tokens. Steps 45 (issuance-side scope narrowing, per-route allowlists)
> remain good hygiene. See the Status note in the Summary.
In priority order:
1. **In-container reverse proxy holding `CLAUDE_CODE_OAUTH_TOKEN`.**
@@ -376,6 +442,9 @@ already gives us for upstream push credentials.
- [nono — phantom token blog](https://nono.sh/blog/blog-credential-injection)
- [Aegis — GitHub](https://github.com/getaegis/aegis)
- [OneCLI — GitHub](https://github.com/onecli/onecli)
- [OneCLI — homepage](https://onecli.sh/)
- [OneCLI — Y Combinator company page](https://www.ycombinator.com/companies/onecli)
- [Show HN: OneCLI Vault for AI Agents in Rust](https://news.ycombinator.com/item?id=47353558)
- [Sandbox0 — GitHub](https://github.com/sandbox0-ai/sandbox0)
- [Buildkite Cleanroom — GitHub](https://github.com/buildkite/cleanroom)
- [Aembit IAM for Agentic AI — GA](https://aembit.io/blog/aembit-iam-for-agentic-ai-is-now-generally-available/)
@@ -71,6 +71,56 @@ manifest merge.
network egress is logged by pipelock/mitmproxy, and per-run op-log/audit state
is persisted to SQLite.
- **OneCLI** ([onecli.sh](https://onecli.sh/)) — YC-backed, GA, open-source
(Apache-2.0, Rust) "identity gateway for AI agents": a credential/secret
broker that holds API keys and OAuth tokens out of the agent's reach and
injects them at the network layer (phantom-token — the agent sees a
placeholder, the gateway swaps in the real, AES-256-GCM-encrypted credential
at request time). Framework-agnostic and drop-in for any HTTP-calling agent,
50+ app integrations, plus a hosted cloud tier with a per-agent dashboard and
audit logs. Full technical breakdown in
[`agent-credential-proxy-landscape.md`](agent-credential-proxy-landscape.md).
**How close a competitor:** near-exact on the *single axis of agent secret
custody* — the exact thing bot-bottle sells as "the agent never sees real
credentials, even via `printenv`." OneCLI does that one job well, is mature
and funded, and is *more portable* (it sits in front of anything; bot-bottle
only helps agents launched through bot-bottle). Takeaway: bot-bottle should
stop treating secret custody as a *unique* differentiator. But OneCLI is
**not** a competitor to bot-bottle's actual product — it does no agent
sandboxing (containers/microVMs), no fleet/manifest layer, no named agents /
skills / per-agent system prompts, no multi-provider launching, no egress
firewall.
**Our edge:** (1) *Isolation is the product, not a proxy.* OneCLI keeps the
key out of reach at the network layer, but the agent itself still runs
unsandboxed — a hijacked agent behind OneCLI has full run of its host and can
exfil captured data through any allowed host. bot-bottle runs the agent inside
a kernel/VM-enforced sandbox, injects credentials across that same
out-of-process boundary, *and* clamps egress with pipelock — defense in depth
vs. a single network layer. (2) *Fleet + manifest model* with named agents,
skills, per-agent system prompts, multi-provider and multi-backend — OneCLI
has no equivalent. (3) *Trust posture:* OneCLI's managed tier reintroduces a
third-party credential custodian, whereas bot-bottle's OSS-runtime +
paid-control-plane split keeps custody inside the operator's own boundary —
the stronger story for the security-minded self-hoster. (4) *Runs inside your
network boundary — local/internal reach.* Because bot-bottle executes the
agent on your own host (homelab, corporate LAN, a Tailnet) and egress is a
manifest field, giving an agent *scoped* access to **internal** resources — a
private Gitea, a LAN database, a Tailscale node — is just another egress-route
line, not a networking project (the same move an operator already makes to
reach their Tailscale services). OneCLI's OSS core can self-host too, but it's
a credential *broker* for outbound API calls, not an agent runtime, and its
managed tier + 50+ integrations are oriented at public SaaS — it doesn't put
the agent behind your firewall for you. This is a reach advantage, distinct
from the isolation ones above, and it's a wedge cloud-first agent products
(Devin, Copilot Workspace, OneCLI Cloud) structurally can't match. **Tactical
read:**
adopt OneCLI's OSS core for the credential slice if building is undesirable
(it's mature now); don't build atop its managed tier (competitor, not
dependency); re-position bot-bottle on isolation + fleet + self-hosted custody
rather than "we hide your secrets."
## What no found project does
None combine: