ce440fabc4
OneCLI (onecli.sh) was already tracked in the credential-proxy landscape but the entry was stale (May 2026). Correct it: it uses the phantom-token pattern this note recommends (not "Bitwarden integration"), and it's now GA, Rust, YC-backed (~2.5k stars, 300k+ downloads). Add build-vs-adopt + competitor commentary, and a product-side entry in the containerized-claude landscape with a verdict on how close a competitor it is and where bot-bottle's edge lies (isolation as the product, fleet/manifest layer, self-hosted trust posture). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa
171 lines
9.4 KiB
Markdown
171 lines
9.4 KiB
Markdown
# Landscape: containerized AI coding agent tools
|
|
|
|
Research into whether bot-bottle is redundant with existing projects, and
|
|
whether it's worth publishing.
|
|
|
|
## Summary
|
|
|
|
The "AI coding agents in isolated sandboxes" space is active but not saturated.
|
|
bot-bottle occupies a distinct position: no surveyed project combines all five
|
|
of its defining features. Publishing is likely worthwhile, with the main risk
|
|
being claudebox expanding to absorb the same niche.
|
|
|
|
**Updated 2026-07-09:** bot-bottle now supports three isolation backends
|
|
(Docker, Apple `container`, smolmachines/libkrun microVMs) and three built-in
|
|
agent providers (Claude Code, OpenAI Codex, Pi) with an open plugin system for
|
|
arbitrary providers. This meaningfully strengthens the differentiation against
|
|
all surveyed competitors.
|
|
|
|
## Closest competitor: claudebox
|
|
|
|
[RchGrav/claudebox](https://github.com/RchGrav/claudebox) is the most
|
|
feature-complete analog. It runs Claude Code in Docker with per-project
|
|
isolated images, 15+ pre-configured dev-language profiles, and per-project
|
|
network firewall allowlists. Actively maintained with multiple forks.
|
|
|
|
What it lacks: manifest-driven named agents, per-agent env resolution modes
|
|
(prompt / host-forward / literal), skill directory injection, per-agent system
|
|
prompts, SSH-agent forwarding without copying private keys, home+project
|
|
manifest merge.
|
|
|
|
## Other surveyed projects
|
|
|
|
- **textcortex/claude-code-sandbox → spritz** — evolved toward
|
|
Kubernetes-native multi-agent infra; not stdlib-first or local-Docker.
|
|
Original sandbox repo is archived.
|
|
- **trailofbits/claude-code-devcontainer** — devcontainer config for security
|
|
audits; not a general agent launcher.
|
|
- **Several small solo repos** (arezi/claude-sandbox, nkrefman/claude-sandbox,
|
|
VishalJ99/claude-docker) — lightweight Docker wrappers with no multi-agent
|
|
config layer.
|
|
- **Docker's official sandbox templates** — launch-and-run Dockerfiles plus an
|
|
npm-based runtime; not a manifest-driven fleet manager.
|
|
|
|
## Adjacent (different model)
|
|
|
|
- **dagger/container-use** (mid-2025) — exposes an MCP server so the *agent*
|
|
spins up its own containers with Git worktrees. Inverted model vs. bot-bottle
|
|
(agent controls container rather than being launched into one by a manifest).
|
|
Still marked early-development.
|
|
- **E2B, Northflank, Cloudflare Sandbox SDK** — cloud-hosted SaaS sandbox
|
|
runtimes; fundamentally different architecture.
|
|
- **superhq.ai / SuperHQ** (v0.4.4, April 2026) — macOS desktop app (Rust/GPUI)
|
|
that runs Claude Code, Codex, and Pi inside microVMs via Apple's
|
|
Virtualization.framework (their own shuru-sdk / libkrun). Auth gateway
|
|
injects API keys on the wire so the sandbox never sees them; tmpfs overlay
|
|
stages agent writes for diff-and-accept review; mobile remote access via
|
|
remote.superhq.ai. Early alpha, free on launch, Apple Silicon only.
|
|
|
|
Overlap: both projects cover agent isolation, credential proxying, and
|
|
multi-provider support (Claude Code / Codex / Pi). Differences: SuperHQ is a
|
|
GUI desktop app with no manifest layer; bot-bottle is a CLI fleet manager with
|
|
named agents, skills injection, per-agent system prompts, and cross-platform
|
|
backends (Docker, Apple `container`, smolmachines). SuperHQ's microVM
|
|
isolation story is now partially matched by bot-bottle's `macos_container` and
|
|
smolmachines backends. Worth watching — it targets the same security-minded
|
|
power-user audience and moves fast.
|
|
|
|
**Known gap in SuperHQ (user-requested, as of 2026-07-09):** A named user
|
|
(Brian Cheong, Founder, Dunialabs.io) explicitly called out the absence of
|
|
per-run audit logging: tool calls and network egress. Bot-bottle covers both:
|
|
network egress is logged by pipelock/mitmproxy, and per-run op-log/audit state
|
|
is persisted to SQLite.
|
|
|
|
- **OneCLI** ([onecli.sh](https://onecli.sh/)) — YC-backed, GA, open-source
|
|
(Apache-2.0, Rust) "identity gateway for AI agents": a credential/secret
|
|
broker that holds API keys and OAuth tokens out of the agent's reach and
|
|
injects them at the network layer (phantom-token — the agent sees a
|
|
placeholder, the gateway swaps in the real, AES-256-GCM-encrypted credential
|
|
at request time). Framework-agnostic and drop-in for any HTTP-calling agent,
|
|
50+ app integrations, plus a hosted cloud tier with a per-agent dashboard and
|
|
audit logs. Full technical breakdown in
|
|
[`agent-credential-proxy-landscape.md`](agent-credential-proxy-landscape.md).
|
|
|
|
**How close a competitor:** near-exact on the *single axis of agent secret
|
|
custody* — the exact thing bot-bottle sells as "the agent never sees real
|
|
credentials, even via `printenv`." OneCLI does that one job well, is mature
|
|
and funded, and is *more portable* (it sits in front of anything; bot-bottle
|
|
only helps agents launched through bot-bottle). Takeaway: bot-bottle should
|
|
stop treating secret custody as a *unique* differentiator. But OneCLI is
|
|
**not** a competitor to bot-bottle's actual product — it does no agent
|
|
sandboxing (containers/microVMs), no fleet/manifest layer, no named agents /
|
|
skills / per-agent system prompts, no multi-provider launching, no egress
|
|
firewall.
|
|
|
|
**Our edge:** (1) *Isolation is the product, not a proxy.* OneCLI keeps the
|
|
key out of reach at the network layer, but the agent itself still runs
|
|
unsandboxed — a hijacked agent behind OneCLI has full run of its host and can
|
|
exfil captured data through any allowed host. bot-bottle runs the agent inside
|
|
a kernel/VM-enforced sandbox, injects credentials across that same
|
|
out-of-process boundary, *and* clamps egress with pipelock — defense in depth
|
|
vs. a single network layer. (2) *Fleet + manifest model* with named agents,
|
|
skills, per-agent system prompts, multi-provider and multi-backend — OneCLI
|
|
has no equivalent. (3) *Trust posture:* OneCLI's managed tier reintroduces a
|
|
third-party credential custodian, whereas bot-bottle's OSS-runtime +
|
|
paid-control-plane split keeps custody inside the operator's own boundary —
|
|
the stronger story for the security-minded self-hoster. **Tactical read:**
|
|
adopt OneCLI's OSS core for the credential slice if building is undesirable
|
|
(it's mature now); don't build atop its managed tier (competitor, not
|
|
dependency); re-position bot-bottle on isolation + fleet + self-hosted custody
|
|
rather than "we hide your secrets."
|
|
|
|
## What no found project does
|
|
|
|
None combine:
|
|
1. Named-agent manifest with per-agent env resolution (prompt / host-forward / literal), supporting multiple providers (Claude Code, Codex, Pi, arbitrary plugins)
|
|
2. Skills directory injection
|
|
3. Per-agent system prompts
|
|
4. SSH-agent key forwarding without copying private keys into the container
|
|
5. Home + project manifest merge
|
|
6. Pluggable isolation backends: Docker (Linux/macOS), Apple `container` (macOS microVMs), smolmachines/libkrun microVMs
|
|
7. Per-run audit log: network egress via pipelock/mitmproxy + op-log persisted to SQLite
|
|
|
|
**In-flight directions (not yet shipped):**
|
|
|
|
- **Forge-native dispatch (issue #317):** Gitea webhook → orchestrator spins up a bottle
|
|
with the issue body as prompt → agent works → bottle freezes awaiting review comment →
|
|
rehydrates on comment → tears down on PR close. The issue-to-PR lifecycle concept is not
|
|
novel (Devin, Copilot Workspace, SWE-agent all do this as cloud services); what's
|
|
distinct is doing it self-hosted, manifest-driven, inside bot-bottle's isolation
|
|
primitives.
|
|
- **Paid web control plane (issue #327):** Browser-based multi-host agent launch and
|
|
monitoring; account-scoped bottle and agent definitions; secret custody (encrypted at
|
|
rest, injected into the sidecar at launch, never exposed to the agent or returned by any
|
|
read API). Monetization model: OSS runtime free, control plane paid — a standard split
|
|
(HashiCorp, Grafana) applied to a self-hosted agent sandbox. The principled secret
|
|
custody model (agent never sees real credentials, even via printenv) is more rigorous
|
|
than most surveyed tools but not unprecedented.
|
|
|
|
## Publishing verdict
|
|
|
|
Worth publishing. Differentiators that matter to the target audience (power
|
|
users running parallel AI coding agent sessions with distinct personas/tooling):
|
|
|
|
- The Python-stdlib-first, low-dependency design — competitors are npm-based,
|
|
Rust/GUI, or Kubernetes-native.
|
|
- Named agents with distinct skills and system prompts, not just language profiles.
|
|
- Multi-backend isolation: Docker, Apple `container` microVMs, and
|
|
smolmachines/libkrun — single manifest works across all three.
|
|
- Multi-provider: Claude Code, Codex, Pi, plus an open plugin system for
|
|
arbitrary providers.
|
|
- SSH forwarding without key copying.
|
|
- Per-run audit log (tool calls + network egress) — an explicitly requested gap
|
|
in SuperHQ as of 2026-07-09.
|
|
- Forge-native dispatch and a paid control plane (in flight) bring bot-bottle
|
|
into the same product category as cloud services like Devin and Copilot
|
|
Workspace — but self-hosted, with stronger isolation guarantees and a
|
|
manifest-driven fleet model those services don't have.
|
|
|
|
Main risk: claudebox adds manifest/agent config; SuperHQ is moving fast on the
|
|
GUI / microVM side. The space is moving fast enough that publishing sooner is
|
|
better if establishing prior art matters.
|
|
|
|
Discovery will be slow without active promotion; an Anthropic Discord post or
|
|
HN "Show HN" would do most of the work.
|
|
|
|
## Caveats
|
|
|
|
- GitHub search cannot surface private or very new repos comprehensively.
|
|
- Counts (stars, forks) were not confirmed for every project.
|
|
- Initial research conducted 2026-05-07; SuperHQ entry added 2026-07-09; the space moves fast.
|