frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

Show HN: OneCLI – Vault for AI Agents in Rust

https://github.com/onecli/onecli
52•guyb3•1h ago
We built OneCLI because AI agents are being given raw API keys. And it's going about as well as you'd expect. We figured the answer isn't "don't give agents access," it's "give them access without giving them secrets."

OneCLI is an open-source gateway that sits between your AI agents and the services they call. You store your real credentials once in OneCLI's encrypted vault, and give your agents placeholder keys. When an agent makes an HTTP call through the proxy, OneCLI matches the request by host/path, verifies the agent should have access, swaps the placeholder for the real credential, and forwards the request. The agent never touches the actual secret. It just uses CLI or MCP tools as normal.

Try it in one line: docker run --pull always -p 10254:10254 -p 10255:10255 -v onecli-data:/app/data ghcr.io/onecli/onecli

The proxy is written in Rust, the dashboard is Next.js, and secrets are AES-256-GCM encrypted at rest. Everything runs in a single Docker container with an embedded Postgres (PGlite), no external dependencies. Works with any agent framework (OpenClaw, NanoClaw, IronClaw, or anything that can set an HTTPS_PROXY).

We started with what felt most urgent: agents shouldn't be holding raw credentials. The next layer is access policies and audit, defining what each agent can call, logging everything, and requiring human approval before sensitive actions go through.

It's Apache-2.0 licensed. We'd love feedback on the approach, and we're especially curious how people are handling agent auth today.

GitHub: https://github.com/onecli/onecli Site: https://onecli.sh

Comments

anthonyskipper•1h ago
The fake key for real key thing seems like a problem. A lot of enterprise scanning tools look for keys in repos and other locations and you will get a lot of false positives.

Otherwise this is cool, we need more competition here.

guyb3•1h ago
It's a good point, I don't think the placeholders we use will trigger a secret scanner, but we can adjust if it's an issue.

https://github.com/onecli/onecli/blob/942cfc6c6fd6e184504e01...

atonse•1h ago
IronClaw seems to do this natively, I like the idea in general, so it's good too see this pulled out.

I have few questions:

- How can a proxy inject stuff if it's TLS encrypted? (same for IronClaw and others)

- Any adapters for existing secret stores? like maybe my fake credential can be a 1Password entry path (like 1Password:vault-name/entry/field and it would pull from 1P instead of having to have yet another place for me to store secrets?

inssein•27m ago
You use a forward proxy that can MITM.
debarshri•1h ago
Does it act like an auth proxy?
hardsnow•1h ago
This is the right approach. I built a similar system to https://github.com/airutorg/airut - couple of learnings to share:

1) Not all systems respect HTTP_PROXY. Node in particular is very uncooperative in this regard.

2) AWS access keys can’t be handled by simple credential swap; the requests need to be resigned with the real keys. Replicating the SigV4 and SigV4A exactly was bit of a pain.

3) To be secure, this system needs to run outside of the execution sandbox so that the agent can’t just read the keys from the proxy process.

For Airut I settled on a transparent (mitm)proxy, running in a separate container, and injecting proxy cert to the cert store in the container where the agent runs. This solved 1 and 3.

lancetipton•38m ago
Im literally working on the exact same solution. Difference is I'm running the system in a Kubernetes cluster.

I essentially run a sidecar container that sets up ip tables that redirect all requests through my mitm proxy. This was specifically required because of Node not respecting HTTP_PROXY.

Also had to inject a self signed cert to ensure SSL could be proxied and terminated by the mitm proxy, which then injects the secrets, and forwards the request on.

Have you run into any issues with this setup? I'm trying to figure out if there's anything I'm missing that might come back to bite me?

hardsnow•23m ago
I’ve been running this with workloads accessing Anthropic, GitHub, Gemini, and AWS & CF R2 APIs for a while now, and have not ran into issues. I’m sure there’s an API out there that won’t work out of the box but I’m positive that support could be added.

Another thing I did was to allow configuring which hosts each credential is scoped to. Replacement /resigning doesn’t happen unless host matches. That way it is not possible to leak keys by making requests to malicious hosts.

inssein•28m ago
This is basically what https://www.verygoodsecurity.com/ (their main product), but it's heavily focused on credit card data.
semanticc•56s ago
Node 24+ does respect HTTP_PROXY when NODE_USE_ENV_PROXY=1 is set.
sathish316•1h ago
This can also be done using existing Vaults or Secrets manager. Hashicorp Vault can do this and agents can be instructed to get secrets, which are set without the agent's knowledge. I use these 2 simple scripts with OpenClaw to achieve this, along with time-scoped expiration. The call to vault_get.sh is inside the agent's skill script so that the secrets are not leaked to LLMs or in any trace logs:

vault_get.sh: https://gist.github.com/sathish316/1ca3fe1b124577d1354ee254a...

vault_set.sh: https://gist.github.com/sathish316/1f4e6549a8f85ac5c5ac8a088...

Blog about the full setup for OpenClaw: https://x.com/sathish316/status/2019496552419717390

rgbrgb•1h ago
It seems that the architecture you describe still gives the key to the agent (who could email it to red team or perform nefarious actions with it). The advantage of OP's architecture is that the agent never sees the key and you could inspect the request before proxying it. Is that right or do I misunderstand something?
jpbryan•1h ago
Why not just use AWS Secrets Manager?
stevekemp•38m ago
A program making a call to github.com needs an authentication token.

What are you suggesting? The program makes a call to retrieve the secret from AWS? Then has full access to do with it what they want? That's exactly the risk and the problem this, and related solutions mentioned in this thread, is trying to solve.

empath75•1h ago
Don't see any reason to use this over vault.
captn3m0•59m ago
This problem+solution, like many others in the agentic-space, have nothing agent-specific. Giving a "box" API keys was always considered a risk, and auth-proxying has existed as a solution forever. See tokenizer[0] by the fly.io team, which makes it a stateless service for eg - no database or dashboard. Or the buzzfeed SSO proxy, which lets you do the same via an OAuth2-dance at the frontend, and a upstream config at the backend which injects secrets: https://github.com/buzzfeed/sso/blob/549155a64d6c5f8916ed909....

[0]: https://github.com/superfly/tokenizer

RhodesianHunter•53m ago
Just because it's been done before for a different use-case doesn't mean that building exclusively for this use-case doesn't remove friction.
Olshansky•58m ago
tl;dr "scrt [set|get|list|....]" is also a great option

---

If this is of interest, I also recommend looking into: https://github.com/loderunner/scrt.

To me, it's a compliment to 1password.

I use it to save every new secret/api key I get via the CLI.

It's intentionally very feature limited.

Haven't tried it with agents, but wouldn't be surprised if the CLI (as is) would be enough.

paxys•27m ago
You don't want to give the agent a raw key, so you give it a dummy one which will automatically be converted into the real key in the proxy.

So how does that help exactly? The agent can still do exactly what it could have done if it had the real key.

brabel•16m ago
For one thing, it cannot leak secrets between services.
paxys•6m ago
Is that really a problem? All the examples on the repo page themselves show LLMs running unintended operations and messing up your data. And that is very much still going to happen with this wrapper. If anything it is going to provide a false sense of security.
wuweiaxin•22m ago
Secret and credential sprawl is a real problem in agent pipelines specifically -- each agent needs its own scoped access and the blast radius of a leaked credential is much larger when an agent can act autonomously. We ended up with a tiered secret model: agents get short-lived derived tokens scoped to exactly the tools they need for a given task, not broad API keys. Revocation on task completion, not on schedule. More ops overhead upfront but caught two misuse cases that would have been invisible otherwise.
miki_ships•6m ago
wuweiaxin's short-lived-tokens-per-task is the right model, but it hits a ceiling: AWS IAM makes it native; most SaaS APIs don't. GitHub hands you a bearer token, Stripe too, Notion too. The proxy fills that gap. You get per-request scope enforcement without depending on the upstream service supporting fine-grained auth. That's the actual answer to paxys's question -- it's not about preventing the agent from making the same calls, it's about enforcing which calls it's allowed to make when the credential issuer won't.

Malus – Clean Room as a Service

https://malus.sh
592•microflash•4h ago•215 comments

Bubble Sorted Amen Break

https://parametricavocado.itch.io/amen-sorting
66•eieio•1h ago•30 comments

Show HN: OneCLI – Vault for AI Agents in Rust

https://github.com/onecli/onecli
52•guyb3•1h ago•23 comments

The Met Releases High-Def 3D Scans of 140 Famous Art Objects

https://www.openculture.com/2026/03/the-met-releases-high-definition-3d-scans-of-140-famous-art-o...
102•coloneltcb•2h ago•21 comments

ATMs didn't kill bank teller jobs, but the iPhone did

https://davidoks.blog/p/why-the-atm-didnt-kill-bank-teller
148•colinprince•3h ago•188 comments

Reversing memory loss via gut-brain communication

https://med.stanford.edu/news/all-news/2026/03/gut-brain-cognitive-decline.html
52•mustaphah•1h ago•10 comments

US banks' exposure to private credit hits $300B (2025)

https://alternativecreditinvestor.com/2025/10/22/us-banks-exposure-to-private-credit-hits-300bn/
185•JumpCrisscross•5h ago•109 comments

Show HN: Understudy – Teach a desktop agent by demonstrating a task once

https://github.com/understudy-ai/understudy
24•bayes-song•1h ago•4 comments

Converge (YC S23) Is Hiring a Founding Platform Engineer (NYC, Onsite)

https://www.runconverge.com/careers/founding-platform-engineer
1•thomashlvt•1h ago

Kotlin creator's new language: a formal way to talk to LLMs instead of English

https://codespeak.dev/
189•souvlakee•4h ago•157 comments

Asia rolls out 4-day weeks, WFH to solve fuel crisis caused by Iran war

https://fortune.com/2026/03/11/iran-war-fuel-crisis-asia-work-from-home-closed-schools-price-caps/
246•speckx•2h ago•147 comments

The Cost of Indirection in Rust

https://blog.sebastiansastre.co/posts/cost-of-indirection-in-rust/
50•sebastianconcpt•3d ago•10 comments

Dolphin Progress Release 2603

https://dolphin-emu.org/blog/2026/03/12/dolphin-progress-report-release-2603/
235•BitPirate•9h ago•38 comments

Scrt: A CLI secret manager for developers, sysadmins and DevOps

https://github.com/loderunner/scrt
5•Olshansky•57m ago•2 comments

Italian prosecutors seek trial for Amazon, 4 execs in alleged $1.4B tax evasion

https://www.reuters.com/world/italian-prosecutors-seek-trial-amazon-four-execs-over-alleged-14-bl...
133•amarcheschi•2h ago•24 comments

Contextual commits – An open standard for capturing the why in Git history

https://vidimitrov.substack.com/p/contextual-commits-an-open-standard
5•vidimitrov•1h ago•0 comments

Full Spectrum and Infrared Photography

https://timstr.website/blog/fullspectrumphotography.html
16•alter_igel•4d ago•2 comments

Apple's MacBook Neo makes repairs easier and cheaper than other MacBooks

https://arstechnica.com/gadgets/2026/03/more-modular-design-makes-macbook-neo-easier-to-fix-than-...
54•GeekyBear•1h ago•14 comments

Long Overlooked as Crucial to Life, Fungi Start to Get Their Due

https://e360.yale.edu/features/fungi-kingdom
33•speckx•5h ago•1 comments

WolfIP: Lightweight TCP/IP stack with no dynamic memory allocations

https://github.com/wolfssl/wolfip
17•789c789c789c•2h ago•1 comments

DDR4 Sdram – Initialization, Training and Calibration

https://www.systemverilog.io/design/ddr4-initialization-and-calibration/
8•todsacerdoti•2d ago•0 comments

Claude now creates interactive charts, diagrams and visualizations

https://claude.com/blog/claude-builds-visuals
89•adocomplete•2h ago•47 comments

Avoiding Trigonometry (2013)

https://iquilezles.org/articles/noacos/
184•WithinReason•9h ago•50 comments

Show HN: Web-based ANSI art viewer

https://sure.is/ansi/
9•lubujackson•2d ago•3 comments

Emacs internals: Tagged pointers vs. C++ std:variant and LLVM (Part 3)

https://thecloudlet.github.io/blog/project/emacs-03/
50•thecloudlet•5h ago•20 comments

3D-Knitting: The Ultimate Guide

https://www.oliver-charles.com/pages/3d-knitting
197•ChadNauseam•10h ago•73 comments

The Road Not Taken: A World Where IPv4 Evolved

https://owl.billpg.com/ipv4x/
19•billpg•2h ago•16 comments

Lf-lean: The frontier of verified software engineering

https://theorem.dev/blog/lf-lean/
12•alpaylan•2h ago•3 comments

Linux Page Faults, MMAP, and userfaultfd for fast sandbox boot times

https://www.shayon.dev/post/2026/65/linux-page-faults-mmap-and-userfaultfd/
4•shayonj•1h ago•0 comments

Show HN: LogClaw – Open-source AI SRE that auto-creates tickets from logs

https://logclaw.ai
15•Robelkidin•1h ago•10 comments