discovered 30 Mar 2026

onecli

TypeScript ★ 1474 via github-topic

AI Summary: OneCLI is an open-source credential management gateway designed for AI agents, providing a secure method to store and inject API keys without exposing them to the agents themselves. It offers features such as AES-256-GCM encrypted secret storage, transparent credential injection, host and path matching for secret routing, and support for multiple agents with scoped permissions. The system enables easy setup via Docker and integrates with external vaults like Bitwarden for on-demand credential access, enhancing security and manageability in API interactions.


README

OneCLI

The secret vault for AI agents.
Store once. Inject anywhere. Agents never see the keys.

Website · Docs · Discord


How OneCLI works

What is OneCLI?

OneCLI is an open-source gateway that sits between your AI agents and the services they call. Instead of baking API keys into every agent, you store credentials once in OneCLI and the gateway injects them transparently. Agents never see the secrets.

Why we built it: AI agents need to call dozens of APIs, but giving each agent raw credentials is a security risk. OneCLI solves this with a single gateway that handles auth, so you get one place to manage access, rotate keys, and see what every agent is doing.

How it works: You store your real API credentials in OneCLI and give your agents placeholder keys (e.g. FAKE_KEY). When an agent makes an HTTP call through the gateway, OneCLI matches the request to the right credentials by host and path, decrypts the real key, swaps it in for FAKE_KEY, and injects it into the outbound request. The agent never touches the real secrets. It just makes normal HTTP calls and the gateway handles the swap.

Architecture

OneCLI Architecture
  • Rust Gateway: fast HTTP gateway that intercepts outbound requests and injects credentials. Agents authenticate with access tokens via Proxy-Authorization headers.
  • Web Dashboard: Next.js app for managing agents, secrets, and permissions. Provides the API the gateway uses to resolve which credentials to inject for each request.
  • Secret Store: AES-256-GCM encrypted credential storage. Secrets are decrypted only at request time, matched by host and path patterns, and injected by the gateway as headers.
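The placeholder swap described under "How it works" and the Secret Store bullet above, as an added example that is not OneCLI's own code: rules keyed by host and path, secrets held AES-256-GCM encrypted and decrypted only for a matching request. The names (SecretRule, injectCredentials, the FAKE_KEY placeholder value and the sample host) are this example's own assumptions.

```typescript
// Added example, not OneCLI's own code: minimal model of the gateway's placeholder swap.
// SecretRule, injectCredentials and the sample hosts are this example's own names.
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

interface EncryptedSecret { iv: string; tag: string; data: string } // hex fields
interface SecretRule {
  host: string;        // exact host, or "*.suffix" to match any subdomain
  pathPrefix: string;  // request path must start with this
  header: string;      // header carrying the placeholder (name compared as written)
  placeholder: string; // value handed to agents, e.g. FAKE_KEY
  secret: EncryptedSecret;
}

function encryptSecret(key: Buffer, plaintext: string): EncryptedSecret {
  const iv = randomBytes(12); // fresh 96-bit nonce per secret; never reuse with one key
  const c = createCipheriv("aes-256-gcm", key, iv);
  const data = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv: iv.toString("hex"), tag: c.getAuthTag().toString("hex"), data: data.toString("hex") };
}

function decryptSecret(key: Buffer, s: EncryptedSecret): string {
  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(s.iv, "hex"));
  d.setAuthTag(Buffer.from(s.tag, "hex")); // GCM tag check: any tampering makes final() throw
  return Buffer.concat([d.update(Buffer.from(s.data, "hex")), d.final()]).toString("utf8");
}

function hostMatches(pattern: string, host: string): boolean {
  if (!pattern.startsWith("*.")) return pattern === host;
  const suffix = pattern.slice(1); // ".example.com"
  return host.endsWith(suffix) && host.length > suffix.length; // bare apex does not match
}

function matchRule(rules: SecretRule[], url: string): SecretRule | undefined {
  const u = new URL(url);
  return rules.find(r => hostMatches(r.host, u.hostname) && u.pathname.startsWith(r.pathPrefix));
}

// Returns a copy of the outbound headers with the placeholder swapped for the decrypted value.
// Requests matching no rule, or carrying no placeholder, pass through untouched.
function injectCredentials(key: Buffer, rules: SecretRule[], url: string,
                           headers: Record<string, string>): Record<string, string> {
  const out = { ...headers };
  const rule = matchRule(rules, url);
  if (!rule) return out;
  const current = out[rule.header];
  if (current !== undefined && current.includes(rule.placeholder)) {
    out[rule.header] = current.replace(rule.placeholder, decryptSecret(key, rule.secret));
  }
  return out;
}
```

Because decryption happens inside injectCredentials only after the host and path rule matches, a request to an unmatched host leaves the placeholder in place and the real key is never produced for it.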

Quick Start

The fastest way to run OneCLI locally:

git clone https://github.com/onecli/onecli.git
cd onecli
docker compose -f docker/docker-compose.yml up

Open http://localhost:10254, create an agent, add your secrets, and point your agent’s HTTP gateway to localhost:10255.

Features

  • Transparent credential injection: agents make normal HTTP calls, the gateway handles auth
  • Encrypted secret storage: AES-256-GCM encryption at rest, decrypted only at request time
  • Host & path matching: route secrets to the right API endpoints with pattern matching
  • Multi-agent support: each agent gets its own access token with scoped permissions
  • Easy setup: docker compose -f docker/docker-compose.yml up starts everything (app + PostgreSQL)
  • Two auth modes: single-user (no login) for local use, or Google OAuth for teams
  • Rust gateway: fast, memory-safe HTTP gateway with MITM interception for HTTPS
  • Vault integration: connect Bitwarden (or other password managers) for on-demand credential injection without storing secrets on the server

Project Structure

apps/
  web/            # Next.js app (dashboard + API, port 10254)
  gateway/        # Rust gateway (credential injection, port 10255)
packages/
  db/             # Prisma ORM + migrations
  ui/             # Shared UI components (shadcn/ui)
docker/
  Dockerfile      # App image (gateway + web)
  docker-compose.yml

Local Development

Prerequisites

  • mise (installs Node.js, pnpm, and other tools)
  • Rust (for the gateway)
  • Docker (for PostgreSQL)

Setup

mise install
pnpm install
cp .env.example .env
pnpm db:generate
pnpm db:up          # Start PostgreSQL
pnpm db:migrate     # Apply migrations
pnpm dev

Dashboard at http://localhost:10254, gateway at http://localhost:10255.

Commands

Command            Description
pnpm dev           Start web + gateway in dev mode
pnpm build         Production build
pnpm check         Lint + types + format
pnpm db:up         Start PostgreSQL (Docker)
pnpm db:down       Stop PostgreSQL
pnpm db:generate   Generate Prisma client
pnpm db:migrate    Run database migrations
pnpm db:studio     Open Prisma Studio

Configuration

All environment variables are optional for local development:

Variable                Description                          Default
DATABASE_URL            PostgreSQL connection string         See .env.example
NEXTAUTH_SECRET         Enables Google OAuth (multi-user)    Single-user mode
GOOGLE_CLIENT_ID        Google OAuth client ID
GOOGLE_CLIENT_SECRET    Google OAuth client secret
SECRET_ENCRYPTION_KEY   AES-256-GCM encryption key           Auto-generated

Contributing

We welcome contributions! Please read our Contributing Guide and Code of Conduct before getting started.

License

Apache-2.0