{"id":47358667,"url":"https://github.com/onecli/onecli","last_synced_at":"2026-04-27T16:00:50.058Z","repository":{"id":343973721,"uuid":"1175900220","full_name":"onecli/onecli","owner":"onecli","description":"Open-source credential vault, give your AI agents access to services without exposing keys.","archived":false,"fork":false,"pushed_at":"2026-04-22T10:38:05.000Z","size":5164,"stargazers_count":1852,"open_issues_count":18,"forks_count":92,"subscribers_count":8,"default_branch":"main","last_synced_at":"2026-04-22T12:34:13.488Z","etag":null,"topics":["ai-agents","cli","mcp","nanoclaw","nodejs","openclaw","postgres","rust","secret-management","security","security-tools","vault"],"latest_commit_sha":null,"homepage":"https://onecli.sh","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/onecli.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-08T10:38:52.000Z","updated_at":"2026-04-22T11:37:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/onecli/onecli","commit_stats":null,"previous_names":["onecli/onecli"],"tags_count":44,"template":false,"template_full_name":null,"purl":"pkg:github/onecli/onecli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onecli%2Fonecli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onecli%2Fonecli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onecli%2Fonecli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onecli%2Fonecli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/onecli","download_url":"https://codeload.github.com/onecli/onecli/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onecli%2Fonecli/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32343571,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","cli","mcp","nanoclaw","nodejs","openclaw","postgres","rust","secret-management","security","security-tools","vault"],"created_at":"2026-03-18T11:00:40.771Z","updated_at":"2026-04-27T16:00:50.053Z","avatar_url":"https://github.com/onecli.png","language":"TypeScript","readme":"\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"assets/onecli-logo-dark.gif\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"assets/onecli-logo-light.gif\"\u003e\n  \u003cimg alt=\"OneCLI\" src=\"assets/onecli-logo-light.gif\" width=\"100%\"\u003e\n\u003c/picture\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003eThe secret vault for AI agents.\u003c/b\u003e\u003cbr/\u003e\n  Store once. Inject anywhere. Agents never see the keys.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://onecli.sh\"\u003eWebsite\u003c/a\u003e \u0026middot;\n  \u003ca href=\"https://onecli.sh/docs\"\u003eDocs\u003c/a\u003e \u0026middot;\n  \u003ca href=\"https://discord.gg/PSztzsQB3g\"\u003eDiscord\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"assets/onecli-flow-dark.gif\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"assets/onecli-flow-light.gif\"\u003e\n  \u003cimg alt=\"How OneCLI works\" src=\"assets/onecli-flow-light.gif\" width=\"100%\"\u003e\n\u003c/picture\u003e\n\n## What is OneCLI?\n\nOneCLI is an open-source gateway that sits between your AI agents and the services they call. Instead of baking API keys into every agent, you store credentials once in OneCLI and the gateway injects them transparently. Agents never see the secrets.\n\n**Why we built it:** AI agents need to call dozens of APIs, but giving each agent raw credentials is a security risk. OneCLI solves this with a single gateway that handles auth, so you get one place to manage access, rotate keys, and see what every agent is doing.\n\n**How it works:** You store your real API credentials in OneCLI and give your agents placeholder keys (e.g. `FAKE_KEY`). When an agent makes an HTTP call through the gateway, the OneCLI gateway matches the request to the right credentials, swaps the `FAKE_KEY` for the `REAL_KEY`, decrypts them, and injects them into the outbound request. The agent never touches the real secrets. It just makes normal HTTP calls and the gateway handles the swap.\n\n## Architecture\n\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"assets/onecli-architecture-dark.svg\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"assets/onecli-architecture-light.svg\"\u003e\n  \u003cimg alt=\"OneCLI Architecture\" src=\"assets/onecli-architecture-dark.svg\" width=\"100%\"\u003e\n\u003c/picture\u003e\n\n- **[Rust Gateway](apps/gateway)**: fast HTTP gateway that intercepts outbound requests and injects credentials. Agents authenticate with access tokens via `Proxy-Authorization` headers.\n- **[Web Dashboard](apps/web)**: Next.js app for managing agents, secrets, and permissions. Provides the API the gateway uses to resolve which credentials to inject for each request.\n- **Secret Store**: AES-256-GCM encrypted credential storage. Secrets are decrypted only at request time, matched by host and path patterns, and injected by the gateway as headers.\n\n## Quick Start\n\nThe fastest way to run OneCLI locally:\n\n```bash\ncurl -fsSL https://onecli.sh/install | sh\n```\n\nOr, if you prefer to run it manually:\n\n```bash\ngit clone https://github.com/onecli/onecli.git\ncd onecli\ndocker compose -f docker/docker-compose.yml up -d --wait\n```\n\nOpen **http://localhost:10254**, create an agent, add your secrets, and point your agent's HTTP gateway to `localhost:10255`.\n\n## Features\n\n- **Transparent credential injection**: agents make normal HTTP calls, the gateway handles auth\n- **Encrypted secret storage**: AES-256-GCM encryption at rest, decrypted only at request time\n- **Host \u0026 path matching**: route secrets to the right API endpoints with pattern matching\n- **Multi-agent support**: each agent gets its own access token with scoped permissions\n- **Easy setup**: `curl -fsSL https://onecli.sh/install | sh` starts everything (app + PostgreSQL)\n- **Two auth modes**: single-user (no login) for local use, or Google OAuth for teams\n- **Rust gateway**: fast, memory-safe HTTP gateway with MITM interception for HTTPS\n- **[Vault integration](docs/vault-integration.md)**: connect Bitwarden (or other password managers) for on-demand credential injection without storing secrets on the server\n\n## Project Structure\n\n```\napps/\n  web/            # Next.js app (dashboard + API, port 10254)\n  gateway/        # Rust gateway (credential injection, port 10255)\npackages/\n  db/             # Prisma ORM + migrations\n  ui/             # Shared UI components (shadcn/ui)\ndocker/\n  Dockerfile      # App image (gateway + web)\n  docker-compose.yml\n```\n\n## Local Development\n\n### Prerequisites\n\n- **[mise](https://mise.jdx.dev)** (installs Node.js, pnpm, and other tools)\n- **Rust** (for the gateway)\n- **Docker** (for PostgreSQL)\n\n### Setup\n\n```bash\nmise install\npnpm install\ncp .env.example .env\npnpm db:generate\npnpm db:up          # Start PostgreSQL\npnpm db:migrate     # Apply migrations\npnpm dev\n```\n\nDashboard at **http://localhost:10254**, gateway at **http://localhost:10255**.\n\n### Commands\n\n| Command            | Description                     |\n| ------------------ | ------------------------------- |\n| `pnpm dev`         | Start web + gateway in dev mode |\n| `pnpm build`       | Production build                |\n| `pnpm check`       | Lint + types + format           |\n| `pnpm db:up`       | Start PostgreSQL (Docker)       |\n| `pnpm db:down`     | Stop PostgreSQL                 |\n| `pnpm db:generate` | Generate Prisma client          |\n| `pnpm db:migrate`  | Run database migrations         |\n| `pnpm db:studio`   | Open Prisma Studio              |\n\n## Configuration\n\nAll environment variables are optional for local development:\n\n| Variable                | Description                       | Default            |\n| ----------------------- | --------------------------------- | ------------------ |\n| `DATABASE_URL`          | PostgreSQL connection string      | See `.env.example` |\n| `NEXTAUTH_SECRET`       | Enables Google OAuth (multi-user) | Single-user mode   |\n| `GOOGLE_CLIENT_ID`      | Google OAuth client ID            | —                  |\n| `GOOGLE_CLIENT_SECRET`  | Google OAuth client secret        | —                  |\n| `SECRET_ENCRYPTION_KEY` | AES-256-GCM encryption key        | Auto-generated     |\n\n## Contributing\n\nWe welcome contributions! Please read our [Contributing Guide](CONTRIBUTING.md) and [Code of Conduct](CODE_OF_CONDUCT.md) before getting started.\n\n## License\n\n[Apache-2.0](LICENSE)\n","funding_links":[],"categories":["Securing AI SaaS","Trending Repos — 19 March 2026","[↑](#table-of-contents)Tools \u003ca name=\"tools\"\u003e\u003c/a\u003e","Security","Defense \u0026 Security Controls","Building","Harnesses \u0026 orchestration"],"sub_categories":["Tools","Credential Isolation \u0026 Agent Access Control","Security Tools","Agent Runtime Security \u0026 Sandboxing","Security","Agent infrastructure"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fonecli%2Fonecli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fonecli%2Fonecli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fonecli%2Fonecli/lists"}