A proxy that lies to your AI agents (for their own good)
OneCLI is an open-source credential gateway that lets AI agents call APIs without ever seeing real keys.

What it does
OneCLI sits between your AI agents and the outside world. You store real API credentials in its encrypted vault, hand your agents placeholder keys like FAKE_KEY, and the Rust gateway swaps them for the real thing at request time. Agents make normal HTTP calls; the gateway handles auth via Proxy-Authorization headers and injects secrets matched by host and path patterns.
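The swap described above, sketched as an added example in Rust (the gateway's language). It is not OneCLI's code, and the Rule fields, the "*." and "/*" pattern syntax and the sample key are assumptions. It shows why matching on host and path matters: the placeholder is replaced only for a destination a rule covers, so a request sent anywhere else still carries nothing but FAKE_KEY.

```rust
// Added example, not OneCLI's code. Pattern syntax and all values are assumptions.
struct Rule {
    host: &'static str,        // lowercase exact host, or "*.suffix" for subdomains
    path: &'static str,        // exact path, or a prefix ending in "/*"
    placeholder: &'static str, // value the agent holds
    secret: &'static str,      // value the upstream API expects (constructed)
}

fn host_matches(pattern: &str, host: &str) -> bool {
    let host = host.to_ascii_lowercase(); // hostnames are case-insensitive
    match pattern.strip_prefix("*.") {
        // Require a label boundary: "evil-example.com" must not match "*.example.com".
        Some(suffix) => host.ends_with(&format!(".{}", suffix)),
        None => host == pattern,
    }
}

fn path_matches(pattern: &str, path: &str) -> bool {
    // Dot segments are not resolved here, so refuse them rather than guess.
    if path.split('/').any(|seg| seg == "..") {
        return false;
    }
    match pattern.strip_suffix("/*") {
        Some(prefix) => path.starts_with(&format!("{}/", prefix)),
        None => path == pattern,
    }
}

/// Returns the Authorization value to send upstream.
/// A request that no rule covers keeps the placeholder, so no secret leaves the vault.
fn inject(rules: &[Rule], host: &str, path: &str, auth: &str) -> String {
    for r in rules {
        if host_matches(r.host, host) && path_matches(r.path, path) {
            return auth.replace(r.placeholder, r.secret);
        }
    }
    auth.to_string()
}

fn sample_rules() -> Vec<Rule> {
    vec![Rule { host: "api.example.com", path: "/v1/*", placeholder: "FAKE_KEY", secret: "REAL_KEY_constructed" }]
}

fn main() {
    let rules = sample_rules();
    for (h, p) in [("api.example.com", "/v1/chat"), ("evil.test", "/v1/chat")] {
        println!("{}{} -> {}", h, p, inject(&rules, h, p, "Bearer FAKE_KEY"));
    }
}
```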
The interesting bit
The architecture is split: a Next.js dashboard for managing agents and permissions, and a Rust gateway for the actual interception and injection. The README notes MITM interception for HTTPS, which is doing the heavy lifting to make this transparent — and the Bitwarden integration means you can avoid storing secrets on the server entirely if you prefer.
Key highlights
- AES-256-GCM encryption at rest, decrypted only at request time
- Host and path pattern matching routes credentials to specific endpoints
- Per-agent access tokens with scoped permissions
- Single-user mode for local dev, Google OAuth for teams
- One-liner install via: curl -fsSL https://onecli.sh/install | sh
Caveats
- Requires running PostgreSQL and two ports (10254 for web, 10255 for gateway)
- The “fast” and “memory-safe” claims for the Rust gateway are in the README but no benchmarks are provided
- HTTPS MITM interception is mentioned but not deeply explained; operational details are unclear
Verdict
Worth a look if you’re running multiple AI agents against paid APIs and tired of key sprawl. Skip it if your agents are internal-only or you already have a secrets manager with proxy support.