clavitor/docs/COMPETITIVE-ONECLI.md


# Competitive Analysis: OneCLI vs Clavitor
*Analyzed: March 25, 2026*

---
## What is OneCLI?
OneCLI is an open-source credential proxy for AI agents, launched March 2026. It gained quick traction (600+ GitHub stars, Hacker News front page) by positioning itself as "easier than HashiCorp Vault."
**Core mechanic:** Agents set `HTTP_PROXY=http://localhost:10255`. OneCLI intercepts HTTPS traffic via MITM (installs a local CA cert), detects the destination host, injects the stored credential as a header, and forwards the request. The agent never sees the raw API key.
**Example:**
```bash
# Agent does this (no auth header):
curl --proxy http://localhost:10255 \
  "https://api.cloudflare.com/client/v4/accounts/.../tokens/verify"
# OneCLI intercepts, adds:
# Authorization: Bearer <stored-cloudflare-token>
# Then forwards to Cloudflare
```
---
## Architecture
| Component | Technology |
|-----------|------------|
| Gateway/Proxy | Rust (Tokio, Hyper, rustls) |
| Dashboard | Next.js 15 + TypeScript |
| Database | PostgreSQL / PGlite (embedded) |
| ORM | Prisma |
| Encryption | AES-256-GCM (ring crate) |
| Bitwarden Integration | Official Agent Access SDK, Noise protocol |
**Two-port design:**
- Port 10254: Web dashboard
- Port 10255: HTTPS proxy gateway
**Bitwarden integration (well-designed):**
- Fetches credentials on-demand by hostname — NOT a full vault sync
- Decryption happens in the Bitwarden desktop app
- Credentials flow via Noise-encrypted channel (end-to-end encrypted)
- OneCLI never stores the master password or vault contents
- Individual credentials cached in memory for 60 seconds, then evicted
- Sessions idle-evict after 30 minutes
---
## What OneCLI Does Well
1. **Zero-code integration** — `HTTP_PROXY` works with any agent framework immediately
2. **Bitwarden integration** — genuinely well-engineered using official SDK + Noise protocol
3. **Fast onboarding** — `docker run` and operational quickly
4. **Host/path scoped credentials** — blast radius limiting per credential
5. **MITM TLS with dynamic cert generation** — technically solid Rust implementation
6. **Open source (Apache-2.0)** — community trust, auditability
---
## The Fundamental Problem OneCLI Cannot Solve
### The LLM doesn't know what the proxy will do
OneCLI has no mechanism to inform the LLM what credentials are available, what services they cover, or what the proxy will inject. For a truly autonomous agent this breaks completely:
- The agent has no way to discover "I have Cloudflare credentials available"
- The LLM must already know to make unauthenticated requests to specific hosts
- In practice, only works for hardcoded API calls — not autonomous agents
### Credential theft prevention ≠ access control
OneCLI prevents an agent from *seeing* the raw API key. It does **not** prevent the agent from *using* it. A compromised or prompt-injected agent can still:
- Delete DNS records
- Charge your credit card via Stripe
- Send emails
- Purge your CDN cache
- Call any API endpoint the credential allows
The agent has full account access. It just can't exfiltrate the key string. **This is security theater for the actual threat model of 2026 AI agents.**
### Regex cannot solve intent
OneCLI's policy rules are host/path pattern matching. "Is this agent allowed to delete DNS records or just read them?" cannot be answered by matching URL patterns. You need to understand what the request *does* in context, against a policy written in plain language.
Solving this properly requires an LLM inside the policy engine — which OneCLI is not designed for and cannot add without a fundamental architectural overhaul.
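To make the two points above concrete (the header-injection mechanic described at the top of the page, and the limits of host/path pattern matching), here is an added example in Go. It is not OneCLI's or Clavitor's code: the `Credential` schema, the Cloudflare-style DNS-record path and the token value are constructed for the demonstration, and TLS interception (the part that needs OneCLI's CA certificate) is left out so the mechanic can be exercised over plain HTTP with `httptest`. Running `Scenario` shows the gap: with a path-only scope the proxy injects the stored key for both `GET` and `DELETE` on the same DNS-record path, so a prompt-injected agent can delete records without ever seeing the key. Adding the method to the scope blocks the `DELETE`, but that only helps where the API expresses the action in method and path; APIs that carry the action in a request body or query parameter look identical to a host/path/method rule, which is the intent problem the section describes.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Credential is a constructed, hypothetical record: a stored API key scoped to a host,
// a path pattern and optionally a set of HTTP methods. Not OneCLI's or Clavitor's schema.
type Credential struct {
	Host    string
	PathPat string   // path.Match pattern, e.g. "/client/v4/zones/*/dns_records/*"
	Methods []string // nil means any method is in scope
	Header  string
	Value   string
}

// Evaluate is the host/path/method pattern check the page describes: it answers
// "does this request match a scope?" and knows nothing about what the call does.
func Evaluate(creds []Credential, method, host, reqPath string) (*Credential, string) {
	for i := range creds {
		c := &creds[i]
		if ok, _ := path.Match(c.PathPat, reqPath); c.Host != host || !ok {
			continue
		}
		if c.Methods != nil && !contains(c.Methods, method) {
			return nil, "denied: method not in credential scope"
		}
		return c, "allowed: host/path scope matched"
	}
	return nil, "denied: no credential scoped to this host/path"
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// NewInjectingProxy mimics the injection step: take the destination from the Host header
// (what a forward proxy sees), apply the policy, add the stored header, forward upstream.
func NewInjectingProxy(creds []Credential, upstream string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cred, reason := Evaluate(creds, r.Method, r.Host, r.URL.Path)
		if cred == nil {
			http.Error(w, reason, http.StatusForbidden)
			return
		}
		out, err := http.NewRequest(r.Method, upstream+r.URL.RequestURI(), r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		out.Header = r.Header.Clone()
		out.Header.Set(cred.Header, cred.Value) // the agent never supplied or saw this value
		resp, err := http.DefaultTransport.RoundTrip(out)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		for k, v := range resp.Header {
			w.Header()[k] = v
		}
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// Scenario sends GET and DELETE for one DNS-record path through the proxy, once with a
// path-only scope and once with a GET-only scope. The constructed upstream echoes the
// Authorization header it received in X-Seen-Authorization only so the result is observable.
// Keys are "<METHOD> <scope>"; values are what the upstream saw or the proxy's denial reason.
func Scenario() map[string]string {
	const token = "Bearer cf-token-CONSTRUCTED" // placeholder, not a real credential
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-Authorization", r.Header.Get("Authorization"))
	}))
	defer upstream.Close()
	base := Credential{Host: "api.cloudflare.com", PathPat: "/client/v4/zones/*/dns_records/*",
		Header: "Authorization", Value: token}
	readOnly := base
	readOnly.Methods = []string{"GET"}
	results := map[string]string{}
	for name, cred := range map[string]Credential{"path-only": base, "GET-only": readOnly} {
		proxy := httptest.NewServer(NewInjectingProxy([]Credential{cred}, upstream.URL))
		for _, method := range []string{"GET", "DELETE"} {
			req, _ := http.NewRequest(method, proxy.URL+"/client/v4/zones/z1/dns_records/r1", nil)
			req.Host = "api.cloudflare.com" // destination host as a forward proxy would see it
			resp, err := http.DefaultClient.Do(req)
			if err != nil {
				results[method+" "+name] = err.Error()
				continue
			}
			body, _ := io.ReadAll(resp.Body)
			resp.Body.Close()
			if resp.StatusCode == http.StatusForbidden {
				results[method+" "+name] = strings.TrimSpace(string(body))
			} else {
				results[method+" "+name] = "upstream saw " + resp.Header.Get("X-Seen-Authorization")
			}
		}
		proxy.Close()
	}
	return results
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-18s %s\n", k, v)
	}
}
```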

---
## Gaps and Weaknesses
| Gap | Impact |
|-----|--------|
| No FIPS 140-3 validation | Cannot sell to government, healthcare, finance |
| No HSM support | Keys are software-only, no hardware protection |
| No dynamic secrets | Static credentials only, no rotation, no TTL |
| No OAuth 2.0 management | Cannot handle expiring service tokens |
| No audit logging | No compliance trail (open GitHub issue #54) |
| No secret versioning | Overwrite only, no rollback |
| No CLI | Web-only management, no infrastructure-as-code |
| No HA/replication | Single point of failure |
| No native apps | Web dashboard only — no iOS, Android, macOS, Windows, browser extension |
| Requires CA cert installation | Operational burden in every agent container |
| Requires Docker | Not truly dead-simple for individual developers |
| No agent discovery | LLM cannot learn what credentials are available |
| No intent-based policy | Pattern matching cannot understand semantic meaning of API calls |
| Single encryption key | No key hierarchy, no envelope encryption, no rotation |
**Security notes from code review:**
- `SECRET_ENCRYPTION_KEY` is a single env var — no key hierarchy
- CA private key stored on disk at `~/.local/share/onecli/gateway/ca.key`
- No key rotation mechanism
---
## Where Clavitor Wins
### Architecture
Clavitor is a **vault**, not a proxy. Agents query for credentials explicitly via authenticated API calls. No traffic interception, no CA cert installation, no MITM. Standard HTTPS.
```bash
# Clavitor: agent explicitly requests what it needs
curl -H "Authorization: Bearer <agent-token>" \
"https://vault.clavitor.com/v1/secret/cloudflare-token"
```
### The MCP angle — agent discovery
Expose the vault as an MCP server. Agent calls `list_credentials` and receives: "you have access to: Cloudflare (DNS, zones), Gemini (text generation), GitHub (repos)." The agent knows what tools it has. This is what OneCLI fundamentally cannot offer.
### LLM-in-the-proxy for intent-based policy
The future of credential security is semantic policy evaluation:
- "This agent may read DNS records but not modify them"
- "This agent may send emails but only to addresses in the approved list"
- "This agent may charge up to $50/day via Stripe"
This requires an LLM evaluating intent at request time. Nobody has built this. Clavitor should.
### Feature comparison
| Feature | OneCLI | Clavitor |
|---------|--------|----------|
| FIPS 140-3 | ❌ | ✅ |
| HSM support | ❌ | ✅ |
| Dynamic secrets | ❌ | ✅ |
| OAuth 2.0 management | ❌ | ✅ |
| Audit logging | ❌ | ✅ |
| iOS / Android app | ❌ | ✅ |
| macOS / Windows app | ❌ | ✅ |
| Browser extension | ❌ | ✅ |
| Single binary, no Docker | ❌ | ✅ |
| MCP server (agent discovery) | ❌ | ✅ |
| Intent-based policy (LLM) | ❌ | ✅ (roadmap) |
| SSH keys | ❌ | ✅ |
| TOTP | ❌ | ✅ |
| Secure notes | ❌ | ✅ |
| Secret versioning | ❌ | ✅ |
| No CA cert required | ❌ | ✅ |
---
## Competitive Positioning
**OneCLI owns:** "Easier than Vault for developers who just want to stop putting API keys in .env files"
**Clavitor owns:** "The credential infrastructure for agentic systems that actually controls what agents can do"
**The handoff moment:** When a team using OneCLI hits SOC2, ISO 27001, a healthcare customer, or their first prompt-injection incident — they need Clavitor.

---
## Threat Assessment
**Threat level: MEDIUM**
**Why not higher:**
- Single founder + 1 contributor — bus factor risk
- No enterprise sales motion, no security certifications
- MITM architecture is fundamentally wrong for security-conscious enterprises
- Cannot solve the LLM-awareness problem without architectural overhaul
**Why not lower:**
- Fast developer traction, capturing mindshare
- Bitwarden partnership is a real differentiator for their target market
- Apache-2.0 means Bitwarden, 1Password, or a cloud provider could fork and bundle it
- 600 stars in weeks — community is forming
**Watch for:** Bitwarden acquisition interest. If Bitwarden buys OneCLI and bundles it into their product, they instantly have distribution to millions of users.

---
## Where Clavitor is Ahead of OneCLI
### Credential Types
OneCLI supports **API keys only** — injected as HTTP headers. Nothing else.
Clavitor supports:
- **API keys** — stored, versioned, rotatable
- **SSH keys** — ed25519/RSA keypairs, agent-forwarded auth
- **Secure notes** — encrypted freeform text (passwords, connection strings, anything)
- **TOTP** — generate 2FA codes on demand for agents authenticating to human-facing services
An agent that needs to SSH into a server, authenticate to a 2FA-protected admin panel, or retrieve a database connection string — OneCLI cannot help. Clavitor can.
### Security Model
OneCLI prevents credential **theft**. A compromised agent cannot steal the raw API key.
Clavitor prevents credential **abuse**. A compromised agent cannot use a credential it wasn't explicitly granted. Every access is authenticated, authorized, and audited.
### No CA Cert Required
OneCLI requires installing a custom CA certificate in every agent container to enable MITM. This breaks standard TLS trust chains and adds operational burden at every deployment.
Clavitor uses standard HTTPS. No CA cert. No trust chain modification. Works with any HTTP client out of the box.
### Single Binary
OneCLI requires Docker (or a Node.js + Rust build environment). Clavitor ships as a single Go binary — download, `chmod +x`, run. No container runtime, no compose files, no dependencies.
### FIPS 140-3
OneCLI uses AES-256-GCM via the Rust `ring` crate — not FIPS validated. Cannot be deployed in government, healthcare (HIPAA), or financial (PCI-DSS) environments.
Clavitor is built FIPS-first. This unlocks entire regulated market segments OneCLI cannot touch.
### Agent Discoverability (MCP)
OneCLI has no mechanism for an LLM to discover what credentials are available. The agent must already know what APIs it has access to.
Clavitor exposes credentials as an MCP server — agents call `list_credentials` and receive structured capability information. Autonomous agents can self-configure based on what the vault grants them.
### Intent-Based Policy (Roadmap)
OneCLI policies are regex pattern matching on host/path/method. Cannot distinguish "read DNS record" from "delete DNS record" without explicit path enumeration.
Clavitor's policy engine evaluates semantic intent using an embedded LLM. Plain-language policies: *"this agent may read but not modify"*, *"charge up to $50/day"*. This is the architectural moat nobody else has.

---
## Related Competitors to Analyze
- **Aembit** — enterprise agent identity platform (blended human+agent identity)
- **HashiCorp Vault** — enterprise secret management (complex, expensive)
- **1Password Secrets Automation** — credential injection for CI/CD
- **Infisical** — open-source secret management
- **Doppler** — developer-focused secret management