Competitive Analysis: OneCLI vs Clavitor

Analyzed: March 25, 2026


What is OneCLI?

OneCLI is an open-source credential proxy for AI agents, launched March 2026. It gained quick traction (600+ GitHub stars, Hacker News front page) by positioning itself as "easier than HashiCorp Vault."

Core mechanic: Agents set HTTP_PROXY=http://localhost:10255. OneCLI intercepts HTTPS traffic via MITM (installs a local CA cert), detects the destination host, injects the stored credential as a header, and forwards the request. The agent never sees the raw API key.

Example:

# Agent does this (no auth header):
curl --proxy http://localhost:10255 \
  "https://api.cloudflare.com/client/v4/accounts/.../tokens/verify"

# OneCLI intercepts, adds:
# Authorization: Bearer <stored-cloudflare-token>
# Then forwards to Cloudflare

Architecture

| Component | Technology |
|---|---|
| Gateway/Proxy | Rust (Tokio, Hyper, rustls) |
| Dashboard | Next.js 15 + TypeScript |
| Database | PostgreSQL / PGlite (embedded) |
| ORM | Prisma |
| Encryption | AES-256-GCM (ring crate) |
| Bitwarden Integration | Official Agent Access SDK, Noise protocol |

Two-port design:

  • Port 10254: Web dashboard
  • Port 10255: HTTPS proxy gateway

Bitwarden integration (well-designed):

  • Fetches credentials on-demand by hostname — NOT a full vault sync
  • Decryption happens in the Bitwarden desktop app
  • Credentials flow via Noise-encrypted channel (end-to-end encrypted)
  • OneCLI never stores the master password or vault contents
  • Individual credentials cached in memory for 60 seconds, then evicted
  • Sessions idle-evict after 30 minutes

What OneCLI Does Well

  1. Zero-code integration: HTTP_PROXY works with any agent framework immediately
  2. Bitwarden integration — genuinely well-engineered using official SDK + Noise protocol
  3. Fast onboarding: docker run and operational quickly
  4. Host/path scoped credentials — blast radius limiting per credential
  5. MITM TLS with dynamic cert generation — technically solid Rust implementation
  6. Open source (Apache-2.0) — community trust, auditability

The Fundamental Problem OneCLI Cannot Solve

The LLM doesn't know what the proxy will do

OneCLI has no mechanism to inform the LLM what credentials are available, what services they cover, or what the proxy will inject. For a truly autonomous agent this breaks completely:

  • The agent has no way to discover "I have Cloudflare credentials available"
  • The LLM must already know to make unauthenticated requests to specific hosts
  • In practice, only works for hardcoded API calls — not autonomous agents

Credential theft prevention ≠ access control

OneCLI prevents an agent from seeing the raw API key. It does not prevent the agent from using it. A compromised or prompt-injected agent can still:

  • Delete DNS records
  • Charge your credit card via Stripe
  • Send emails
  • Purge your CDN cache
  • Call any API endpoint the credential allows

The agent has full account access. It just can't exfiltrate the key string. This is security theater for the actual threat model of 2026 AI agents.

Regex cannot solve intent

OneCLI's policy rules are host/path pattern matching. "Is this agent allowed to delete DNS records or just read them?" cannot be answered by matching URL patterns. You need to understand what the request does in context, against a policy written in plain language.

Solving this properly requires an LLM inside the policy engine — which OneCLI is not designed for and cannot add without a fundamental architectural overhaul.


Gaps and Weaknesses

| Gap | Impact |
|---|---|
| No FIPS 140-3 validation | Cannot sell to government, healthcare, finance |
| No HSM support | Keys are software-only, no hardware protection |
| No dynamic secrets | Static credentials only, no rotation, no TTL |
| No OAuth 2.0 management | Cannot handle expiring service tokens |
| No audit logging | No compliance trail (open GitHub issue #54) |
| No secret versioning | Overwrite only, no rollback |
| No CLI | Web-only management, no infrastructure-as-code |
| No HA/replication | Single point of failure |
| No native apps | Web dashboard only — no iOS, Android, macOS, Windows, browser extension |
| Requires CA cert installation | Operational burden in every agent container |
| Requires Docker | Not truly dead-simple for individual developers |
| No agent discovery | LLM cannot learn what credentials are available |
| No intent-based policy | Pattern matching cannot understand semantic meaning of API calls |
| Single encryption key | No key hierarchy, no envelope encryption, no rotation |

Security notes from code review:

  • SECRET_ENCRYPTION_KEY is a single env var — no key hierarchy
  • CA private key stored on disk at ~/.local/share/onecli/gateway/ca.key
  • No key rotation mechanism

Where Clavitor Wins

Architecture

Clavitor is a vault, not a proxy. Agents query for credentials explicitly via authenticated API calls. No traffic interception, no CA cert installation, no MITM. Standard HTTPS.

# Clavitor: agent explicitly requests what it needs
curl -H "Authorization: Bearer <agent-token>" \
  "https://vault.clavitor.com/v1/secret/cloudflare-token"

The MCP angle — agent discovery

Expose the vault as an MCP server. Agent calls list_credentials and receives: "you have access to: Cloudflare (DNS, zones), Gemini (text generation), GitHub (repos)." The agent knows what tools it has. This is what OneCLI fundamentally cannot offer.

LLM-in-the-proxy for intent-based policy

The future of credential security is semantic policy evaluation:

  • "This agent may read DNS records but not modify them"
  • "This agent may send emails but only to addresses in the approved list"
  • "This agent may charge up to $50/day via Stripe"

This requires an LLM evaluating intent at request time. Nobody has built this. Clavitor should.

Feature comparison

Feature OneCLI Clavitor
FIPS 140-3
HSM support
Dynamic secrets
OAuth 2.0 management
Audit logging
iOS / Android app
macOS / Windows app
Browser extension
Single binary, no Docker
MCP server (agent discovery)
Intent-based policy (LLM) (roadmap)
SSH keys
TOTP
Secure notes
Secret versioning
No CA cert required

Competitive Positioning

OneCLI owns: "Easier than Vault for developers who just want to stop putting API keys in .env files"

Clavitor owns: "The credential infrastructure for agentic systems that actually controls what agents can do"

The handoff moment: When a team using OneCLI hits SOC2, ISO 27001, a healthcare customer, or their first prompt-injection incident — they need Clavitor.


Threat Assessment

Threat level: MEDIUM

Why not higher:

  • Single founder + 1 contributor — bus factor risk
  • No enterprise sales motion, no security certifications
  • MITM architecture is fundamentally wrong for security-conscious enterprises
  • Cannot solve the LLM-awareness problem without architectural overhaul

Why not lower:

  • Fast developer traction, capturing mindshare
  • Bitwarden partnership is a real differentiator for their target market
  • Apache-2.0 means Bitwarden, 1Password, or a cloud provider could fork and bundle it
  • 600 stars in weeks — community is forming

Watch for: Bitwarden acquisition interest. If Bitwarden buys OneCLI and bundles it into their product, they instantly have distribution to millions of users.


Where Clavitor is Ahead of OneCLI

Credential Types

OneCLI supports API keys only — injected as HTTP headers. Nothing else.

Clavitor supports:

  • API keys — stored, versioned, rotatable
  • SSH keys — ed25519/RSA keypairs, agent-forwarded auth
  • Secure notes — encrypted freeform text (passwords, connection strings, anything)
  • TOTP — generate 2FA codes on demand for agents authenticating to human-facing services

An agent that needs to SSH into a server, authenticate to a 2FA-protected admin panel, or retrieve a database connection string — OneCLI cannot help. Clavitor can.

Security Model

OneCLI prevents credential theft. A compromised agent cannot steal the raw API key.

Clavitor prevents credential abuse. A compromised agent cannot use a credential it wasn't explicitly granted. Every access is authenticated, authorized, and audited.

No CA Cert Required

OneCLI requires installing a custom CA certificate in every agent container to enable MITM. This breaks standard TLS trust chains and adds operational burden at every deployment.

Clavitor uses standard HTTPS. No CA cert. No trust chain modification. Works with any HTTP client out of the box.

Single Binary

OneCLI requires Docker (or a Node.js + Rust build environment). Clavitor ships as a single Go binary — download, chmod +x, run. No container runtime, no compose files, no dependencies.

FIPS 140-3

OneCLI uses AES-256-GCM via the Rust ring crate — not FIPS validated. Cannot be deployed in government, healthcare (HIPAA), or financial (PCI-DSS) environments.

Clavitor is built FIPS-first. This unlocks entire regulated market segments OneCLI cannot touch.

Agent Discoverability (MCP)

OneCLI has no mechanism for an LLM to discover what credentials are available. The agent must already know what APIs it has access to.

Clavitor exposes credentials as an MCP server — agents call list_credentials and receive structured capability information. Autonomous agents can self-configure based on what the vault grants them.

Intent-Based Policy (Roadmap)

OneCLI policies are regex pattern matching on host/path/method. Cannot distinguish "read DNS record" from "delete DNS record" without explicit path enumeration.

Clavitor's policy engine evaluates semantic intent using an embedded LLM. Plain-language policies: "this agent may read but not modify", "charge up to $50/day". This is the architectural moat nobody else has.
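
The limit of host/path/method matching described in this section and under "Regex cannot solve intent", as an added Go example (not OneCLI or Clavitor code): the rule format, the dns.example.test API, its batch endpoint and the token are constructed assumptions. A rule set written to be read-only still attaches the credential to a batch delete, because the operation is named only in the request body.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Rule is a hypothetical host/method/path scope for a stored credential (not OneCLI's syntax).
type Rule struct {
	Host, Method string
	Path         *regexp.Regexp
}

// Inject mimics the proxy step: a rule match adds the credential; the body is never read.
func Inject(rules []Rule, req *http.Request) bool {
	for _, r := range rules {
		if r.Host == req.URL.Host && r.Method == req.Method && r.Path.MatchString(req.URL.Path) {
			req.Header.Set("Authorization", "Bearer constructed-token") // placeholder secret
			return true
		}
	}
	return false
}

// ReadOnlyDNS is a constructed "read-only" policy for a made-up API at dns.example.test.
func ReadOnlyDNS() []Rule {
	return []Rule{
		{"dns.example.test", "GET", regexp.MustCompile(`^/v1/zones/[^/]+/records(/[^/]+)?$`)},
		// Bulk lookups use a batch endpoint whose operation is named in the body.
		{"dns.example.test", "POST", regexp.MustCompile(`^/v1/zones/[^/]+/batch$`)},
	}
}

// Decide builds a request and reports whether the credential would be injected.
func Decide(method, path, body string) bool {
	req, err := http.NewRequest(method, "https://dns.example.test"+path, strings.NewReader(body))
	if err != nil {
		return false
	}
	return Inject(ReadOnlyDNS(), req)
}

func main() {
	fmt.Println("GET records      ", Decide("GET", "/v1/zones/z1/records", ""))
	fmt.Println("DELETE record    ", Decide("DELETE", "/v1/zones/z1/records/r9", ""))
	fmt.Println("POST batch list  ", Decide("POST", "/v1/zones/z1/batch", `{"op":"list"}`))
	fmt.Println("POST batch delete", Decide("POST", "/v1/zones/z1/batch", `{"op":"delete","id":"r9"}`))
}
```

Enumerating methods and paths does block the REST-style DELETE, so pattern scoping helps where the API encodes the operation in the URL; it has nothing to match on when the operation sits in the payload.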


  • Aembit — enterprise agent identity platform (blended human+agent identity)
  • HashiCorp Vault — enterprise secret management (complex, expensive)
  • 1Password Secrets Automation — credential injection for CI/CD
  • Infisical — open-source secret management
  • Doppler — developer-focused secret management