OneCLI

OneCLI is an open-source secret vault and transparent MITM proxy designed for AI agents. It stores credentials once in an encrypted vault and injects them into outgoing HTTP requests at runtime, so agents can call external services without ever handling raw API keys. It runs as a single Docker container and requires zero code changes to integrate with any agent framework.

• Encrypted Vault: Credentials are stored with AES-256-GCM encryption and never written to disk in plain text; get started by running docker run ghcr.io/onecli/onecli.
• Transparent Proxy: Set HTTPS_PROXY to point your agent's HTTP traffic through OneCLI; credentials are injected automatically without modifying agent code.
• Web Dashboard: Manage agents, secrets, and permissions from a local web UI at localhost:10254.
• Full Audit Trail: Every API call is logged with agent identity and timestamp, enabling real-time approval or denial of actions.
• Human-in-the-Loop Policies: Define per-action policies so a human can approve or deny agent actions before they execute.
• One-Command Setup: The entire proxy, vault, and dashboard stack runs from a single docker run command.
• Framework Agnostic: Works with any agent framework including OpenClaw, NanoClaw, IronClaw, Dify, n8n, OpenHands, and more.
• Revocation: Revoke credentials once from the vault and access is removed everywhere instantly.
• Language SDKs: Programmatic integration available via language SDKs for developers who need deeper control.