Show HN: OneCLI – Vault for AI Agents in Rust | Mewayz Blog

Hacker News

6 min read

Mewayz Team, Editorial Team

Introducing OneCLI: Securing the AI Agent Workflow

The rise of AI agents promises a new era of automation, where intelligent assistants execute complex workflows, manage data, and interact with myriad APIs on our behalf. But this powerful new paradigm brings a hard security problem with it: secrets management. How do you securely hand an AI agent API keys, database passwords, and other sensitive credentials without hardcoding them into scripts or leaving them in insecure locations? The challenge is especially acute for developers and businesses building on modular platforms like Mewayz, where flexibility and security must go hand in hand. Today, we are sharing a solution we built in-house: OneCLI, a secure vault designed specifically for AI agents, written in Rust.

The Core Problem: Trust and Security in Autonomous Systems

When an AI agent needs to send an email via SendGrid, query a database, or update a project in a tool like Mewayz, it requires access to sensitive secrets. The traditional method of setting these as environment variables is brittle and insecure: environment variables are inherited by every child process the agent spawns, can be read from /proc/<pid>/environ by anything running as the same user, and routinely end up in crash dumps and CI logs. The problem only gets worse as agents are scaled across different environments. Hardcoding is a non-starter. We needed a system that could centrally manage secrets, enforce strict access control, and integrate cleanly with agent execution flows. Our goal was a tool that acts as a trusted gatekeeper, ensuring that agents receive only the credentials they are explicitly permitted to use, and only at the moment they are needed.

"OneCLI is not just a keychain; it is the trust layer between an AI's intent and its actions, ensuring that security is a feature, not an afterthought."

Why We Built OneCLI in Rust

We chose Rust as the foundation for OneCLI for reasons that matter to a security-focused application: performance, memory safety, and a robust ecosystem. AI agents operate in real time, and any secret retrieval must be fast enough not to become a bottleneck; Rust's zero-cost abstractions deliver that speed. More importantly, Rust's compile-time memory safety guarantees rule out entire classes of vulnerabilities, such as buffer overflows, that could otherwise be exploited to leak sensitive data. That inherent safety is paramount when building the bedrock of your automation infrastructure. Memory safety does not cover logic errors in the access-control policy itself; those are a matter of design, which the next section addresses. For a platform like Mewayz that emphasizes reliability, using a language engineered for safety and performance was the obvious choice.

Key Features of the OneCLI Vault

OneCLI is designed with a simple, Unix-philosophy approach: do one thing and do it well. It runs as a command-line interface that AI agents can call, returning the requested secret securely on stdout. Here is what it offers:

Centralized secret management: store all API keys, tokens, and passwords in a single encrypted vault, accessible through simple CLI commands.

Scoped access tokens: generate short-lived, permission-scoped tokens for individual agents, so a leaked credential exposes as little as possible for as short a time as possible.

Audit logging: record every secret access, giving a clear trail of which agent accessed which secret and when. This is essential both for debugging and for security review.

Seamless Mewayz integration: OneCLI plugs into Mewayz modules, so agents running inside the business OS can retrieve credentials for internal or external services without any custom code.

Integrating OneCLI into Your Agentic Workflows

Using OneCLI is straightforward. An AI agent, whether it is a Python script orchestrating a Mewayz workflow or a dedicated agent framework, simply invokes the OneCLI command. For example, an agent tasked with fetching data might execute onecli get database-password-prod. The CLI handles authentication and authorization and, if the request is permitted, returns the secret directly to the agent's process. This keeps secrets out of source code, environment variables, and agent memory until the very second they are required. Because the secret arrives on stdout, the agent's tool code should consume it directly (hand it to the database client, say) rather than echo it into its logs or into the model's prompt context, where it would linger far longer than that one second. This modular approach fits perfectly within the Mewayz philosophy, allowing you to compose secure, powerful business processes from discrete, reliable components.
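To make the access model from the feature list and the `onecli get database-password-prod` flow above concrete, here is an added Rust sketch of the vault-side logic: a short-lived, scoped token per agent, a deny-by-default check, and an audit entry for every attempt, granted or not. This is example code written for this page, not OneCLI's own implementation; the type names, the counter-based token ids, the in-memory secret store, the hypothetical agent name and the sample secret values are all assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};

/// Result of one `get` request. Every variant, including denials, is audited.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Outcome {
    Granted,
    UnknownToken,
    Expired,
    OutOfScope,
    NotFound,
}

/// A short-lived token bound to one agent and an explicit allow-list of secret names.
pub struct ScopedToken {
    pub agent: String,
    pub allowed: HashSet<String>,
    pub expires_at: u64, // Unix seconds
}

/// One audit record: who asked for what, when, and what happened.
#[derive(Debug, Clone, PartialEq)]
pub struct AuditEntry {
    pub ts: u64,
    pub agent: String,
    pub secret: String,
    pub outcome: Outcome,
}

/// In-memory stand-in for the vault (assumption for this example).
/// A real vault keeps `secrets` encrypted at rest and persists `audit` out of the agent's reach.
pub struct Vault {
    secrets: HashMap<String, String>,
    tokens: HashMap<String, ScopedToken>,
    next_token: u64,
    pub audit: Vec<AuditEntry>,
}

impl Vault {
    pub fn new() -> Self {
        Vault { secrets: HashMap::new(), tokens: HashMap::new(), next_token: 0, audit: Vec::new() }
    }

    pub fn put(&mut self, name: &str, value: &str) {
        self.secrets.insert(name.to_string(), value.to_string());
    }

    /// Issue a token for `agent` that may read only `allowed`, valid for `ttl` seconds from `now`.
    /// The counter-based id is a placeholder; a real issuer must draw the id from a CSPRNG.
    pub fn issue_token(&mut self, agent: &str, allowed: &[&str], now: u64, ttl: u64) -> String {
        self.next_token += 1;
        let id = format!("tok-{}", self.next_token);
        let token = ScopedToken {
            agent: agent.to_string(),
            allowed: allowed.iter().map(|s| s.to_string()).collect(),
            expires_at: now + ttl,
        };
        self.tokens.insert(id.clone(), token);
        id
    }

    /// The vault side of `onecli get <name>`, with the caller identified by `token`.
    /// Deny by default: every check must pass, and every attempt is written to the audit log.
    pub fn get(&mut self, token: &str, name: &str, now: u64) -> Result<String, Outcome> {
        let (agent, outcome) = match self.tokens.get(token) {
            None => ("<unknown>".to_string(), Outcome::UnknownToken),
            Some(t) if now >= t.expires_at => (t.agent.clone(), Outcome::Expired),
            // Scope is checked before existence, so an out-of-scope request
            // cannot be used to probe which secret names the vault holds.
            Some(t) if !t.allowed.contains(name) => (t.agent.clone(), Outcome::OutOfScope),
            Some(t) if self.secrets.contains_key(name) => (t.agent.clone(), Outcome::Granted),
            Some(t) => (t.agent.clone(), Outcome::NotFound),
        };
        self.audit.push(AuditEntry { ts: now, agent, secret: name.to_string(), outcome });
        match outcome {
            Outcome::Granted => Ok(self.secrets[name].clone()),
            denied => Err(denied),
        }
    }
}

fn main() {
    let mut vault = Vault::new();
    // Constructed sample secrets; the values are placeholders.
    vault.put("database-password-prod", "pg-pass-example");
    vault.put("sendgrid-api-key", "SG.example");
    let now = 1_700_000_000;
    // The hypothetical report-builder agent may read only the database password, for five minutes.
    let tok = vault.issue_token("report-builder", &["database-password-prod"], now, 300);

    // The agent runs the equivalent of `onecli get database-password-prod`;
    // only the secret itself goes to stdout, everything else to stderr.
    match vault.get(&tok, "database-password-prod", now + 10) {
        Ok(secret) => println!("{}", secret),
        Err(why) => eprintln!("denied: {:?}", why),
    }
    // Out-of-scope and expired requests are refused, and still audited.
    let _ = vault.get(&tok, "sendgrid-api-key", now + 10);
    let _ = vault.get(&tok, "database-password-prod", now + 301);
    for e in &vault.audit {
        eprintln!("audit ts={} agent={} secret={} outcome={:?}", e.ts, e.agent, e.secret, e.outcome);
    }
}
```

Only the secret is written to stdout, so a shell or an agent's tool code can capture it with `$(...)` without the audit lines landing in the same stream. The design choices worth copying are the order of checks (token, expiry, scope, then existence, so an out-of-scope caller learns nothing about which names exist) and the unconditional audit write, which happens before the result is returned regardless of outcome.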


Build Your Business OS Today

From freelancers to agencies, Mewayz powers 138,000+ businesses with 208 integrated modules. Start free, upgrade when you grow.

Create Free Account →
