You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .claude/skills/init-onecli/SKILL.md
+45-39Lines changed: 45 additions & 39 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,32 +1,36 @@
1
1
---
2
2
name: init-onecli
3
-
description: Install and initialize OneCLI Agent Vault. Migrates existing .env credentials to the vault. Use after /update-nanoclaw brings in OneCLI as a breaking change, or for first-time OneCLI setup.
3
+
description: Configure OneCLI Cloud Agent Vault. Migrates existing .env credentials to the cloud vault. Use after /update-nanoclaw brings in OneCLI as a breaking change, or for first-time OneCLI Cloud setup.
4
4
---
5
5
6
-
# Initialize OneCLI Agent Vault
6
+
# Initialize OneCLI Cloud Agent Vault
7
7
8
-
This skill installs OneCLI, configures the Agent Vault gateway, and migrates any existing `.env` credentials into it. Run this after `/update-nanoclaw` introduces OneCLI as a breaking change, or any time OneCLI needs to be set up from scratch.
8
+
This skill configures the OneCLI Cloud Agent Vault gateway and migrates any existing `.env` credentials into it. Run this after `/update-nanoclaw` introduces OneCLI as a breaking change, or any time OneCLI Cloud needs to be set up.
9
9
10
10
**Principle:** When something is broken or missing, fix it. Don't tell the user to go fix it themselves unless it genuinely requires their manual action (e.g. pasting a token).
If an Anthropic secret exists, tell the user OneCLI Cloud is already configured and working. Use AskUserQuestion:
31
+
32
+
1.**Keep current setup** — description: "OneCLI Cloud is configured and has credentials. Nothing to do."
33
+
2.**Reconfigure** — description: "Start fresh — re-register credentials in the cloud."
30
34
31
35
If they choose to keep, skip to Phase 5 (Verify). If they choose to reconfigure, continue.
32
36
@@ -36,10 +40,10 @@ If they choose to keep, skip to Phase 5 (Verify). If they choose to reconfigure,
36
40
grep "credential-proxy" src/index.ts 2>/dev/null
37
41
```
38
42
39
-
If `startCredentialProxy` is imported, the native credential proxy skill is active. Tell the user: "You're currently using the native credential proxy (`.env`-based). This skill will switch you to OneCLI's Agent Vault, which adds per-agent policies and rate limits. Your `.env` credentials will be migrated to the vault."
43
+
If `startCredentialProxy` is imported, the native credential proxy skill is active. Tell the user: "You're currently using the native credential proxy (`.env`-based). This skill will switch you to OneCLI Cloud's Agent Vault, which adds per-agent policies and rate limits. Your `.env` credentials will be migrated to the cloud vault."
40
44
41
45
Use AskUserQuestion:
42
-
1.**Continue** — description: "Switch to OneCLI Agent Vault."
46
+
1.**Continue** — description: "Switch to OneCLI Cloud Agent Vault."
43
47
2.**Cancel** — description: "Keep the native credential proxy."
If `@onecli-sh/sdk` is NOT in package.json, the codebase hasn't been updated to use OneCLI yet. Tell the user to run `/update-nanoclaw` first to get the OneCLI integration, then retry `/init-onecli`. Stop here.
54
58
55
-
## Phase 2: Install OneCLI
59
+
## Phase 2: Install & Configure OneCLI CLI
56
60
57
-
### Install the gateway and CLI
61
+
### Install the CLI
58
62
59
63
```bash
60
-
curl -fsSL onecli.sh/install | sh
61
64
curl -fsSL onecli.sh/cli/install | sh
62
65
```
63
66
@@ -75,36 +78,41 @@ Re-verify with `onecli version`.
75
78
76
79
### Configure the CLI
77
80
78
-
Point the CLI at the local OneCLI instance, the ONECLI_URL was output from the install script above:
81
+
Point the CLI at OneCLI Cloud (reads ONECLI_URL from `.env`, defaults to `https://app.onecli.sh`):
79
82
80
83
```bash
81
-
onecli config set api-host ${ONECLI_URL}
84
+
source .env 2>/dev/null
85
+
onecli config set api-host "${ONECLI_URL:-https://app.onecli.sh}"
If `ONECLI_API_KEY` is not already in `.env`, ask the user for their API key from the OneCLI Cloud dashboard (Settings → API Keys) and add it:
91
97
92
-
The gateway may take a moment to start after installation. Poll for up to 15 seconds:
98
+
```bash
99
+
echo'ONECLI_API_KEY=<their-key>'>> .env
100
+
```
101
+
102
+
### Authenticate the CLI
93
103
94
104
```bash
95
-
foriin$(seq 1 15);do
96
-
curl -sf ${ONECLI_URL}/health &&break
97
-
sleep 1
98
-
done
105
+
source .env 2>/dev/null
106
+
onecli auth login --api-key "$ONECLI_API_KEY"
99
107
```
100
108
101
-
If it never becomes healthy, check if the gateway process is running:
109
+
### Verify cloud gateway is reachable
102
110
103
111
```bash
104
-
ps aux | grep -i onecli | grep -v grep
112
+
source .env && curl -sf "${ONECLI_URL}/health"
105
113
```
106
114
107
-
If it's not running, try starting it manually: `onecli start`. If that fails, show the error and stop — the user needs to debug their OneCLI installation.
115
+
If the gateway is not reachable, verify the `ONECLI_URL` value in `.env` is correct and that the user has an active OneCLI Cloud account.
108
116
109
117
## Phase 3: Migrate existing credentials
110
118
@@ -128,7 +136,7 @@ Parse the file for any of the credential variables listed above.
128
136
129
137
### If credentials found in .env
130
138
131
-
For each credential found, migrate it to OneCLI:
139
+
For each credential found, migrate it to OneCLI Cloud:
132
140
133
141
**Anthropic API key** (`ANTHROPIC_API_KEY=sk-ant-...`):
After successful migration, remove the credential lines from `.env`. Use the Edit tool to remove only the credential variable lines (`ANTHROPIC_API_KEY`, `CLAUDE_CODE_OAUTH_TOKEN`, `ANTHROPIC_AUTH_TOKEN`). Keep all other `.env` entries intact (e.g. `ONECLI_URL`, `TELEGRAM_BOT_TOKEN`, channel tokens).
151
+
After successful migration, remove the credential lines from `.env`. Use the Edit tool to remove only the credential variable lines (`ANTHROPIC_API_KEY`, `CLAUDE_CODE_OAUTH_TOKEN`, `ANTHROPIC_AUTH_TOKEN`). Keep all other `.env` entries intact (e.g. `ONECLI_URL`, `ONECLI_API_KEY`, `TELEGRAM_BOT_TOKEN`, channel tokens).
144
152
145
153
Verify the secret was registered:
146
154
```bash
147
155
onecli secrets list
148
156
```
149
157
150
-
Tell the user: "Migrated your Anthropic credentials from `.env` to the OneCLI Agent Vault. The raw keys have been removed from `.env` — they're now managed by OneCLI and will be injected at request time without entering containers."
158
+
Tell the user: "Migrated your Anthropic credentials from `.env` to the OneCLI Cloud Agent Vault. The raw keys have been removed from `.env` — they're now managed by OneCLI Cloud and will be injected at request time without entering containers."
151
159
152
160
### Offer to migrate other container-facing credentials
153
161
@@ -188,7 +196,7 @@ onecli secrets list
188
196
189
197
No migration needed. Proceed to register credentials fresh.
190
198
191
-
Check if OneCLI already has an Anthropic secret:
199
+
Check if OneCLI Cloud already has an Anthropic secret:
192
200
```bash
193
201
onecli secrets list
194
202
```
@@ -208,7 +216,7 @@ Tell the user to run `claude setup-token` in another terminal and copy the token
208
216
209
217
Once they have the token, AskUserQuestion with two options:
210
218
211
-
1.**Dashboard** — description: "Best if you have a browser on this machine. Open ${ONECLI_URL} and add the secret in the UI. Use type 'anthropic' and paste your token as the value."
219
+
1.**Dashboard** — description: "Open the dashboard at `${ONECLI_URL}/connections/secrets`, click '+ Add Secret', choose type 'anthropic', and paste your token as the value."
@@ -217,7 +225,7 @@ Tell the user to get an API key from https://console.anthropic.com/settings/keys
217
225
218
226
AskUserQuestion with two options:
219
227
220
-
1.**Dashboard** — description: "Best if you have a browser on this machine. Open ${ONECLI_URL} and add the secret in the UI."
228
+
1.**Dashboard** — description: "Open the dashboard at `${ONECLI_URL}/connections/secrets`, click '+ Add Secret', choose type 'anthropic', and paste your key as the value."
If the service is running and a channel is configured, tell the user to send a test message to verify the agent responds.
255
263
256
264
Tell the user:
257
-
- OneCLI Agent Vault is now managing credentials
265
+
- OneCLI Cloud Agent Vault is now managing credentials
258
266
- Agents never see raw API keys — credentials are injected at the gateway level
259
-
- To manage secrets: `onecli secrets list`, or open ${ONECLI_URL}
267
+
- To manage secrets: `onecli secrets list`, or open the OneCLI Cloud dashboard
260
268
- To add rate limits or policies: `onecli rules create --help`
261
269
262
270
## Troubleshooting
263
271
264
-
**"OneCLI gateway not reachable" in logs:** The gateway isn't running. Check with `curl -sf ${ONECLI_URL}/health`. Start it with `onecli start` if needed.
272
+
**"OneCLI gateway not reachable" in logs:** The cloud gateway isn't reachable. Check with `source .env && curl -sf "${ONECLI_URL}/health"`. Verify `ONECLI_URL` and `ONECLI_API_KEY` are correctly set in `.env`.
265
273
266
-
**Container gets no credentials:** Verify `ONECLI_URL`is set in `.env` and the gateway has an Anthropic secret (`onecli secrets list`).
274
+
**Container gets no credentials:** Verify `ONECLI_URL`and `ONECLI_API_KEY` are set in `.env` and the gateway has an Anthropic secret (`onecli secrets list`).
267
275
268
276
**Old .env credentials still present:** This skill should have removed them. Double-check `.env` for `ANTHROPIC_API_KEY`, `CLAUDE_CODE_OAUTH_TOKEN`, or `ANTHROPIC_AUTH_TOKEN` and remove them manually if still present.
269
-
270
-
**Port 10254 already in use:** Another OneCLI instance may be running. Check with `lsof -i :10254` and kill the old process, or configure a different port.
0 commit comments