一键在 Manus 中运行任何 Skill

onecli

星标1

分支0

更新时间2026年6月19日 19:58

Diagnose and fix OneCLI gateway issues — Docker not running, 407 proxy auth, 401 from API (MITM not active), stale aoc_ token, CA cert refresh, secret setup, version pinning. Use when onecliStart fails, update-fathom-db fails, proxy returns 407 or 401, mode=tunnel in logs, or after OneCLI container recreation.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

opsMachine

opsMachine/OM-Agency

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

SKILL.md

readonly

name	onecli
description	Diagnose and fix OneCLI gateway issues — Docker not running, 407 proxy auth, 401 from API (MITM not active), stale aoc_ token, CA cert refresh, secret setup, version pinning. Use when onecliStart fails, update-fathom-db fails, proxy returns 407 or 401, mode=tunnel in logs, or after OneCLI container recreation.

OneCLI Skill

OneCLI is a self-hosted credential proxy. Agents route HTTPS traffic through it; the gateway injects real API keys from an encrypted vault so agents never hold raw credentials.

Stack: Docker Compose at ~/.onecli/docker-compose.yml · App: 127.0.0.1:10254 · Gateway: 127.0.0.1:10255 · Alias: onecliStart

Failure modes and fixes

Docker not running

Symptom: onecliStart → dial unix /var/run/docker.sock: no such file

sudo systemctl start docker
onecliStart

407 Proxy Authentication Required

Symptom: Proxy response (407) !== 200 when HTTP Tunneling

Cause: Stale aoc_ agent token. Happens whenever the OneCLI container is recreated (new :latest image pulled). The aoc_ token in env files is from the old container.

Fix: Get fresh token from the live container's API:

curl -sS http://127.0.0.1:10254/api/agents \
  -H "Authorization: Bearer <oc_token_from_env>" \
  | python3 -m json.tool

Copy the accessToken field (aoc_...) → update ONECLI_AOC_TOKEN in the relevant .env file(s).

Auth method: OneCLI requires aoc_ token as basic auth in proxy URL — NOT HTTP_PROXY_AUTH=Bearer. The correct pattern:

PROXY_URL="http://x:${AOC_TOKEN}@127.0.0.1:10255"
export HTTP_PROXY="$PROXY_URL"
export HTTPS_PROXY="$PROXY_URL"

The oc_ management token only gets plain tunnel mode (no header injection). Only aoc_ activates MITM.

401 from target API / MITM not active

Symptom: API returns 401 even though proxy auth passes. Docker logs show mode="tunnel" (not mode="mitm").

Root cause: OneCLI is tunneling without header injection. Check Docker logs:

docker logs onecli --tail 20

mode="tunnel" + agent="-" → agent not authenticated → stale aoc_ token (see 407 fix above)
mode="tunnel" + agent populated → secret not assigned to agent in dashboard
mode="mitm" but still 401 → wrong API key value in vault secret

Dashboard checklist at http://127.0.0.1:10254:

Agents → confirm agent exists, copy fresh aoc_ token
Secrets → secret must be assigned to that agent
Secret config: correct Host pattern, Header name, value format {value} (not Bearer {value} unless the API requires Bearer)

Stale CA cert after container recreation

Symptom: TLS errors or MITM not working despite correct token.

The gateway CA cert is regenerated each time volumes are recreated. Re-extract:

docker cp onecli:/app/data/gateway/ca.pem ~/.onecli/gateway-ca.pem

Verify it matches:

docker cp onecli:/app/data/gateway/ca.pem /tmp/onecli-ca-current.pem
diff <(openssl x509 -in ~/.onecli/gateway-ca.pem -noout -fingerprint) \
     <(openssl x509 -in /tmp/onecli-ca-current.pem -noout -fingerprint) \
  && echo "MATCH" || echo "STALE — re-extract"

Preventing surprise wipes

OneCLI uses :latest by default — a new image pull recreates containers and invalidates the aoc_ token and vault secrets.

Pin the image version in ~/.onecli/.env:

# Get current digest
docker inspect ghcr.io/onecli/onecli:latest --format '{{index .RepoDigests 0}}'
# Pin it
echo 'ONECLI_VERSION=@sha256:<digest>' >> ~/.onecli/.env

The docker-compose.yml reads ${ONECLI_VERSION:-latest}, so this pins without editing the compose file.

After any intentional upgrade: re-enter vault secrets in dashboard, re-extract CA cert, get fresh aoc_ token.

Health check

If a project has a check-onecli-*.sh script, run it first. It probes both the proxy auth and the target API end-to-end.

Manual probe pattern:

# 1. Gateway reachable?
curl -sS -o /dev/null -w "%{http_code}" --max-time 5 \
  -x http://127.0.0.1:10255 \
  -H "Proxy-Authorization: Bearer <oc_token>" \
  "https://example.com/"
# Expect: 200/301/302/404 = reachable; 407 = token wrong; 000 = Docker down

# 2. MITM + secret injection working?
curl -sS -o /dev/null -w "%{http_code}" \
  --proxy "http://x:<aoc_token>@127.0.0.1:10255" \
  --cacert ~/.onecli/gateway-ca.pem \
  -H "X-Api-Key: <secret-name-placeholder>" \
  "https://target-api.example.com/endpoint"
# Expect: 200 = working; 401 = MITM not active or wrong secret; 407 = stale aoc_ token

Checklist after container recreation

docker cp onecli:/app/data/gateway/ca.pem ~/.onecli/gateway-ca.pem
GET /api/agents with oc_ token → copy fresh aoc_ token → update .env
Dashboard → Secrets → re-enter any vault secrets
Run health check

同仓库更多 Skills

同仓库

grumpy-dev-code-review

opsMachine/OM-Agency

Performs comprehensive, brutally honest full-codebase review as a grumpy but fair senior developer with 20+ years of experience. Use when the user asks for a grumpy dev code review, brutal code review, senior dev review, comprehensive codebase audit, hall-of-shame code smells, or a gut-check on the entire project (not just a PR diff).

2026-06-191

ops-machine-crm

opsMachine/OM-Agency

ANY CRM or progress.md write, log call, add contact, pipeline lookup, paste transcript/email. Runs lifecycle routing in Step 0 — delivery work goes to progress.md not Won CRM Next Action. Query before create. For week view use week-scan not this skill. OM-Repo SKILLS-MAP.md.

2026-06-191

advisor-panel

opsMachine/OM-Agency

Convenes a short virtual panel of 2–3 named advisers (verbatim bios below) for questions that merit deeper examination—strategy, ethics, shipping tradeoffs, growth, or inner alignment. Use when the user asks for a board of advisers, adviser panel, stress-test a decision, simulate a debate between perspectives, or when a question is multi-stakeholder and benefits from distinct lenses (not simple factual lookups). Supports two modes: (1) user questions the panel in turns, (2) advisers simulate a conversation with each other. Trigger phrases: adviser panel, board of advisers, simulate the advisers, council of advisers, who should weigh in on this.

2026-06-051

comedy-db

opsMachine/OM-Agency

Manages Mitch's Notion comedy writing database. Use this skill whenever Mitch wants to interact with his comedy material — creating new bit entries, updating existing bits as material develops, reading what's in the database, changing status, or adding notes. Trigger on phrases like: "add this to my comedy database", "save this bit", "update the vasectomy bit", "what bits do I have", "mark this as ready", "add these lines to that bit about X", "create a new entry for this premise", "what's in my comedy DB", or any time Mitch is developing stand-up material and wants it captured or retrieved. Also trigger when Mitch pastes raw material mid-conversation and wants it saved. Always fuzzy-search before creating — never assume a bit doesn't exist.

2026-06-051

linkedin-comment-engine

opsMachine/OM-Agency

LinkedIn organic lead generation system based on the "comment keyword + DM" mechanic. Use this skill whenever Mitch wants to: write a LinkedIn post designed to generate leads, build a resource (checklist, template, list) to use as a CTA, research what topics are getting engagement in a niche, write a DM sequence for comment-based leads, or plan a weekly LinkedIn content cadence. Also trigger when Mitch says things like "write a LinkedIn post", "what should I post about", "make a lead magnet", "build a resource for LinkedIn", "DM sequence", or "keyword CTA". Source: https://www.reddit.com/r/EntrepreneurRideAlong/comments/1shgq8u/i_stopped_chasing_clients_and_let_linkedin_do_it/

2026-06-051

mental-model-recipes

opsMachine/OM-Agency

Applies the Cognitive Operations Architecture — structured thinking recipes built from lenses (what to notice), operations (what to do), and recipes (specific sequences for specific problems) — to user queries. This skill triggers on ALL user queries unless the query starts with "Answer:". Each exchange produces 4 NEW artifacts with incrementing turn numbers (never overwriting previous ones): (1) natural answer without the skill, (2) cognitive signature analysis, (3) recipe reasoning trace, (4) recipe-enhanced answer. Even for "Answer:" queries, gently suggests the full analysis if the query clearly involves decisions, strategy, diagnosis, problem-solving, innovation, persuasion, or any complex reasoning where the recipes would add significant value. Use this skill extremely broadly — when in doubt, use it.

2026-06-051

name	onecli
description	Diagnose and fix OneCLI gateway issues — Docker not running, 407 proxy auth, 401 from API (MITM not active), stale aoc_ token, CA cert refresh, secret setup, version pinning. Use when onecliStart fails, update-fathom-db fails, proxy returns 407 or 401, mode=tunnel in logs, or after OneCLI container recreation.

OneCLI Skill

OneCLI is a self-hosted credential proxy. Agents route HTTPS traffic through it; the gateway injects real API keys from an encrypted vault so agents never hold raw credentials.

Stack: Docker Compose at ~/.onecli/docker-compose.yml · App: 127.0.0.1:10254 · Gateway: 127.0.0.1:10255 · Alias: onecliStart

Failure modes and fixes

Docker not running

Symptom: onecliStart → dial unix /var/run/docker.sock: no such file

sudo systemctl start docker
onecliStart

407 Proxy Authentication Required

Symptom: Proxy response (407) !== 200 when HTTP Tunneling

Cause: Stale aoc_ agent token. Happens whenever the OneCLI container is recreated (new :latest image pulled). The aoc_ token in env files is from the old container.

Fix: Get fresh token from the live container's API:

curl -sS http://127.0.0.1:10254/api/agents \
  -H "Authorization: Bearer <oc_token_from_env>" \
  | python3 -m json.tool

Copy the accessToken field (aoc_...) → update ONECLI_AOC_TOKEN in the relevant .env file(s).

Auth method: OneCLI requires aoc_ token as basic auth in proxy URL — NOT HTTP_PROXY_AUTH=Bearer. The correct pattern:

PROXY_URL="http://x:${AOC_TOKEN}@127.0.0.1:10255"
export HTTP_PROXY="$PROXY_URL"
export HTTPS_PROXY="$PROXY_URL"

The oc_ management token only gets plain tunnel mode (no header injection). Only aoc_ activates MITM.

401 from target API / MITM not active

Symptom: API returns 401 even though proxy auth passes. Docker logs show mode="tunnel" (not mode="mitm").

Root cause: OneCLI is tunneling without header injection. Check Docker logs:

docker logs onecli --tail 20

mode="tunnel" + agent="-" → agent not authenticated → stale aoc_ token (see 407 fix above)
mode="tunnel" + agent populated → secret not assigned to agent in dashboard
mode="mitm" but still 401 → wrong API key value in vault secret

Dashboard checklist at http://127.0.0.1:10254:

Agents → confirm agent exists, copy fresh aoc_ token
Secrets → secret must be assigned to that agent
Secret config: correct Host pattern, Header name, value format {value} (not Bearer {value} unless the API requires Bearer)

Stale CA cert after container recreation

Symptom: TLS errors or MITM not working despite correct token.

The gateway CA cert is regenerated each time volumes are recreated. Re-extract:

docker cp onecli:/app/data/gateway/ca.pem ~/.onecli/gateway-ca.pem

Verify it matches:

docker cp onecli:/app/data/gateway/ca.pem /tmp/onecli-ca-current.pem
diff <(openssl x509 -in ~/.onecli/gateway-ca.pem -noout -fingerprint) \
     <(openssl x509 -in /tmp/onecli-ca-current.pem -noout -fingerprint) \
  && echo "MATCH" || echo "STALE — re-extract"

Preventing surprise wipes

OneCLI uses :latest by default — a new image pull recreates containers and invalidates the aoc_ token and vault secrets.

Pin the image version in ~/.onecli/.env:

# Get current digest
docker inspect ghcr.io/onecli/onecli:latest --format '{{index .RepoDigests 0}}'
# Pin it
echo 'ONECLI_VERSION=@sha256:<digest>' >> ~/.onecli/.env

The docker-compose.yml reads ${ONECLI_VERSION:-latest}, so this pins without editing the compose file.

After any intentional upgrade: re-enter vault secrets in dashboard, re-extract CA cert, get fresh aoc_ token.

Health check

If a project has a check-onecli-*.sh script, run it first. It probes both the proxy auth and the target API end-to-end.

Manual probe pattern:

# 1. Gateway reachable?
curl -sS -o /dev/null -w "%{http_code}" --max-time 5 \
  -x http://127.0.0.1:10255 \
  -H "Proxy-Authorization: Bearer <oc_token>" \
  "https://example.com/"
# Expect: 200/301/302/404 = reachable; 407 = token wrong; 000 = Docker down

# 2. MITM + secret injection working?
curl -sS -o /dev/null -w "%{http_code}" \
  --proxy "http://x:<aoc_token>@127.0.0.1:10255" \
  --cacert ~/.onecli/gateway-ca.pem \
  -H "X-Api-Key: <secret-name-placeholder>" \
  "https://target-api.example.com/endpoint"
# Expect: 200 = working; 401 = MITM not active or wrong secret; 407 = stale aoc_ token

Checklist after container recreation

docker cp onecli:/app/data/gateway/ca.pem ~/.onecli/gateway-ca.pem
GET /api/agents with oc_ token → copy fresh aoc_ token → update .env
Dashboard → Secrets → re-enter any vault secrets
Run health check