credbroker 0.1.0

Standalone, pip-installable credential resolver for credentialed agent skills (env -> OS keyring -> dotfile, with an optional encrypted-at-rest vault).

credbroker

A standalone, pip-installable credential resolver for credentialed agent skills. Resolves secrets in-process through three tiers — environment variable → OS keyring → a 0600 dotfile floor — and never lets a cleartext value cross a process boundary to the LLM.

Status: Phase 1 (RFC-0023). Developed in-tree at packages/credbroker/, installed via repo path (pip install -e ./packages/credbroker). PyPI publication is Phase 2 (deferred — see docs/backlog.md#credbroker-phase-2).

Install

pip install -e ./packages/credbroker            # stdlib-only core
pip install -e './packages/credbroker[crypto]'  # + encrypted-at-rest vault

The core has no third-party dependency. The [crypto] extra adds cryptography + argon2-cffi for an encrypted-at-rest vault at the floor tier; without it, resolution degrades to the keyring/plaintext-dotfile floor.

Use

from credbroker import load_credentials

# Keys are used verbatim; only the namespace is upper-cased to compose the
# env / dotfile name (here: JIRA_BASE_URL, JIRA_API_TOKEN). Use upper-case keys.
creds = load_credentials("jira", required_keys=["BASE_URL", "API_TOKEN"])

See docs/specs/credbroker/spec.md for the full contract and RFC-0023 for the rationale.