Standalone, pip-installable credential resolver for credentialed agent skills (env -> OS keyring -> dotfile, with an optional encrypted-at-rest vault).
Project description
credbroker
Resolve secrets for agent skills without leaking them to the model.
credbroker is a standalone, pip-installable credential resolver. It reads a secret in-process, walks three tiers, and never lets a cleartext value cross a process boundary to the LLM. The core is stdlib-only, with no third-party dependency.
Install
```sh
pip install credbroker             # stdlib-only core
pip install 'credbroker[crypto]'   # + encrypted-at-rest vault
```
Use
credbroker is a plain Python library. It works in any program, agent, or skill — no framework and no agent-ready-repo install required.
Resolve a namespace's credentials in one call:
```python
from credbroker import load_credentials

# Keys are used verbatim. The namespace is upper-cased to compose the
# env / dotfile name: here, JIRA_BASE_URL and JIRA_API_TOKEN.
creds = load_credentials("jira", required_keys=["BASE_URL", "API_TOKEN"])

# connect() stands in for your own client code.
connect(creds.BASE_URL, token=creds.API_TOKEN)  # attribute access returns the value
```
A typical agent skill resolves its namespace once, up front, and fails loud if a secret is missing — so the agent surfaces a setup prompt instead of firing a half-filled request:
```python
from credbroker import load_credentials, CredentialsMissingError

def jira_session():
    try:
        creds = load_credentials("jira", required_keys=["BASE_URL", "API_TOKEN"])
    except CredentialsMissingError as exc:
        raise SystemExit(str(exc))  # clear setup guidance, no broken call
    # Session stands in for your own client class.
    return Session(creds.BASE_URL, token=creds.API_TOKEN)
```
The returned object is immutable, and its repr lists key names only. A stray print(creds) can't echo token bytes.
How it resolves
credbroker walks three tiers and returns the first hit:
- Environment variable — JIRA_API_TOKEN. Good for CI and ephemeral shells.
- OS keyring — the platform's native secret store. macOS uses the Keychain. Windows uses Credential Manager. The backend is chosen at import time from sys.platform.
- Dotfile floor — a 0600 dotfile, or an encrypted-at-rest vault with the [crypto] extra (Argon2id, then AES-256-GCM).
Linux and other platforms have no keyring tier. Resolution skips straight from the environment variable to the dotfile floor. Without [crypto], that floor is the plaintext 0600 dotfile.
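The tier walk described above, modelled for the Linux case (environment variable, then the 0600 dotfile floor), as an added example that is not credbroker's own code. The names `Creds`, `read_dotfile`, `load` and `demo`, the KEY=VALUE dotfile format, and the refusal of a dotfile with group/other permission bits are assumptions made for this illustration.

```python
import os, stat, tempfile
from pathlib import Path
from types import MappingProxyType

class Creds:
    """Read-only holder; repr shows key names only (sketch, not credbroker's class)."""
    __slots__ = ("_values",)
    def __init__(self, values):
        object.__setattr__(self, "_values", MappingProxyType(dict(values)))
    def __getattr__(self, name):
        try:
            return self._values[name]
        except KeyError:
            raise AttributeError(name) from None
    def __setattr__(self, name, value):
        raise AttributeError("credentials are read-only")
    def __repr__(self):
        return f"Creds(keys={sorted(self._values)})"

def read_dotfile(path):
    """Parse KEY=VALUE lines (assumed format); refuse group/other-accessible files."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:04o}, expected 0600")
    rows = (l.split("=", 1) for l in Path(path).read_text().splitlines()
            if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in rows}

def load(namespace, required_keys, env, dotfile):
    """Environment first, then the dotfile floor (Linux path: no keyring tier)."""
    floor, found = None, {}
    for key in required_keys:
        name = f"{namespace.upper()}_{key}"
        value = env.get(name)                  # tier 1: first hit wins
        if not value:
            if floor is None:                  # read the floor lazily, once
                floor = read_dotfile(dotfile) if os.path.exists(dotfile) else {}
            value = floor.get(name)
        found[key] = value
    missing = [f"{namespace.upper()}_{k}" for k, v in found.items() if not v]
    if missing:                                # error names keys, never values
        raise LookupError("missing credentials: " + ", ".join(missing))
    return Creds(found)

def demo():  # constructed sample: env overrides the dotfile for API_TOKEN
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, "creds")
        path.write_text("JIRA_BASE_URL=https://jira.example.test\nJIRA_API_TOKEN=from-dotfile\n")
        path.chmod(0o600)
        return load("jira", ["BASE_URL", "API_TOKEN"], {"JIRA_API_TOKEN": "from-env"}, path)
```

Passing `os.environ` as `env` gives the real first tier; the permission check relies on POSIX mode bits and does not carry over to Windows ACLs.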
Learn more
For local development, install from a repo clone: pip install -e ./packages/credbroker.
See the full contract and RFC-0023 for the rationale.
File details
Details for the file credbroker-0.1.1.tar.gz.
File metadata
- Download URL: credbroker-0.1.1.tar.gz
- Upload date:
- Size: 26.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 5cf37dc4deae40c69b515e639aa43caaf543a5e4187fef80d6ac4a3a6ab93241 |
| MD5 | 404fab69ca963fec24c6c04caea997f6 |
| BLAKE2b-256 | df26ce628bce4edcd58523a330d17b774b448be348b0f7f1c2c5243a58848735 |
Provenance
The following attestation bundles were made for credbroker-0.1.1.tar.gz:
Publisher: release-credbroker.yml on eugenelim/agent-ready-repo
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: credbroker-0.1.1.tar.gz
  - Subject digest: 5cf37dc4deae40c69b515e639aa43caaf543a5e4187fef80d6ac4a3a6ab93241
- Sigstore transparency entry: 1806527561
- Sigstore integration time:
- Permalink: eugenelim/agent-ready-repo@fd9a971e82f61d5674e198488694ef3cc34cfc01
- Branch / Tag: refs/tags/credbroker-v0.1.1
- Owner: https://github.com/eugenelim
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release-credbroker.yml@fd9a971e82f61d5674e198488694ef3cc34cfc01
- Trigger Event: push
File details
Details for the file credbroker-0.1.1-py3-none-any.whl.
File metadata
- Download URL: credbroker-0.1.1-py3-none-any.whl
- Upload date:
- Size: 27.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9e25d567997b9c5b916f821023c1343db058142c55e73d28191b38a234a0b9ea |
| MD5 | fd7c7638ba9970a441fa012ab0c33a40 |
| BLAKE2b-256 | 1685f2af1f17c9e8b813eb7a53ccaa1508e020c7ad062db72f0e22f3e2772f72 |
Provenance
The following attestation bundles were made for credbroker-0.1.1-py3-none-any.whl:
Publisher: release-credbroker.yml on eugenelim/agent-ready-repo
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: credbroker-0.1.1-py3-none-any.whl
  - Subject digest: 9e25d567997b9c5b916f821023c1343db058142c55e73d28191b38a234a0b9ea
- Sigstore transparency entry: 1806527650
- Sigstore integration time:
- Permalink: eugenelim/agent-ready-repo@fd9a971e82f61d5674e198488694ef3cc34cfc01
- Branch / Tag: refs/tags/credbroker-v0.1.1
- Owner: https://github.com/eugenelim
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release-credbroker.yml@fd9a971e82f61d5674e198488694ef3cc34cfc01
- Trigger Event: push