Metadata-Version: 2.4
Name: credbroker
Version: 0.1.0
Summary: Standalone, pip-installable credential resolver for credentialed agent skills (env -> OS keyring -> dotfile, with an optional encrypted-at-rest vault).
Author-email: eugenelim <eugenelim@users.noreply.github.com>
License: Apache-2.0 OR MIT
Project-URL: Homepage, https://github.com/eugenelim/agent-ready-repo
Project-URL: Source, https://github.com/eugenelim/agent-ready-repo
Classifier: Development Status :: 3 - Alpha
Classifier: License :: OSI Approved :: Apache Software License
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Requires-Python: >=3.11
Description-Content-Type: text/markdown
Provides-Extra: crypto
Requires-Dist: cryptography>=42; extra == "crypto"
Requires-Dist: argon2-cffi>=23; extra == "crypto"

# credbroker

A standalone, pip-installable credential resolver for credentialed agent
skills. Resolves secrets **in-process** through three tiers —
environment variable → OS keyring → a `0600` dotfile floor — and never lets a
cleartext value cross a process boundary to the LLM.

> Status: **Phase 1** (RFC-0023). Developed in-tree at `packages/credbroker/`,
> installed via repo path (`pip install -e ./packages/credbroker`). PyPI
> publication is Phase 2 (deferred — see `docs/backlog.md#credbroker-phase-2`).

## Install

```bash
pip install -e ./packages/credbroker            # stdlib-only core
pip install -e './packages/credbroker[crypto]'  # + encrypted-at-rest vault
```

The core has **no third-party dependency**. The `[crypto]` extra adds
`cryptography` + `argon2-cffi` for an encrypted-at-rest vault at the floor tier;
without it, resolution degrades to the keyring/plaintext-dotfile floor.

## Use

```python
from credbroker import load_credentials

# Keys are used verbatim; only the namespace is upper-cased to compose the
# env / dotfile name (here: JIRA_BASE_URL, JIRA_API_TOKEN). Use upper-case keys.
creds = load_credentials("jira", required_keys=["BASE_URL", "API_TOKEN"])
```

See [`docs/specs/credbroker/spec.md`](../../docs/specs/credbroker/spec.md) for
the full contract and [RFC-0023](../../docs/rfc/0023-credential-manager-broker.md)
for the rationale.
