No description
- Go 98.8%
- Python 0.7%
- Lua 0.5%
| cmd | ||
| docs | ||
| internal | ||
| pkg/keyringclient | ||
| public | ||
| scripts | ||
| templates | ||
| tool-skills | ||
| workflow | ||
| .gitignore | ||
| go.mod | ||
| go.sum | ||
| README.md | ||
| workflow.events.jsonl | ||
| workflow.toml | ||
financial-keyring
Financial keyring scaffold for the financial-site credential boundary.
Purpose
This repository is for keyring structure, metadata, templates, tooling, and operational documentation. It is not for committing raw secrets, private keys, tokens, or live credential material.
Intended layout
docs/for procedures and operating notestemplates/for non-secret example filesscripts/for safe helper toolingpkg/keyringclientfor the public Go client used by applications that need the financial-keyring service boundarypublic/for public material onlylocal/for ignored machine-local state
Public Go client
Applications must not import financial-keyring/internal/.... Use pkg/keyringclient for direct Go wiring.
pkg/keyringclient speaks the framed JSON-RPC service contract over the configured Unix socket and hides secure-file staging for credential enrollment. It keeps secret material out of argv, env, stdin, logs, and application databases.
Minimal shape:
client, err := keyringclient.NewFromEnv("financial-site")
resp, err := client.EnrollCredential(ctx, keyringclient.EnrollCredentialRequest{
CredentialType: "api_key",
CredentialUsage: "api_auth",
ProviderService: "schwab",
AccountPrincipal: "financial-site/schwab/client_secret",
AudienceHash: "sha256:...",
RedactionPolicy: "redacted_label_only",
}, []byte(secret))
Runtime environment:
FINANCIAL_KEYRING_SOCKET=/path/to/financial-keyring.sock, or$XDG_RUNTIME_DIR/financial-keyring.sockFINANCIAL_KEYRING_STAGING_DIR=/path/visible/to/both/processes, optional; defaults to the socket directoryFINANCIAL_KEYRING_OPERATOR_TOKEN=..., preferredFINANCIAL_KEYRING_ADMIN_TOKEN=..., fallback
Safety rules
- Never commit live secrets
- Never commit private keys
- Never commit
.envfiles with real values - Keep real credential material outside git and outside this repo's tracked history