No description
  • Go 98.8%
  • Python 0.7%
  • Lua 0.5%
Find a file
2026-05-30 16:29:36 -05:00
cmd keyring: add socket service deployment path 2026-05-27 14:26:59 -05:00
docs keyring: rename fork for financial site 2026-05-27 13:54:59 -05:00
internal Allow option symbols for Schwab quotes 2026-05-30 16:29:36 -05:00
pkg/keyringclient Expose Schwab option chain contract count 2026-05-30 16:04:23 -05:00
public Initialize agent-keyring scaffold 2026-04-28 10:33:54 -05:00
scripts workflow: add checked manifest baseline 2026-05-13 21:16:25 -05:00
templates keyring: add socket service deployment path 2026-05-27 14:26:59 -05:00
tool-skills keyring: rename fork for financial site 2026-05-27 13:54:59 -05:00
workflow keyring: rename fork for financial site 2026-05-27 13:54:59 -05:00
.gitignore workflow: ignore local feature worktrees 2026-05-15 12:16:05 -05:00
go.mod service: add schwab level one stream rpc 2026-05-28 20:22:48 -05:00
go.sum service: add schwab level one stream rpc 2026-05-28 20:22:48 -05:00
README.md keyring: add socket service deployment path 2026-05-27 14:26:59 -05:00
workflow.events.jsonl keyring: rename fork for financial site 2026-05-27 13:54:59 -05:00
workflow.toml keyring: rename fork for financial site 2026-05-27 13:54:59 -05:00

financial-keyring

Financial keyring scaffold for the financial-site credential boundary.

Purpose

This repository is for keyring structure, metadata, templates, tooling, and operational documentation. It is not for committing raw secrets, private keys, tokens, or live credential material.

Intended layout

  • docs/ for procedures and operating notes
  • templates/ for non-secret example files
  • scripts/ for safe helper tooling
  • pkg/keyringclient for the public Go client used by applications that need the financial-keyring service boundary
  • public/ for public material only
  • local/ for ignored machine-local state

Public Go client

Applications must not import financial-keyring/internal/.... Use pkg/keyringclient for direct Go wiring.

pkg/keyringclient speaks the framed JSON-RPC service contract over the configured Unix socket and hides secure-file staging for credential enrollment. It keeps secret material out of argv, env, stdin, logs, and application databases.

Minimal shape:

client, err := keyringclient.NewFromEnv("financial-site")
resp, err := client.EnrollCredential(ctx, keyringclient.EnrollCredentialRequest{
    CredentialType:   "api_key",
    CredentialUsage:  "api_auth",
    ProviderService:  "schwab",
    AccountPrincipal: "financial-site/schwab/client_secret",
    AudienceHash:     "sha256:...",
    RedactionPolicy:  "redacted_label_only",
}, []byte(secret))

Runtime environment:

  • FINANCIAL_KEYRING_SOCKET=/path/to/financial-keyring.sock, or $XDG_RUNTIME_DIR/financial-keyring.sock
  • FINANCIAL_KEYRING_STAGING_DIR=/path/visible/to/both/processes, optional; defaults to the socket directory
  • FINANCIAL_KEYRING_OPERATOR_TOKEN=..., preferred
  • FINANCIAL_KEYRING_ADMIN_TOKEN=..., fallback

Safety rules

  • Never commit live secrets
  • Never commit private keys
  • Never commit .env files with real values
  • Keep real credential material outside git and outside this repo's tracked history