loa-credentials
Credential management and audit for API keys and secrets
Best use case
loa-credentials is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using loa-credentials should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/managing-credentials/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How loa-credentials Compares
| Feature / Agent | loa-credentials | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Credential management and audit for API keys and secrets
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# /loa-credentials — Credential Management
## Overview
Manage API credentials for Loa's multi-model provider system. Three storage tiers:
1. **Environment variables** — highest priority, standard approach
2. **Encrypted store** — `~/.loa/credentials/store.json.enc` (Fernet/AES-128)
3. **.env.local** — project-level dotenv file (gitignored)
## Subcommands
### status (default)
Show credential status for all known providers.
**Workflow**:
1. Run: `python3 -c "from loa_cheval.credentials import get_credential_provider; from loa_cheval.credentials.health import HEALTH_CHECKS; p = get_credential_provider('.'); [print(f'{k}: {\"configured\" if p.get(k) else \"missing\"}') for k in HEALTH_CHECKS]"`
2. Format results as a table:
```
Credential Status
─────────────────────────────────
OPENAI_API_KEY configured (env)
ANTHROPIC_API_KEY missing
MOONSHOT_API_KEY configured (.env.local)
```
3. If any credentials are missing, suggest: `Run /loa-credentials set <NAME> to configure`
### set <CREDENTIAL_ID>
Store a credential in the encrypted store.
**Workflow**:
1. Validate the credential ID is in the known list or matches the allowlist pattern
2. **CRITICAL**: Use `AskUserQuestion` to prompt for the value — NEVER accept credentials as command arguments
3. Run: `python3 -c "from loa_cheval.credentials.store import EncryptedStore; s = EncryptedStore(); s.set('CREDENTIAL_ID', 'VALUE')"`
4. Confirm: "Stored CREDENTIAL_ID in encrypted store (~/.loa/credentials/)"
5. Optionally offer to test the credential
**Security Rules**:
- NEVER echo, print, or log the credential value
- NEVER include the credential value in tool call descriptions
- NEVER store credentials in .claude/ or grimoires/
- The value MUST come from user input via AskUserQuestion, never from command args
### test
Test all configured credentials against provider endpoints.
**Workflow**:
1. Run: `python3 -c "from loa_cheval.credentials import get_credential_provider; from loa_cheval.credentials.health import check_all; results = check_all(get_credential_provider('.')); [print(f'{r.credential_id}: {r.status} — {r.message}') for r in results]"`
2. Format results:
```
Credential Health
─────────────────────────────────
OPENAI_API_KEY ok — OpenAI API: valid (HTTP 200)
ANTHROPIC_API_KEY error — Anthropic API: invalid key (HTTP 401)
MOONSHOT_API_KEY missing — MOONSHOT_API_KEY not configured
```
### delete <CREDENTIAL_ID>
Remove a credential from the encrypted store.
**Workflow**:
1. Confirm with user before deletion
2. Run: `python3 -c "from loa_cheval.credentials.store import EncryptedStore; s = EncryptedStore(); print('deleted' if s.delete('CREDENTIAL_ID') else 'not found')"`
## Error Handling
| Error | Cause | Resolution |
|-------|-------|------------|
| "cryptography package required" | Missing dependency | `pip install cryptography` |
| "No credentials configured" | Empty store + no env vars | Run `/loa-credentials set` |
| "Health check timeout" | Network issue | Check connectivity |
## Integration
Credentials stored via this command are automatically discovered by:
- Config interpolation (`{env:VAR}` tokens in `.loa.config.yaml`)
- LazyValue resolution (provider auth fields)
- All skills that use model-invoke
The credential chain is: env var → encrypted store → .env.local
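The chain above as an added example (not code from loa_cheval or the original SKILL.md): a resolver that walks env var → encrypted store → .env.local and reports only the source tier, never the value. The function names, the ID pattern, the treatment of empty values as missing, and the plain dict standing in for the already-decrypted store are assumptions; the sample values are constructed.

```python
import re

# Hypothetical allowlist pattern: the page says IDs are validated but gives no pattern.
ID_PATTERN = re.compile(r"[A-Z][A-Z0-9_]{2,63}")

def parse_dotenv(text):
    """Parse KEY=VALUE lines of .env.local content; skip blanks, comments, junk."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("export "):
            line = line[len("export "):].strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop one pair of matching surrounding quotes
        values[key.strip()] = value
    return values

def resolve(credential_id, environ, store, dotenv):
    """Return (value, source) from the first tier holding a non-empty value."""
    if not ID_PATTERN.fullmatch(credential_id):
        raise ValueError("credential ID not allowed: " + repr(credential_id))
    tiers = (("env", environ), ("encrypted store", store), (".env.local", dotenv))
    for source, tier in tiers:
        value = tier.get(credential_id)
        if value:  # assumption: an empty string counts as "not configured"
            return value, source
    return None, None

def status_lines(ids, environ, store, dotenv):
    """Build status rows that name the source tier but never the value."""
    rows = []
    for cid in ids:
        _, source = resolve(cid, environ, store, dotenv)
        rows.append(f"{cid} configured ({source})" if source else f"{cid} missing")
    return rows

# Constructed sample data; none of these are real keys.
SAMPLE_ENV = {"OPENAI_API_KEY": "sk-constructed-env"}
SAMPLE_STORE = {"OPENAI_API_KEY": "sk-constructed-store", "ANTHROPIC_API_KEY": ""}
SAMPLE_DOTENV = parse_dotenv('# local overrides\nMOONSHOT_API_KEY="ms-constructed"\n')
IDS = ["OPENAI_API_KEY", "ANTHROPIC_API_KEY", "MOONSHOT_API_KEY"]

if __name__ == "__main__":
    print("\n".join(status_lines(IDS, SAMPLE_ENV, SAMPLE_STORE, SAMPLE_DOTENV)))
```

In real use the first tier would be `os.environ` and the second the decrypted contents of the store.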
Environment variables always take priority.