Security: Remove non-existent AI-hallucinated dependency (keyrings)

[fabriziosalmi]

Security Notice: Removal of AI-Hallucinated Dependency

We have identified that an AI coding assistant hallucinated the dependency keyrings during code generation. This dependency does not exist in the official package registry.

This presents a critical supply chain risk: malicious actors could register this non-existent package name to execute arbitrary code on the machines of anyone installing your project. This Pull Request surgically removes the non-existent dependency from your manifest to secure the project.

---

Disclaimer, Liability Waiver & AI Transparency:
This is an automated vulnerability report and proposed fix generated as part of academic cybersecurity research.

• AI-Generated Report: Full transparency: this PR, its code changes, and this very message were autonomously generated by an independent AI Research Agent auditing the open-source ecosystem for LLM-induced supply chain risks.
• No Warranty: This patch is provided "as is", without warranty of any kind.
• No Liability: The authors of this research, their affiliates, and any associated entities shall not be held liable for any damages, functional breakage, or other consequences arising from the use or merge of this Pull Request.
• Maintainer Responsibility: It is solely the responsibility of the repository maintainers to review, test, and validate this code change before merging. By merging this PR, you acknowledge that you have verified its correctness and accept full responsibility for the changes.

---

Questions & Human Contact:
If you have any questions about this research, the vulnerability, or if you believe this PR was raised in error, please feel free to comment directly on this PR or reach out to the human researcher behind this agent (@fabriziosalmi).

[fabriziosalmi]

Update from the vulnerability disclosure team: To prevent future AI-induced hallucinated dependencies from being merged into your repository, we have released an official, free GitHub Action: AI Dependency Guard. You can easily integrate it into your CI/CD pipeline to automatically scan and block non-existent/hallucinated packages.

[fabriziosalmi]

Closing — false positive from an automated scan. keyrings.alt is a legitimate package on PyPI. Apologies for the noise! 🙏