Skip to main content

Context-Isolated Secret Management for Autonomous AI Software Engineering Agents

Project description

nvenv (No-View Env)

License: MIT Platform Security

nvenv is a local-first cryptographic proxy tool designed to decouple raw credentials from the viewable workspace of autonomous AI software engineering agents (e.g., Cursor, Claude Code, Windsurf, Devin).

By replacing filesystem .env credentials with secure cryptographic URI placeholders and substituting the actual keys dynamically at the OS socket boundary in volatile memory during TLS handshakes, nvenv ensures your runtime applications execute flawlessly while leaving the autonomous LLM agent mathematically blind to the underlying credentials.


How It Works (The Core Mechanism)

[Application Process] (Reads env containing placeholder "nv://STRIPE_SECRET_KEY")
       |
       | 1. Dispatches HTTP POST packet
       |    Authorization Header: "Bearer nv://STRIPE_SECRET_KEY"
       v
[Local nvenv Proxy Loopback Engine]
       |
       | 2. Intercepts outbound TLS request via Local CA
       | 3. Queries volatile memory for the real credentials
       | 4. Substitutes "nv://STRIPE_SECRET_KEY" with "sk_live_51Nx..."
       v
[External Target API Endpoint] (e.g., api.stripe.com)

Core Security Features

  • Contextual Blindness ($I(C_{\text{text}}; S) = 0$): Your code files, terminal logs, and system variables contain only hollow placeholders (e.g., nv://STRIPE_KEY). Secrets never enter the LLM's context window.
  • Hardware-Backed Vault: On Windows, secrets are stored in a local SQLite database (~/.nv/vault.db) and encrypted using the Windows Data Protection API (DPAPI), binding them to your operating system user identity and TPM.
  • Active TLS Interception: Spawns a transient, local Man-in-the-Middle (MITM) loopback proxy that signs dynamic certificates on-the-fly, swapping placeholders in request headers and payloads during execution.
  • AI Agent Anti-Scraping Defense: Prevents AI agents from scraping plaintext keys via shell commands (e.g., nvenv get). It blocks decryption in piped or redirected environments (isatty check) and requires interactive, low-level OS keyboard confirmation (msvcrt console read) to print keys.
  • Git Credential Helper: Plugs directly into Git (credential.helper) to intercept remote authentication commands, injecting GitHub Personal Access Tokens (PATs) at the OS socket pipe level without checking tokens into files.

Installation Options

1. Developer Python Source Installation (Recommended for testing)

Ensure you have pyinstaller and cryptography installed:

pip install -e .

This registers the global CLI script nvenv in your environment PATH.

2. NPM Distribution (Language-Agnostic JS Wrapper)

For developers using Node/NPM globally:

npm install -g nv-protocol

Note: This utilizes a global Node.js redirector script that routes requests directly to the precompiled platform-specific executable.

3. Windows Package Manager (Winget)

winget install OpenSourceSecurity.nv

4. Linux & macOS (Bash Installer)

curl -fsSL https://raw.githubusercontent.com/oss-security/nv-protocol/main/install.sh | bash

Quickstart Guide

Step 1: Initialize Vault

Create your secure database:

nvenv init

Step 2: Store Your Secrets

Save your API keys securely:

nvenv set STRIPE_KEY

(You will be securely prompted for the value. The CLI will output a copy-pasteable configuration line).

Step 3: Populate Your .env File

Replace the plaintext secrets in your project's .env with the placeholders generated:

STRIPE_KEY=nv://STRIPE_KEY
DATABASE_URL=nv://DATABASE_URL

Step 4: Run Your Code Wrapped in the Sandbox

Instead of booting your compiler or runtime directly, wrap the command in nvenv run --:

# Node.js Example
nvenv run -- npm run dev

# Python Example
nvenv run -- python main.py

# Curl Example
nvenv run -- curl -X GET https://httpbin.org/headers -H "Authorization: Bearer nv://STRIPE_KEY"

The application will run with the correct keys, but the shell, output logs, and system environment table will only see nv://STRIPE_KEY.


Git Integration Setup

Protect your repository push/pull pipelines from token scraping:

  1. Save your Personal Access Token (PAT) under the name GITHUB_TOKEN:
    nvenv set GITHUB_TOKEN
    
  2. Enable the local Git Credential Helper for your repository:
    git config --local credential.helper "!nvenv git-helper"
    

Now, Git will verify remote write operations by securely piping tokens from the hardware store, keeping files clean of credential details.


Troubleshooting & Verification

To verify that your installation is working correctly, run the internal test suite:

python test_nv.py

This tests:

  1. Native Windows DPAPI encryption stability.
  2. Local vault schema CRUD.
  3. Socket payload replacement over mock HTTP interception streams.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nv_protocol-0.1.0.tar.gz (4.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

nv_protocol-0.1.0-py3-none-any.whl (4.7 kB view details)

Uploaded Python 3

File details

Details for the file nv_protocol-0.1.0.tar.gz.

File metadata

  • Download URL: nv_protocol-0.1.0.tar.gz
  • Upload date:
  • Size: 4.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for nv_protocol-0.1.0.tar.gz
Algorithm Hash digest
SHA256 437872dbce0d678b7bea9e7260c18fe1ea3ba1f8c2014337bd40f6026847170e
MD5 a41a7291c7018dea4a4275f27467a7b8
BLAKE2b-256 6c18e64c8503af51be664b4e59c6649c28354bf39e4858db5c1f96c2dcc28655

See more details on using hashes here.

File details

Details for the file nv_protocol-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: nv_protocol-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 4.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for nv_protocol-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 3f829565e333a6ac5cbfe28c62f8bc837d545676d8438fe8623d02d89135841f
MD5 d6cb11a78d5ecf828b428f0a5ae87497
BLAKE2b-256 1aa593abb1bc7893305d25a0b84d5411276926576f4e90ddb86ec9e207a97dac

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page