Skip to main content

Context-Isolated Secret Management for Autonomous AI Software Engineering Agents

Project description

๐Ÿ”’ nv-protocol (nvenv)

License: MIT Platform Security

nvenv is a local-first cryptographic proxy designed to decouple raw credentials from the viewable workspace of autonomous AI software engineering agents such as Cursor, Claude Code, Windsurf, and Devin.

Instead of exposing secrets through .env files or shell environment variables, nvenv replaces them with secure cryptographic URI placeholders. During outbound network communication, the proxy dynamically substitutes placeholders with real credentials only in volatile memory at the OS socket boundary during TLS handshakes.

This allows applications to execute normally while keeping autonomous AI agents mathematically blind to the underlying credentials.


โšก Quick Start

Install globally using your preferred ecosystem.

Node.js

npm install -g nv-protocol

Python

pip install nv-protocol

Windows (Planned)

Validation Pending

winget install SarveshSonkusre.nv-protocol

โ“ Why nvenv?

Traditional .env files and shell environment variables inject plaintext secrets directly into:

  • process.env
  • os.environ

This exposes credentials to:

  • AI coding agents
  • Third-party dependencies
  • Build scripts
  • Prompt injection attacks
  • Memory scraping

nvenv moves secret injection to the network layer, preventing untrusted processes from ever seeing the real credentials.


Security Comparison

Security Vector Legacy .env / Shell Export nvenv
Process Environment โŒ Plaintext keys visible ๐Ÿ›ก๏ธ Empty placeholders only
Prompt Injection โŒ AI can print secrets ๐Ÿ›ก๏ธ Agent never possesses secrets
Dependency Scraping โŒ Malicious packages can read env ๐Ÿ›ก๏ธ No credentials available
Authentication Scope โŒ Every process inherits credentials ๐Ÿ›ก๏ธ Injected only for authorized outbound requests

How It Works

Application
Reads:

Authorization: Bearer nv://STRIPE_KEY

            โ”‚
            โ”‚ HTTP Request
            โ–ผ

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚      Local nvenv Proxy           โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ โ€ข Intercepts outbound request    โ”‚
โ”‚ โ€ข Queries encrypted vault        โ”‚
โ”‚ โ€ข Decrypts secret in memory      โ”‚
โ”‚ โ€ข Replaces placeholder           โ”‚
โ”‚ โ€ข Continues TLS connection       โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
            โ”‚
            โ–ผ

api.stripe.com

Receives:

Authorization: Bearer sk_live_xxxxxxxxx

Core Security Features

๐Ÿ›ก๏ธ Contextual Blindness

Your:

  • source code
  • .env
  • terminal output
  • logs
  • shell variables

contain only placeholders such as

nv://STRIPE_KEY

Secrets never enter the LLM context window.


๐Ÿ” Hardware-Backed Vault

On Windows, credentials are stored inside

~/.nv/vault.db

using:

  • SQLite
  • Windows DPAPI encryption

Secrets are cryptographically bound to the current Windows user.


๐Ÿ”„ Active TLS Interception

The runtime launches a local loopback MITM proxy that:

  • generates certificates dynamically
  • intercepts outbound HTTPS
  • swaps placeholders
  • forwards requests transparently

Applications remain unaware of the substitution.


๐Ÿค– AI Agent Anti-Scraping Protection

Commands such as

nvenv get STRIPE_KEY

cannot be abused through:

  • pipes
  • redirected output
  • automation

Protections include:

  • isatty() verification
  • interactive console detection
  • low-level keyboard confirmation

Only a real interactive user may reveal secrets.


๐Ÿ”‘ Git Credential Helper

nvenv integrates with Git using:

credential.helper

GitHub Personal Access Tokens (PATs) are injected directly into Git's authentication pipeline without storing them in:

  • .gitconfig
  • environment variables
  • repository files

Installation

1. NPM Distribution

npm install -g nv-protocol

2. Python Distribution

pip install nv-protocol

3. Source Installation

Clone the repository and install locally.

pip install -e .

This registers the global CLI command:

nvenv

Quickstart

Step 1 โ€” Initialize Vault

Create your encrypted credential database.

nvenv init

Step 2 โ€” Store Secrets

nvenv set STRIPE_KEY

The CLI securely prompts for the value and prints a placeholder.


Step 3 โ€” Replace .env

Instead of:

STRIPE_KEY=sk_live_xxxxxxxxx
DATABASE_URL=postgres://...

Use:

STRIPE_KEY=nv://STRIPE_KEY
DATABASE_URL=nv://DATABASE_URL

Step 4 โ€” Run Through nvenv

Instead of launching your application directly, wrap it.

Node.js

nvenv run -- npm run dev

Python

nvenv run -- python main.py

Curl

nvenv run -- curl \
  -H "Authorization: Bearer nv://STRIPE_KEY" \
  https://httpbin.org/headers

Applications receive real credentials transparently while every visible environment still contains only placeholders.


Git Integration

Store your GitHub Personal Access Token.

nvenv set GITHUB_TOKEN

Configure Git.

git config --local credential.helper "!nvenv git-helper"

Git authentication now occurs using credentials retrieved directly from the secure vault.

No tokens appear inside:

  • repository files
  • shell history
  • environment variables

Verification

Run the internal test suite.

python test_nv.py

Tests include:

  • โœ… Windows DPAPI encryption
  • โœ… Vault CRUD operations
  • โœ… Socket payload replacement
  • โœ… HTTP interception
  • โœ… Placeholder substitution
  • โœ… End-to-end runtime verification

Example Workflow

Developer

โ”‚

โ”œโ”€โ”€ Stores API Key
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚   nvenv set STRIPE_KEY
โ”‚
โ”œโ”€โ”€ .env
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚ STRIPE_KEY=nv://STRIPE_KEY
โ”‚
โ”œโ”€โ”€ Launch
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚ nvenv run -- npm run dev
โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ Local Proxy
                    โ”‚
                    โ–ผ
           Placeholder Replacement
                    โ”‚
                    โ–ผ
             External API Service

Philosophy

Traditional secret managers focus on protecting secrets at rest.

nvenv focuses on protecting secrets during execution, ensuring autonomous AI systems, third-party packages, and prompt injection attacks never gain access to plaintext credentials while applications continue to operate normally.


License

Released under the MIT License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nv_protocol-2.0.0b1.tar.gz (5.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

nv_protocol-2.0.0b1-py3-none-any.whl (5.1 kB view details)

Uploaded Python 3

File details

Details for the file nv_protocol-2.0.0b1.tar.gz.

File metadata

  • Download URL: nv_protocol-2.0.0b1.tar.gz
  • Upload date:
  • Size: 5.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for nv_protocol-2.0.0b1.tar.gz
Algorithm Hash digest
SHA256 e9d5d87f09f216b854a4d4e6e9655655081f46e4f0e497eadfe7b12792a46876
MD5 c6422e39bbd8c9ce60c98a9e101e7101
BLAKE2b-256 63497b526d42e58c5f1343cbc49d7de616e8bd265d2d7b30677a7c99f7f8cb65

See more details on using hashes here.

File details

Details for the file nv_protocol-2.0.0b1-py3-none-any.whl.

File metadata

  • Download URL: nv_protocol-2.0.0b1-py3-none-any.whl
  • Upload date:
  • Size: 5.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for nv_protocol-2.0.0b1-py3-none-any.whl
Algorithm Hash digest
SHA256 7f52b670ea9a444820db5e03c6ba282ec92cb79d84c5f1edd5a48c3c07a15141
MD5 26b035d777630abab68672efe6e9545e
BLAKE2b-256 a87aefe7d09b8b2c4d349734e11bef3057b9b32dd556fcbe8a2941bafa1023ab

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page