Context-Isolated Secret Management for Autonomous AI Software Engineering Agents
Project description
๐ nv-protocol (nvenv)
nvenv is a local-first cryptographic proxy designed to decouple raw credentials from the viewable workspace of autonomous AI software engineering agents such as Cursor, Claude Code, Windsurf, and Devin.
Instead of exposing secrets through .env files or shell environment variables, nvenv replaces them with secure cryptographic URI placeholders. During outbound network communication, the proxy dynamically substitutes placeholders with real credentials only in volatile memory at the OS socket boundary during TLS handshakes.
This allows applications to execute normally while keeping autonomous AI agents mathematically blind to the underlying credentials.
โก Quick Start
Install globally using your preferred ecosystem.
Node.js
npm install -g nv-protocol
Python
pip install nv-protocol
Windows (Planned)
Validation Pending
winget install SarveshSonkusre.nv-protocol
โ Why nvenv?
Traditional .env files and shell environment variables inject plaintext secrets directly into:
process.envos.environ
This exposes credentials to:
- AI coding agents
- Third-party dependencies
- Build scripts
- Prompt injection attacks
- Memory scraping
nvenv moves secret injection to the network layer, preventing untrusted processes from ever seeing the real credentials.
Security Comparison
| Security Vector | Legacy .env / Shell Export |
nvenv |
|---|---|---|
| Process Environment | โ Plaintext keys visible | ๐ก๏ธ Empty placeholders only |
| Prompt Injection | โ AI can print secrets | ๐ก๏ธ Agent never possesses secrets |
| Dependency Scraping | โ Malicious packages can read env | ๐ก๏ธ No credentials available |
| Authentication Scope | โ Every process inherits credentials | ๐ก๏ธ Injected only for authorized outbound requests |
How It Works
Application
Reads:
Authorization: Bearer nv://STRIPE_KEY
โ
โ HTTP Request
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Local nvenv Proxy โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โข Intercepts outbound request โ
โ โข Queries encrypted vault โ
โ โข Decrypts secret in memory โ
โ โข Replaces placeholder โ
โ โข Continues TLS connection โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
api.stripe.com
Receives:
Authorization: Bearer sk_live_xxxxxxxxx
Core Security Features
๐ก๏ธ Contextual Blindness
Your:
- source code
.env- terminal output
- logs
- shell variables
contain only placeholders such as
nv://STRIPE_KEY
Secrets never enter the LLM context window.
๐ Hardware-Backed Vault
On Windows, credentials are stored inside
~/.nv/vault.db
using:
- SQLite
- Windows DPAPI encryption
Secrets are cryptographically bound to the current Windows user.
๐ Active TLS Interception
The runtime launches a local loopback MITM proxy that:
- generates certificates dynamically
- intercepts outbound HTTPS
- swaps placeholders
- forwards requests transparently
Applications remain unaware of the substitution.
๐ค AI Agent Anti-Scraping Protection
Commands such as
nvenv get STRIPE_KEY
cannot be abused through:
- pipes
- redirected output
- automation
Protections include:
isatty()verification- interactive console detection
- low-level keyboard confirmation
Only a real interactive user may reveal secrets.
๐ Git Credential Helper
nvenv integrates with Git using:
credential.helper
GitHub Personal Access Tokens (PATs) are injected directly into Git's authentication pipeline without storing them in:
.gitconfig- environment variables
- repository files
Installation
1. NPM Distribution
npm install -g nv-protocol
2. Python Distribution
pip install nv-protocol
3. Source Installation
Clone the repository and install locally.
pip install -e .
This registers the global CLI command:
nvenv
Quickstart
Step 1 โ Initialize Vault
Create your encrypted credential database.
nvenv init
Step 2 โ Store Secrets
nvenv set STRIPE_KEY
The CLI securely prompts for the value and prints a placeholder.
Step 3 โ Replace .env
Instead of:
STRIPE_KEY=sk_live_xxxxxxxxx
DATABASE_URL=postgres://...
Use:
STRIPE_KEY=nv://STRIPE_KEY
DATABASE_URL=nv://DATABASE_URL
Step 4 โ Run Through nvenv
Instead of launching your application directly, wrap it.
Node.js
nvenv run -- npm run dev
Python
nvenv run -- python main.py
Curl
nvenv run -- curl \
-H "Authorization: Bearer nv://STRIPE_KEY" \
https://httpbin.org/headers
Applications receive real credentials transparently while every visible environment still contains only placeholders.
Git Integration
Store your GitHub Personal Access Token.
nvenv set GITHUB_TOKEN
Configure Git.
git config --local credential.helper "!nvenv git-helper"
Git authentication now occurs using credentials retrieved directly from the secure vault.
No tokens appear inside:
- repository files
- shell history
- environment variables
Verification
Run the internal test suite.
python test_nv.py
Tests include:
- โ Windows DPAPI encryption
- โ Vault CRUD operations
- โ Socket payload replacement
- โ HTTP interception
- โ Placeholder substitution
- โ End-to-end runtime verification
Example Workflow
Developer
โ
โโโ Stores API Key
โ โ
โ โผ
โ nvenv set STRIPE_KEY
โ
โโโ .env
โ โ
โ โผ
โ STRIPE_KEY=nv://STRIPE_KEY
โ
โโโ Launch
โ โ
โ โผ
โ nvenv run -- npm run dev
โ
โโโโโโโโโโโโโโโโบ Local Proxy
โ
โผ
Placeholder Replacement
โ
โผ
External API Service
Philosophy
Traditional secret managers focus on protecting secrets at rest.
nvenv focuses on protecting secrets during execution, ensuring autonomous AI systems, third-party packages, and prompt injection attacks never gain access to plaintext credentials while applications continue to operate normally.
License
Released under the MIT License.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file nv_protocol-2.0.1.tar.gz.
File metadata
- Download URL: nv_protocol-2.0.1.tar.gz
- Upload date:
- Size: 5.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
99e375f57010becc41014b7b95452399a9b5e1e957d2f7de0267e9bae8d06215
|
|
| MD5 |
28ac5be795f9a8a440ac3a50e52ec855
|
|
| BLAKE2b-256 |
cdd74d12f19c9930b92f7b5bdb34b493b0e5fe9542c91aec320d0165fdabea81
|
File details
Details for the file nv_protocol-2.0.1-py3-none-any.whl.
File metadata
- Download URL: nv_protocol-2.0.1-py3-none-any.whl
- Upload date:
- Size: 6.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6d15d86cf36a6b7d253f388c89d875b56027355e2520808f407bf5bad49aa2c4
|
|
| MD5 |
8cbf93539d5c1334859fa3eaa038ca05
|
|
| BLAKE2b-256 |
7a55f4a0a51c0a3adc3884e8cd0574cc8b2a870146a44a28a1e4e583dbe7415a
|