Skip to main content

Context-Isolated Secret Management for Autonomous AI Software Engineering Agents

Project description

๐Ÿ”’ nv-protocol (nvenv)

License: MIT Platform Security

nvenv is a local-first cryptographic proxy designed to decouple raw credentials from the viewable workspace of autonomous AI software engineering agents such as Cursor, Claude Code, Windsurf, and Devin.

Instead of exposing secrets through .env files or shell environment variables, nvenv replaces them with secure cryptographic URI placeholders. During outbound network communication, the proxy dynamically substitutes placeholders with real credentials only in volatile memory at the OS socket boundary during TLS handshakes.

This allows applications to execute normally while keeping autonomous AI agents mathematically blind to the underlying credentials.


โšก Quick Start

Install globally using your preferred ecosystem.

Node.js

npm install -g nv-protocol

Python

pip install nv-protocol

Windows (Planned)

Validation Pending

winget install SarveshSonkusre.nv-protocol

โ“ Why nvenv?

Traditional .env files and shell environment variables inject plaintext secrets directly into:

  • process.env
  • os.environ

This exposes credentials to:

  • AI coding agents
  • Third-party dependencies
  • Build scripts
  • Prompt injection attacks
  • Memory scraping

nvenv moves secret injection to the network layer, preventing untrusted processes from ever seeing the real credentials.


Security Comparison

Security Vector Legacy .env / Shell Export nvenv
Process Environment โŒ Plaintext keys visible ๐Ÿ›ก๏ธ Empty placeholders only
Prompt Injection โŒ AI can print secrets ๐Ÿ›ก๏ธ Agent never possesses secrets
Dependency Scraping โŒ Malicious packages can read env ๐Ÿ›ก๏ธ No credentials available
Authentication Scope โŒ Every process inherits credentials ๐Ÿ›ก๏ธ Injected only for authorized outbound requests

How It Works

Application
Reads:

Authorization: Bearer nv://STRIPE_KEY

            โ”‚
            โ”‚ HTTP Request
            โ–ผ

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚      Local nvenv Proxy           โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ โ€ข Intercepts outbound request    โ”‚
โ”‚ โ€ข Queries encrypted vault        โ”‚
โ”‚ โ€ข Decrypts secret in memory      โ”‚
โ”‚ โ€ข Replaces placeholder           โ”‚
โ”‚ โ€ข Continues TLS connection       โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
            โ”‚
            โ–ผ

api.stripe.com

Receives:

Authorization: Bearer sk_live_xxxxxxxxx

Core Security Features

๐Ÿ›ก๏ธ Contextual Blindness

Your:

  • source code
  • .env
  • terminal output
  • logs
  • shell variables

contain only placeholders such as

nv://STRIPE_KEY

Secrets never enter the LLM context window.


๐Ÿ” Hardware-Backed Vault

On Windows, credentials are stored inside

~/.nv/vault.db

using:

  • SQLite
  • Windows DPAPI encryption

Secrets are cryptographically bound to the current Windows user.


๐Ÿ”„ Active TLS Interception

The runtime launches a local loopback MITM proxy that:

  • generates certificates dynamically
  • intercepts outbound HTTPS
  • swaps placeholders
  • forwards requests transparently

Applications remain unaware of the substitution.


๐Ÿค– AI Agent Anti-Scraping Protection

Commands such as

nvenv get STRIPE_KEY

cannot be abused through:

  • pipes
  • redirected output
  • automation

Protections include:

  • isatty() verification
  • interactive console detection
  • low-level keyboard confirmation

Only a real interactive user may reveal secrets.


๐Ÿ”‘ Git Credential Helper

nvenv integrates with Git using:

credential.helper

GitHub Personal Access Tokens (PATs) are injected directly into Git's authentication pipeline without storing them in:

  • .gitconfig
  • environment variables
  • repository files

Installation

1. NPM Distribution

npm install -g nv-protocol

2. Python Distribution

pip install nv-protocol

3. Source Installation

Clone the repository and install locally.

pip install -e .

This registers the global CLI command:

nvenv

Quickstart

Step 1 โ€” Initialize Vault

Create your encrypted credential database.

nvenv init

Step 2 โ€” Store Secrets

nvenv set STRIPE_KEY

The CLI securely prompts for the value and prints a placeholder.


Step 3 โ€” Replace .env

Instead of:

STRIPE_KEY=sk_live_xxxxxxxxx
DATABASE_URL=postgres://...

Use:

STRIPE_KEY=nv://STRIPE_KEY
DATABASE_URL=nv://DATABASE_URL

Step 4 โ€” Run Through nvenv

Instead of launching your application directly, wrap it.

Node.js

nvenv run -- npm run dev

Python

nvenv run -- python main.py

Curl

nvenv run -- curl \
  -H "Authorization: Bearer nv://STRIPE_KEY" \
  https://httpbin.org/headers

Applications receive real credentials transparently while every visible environment still contains only placeholders.


Git Integration

Store your GitHub Personal Access Token.

nvenv set GITHUB_TOKEN

Configure Git.

git config --local credential.helper "!nvenv git-helper"

Git authentication now occurs using credentials retrieved directly from the secure vault.

No tokens appear inside:

  • repository files
  • shell history
  • environment variables

Verification

Run the internal test suite.

python test_nv.py

Tests include:

  • โœ… Windows DPAPI encryption
  • โœ… Vault CRUD operations
  • โœ… Socket payload replacement
  • โœ… HTTP interception
  • โœ… Placeholder substitution
  • โœ… End-to-end runtime verification

Example Workflow

Developer

โ”‚

โ”œโ”€โ”€ Stores API Key
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚   nvenv set STRIPE_KEY
โ”‚
โ”œโ”€โ”€ .env
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚ STRIPE_KEY=nv://STRIPE_KEY
โ”‚
โ”œโ”€โ”€ Launch
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚ nvenv run -- npm run dev
โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ Local Proxy
                    โ”‚
                    โ–ผ
           Placeholder Replacement
                    โ”‚
                    โ–ผ
             External API Service

Philosophy

Traditional secret managers focus on protecting secrets at rest.

nvenv focuses on protecting secrets during execution, ensuring autonomous AI systems, third-party packages, and prompt injection attacks never gain access to plaintext credentials while applications continue to operate normally.


License

Released under the MIT License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nv_protocol-2.0.1.tar.gz (5.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

nv_protocol-2.0.1-py3-none-any.whl (6.2 kB view details)

Uploaded Python 3

File details

Details for the file nv_protocol-2.0.1.tar.gz.

File metadata

  • Download URL: nv_protocol-2.0.1.tar.gz
  • Upload date:
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for nv_protocol-2.0.1.tar.gz
Algorithm Hash digest
SHA256 99e375f57010becc41014b7b95452399a9b5e1e957d2f7de0267e9bae8d06215
MD5 28ac5be795f9a8a440ac3a50e52ec855
BLAKE2b-256 cdd74d12f19c9930b92f7b5bdb34b493b0e5fe9542c91aec320d0165fdabea81

See more details on using hashes here.

File details

Details for the file nv_protocol-2.0.1-py3-none-any.whl.

File metadata

  • Download URL: nv_protocol-2.0.1-py3-none-any.whl
  • Upload date:
  • Size: 6.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for nv_protocol-2.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 6d15d86cf36a6b7d253f388c89d875b56027355e2520808f407bf5bad49aa2c4
MD5 8cbf93539d5c1334859fa3eaa038ca05
BLAKE2b-256 7a55f4a0a51c0a3adc3884e8cd0574cc8b2a870146a44a28a1e4e583dbe7415a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page