Skip to main content

Context-Isolated Secret Management for Autonomous AI Software Engineering Agents

Project description

๐Ÿ”’ nv-protocol (nvenv)

License: MIT Platform Security

nvenv is a local-first cryptographic proxy designed to decouple raw credentials from the viewable workspace of autonomous AI software engineering agents such as Cursor, Claude Code, Windsurf, and Devin.

Instead of exposing secrets through .env files or shell environment variables, nvenv replaces them with secure cryptographic URI placeholders. During outbound network communication, the proxy dynamically substitutes placeholders with real credentials only in volatile memory at the OS socket boundary during TLS handshakes.

This allows applications to execute normally while keeping autonomous AI agents mathematically blind to the underlying credentials.


โšก Quick Start

Install globally using your preferred ecosystem.

Node.js

npm install -g nv-protocol

Python

pip install nv-protocol

Windows (Planned)

Validation Pending

winget install SarveshSonkusre.nv-protocol

โ“ Why nvenv?

Traditional .env files and shell environment variables inject plaintext secrets directly into:

  • process.env
  • os.environ

This exposes credentials to:

  • AI coding agents
  • Third-party dependencies
  • Build scripts
  • Prompt injection attacks
  • Memory scraping

nvenv moves secret injection to the network layer, preventing untrusted processes from ever seeing the real credentials.


Security Comparison

Security Vector Legacy .env / Shell Export nvenv
Process Environment โŒ Plaintext keys visible ๐Ÿ›ก๏ธ Empty placeholders only
Prompt Injection โŒ AI can print secrets ๐Ÿ›ก๏ธ Agent never possesses secrets
Dependency Scraping โŒ Malicious packages can read env ๐Ÿ›ก๏ธ No credentials available
Authentication Scope โŒ Every process inherits credentials ๐Ÿ›ก๏ธ Injected only for authorized outbound requests

How It Works

Application
Reads:

Authorization: Bearer nv://STRIPE_KEY

            โ”‚
            โ”‚ HTTP Request
            โ–ผ

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚      Local nvenv Proxy           โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ โ€ข Intercepts outbound request    โ”‚
โ”‚ โ€ข Queries encrypted vault        โ”‚
โ”‚ โ€ข Decrypts secret in memory      โ”‚
โ”‚ โ€ข Replaces placeholder           โ”‚
โ”‚ โ€ข Continues TLS connection       โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
            โ”‚
            โ–ผ

api.stripe.com

Receives:

Authorization: Bearer sk_live_xxxxxxxxx

Core Security Features

๐Ÿ›ก๏ธ Contextual Blindness

Your:

  • source code
  • .env
  • terminal output
  • logs
  • shell variables

contain only placeholders such as

nv://STRIPE_KEY

Secrets never enter the LLM context window.


๐Ÿ” Hardware-Backed Vault

On Windows, credentials are stored inside

~/.nv/vault.db

using:

  • SQLite
  • Windows DPAPI encryption

Secrets are cryptographically bound to the current Windows user.


๐Ÿ”„ Active TLS Interception

The runtime launches a local loopback MITM proxy that:

  • generates certificates dynamically
  • intercepts outbound HTTPS
  • swaps placeholders
  • forwards requests transparently

Applications remain unaware of the substitution.


๐Ÿค– AI Agent Anti-Scraping Protection

Commands such as

nvenv get STRIPE_KEY

cannot be abused through:

  • pipes
  • redirected output
  • automation

Protections include:

  • isatty() verification
  • interactive console detection
  • low-level keyboard confirmation

Only a real interactive user may reveal secrets.


๐Ÿ”‘ Git Credential Helper

nvenv integrates with Git using:

credential.helper

GitHub Personal Access Tokens (PATs) are injected directly into Git's authentication pipeline without storing them in:

  • .gitconfig
  • environment variables
  • repository files

Installation

1. NPM Distribution

npm install -g nv-protocol

2. Python Distribution

pip install nv-protocol

3. Source Installation

Clone the repository and install locally.

pip install -e .

This registers the global CLI command:

nvenv

Quickstart

Step 1 โ€” Initialize Vault

Create your encrypted credential database.

nvenv init

Step 2 โ€” Store Secrets

nvenv set STRIPE_KEY

The CLI securely prompts for the value and prints a placeholder.


Step 3 โ€” Replace .env

Instead of:

STRIPE_KEY=sk_live_xxxxxxxxx
DATABASE_URL=postgres://...

Use:

STRIPE_KEY=nv://STRIPE_KEY
DATABASE_URL=nv://DATABASE_URL

Step 4 โ€” Run Through nvenv

Instead of launching your application directly, wrap it.

Node.js

nvenv run -- npm run dev

Python

nvenv run -- python main.py

Curl

nvenv run -- curl \
  -H "Authorization: Bearer nv://STRIPE_KEY" \
  https://httpbin.org/headers

Applications receive real credentials transparently while every visible environment still contains only placeholders.


Git Integration

Store your GitHub Personal Access Token.

nvenv set GITHUB_TOKEN

Configure Git.

git config --local credential.helper "!nvenv git-helper"

Git authentication now occurs using credentials retrieved directly from the secure vault.

No tokens appear inside:

  • repository files
  • shell history
  • environment variables

Verification

Run the internal test suite.

python test_nv.py

Tests include:

  • โœ… Windows DPAPI encryption
  • โœ… Vault CRUD operations
  • โœ… Socket payload replacement
  • โœ… HTTP interception
  • โœ… Placeholder substitution
  • โœ… End-to-end runtime verification

Example Workflow

Developer

โ”‚

โ”œโ”€โ”€ Stores API Key
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚   nvenv set STRIPE_KEY
โ”‚
โ”œโ”€โ”€ .env
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚ STRIPE_KEY=nv://STRIPE_KEY
โ”‚
โ”œโ”€โ”€ Launch
โ”‚      โ”‚
โ”‚      โ–ผ
โ”‚ nvenv run -- npm run dev
โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ Local Proxy
                    โ”‚
                    โ–ผ
           Placeholder Replacement
                    โ”‚
                    โ–ผ
             External API Service

Philosophy

Traditional secret managers focus on protecting secrets at rest.

nvenv focuses on protecting secrets during execution, ensuring autonomous AI systems, third-party packages, and prompt injection attacks never gain access to plaintext credentials while applications continue to operate normally.


License

Released under the MIT License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nv_protocol-2.0.2.tar.gz (17.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

nv_protocol-2.0.2-py3-none-any.whl (20.4 kB view details)

Uploaded Python 3

File details

Details for the file nv_protocol-2.0.2.tar.gz.

File metadata

  • Download URL: nv_protocol-2.0.2.tar.gz
  • Upload date:
  • Size: 17.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for nv_protocol-2.0.2.tar.gz
Algorithm Hash digest
SHA256 d69cd899821d2cd706ec272ba9b2a79e835dd5bf463ae3902cdbfeea7e24679b
MD5 e8c8bb9f061a6d702bf2d2768e8fccb4
BLAKE2b-256 92fb96cfcbb106cb1740693985bcc25cff570e5139e473a12459142e4e979aa8

See more details on using hashes here.

File details

Details for the file nv_protocol-2.0.2-py3-none-any.whl.

File metadata

  • Download URL: nv_protocol-2.0.2-py3-none-any.whl
  • Upload date:
  • Size: 20.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for nv_protocol-2.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 5cf48a0cf3cfa9a18a10c6ca6c200ab235c8497a34bab04d281540864b024795
MD5 0f743bf5abb93125614070ea995e98d3
BLAKE2b-256 88a48593fd23e320f9c341be17e727290059d14e41488aa4ed3f6e6cf8895445

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page