Agents request actions, not secrets.
$ pip install nl-protocol # Agent requests an action — never sees the secret request = ActionRequest( agent_uri="nl://acme/deployer/1.0.0", action=ActionPayload( type=ActionType.HTTP, template="curl -H 'Auth: Bearer {{nl:api/TOKEN}}' https://api.example.com/deploy", purpose="Trigger production deployment", ), ) # System: verify → resolve → isolate → execute → sanitize response = await provider.process_action(request) response.status # → "success" response.result # → {exit_code: 0, stdout: "deployed!"} response.audit_ref # → "sha256:a1b2c3..."
Watch how the NL Protocol protects secrets across multi-agent pipelines. Agents delegate, execute, and audit — without ever seeing a secret value.
Agents use opaque handles {{nl:...}}, never see secret values. Prompt injection can't exfiltrate what isn't there.
Secrets resolved inside sandboxed subprocesses. Memory wiped on exit. No shell expansion, no core dumps.
Every action hash-chained with SHA-256. HMAC-signed, tamper-evident. Cryptographically verifiable by anyone.
// The agent sees a handle, never the secret value action_request({ "type": "exec", "template": "curl -H 'Authorization: Bearer {{nl:api-key}}' https://api.example.com", "purpose": "Fetch user profile" }) // The system resolves, injects, executes in isolation // Agent receives only the result — never the secret action_response({ "status": "success", "stdout": "{\"user\": \"alice\", \"plan\": \"enterprise\"}" })
AI agents are gaining the ability to read files, execute code, call APIs, and manage infrastructure. Each capability requires secrets.
Current practice treats agents like human users: secrets are retrieved and placed into the agent's working memory. This is fundamentally unsafe.
NL Protocol shifts the paradigm: agents work with opaque handles ({{nl:...}}), never values.
The system resolves, injects, and executes inside an isolation boundary. The agent gets only the result.
The first open-source implementation. Local-first secret manager with MCP server.
Select your role for a tailored introduction to the Never-Leak Protocol.
Implementation guides, code examples, and API references for building NL-compliant systems.
→Threat models, compliance mapping, and audit verification for security teams.
→Integration patterns, attestation, and transport binding for agent framework builders.
→Business value, competitive landscape, and adoption strategy for product leaders.
→Deployment guides, operational runbooks, and compliance for enterprise teams.
→Each level addresses a distinct threat surface. Adopt incrementally — a failure at one layer does not compromise the system if other layers are intact.
Cryptographic identity with attestation, lifecycle management, and trust levels (L0-L3).
Agents request actions, not secrets. Scoped grants with time bounds, usage limits, and conditions.
Secrets live only inside isolated subprocesses. No shell expansion, no core dumps, memory wiped on exit.
Command interception, pattern analysis, and anomaly detection before any secret is resolved.
SHA-256 hash-chained, HMAC-signed, tamper-evident audit records for every agent-secret interaction.
Real-time behavioral analysis, prompt injection detection, and automated response to threats.
Delegation tokens, trust federation, and result-only propagation across multi-agent pipelines.
Three conformance tiers let implementations start simple and grow. Each tier is a strict superset of the previous.
Identity, action-based access, and execution isolation. The foundation for any NL-compliant system.
Adds pre-execution defense and immutable audit trails. Required for production environments.
Full protocol with attack detection and cross-agent trust. For enterprise and multi-agent orchestration.
The wire protocol uses JSON over standard transports (HTTP, stdio, WebSocket). Every message is structured, typed, and carries the agent's identity context.
Template contains opaque handles ({{nl:...}}), typed action, purpose string, and scope context.
Identity verified, scope evaluated, secrets resolved inside isolation boundary, output sanitized.
stdout, stderr, exit code — never secret values. Audit record written to hash chain.
{
"version": "1.0",
"type": "action_request",
"agent_id": "nl://anthropic/claude-code/4.0",
"action": {
"type": "exec",
"template": "psql postgresql://{{nl:db/user}}:{{nl:db/pass}}@host/mydb -c 'SELECT 1'",
"purpose": "Health check on production database"
},
"scope": {
"project": "myapp",
"environment": "production"
}
} {
"version": "1.0",
"type": "action_response",
"status": "success",
"result": {
"exit_code": 0,
"stdout": "(1 row)\\n 1",
"stderr": ""
},
"audit_ref": "sha256:a1b2c3..."
} No agent, tool, or message is trusted without explicit verification.
Agents interact with references, never values. The handle carries no information.
Agents receive only the permissions necessary to complete a specific task.
Security at seven independent layers. One failure doesn't compromise the system.
Every action produces an immutable, cryptographically chained record.
Who can do what, when, under what conditions — as a first-class concern.
Works across frameworks, model providers, cloud platforms, and topologies.
Secure behavior is default. Insecure configurations require explicit opt-in.
NL Protocol is open-source under Apache 2.0. Read the specification, build a conformant implementation, or contribute to the standard.