FAQ
Frequently Asked Questions
Common questions about the Never-Leak Protocol, its architecture, conformance tiers, and adoption.
AI agents increasingly need access to secrets (API keys, database passwords, tokens) to perform tasks. Current practice puts these secrets directly into the agent's context window, where they can be memorized, leaked via prompt injection, or accidentally included in outputs. NL Protocol ensures agents NEVER see secret values — they work with opaque handles, and the system executes actions in isolation.
Traditional secret managers solve storage and rotation, but they still deliver secret values to the requesting application. NL Protocol goes further: the secret value never leaves the isolation boundary. The agent receives only the result of using the secret, not the secret itself. NL Protocol and traditional secret managers are complementary — you'd use Vault to STORE secrets and NL Protocol to GOVERN how agents use them.
NL Protocol doesn't prevent prompt injection attacks from occurring, but it dramatically reduces the IMPACT. Even if an attacker successfully injects a prompt, the agent doesn't have access to secret values, only opaque handles like {{nl:api-key}}. The attacker can't exfiltrate what the agent doesn't have. Additionally, Level 4 (Pre-Execution Defense) includes pattern matching that can detect common injection attempts before they execute.
Start with Basic (Levels 1-3). This gives you agent identity, action-based access, and execution isolation, which are the core security guarantees. Most applications should target Standard (Levels 1-5) for production, which adds pre-execution defense and tamper-evident audit trails. Advanced (Levels 1-7) is for enterprise multi-agent orchestration with delegation and federation.
The primary overhead is subprocess execution for action isolation (Level 3). For most use cases, this adds 10-50ms per action — negligible compared to LLM inference times (typically 1-10 seconds). Output sanitization adds minimal overhead for outputs under 64KB. The security guarantees are worth the small latency cost.
Yes, that's exactly what the conformance tiers are designed for. Implement Basic (L1-3) first — this can be done in a few days. Then add Standard features (L4-5) as needed. Advanced features (L6-7) are only required for multi-agent orchestration with delegation.
No. NL Protocol is provider-agnostic and model-agnostic. It works with any AI agent system — Claude, GPT, Gemini, Llama, or custom models. The wire protocol uses standard JSON over HTTP, stdio, or WebSocket. The specification includes MCP (Model Context Protocol) integration but supports any transport.
The protocol explicitly documents this trust assumption (Chapter 00, Trust Model Assumptions). A compromised NL Provider could bypass all protections. Mitigations include: immutable external audit backends, separation of key custody, regular cryptographic audits, and HSMs for signing key protection. These are recommended but not required by the spec.
Transparently. Since agents use opaque handles (e.g., {{nl:api-key}}), the underlying secret value can be rotated without any agent changes. The handle stays the same; only the resolved value changes. The NL Provider manages rotation according to its own policies, and agents are unaffected.
Yes. The specification is licensed under Apache 2.0 and hosted on GitHub. Contributions are welcome: you can open issues, propose changes, or submit implementations. Visit the GitHub repository at github.com/braincol/never-leak-protocol.
Still have questions?
Open an issue on GitHub or check the full specification for detailed technical information.