Never-Leak Protocol

The open standard for
AI agent secret governance.

Agents request actions, not secrets.

Read the Spec Explore 7 Levels
How it works
// The agent sees a handle, never the secret value
action_request({
  "type": "exec",
  "template": "curl -H 'Authorization: Bearer {{nl:api-key}}' https://api.example.com",
  "purpose": "Fetch user profile"
})

// The system resolves, injects, executes in isolation
// Agent receives only the result — never the secret
action_response({
  "status": "success",
  "stdout": "{\"user\": \"alice\", \"plan\": \"enterprise\"}"
})
The Problem

The agent's context is
adversarial territory.

AI agents are gaining the ability to read files, execute code, call APIs, and manage infrastructure. Each capability requires secrets.

Current practice treats agents like human users: secrets are retrieved and placed into the agent's working memory. This is fundamentally unsafe.

  • Any data in an LLM context can be memorized or exfiltrated via prompt injection
  • Agents inherit ambient authority with no per-task scoping
  • Multi-agent delegation multiplies the exfiltration surface
  • Audit trails are mutable, unsigned, and missing agent metadata
The Solution

A protocol where secrets are
architecturally invisible.

NL Protocol shifts the paradigm: agents work with opaque handles ({{nl:...}}), never values.

The system resolves, injects, and executes inside an isolation boundary. The agent gets only the result.

  • Zero-knowledge: secrets never enter the context window
  • Per-agent, per-secret, time-bounded scope grants
  • Delegation tokens with bounded lifetime and use count
  • SHA-256 hash-chained, HMAC-signed, tamper-evident audit
Defense in Depth

Seven independent layers of protection

Each level addresses a distinct threat surface. Adopt incrementally — a failure at one layer does not compromise the system if other layers are intact.

1
Agent Identity
Level 1

Cryptographic identity with attestation, lifecycle management, and trust levels (L0-L3).

2
Action-Based Access
Level 2

Agents request actions, not secrets. Scoped grants with time bounds, usage limits, and conditions.

3
Execution Isolation
Level 3

Secrets live only inside isolated subprocesses. No shell expansion, no core dumps, memory wiped on exit.

4
Pre-Execution Defense
Level 4

Command interception, pattern analysis, and anomaly detection before any secret is resolved.

5
Audit Integrity
Level 5

SHA-256 hash-chained, HMAC-signed, tamper-evident audit records for every agent-secret interaction.

6
Attack Detection
Level 6

Real-time behavioral analysis, prompt injection detection, and automated response to threats.

7
Cross-Agent Trust
Level 7

Delegation tokens, trust federation, and result-only propagation across multi-agent pipelines.

Conformance

Adopt incrementally, certify progressively

Three conformance tiers let implementations start simple and grow. Each tier is a strict superset of the previous.

Basic

Levels 1 – 3

Identity, action-based access, and execution isolation. The foundation for any NL-compliant system.

  • Agent Identity Documents (AID)
  • Opaque handle resolution
  • Scope grants with conditions
  • Isolated subprocess execution
  • Result sanitization
Recommended

Standard

Levels 1 – 5

Adds pre-execution defense and immutable audit trails. Required for production environments.

  • Everything in Basic
  • Command interception & analysis
  • Pattern-based anomaly detection
  • SHA-256 hash-chained audit log
  • HMAC-signed audit records
  • Tamper-evident verification

Advanced

Levels 1 – 7

Full protocol with attack detection and cross-agent trust. For enterprise and multi-agent orchestration.

  • Everything in Standard
  • Real-time behavioral analysis
  • Prompt injection detection
  • Delegation tokens
  • Trust federation
  • Result-only propagation
Aligned with OWASP Top 10OWASP LLM Top 10OWASP MCP Top 10OWASP Agentic Top 10RFC 2119RFC 7519 (JWT)RFC 9180 (HPKE)
Wire Protocol

Simple JSON messages,
powerful guarantees

The wire protocol uses JSON over standard transports (HTTP, stdio, WebSocket). Every message is structured, typed, and carries the agent's identity context.

1
Agent sends action request

Template contains opaque handles ({{nl:...}}), typed action, purpose string, and scope context.

2
System resolves and executes

Identity verified, scope evaluated, secrets resolved inside isolation boundary, output sanitized.

3
Agent receives result only

stdout, stderr, exit code — never secret values. Audit record written to hash chain.

Action Request
{
  "version": "1.0",
  "type": "action_request",
  "agent_id": "nl://anthropic/claude-code/4.0",
  "action": {
    "type": "exec",
    "template": "psql postgresql://{{nl:db/user}}:{{nl:db/pass}}@host/mydb -c 'SELECT 1'",
    "purpose": "Health check on production database"
  },
  "scope": {
    "project": "myapp",
    "environment": "production"
  }
}
Action Response
{
  "version": "1.0",
  "type": "action_response",
  "status": "success",
  "result": {
    "exit_code": 0,
    "stdout": "(1 row)\\n 1",
    "stderr": ""
  },
  "audit_ref": "sha256:a1b2c3..."
}
Principles

Built on eight design principles

Zero Trust

No agent, tool, or message is trusted without explicit verification.

Secrets Are Opaque

Agents interact with references, never values. The handle carries no information.

Least Privilege

Agents receive only the permissions necessary to complete a specific task.

Defense in Depth

Security at seven independent layers. One failure doesn't compromise the system.

Auditability

Every action produces an immutable, cryptographically chained record.

Governance First

Who can do what, when, under what conditions — as a first-class concern.

Interoperability

Works across frameworks, model providers, cloud platforms, and topologies.

Correct by Default

Secure behavior is default. Insecure configurations require explicit opt-in.

Ecosystem

Reference Implementation

NL Protocol is an open standard. Anyone can build a conformant implementation. Here's who's building today.

Braincol Vault

NL Standard (L1-L5)

The first and reference implementation of the NL Protocol. Local-first secret manager with MCP server integration, supporting 7 AI agents out of the box. X25519 + ChaCha20-Poly1305 encryption, hash-chained audit, and multi-user RBAC.

Python MCP 1,051 tests Apache 2.0 + BSAL
vault.braincol.com →

Building an NL-compliant system? Open an issue to get listed.

Join the standard.

NL Protocol is open-source under Apache 2.0. Read the specification, build a conformant implementation, or contribute to the standard.

View on GitHub Read Specification