Get Started

Introduction

AI agents can read and call functions. The moment they must act on the systems that run a business — charge a card, refund an order, issue an invoice — three gaps open at once that no existing standard closes together. NILScript closes them.

Why agents need a safe contract

The last two years solved conversation. Tool-calling and MCP gave models a clean way to read the world and call functions. But the moment an agent has to change a business, the problem stops being about language and starts being about consequences.

The three gaps

Every backend is a bespoke API. Shopify’s GraphQL, WooCommerce’s REST, Stripe’s payment intents, ERPNext’s documents. An agent that works across systems must learn, and re-learn, N incompatible surfaces and state machines.
The agent is probabilistic; the business is not. A model can hallucinate an amount, an identifier, or a customer.
There is no safe contract. Today you either hardcode workflows in the backend, or hand a stateless chatbot unbounded power and zero human visibility. Neither is auditable; neither scales past one integration.

The cost of a wrong guess

A hallucinated amount in chat is a typo. Against a ledger it is a loss.

NILScript at a glance

NILScript is a neutral, open standard — not a product, SaaS, or framework — that sits between the agent that decides and the system that owns the truth, making every action proposed, previewed, approved, and auditable before anything irreversible occurs.

The USB-C of agent ↔ system operations. One protocol. Any agent. Any backend. No lock-in.

The two layers

NILScript is two layers plus a neutral spec, both deliberately constrained to stay safe:

NIL — the Network Intent Layer. A closed wire protocol: seven speaker-plane performatives (plus DECIDE on the owner plane). The kernel is SEQRD-PC.
The NILScript DSL. A declarative JSON DAG of typed nodes that an agent writes at runtime. A validator admits or rejects the whole plan before any side effect.

plan.nil.json

{
  "wosool": "0.1",
  "workspace": "ws_demo",
  "locale": "ar",
  "entry": "step_1",
  "pipeline": [
    { "id": "step_1", "type": "query",  "verb": "commerce.product",
      "args": { "sku": "TSHIRT-01" }, "next": "step_2" },
    { "id": "step_2", "type": "condition",
      "expression": "$.step_1.output.stock < 10",
      "on_true": "step_3", "on_false": "step_4" },
    { "id": "step_3", "type": "action", "skill": "product",
      "verb": "commerce.create_purchase_order",
      "args": { "sku": "TSHIRT-01", "qty": "100" }, "next": "step_4" }
  ]
}

The ceiling is the guarantee

The DSL is deliberately incomplete — no unbounded loops, no file access, no eval, no user-defined functions. It can express any business automation a merchant can describe in words, and nothing else.

Safe by construction

Safety is structural, not bolted on after the fact:

Hallucinations die at the server. Previews come from system-resolved facts, never from agent-supplied values.
Tiered approval. LOW executes immediately, MEDIUM notifies, HIGH parks for approval, CRITICAL adds a 300-second cooling delay.
Refusals are answers. Ambiguous requests return up to eight candidates for a human to choose — not a guess.

Proof it works

A standard is only worth the reality it survives contact with.

Calibrated against 18 production platforms across e-commerce, ERP, billing, and scheduling — 90 documented rows, each backed by a vendor’s own API docs.
Proven self-adoptable. An independent ERPNext adapter was built from the published standard and CLI alone — no privileged knowledge of the reference implementation.
Running in production. The reference implementation operates the standard today. The spec is extracted from running code, never the reverse.

Where to go next

What is NILScript? — the full overview of the standard.
Quickstart — install, explore the CLI, and write your first plan.
Architecture — the Generation → Validation → Runtime machine.
Safety Model — grants, tiers, previews, refusals, and audit.