Open-source agent firewall

Pipelock: Open Source AI Agent Firewall

Pipelock sits between AI agents and the internet, scanning mediated HTTP, MCP, and WebSocket traffic for secret leaks, prompt injection, and tool poisoning, and emitting signed action receipts you can verify offline.

v2.6.0 Audit packets · Containment lifecycle

Install Pricing GitHub
Pipelock architecture: Agent → Pipelock → Internet with Detect, Enforce, Prove runtime capabilities

Pipelock gives you one enforcement point between the agent and the network. The agent keeps the secrets. Pipelock sees the traffic. If the agent gets compromised through prompt injection or a malicious MCP server, the request still has to cross the boundary.

Public methodology. Public attack cases. Public Pipelock results. See the gauntlet.

New replay gallery: watch recorded lab scenarios and verify the signed Audit Packets. Open the playground replay gallery.

Latency, cold-start, and memory overhead are measured in the Pipelock performance benchmark.

New in v2.6.0: operation-level API policy for agent traffic (REST, GraphQL, WebSocket frames), file-borne injection detection, Hermes hook integration, and NSA MCP hardening. Read the release notes.

Detect

Find threats before they leave the wire

11-layer scanner pipeline across HTTP, WebSocket, and MCP. Every request scanned for credentials, injection, SSRF, and encoded evasion before it reaches the network.

Data Loss Prevention

62 credential patterns covering API keys, tokens, secrets, financial account numbers, and cryptocurrency private keys. Four checksum validators (Luhn, mod-97, ABA, WIF) eliminate 90-99% of false positives. Handles base64, hex, URL-encoding, and Unicode evasion.

Response Scanning

29 injection detection patterns covering prompt injection, state manipulation, control flow hijacking, and authority assertion. Six normalization passes catch obfuscated payloads including zero-width chars, homoglyphs, and leetspeak. Keyword pre-filter skips expensive normalization on clean content.

Media Policy

Blocks audio and video by default, strips EXIF/XMP/IPTC metadata from JPEG and PNG, and hardens SVG active content before it reaches the agent. Stops covert exfil hiding in media files and tool results.

A2A Protocol Scanning

Inspects Google A2A (Agent-to-Agent) protocol messages for injection payloads and DLP violations in task descriptions, artifact content, and agent metadata. Catches threats hiding in inter-agent communication.

Canary Tokens

Plant synthetic credentials in your environment and configure Pipelock to watch for them. If an agent tries to exfiltrate a canary value, Pipelock catches it regardless of encoding. Full normalization pipeline applies.

Cross-Transport DLP

The same DLP engine scans URLs, headers, request bodies, WebSocket frames, and MCP tool arguments. Cross-request detection catches secrets split across multiple requests and slow-drip exfiltration via cumulative entropy tracking. See the AI agent DLP guide for the full threat model.

Encoded Payload Handling

Iterative URL decoding, base64, hex (6 delimiter formats), and base32 decoding before pattern matching. Every decoded layer gets the full normalization pipeline. Delimiter-separated hex strips colons, dashes, spaces, commas, and hex prefixes.

Enforce

Act on what you find

Detection without enforcement is a logging exercise. Pipelock blocks, contains, and escalates in real time. Fail-closed on every code path.

Kill Switch

Four independent activation sources (config, SIGUSR1, sentinel file, HTTP API), OR-composed so any single source blocks all proxy traffic. Port isolation prevents agents from self-deactivation. Checked per-read/frame/message on long-lived transports.

Adaptive Enforcement

Per-session threat scoring with automatic escalation through three levels. Clean requests decay the score. At critical, all traffic denied until recovery. Auto de-escalation after 5 minutes of clean traffic. Operators can inspect, explain, release, or terminate sessions with pipelock session or the session admin API.

Process Sandbox

OS-level containment for any agent process. Linux: Landlock filesystem restriction, seccomp syscall filtering, network namespace isolation. macOS: sandbox-exec with dynamic SBPL profiles. Per-agent profiles with named configurations and strict mode.

MCP Tool Policy

Pre-execution allow/deny/redirect rules with 17 built-in patterns covering dangerous commands, persistence mechanisms, and audit log tampering. Shell obfuscation detection resolves variable insertion and backtick substitution before matching.

Session Binding

SHA256 baseline tracks tool definitions per session. Mid-session description changes (rug-pulls) trigger alerts or blocks. Full-schema scanning extracts text from nested inputSchema objects for injection detection. 10,000 tool cap per session.

Learn-and-Lock Contracts

Observe real agent traffic, compile a signed behavioral contract, replay it in shadow mode, then ratify and promote it with lifecycle receipts. Normal behavior becomes policy without hand-writing every host, path, and method rule.

Tool Chain Detection

Subsequence matching on MCP tool call sequences with 10 built-in attack patterns (recon, credential theft, data staging, exfiltration). Configurable window size, time-based eviction, and argument-aware reclassification.

Denial-of-Wallet Detection

Catches runaway agent spending: loop detection, retry storms, fan-out explosions, concurrent tool call limits, and wall-clock session budgets. Configurable thresholds per session.

MCP Binary Integrity

Pre-spawn hash verification for MCP subprocess servers. Resolves symlinks and interpreter shebangs, hashes the actual binary, and compares against a trusted manifest. Detects symlink swaps between hash-time and exec-time.

Pipelock Grafana dashboard showing fleet-wide agent traffic monitoring

Fleet monitoring via Grafana. 83 Prometheus metric families. Click to enlarge.

Prove

Evidence, not just claims

When auditors, customers, or regulators ask "how do you secure your AI agents?", you need cryptographic proof and compliance mappings.

Flight Recorder

Hash-chained, tamper-evident audit log. Every scanner decision, policy action, and session event recorded with SHA-256 chain links. Configurable checkpoint intervals with optional Ed25519 signatures. Redaction mode preserves chain integrity.

Signed Assessments

pipelock assess orchestrates simulate, audit score, verify-install, and discover into a reproducible, signed evidence bundle. HTML and JSON reports with Ed25519 signatures. Includes risk rating, exposure analysis, and remediation guidance. The signed bundle is the evidence half of verifiable egress control.

Compliance Evidence

Built-in mappings to OWASP MCP Top 10, Agentic AI Top 10, MITRE ATLAS, MITRE ATT&CK technique IDs in audit events, EU AI Act runtime controls, SOC 2 control families, and NIST 800-53 across 7 control families. SARIF v2.1.0 output for GitHub Code Scanning.

Trust Attestation

pipelock verify-install runs 10 deterministic checks verifying the scanning pipeline and network containment. pipelock posture verify evaluates signed posture capsules as a CI gate. pipelock assess verify validates assessment bundles, and RFC 9421-signed mediation envelopes can now verify inbound peer requests with replay protection. AARP v0.1 appraises signed receipts into verified-versus-claimed assurance axes.

Session Manifests

Versioned session snapshots capture policy state (config hash, mode, active features), tool inventory, and verdict summaries with behavioral fingerprints. Signed decision records provide cryptographic proof of each enforcement action.

Attack Simulation

pipelock simulate runs 24 built-in attack scenarios against your config (plus 6 per canary token): DLP, injection, tool poisoning, SSRF, URL evasion. Scanner attribution verifies the correct layer detected each attack. --json for CI.

Agent Bill of Materials

CycloneDX 1.6 runtime inventory with declared vs observed views and confidence scoring. Lists MCP servers, transports, active security features, and dormant/unexpected component detection.

Config Security Scoring

pipelock audit score evaluates your configuration across 12 security categories. 0-100 score with letter grade. Flags overpermissive policies, missing DLP patterns, disabled scanners. JSON output for CI.

Block Reason Headers

Every HTTP block path emits a machine-readable reason, severity, retry hint, optional scanner layer, and optional receipt pointer. WebSocket blocks carry the same taxonomy in the close-frame payload.

Public Benchmark

177 adversarial test cases from the public Agent Egress Bench corpus run against the production binary before every release. Pipelock publishes its own containment, false positive, and category scores publicly. View Gauntlet results.

Pipelock security assessment report

Signed assessment report

Pipelock kill switch activated via Telegram bot

Kill switch via Telegram

See Assess Reports View Demo Report

Architecture

How It Works

Capability separation: the agent holds secrets but has no network access. Pipelock has network access but holds no agent secrets. All traffic flows through the scanning proxy.

Fetch Proxy

Agent sends URLs to /fetch?url=.... Pipelock fetches, scans through the 11-layer pipeline, extracts readable text, returns the result.

Forward Proxy

Standard HTTPS_PROXY mode via CONNECT + absolute-URI. Optional TLS interception for full request and response body inspection.

WebSocket Proxy

Bidirectional frame scanning via /ws?url=.... DLP on headers, fragment reassembly across frames, compressed frame rejection.

MCP Proxy

Wraps any MCP server (stdio, Streamable HTTP, WebSocket). Scans tool arguments, responses, and descriptions. Bidirectional scanning.

The 11-Layer Scanner Pipeline

scanner pipeline: request evaluation order
Scheme Enforcement
HTTP/HTTPS only
CRLF Injection
Block header injection via %0D%0A in URLs
Path Traversal
Catch /../ directory escape attempts
Domain Blocklist
Configurable deny/allow lists per mode
DLP
62 credential patterns, 4 checksum validators, encoding-aware
Path Entropy
Flag high-entropy URL segments (exfiltrated data)
Subdomain Entropy
Flag DNS exfiltration attempts
SSRF Protection
Block private IPs, link-local, metadata endpoints, DNS rebinding
Rate Limiting
Per-domain sliding window
URL Length
Configurable max URL length
Data Budgets
Per-domain byte limits prevent slow-drip exfiltration
Layers 01–05 run before DNS resolution. Layer 08 runs after. This ordering prevents DNS-based exfiltration.

Security Model

Capability separation is deployed, not assumed. Pipelock’s architecture depends on the agent being unable to reach the network directly. The binary enforces scanning, but network isolation requires deployment-level controls (network namespaces, iptables, Docker internal: true, or Kubernetes NetworkPolicy). Sandbox mode handles this automatically for local setups.

Fail-closed everywhere. Timeouts, parse errors, non-terminal HITL prompts, context cancellation, oversized responses, compressed bodies that can’t be scanned: all default to block. If Pipelock can’t verify something is safe, it doesn’t pass.

See the security assurance case for the full threat model, trust boundaries, and documented limitations.

Deploy

Seven ways to run it

Single binary, every deployment mode. Pick the one that fits your stack.

Running agents inside Cloudflare Sandboxes? Pair Pipelock's content inspection with Cloudflare's infrastructure isolation and credential injection. See Cloudflare Sandboxes + Pipelock.

Deploying Sure with Helm? Sure's chart ships Pipelock as an optional deployment for the external AI assistant path. See Self-Hosted Sure + Pipelock.

Local Binary

pipelock run --config pipelock.yaml starts all transports on a single port.

Kubernetes Companion Proxy

pipelock init sidecar --inject-spec deployment.yaml generates an enforced companion proxy topology with a Deployment, Service, NetworkPolicies, and bound workload identity for Deployment, StatefulSet, Job, and CronJob workloads.

Forward Proxy

Set HTTPS_PROXY=http://127.0.0.1:8888 and all agent HTTP traffic flows through the scanner.

MCP Proxy

pipelock mcp proxy --config cfg.yaml -- npx server wraps any MCP server with bidirectional scanning.

Reverse Proxy

pipelock run --reverse-proxy --reverse-upstream http://upstream:8080 scans traffic to any HTTP service.

CI / GitHub Action

Scans diffs for exposed credentials, injection patterns, and security misconfigurations on every pull request.

Scan API

POST /api/v1/scan evaluates URLs, text, or tool calls out-of-band. Bearer token auth, rate limiting. Docs.

<30MB
Single Binary
23
Dependencies
20,000+
Tests
>85%
Test Coverage
62
DLP Patterns
7
Presets

GitHub Action

Static scan of PR diffs for leaked credentials and injection patterns.

.github/workflows/pipelock.yml
- name: Pipelock Scan
  uses: luckyPipewrench/pipelock@v2.6.0
  with:
    scan-diff: 'true'
    fail-on-findings: 'true'

View on GitHub Marketplace.

Agent Egress Control

Run an agent script through Pipelock with kernel-enforced network containment and a signed Audit Packet.

.github/workflows/agent-job.yml
- name: Pipelock Agent Egress Control
  uses: luckyPipewrench/pipelock-agent-egress-action@v0.1.0
  with:
    script-path: ./scripts/agent.sh
    config: .pipelock/ci.yaml
    audit-packet-dir: pipelock-audit-packet

View on GitHub Marketplace · v0.1.0 release notes.

Install

install
# Homebrew (macOS / Linux)
$ brew install luckyPipewrench/tap/pipelock
# Go
$ go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest
# Docker
$ docker pull ghcr.io/luckypipewrench/pipelock:2.6.0

Quick Start

Claude Code

claude-code
$ pipelock claude setup
# Restart Claude Code. Done.

Every security-relevant tool call passes through Pipelock's scanner. See the full Claude Code guide for MCP proxy wrapping and advanced options.

Cursor

cursor
$ pipelock cursor install
# Restart Cursor.

See the Cursor guide for details.

VS Code

vscode
$ pipelock vscode install
# Restart VS Code. All MCP traffic scanned.

Use pipelock vscode remove to unwrap. See the VS Code guide.

Zed

zed
$ pipelock zed install
# Restart Zed. All MCP context_servers scanned.

Default discovery covers project, native, and Flatpak settings. See the Zed guide.

Any Agent

any-agent
$ pipelock generate config --preset balanced > pipelock.yaml
$ pipelock run --config pipelock.yaml
# Point your agent at the proxy
$ HTTPS_PROXY=http://127.0.0.1:8888 your-agent

Pipelock Pro

The full security engine is free and always will be. Pro adds multi-agent coordination for teams running more than one agent from a single deployment. Founding Pro is live now at $49/mo or $490/yr.

  • Unlimited named security profiles with per-profile DLP, allowlists, and rate limits
  • Per-profile mode overrides and usage budgets
  • Per-profile identity and config isolation
  • Coordinate many profiles from one deployment
Claim Founding Pro See full pricing

After subscribing, your license token arrives by email. See License Setup to install and verify it.

How Pipelock Compares

vs NemoClaw vs DefenseClaw vs Runlayer vs Prisma AIRS vs Backslash vs Docker MCP GW vs MCP Gateways vs LlamaFirewall vs Agent Wall vs iron-proxy vs WAF vs Guardrails

See all comparisons at Compare.

Deep Dives

LLM Security Learn-and-Lock MCP Security MCP Proxy Tool Poisoning Shadow MCP OWASP MCP Top 10 MCP Authorization Agent Firewall AI Runtime Security Gen AI Firewall

See all guides at Learn.

Frequently asked questions

What is Pipelock?
Pipelock is an open-source agent firewall. It sits between an AI agent and the internet as a local proxy and scans every HTTP, WebSocket, and MCP message the agent sends or receives. It blocks credential leaks, prompt injection, SSRF, and MCP tool poisoning before they cross the network boundary. Pipelock is a single Go binary under Apache 2.0, with a Pro tier for multi-agent coordination.
How does Pipelock differ from a WAF or AI firewall for LLM APIs?
A WAF protects a server from inbound attackers. An ‘AI firewall’ for an LLM API protects the model endpoint. Pipelock protects the agent itself: it enforces the boundary between the agent and the outside world by scanning the agent’s own outbound requests and the responses it pulls in. Different traffic direction, different threat model.
What transports does Pipelock scan?
HTTP forward proxy, CONNECT, fetch-style endpoint, WebSocket (bidirectional frame scanning), MCP stdio wrapping, MCP streamable HTTP, MCP HTTP reverse proxy, and Agent-to-Agent (A2A). Pipelock is transport-agnostic by design: one binary, identical scanning logic, on every transport the agent uses.
Does Pipelock see the agent's real secrets?
No. Pipelock holds no agent credentials by design. The agent runs in the privileged zone with its own secrets. Pipelock runs in a separate trust zone with no secret access, inspecting traffic as it crosses the boundary. This capability separation is enforced at the deployment layer (container or process isolation).
Is Pipelock free?
The core is free and Apache-2.0 licensed. Every scanner, every detection, every enforcement layer is in the open-source binary. Pipelock Pro ($49/mo Founding, $99/mo list) adds multi-agent coordination for teams running more than one agent: per-agent configs, budgets, CIDR matching. Enterprise adds fleet management and compliance.
What does Pipelock catch that a domain allowlist misses?
A domain allowlist decides where the agent can go. It does not inspect what the agent sends. Pipelock’s DLP scanner catches credential patterns in request bodies (62 patterns, encoding-aware). Its injection scanner catches prompt-injection payloads in tool responses (29 patterns, 6-pass normalization). Its MCP tool scanner catches poisoned tool descriptions and rug-pull drift. These attacks pass an allowlist because the destination is trusted; the content is not.
Does it fail open or closed?
Closed. Always. Timeouts, parse errors, oversized bodies, compressed content, malformed JSON-RPC, non-terminal HITL: all block. There is no code path where uncertainty results in forwarding.
How are rules updated?
Community rules with Ed25519-signed bundles, CalVer versioning, and hot-reload. pipelock rules install pulls the latest bundle. pipelock rules verify checks signatures against your trusted keyring. Built-in patterns update with each binary release.
Can agents reach internal services?
trusted_domains allows controlled exceptions for services with public DNS that resolve to private IPs (localhost dev servers, local inference endpoints, internal APIs). SSRF protection stays active for everything else.
What's the performance impact?
The current end-to-end performance benchmark shows sub-millisecond MCP stdio overhead and low-millisecond HTTP/tool-chain overhead on localhost. See the Pipelock performance guide for the full transport table, cold-start numbers, and reproduce command: https://pipelab.org/learn/performance/

Get started

Single binary, <30MB, Apache 2.0. Install and the proxy is online.

Install Pipelock Star on GitHub See proof