Open-source agent firewall for MCP and AI agent egress
Pipelock enforces MCP, HTTP, and WebSocket egress at the network boundary and produces verifiable audit evidence for every inspected action.
v2.4.0 ships · learn-and-lock contracts · block reason headers · inbound envelope verification
342+ GitHub Stars · 15400+ Tests · 40 Releases · ~20MB Single Binary · 151 Bench Cases · 5 Frameworks
CNCF Landscape · April 2026
Pipelock is currently the only AI-agent-firewall listed under Provisioning · Security & Compliance.
Narrative
Detect. Enforce. Prove.
One binary, three jobs. Each line below is a real surface in the Pipelock source tree.
Detect
11-layer scanner pipeline. 48 DLP patterns. A2A scanning. Encoded payload handling across HTTP, WebSocket, and MCP.
Enforce
OR-composed kill switch. Adaptive escalation. Process sandbox on Linux and macOS. MCP tool policy with redirect. Fail-closed on every path.
Prove
Evidence for every machine operation. Hash-chained flight recorder. Ed25519-signed assessment reports. 24+ attack simulations.
Capabilities
What Pipelock covers
A compressed view. The full inventory lives on the product page.
Data Loss Prevention
48 credential patterns with checksum validation. Base64, hex, URL, and Unicode encoding-aware.
Prompt Injection
25 detection patterns. 6-pass normalization covering zero-width chars, homoglyphs, and leetspeak.
MCP Security
Tool poisoning detection, rug-pull tracking, policy engine with redirect, session binding, and chain detection.
Process Sandbox
Landlock + seccomp + network namespaces on Linux. sandbox-exec on macOS. Per-agent profiles with strict mode.
Adaptive Enforcement
Per-session threat scoring. Three escalation levels. Auto-recovery after clean traffic. No permanent lockouts.
Compliance Evidence
OWASP MCP Top 10, OWASP Agentic Top 10, MITRE ATLAS, EU AI Act, SOC 2 mappings. Ed25519-signed reports.
Plus more surfaces
Evidence
Monitor. Block. Prove.
Three real artifacts the binary produces today.

01 Monitor
Live fleet dashboard
70 Prometheus metrics across the fleet. Threat score, kill state, scan latency, blocked verdict counts.
02 Block
4-source kill switch
Trigger from CLI, dashboard, API, or Telegram. One source flips the agent into deny-all in under a second.
03 Prove
Ed25519-signed reports
5 compliance frameworks. Reports verify offline against the published public key.
Get Started
Two minutes to protection
Works with Claude Code, Cursor, VS Code, JetBrains, or any agent that speaks HTTP.
Public methodology · Public attack cases · Public Pipelock results