DISCOVER THE FUTURE OF AI AGENTS
Agent Park
BACK TO PROJECTS

Pipelock

Added Apr 25, 2026
Agent & Tooling
Open Source
RustModel Context ProtocolAI AgentsCLIAgent & ToolingProtocol, API & IntegrationSecurity & Privacy

Open-source AI Agent egress firewall providing OS-level sandboxing, 11-layer URL scanning, and prompt-injection response detection for MCP and agentic workflows.

Core Positioning#

Pipelock is a Go-based AI Agent egress firewall and MCP security control plane built on a capability-separation architecture: the Agent process holds credentials but is denied network access, while Pipelock has network access but no Agent keys—even a fully compromised Agent cannot bypass the firewall.

Outbound Request Protection#

Every request passes through an 11-layer scanning pipeline: protocol validation → CRLF detection → path traversal blocking → domain blocklist → DLP pattern matching (48 built-in patterns covering API keys, tokens, credentials, crypto keys, env vars, financial identifiers with checksum validation) → path entropy analysis → subdomain entropy analysis → SSRF protection (with DNS rebinding defense) → per-domain rate limiting → URL length limits → per-domain data budgets. Supports request-side JSON value redaction (e.g., <pl:aws-access-key:1>) across HTTP body, WebSocket messages, and MCP tools/call parameters. Optional TLS CONNECT tunnel MITM decrypt/scan/re-encrypt.

Inbound Response Protection#

Prompt Injection Detection: 6-pass normalization pipeline (zero-width characters, homoglyphs, leet encoding, base64 wrapping, etc.) + 25 built-in patterns covering jailbreaks, instruction manipulation, credential requests, memory persistence, preference poisoning, covert action instructions, model instruction boundaries, CJK instruction overrides. SSE streams (OpenAI, Anthropic, MCP HTTP/SSE) scanned per-event with fail-closed termination on threat detection. Action strategies: block / strip / warn / ask (human-in-the-loop approval).

MCP Security Control#

The MCP proxy supports stdio subprocess wrapping, Streamable HTTP bridging, and HTTP reverse proxy transports with bidirectional scanning of client requests and server responses. Built-in 17 tool pre-execution rules (destructive operations, credential access, reverse shells, persistence, encoded command execution) and 10 call-chain detection patterns (reconnaissance, credential theft, data staging, persistence, exfiltration chains), with tools/list poisoned description and mid-session rug-pull detection. v2.0 adds redirect action routing to audit wrappers.

Process Isolation & Runtime Control#

  • Linux: Landlock LSM (filesystem) + seccomp (dangerous syscalls) + network namespaces (force all traffic through pipelock)
  • macOS: sandbox-exec profile (filesystem + network)
  • Containers: --best-effort mode using Landlock + seccomp, proxy-level routing replacing kernel-level network namespaces
  • Kill Switch: Four independent activation sources (config file, SIGUSR1 signal, sentinel file, remote API); API can run on a separate port to prevent Agent self-disabling
  • Adaptive Execution: Session-level threat scoring with automatic escalation/de-escalation
  • Taint Escalation: Exposure-based policy escalation across MCP + task boundaries

Audit & Compliance#

  • Flight Recorder: Hash-chained JSONL audit logs + Ed25519 signature checkpoints + DLP redaction
  • Filesystem Sentinel: Monitors Agent working directory disk writes, reuses DLP patterns for credential leak detection
  • Canary Tokens: Synthetic secrets injected into Agent environment for leak detection
  • Compliance Mapping: OWASP MCP Top 10, OWASP Agentic Top 15, NIST 800-53, EU AI Act, SOC 2
  • SBOM Generation: CycloneDX format

Domain-Specific#

  • Blockchain Address Protection: ETH/BTC/SOL/BNB address poisoning detection with whitelist comparison
  • A2A Scanning: Google Agent-to-Agent protocol Agent Card poisoning, drift, and session hijacking detection
  • Hostile Model Defense: hostile-model preset providing extra defense layer for uncensored/abliterated models

Deployment & Integration#

Delivered as a single binary (no runtime dependencies), also available as Docker image, Helm chart, and GitHub Action. Compatible with Claude Code, Cursor, VS Code, JetBrains and major AI IDEs, plus OpenAI Agents SDK, Google ADK, AutoGen, CrewAI, LangGraph and more. Three security modes: strict (whitelist-only), balanced (default, block simple + detect complex), audit (log-only). Fleet monitoring via Prometheus metrics + Grafana dashboards. Listed in CNCF Landscape (Security & Compliance) and OpenSSF Best Practices Silver.

Related Projects

View All

Zylos Core

Open-source autonomous AI Agent infrastructure featuring unified communication bridge, five-layer memory system, self-healing ops, and self-evolution capabilities, with Claude/Codex dual runtime support.

Node.jsWorkflow Automation
VIEW DETAILS

verl

🧠

A flexible, efficient, and production-ready post-training reinforcement learning framework for LLMs

PythonPyTorch
VIEW DETAILS

Kalshi AI Trading Bot

A multi-model LLM ensemble autonomous trading system for the Kalshi prediction market, featuring AI ensemble debate, pure math edge, and aggressive strategies, with built-in multi-layer risk controls and an observability dashboard.

PythonLarge Language Models
VIEW DETAILS

STAY UPDATED

Get the latest AI tools and trends delivered straight to your inbox. No spam, just intelligence.