Pipelock

Pipelock is an open-source agent firewall written in Go. It runs as a sidecar or local service between an agent and the network, scanning HTTP, WebSocket, and Model Context Protocol traffic through an 11-layer pipeline. Coverage includes credential exfiltration via 48 DLP patterns, prompt injection detection with 25 patterns and 6-pass normalization, SSRF session binding, and chain detection.

The architecture is capability-separated by design. The agent process holds API keys and credentials and operates without direct network access. Pipelock holds network access and no agent secrets. A compromised proxy cannot leak agent secrets because it never has them.

When signing is enabled, Pipelock emits Ed25519-signed action receipts from outside the agent trust boundary. Each receipt records the action attempted, target, transport, verdict, policy hash, timestamp, and scanner context. A reviewer can verify the receipt chain with the public key, so the evidence does not depend on the agent process attesting to itself.

Distributed as a single ~20MB Go binary. Apache 2.0 license. Listed on the CNCF Landscape under Provisioning > Security & Compliance. Compatible with Claude Code, Cursor, VS Code, JetBrains, OpenAI Agents SDK, Google ADK, AutoGen, CrewAI, and LangGraph.