Changelog
🚀 Features
- 5564402 feat(cli): explain hook blocks via explain --command/--tool/--file (#877)
- 5a04b7c feat(conductor): add --dry-run to publish/kill/rollback and a replay CLI (#989)
- 6440a45 feat(conductor): dry-run and decision-replay for signed policy, kill, and rollback actions (#950)
- ad6cb93 feat(conductor): fleet runtime/apply-state drift guardrail with fail-closed publish preflight (#910)
- 693b51d feat(conductor): sign follower applied-state into audit batches for verifiable fleet overview (#948)
- 4803713 feat(contain): add verified run launcher (#846)
- a59d78c feat(dashboard): add RBAC permission seam (#967)
- 3add482 feat(dashboard): add durable state operability (#971)
- fa96926 feat(dashboard): add trust and keys audit view (#970)
- 757263d feat(dashboard): cross-agent evidence explorer, decision investigator, and free viewer (#946)
- 61d18c4 feat(dashboard): exemption lifecycle store and coverage certificates (#947)
- a42d3f3 feat(dashboard): land on Overview at root; restyle the free evidence console (#995)
- 86c43a6 feat(dashboard): live per-agent forward-budget data via runtime snapshot (#968)
- 68eb7c9 feat(dashboard): mTLS client-certificate authentication (#973)
- 20bc056 feat(dashboard): operator console revamp with a free evidence view, tier gating, and honest states (#991)
- af2ba15 feat(dashboard): pipelock dashboard serve command for the Evidence view (#888)
- f2de27c feat(dashboard): read-only Evidence view for Pro/Enterprise (#885)
- ad7d544 feat(dashboard): read-only Signed Action Workbench and Incident Cockpit (#960)
- 0d4f6d1 feat(dashboard): read-only exemptions inventory with inert-exemption detection (#923)
- e07c26a feat(dashboard): read-only fleet overview of signed follower state (#951)
- 3f06e6d feat(dashboard): read-only per-agent budget panel (#966)
- 5d76d52 feat(deferred): cascade-depth limit + pending-ancestor linkage for held MCP actions (#887)
- 8474b31 feat(enterprise): add compliance console (#969)
- 212c417 feat(examples): add tool-poisoning-honeypot MCP manifest-poisoning demo (#997)
- 426069f feat(mcp): record durable receipts before egress for all forwardable verdicts (#937)
- 596b9b5 feat(mcp): tool-policy type/range/length/value arg validators (#881)
- c11639c feat(playground): WASM browser verifier + load-test harness (#837)
- b01a2ce feat(playground): broker hardening for public exposure (#838)
- 5531946 feat(playground): harden broker for public internet exposure (#831)
- df95834 feat(playground): require real live model, add per-session verify kits, fix model 400 (#834)
- 2b402fe feat(proxy): surface the exempt_domains full-trust blind spot (#936)
- 2a284eb feat(receipt): additive exact-bytes receipt verification foundation (#915)
- d85d4e2 feat(receipt): cross-language verifier parity for rotated chains (#935)
- 23bce3f feat(receipt): strict unknown-field rejection and two-mode chain contract (#963)
- c012f89 feat(replaycapture): add three Make It Leak episode scenarios (#896)
- 870e5a0 feat(rules): verify official bundles on source builds (#955)
- 2134bf7 feat(scanner): central block-remediation table, wired into explain and audit (#875)
- 42e1d2b feat(scanner): operator-configurable endpoint/parameter query-entropy exemption (#916)
- 5737958 feat(verifier): wasm raw receipt-chain verification with parity harness (#952)
- f243013 feat: add CEF SIEM export format and action-aware export filtering (#920)
- 745459f feat: add MCP taint trust by server name (#865)
- 1954ff6 feat: add Rekor anchor submission backend (#861)
- 446ed52 feat: add durable SIEM event forwarding (#972)
- d11094b feat: add explain-event, quickstart, and status operator commands (#921)
- a6a806f feat: add local receipt anchor bundles (#858)
- 730d356 feat: add preset listing, richer startup summary, and unset-knob surfacing (#922)
- 016bce1 feat: durable intent before egress on CONNECT-intercept inner requests (#925)
- 72834c0 feat: durable receipt-evidence lifecycle and honest completeness verifier (#924)
- 7dfbcf2 feat: make all seven config presets selectable via --preset (#874)
- e030fe5 feat: operator surface to list, approve, and deny held (deferred) MCP actions (#905)
- a794ae8 feat: verify Rekor anchor inclusion proofs (#866)
- ace3374 feat: verify the bound-genesis session-control wire format in every language (#926)
🐛 Bug Fixes
- 527f4b3 fix(anchor): make the Rekor hashedrekord hash algorithm configurable (#987)
- 771613d fix(anchor): versioned per-session state index and hostile-filesystem fail-closed loading (#979)
- 18ca6f8 fix(audit): emit operational visibility events (#843)
- cbda57f fix(baseline): cross-process integrity lock and fail-closed profile integrity (#914)
- a1dd7ad fix(baseline): enforce behavioral baseline on A2A methods (#894)
- 441f443 fix(baseline): fail closed on persisted profile tamper via signed integrity manifest (#897)
- bdd5b93 fix(baseline): fail closed on unreadable or corrupt persisted profile under enforcement (#892)
- b1e569c fix(baseline): fingerprint integrity diagnostics (#943)
- 41e5c57 fix(baseline): restore Windows regular-file reads without following symlinks (#980)
- 519f44c fix(baseline): sanitize control characters in agent-identifier log fields (#940)
- 312a995 fix(conductor): additively merge published detection content onto follower baseline (#999)
- c95791c fix(conductor): make bootstrapped policy bundles publishable with a loaded-config policy hash (#986)
- 1d88391 fix(conductor): reject empty-scope audit queries and enforce config-consumption gate (#904)
- 9f814f5 fix(conductor): survive upgrade with an existing bundle and add signed-decision replay modes (#993)
- 26cda65 fix(coverage-cert): re-validate certificate body on verify and bind signer key (#1000)
- dddf762 fix(coveragecert): reject over-claiming certificates by construction (#1001)
- d1e1a37 fix(dashboard): accept mutual TLS as a sole authenticator (#982)
- b87e659 fix(dashboard): harden auth boundary, store loading, and evidence read bounds (#978)
- 9484ba8 fix(dashboard,siemforward): default-proxy coverage certs, forwarder metadata floor, brand favicon (#1002)
- c331bf3 fix(deferred): never derive cascade linkage across session-less holds (#889)
- 58ab15b fix(deferred): record depth-limit denials in the audit journal (#913)
- b6a2985 fix(dlp): anchor dotted-token patterns case-sensitively to stop prose false positives (#836)
- 7a33227 fix(emit): queue syslog delivery asynchronously (#845)
- df4e973 fix(evidence): fail closed when a coverage certificate signer is not in the pinned trusted-signer set (#984)
- 38891a2 fix(evidence): re-tier point-in-time containment grade to kernel_observed (#938)
- 6d0b1be fix(mcp): audit completeness, full-object drift, fail-closed hardening (#895)
- 5cc240d fix(mcp): enforce denial-of-wallet and chain detection on A2A methods (#900)
- b060d9d fix(mcp): enforce session-binding, taint, and contract gates on A2A methods (#909)
- 0f82ed6 fix(mcp): fail closed without envelope leak on empty action id under require-receipts; harden A2A method match + drift doc (#903)
- 1ef37c2 fix(mcp): harden input envelope handling (#840)
- cee8b07 fix(mcp): namespace reserved-prefix tool names in enforcement identity (#934)
- 04438c3 fix(mcp): reject null envelope params (#841)
- edea4fe fix(mcp): scan generic SSE across event boundaries (#844)
- eac23aa fix(playground): orphan-VM reaper blinded by Fly summary mode (#883)
- 952ce86 fix(playground): serve broker UI assets world-readable so the verifier wasm loads (#839)
- 6df4016 fix(proxy): apply response suppressions inside scan cascade (#848)
- bd95577 fix(proxy): fail closed on undecodable multipart transfer encoding (#884)
- aae3f1e fix(proxy): improve receipt failure visibility (#842)
- 0790b4f fix(proxy): scan over-cap size-exempt responses with bounded memory (#899)
- 9f25513 fix(receipt): bind receipt policy_hash to the request config snapshot (#961)
- 8d401dc fix(reload): fail closed when a bundle-resolution error would drop live detection rules (#988)
- 65d069c fix(reverse): label unscanned media passthrough honestly, never clean (#962)
- 40d3792 fix(scanner): close core response-floor bypass (suppression masking + decoded normalization) (#893)
- 982eda1 fix(scanner): cut credential-path directive false positives with intent and path-tier anchoring (#911)
- bba7779 fix(scanner): normalize encoded DLP candidates (#847)
- b542aa1 fix(scanner): reassemble invisible-split keywords across config and decoded scan passes (#882)
- c07629d fix(scanner): robust documentation-example-credential exemption (#878)
- 825205c fix(scanner): sharpen credential-exfil response-injection patterns (#981)
- 3f1de21 fix(scanner): tighten markdown-link credential-exfil pattern to cut benign-docs false positives (#902)
- aca78f8 fix: add reverse response size exemption parity (#869)
- a0b685a fix: attest full MCP tool definitions (#853)
- 16fd0a2 fix: block split DLP in A2A task updates (#851)
- 9ad71ca fix: enforce required receipts in reverse proxy (#857)
- e3e530e fix: eval mint matches net_amount (tax-invariant) + playground bundle signed receipts (#832)
- a8bbbbc fix: harden containment nft drift proof (#868)
- 55246cd fix: keep blocked tool drift out of baseline (#852)
- 44fdb46 fix: reject duplicate MCP and A2A JSON keys (#855)
- 1cdcb78 fix: reject duplicate playground artifact keys (#856)
- 75994e4 fix: reject required-mode reload downgrades (#860)
- d3dd85e fix: scan MCP resource HTTP URIs (#854)
- 4ef4655 fix: verify containment nft rules against current uids (#859)
📦 Dependencies
- 294b3c9 chore(deps): update actions/cache action to v6 (#956)
- 969acec chore(deps): update actions/checkout action to v7 (#957)
- ae33f9d chore(deps): update dependency cryptography to v49 (#958)
- 1e0f42f chore(deps): update luckypipewrench/pipelock action to v3 (#959)
Other Changes
- d99a9f2 Add Cursor integration example with verify script (#927)
- bfec7d6 Add WebSocket proxy example with verify script (#932)
- fae303f Add canary tokens example with verify script (#933)
- bb4a516 Add docker-compose proxy example with verify script (#945)
- d93034d Baseline learning quality: learn only executed tool calls; per-request listener samples (#880)
- 8c7f763 Baseline/taint review follow-ups: startup cleanup + reload downgrade guard (#879)
- dcfa01d Behavioral-baseline runtime enforcement + fail-safe taint default (#876)
- 0f9e4dc Bound cumulative SSE event reads (#850)
- 6dfcfbd Embed validated config paths in installers (#873)
- 5bea182 Evidence-health metrics, self-audit loop, and honest scorecard (#931)
- 3e30904 Fail closed on default MCP binary integrity (#849)
- 7c125e3 Fail closed on unverifiable git diffs and harden rules config loading (#872)
- d167187 Fix image data URL DLP false positives without weakening embedded-secret detection (#870)
- 77803d3 Fix taint ask handling for MCP stdio and local gateways (#965)
- f92bca1 Harden dashboard raw evidence access (#890)
- c8ecffa Harden evidence rendering, hard-limits table, and containment grade (#930)
- 3f5fe51 Harden scanner coverage: SSRF surfaces, encoded secrets, FP precision (#891)
- ebbef10 Make crash reporting opt-in with a minimizing sanitizer (#917)
- fd0b94b Tighten inbound DLP enforcement for OCR AWS ID false positives (#906)
- 50b8045 Use vendor-neutral examples and align config docs to defaults (#918)
- f80c59f Validate signed session_control claims in every verifier (#929)
- 6b01674 chore(release): group and filter changelog, add branded release footer (#944)
- e8a396d ci(release): raise race-test timeout to 30m on monolithic release test steps (#1003)
- f3edb93 docs(dashboard): document OIDC identity-provider audience setup (#985)
- f1b5630 harden(conductor): honest fleet provenance and fail-closed rollback ordering (#977)
- f13eab8 harden(evidence): dev-build rules, checkpoint signing, rekor egress, idempotent bundle merge (#983)
- 6a8ac5e harden(evidence): make posture proofs and session_open durable (#941)
- 29340c8 harden(evidence): strict CSP + no-store on the free evidence-serve console (#998)
- c2a88df harden(evidence,anchor): bound evidence receipt reads and fix Rekor hashedrekord artifact signatures (#992)
- f1c242a harden(mcp): A2A redaction parity and session-binding inventory (#976)
- 7a68cb1 harden(receipt): durable session-close and defense-in-depth posture-capsule verification (#949)
- d6e5242 harden(receipt): fail-closed audit-completeness for defer, receipts, and baseline reads (#975)
- af90fb6 harden(receipt): fail-closed receipt-emission completeness across MCP, proxy, and reverse (#942)
- 6718904 refactor: centralize DLP patterns into one generated source of truth (#919)
- f6e3eee test(liveproof): live-proof harness through the shipped binary (#898)
📚 Docs: https://pipelab.org • 💬 Community: https://discord.gg/badNfhGKTc
Pipelock is an open-source agent firewall. Come poke holes in it.