Skip to content

v3.1.0

Latest

Choose a tag to compare

@github-actions github-actions released this 14 Jul 03:08
v3.1.0
e8a396d

Changelog

🚀 Features

  • 5564402 feat(cli): explain hook blocks via explain --command/--tool/--file (#877)
  • 5a04b7c feat(conductor): add --dry-run to publish/kill/rollback and a replay CLI (#989)
  • 6440a45 feat(conductor): dry-run and decision-replay for signed policy, kill, and rollback actions (#950)
  • ad6cb93 feat(conductor): fleet runtime/apply-state drift guardrail with fail-closed publish preflight (#910)
  • 693b51d feat(conductor): sign follower applied-state into audit batches for verifiable fleet overview (#948)
  • 4803713 feat(contain): add verified run launcher (#846)
  • a59d78c feat(dashboard): add RBAC permission seam (#967)
  • 3add482 feat(dashboard): add durable state operability (#971)
  • fa96926 feat(dashboard): add trust and keys audit view (#970)
  • 757263d feat(dashboard): cross-agent evidence explorer, decision investigator, and free viewer (#946)
  • 61d18c4 feat(dashboard): exemption lifecycle store and coverage certificates (#947)
  • a42d3f3 feat(dashboard): land on Overview at root; restyle the free evidence console (#995)
  • 86c43a6 feat(dashboard): live per-agent forward-budget data via runtime snapshot (#968)
  • 68eb7c9 feat(dashboard): mTLS client-certificate authentication (#973)
  • 20bc056 feat(dashboard): operator console revamp with a free evidence view, tier gating, and honest states (#991)
  • af2ba15 feat(dashboard): pipelock dashboard serve command for the Evidence view (#888)
  • f2de27c feat(dashboard): read-only Evidence view for Pro/Enterprise (#885)
  • ad7d544 feat(dashboard): read-only Signed Action Workbench and Incident Cockpit (#960)
  • 0d4f6d1 feat(dashboard): read-only exemptions inventory with inert-exemption detection (#923)
  • e07c26a feat(dashboard): read-only fleet overview of signed follower state (#951)
  • 3f06e6d feat(dashboard): read-only per-agent budget panel (#966)
  • 5d76d52 feat(deferred): cascade-depth limit + pending-ancestor linkage for held MCP actions (#887)
  • 8474b31 feat(enterprise): add compliance console (#969)
  • 212c417 feat(examples): add tool-poisoning-honeypot MCP manifest-poisoning demo (#997)
  • 426069f feat(mcp): record durable receipts before egress for all forwardable verdicts (#937)
  • 596b9b5 feat(mcp): tool-policy type/range/length/value arg validators (#881)
  • c11639c feat(playground): WASM browser verifier + load-test harness (#837)
  • b01a2ce feat(playground): broker hardening for public exposure (#838)
  • 5531946 feat(playground): harden broker for public internet exposure (#831)
  • df95834 feat(playground): require real live model, add per-session verify kits, fix model 400 (#834)
  • 2b402fe feat(proxy): surface the exempt_domains full-trust blind spot (#936)
  • 2a284eb feat(receipt): additive exact-bytes receipt verification foundation (#915)
  • d85d4e2 feat(receipt): cross-language verifier parity for rotated chains (#935)
  • 23bce3f feat(receipt): strict unknown-field rejection and two-mode chain contract (#963)
  • c012f89 feat(replaycapture): add three Make It Leak episode scenarios (#896)
  • 870e5a0 feat(rules): verify official bundles on source builds (#955)
  • 2134bf7 feat(scanner): central block-remediation table, wired into explain and audit (#875)
  • 42e1d2b feat(scanner): operator-configurable endpoint/parameter query-entropy exemption (#916)
  • 5737958 feat(verifier): wasm raw receipt-chain verification with parity harness (#952)
  • f243013 feat: add CEF SIEM export format and action-aware export filtering (#920)
  • 745459f feat: add MCP taint trust by server name (#865)
  • 1954ff6 feat: add Rekor anchor submission backend (#861)
  • 446ed52 feat: add durable SIEM event forwarding (#972)
  • d11094b feat: add explain-event, quickstart, and status operator commands (#921)
  • a6a806f feat: add local receipt anchor bundles (#858)
  • 730d356 feat: add preset listing, richer startup summary, and unset-knob surfacing (#922)
  • 016bce1 feat: durable intent before egress on CONNECT-intercept inner requests (#925)
  • 72834c0 feat: durable receipt-evidence lifecycle and honest completeness verifier (#924)
  • 7dfbcf2 feat: make all seven config presets selectable via --preset (#874)
  • e030fe5 feat: operator surface to list, approve, and deny held (deferred) MCP actions (#905)
  • a794ae8 feat: verify Rekor anchor inclusion proofs (#866)
  • ace3374 feat: verify the bound-genesis session-control wire format in every language (#926)

🐛 Bug Fixes

  • 527f4b3 fix(anchor): make the Rekor hashedrekord hash algorithm configurable (#987)
  • 771613d fix(anchor): versioned per-session state index and hostile-filesystem fail-closed loading (#979)
  • 18ca6f8 fix(audit): emit operational visibility events (#843)
  • cbda57f fix(baseline): cross-process integrity lock and fail-closed profile integrity (#914)
  • a1dd7ad fix(baseline): enforce behavioral baseline on A2A methods (#894)
  • 441f443 fix(baseline): fail closed on persisted profile tamper via signed integrity manifest (#897)
  • bdd5b93 fix(baseline): fail closed on unreadable or corrupt persisted profile under enforcement (#892)
  • b1e569c fix(baseline): fingerprint integrity diagnostics (#943)
  • 41e5c57 fix(baseline): restore Windows regular-file reads without following symlinks (#980)
  • 519f44c fix(baseline): sanitize control characters in agent-identifier log fields (#940)
  • 312a995 fix(conductor): additively merge published detection content onto follower baseline (#999)
  • c95791c fix(conductor): make bootstrapped policy bundles publishable with a loaded-config policy hash (#986)
  • 1d88391 fix(conductor): reject empty-scope audit queries and enforce config-consumption gate (#904)
  • 9f814f5 fix(conductor): survive upgrade with an existing bundle and add signed-decision replay modes (#993)
  • 26cda65 fix(coverage-cert): re-validate certificate body on verify and bind signer key (#1000)
  • dddf762 fix(coveragecert): reject over-claiming certificates by construction (#1001)
  • d1e1a37 fix(dashboard): accept mutual TLS as a sole authenticator (#982)
  • b87e659 fix(dashboard): harden auth boundary, store loading, and evidence read bounds (#978)
  • 9484ba8 fix(dashboard,siemforward): default-proxy coverage certs, forwarder metadata floor, brand favicon (#1002)
  • c331bf3 fix(deferred): never derive cascade linkage across session-less holds (#889)
  • 58ab15b fix(deferred): record depth-limit denials in the audit journal (#913)
  • b6a2985 fix(dlp): anchor dotted-token patterns case-sensitively to stop prose false positives (#836)
  • 7a33227 fix(emit): queue syslog delivery asynchronously (#845)
  • df4e973 fix(evidence): fail closed when a coverage certificate signer is not in the pinned trusted-signer set (#984)
  • 38891a2 fix(evidence): re-tier point-in-time containment grade to kernel_observed (#938)
  • 6d0b1be fix(mcp): audit completeness, full-object drift, fail-closed hardening (#895)
  • 5cc240d fix(mcp): enforce denial-of-wallet and chain detection on A2A methods (#900)
  • b060d9d fix(mcp): enforce session-binding, taint, and contract gates on A2A methods (#909)
  • 0f82ed6 fix(mcp): fail closed without envelope leak on empty action id under require-receipts; harden A2A method match + drift doc (#903)
  • 1ef37c2 fix(mcp): harden input envelope handling (#840)
  • cee8b07 fix(mcp): namespace reserved-prefix tool names in enforcement identity (#934)
  • 04438c3 fix(mcp): reject null envelope params (#841)
  • edea4fe fix(mcp): scan generic SSE across event boundaries (#844)
  • eac23aa fix(playground): orphan-VM reaper blinded by Fly summary mode (#883)
  • 952ce86 fix(playground): serve broker UI assets world-readable so the verifier wasm loads (#839)
  • 6df4016 fix(proxy): apply response suppressions inside scan cascade (#848)
  • bd95577 fix(proxy): fail closed on undecodable multipart transfer encoding (#884)
  • aae3f1e fix(proxy): improve receipt failure visibility (#842)
  • 0790b4f fix(proxy): scan over-cap size-exempt responses with bounded memory (#899)
  • 9f25513 fix(receipt): bind receipt policy_hash to the request config snapshot (#961)
  • 8d401dc fix(reload): fail closed when a bundle-resolution error would drop live detection rules (#988)
  • 65d069c fix(reverse): label unscanned media passthrough honestly, never clean (#962)
  • 40d3792 fix(scanner): close core response-floor bypass (suppression masking + decoded normalization) (#893)
  • 982eda1 fix(scanner): cut credential-path directive false positives with intent and path-tier anchoring (#911)
  • bba7779 fix(scanner): normalize encoded DLP candidates (#847)
  • b542aa1 fix(scanner): reassemble invisible-split keywords across config and decoded scan passes (#882)
  • c07629d fix(scanner): robust documentation-example-credential exemption (#878)
  • 825205c fix(scanner): sharpen credential-exfil response-injection patterns (#981)
  • 3f1de21 fix(scanner): tighten markdown-link credential-exfil pattern to cut benign-docs false positives (#902)
  • aca78f8 fix: add reverse response size exemption parity (#869)
  • a0b685a fix: attest full MCP tool definitions (#853)
  • 16fd0a2 fix: block split DLP in A2A task updates (#851)
  • 9ad71ca fix: enforce required receipts in reverse proxy (#857)
  • e3e530e fix: eval mint matches net_amount (tax-invariant) + playground bundle signed receipts (#832)
  • a8bbbbc fix: harden containment nft drift proof (#868)
  • 55246cd fix: keep blocked tool drift out of baseline (#852)
  • 44fdb46 fix: reject duplicate MCP and A2A JSON keys (#855)
  • 1cdcb78 fix: reject duplicate playground artifact keys (#856)
  • 75994e4 fix: reject required-mode reload downgrades (#860)
  • d3dd85e fix: scan MCP resource HTTP URIs (#854)
  • 4ef4655 fix: verify containment nft rules against current uids (#859)

📦 Dependencies

  • 294b3c9 chore(deps): update actions/cache action to v6 (#956)
  • 969acec chore(deps): update actions/checkout action to v7 (#957)
  • ae33f9d chore(deps): update dependency cryptography to v49 (#958)
  • 1e0f42f chore(deps): update luckypipewrench/pipelock action to v3 (#959)

Other Changes

  • d99a9f2 Add Cursor integration example with verify script (#927)
  • bfec7d6 Add WebSocket proxy example with verify script (#932)
  • fae303f Add canary tokens example with verify script (#933)
  • bb4a516 Add docker-compose proxy example with verify script (#945)
  • d93034d Baseline learning quality: learn only executed tool calls; per-request listener samples (#880)
  • 8c7f763 Baseline/taint review follow-ups: startup cleanup + reload downgrade guard (#879)
  • dcfa01d Behavioral-baseline runtime enforcement + fail-safe taint default (#876)
  • 0f9e4dc Bound cumulative SSE event reads (#850)
  • 6dfcfbd Embed validated config paths in installers (#873)
  • 5bea182 Evidence-health metrics, self-audit loop, and honest scorecard (#931)
  • 3e30904 Fail closed on default MCP binary integrity (#849)
  • 7c125e3 Fail closed on unverifiable git diffs and harden rules config loading (#872)
  • d167187 Fix image data URL DLP false positives without weakening embedded-secret detection (#870)
  • 77803d3 Fix taint ask handling for MCP stdio and local gateways (#965)
  • f92bca1 Harden dashboard raw evidence access (#890)
  • c8ecffa Harden evidence rendering, hard-limits table, and containment grade (#930)
  • 3f5fe51 Harden scanner coverage: SSRF surfaces, encoded secrets, FP precision (#891)
  • ebbef10 Make crash reporting opt-in with a minimizing sanitizer (#917)
  • fd0b94b Tighten inbound DLP enforcement for OCR AWS ID false positives (#906)
  • 50b8045 Use vendor-neutral examples and align config docs to defaults (#918)
  • f80c59f Validate signed session_control claims in every verifier (#929)
  • 6b01674 chore(release): group and filter changelog, add branded release footer (#944)
  • e8a396d ci(release): raise race-test timeout to 30m on monolithic release test steps (#1003)
  • f3edb93 docs(dashboard): document OIDC identity-provider audience setup (#985)
  • f1b5630 harden(conductor): honest fleet provenance and fail-closed rollback ordering (#977)
  • f13eab8 harden(evidence): dev-build rules, checkpoint signing, rekor egress, idempotent bundle merge (#983)
  • 6a8ac5e harden(evidence): make posture proofs and session_open durable (#941)
  • 29340c8 harden(evidence): strict CSP + no-store on the free evidence-serve console (#998)
  • c2a88df harden(evidence,anchor): bound evidence receipt reads and fix Rekor hashedrekord artifact signatures (#992)
  • f1c242a harden(mcp): A2A redaction parity and session-binding inventory (#976)
  • 7a68cb1 harden(receipt): durable session-close and defense-in-depth posture-capsule verification (#949)
  • d6e5242 harden(receipt): fail-closed audit-completeness for defer, receipts, and baseline reads (#975)
  • af90fb6 harden(receipt): fail-closed receipt-emission completeness across MCP, proxy, and reverse (#942)
  • 6718904 refactor: centralize DLP patterns into one generated source of truth (#919)
  • f6e3eee test(liveproof): live-proof harness through the shipped binary (#898)

📚 Docs: https://pipelab.org • 💬 Community: https://discord.gg/badNfhGKTc

Pipelock is an open-source agent firewall. Come poke holes in it.