chore(helm): bump pipelock to v2.0.0 with trusted domains and redirect profiles (#1266)

* chore(helm): bump pipelock to v2.0.0 with trusted domains and redirect profiles - Bump pipelock image tag from 1.5.0 to 2.0.0 - Add first-class Helm values for trustedDomains and mcpToolPolicy.redirectProfiles - Update CI GitHub Action from @v1 to @v2 - Update compose example, config reference, and docs with v2.0 features * Releasing this today in `alpha` form --------- Co-authored-by: Juan José Mata <jjmata@jjmata.com>
2026-04-25 17:15:07 +02:00 · 2026-03-24 01:30:54 -07:00
parent f3ed07f96b
commit 1ddc427fd5
8 changed files with 115 additions and 20 deletions
--- a/.github/workflows/pipelock.yml
+++ b/.github/workflows/pipelock.yml
@@ -17,7 +17,7 @@ jobs:
          persist-credentials: false

      - name: Pipelock Scan
-        uses: luckyPipewrench/pipelock@v1
+        uses: luckyPipewrench/pipelock@v2
        with:
          scan-diff: 'true'
          fail-on-findings: 'true'
--- a/charts/sure/CHANGELOG.md
+++ b/charts/sure/CHANGELOG.md
@@ -5,9 +5,23 @@ All notable changes to the Sure Helm chart will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

-## [0.6.9-alpha] - 2026-03-21
+## [0.6.9-alpha] - 2026-03-24
+
+### Changed
+- Bumped `pipelock.image.tag` from `1.5.0` to `2.0.0`
+- CI: Pipelock GitHub Action updated from `@v1` to `@v2`
+- Compose example image changed from pinned `1.5.0` to `latest` with pin comment
+- Bumped `pipelock.image.tag` from `0.3.1` to `0.3.2`
+- Consolidated `compose.example.pipelock.yml` into `compose.example.ai.yml` — Pipelock now runs alongside Ollama in one compose file with health checks, config volume mount, and MCP env vars (`MCP_API_TOKEN`, `MCP_USER_EMAIL`)
+- CI: Pipelock scan `fail-on-findings` changed from `false` to `true`; added `exclude-paths` for locale help text false positives

 ### Added
+- **Pipelock v2.0 features**:
+  - `pipelock.trustedDomains`: first-class support for allowing internal services whose public DNS resolves to private IPs (prevents SSRF false positives)
+  - `pipelock.mcpToolPolicy.redirectProfiles`: route matched MCP tool calls to audited handler programs instead of blocking
+  - Updated `pipelock.example.yaml` with v2.0 feature documentation (trusted domains, redirect profiles, attack simulation, security scoring)
+  - Updated `extraConfig` comment to mention new v2.0 sections (sandbox, reverse_proxy)
+- Pipelock v2.0 highlights available via `extraConfig`: process sandbox (Linux/macOS), generic HTTP reverse proxy, adaptive enforcement exempt domains, kill switch API port isolation
 - **Bumped** `pipelock.image.tag` from `0.3.2` to `1.5.0`
 - **Pipelock security proxy** (`pipelock.enabled=true`): Separate Deployment + Service that provides two scanning layers
  - **Forward proxy** (port 8888): Scans outbound HTTPS from Faraday-based clients (e.g. ruby-openai). Auto-injects `HTTPS_PROXY`/`HTTP_PROXY`/`NO_PROXY` env vars into app pods
@@ -32,11 +46,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  - Component label (`app.kubernetes.io/component: pipelock`) on Service metadata for selector targeting
  - NOTES.txt: Pipelock health check commands, MCP access info, security notes, metrics status

-### Changed
- Bumped `pipelock.image.tag` from `0.3.1` to `0.3.2`
- Consolidated `compose.example.pipelock.yml` into `compose.example.ai.yml` — Pipelock now runs alongside Ollama in one compose file with health checks, config volume mount, and MCP env vars (`MCP_API_TOKEN`, `MCP_USER_EMAIL`)
- CI: Pipelock scan `fail-on-findings` changed from `false` to `true`; added `exclude-paths` for locale help text false positives
-
 ### Fixed
 - Renamed `_asserts.tpl` to `asserts.tpl` — Helm's `_` prefix convention prevented guards from executing

--- a/charts/sure/README.md
+++ b/charts/sure/README.md
@@ -640,21 +640,61 @@ hpa:

 ## Pipelock (AI agent security proxy)

-Pipelock is an optional sidecar that scans AI agent traffic for secret exfiltration, prompt injection, and tool poisoning. It runs as a separate Deployment with two listeners:
+[Pipelock](https://github.com/luckyPipewrench/pipelock) is an optional security proxy that scans AI agent traffic for secret exfiltration, prompt injection, tool poisoning, and SSRF. It runs as a separate Deployment with two listeners:

 - **Forward proxy** (port 8888): Scans outbound HTTPS from Faraday-based AI clients. Auto-injected via `HTTPS_PROXY` env vars when enabled.
 - **MCP reverse proxy** (port 8889): Scans inbound MCP traffic from external AI assistants.

+v2.0 adds enhanced tool poisoning detection (full JSON schema scanning), per-read kill switch preemption on long-lived connections, trusted domain allowlisting, and MCP tool redirect profiles. Process sandboxing and attack simulation are also available via `extraConfig` and CLI.
+
 ### Enabling Pipelock

 ```yaml
 pipelock:
  enabled: true
  image:
-    tag: "1.5.0"
+    tag: "2.0.0"
  mode: balanced   # strict, balanced, or audit
 ```

+### Trusted domains
+
+In Kubernetes, services often have public DNS records that resolve to private IPs. Without `trustedDomains`, the SSRF scanner blocks this legitimate traffic. Add trusted domains to allow them through:
+
+```yaml
+pipelock:
+  trustedDomains:
+    - "api.internal.example.com"
+    - "*.corp.example.com"
+```
+
+### MCP tool redirect profiles
+
+Redirect profiles route matched MCP tool calls to an audited handler program instead of blocking. The handler returns a synthetic MCP response, keeping the agent's flow intact while enforcing policy:
+
+```yaml
+pipelock:
+  mcpToolPolicy:
+    enabled: true
+    action: redirect      # or use per-rule action overrides
+    redirectProfiles:
+      safe-fetch:
+        exec: ["/pipelock", "internal-redirect", "fetch-proxy"]
+        reason: "Route fetch calls through audited proxy"
+```
+
+### Validating your config
+
+Pipelock v2.0 includes two CLI tools for config validation:
+
+```bash
+# Run 24 synthetic attack scenarios against your config
+pipelock simulate --config pipelock.yaml
+
+# Score your config's security posture (0-100)
+pipelock audit score --config pipelock.yaml
+```
+
 ### Exposing MCP to external AI assistants

 When running in Kubernetes, external AI agents need network access to the MCP reverse proxy port. Enable the Pipelock Ingress:
@@ -719,7 +759,7 @@ pipelock:

 ### Extra config (escape hatch)

-For Pipelock config sections not covered by structured values (session profiling, data budgets, kill switch, etc.), use `extraConfig`:
+For Pipelock config sections not covered by structured values (session profiling, data budgets, kill switch, sandbox, reverse proxy, adaptive enforcement, etc.), use `extraConfig`:

 ```yaml
 pipelock:
@@ -727,8 +767,12 @@ pipelock:
    session_profiling:
      enabled: true
      max_sessions: 1000
-    data_budget:
-      max_bytes_per_session: 10485760
+    adaptive_enforcement:
+      enabled: true
+      exempt_domains:
+        - "*.example.com"
+    kill_switch:
+      api_listen: ":9090"    # dedicated port for kill switch API
 ```

 These are appended verbatim to `pipelock.yaml`. Do not duplicate keys already rendered by the chart.
@@ -767,7 +811,7 @@ See `values.yaml` for the complete configuration surface, including:
 - `migrations.*`: strategy job or initContainer
 - `simplefin.encryption.*`: enable + backfill options
 - `cronjobs.*`: custom CronJobs
- `pipelock.*`: AI agent security proxy (forward proxy, MCP reverse proxy, DLP, injection scanning, logging, serviceMonitor, ingress, PDB, extraConfig)
+- `pipelock.*`: AI agent security proxy (forward proxy, MCP reverse proxy, DLP, injection scanning, trusted domains, tool redirect profiles, logging, serviceMonitor, ingress, PDB, extraConfig)
 - `service.*`, `ingress.*`, `serviceMonitor.*`, `hpa.*`

 ## Helm tests
--- a/charts/sure/templates/pipelock-configmap.yaml
+++ b/charts/sure/templates/pipelock-configmap.yaml
@@ -89,6 +89,12 @@ data:
  pipelock.yaml: |
    version: 1
    mode: {{ .Values.pipelock.mode | default "balanced" }}
+{{- if .Values.pipelock.trustedDomains }}
+    trusted_domains:
+{{- range .Values.pipelock.trustedDomains }}
+      - {{ . | quote }}
+{{- end }}
+{{- end }}
    forward_proxy:
      enabled: {{ $fwdEnabled }}
      max_tunnel_seconds: {{ $fwdMaxTunnel }}
@@ -122,6 +128,10 @@ data:
    mcp_tool_policy:
      enabled: {{ $mcpPolicyEnabled }}
      action: {{ $mcpPolicyAction }}
+{{- if and .Values.pipelock.mcpToolPolicy .Values.pipelock.mcpToolPolicy.redirectProfiles }}
+      redirect_profiles:
+        {{- toYaml .Values.pipelock.mcpToolPolicy.redirectProfiles | nindent 8 }}
+{{- end }}
    mcp_session_binding:
      enabled: {{ $mcpBindingEnabled }}
      unknown_tool_action: {{ $mcpBindingAction }}
--- a/charts/sure/values.yaml
+++ b/charts/sure/values.yaml
@@ -488,12 +488,16 @@ pipelock:
  enabled: false
  image:
    repository: ghcr.io/luckypipewrench/pipelock
-    tag: "1.5.0"
+    tag: "2.0.0"
    pullPolicy: IfNotPresent
    imagePullSecrets: []
  replicas: 1
  # Pipelock run mode: strict, balanced, audit
  mode: balanced
+  # Trusted domains: allow internal services whose public DNS resolves to private IPs.
+  # Without this, SSRF scanning blocks legitimate internal-to-internal traffic.
+  # Example: ["api.internal.example.com", "*.corp.example.com"]
+  trustedDomains: []
  forwardProxy:
    enabled: true
    port: 8888
@@ -519,6 +523,14 @@ pipelock:
  mcpToolPolicy:
    enabled: true
    action: warn
+    # Redirect profiles: route matched tool calls to audited handler programs instead
+    # of blocking. The handler returns a synthetic MCP response. Fail-closed on error.
+    # Example:
+    #   redirectProfiles:
+    #     safe-fetch:
+    #       exec: ["/pipelock", "internal-redirect", "fetch-proxy"]
+    #       reason: "Route fetch calls through audited proxy"
+    redirectProfiles: {}
  # MCP session binding: pins tool inventory on first tools/list, detects injection
  mcpSessionBinding:
    enabled: true
@@ -581,8 +593,8 @@ pipelock:

  # Escape hatch: ADDITIONAL config sections appended to pipelock.yaml.
  # Use for sections not covered by structured values above (session_profiling,
-  # data_budget, adaptive_enforcement, kill_switch, internal CIDRs, etc.)
-  # Do NOT duplicate keys already rendered above — behavior is parser-dependent.
+  # data_budget, adaptive_enforcement, kill_switch, sandbox, reverse_proxy, etc.)
+  # Do NOT duplicate keys already rendered above - behavior is parser-dependent.
  extraConfig: {}

  # Hard-fail helm template when externalAssistant is enabled without pipelock.
--- a/compose.example.ai.yml
+++ b/compose.example.ai.yml
@@ -88,7 +88,7 @@ x-rails-env: &rails_env

 services:
  pipelock:
-    image: ghcr.io/luckypipewrench/pipelock:1.5.0
+    image: ghcr.io/luckypipewrench/pipelock:latest  # pin to a specific version (e.g., :2.0.0) for production
    container_name: pipelock
    hostname: pipelock
    restart: unless-stopped
--- a/docs/hosting/pipelock.md
+++ b/docs/hosting/pipelock.md
@@ -77,12 +77,14 @@ Enable Pipelock in your Helm values:
 pipelock:
  enabled: true
  image:
-    tag: "1.5.0"
+    tag: "2.0.0"
  mode: balanced
 ```

 This creates a separate Deployment, Service, and ConfigMap. The chart auto-injects `HTTPS_PROXY`/`HTTP_PROXY`/`NO_PROXY` into web and worker pods.

+v2.0 adds trusted domain allowlisting, MCP tool redirect profiles, enhanced tool poisoning detection (full JSON schema scanning), and per-read kill switch preemption on long-lived connections. Process sandboxing and attack simulation are also available via `extraConfig` and CLI.
+
 ### Exposing MCP to external agents (Kubernetes)

 In Kubernetes, external agents cannot reach the MCP port by default. Enable the Pipelock Ingress:
@@ -144,18 +146,19 @@ The `pipelock.example.yaml` file (Docker Compose) or ConfigMap (Helm) controls s
 | Section | What it controls |
 |---------|-----------------|
 | `mode` | `strict` (block threats), `balanced` (warn + block critical), `audit` (log only) |
+| `trusted_domains` | Allow internal services whose public DNS resolves to private IPs |
 | `forward_proxy` | Outbound HTTPS scanning (tunnel timeouts, idle timeouts) |
 | `dlp` | Data loss prevention (scan env vars, built-in patterns) |
 | `response_scanning` | Scan LLM responses for prompt injection |
 | `mcp_input_scanning` | Scan inbound MCP requests |
 | `mcp_tool_scanning` | Validate tool calls, detect drift |
-| `mcp_tool_policy` | Pre-execution rules (shell obfuscation, etc.) |
+| `mcp_tool_policy` | Pre-execution rules, shell obfuscation, redirect profiles |
 | `mcp_session_binding` | Pin tool inventory, detect manipulation |
 | `tool_chain_detection` | Multi-step attack patterns |
 | `websocket_proxy` | WebSocket frame scanning (disabled by default) |
 | `logging` | Output format (json/text), verbosity |

-For the Helm chart, most sections are configurable via `values.yaml`. For additional sections not covered by structured values (session profiling, data budgets, kill switch), use the `extraConfig` escape hatch:
+For the Helm chart, most sections are configurable via `values.yaml`. For additional sections not covered by structured values (session profiling, data budgets, kill switch, sandbox, reverse proxy, adaptive enforcement), use the `extraConfig` escape hatch:

 ```yaml
 pipelock:
--- a/pipelock.example.yaml
+++ b/pipelock.example.yaml
@@ -1,9 +1,20 @@
 # Pipelock configuration for Docker Compose
 # See https://github.com/luckyPipewrench/pipelock for full options.
+#
+# New in v2.0: trusted_domains, redirect profiles, attack simulation,
+# security scoring, process sandbox, and enhanced tool poisoning detection.
+# Run `pipelock simulate --config <file>` to test your config against 24 attack scenarios.
+# Run `pipelock audit score --config <file>` for a security posture score (0-100).

 version: 1
 mode: balanced

+# Trusted domains: allow services whose public DNS resolves to private IPs.
+# Prevents SSRF scanner from blocking legitimate internal traffic.
+# trusted_domains:
+#   - "api.internal.example.com"
+#   - "*.corp.example.com"
+
 forward_proxy:
  enabled: true
  max_tunnel_seconds: 300
@@ -43,6 +54,12 @@ mcp_tool_scanning:
 mcp_tool_policy:
  enabled: true
  action: warn
+  # Redirect profiles (v2.0): route matched tool calls to audited handler programs
+  # instead of blocking. The handler returns a synthetic MCP response.
+  # redirect_profiles:
+  #   safe-fetch:
+  #     exec: ["/pipelock", "internal-redirect", "fetch-proxy"]
+  #     reason: "Route fetch calls through audited proxy"

 mcp_session_binding:
  enabled: true