chore(helm): bump pipelock to 2.5.0 and surface 2.5 config (#1913)

* chore(helm): bump pipelock to 2.5.0 and surface 2.5 config

Bumps pipelock.image.tag from 2.2.0 to 2.5.0 and exposes the most
relevant 2.5 features as structured Helm values:

- pipelock.requestBodyScanning: scan outbound bodies and sensitive
  headers for prompt-injection and DLP payloads. Disabled by default;
  roll out with action=warn before flipping to block.
- pipelock.healthWatchdog: structured config for the wedge-detection
  watchdog with an exposeSubsystems toggle for /health detail.
- pipelock.mcpToolPolicy.rules: structured values for rendering
  mcp_tool_policy.rules including redirect-profile references.

Also fixes a latent config-validation regression: pipelock 2.x rejects
an enabled mcp_tool_policy with no rules, but the chart previously
defaulted to enabled=true with an empty rules list, which hard-fails
'pipelock check'. The default is now enabled=false; operators must
explicitly enable and provide at least one rule.

Refreshes README, CHANGELOG, docs/hosting/pipelock.md, docs/hosting/ai.md,
compose example pin comment, and pipelock.example.yaml to call out 2.5
highlights (Audit Packet v0 verifiers, SPIFFE-strict envelopes, scanner
attribution on MCP block receipts, pipelock doctor). Also fixes a stale
docs/hosting/mcp.md reference to the removed compose.example.pipelock.yml.

* chore(helm): fail helm template when mcp_tool_policy enabled with no rules

Adds a guard in asserts.tpl so an operator who sets
pipelock.mcpToolPolicy.enabled=true without populating
pipelock.mcpToolPolicy.rules gets a clear render-time error instead
of a container crash-loop with the pipelock validation message.

Per CodeRabbit feedback on #1913.

* Versions

---------

Co-authored-by: Juan José Mata <jjmata@jjmata.com>
Author: Josh
Date: 2026-05-24 07:50:44 -04:00
Committed by: GitHub
Parent: 98ca1608f4
Commit: ca895416a4
10 changed files with 196 additions and 22 deletions
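A render-time guard of the kind the second commit describes for asserts.tpl, written here as an added illustration, not the chart's own template. The named template `pipelock.assertMcpToolPolicy`, the `$policy` variable and the rule field `name` are assumptions; the values paths `pipelock.mcpToolPolicy.enabled` and `pipelock.mcpToolPolicy.rules` and the pipelock 2.x rejection of an enabled policy with no rules come from the commit message above.

```helm
{{/*
Illustrative render-time guard (assumed shape; not the chart's asserts.tpl).

Values shape taken from the commit message:

  pipelock:
    mcpToolPolicy:
      enabled: true           # chart default is now false
      rules:                  # must be non-empty when enabled
        - name: example-rule  # rule fields are hypothetical here

pipelock 2.x rejects an enabled mcp_tool_policy with no rules, so fail at
`helm template` / `helm install` time instead of shipping a ConfigMap that
makes the container crash-loop on `pipelock check`.

Assumes the chart's values.yaml defines pipelock.mcpToolPolicy (the commit
says it defaults to enabled=false), so the path below always resolves.
*/}}
{{- define "pipelock.assertMcpToolPolicy" -}}
{{- $policy := .Values.pipelock.mcpToolPolicy -}}
{{- if and $policy.enabled (not $policy.rules) -}}
{{- fail "pipelock.mcpToolPolicy.enabled=true requires at least one entry in pipelock.mcpToolPolicy.rules (pipelock 2.x rejects an enabled mcp_tool_policy with no rules)" -}}
{{- end -}}
{{- end -}}

{{/*
Invoke it from the template that renders the pipelock config (ConfigMap,
Deployment, etc.) before any output is emitted, e.g. at the top of that file:
*/}}
{{- include "pipelock.assertMcpToolPolicy" . -}}
```

With this in place, `helm template . --set pipelock.mcpToolPolicy.enabled=true` aborts with the message above, while either leaving the policy disabled or supplying at least one rule renders normally. Keep the guard's message aligned with the wording `pipelock check` prints so an operator can correlate the two.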


@@ -1,12 +1,16 @@
# Pipelock configuration for Docker Compose
# See https://github.com/luckyPipewrench/pipelock for full options.
#
# Recent additions: trusted_domains, redirect profiles, attack simulation,
# security scoring, process sandbox, enhanced tool poisoning detection, signed
# action receipts, per-pattern DLP warn mode, and the `pipelock posture verify`
# / `pipelock session` CLIs.
# Recent additions (2.5): Audit Packet v0 schema with Go/TypeScript/Rust
# verifiers, request-body prompt-injection blocking, SPIFFE-strict inbound
# mediation envelopes, scanner attribution on MCP block receipts, wedge-
# detection health watchdog, learn-and-lock behavioural contracts, trusted
# domains, redirect profiles, attack simulation, security scoring, process
# sandbox, signed action receipts, per-pattern DLP warn mode, and the
# `pipelock posture verify` / `pipelock session` / `pipelock doctor` CLIs.
# Run `pipelock simulate --config <file>` to test your config against 24 attack scenarios.
# Run `pipelock audit score --config <file>` for a security posture score (0-100).
# Run `pipelock doctor` to verify configured protections are actually enforceable.
version: 1
mode: balanced
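Review bot: the rewritten header comment labels the whole list as "Recent additions (2.5)", but trusted domains, redirect profiles, attack simulation, security scoring, the process sandbox, signed action receipts and per-pattern DLP warn mode were already in the pre-2.5 list this hunk replaces, so the "(2.5)" tag now misattributes them; split the comment into "New in 2.5: ..." and "Also available: ...". The unchanged `# Run \`pipelock simulate --config <file>\` to test your config against 24 attack scenarios.` line still carries the scenario count from the 2.2 pin; confirm it matches 2.5 or drop the number so it cannot go stale again.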
@@ -72,3 +76,23 @@ tool_chain_detection:
action: warn
window_size: 20
max_gap: 3
# Request body scanning (pipelock 2.5+): detect prompt-injection payloads in
# outbound request bodies (JSON, form-encoded, raw text, WebSocket frames).
# In enforce mode, prompt-injection findings hard-block non-provider
# destinations even when action is "warn". Trusted provider hosts (OpenAI,
# Anthropic, etc.) remain exempt via the response_scanning exemption list.
request_body_scanning:
enabled: false
action: warn
max_body_bytes: 5242880
scan_headers: true
header_mode: sensitive
# Health watchdog (pipelock 2.4+): /health returns 503 when any subsystem
# heartbeat goes stale. Enabled by default; set expose_subsystems true to
# include a per-subsystem boolean map in /health responses.
health_watchdog:
enabled: true
interval_seconds: 2
expose_subsystems: false
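Review bot: the request_body_scanning comment says that in enforce mode prompt-injection findings hard-block non-provider destinations even when action is "warn", which contradicts the commit's own rollout advice ("roll out with action=warn before flipping to block"); state in the comment that warn-only staging holds only outside enforce mode, since this example sets `mode: balanced` and an operator who copies the block into an enforce-mode config gets blocking on day one. Also document what happens when a body exceeds `max_body_bytes: 5242880` (skipped, truncated and scanned, or rejected) and what `header_mode: sensitive` actually covers, as both are undocumented here; and the health_watchdog comment says "pipelock 2.4+" while the commit message lists the watchdog among the 2.5 features, so reconcile the version tag.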