# Pipelock configuration for Docker Compose
# See https://github.com/luckyPipewrench/pipelock for full options.
#
# Recent additions (2.5): Audit Packet v0 schema with Go/TypeScript/Rust
# verifiers, request-body prompt-injection blocking, SPIFFE-strict inbound
# mediation envelopes, scanner attribution on MCP block receipts, wedge-
# detection health watchdog, learn-and-lock behavioural contracts, trusted
# domains, redirect profiles, attack simulation, security scoring, process
# sandbox, signed action receipts, per-pattern DLP warn mode, and the
# `pipelock posture verify` / `pipelock session` / `pipelock doctor` CLIs.
# Run `pipelock simulate --config <file>` to test your config against 24 attack scenarios.
# Run `pipelock audit score --config <file>` for a security posture score (0-100).
# Run `pipelock doctor` to verify configured protections are actually enforceable.

version: 1
mode: balanced

# Trusted domains: allow services whose public DNS resolves to private IPs.
# Prevents SSRF scanner from blocking legitimate internal traffic.
# trusted_domains:
#   - "api.internal.example.com"
#   - "*.corp.example.com"

forward_proxy:
  enabled: true
  max_tunnel_seconds: 300
  idle_timeout_seconds: 60

websocket_proxy:
  enabled: false
  max_message_bytes: 1048576
  max_concurrent_connections: 128
  scan_text_frames: true
  allow_binary_frames: false
  forward_cookies: false
  strip_compression: true
  max_connection_seconds: 3600
  idle_timeout_seconds: 300
  origin_policy: rewrite

dlp:
  scan_env: true
  include_defaults: true

response_scanning:
  enabled: true
  action: warn
  include_defaults: true

mcp_input_scanning:
  enabled: true
  action: block
  on_parse_error: block

mcp_tool_scanning:
  enabled: true
  action: warn
  detect_drift: true

mcp_tool_policy:
  enabled: false
  action: warn
  # Redirect profiles: route matched tool calls to audited handler programs
  # instead of blocking. The handler returns a synthetic MCP response.
  # redirect_profiles:
  #   safe-fetch:
  #     exec: ["/pipelock", "internal-redirect", "fetch-proxy"]
  #     reason: "Route fetch calls through audited proxy"

mcp_session_binding:
  enabled: true
  unknown_tool_action: warn

tool_chain_detection:
  enabled: true
  action: warn
  window_size: 20
  max_gap: 3

# Request body scanning (pipelock 2.5+): detect prompt-injection payloads in
# outbound request bodies (JSON, form-encoded, raw text, WebSocket frames).
# In enforce mode, prompt-injection findings hard-block non-provider
# destinations even when action is "warn". Trusted provider hosts (OpenAI,
# Anthropic, etc.) remain exempt via the response_scanning exemption list.
request_body_scanning:
  enabled: false
  action: warn
  max_body_bytes: 5242880
  scan_headers: true
  header_mode: sensitive

# Health watchdog (pipelock 2.4+): /health returns 503 when any subsystem
# heartbeat goes stale. Enabled by default; set expose_subsystems true to
# include a per-subsystem boolean map in /health responses.
health_watchdog:
  enabled: true
  interval_seconds: 2
  expose_subsystems: false