mirror of
https://github.com/we-promise/sure.git
synced 2026-05-24 21:14:56 +00:00
ca895416a4
* chore(helm): bump pipelock to 2.5.0 and surface 2.5 config Bumps pipelock.image.tag from 2.2.0 to 2.5.0 and exposes the most relevant 2.5 features as structured Helm values: - pipelock.requestBodyScanning: scan outbound bodies and sensitive headers for prompt-injection and DLP payloads. Disabled by default; roll out with action=warn before flipping to block. - pipelock.healthWatchdog: structured config for the wedge-detection watchdog with an exposeSubsystems toggle for /health detail. - pipelock.mcpToolPolicy.rules: structured values for rendering mcp_tool_policy.rules including redirect-profile references. Also fixes a latent config-validation regression: pipelock 2.x rejects an enabled mcp_tool_policy with no rules, but the chart previously defaulted to enabled=true with an empty rules list, which hard-fails 'pipelock check'. The default is now enabled=false; operators must explicitly enable and provide at least one rule. Refreshes README, CHANGELOG, docs/hosting/pipelock.md, docs/hosting/ai.md, compose example pin comment, and pipelock.example.yaml to call out 2.5 highlights (Audit Packet v0 verifiers, SPIFFE-strict envelopes, scanner attribution on MCP block receipts, pipelock doctor). Also fixes a stale docs/hosting/mcp.md reference to the removed compose.example.pipelock.yml. * chore(helm): fail helm template when mcp_tool_policy enabled with no rules Adds a guard in asserts.tpl so an operator who sets pipelock.mcpToolPolicy.enabled=true without populating pipelock.mcpToolPolicy.rules gets a clear render-time error instead of a container crash-loop with the pipelock validation message. Per CodeRabbit feedback on #1913. * Versions --------- Co-authored-by: Juan José Mata <jjmata@jjmata.com>
99 lines
3.0 KiB
YAML
99 lines
3.0 KiB
YAML
# Pipelock configuration for Docker Compose
|
|
# See https://github.com/luckyPipewrench/pipelock for full options.
|
|
#
|
|
# Recent additions (2.5): Audit Packet v0 schema with Go/TypeScript/Rust
|
|
# verifiers, request-body prompt-injection blocking, SPIFFE-strict inbound
|
|
# mediation envelopes, scanner attribution on MCP block receipts, wedge-
|
|
# detection health watchdog, learn-and-lock behavioural contracts, trusted
|
|
# domains, redirect profiles, attack simulation, security scoring, process
|
|
# sandbox, signed action receipts, per-pattern DLP warn mode, and the
|
|
# `pipelock posture verify` / `pipelock session` / `pipelock doctor` CLIs.
|
|
# Run `pipelock simulate --config <file>` to test your config against 24 attack scenarios.
|
|
# Run `pipelock audit score --config <file>` for a security posture score (0-100).
|
|
# Run `pipelock doctor` to verify configured protections are actually enforceable.
|
|
|
|
version: 1
|
|
mode: balanced
|
|
|
|
# Trusted domains: allow services whose public DNS resolves to private IPs.
|
|
# Prevents SSRF scanner from blocking legitimate internal traffic.
|
|
# trusted_domains:
|
|
# - "api.internal.example.com"
|
|
# - "*.corp.example.com"
|
|
|
|
forward_proxy:
|
|
enabled: true
|
|
max_tunnel_seconds: 300
|
|
idle_timeout_seconds: 60
|
|
|
|
websocket_proxy:
|
|
enabled: false
|
|
max_message_bytes: 1048576
|
|
max_concurrent_connections: 128
|
|
scan_text_frames: true
|
|
allow_binary_frames: false
|
|
forward_cookies: false
|
|
strip_compression: true
|
|
max_connection_seconds: 3600
|
|
idle_timeout_seconds: 300
|
|
origin_policy: rewrite
|
|
|
|
dlp:
|
|
scan_env: true
|
|
include_defaults: true
|
|
|
|
response_scanning:
|
|
enabled: true
|
|
action: warn
|
|
include_defaults: true
|
|
|
|
mcp_input_scanning:
|
|
enabled: true
|
|
action: block
|
|
on_parse_error: block
|
|
|
|
mcp_tool_scanning:
|
|
enabled: true
|
|
action: warn
|
|
detect_drift: true
|
|
|
|
mcp_tool_policy:
|
|
enabled: false
|
|
action: warn
|
|
# Redirect profiles: route matched tool calls to audited handler programs
|
|
# instead of blocking. The handler returns a synthetic MCP response.
|
|
# redirect_profiles:
|
|
# safe-fetch:
|
|
# exec: ["/pipelock", "internal-redirect", "fetch-proxy"]
|
|
# reason: "Route fetch calls through audited proxy"
|
|
|
|
mcp_session_binding:
|
|
enabled: true
|
|
unknown_tool_action: warn
|
|
|
|
tool_chain_detection:
|
|
enabled: true
|
|
action: warn
|
|
window_size: 20
|
|
max_gap: 3
|
|
|
|
# Request body scanning (pipelock 2.5+): detect prompt-injection payloads in
|
|
# outbound request bodies (JSON, form-encoded, raw text, WebSocket frames).
|
|
# In enforce mode, prompt-injection findings hard-block non-provider
|
|
# destinations even when action is "warn". Trusted provider hosts (OpenAI,
|
|
# Anthropic, etc.) remain exempt via the response_scanning exemption list.
|
|
request_body_scanning:
|
|
enabled: false
|
|
action: warn
|
|
max_body_bytes: 5242880
|
|
scan_headers: true
|
|
header_mode: sensitive
|
|
|
|
# Health watchdog (pipelock 2.4+): /health returns 503 when any subsystem
|
|
# heartbeat goes stale. Enabled by default; set expose_subsystems true to
|
|
# include a per-subsystem boolean map in /health responses.
|
|
health_watchdog:
|
|
enabled: true
|
|
interval_seconds: 2
|
|
expose_subsystems: false
|