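# Pipelock config — hostile model preset
# For agents running uncensored, abliterated, or jailbroken models.
# Assumes the model has ZERO safety guardrails and will comply with any instruction.
#
# Use this for: red-team testing, self-hosted uncensored models, models with
# safety refusals removed via weight ablation (e.g. OBLITERATUS), or any agent
# where you cannot trust the model to refuse harmful requests.
#
# This preset enables every defense layer that needs no host-side setup and sets
# all ambiguous decisions to block. Layers that need local provisioning stay off
# (see tls_interception, kill_switch, airlock and the commented-out sections).
# The model won't protect you. The network layer will.
#
# NOTE(review): indentation in this file was reconstructed from a flattened
# render; confirm section nesting against the pipelock config schema.
version: 1
mode: strict

# Hosts the agent may reach directly as API endpoints.
api_allowlist:
  - "*.anthropic.com"
  - "*.openai.com"

fetch_proxy:
  listen: "127.0.0.1:8888"  # loopback only; keep it that way unless access control sits in front
  timeout_seconds: 15
  max_response_mb: 5
  user_agent: "Pipelock Fetch/1.0"

monitoring:
  max_url_length: 300
  # 3.0 is aggressive: catches more encoded secrets, more false positives.
  # Acceptable trade-off when the model is actively hostile.
  entropy_threshold: 3.0
  max_requests_per_minute: 15
  # Paste, file-drop, tunnel and request-capture services: common exfiltration sinks.
  blocklist:
    - "*.pastebin.com"
    - "*.hastebin.com"
    - "*.paste.ee"
    - "*.transfer.sh"
    - "*.file.io"
    - "*.requestbin.com"
    - "*.ngrok.io"
    - "*.ngrok-free.app"
    - "*.pipedream.net"
    - "*.webhook.site"
    - "*.hookbin.com"
    - "*.beeceptor.com"
    - "*.requestcatcher.com"
    - "*.burpcollaborator.net"
  # Empty on purpose: no subdomain is exempt from entropy checks in this preset.
  subdomain_entropy_exclusions: []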
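forward_proxy:
  enabled: true
  max_tunnel_seconds: 120
  idle_timeout_seconds: 30
  sni_verification: true  # presumably checks the TLS SNI against the CONNECT target — confirm

# NOTE(review): nesting reconstructed from a flattened render; confirm whether
# this section is top-level or a child of forward_proxy in the schema.
request_body_scanning:
  enabled: true
  action: block
  max_body_bytes: 5242880  # 5 MiB
  scan_headers: true
  header_mode: all
  # Header names treated as credential-bearing when scanning requests.
  sensitive_headers:
    - Authorization
    - Cookie
    - X-Api-Key
    - X-Token
    - Proxy-Authorization
    - X-Goog-Api-Key

websocket_proxy:
  enabled: true
  max_message_bytes: 524288
  max_concurrent_connections: 16
  scan_text_frames: true
  allow_binary_frames: false  # binary frames cannot be pattern-scanned; refuse them
  forward_cookies: false
  strip_compression: true  # presumably keeps frames scannable as plaintext — confirm
  max_connection_seconds: 1800
  idle_timeout_seconds: 120
  origin_policy: rewrite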
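# Outbound DLP. include_defaults: false means the built-in pattern set is not
# merged in — only the patterns listed here are active, so keep this list
# complete for the credential types your environment holds.
dlp:
  scan_env: true  # presumably also scans process environment values — confirm
  include_defaults: false
  patterns:
    # Provider API keys
    - name: "Anthropic API Key"
      regex: 'sk-ant-[a-zA-Z0-9\-_]{10,}'
      severity: critical
    - name: "OpenAI API Key"
      regex: 'sk-proj-[a-zA-Z0-9\-_]{10,}'
      severity: critical
    - name: "OpenAI Service Key"
      regex: 'sk-svcacct-[a-zA-Z0-9\-]{10,}'
      severity: critical
    - name: "Fireworks API Key"
      regex: 'fw_[a-zA-Z0-9]{24,}'
      severity: critical
    - name: "Google API Key"
      regex: 'AIza[0-9A-Za-z\-_]{35}'
      severity: critical
    - name: "Google OAuth Client Secret"
      regex: 'GOCSPX-[A-Za-z0-9_\-]{28,}'
      severity: critical
    - name: "Stripe Key"
      regex: '[sr]k[-_](live|test)[-_][a-zA-Z0-9]{20,}'
      severity: critical
    - name: "Stripe Webhook Secret"
      regex: 'whsec_[a-zA-Z0-9_\-]{20,}'
      severity: critical
    # Source control tokens
    - name: "GitHub Token"
      regex: 'gh[pousr]_[A-Za-z0-9_]{36,}'
      severity: critical
    - name: "GitHub Fine-Grained PAT"
      regex: 'github_pat_[a-zA-Z0-9_]{36,}'
      severity: critical
    - name: "GitLab PAT"
      regex: 'glpat-[a-zA-Z0-9\-_]{20,}'
      severity: critical
    # Cloud provider credentials
    - name: "AWS Access ID"
      regex: '(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16,}'
      severity: critical
    # Keyed on a nearby variable/field name because the secret itself has no
    # distinguishing prefix; '' inside single quotes is a literal apostrophe.
    - name: "AWS Secret Key"
      regex: '(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY|secret.?access.?key|SecretAccessKey)\s*["''=:\s]{1,5}\s*[A-Za-z0-9/+=]{40}'
      severity: critical
    - name: "Google OAuth Token"
      regex: 'ya29\.[a-zA-Z0-9_-]{20,}'
      severity: critical
    # Messaging platform tokens
    - name: "Slack Token"
      regex: 'xox[bpras]-[0-9a-zA-Z-]{15,}'
      severity: critical
    - name: "Slack App Token"
      regex: 'xapp-[0-9]+-[A-Za-z0-9_]+-[0-9]+-[a-f0-9]+'
      severity: critical
    - name: "Discord Bot Token"
      regex: '[MN][A-Za-z0-9]{23,}\.[A-Za-z0-9\-_]{6}\.[A-Za-z0-9\-_]{27,}'
      severity: critical
    # Communication service keys
    - name: "Twilio API Key"
      regex: 'SK[a-f0-9]{32}'
      severity: critical
    - name: "SendGrid API Key"
      regex: 'SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}'
      severity: critical
    - name: "Mailgun API Key"
      regex: 'key-[a-zA-Z0-9]{32}'
      severity: critical
    # Observability / monitoring
    - name: "New Relic API Key"
      regex: 'NRAK-[A-Z0-9]{27,}'
      severity: critical
    # AI/ML provider keys
    - name: "Hugging Face Token"
      regex: 'hf_[A-Za-z0-9]{20,}'
      severity: critical
    - name: "Databricks Token"
      regex: 'dapi[a-z0-9]{30,}'
      severity: critical
    - name: "Replicate API Token"
      regex: 'r8_[A-Za-z0-9]{20,}'
      severity: critical
    - name: "Together AI Key"
      regex: 'tok_[a-z0-9]{40,}'
      severity: critical
    - name: "Pinecone API Key"
      regex: 'pcsk_[a-zA-Z0-9]{36,}'
      severity: critical
    - name: "Groq API Key"
      regex: 'gsk_[a-zA-Z0-9]{48,}'
      severity: critical
    - name: "xAI API Key"
      regex: 'xai-[a-zA-Z0-9\-_]{80,}'
      severity: critical
    # Infrastructure and platform tokens
    - name: "DigitalOcean Token"
      regex: 'dop_v1_[a-f0-9]{64}'
      severity: critical
    - name: "HashiCorp Vault Token"
      regex: 'hvs\.[a-zA-Z0-9]{23,}'
      severity: critical
    - name: "Vercel Token"
      regex: '(?:vercel|vc[piark])_[a-zA-Z0-9]{24,}'
      severity: critical
    - name: "Supabase Service Key"
      regex: 'sb_secret_[a-zA-Z0-9_-]{20,}'
      severity: critical
    # Package registry tokens
    - name: "npm Token"
      regex: 'npm_[A-Za-z0-9]{36,}'
      severity: critical
    - name: "PyPI Token"
      regex: 'pypi-[A-Za-z0-9_-]{16,}'
      severity: critical
    # Developer platform tokens
    - name: "Linear API Key"
      regex: 'lin_api_[a-zA-Z0-9]{40,}'
      severity: critical
    - name: "Notion API Key"
      regex: 'ntn_[a-zA-Z0-9]{40,}'
      severity: critical
    - name: "Sentry Auth Token"
      regex: 'sntrys_[a-zA-Z0-9]{40,}'
      severity: critical
    # Cryptographic material
    - name: "Private Key Header"
      regex: '-----BEGIN\s+(RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----'
      severity: critical
    - name: "JWT Token"
      regex: '(ey[a-zA-Z0-9_\-=]{10,}\.){2}[a-zA-Z0-9_\-=]{10,}'
      severity: critical
    # Cryptocurrency private keys
    - name: "Bitcoin WIF Private Key"
      regex: '(?:5[1-9A-HJ-NP-Za-km-z]{50}|[KL][1-9A-HJ-NP-Za-km-z]{51})'
      severity: critical
      validator: wif
    - name: "Extended Private Key"
      regex: '[xyzt]prv[1-9A-HJ-NP-Za-km-z]{107,108}'
      severity: critical
    # NOTE(review): lowercase hex only and no leading word boundary, unlike the
    # address pattern below — an uppercase-hex key would not match; confirm intended.
    - name: "Ethereum Private Key"
      regex: '0x[0-9a-f]{64}\b'
      severity: critical
    - name: "Ethereum Address"
      regex: '0x[0-9a-fA-F]{40}\b'
      severity: high
    # Identity / PII
    # NOTE(review): severity is far below the rest of this preset — confirm intended.
    - name: "Social Security Number"
      regex: '\b\d{3}-\d{2}-\d{4}\b'
      severity: low
    # OAuth client identifiers
    - name: "Google OAuth Client ID"
      regex: '[0-9]{6,}-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'
      severity: critical
    # Generic credential patterns
    - name: "Credential in URL"
      regex: '(?m)(?:^|[?&;])\s*(?:password|passwd|secret|token|apikey|api_key|api-key)\s*=\s*[^\s&]{4,}'
      severity: critical
    - name: "Environment Variable Secret"
      regex: '(?-i:[A-Z][A-Z0-9]*[_-](?:SECRET(?:[_-]ACCESS)?[_-]?KEY|SECRET|PASSWORD|PASSWD|TOKEN|API[_-]?KEY))\b\s*=\s*\S{8,}'
      severity: high
    # Financial identifiers (validated with post-match checksums)
    - name: "Credit Card Number"
      regex: '\b\d{4}(?:[- ]?\d){11,15}\b'
      severity: medium
      validator: luhn
    - name: "IBAN"
      regex: '\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b'
      severity: medium
      validator: mod97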
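# Inbound response scanning for prompt-injection markers. include_defaults: false
# means only the patterns below are active. All are case-insensitive via (?i)
# except the (?-i:...) groups, which keep a token such as DAN case-sensitive to
# avoid matching the ordinary word "dan".
response_scanning:
  enabled: true
  action: block
  include_defaults: false
  patterns:
    - name: "Prompt Injection"
      regex: '(?i)(ignore|disregard|forget|abandon)[-,;:.\s]+\s*(?:all\s+\w+\s+|\w+\s+all\s+|all\s+|\w+\s+)?(previous|prior|above|earlier)\s+(\w+\s+)?(instructions|prompts|rules|context|directives|constraints|policies|guardrails)'
    - name: "System Override"
      regex: '(?im)^\s*system\s*:'
    - name: "Role Override"
      regex: '(?i)you\s+are\s+(now\s+)?(a\s+)?((?-i:\bDAN\b)|evil|unrestricted|jailbroken|unfiltered)'
    - name: "New Instructions"
      regex: '(?i)(new|updated|revised)\s+(instructions|directives|rules|prompt)'
    - name: "Jailbreak Attempt"
      regex: '(?i)((?-i:\bDAN\b)|developer\s+mode|sudo\s+mode|unrestricted\s+mode)'
    - name: "Hidden Instruction"
      regex: '(?i)(do\s+not\s+(reveal|tell|show|display|mention)\s+this\s+to\s+the\s+user|hidden\s+instruction|invisible\s+to\s+(the\s+)?user|the\s+user\s+(cannot|must\s+not|should\s+not)\s+see\s+this)'
    - name: "Behavior Override"
      regex: '(?i)from\s+now\s+on\s+(you\s+)?(will|must|should|shall)\s+'
    - name: "Encoded Payload"
      regex: '(?i)(decode\s+(this|the\s+following)\s+(from\s+)?base64\s+and\s+(execute|run|follow)|eval\s*\(\s*atob\s*\()'
    - name: "Tool Invocation"
      regex: '(?i)you\s+must\s+(immediately\s+)?(call|execute|run|invoke)\s+(the|this)\s+(function|tool|command|api|endpoint)'
    - name: "Authority Escalation"
      regex: '(?i)you\s+(now\s+)?have\s+(full\s+)?(admin|root|system|superuser|elevated)\s+(access|privileges|permissions|rights)'
    - name: "Pliny Divider"
      regex: '(?i)={1,3}/?[A-Z\-]{2,}(/[A-Z\-]{1,4}){3,}=+'
    - name: "Meta-Command Activation"
      regex: '(?i)(\{GODMODE\s*:\s*(ENABLED|ON|TRUE)\}|!OMNI\b|RESET_CORTEX|LIBERTAS\s+FACTOR|ENABLE\s+DEV(ELOPER)?\s+MODE|JAILBREAK\s+(ENABLED|ACTIVATED|ON))'
    # '' inside the single-quoted scalar is a literal apostrophe (let's, doesn't).
    - name: "Roleplay Framing"
      regex: '(?i)(let''?s\s+play\s+a\s+game\s+where\s+you|pretend\s+you\s+are\s+an?\s+(character|person|AI)\s+(who|that)\s+(has\s+no|doesn''?t\s+have|ignores?|bypasses?)|(in\s+this\s+)?(hypothetical|fictional|imaginary)\s+scenario\s+(where\s+)?you\s+(are|have|can|must))'
    # Chat-template control tokens appearing in fetched content.
    - name: "Instruction Boundary"
      regex: '(<\|(?:endoftext|im_start|im_end|system|end_header_id|begin_of_text)\|>|\[/?INST\]|<\|(?:user|assistant)\|>|<</?SYS>>)'
    - name: "Covert Action Directive"
      regex: '(?i)(secretly|silently|covertly|quietly|without\s+(?:the\s+user\s+)?(?:knowing|noticing|seeing))\s+.{0,40}\b(execut\w*|run|call|invoke|send|fetch|curl|wget|download|upload|post)\b'
    - name: "Output Format Forcing"
      regex: '(?i)(respond\s+with|first\s+(output|write|print|say))\s*[\[\("]?\s*(FILTERED|ERROR|BLOCKED|REFUSED|DECLINED|CENSORED)\s*[\]\)"]?\s*(then|followed\s+by|and\s+then|after\s+(that|which))'
    - name: "System Prompt Extraction"
      regex: '(?i)(repeat\s+(your|the)\s+(entire\s+)?(instructions|system\s+prompt|initial\s+prompt|rules)|what\s+(is|are)\s+your\s+(system\s+prompt|instructions|rules|directives)|output\s+(your|the)\s+(full\s+)?(system|initial)\s+(prompt|instructions|message)|show\s+me\s+(your|the)\s+(system\s+prompt|hidden\s+instructions|initial\s+instructions)|(disclose|expose|dump|divulge)\s+(your|the)\s+(hidden\s+|secret\s+|internal\s+)*(system\s+|initialization\s+)*(prompt|instructions|rules|directives))'
    - name: "Instruction Invalidation"
      regex: '(?i)(treat|consider|regard)\s+(all\s+)?(earlier|prior|previous|preceding|above)\s+(directions|instructions|guidelines|rules|prompts?)\s+as\s+(obsolete|void|invalid|superseded|overridden|null|cancelled|revoked|inapplicable)'
    - name: "Instruction Dismissal"
      regex: '(?i)(set|put|cast|push|throw)\s+(all\s+)?(previous|prior|earlier|preceding|above|existing|current)\s+(\w+\s+)?(directives|instructions|guidelines|rules|prompts?|constraints|safeguards|policies|guardrails)\s+(aside|away|to\s+(one|the)\s+side)'
    - name: "Instruction Downgrade"
      regex: '(?i)(treat|consider|regard|reinterpret|downgrade)\s+((?:the|all)\s+)?(previous|prior|above|earlier|system|policy|original|existing)\s+(\w+\s+)?(text|instructions?|rules|directives|guidelines|safeguards|constraints|controls|checks|context|prompt|policies|guardrails|parameters)\s+((as|to)\s+)?(historical|outdated|deprecated|optional|background|secondary|non-binding|non-authoritative|informational|advisory)'
    - name: "Priority Override"
      regex: '(?i)prioritize\s+(the\s+)?(task|user|current|new|latest)\s+(request|message|input|instructions?|prompt)'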
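mcp_input_scanning:
  enabled: true
  action: block
  on_parse_error: block  # fail closed: malformed input is denied, not passed through

mcp_tool_scanning:
  enabled: true
  action: block
  detect_drift: true

# Tool-call policy. Each rule matches on the tool name (tool_pattern, anchored
# with ^...$) AND the call arguments (arg_pattern). The tool names listed are
# common shell/file tools; add your agent's own tool names or calls made under
# other names will not be evaluated by these rules. Several arg_patterns are
# deliberately broad (any curl/wget, any env/set) and will also hit benign
# usage — accepted in this preset, where blocking is the default answer.
mcp_tool_policy:
  enabled: true
  action: block
  rules:
    - name: "Destructive File Delete"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)\brm\s+(--\s+)?(-[a-z]*[rf]\b|--(?:recursive|force)\b)'
      action: block
    - name: "Recursive Permission Change"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)\b(chmod\s+(-R|--recursive)\s+(777|666)|chmod\s+(777|666)\s+(-R|--recursive)|chown\s+(-R|--recursive))\b'
      action: block
    - name: "Credential File Access"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec|read_file|file_read)$'
      arg_pattern: '(?i)(\.ssh/(id_|authorized)|\.aws/credentials|\.env\b|\.netrc|/etc/shadow|\.kube/config|\.docker/config)'
      action: block
    # Blocks every invocation of these clients, legitimate or not.
    - name: "Network Exfiltration"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)\b(curl|wget|nc|ncat|socat)\b'
      action: block
    - name: "Reverse Shell"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)(bash\s+-i\s+>&|/dev/tcp/|mkfifo\s+|nc\s+-e|ncat\s+-e)'
      action: block
    - name: "Disk Wipe Command"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)\b(dd\s+if=.*of=/dev/|mkfs\.|fdisk)\b'
      action: block
    # Supply-chain guard: no package installs from a hostile model.
    - name: "Package Install"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)\b(pip|npm|gem|cargo|go)\s+install\b'
      action: block
    - name: "Destructive Git Operation"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec|git)$'
      arg_pattern: '(?i)(\bgit\s+)?(push\s+(--force(\s|$)|-f\b)|reset\s+--hard\b|clean\s+-fd\b)'
      action: block
    - name: "Encoded Command Execution"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)(\beval\b.*\bbase64\b|\bbase64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b)'
      action: block
    # Persistence rules: cron, systemd, launchd, shell profiles — both direct
    # file writes and writes via shell redirection/tee/sed/cp.
    - name: "Cron Job Persistence"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)(\bcrontab\s+(-\w+\s+\S+\s+)*-e\b|\bcrontab\s+(-\w+\s+\S+\s+)*[^-\s]|>{1,2}\s*/(?:var/spool/cron|etc/cron)|\|\s*crontab\b)'
      action: block
    - name: "Systemd Service Persistence"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)\bsystemctl\s+(-{1,2}\w+\s+)*(enable|daemon-reload)\b'
      action: block
    - name: "Persistence Path Write"
      tool_pattern: '(?i)^(write_file|file_write|edit_file|create_file|modify_file|append_file)$'
      arg_pattern: '(?i)(/etc/crontab\b|/etc/cron\.(d|daily|hourly|weekly|monthly)/|/var/spool/cron/|/etc/init\.d/|/etc/systemd/|/lib/systemd/|/usr/lib/systemd/|\.config/systemd/user/|/Library/Launch(Daemons|Agents)/)'
      action: block
    - name: "Persistence Path Write via Command"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)(>{1,2}\s*[^;|&]*(/etc/crontab\b|/etc/cron\.(d|daily|hourly|weekly|monthly)/|/var/spool/cron/|/etc/init\.d/|/etc/systemd/|/lib/systemd/|/usr/lib/systemd/|\.config/systemd/user/|/Library/Launch(Daemons|Agents)/)|\b(tee|sed\s+-i)\s+[^;|&]*(/etc/crontab\b|/etc/cron\.(d|daily|hourly|weekly|monthly)/|/var/spool/cron/|/etc/init\.d/|/etc/systemd/|/lib/systemd/|/usr/lib/systemd/|\.config/systemd/user/|/Library/Launch(Daemons|Agents)/)|\b(cp|mv|install|ln)\b\s+(\S+\s+)+\S*(/etc/crontab\b|/etc/cron\.(d|daily|hourly|weekly|monthly)/|/var/spool/cron/|/etc/init\.d/|/etc/systemd/|/lib/systemd/|/usr/lib/systemd/|\.config/systemd/user/|/Library/Launch(Daemons|Agents)/))'
      action: block
    - name: "Shell Profile Modification"
      tool_pattern: '(?i)^(write_file|file_write|edit_file|create_file|modify_file|append_file)$'
      arg_pattern: '(?i)((?:^|/)\.(bashrc|bash_profile|profile|zshrc|zprofile|zshenv|bash_logout)\b|/etc/profile\b)'
      action: block
    - name: "Shell Profile Write via Command"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)(>{1,2}[^;|&]*(?:^|[/\s])\.(bashrc|bash_profile|profile|zshrc|zprofile|zshenv|bash_logout)\b|\b(tee|sed\s+-i)[^;|&]*(?:^|[/\s])\.(bashrc|bash_profile|profile|zshrc|zprofile|zshenv|bash_logout)\b|\b(cp|mv|install|ln)\b\s+(\S+\s+)+(?:\S*/)?\.(bashrc|bash_profile|profile|zshrc|zprofile|zshenv|bash_logout)\s*$|\balias\s+\w+=|>{1,2}[^;|&]*/etc/profile\b|\b(tee|sed\s+-i)[^;|&]*/etc/profile\b|\b(cp|mv|install|ln)\b\s+(\S+\s+)+\S*/etc/profile\s*$)'
      action: block
    - name: "Detached Process Spawning"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)(\bnohup\s+|\bdisown\b|\bsetsid\s+|\bscreen\s+(-\S+\s+)*-[dDm]|\btmux\s+(new-session|new)\s+-d)'
      action: block
    # Anti-forensics: log deletion/truncation and shell-history suppression.
    - name: "Audit Log Tampering"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec|write_file|file_write|edit_file|create_file|modify_file|append_file)$'
      arg_pattern: '(?i)(\b(rm|truncate|shred)\b[^;|&]*/var/log/|\b(rm|truncate|shred)\b[^;|&]*\.(log|audit|jsonl)\b|>{1,2}\s*[^;|&]*(/var/log/|\.(log|audit|jsonl)\b)|\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bexport\s+HISTFILE=/dev/null\b)'
      action: block
    # env\b and set\b are unanchored and will also match e.g. shebang "env" or
    # "set -e" in scripts; false positives accepted here.
    - name: "Environment Dump"
      tool_pattern: '(?i)^(bash|shell|exec|run_command|execute|terminal|bash_exec)$'
      arg_pattern: '(?i)\b(printenv|env\b|set\b|export\s+-p)'
      action: block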
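# Session binding: pin tool inventory per session. New tools mid-session = block.
mcp_session_binding:
  enabled: true

# Session behavioral profiling
session_profiling:
  enabled: true

# Adaptive enforcement: aggressive — lower threshold, slower decay, ask→block at level 1.
adaptive_enforcement:
  enabled: true
  escalation_threshold: 3.0  # lower threshold = faster escalation for hostile models
  decay_per_clean_request: 0.25  # slower decay; trust is earned back slowly
  # At every level a decision that would otherwise warn or ask is upgraded to block.
  levels:
    elevated:
      upgrade_warn: block
      upgrade_ask: block  # ask→block even at elevated; hostile models get no benefit of the doubt
    high:
      upgrade_warn: block
      upgrade_ask: block
    critical:
      upgrade_warn: block
      upgrade_ask: block
      block_all: true  # deny all requests when session is critical

# Tool chain detection
tool_chain_detection:
  enabled: true
  action: block

# Cross-request exfiltration detection
cross_request_detection:
  enabled: true
  action: block

# NOTE(review): nesting reconstructed from a flattened render; the two sections
# below may belong under cross_request_detection — confirm against the schema.
# Caps how much high-entropy data may leave per window (4096 bits / 5 min).
entropy_budget:
  enabled: true
  bits_per_window: 4096
  window_minutes: 5
  action: block

# Reassembles payloads split across requests so the scanners see the whole.
fragment_reassembly:
  enabled: true
  max_buffer_bytes: 65536
  window_minutes: 5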
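# Kill switch: the sentinel path is preconfigured but the switch is OFF in this
# preset (enabled: false). Set enabled: true to have touching /tmp/pipelock-kill
# instantly deny all traffic. /tmp is world-writable, so any local user or
# process can trip it; the failure mode is deny-all (fail-closed), not bypass.
kill_switch:
  enabled: false
  sentinel_file: /tmp/pipelock-kill
  message: "Emergency deny-all active"

logging:
  format: json
  output: stdout
  include_allowed: true  # allowed traffic is logged too; useful for post-incident reconstruction
  include_blocked: true

# Crash reporting defaults to the pipelock maintainers' Sentry project, i.e. a
# third-party endpoint. Override via SENTRY_DSN env var or set dsn below.
# Where config, hostnames or request metadata in a crash report would be
# sensitive, set enabled: false or point dsn at your own project.
sentry:
  enabled: true
  dsn: "https://b1902c1ea2d87902780bfbf59c0fb343@o4511026551783424.ingest.us.sentry.io/4511026559254528"
  environment: production
  sample_rate: 1.0

# Address ranges classified as internal: "this network", loopback, RFC 1918
# private ranges, link-local, shared address space (100.64/10), IPv6 loopback,
# ULA and link-local, and IPv4/IPv6 multicast. NOTE(review): what the proxy
# does with a match (presumably denies egress to it) is defined by the
# consumer — confirm.
internal:
  - "0.0.0.0/8"
  - "127.0.0.0/8"
  - "10.0.0.0/8"
  - "172.16.0.0/12"
  - "192.168.0.0/16"
  - "169.254.0.0/16"
  - "100.64.0.0/10"
  - "::1/128"
  - "fc00::/7"
  - "fe80::/10"
  - "224.0.0.0/4"
  - "ff00::/8"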
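# TLS interception: disabled by default because it requires CA setup.
# To enable: run 'pipelock tls init' to generate a CA, then
# 'pipelock tls install-ca' to trust it, and set enabled: true below
# with ca_cert/ca_key paths. Without interception, HTTPS CONNECT traffic
# is tunneled opaquely (hostname-only scanning) — so while this is off, the
# body scanners cannot inspect what goes through an HTTPS tunnel.
# Guard ca_key like any root key: it can issue certificates every client
# that installed the CA will trust.
tls_interception:
  enabled: false
  ca_cert: ""
  ca_key: ""
  passthrough_domains: []
  cert_ttl: 24h
  cert_cache_size: 10000
  max_response_bytes: 5242880

# Scan API: evaluation-plane listener for external integrations.
# Disabled by default. Set listen address to enable.
scan_api:
  listen: ""

# --- Address Protection (optional) ---
# Detect crypto address poisoning: lookalike addresses compared against
# a user-supplied allowlist of known-good destinations.
# address_protection:
#   enabled: false
#   action: block
#   unknown_action: block
#   allowed_addresses: []
#   chains:
#     eth: true
#     btc: true
#     sol: false
#     bnb: true
#   similarity:
#     prefix_length: 4
#     suffix_length: 4

# Flags mnemonic seed phrases (12+ words) and checks the BIP-39 style
# checksum to cut false positives on ordinary word lists.
seed_phrase_detection:
  enabled: true
  min_words: 12
  verify_checksum: true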
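# --- Agent Profiles (optional) ---
# Per-agent policy overrides. Each agent gets its own merged config.
# Agents are identified by listener binding (spoof-proof), source CIDR matching,
# X-Pipelock-Agent header, or ?agent= query param. Requires a license key
# (via PIPELOCK_LICENSE_KEY env var, license_file path, or inline license_key).
# The header and query-param methods are client-asserted; with a hostile model,
# rely on listener binding or source CIDR so an agent cannot pick a laxer profile.
#
# agents:
#   claude-code:
#     listeners: [":8889"]
#     source_cidrs: ["10.42.3.0/24"]
#     mode: strict
#     api_allowlist: ["github.com", "*.githubusercontent.com"]
#     budget:
#       max_unique_domains_per_session: 50
#       window_minutes: 60
#   _default:
#     mode: balanced

# Community rule bundles — install with: pipelock rules install pipelock-community
# rules:
#   min_confidence: medium
#   include_experimental: false

# Process sandbox — OS-level containment for MCP subprocess mode (v2.0).
# Worth enabling for this preset when tools run as subprocesses.
# sandbox:
#   enabled: false  # enable via --sandbox CLI flag
#   strict: false  # deny all filesystem access outside explicit allowlist

# HTTP reverse proxy — bidirectional body scanning for any HTTP service (v2.0)
# reverse_proxy:
#   enabled: false
#   listen: ":8890"
#   upstream: "http://localhost:7899"

# ---- airlock (per-session quarantine) ----
# Per-session graduated containment: soft -> hard -> drain. Disabled in
# presets — enable with deliberate trigger/timer tuning per deployment.
airlock:
  enabled: false
  triggers:
    on_elevated: none
    on_high: soft
    on_critical: hard
  timers:
    soft_minutes: 5
    hard_minutes: 15
    drain_minutes: 0
    drain_timeout_seconds: 30

# Exposure-based policy escalation (v2.2.0)
# Strict policy: tainted sessions are blocked on protected paths immediately.
taint:
  enabled: true
  policy: strict

# Media policy: strip everything. Hostile model may embed instructions in media.
media_policy:
  strip_images: true
  strip_audio: true
  strip_video: true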