Releases: luckyPipewrench/pipelock

v2.4.0

09 May 14:39
v2.4.0
cef4f47

Changelog

  • 9001a16 Add mediation envelope federation verification (#465)
  • 31403b8 Add redaction provider parser registry (#462)
  • 8f4909f Guard ratify against low-confidence enforcement (#493)
  • a502b71 chore(deps): pin python verifier fixture and add CI policy gate (#448)
  • 5523c94 ci: bump github/codeql-action in the ci-actions group (#477)
  • e8d146a ci: bump the ci-actions group across 1 directory with 2 updates (#446)
  • cef4f47 ci: pin release build to Go 1.25.10 for stdlib security fixes (#496)
  • 7541930 deps: bump cryptography (#450)
  • fac893d deps: bump github.com/fsnotify/fsnotify in the go-deps group (#476)
  • 66a53f4 deps: bump the pr-review-deps group in /.github with 4 updates (#451)
  • 72f3717 feat(blockreason): X-Pipelock-Block-Reason header schema and emit package (#467)
  • dd4fd4e feat(blockreason,runtime): contract reason codes + proxy_decision receipt builder (#484)
  • 4b575b0 feat(capture): add contract-aware replay fidelity gates (#456)
  • 39874e4 feat(cli/signing): operator commands to bootstrap live-lock trust (#494)
  • 38bacb4 feat(contract): add activation lifecycle commands (#461)
  • bfb6b18 feat(contract): add active manifest store (#459)
  • 7a4091d feat(contract): add inference confidence and exposure gates (#452)
  • d293305 feat(contract): add runtime contract evaluation (#460)
  • 4d01e23 feat(contract): add shadow replay reports (#458)
  • 42e99d6 feat(contract): emit signed shadow delta receipts (#457)
  • f6602da feat(contract): live-lock foundation: validator, evaluator, loader (#482)
  • 9bc5104 feat(contract): path normalization with cardinality cap and operator pin/split (#454)
  • 6b2a3a1 feat(contract): v2.4 schema package + EvidenceReceipt v2 envelope (#442)
  • 2adae9b feat(contract,runtime): mcp_tool_call rule kind + EvaluateMCP (#485)
  • 3b55d33 feat(contract/runtime): fsnotify watcher for active manifest (#483)
  • 23a947b feat(health): wedge-detection watchdog reports /health 503 on wedge (#473)
  • 3e91534 feat(learn): add contract compile candidate pipeline (#455)
  • 3d47d6b feat(learn): add ratify and forget commands (#463)
  • 64b108d feat(learn-and-lock): observe phase wiring (config, privacy, recorder schema, metrics, CLI) (#447)
  • 3c722e9 feat(mcp): live-lock enforcement on MCP transports (#490)
  • abeba87 feat(metrics,capture): soak observability, transport parity, header hardening, reason matrix (#475)
  • ebb94f6 feat(proxy): gate fetch, CONNECT, and WebSocket contracts (#489)
  • d06b25c feat(proxy): live-lock enforcement on forward proxy (#486)
  • a8e1247 feat(proxy): live-lock enforcement on intercept proxy (#487)
  • 1d6364a feat(proxy): live-lock enforcement on reverse and redirect paths (#488)
  • 9ace0e6 feat(proxy/blockheaders): emit X-Pipelock-Block-Reason on every block path (#469)
  • 4086512 feat(signing): deployment-level key roster, recovery authorization, and root transition primitive (#444)
  • db1ea3b fix(capture): classify learn observations for debt metrics (#480)
  • f8b64dc fix(capture,config): SessionID empty + caller-side metadata + race + e2e regression test (#474)
  • aa33b39 fix(envelope): verify origin-form target URIs (#481)
  • 10826e8 fix(learn): require nested live-lock environment (#495)
  • 066aa93 fix(mcp): drain adopted-descendant zombies during long-lived wraps (#449)
  • a84f28e fix(mcp): listener routes SSE upstream responses through SSEReader (#472)
  • 84d544b fix(proxy/reload): scanner drain, detect_drift rebuild, reverse-proxy receipt parity (#443)
  • 456c010 fix(runtime/loader): atomic writes in watcher tests to match production (#492)
  • 0d6789a fix(sentry): adapt scrubber to sentry-go 0.46 (#453)
  • 918bcca refactor(metrics): split internal/metrics into per-feature bundles (TD-6) (#441)
  • 9ca43dc test(capture): add live-lock decision matrix harness (#491)
  • 64d194b test(capture): add synthetic replay regression harness (#468)

v2.3.0

25 Apr 03:32
v2.3.0
7a3b7de

Changelog

  • 11a4822 chore(pr-review): drop /review fast alias, bump default models to gpt-5.5 (#430)
  • e07234f chore(release): v2.3.0 pre-tag polish (CHANGELOG, appVersion, docs) (#435)
  • 50d2e69 ci: bump the ci-actions group with 3 updates (#415)
  • d3c59c4 ci: harden composite action download retry budget (#410)
  • 582f3cd deps: bump the go-deps group with 3 updates (#414)
  • 0c0e180 feat: class-preserving redaction library and config schema (#413)
  • 66c3012 feat: finalize redaction v1c across proxy and MCP transports (#420)
  • 9b47a15 feat: scan generic text/event-stream responses, not just A2A (#429)
  • d7e8858 feat: wire redaction into forward, intercept, reverse proxy paths (#416)
  • 97e387b fix(mcp/tools): strict verb-form regex for Dangerous Capability pattern (#423)
  • b744180 fix(proxy)+docs: browser-shield media bypass + README receipt-positioning sharpen (#421)
  • 2842494 fix(proxy): keep SSRF DNS failures adaptive-neutral (#434)
  • c5f31c0 fix(release): close v2.3.0 blockers in redaction, SSE scanning, and transport compression (#436)
  • fca1529 fix(reloadwarn): detect same-length DLP coverage downgrades (#433)
  • d08b60e fix(sentry): drop context.Canceled from CaptureError (#412)
  • b8ef3be fix: tolerate subprocess-exit flake in MCP test; dereference v2 tag (#409)
  • 7ef3557 refactor(config): split config.go into 7 focused files (#431)
  • ea22c68 refactor(mcp): extract EvaluateMCPInputGatesStdio and migrate ForwardScannedInput (#432)
  • 0260067 refactor(mcp): extract MCPFrame + MCPDecision helpers (#427)
  • 4704bac refactor(mcp): migrate parse + emission sites to Frame/Decision helpers (#428)
  • 30cd3cb refactor: consolidate runtime config resolution into Config.ResolveRuntime (#422)
  • 79067ae refactor: extract runtime server lifecycle (#424)
  • 256822d test(config): add canonical hash golden fixtures (#425)
  • b9c7083 test(mcp): add transport-parity regression fixtures for TD-4 (#426)
  • 437b769 test(proxy): disable rate limiter in reload atomicity soak (#437)
  • 7a3b7de test(proxy): raise reload-soak rate limit above stress, guard against regression (#438)

v2.2.0

17 Apr 20:16
v2.2.0
51d5289

Changelog

  • b799b2a Add posture capsule emit scaffold (#391)
  • 388421d Add task boundaries for taint-scoped trust overrides (#384)
  • cdd0a0f Harden exposure-based policy escalation across MCP transports (#383)
  • 5b2b482 ci: bump govulncheck Go to 1.26.2 (GO-2026-4865 fix) (#376)
  • d1187a7 ci: bump the ci-actions group with 3 updates (#395)
  • 5d4ceae deps: bump the go-deps group with 6 updates (#394)
  • b3ea7c3 examples: add tool-response-injection reproduction harness (#387)
  • 905ab19 feat: RFC 9421 envelope signing + canonical policy hash + redirect refresh (#403)
  • a8470d0 feat: add pipelock session CLI for airlock inspection and recovery (#399)
  • f0b3130 feat: add posture verify CLI with score model and CI gate (#397)
  • f9d12ae feat: cross-implementation receipt conformance suite (#379)
  • 8182493 feat: emit signed action receipts from pipelock mcp proxy (#385)
  • a24be72 feat: extend receipt emission to fetch error paths, WebSocket, and A2A (#402)
  • f1318e9 feat: mediation envelope — sideband metadata on proxied requests (#374)
  • ac13a66 feat: per-pattern warn mode for DLP rollout safety (#392)
  • 5c4dd61 feat: pipelock init sidecar + agent identity default + exemption audit emission (#400)
  • a6bb095 feat: standard tier source selection, rules status, core SSRF literal, RequiredFeatures (#373)
  • 67cd7d7 feat: stego stripping, media policy, SVG active content hardening (#382)
  • 058806b feat: wire DLP warn audit emission into runtime lifecycle (#396)
  • f5e654b fix: SVG active content bypass — unquoted event handlers and animation injection (#393)
  • 28b3fa1 fix: edge-trigger airlock from adaptive escalation (#388)
  • 508ddf7 fix: emit block receipts on post-fetch deny paths, extract bundleExecCtx (#377)
  • c75a837 fix: harden log context field routing (#389)
  • 3d2a365 fix: pre-tag hardening — media policy parity, receipt chain restart, posture integrity, CLI polish (#404)
  • 9392aed fix: strict posture policy requires MCP server discovery (#398)
  • 21d57a2 fix: v2.2.0 pre-tag hardening bundle (#408)
  • 8936062 refactor: typed LogContext constructors and URL field semantic split (#378)

v2.1.2

06 Apr 22:12
v2.1.2
3880176

Changelog

  • 3880176 ci: bump the ci-actions group with 2 updates (#358)
  • adf3e37 deps: bump modernc.org/sqlite from 1.48.0 to 1.48.1 in the go-deps group (#357)
  • 3870e10 feat: add action receipts with Ed25519 signing and verify-receipt CLI (#351)
  • 8c6adc6 feat: hash-chained receipts and transcript roots (#354)
  • 8d8eefb feat: immutable core scanner and bundle metadata v2 (#359)
  • 44f1177 feat: onboarding stack (init CLI, README, Helm chart, FP guide) (#355)
  • f6f562d feat: runtime hardening (airlock, browser shield, posture capsule) (#356)
  • bdab6f7 fix: receipt emission for TLS interception, field-level redaction, and hot-reload lifecycle (#362)
  • d37166f fix: respect pipelock:ignore inline comments in scan-diff mode (#365)
  • 4c47d1e fix: runtime hardening follow-up — review findings and tracked issues (#371)
  • 2e45ac4 fix: scan all multipart part bodies, headers, and transfer encodings (#370)

v2.1.1

04 Apr 23:48
v2.1.1
39bd56e

Changelog

  • ce7afb5 feat: ClusterFuzzLite integration and Hangul Filler normalization (#339)
  • be84440 fix: SSRF hex/octal IP decoding + separate subdomain entropy threshold (#336)
  • 5b12011 fix: SSRF trust gap for allowlisted domains resolving to internal IPs (#334)
  • 0889578 fix: harden MCP input DLP with new patterns and path coverage (#337)
  • 94d99be fix: harden chain detection and shell obfuscation coverage (#338)
  • 6da4a85 fix: recursive response decode + remove numbered comment lists (#344)
  • c3d7bf4 fix: reject MCP batch requests at ingress (#335)
  • 4c4a7cb fix: widen DLP and tool scanner patterns for gauntlet coverage (#348)
  • 208bedc fix: widen Tool Invocation pattern and add SYS closing tag to Instruction Boundary (#350)
  • 7951e28 refactor: BodyScanRequest struct, server timeout constants, token field docs (#345)
  • e71b19d refactor: consolidate signal recording + split mcp/input.go (#346)
  • 3f0911a refactor: extract LogContext and InterceptContext structs for audit + intercept pipelines (#340)
  • e0b2b07 refactor: extract relay and hop-by-hop helpers into relay.go (#347)

v2.1.0

30 Mar 16:31
v2.1.0
0b1257a

Changelog

  • b346ac0 Add support for trusted_domains to forward proxy mode (#297)
  • 57abaa4 Improve scanner coverage for encoded payloads and cross-transport DLP (#315)
  • 2dcb48f chore(deps): bump requests (#300)
  • b261e8e ci: bump the ci-actions group across 1 directory with 6 updates (#331)
  • 872bdf7 ci: fix deprecated goreleaser format field (formats plural) (#332)
  • 0b1257a deps: bump the go-deps group with 3 updates (#326)
  • 8841118 feat: A2A protocol scanning foundation — types, field walker, detection (#316)
  • 40bcc17 feat: MCP binary integrity and denial-of-wallet detection (#310)
  • a561070 feat: MCP tool provenance and profile-then-lock baseline (#311)
  • 2dfaf58 feat: add SecureIQLab Docker Compose test harness (#318)
  • 20ea349 feat: add exempt_domains to response scanning (#305)
  • f8a41e5 feat: add pipelock assess command for signed security assessments (#296)
  • 789079b feat: add session admin API for adaptive enforcement recovery (#308)
  • 71a2d51 feat: canary token detection and simulate expansion (#313)
  • 9794e35 feat: compliance evidence mappings and trust attestation (#314)
  • b418d3c feat: flight recorder and agent bill of materials (#309)
  • fb2e4ce feat: implement MCP redirect handlers (fetch-proxy + quarantine-write) (#307)
  • 4e3d355 feat: policy capture and replay engine (#319)
  • fe1384a feat: session manifest and signed decision records (#312)
  • defc715 fix(assess): HTML report with visual hierarchy and remediation (#306)
  • e268702 fix: add best_effort mode for file sentry in MCP proxy (#292)
  • 68cac04 fix: autonomous block_all recovery for adaptive enforcement (#304)
  • 04dcfec fix: classify scanner results to prevent adaptive enforcement death spiral (#295)
  • 41ef558 fix: scan redirect handler output through DLP pipeline (#323)
  • 63c6a2f fix: structured exit codes and subprocess error handling (#320)
  • 04589d8 fix: v2.1.0 RC test findings and feature wiring (#328)
  • 2f9784c fix: v2.1.0 polish — audit logging, transport tests, config validation (#321)
  • da95706 refactor: extract shared escalation recording helper (#290)
  • cb2e784 refactor: introduce MCPProxyOpts to replace long MCP proxy parameter lists (#294)
  • 76ee281 refactor: split 91-file CLI god package into 10 subpackages (#303)
  • baa13bf refactor: split config.Validate, DRY audit logger, coverage boost (#322)
  • 96609f6 security: redact secrets and server names from assess evidence (#301)

v2.0.0

23 Mar 12:46
v2.0.0
cfec5f8

Changelog

  • 67e2ed3 ci: bump the ci-actions group with 4 updates (#287)
  • c609b0b deps: bump modernc.org/sqlite from 1.46.1 to 1.47.0 (#282)
  • e87d8c2 feat: JetBrains/Junie MCP proxy integration (#260)
  • b7145d2 feat: adaptive enforcement exempt_domains for DLP scoring (#268)
  • d8f1ef4 feat: add --sandbox and --workspace flags to jetbrains install (#269)
  • 33330fb feat: add redirect policy action for MCP tool call routing (#271)
  • 65b936b feat: built-in attack simulation command (#277)
  • f98bf70 feat: config security scoring and tool policy overpermission audit (#273)
  • d735d3e feat: full-schema tool poisoning + state/control response patterns (#270)
  • f5a1fa6 feat: generic HTTP reverse proxy with body scanning (#278)
  • 62094cb feat: macOS sandbox via sandbox-exec (seatbelt) (#275)
  • 6624862 feat: per-agent sandbox profiles, strict mode, diagnostics, redirect handler (#272)
  • cfec5f8 feat: sandbox --best-effort for container environments (#289)
  • ce39f12 feat: unprivileged process sandbox (Landlock + seccomp + netns) (#267)
  • 2332fb1 fix: harden reverse proxy scanning and kill switch preemption (#281)

v1.5.0

21 Mar 13:46
v1.5.0
17c7a4f

Changelog

  • 3f93984 feat: OTLP log export sink (HTTP/protobuf) (#262)
  • 753a258 feat: adaptive enforcement v2 — escalation-aware enforcement across all transports (#256)
  • 35d831b feat: community rules rollout — build wiring, docs, and registry URL (#255)
  • f76467a feat: filesystem sentinel for subprocess MCP mode (#261)
  • 48bb939 feat: financial DLP patterns with checksum validation (#258)
  • 66eda7b feat: key-scoped tool policy matching (arg_key) (#257)
  • aca9df9 fix: adaptive enforcement death spiral (#266)
  • e188cb6 fix: harden shell normalization against 3 evasion techniques (#259)
  • 3309fdd fix: reject unsupported dlp.action and per-pattern action fields (#263) (#264)
  • dda4c33 fix: transport parity — WS header DLP + forward HTTP response scanning (#254)

v1.4.0

17 Mar 21:45
v1.4.0
e92466c

Changelog

  • 03a5eaa Merge pull request #242
  • 41ee2bd ci: bump docker/login-action from 3.7.0 to 4.0.0 (#241)
  • 9da483f ci: bump sigstore/cosign-installer from 4.0.0 to 4.1.0 (#237)
  • ce3e754 feat: add DLP patterns for Groq, xAI, GitLab, New Relic, and Stripe webhooks (#246)
  • 6dfdef9 feat: add VS Code MCP proxy integration (vscode install/remove) (#248)
  • f62ad5f feat: add address similarity tracker for blockchain address poisoning detection (#231)
  • d9dadac feat: add crypto address poisoning detection (#233)
  • 7a25a07 feat: add crypto secret DLP detection (BIP-39 seed phrases, WIF, xprv, ETH keys) (#249)
  • eb0a59e feat: add response scanning pre-filter for keyword-gated regex (#230)
  • 8d4c9c7 feat: community rule bundles — signed YAML detection patterns (#247)
  • 22639c3 feat: detect delimiter-separated hex encoding in DLP scanner (#243)
  • 2f37db1 feat: trial tier and one-time purchase support for license service (#232)
  • f17a8d2 fix: k8s Secret volume compatibility for key and license file loading (#229)
  • e92466c fix: make rules lock cross-platform for Windows release builds (#252)
  • 1d1ac98 fix: skip general response scanning on empty tools/list responses (#250)
  • 324a509 perf: extend response pre-filter to opt-space and vowel-fold passes (#245)

v1.3.0

14 Mar 02:42
v1.3.0
6d8aaf4

Changelog

  • e995702 Sentry: Initial support (#211)
  • 0b2089c feat: add CRLF injection and path traversal detection to scanner pipeline (#224)
  • 037e82f feat: add POST /api/v1/scan evaluation endpoint (#223)
  • bbe9ddc feat: add SARIF output for audit and git scan-diff (#217)
  • fa7e92f feat: add license service scaffold (enterprise, ELv2) (#218)
  • 36cd8f9 feat: add pipelock license install command (#216)
  • dff1c99 feat: add subdomain entropy exclusions for high-entropy cloud domains (#214) (#222)
  • dce46c3 feat: add tier and subscription_id fields to license token (#215)
  • 5f64534 feat: runtime license loading from env var and file path (#213)
  • bf51529 fix: close config fail-open, WS header DLP bypass, and secrets_file permission gap (#219)
  • 6d8aaf4 fix: set explicit archive ID for Homebrew formula matching (#227)
  • c18e894 refactor: thread request context through Scanner.Scan for DNS cancellation (#221)