### Quick Start TLS Interception Setup Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/tls-interception.md A quick setup guide to generate a CA, trust it, enable TLS interception in the config, and run Pipelock. ```bash pipelock tls init pipelock tls install-ca cat >> pipelock.yaml << 'EOF' tls_interception: enabled: true EOF pipelock run --config pipelock.yaml ``` -------------------------------- ### Install Enterprise Pipelock Helm Charts Source: https://github.com/luckypipewrench/pipelock/blob/main/charts/pipelock/README.md Examples for installing Pipelock in different enterprise topologies using custom values files. ```bash helm install pipelock-conductor ./charts/pipelock -f charts/pipelock/examples/values-enterprise-conductor.yaml ``` ```bash helm install pipelock-follower ./charts/pipelock -f charts/pipelock/examples/values-enterprise-follower.yaml ``` ```bash helm install pipelock-fleet-sink ./charts/pipelock -f charts/pipelock/examples/values-enterprise-devfleet.yaml ``` -------------------------------- ### TLS Setup Commands Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/configuration.md Commands to generate a CA key pair, install the CA certificate into the system trust store, or display the CA certificate. ```bash # Generate a CA key pair pipelock tls init # Install the CA into the system trust store (macOS/Linux) pipelock tls install-ca # Or export the CA cert for manual installation pipelock tls show-ca ``` -------------------------------- ### Install and Configure Pipelock Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/autogen.md Install the pipelock CLI, generate a configuration file using a preset, and verify the installation. ```bash go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest ``` ```bash pipelock generate config --preset balanced > pipelock.yaml ``` ```bash pipelock version ``` -------------------------------- ### Install and Configure Pipelock Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/google-adk.md Install the Pipelock CLI, generate a configuration file, and verify the installation. ```bash # 1. Install pipelock go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest # 2. Generate a config (or copy a preset) pipelock generate config --preset balanced > pipelock.yaml # 3. Verify pipelock version ``` -------------------------------- ### Install Pipelock Helm Chart Source: https://github.com/luckypipewrench/pipelock/blob/main/charts/pipelock/README.md Basic installation of the Pipelock Helm chart. This deploys the Pipelock proxy by default. ```bash helm install pipelock ./charts/pipelock ``` -------------------------------- ### Run Pipelock Detection Example Harness Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/detection-integration.md Navigate to the tool-response-injection example directory and run the demo script to execute the full detection loop. ```bash cd examples/tool-response-injection python3 demo.py ``` -------------------------------- ### Install License Token to Custom Path Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/configuration.md Installs a license token to a specified custom file path. ```bash pipelock license install --path /etc/pipelock/license.token # custom path ``` -------------------------------- ### Install and Verify Pipelock Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/claude-code.md Install the Pipelock CLI tool and verify its installation by checking the version. ```bash # 1. Install pipelock go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest # 2. Verify it works pipelock version ``` -------------------------------- ### Install Pipelock Bundle from URL Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/rules.md Installs a bundle from a remote URL. Use this to install bundles not available in the default community repository. ```bash pipelock rules install --source https://example.com/finance-pii/bundle.yaml finance-pii ``` -------------------------------- ### Install Pipelock and Langchain MCP Adapter Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/langgraph.md Installs Pipelock, generates a configuration file, and installs the necessary Python adapter for Langchain MCP. ```bash go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest pipelock generate config --preset generic-agent > pipelock.yaml pip install langchain-mcp-adapters langgraph ``` -------------------------------- ### Install License Token to Default Path Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/configuration.md Installs a license token to the default Pipelock configuration path. ```bash pipelock license install # writes to ~/.config/pipelock/license.token ``` -------------------------------- ### Install Pipelock CLI Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/cline.md Install the Pipelock command-line interface using Homebrew. ```bash # 1. Install pipelock brew install luckyPipewrench/tap/pipelock ``` -------------------------------- ### Install Pipelock from Source Source: https://github.com/luckypipewrench/pipelock/blob/main/README.md Installs Pipelock from its source code using the Go toolchain. Requires Go version 1.25 or later. ```bash # From source (requires Go 1.25+) go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest ``` -------------------------------- ### Install Enterprise License Token Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/enterprise-license-issuance-runbook.md Install a signed license token to the specified path. This is typically used by Conductor or follower deployments. ```bash pipelock license install "$PIPELOCK_LICENSE_KEY" \ --path /etc/pipelock/license/license.token ``` -------------------------------- ### Install Zed Proxy Configuration Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/security/current-unsupported-paths.md Use this command to set up explicit proxy configuration for Zed. This installer wires known MCP config surfaces. ```bash pipelock zed install ``` -------------------------------- ### Install Pipelock Options Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/jetbrains.md Provides commands for installing Pipelock at the user-level (default), project-level, for a dry run to preview changes, or with a specific configuration file. ```bash # User-level (default, visible to pipelock discover) pipelock jetbrains install # Project-level (current directory only) pipelock jetbrains install --project # Preview changes without writing pipelock jetbrains install --dry-run # Use a specific pipelock config pipelock jetbrains install --config ~/.config/pipelock/pipelock.yaml ``` -------------------------------- ### Install JetBrains Proxy Configuration Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/security/current-unsupported-paths.md Use this command to set up explicit proxy configuration for JetBrains. This installer wires known MCP config surfaces. ```bash pipelock jetbrains install ``` -------------------------------- ### Run Full Harness Source: https://github.com/luckypipewrench/pipelock/blob/main/examples/tool-response-injection/README.md Execute the complete demonstration harness from the current directory. Ensure Python 3 and the 'cryptography' library are installed. ```bash python3 demo.py ``` -------------------------------- ### Full License Configuration Example Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/configuration.md An example demonstrating all available license-related configuration fields, including inline token, file paths for token and CRL, intermediate certificate, and public key. ```yaml license_key: "pipelock_lic_v1_eyJ..." # inline token (lowest priority) license_file: "/etc/pipelock/license.token" # file path (medium priority) license_crl_file: "/etc/pipelock/license.crl" # signed revocation list license_intermediate_file: "/etc/pipelock/license-intermediate.json" # root-signed intermediate cert license_require_intermediate: false # require the token to chain through an intermediate license_crl_max_age: 25h # CRL freshness window under require mode (default 25h) license_public_key: "a1b2c3d4..." # hex-encoded Ed25519 public key (dev builds only) ``` -------------------------------- ### Pipelock Hooks Configuration Example Source: https://github.com/luckypipewrench/pipelock/blob/main/examples/cursor-integration/README.md An example of the JSON structure written to hooks.json after Pipelock installation. This defines the commands Cursor will execute before specific actions. ```json { "version": 1, "hooks": { "beforeShellExecution": [ { "command": "/path/to/pipelock cursor hook --config /path/to/pipelock.yaml", "timeout": 10 } ], "beforeMCPExecution": [ ... ], "beforeReadFile": [ ... ] } } ``` -------------------------------- ### Initialize Pipelock Configuration Source: https://github.com/luckypipewrench/pipelock/blob/main/README.md Sets up Pipelock by discovering IDE configurations, generating necessary configuration files, and verifying detection capabilities. Run this after installation. ```bash # Set up (discovers IDE configs, generates config, verifies detection) pipelock init ``` -------------------------------- ### Regenerate Example Artifacts Source: https://github.com/luckypipewrench/pipelock/blob/main/examples/agent-threat-detection/README.md This command regenerates the OTLP log record and the synthetic signed receipt used in this example. Ensure you have Go installed and are in the correct project directory. ```sh go test -run AgentThreatDetectionAttrs_GoldenSample ./internal/emit/... ``` -------------------------------- ### Check License Status Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/enterprise-license-issuance-runbook.md Print the verified tier, features, and expiry of the installed license. Ensure the 'fleet' feature is included before starting Conductor. ```bash pipelock license status ``` -------------------------------- ### Restart OpenCode Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/opencode.md Restart OpenCode after installing Pipelock to ensure it recognizes the wrapped MCP entries. This step is crucial for Pipelock to start monitoring traffic. ```bash # 3. Restart OpenCode so it picks up the wrapped MCP entries ``` -------------------------------- ### Get Pipelock Rules Status as JSON Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/rules.md Outputs the rules stack health in JSON format, suitable for programmatic parsing in CI or dashboards. This example filters for the 'healthy' field. ```bash pipelock rules status --json | jq '.healthy' ``` -------------------------------- ### Start Fleet Sink for Loopback Development Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/conductor-operator-runbook.md Use this command to start a local development instance of the fleet sink. Ensure the trusted audit key is source-verified. ```bash /tmp/pipelock-ent fleet-sink \ --listen 127.0.0.1:8894 \ --storage-dir "$FLEET_DIR/fleet-sink" \ --trusted-audit-key id=follower-audit-1,file="$FLEET_DIR/follower/audit-signing.pub",org=org-local,fleet=dev,instance=follower-1 \ --probe-listen 127.0.0.1:9094 ``` -------------------------------- ### Start Follower Service Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/conductor-operator-runbook.md Start the follower service using a specified configuration file. This command assumes the environment variables for the license key are already set. ```bash /tmp/pipelock-ent run -c "$FLEET_DIR/follower/follower.yaml" ``` -------------------------------- ### Generate Starter Pipelock Configuration Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/configuration.md Use the 'pipelock generate config' command to create a starter configuration file. You can list available presets or generate a balanced configuration directly to 'pipelock.yaml'. ```bash pipelock presets pipelock generate config --list pipelock generate config --preset balanced > pipelock.yaml pipelock run --config pipelock.yaml ``` -------------------------------- ### Generate TLS Certificates and Start Containers Source: https://github.com/luckypipewrench/pipelock/blob/main/test/secureiqlab/README.md Run these commands to initialize the TLS certificates and start all Docker containers for the Pipelock harness. Ensure you run 'make init' only once. ```bash # 1. Generate TLS certificates (first time only) make init # 2. Start all containers make up # 3. Verify everything works make smoke # 4. Run false positive tests make fp-test ``` -------------------------------- ### Install Pipelock Verifier CLI Source: https://github.com/luckypipewrench/pipelock/blob/main/sdk/verifiers/ts/README.md Install the verifier globally or as a project dependency. The global CLI is available after installation, or use `npx` for project dependencies. ```bash npm install -g @pipelock/verifier-ts pipelock-verifier-ts receipt receipt.json --key ``` ```bash npm install @pipelock/verifier-ts npx pipelock-verifier-ts receipt receipt.json --key ``` -------------------------------- ### Install a Single Zed Settings File Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/zed.md Use the `--path` flag to specify a single settings file for pipelock to wrap, bypassing default discovery. ```bash pipelock zed install --path ~/some/custom/settings.json ``` -------------------------------- ### Build and Test Commands Source: https://github.com/luckypipewrench/pipelock/blob/main/CONTRIBUTING.md Use these make commands for building the project with version metadata, running tests, linting, and building a Docker image. ```bash make build # Build with version metadata make test # Run tests make lint # Lint make docker # Build Docker image ``` -------------------------------- ### Install Pipelock Python Verifier Source: https://github.com/luckypipewrench/pipelock/blob/main/sdk/verifiers/python/README.md Install the verifier package with its dependencies pinned by hash for offline-friendly installations. Use --no-deps if dependencies are already satisfied. ```bash pip install --require-hashes -r sdk/verifiers/python/requirements.txt pip install --no-deps sdk/verifiers/python ``` -------------------------------- ### Rollback pipelock contain installation Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/contain-cli.md Idempotently undoes the `install` command. This command safely re-runs on a partial install, checking state before mutating. It removes various pipelock components and configurations. ```bash sudo pipelock contain rollback ``` -------------------------------- ### Install Pipelock Binary Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/openclaw.md Download and install the pipelock binary for Linux AMD64 systems. ```bash # Or download binary curl -fsSL https://github.com/luckyPipewrench/pipelock/releases/latest/download/pipelock_linux_amd64.tar.gz | tar xz sudo mv pipelock /usr/local/bin/ ``` -------------------------------- ### Install and Run Python Verifier Source: https://github.com/luckypipewrench/pipelock/blob/main/testdata/python_verifier_fixture/README.md Instructions for setting up a virtual environment, installing dependencies, and running the Python verifier against golden test data. The verifier outputs 'OK ' or 'FAIL : ' and exits with a status code. ```bash python3 -m venv .venv source .venv/bin/activate pip install --require-hashes -r requirements.txt python3 verify.py ../../internal/contract/testdata/golden/ ``` -------------------------------- ### Verify Pipelock Hermes Installation Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/hermes.md Confirms the Pipelock Hermes installation and checks what has been wired. ```bash # 3. Confirm what was wired pipelock hermes verify ``` -------------------------------- ### Serve Playground Live Chat Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/playground-live-chat.md Command to start the live-chat playground server. Configure listening address, invite code, LLM agent binary, model API details, and message budgets. ```bash pipelock-playground-live serve \ --listen 0.0.0.0:8099 \ --code \ --llm-agent-bin /usr/local/bin/pipelock-playground-llm-agent \ --model-base-url https://api.provider.example/v1 \ --model \ --model-secret-file /run/secrets/model.key \ --daily-turn-budget 2000 \ --max-messages-per-session 40 ``` -------------------------------- ### URL Explanation with Custom Config Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/cli/explain.md Specify a custom configuration file for the explanation of a URL. ```sh pipelock explain --config /etc/pipelock/pipelock.yaml "https://example.com/download?id=42" ``` -------------------------------- ### Install Claude Code Hooks with Pipelock Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/claude-code.md Install Pipelock hooks to scan tool calls before execution. This command writes to ~/.claude/settings.json by default. You can specify a policy file or install to a project-local settings file. ```bash pipelock claude setup ``` ```bash pipelock claude setup --config ~/.config/pipelock/pipelock.yaml ``` ```bash pipelock claude setup --project ``` ```bash pipelock claude setup --dry-run ``` ```bash pipelock claude remove ``` -------------------------------- ### Install Pipelock and Wrap Junie MCP Servers Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/jetbrains.md Installs Pipelock using Homebrew or Go, then wraps all Junie MCP servers for user-level protection. Restart your IDE after installation and verify protection using 'pipelock discover'. ```bash # 1. Install pipelock brew install luckyPipewrench/tap/pipelock # or: go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest # 2. Wrap all Junie MCP servers (user-level) pipelock jetbrains install # 3. Restart your JetBrains IDE # 4. Verify protection pipelock discover ``` -------------------------------- ### Pipelock Configuration Example Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/rules.md Example configuration file for Pipelock, specifying rules directory, minimum confidence, and inclusion of experimental rules. Trusted keys can also be configured here. ```yaml # pipelock.yaml rules: rules_dir: ~/.local/share/pipelock/rules # default ($XDG_DATA_HOME/pipelock/rules) min_confidence: medium # skip experimental rules (low confidence) include_experimental: false # default: only stable rules are active # trusted_keys: # additional trusted public keys (beyond embedded keyring) # - name: "vendor-security" # public_key: "64-char-hex-encoded-ed25519-public-key" ``` -------------------------------- ### Serve Playground Broker Source: https://github.com/luckypipewrench/pipelock/blob/main/docs/guides/playground-broker-operations.md Starts the pipelock-playground-broker with specified configurations for listening, provider integration, resource allocation, and security settings. Secrets should be managed via environment variables or files, not directly in the command. ```bash pipelock-playground-broker serve \ --listen 0.0.0.0:8100 \ --provider fly \ --fly-app playground-example \ --fly-token-env FLY_API_TOKEN \ --image registry.example.com/pipelock/playground-vm:review \ --region iad \ --memory-mb 256 \ --cpus 1 \ --internal-port 8080 \ --concurrency 20 \ --code press-review-code \ --max-per-code 25 \ --global-daily-budget 60 \ --per-ip-daily-budget 20 \ --per-code-daily-budget 60 \ --admin-listen 127.0.0.1:8101 \ --admin-token-env PLAYGROUND_ADMIN_TOKEN \ --turnstile-secret-env PLAYGROUND_TURNSTILE_SECRET \ --vm-model-base-url https://api.provider.example/v1 \ --vm-model demo-model \ --vm-model-max-steps 20 \ --vm-daily-turn-budget 400 \ --vm-max-messages-per-session 20 \ --vm-session-ttl 30m \ --static-dir ./dist/playground \ --allow-origin https://playground.example.com \ --public-host playground.example.com ``` -------------------------------- ### Rust Verifier Publishing Steps Source: https://github.com/luckypipewrench/pipelock/blob/main/sdk/verifiers/PUBLISHING.md Commands to navigate to the Rust SDK directory, run tests, package, and publish the verifier crate. Use `--dry-run` for a preliminary check before the actual publish. ```bash cd sdk/verifiers/rust cargo test --release cargo package --list # confirm audit-packet-v0.json is in the package cargo publish --dry-run # builds the packaged crate in isolation cargo publish # the real publish ``` -------------------------------- ### Install Python Package Source: https://github.com/luckypipewrench/pipelock/blob/main/internal/skillscan/testdata/deps-skill/SKILL.md Installs a Python package using pip. Use this for general Python dependency management. ```bash pip install sample-package ```