Adds the pipelock half of the PRD 0001 egress topology:
- Pins the pipelock image by digest (sha256:3b1a39...) for the
multi-arch ghcr.io/luckypipewrench/pipelock:2.3.0 manifest list,
resolved on 2026-05-08. The registry uses unprefixed tags, so the
v2.3.0 GitHub release maps to the 2.3.0 Docker tag.
- Bakes in the default allowlist for Claude Code's required hosts
(api.anthropic.com, statsig.anthropic.com, sentry.io, claude.ai,
platform.claude.com, downloads.claude.ai, raw.githubusercontent.com)
and unions it with the bottle's egress.allowlist for the effective
list.
- Generates a minimum-viable YAML config at mode 600: strict mode +
enforce + api_allowlist + forward_proxy.enabled + DLP defaults +
scan_env. No env values, no secrets, hostnames only. Schema keys
cite pipelock's docs/configuration.md inline.
- Sidecar lifecycle: docker create → docker cp the YAML in → connect
to the default bridge for upstream egress → docker start. Avoids
bind mounts (Docker Desktop ownership quirks). Stop is idempotent
for use in cli.sh's exit trap.
- Helper for the y/N preflight: one-line summary "<N> hosts allowed
(host1, host2, host3 +M more)".
Refs: docs/prds/0001-per-agent-egress-proxy-via-pipelock.md
Refs: docs/research/pipelock-assessment.md
Assisted-by: Claude Code
