chore(release): prepare v2.6.0 pre-tag updates

[luckyPipewrench]

Summary

• Reconcile the v2.6.0 changelog and release-facing docs for request_policy, Hermes, pipelock scan, signed demo receipts, compliance mappings, Scan API, FileSentry, media/redaction behavior, and transport-mode hardening.
• Refresh pipelock demo with signed action receipts and the cloud-metadata SSRF scenario, including the updated demo GIF.
• Add release-polish hardening for config reloads, reverse-proxy profile reloads, forward-proxy response scan caps, Scan API tool_call scanning, FileSentry oversized/unreadable skip visibility, and demo receipt/test hygiene.
• Surface the v2.6 user-facing config knobs in the configuration reference, including dns.host_overrides, fetch_proxy.monitoring.query_entropy_exclusions, reverse_proxy.profile: submit fields, Scan API tool_call behavior, file_sentry.max_file_bytes, tool_chain_detection.sensitivity_labels, and license_crl_file.
• Bump the Helm chart to 0.3.0 / appVersion 2.6.0 and clear the stale v2.5 default image digest so chart installs follow the v2.6.0 image tag unless operators explicitly pin a digest.
• Keep Conductor framed as an enterprise preview, not GA in v2.6, with user-facing Conductor documentation deferred to v2.7.

Summary by CodeRabbit

• New Features

  • Request Policy: per-operation outbound controls for HTTP and WebSocket (per-frame), GraphQL predicates, JSON batch recursion, and fail‑closed behavior
  • pipelock scan CLI: invisible-Unicode / bidi / control-character detection
  • Demo receipts: Ed25519-signed demo receipts output

• Enhancements

  • File Sentry: configurable max-file-bytes with visible skip/error reporting
  • Response scanning: budget-aware caps with clarified truncation vs. fail‑closed
  • Scan API: tool_call runs DLP/prompt‑injection scans on-demand

• Bug Fixes

  • Reverse-proxy profile changes are deferred to restart during reload

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• ✅ Review completed - (🔄 Check again to review again)

📝 Walkthrough

Walkthrough

v2.6.0 updates release docs and guides; adds Request Policy documentation and pipelock scan CLI doc; implements demo CLI Ed25519-signed receipts and receipt emission tests; introduces FileSentry max-file-size cap and watcher error reporting; coalesces config reloads to latest; Server.Reload defers ReverseProxy structural changes; distinguishes forward-proxy scan cap vs. data budget; and ungates Scan API tool_call Stage‑2 scanning when argument text exists.

Changes

v2.6.0 Release Documentation

Layer / File(s)	Summary
Release changelog and Helm chart CHANGELOG.md, charts/pipelock/Chart.yaml, charts/pipelock/*	Adds v2.6.0 release notes and highlights; bumps Helm chart version/appVersion and updates chart README/values.
CLI, guides, and configuration docs README.md, docs/cli/scan.md, docs/configuration.md, docs/guides/*, docs/scan-api.md	New pipelock scan doc; Request Policy docs; verify-install scanning_websocket check; filesystem/media/redaction/transport clarifications; scan-api tool_call documentation; health/posture/guides updates.
Compliance and specs docs/compliance/*, docs/specs/*, docs/guides/block-reason-header.md	EU AI Act and NIST mappings updated for v2.6 review notes; spec example version bumps; adds request_policy_deny reason entry.

Implementation and Testing

Layer / File(s)	Summary
Demo receipt signing and emission internal/cli/diag/demo.go, internal/cli/diag/demo_test.go	Demo CLI generates per-run Ed25519 keypair, signs/verifies JSON receipts (optional --receipts-dir), refactors scenarios to return evidence patterns, and adds end-to-end and unit tests for receipts and CLI flow.
Config reload coalescing & ReverseProxy gating internal/config/reload.go, internal/config/reload_test.go, internal/cli/runtime/server_reload.go, internal/cli/runtime/server_test.go	Reloader.tryReload coalesces-to-latest buffered config; Server.Reload deep-equals whole ReverseProxy and defers changes to restart with a warning; tests added.
FileSentry schema & watcher cap/visibility internal/config/schema.go, internal/filesentry/watcher_impl.go, internal/filesentry/watcher_test.go	Adds FileSentry.MaxFileBytes config and effectiveMaxFileSize(); watcher reads cap+1 to detect overruns and surfaces open/stat/read/oversized skip via error path; tests verify visibility and cap behavior.
Forward proxy response scan cap vs budget internal/proxy/forward.go, internal/proxy/forward_test.go	Distinguishes configured response scan cap from per-request data budget (configMaxBytes vs budgetLimited); reads maxBytes+1 to detect overruns; fails closed when configured scan cap exceeded; integration test added.
Scan API: tool_call Stage‑2 ungated when args exist internal/scanapi/scan.go, internal/scanapi/handler_test.go	Removes global cfg from scanToolCall; Stage‑2 DLP/prompt-injection runs when extracted argument text is non-empty regardless of MCPInputScanning toggle; handler tests updated.
Canonical fixtures and minor runtime tests internal/config/canonical_golden_test.go, internal/cli/runtime/server_test.go	Golden hashes updated to reflect schema/policy surface changes; server reload test added verifying ReverseProxy profile-only reload is ignored.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• luckyPipewrench/pipelock#425: Related canonical policy-hash golden fixtures adjustments.
• luckyPipewrench/pipelock#88: Related compliance mapping documentation edits.
• luckyPipewrench/pipelock#639: Related forward-proxy response handling and scan-cap logic.

Suggested labels

size:XL, contributor:verified

Suggested reviewers

• BlueAceFrost
• DeathCamel58

"A rabbit signed and hopped with glee,
Receipts in paw for all to see,
Caps on files and scans that mind,
Tool calls checked when text we find,
v2.6 leaps out — hop, celebrate with me!" 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 24.32% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(release): prepare v2.6.0 pre-tag updates' is directly related to the main purpose of this PR: preparing documentation, configuration, and tooling for the v2.6.0 release.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/release-prep-v2.6.0

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sentry]

Codecov Report

❌ Patch coverage is 79.29293% with 41 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/cli/diag/demo.go	86.30%	16 Missing and 4 partials ⚠️
internal/filesentry/watcher_impl.go	45.94%	12 Missing and 8 partials ⚠️
internal/config/reload.go	87.50%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

internal/filesentry/watcher_impl.go (1)

356-359: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Surface os.Open failures as well.

Unreadable files still disappear silently here. permission denied, transient removal, or other open-time failures never reach the new visibility path, so a watched file can still be left unscanned with no operator signal.

Suggested fix

 	f, err := os.Open(filepath.Clean(path))
 	if err != nil {
+		w.logError(fmt.Errorf("filesentry: open failed, file left unscanned: %s: %w", path, err))
 		return
 	}

Also applies to: 427-430

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/filesentry/watcher_impl.go` around lines 356 - 359, The
os.Open(filepath.Clean(path)) failure is being swallowed (if err { return }) —
change this so open failures are surfaced instead of returning silently: either
return the error up the call chain or call the watcher’s
visibility/error-reporting API to record the path open failure (e.g., replace
the silent return with a call that logs and records the error with the
watcher/visibility component), and do the same change for the analogous os.Open
handling at the other location (lines 427-430).

internal/cli/diag/demo.go (1)

137-139: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Read interactive input from Cobra command input (cmd.InOrStdin()), not fmt.Scanln()

fmt.Scanln() reads from process stdin, ignoring cmd.SetIn()/cmd.InOrStdin(), so pipelock demo --interactive can’t be driven reliably by tests or scripted callers. Also ensure to add the needed bufio import.

Suggested change

+	reader := bufio.NewReader(cmd.InOrStdin())
+
 	for i, s := range scenarios {
 		if interactive && i > 0 {
 			cmd.Print("\n  Press Enter for next scenario...")
-			_, _ = fmt.Scanln() //nolint:errcheck // interactive prompt
+			_, _ = reader.ReadString('\n')
 		} else if i > 0 {
 			time.Sleep(150 * time.Millisecond)
 		}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cli/diag/demo.go` around lines 137 - 139, Replace the blocking
fmt.Scanln() call (inside the interactive && i > 0 branch) with reading a line
from the Cobra command input stream via cmd.InOrStdin() so tests and scripted
callers work; create a bufio.Reader from cmd.InOrStdin(), call ReadString('\n')
(or ReadBytes) to consume the Enter, handle or intentionally ignore the returned
error instead of using fmt.Scanln(), and add the bufio import to the file.
Ensure you still call cmd.Print("\n  Press Enter for next scenario...") and
reference the same interactive/i logic.

🧹 Nitpick comments (2)

internal/cli/diag/demo.go (2)

105-113: ⚡ Quick win

Normalize receiptsDir before using it for writes.

This flag value is a trust boundary, but it is passed straight into MkdirAll and later file writes. Clean it once up front and reuse the normalized path for signer.pub and per-receipt JSON files.

Suggested change

 func runDemo(cmd *cobra.Command, interactive, color bool, receiptsDir string) error {
+	if receiptsDir != "" {
+		receiptsDir = filepath.Clean(receiptsDir)
+	}
+
 	cfg := config.Defaults()
 	cfg.Internal = nil // disable SSRF (avoids DNS lookups)
@@
-	rec := &demoReceipts{cmd: cmd, privKey: privKey, pubHex: pubHex, policyHash: policyHash, dir: receiptsDir, color: color}
+	rec := &demoReceipts{cmd: cmd, privKey: privKey, pubHex: pubHex, policyHash: policyHash, dir: receiptsDir, color: color}

As per coding guidelines "In Go code, use filepath.Clean(path) to satisfy gosec G304 linter rule for file inclusion. For trust boundaries, also validate containment using EvalSymlinks and filepath.Rel."

Also applies to: 132-132, 274-275

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cli/diag/demo.go` around lines 105 - 113, Normalize and validate the
receiptsDir before creating or writing files: call filepath.Clean on receiptsDir
at its earliest use, resolve symlinks with filepath.EvalSymlinks, and ensure the
resolved path is contained within an expected base (use filepath.Rel to verify
it doesn't escape), then reuse that normalized path for os.MkdirAll, for
constructing pubPath (filepath.Join(normalizedReceiptsDir, "signer.pub")), and
for per-receipt JSON writes; update the code around receiptsDir, os.MkdirAll,
pubPath, and os.WriteFile to use the validated normalized path and return an
error if EvalSymlinks or containment checks fail.

---

325-331: ⚡ Quick win

Use shared severity constants instead of raw literals.

These receipts are release-facing metadata. Hardcoding "high" and "critical" here makes the demo drift-prone if the canonical config.Severity* values ever change.

As per coding guidelines "Check existing config.Action*, config.Mode*, config.Severity* constants before creating new ones."

Also applies to: 344-350, 367-373, 384-390, 401-407, 440-446, 480-486

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cli/diag/demo.go` around lines 325 - 331, Replace hardcoded severity
string literals in the receipt definitions by using the shared config severity
constants (e.g., change severity: "critical" and severity: "high" to severity:
config.SeverityCritical and severity: config.SeverityHigh). Update every receipt
literal that sets the severity field (including the examples around the
"Credential Exfiltration" entry and the other ranges called out) to reference
the canonical config.Severity* constants so these release-facing metadata values
stay in sync with the central config.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/compliance/eu-ai-act-mapping.md`:
- Line 11: The shorthand phrase "same five =" in the v2.6 review note (the line
starting with "v2.6 review (May 2026): per-frame WS request_policy,
allowlist_unparseable passthrough, media truncation, file_sentry block,
header-DLP parity, submit SSRF-safe dial = Art.15/15(4)/15(5); Conductor
enterprise+fleet-license gated, never inline.") should be replaced with explicit
mappings: list each feature mentioned (per-frame WS request_policy,
allowlist_unparseable passthrough, media truncation, file_sentry block,
header-DLP parity, submit SSRF-safe dial, Conductor enterprise+fleet-license
gated, never inline) on its own line and map it directly to the specific EU AI
Act article/paragraph (e.g., "per-frame WS request_policy → Art.15(1)/15(4)"),
mirroring the format used in prior sections so auditors can verify each claim
without inference; ensure consistency in wording and use the same article
identifiers used elsewhere in the document.

In `@docs/compliance/nist-800-53.md`:
- Line 11: Replace the compressed shorthand line that begins with "v2.6 review:
same five = AC-4(4),SI-4(4),SC-7,SI-12,SC-28,SI-10,AC-3,SC-7(5); Conductor
partially addresses CM-7/AU-12, fleet-license gated, never inline." with
explicit mappings: for each listed NIST control (e.g., AC-4(4), SI-4(4), SC-7,
SI-12, SC-28, SI-10, AC-3, SC-7(5), CM-7, AU-12) add a short sentence or bullet
that names the v2.6 capability it maps to and a one-line description of how that
capability satisfies the control (mention "Conductor" and "fleet-license" where
relevant), so auditors can see direct, reviewable traceability from v2.6
features to each NIST control.

In `@internal/filesentry/watcher_impl.go`:
- Around line 376-382: The read using io.ReadAll(io.LimitReader(f, sizeCap+1))
in watcher_impl.go currently ignores whether the extra byte was consumed, so if
the file grew after Stat() you may scan a truncated prefix; change the logic in
the scan path that uses io.ReadAll(io.LimitReader(f, sizeCap+1)) to check if
len(data) > sizeCap (i.e. the LimitReader returned the extra byte) and, when it
is, treat the file as grown/oversized/unscanned instead of proceeding to scan
the truncated data; apply the same fix to the equivalent block around the other
read (the second occurrence noted in the comment).

---

Outside diff comments:
In `@internal/cli/diag/demo.go`:
- Around line 137-139: Replace the blocking fmt.Scanln() call (inside the
interactive && i > 0 branch) with reading a line from the Cobra command input
stream via cmd.InOrStdin() so tests and scripted callers work; create a
bufio.Reader from cmd.InOrStdin(), call ReadString('\n') (or ReadBytes) to
consume the Enter, handle or intentionally ignore the returned error instead of
using fmt.Scanln(), and add the bufio import to the file. Ensure you still call
cmd.Print("\n  Press Enter for next scenario...") and reference the same
interactive/i logic.

In `@internal/filesentry/watcher_impl.go`:
- Around line 356-359: The os.Open(filepath.Clean(path)) failure is being
swallowed (if err { return }) — change this so open failures are surfaced
instead of returning silently: either return the error up the call chain or call
the watcher’s visibility/error-reporting API to record the path open failure
(e.g., replace the silent return with a call that logs and records the error
with the watcher/visibility component), and do the same change for the analogous
os.Open handling at the other location (lines 427-430).

---

Nitpick comments:
In `@internal/cli/diag/demo.go`:
- Around line 105-113: Normalize and validate the receiptsDir before creating or
writing files: call filepath.Clean on receiptsDir at its earliest use, resolve
symlinks with filepath.EvalSymlinks, and ensure the resolved path is contained
within an expected base (use filepath.Rel to verify it doesn't escape), then
reuse that normalized path for os.MkdirAll, for constructing pubPath
(filepath.Join(normalizedReceiptsDir, "signer.pub")), and for per-receipt JSON
writes; update the code around receiptsDir, os.MkdirAll, pubPath, and
os.WriteFile to use the validated normalized path and return an error if
EvalSymlinks or containment checks fail.
- Around line 325-331: Replace hardcoded severity string literals in the receipt
definitions by using the shared config severity constants (e.g., change
severity: "critical" and severity: "high" to severity: config.SeverityCritical
and severity: config.SeverityHigh). Update every receipt literal that sets the
severity field (including the examples around the "Credential Exfiltration"
entry and the other ranges called out) to reference the canonical
config.Severity* constants so these release-facing metadata values stay in sync
with the central config.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 883e12e0-d907-43c7-96b4-682f0e2352a6

📥 Commits

Reviewing files that changed from the base of the PR and between cde0ce1 and 180e2bf.

⛔ Files ignored due to path filters (1)

• assets/demo.gif is excluded by !**/*.gif

📒 Files selected for processing (25)

• CHANGELOG.md
• README.md
• docs/cli/scan.md
• docs/compliance/eu-ai-act-mapping.md
• docs/compliance/nist-800-53.md
• docs/configuration.md
• docs/guides/codex.md
• docs/guides/health.md
• docs/guides/posture-capsule.md
• docs/specs/in-toto-agent-action-receipt-v0.1.md
• docs/specs/pipelock-conductor-audit-sink.md
• internal/cli/diag/demo.go
• internal/cli/diag/demo_test.go
• internal/cli/runtime/server_reload.go
• internal/cli/runtime/server_test.go
• internal/config/canonical_golden_test.go
• internal/config/reload.go
• internal/config/reload_test.go
• internal/config/schema.go
• internal/filesentry/watcher_impl.go
• internal/filesentry/watcher_test.go
• internal/proxy/forward.go
• internal/proxy/forward_test.go
• internal/scanapi/handler_test.go
• internal/scanapi/scan.go

[cla-assistant]

All committers have signed the CLA.