A wire-only proxy scans wire bytes. Opaque media bytes pass through the wire layer untouched. Anyone evaluating an agent firewall should know which class of attacks gets caught at which layer, because pretending the wire layer covers everything is the wrong sales pitch and the wrong mental model. This post is the layer split. Pipelock has two inspection layers that operate at different abstraction levels, and the marketing-friendly claim "we scan everything" is true for some shapes of attack and false for others. Saying so plainly is more useful to a buyer than saying nothing. The wire layer Pipelock's wire layer scans bytes as they cross the proxy. Every transport Pipelock supports gets the same set of scanners: HTTP forward proxy. CONNECT and absolute-URI requests, request and response bodies on intercept paths, headers on every transport. MCP stdio. JSON-RPC frames on the subprocess pipe, both directions. MCP HTTP and SSE.…