Security: magicpro97/copilot-session-knowledge

Security Policy

Supported Versions

Version Supported
Latest

Known Security Considerations

Data Source Trust

This tool processes local session data from ~/.copilot/session-state/ and ~/.claude/projects/. The data is trusted by default since it's generated by your own AI coding sessions. However:

  • Do NOT import databases from untrusted sources — the sync feature (sync-knowledge.py) merges external .db files. Only sync from machines you control.
  • Semantic search models are now stored as JSON (not pickle), eliminating arbitrary code execution risk from tampered databases. Legacy pickle models will trigger a deprecation warning.

API Keys

  • API keys for embedding providers (OpenAI, Fireworks, OpenRouter) can be configured in ~/.copilot/tools/embedding-config.json
  • The config file is automatically set to 0o600 (owner-only) on Unix systems
  • Recommended: Use environment variables instead of config file storage:
    export FIREWORKS_API_KEY="your-key"
    export OPENAI_API_KEY="your-key"
  • The tool prefers environment variables over config file values

File Permissions

On Unix/macOS systems:

  • embedding-config.json — auto-set to 0o600 (owner read/write only)
  • knowledge.db — follows default umask (typically 0o644)
  • Lock files (.watch.lock) — temporary, cleaned up on exit

Database Integrity

  • build-session-index.py runs PRAGMA quick_check on database open
  • sync-knowledge.py creates SHA-256 verified backups before merge operations
  • WAL journal mode is used for crash recovery

Security Measures

SQL Injection Prevention

  • All user-input queries use parameterized SQL (? placeholders)
  • FTS5 queries are sanitized: special characters stripped, boolean operators removed, length limited
  • Migration DDL uses whitelist validation for table/column names

Input Validation

  • CLI input titles limited to 200 characters
  • Content limited to 10,000 characters
  • Path filters limited to 256 characters
  • WSL paths validated: must start with /home/, no .. traversal, length < 256

Process Safety

  • Lock files use atomic creation (O_CREAT | O_EXCL) to prevent race conditions
  • Daemon mode re-acquires locks atomically after fork

Serialization Safety

  • TF-IDF models use JSON serialization (not pickle)
  • Backward compatibility: legacy pickle models are supported with deprecation warnings
  • Vector embeddings use struct.pack/struct.unpack (safe binary format)

Hook Integrity & Tamper Protection

AI agents run as the same OS user, so they can potentially modify the hook scripts that enforce rules on them. To prevent this:

OS-Level Immutable Flags

  • macOS: chflags uchg — user immutable, same user cannot modify
  • Linux: chattr +i — requires root to modify
  • Windows: attrib +R — read-only (weaker protection)

python3 ~/.copilot/tools/install.py --lock-hooks    # Set immutable flags
python3 ~/.copilot/tools/install.py --unlock-hooks   # Remove for updates

SHA256 Integrity Manifest

  • install.py --lock-hooks generates SHA256 checksums for all hook files
  • Stored in ~/.copilot/hooks/integrity-manifest.json
  • verify-integrity.py (sessionStart hook) checks hashes on every session start
  • If tampered: warns loudly with 🚨 HOOK INTEGRITY ALERT
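The manifest workflow above, as an added illustration that is not the project's own install.py or verify-integrity.py code: build a SHA-256 manifest of the hook scripts, then re-verify it and report modified, missing and unlisted files. It assumes hooks are .py files in a single directory; the function names and the temporary sample directory are constructed for the example, and in practice the manifest file and the verifier script must themselves be covered by the immutable flags, or an agent could simply rewrite them.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    # Hash in chunks so large hook files do not need to be loaded whole.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(hooks_dir: Path) -> dict:
    # Map each hook script name to its SHA-256 hex digest (the lock step).
    return {p.name: sha256_file(p) for p in sorted(hooks_dir.glob("*.py"))}


def verify_manifest(hooks_dir: Path, manifest: dict) -> list:
    # Return a list of problems; an empty list means every hook is intact.
    problems = []
    for name, expected in manifest.items():
        p = hooks_dir / name
        if not p.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(p) != expected:
            problems.append(f"modified: {name}")
    # A hook dropped in after locking is also a tamper signal.
    for p in sorted(hooks_dir.glob("*.py")):
        if p.name not in manifest:
            problems.append(f"unlisted: {p.name}")
    return problems


def demo() -> tuple:
    # Constructed sample: two hook scripts, then one is rewritten and a new one appears.
    with tempfile.TemporaryDirectory() as d:
        hooks = Path(d)
        (hooks / "enforce-learn.py").write_text("print('learn')\n")
        (hooks / "track-bash-edits.py").write_text("print('track')\n")
        manifest = build_manifest(hooks)
        clean = verify_manifest(hooks, manifest)
        (hooks / "enforce-learn.py").write_text("print('bypassed')\n")
        (hooks / "rogue.py").write_text("print('new')\n")
        tampered = verify_manifest(hooks, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```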

Bash Bypass Detection

  • track-bash-edits.py (postToolUse) runs git status --porcelain after every bash command
  • Detects ALL file modifications regardless of method (python, node, ruby, cp, mv, tee, etc.)
  • Updates edit counters used by enforce-learn.py to gate git commit and task_complete
  • enforce-briefing.py also has heuristic preToolUse detection for common write patterns

Reporting Vulnerabilities

If you discover a security vulnerability, please:

  1. Do NOT open a public issue
  2. Email the maintainer or open a private security advisory on GitHub
  3. Include steps to reproduce and potential impact

Running Security Tests

python test_security.py

This runs source-level checks verifying all security measures are in place.
