Quick Start
Install ArmorCopilot and see it enforce tool calls in under 2 minutes
Quick Start
Get ArmorCopilot running in under 2 minutes. An ArmorIQ account is required to authenticate the plugin.
Prerequisites
- GitHub Copilot CLI 1.0+
- Active GitHub Copilot subscription
- Node.js 20+
- Git
- macOS, Linux, or Windows (WSL / Git Bash)
Install
curl -fsSL https://armoriq.ai/install_armorcopilot.sh | bashcurl -fsSL https://armoriq.ai/install_armorcopilot.sh | bashRun from WSL or Git Bash, not PowerShell/CMD.
The installer handles everything: clones the plugin, installs runtime deps, adds the marketplace, installs the plugin, installs the ArmorIQ CLI, and connects your ArmorIQ account via device-code login. Declining the connect prompt aborts the install.
Try a prompt with enforcement
copilotThen in the interactive session:
> list the files in this directoryArmorCopilot will:
- Tell Copilot to register an intent plan via the
register_intent_planMCP tool - Verify the tool call against that plan in the
preToolUsehook - Allow
list_dir(it's in the plan) - Enqueue an audit row for the call
You'll see the file listing as usual. The enforcement is invisible until something gets blocked.
Try a policy rule
In the same interactive session:
> Policy new: deny webfetchCopilot calls the policy_update MCP tool. ArmorCopilot stores the rule in ~/.copilot/armorcopilot/policy.json.
Then try a tool the rule denies:
> fetch https://example.comYou'll see the web_fetch tool blocked, with a reason like policy denied.
Heads up: LLMs can route around single-tool blocks
Denying web_fetch blocks that specific tool, but Copilot may try to achieve the same outcome via shell (e.g. curl https://example.com). See Writing effective policies for how to block outcomes, not just tools.
What's next
- Policy rules: write effective policies that block outcomes
- Concepts: intent plans, drift detection, CSRG proofs
- Configuration: endpoints, env vars, data dirs, debug
- Troubleshooting: common errors + recovery