Airlock Copilot Enforcer

Open-source reference sample for intercepting AI actions in GitHub Copilot — adapt for your enterprise Gateway deployment

Reference sample, not a consumer install guide. Source lives on GitHub. Configure the integration against your organization's Gateway at https://<your-gateway-host> and identity at https://<your-auth-host>/realms/<your-realm>.

Prerequisites

  • VS Code with GitHub Copilot extension installed
  • Deployed Airlock Gateway and identity provider for your organization
  • Mobile Approver distributed to reviewers via your organization's channel (MDM or internal app catalog)

Getting Started

  1. Install the Extension

    In VS Code, open the Extensions panel (Ctrl+Shift+X / Cmd+Shift+X), search for Airlock Enforcer, and install Airlock Copilot Enforcer.

  2. Sign In

    Open the Command Palette (Ctrl+Shift+P / Cmd+Shift+P) and run Airlock: Sign In. Authenticate with your organization's identity provider.

  3. Pair with Mobile Approver

    Run Airlock: Start Mobile Pairing from the Command Palette. A QR code will be displayed. On the Mobile Approver, go to Settings → Pair Another Workspace, then scan the QR code or enter the pairing code manually.

  4. Enable Auto Mode

    Run Airlock: Enable Auto Mode to start intercepting AI actions. All Copilot commands will now require approver sign-off via the Mobile Approver.

Extension Commands

Command                            Description
Airlock: Sign In                   Authenticate with the Gateway
Airlock: Sign Out                  Clear authentication
Airlock: Start Mobile Pairing      Pair with the Mobile Approver (QR code)
Airlock: Unpair Mobile Approver    Remove paired device
Airlock: Enable Auto Mode          Start automatic approval gating
Airlock: Disable Auto Mode         Stop gating
Airlock: Show Status               Show current endpoint, enforcer ID, pairing state

Copilot-Specific Notes

Hooks Configuration: The Copilot enforcer uses airlock-hooks.json to register with the Copilot agent. The hook configuration is automatically managed by the extension — no manual setup required.

How It Works

The Airlock Copilot Enforcer intercepts all AI-generated terminal commands and file mutations from GitHub Copilot. Each action is encrypted with AES-256-GCM and submitted to the Gateway. Your Mobile Approver receives a push notification — you review the action and sign your decision with Ed25519. The enforcer verifies the signature locally before allowing execution.

Security model: The enforcer operates in fail-closed mode. If the gateway is unreachable, the signature is invalid, or the request times out — the action is blocked. No exceptions.
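
A sketch of the local, fail-closed decision check described above, written with Node's built-in crypto. This is an added example, not code from the Airlock project. The message layout, the field names (requestId, actionHash, decision, signature, deadline) and the helper names are assumptions, and the AES-256-GCM transport step is left out.

```javascript
// Added illustration, not Airlock source. Field and function names are hypothetical.
const crypto = require("node:crypto");

// Bytes the approver signs: the decision is bound to one request and one action.
function signedBytes(requestId, actionHash, decision) {
  return Buffer.from(JSON.stringify([requestId, actionHash, decision]), "utf8");
}

// Fail-closed gate: true only when every check passes; anything else blocks.
function mayExecute(pending, response, approverPublicKey, now = Date.now()) {
  try {
    if (!response) return false;                      // gateway unreachable, no answer
    if (now > pending.deadline) return false;         // request timed out
    if (response.requestId !== pending.requestId) return false; // answer to another request
    const msg = signedBytes(pending.requestId, pending.actionHash, response.decision);
    const sig = Buffer.from(response.signature, "base64");
    // Ed25519 takes no separate digest algorithm, hence the null first argument.
    if (!crypto.verify(null, msg, approverPublicKey, sig)) return false;
    return response.decision === "approve";           // a validly signed "deny" still blocks
  } catch {
    return false;                                     // malformed input blocks as well
  }
}

// Constructed sample data: a throwaway key pair stands in for the paired approver.
function sample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const command = "rm -rf build/";                    // constructed example action
  const pending = {
    requestId: "req-0001",
    actionHash: crypto.createHash("sha256").update(command).digest("hex"),
    deadline: 1060000,                                // constructed clock value (ms)
  };
  const respond = (decision, requestId = pending.requestId) => ({
    requestId,
    decision,
    signature: crypto
      .sign(null, signedBytes(requestId, pending.actionHash, decision), privateKey)
      .toString("base64"),
  });
  return { pending, publicKey, respond };
}

const s = sample();
console.log("approved:", mayExecute(s.pending, s.respond("approve"), s.publicKey, 1000000));
console.log("no reply:", mayExecute(s.pending, null, s.publicKey, 1000000));
```

Because the signature covers the decision string together with the request ID and action hash, editing a signed "deny" into "approve" in transit fails verification and the action stays blocked.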