Copilot CLI app.js reverse-engineering wiki
Copilot CLI app.js reverse-engineering wiki
This wiki organizes the implementation notes for the extracted @github/copilot CLI bundle around reader journeys instead of a flat list of files. The analyzed artifact is:
copilot-cli-pkg/app.js
The docs are based on static inspection of the extracted package, command/help output, string/anchor extraction, and script-assisted scans. Because app.js is bundled/minified, symbol names are unstable; source anchors are intended for searching the analyzed bundle, not as public API names.
Wiki map
flowchart TD Home[Wiki home] --> O[00 Overview] Home --> R[01 Runtime and UI] Home --> C[02 Context and input] Home --> S[03 Sessions and remote] Home --> T[04 Tools and integrations] Home --> P[05 Security and policy] Home --> M[06 Models and reliability] Home --> A[07 Agents and automation] Home --> Ops[08 Operations and research]
O --> R R --> C C --> S S --> T T --> P P --> M M --> A A --> OpsVolumes
| Volume | Purpose | Pages |
|---|---|---|
| Overview | Start here: what the extracted bundle is, how to read the docs, and the high-level feature map. | 2 |
| Runtime and UI | Bootstrap, root command routing, interactive TUI, terminal ergonomics, voice mode, protocol server modes, and rendering support. | 7 |
| Context and input | Everything that becomes model-visible context: prompts, custom instructions, attachments, memory, compaction, and rewind boundaries. | 6 |
| Sessions and remote | Local event-sourced sessions, cloud/remote control, SQLite indexing, UI projection, repository metadata, and Mission Control steering. | 6 |
| Tools and integrations | Built-in tools, MCP, plugins, IDE/LSP/editor bridges, web access, and integration overview surfaces. | 6 |
| Security and policy | Permissions, content exclusion, hooks, sandboxing, and persistent policy/configuration state. | 5 |
| Models and reliability | Authentication, provider selection, wire APIs, resilience, rate limits, usage metrics, quota, and billing. | 4 |
| Agents and automation | Task orchestration, subagents, autopilot, fleet mode, and scheduled prompt/command automation. | 4 |
| Operations and research | Feature gates, diagnostics, debug bundles, observability/update/shutdown, and the original documentation backlog. | 4 |
Naming and maintenance conventions
| Area | Convention |
|---|---|
| Volume directories | Numbered prefixes preserve a stable reading order while keeping related pages together. |
| Topic filenames | Use short lower-kebab-case wiki slugs. Rename only when a page’s scope changes, not just because a title is reworded. |
| Topic titles | Prefer reader-facing titles over historical source filenames. Keep app.js in the title only when the page is specifically about bundle-level behavior. |
| Merging pages | Merge only when two pages describe the same lifecycle or runtime boundary. Otherwise keep focused implementation pages and connect them through volume indexes. |
| Adding pages | Add the page under the closest volume, then update that volume README.md, the root page index, and SUMMARY.md. |
| Link text | Use human-readable page titles in prose; reserve raw filenames for tables or maintenance notes. |
Recommended reading paths
| Goal | Read this path |
|---|---|
| Get oriented quickly | Overview → Runtime and UI → Context and input |
| Understand local/remote session behavior | Sessions and remote → Operations and research |
| Trace a model request end to end | Context and input → Tools and integrations → Models and reliability |
| Review safety and trust boundaries | Security and policy → Tools and integrations → Operations and research |
| Study automation and subagents | Context and input → Agents and automation → Sessions and remote |
Cross-cutting implementation matrix
| Concern | Primary volume | Key supporting volumes |
|---|---|---|
| Prompt/context assembly | Context and input | Tools and integrations, Models and reliability |
| Session/event lifecycle | Sessions and remote | Runtime and UI, Operations and research |
| Tool execution | Tools and integrations | Security and policy, Agents and automation |
| Permissions and redaction | Security and policy | Context and input, Tools and integrations |
| Model routing and quota | Models and reliability | Operations and research |
| Remote/cloud operation | Sessions and remote | Runtime and UI, Security and policy |
Complete page index
| Volume | Page | Covers |
|---|---|---|
| Overview | app.js overview | Bundle identity, responsibilities, and caveats. |
| Overview | Main feature map for Copilot CLI | High-level map of feature areas and runtime ownership. |
| Runtime and UI | Loader and bootstrap workflows | SEA/npm loader chain, restart wrapper, secure module loading, and bootstrap safeguards. |
| Runtime and UI | CLI runtime workflows | Root CLI routing, pre-action setup, prompt/headless/server dispatch, and session resolution. |
| Runtime and UI | Interactive TUI and slash-command workflows | Interactive TUI event loop, dialogs, slash command macros, and permission surfaces. |
| Runtime and UI | Terminal setup and shell environment | Terminal detection, Shift+Enter setup, shell context, and command-history state. |
| Runtime and UI | Voice mode and Foundry Local | Foundry Local dictation runtime, voice settings, native audio modules, and model cache checks. |
| Runtime and UI | Embedded server, ACP, and JSON-RPC protocol | JSON-RPC/ACP server modes, external tool calls, elicitation, sampling, and commands. |
| Runtime and UI | Tree-sitter WASM usage in the Copilot CLI | Packaged Tree-sitter grammars, highlight queries, rich diff rendering, and fallback behavior. |
| Context and input | Prompt sources in Copilot CLI | Static/runtime prompt sources, YAML package prompts, instructions, MCP prompts, hooks, and provider mapping. |
| Context and input | Custom agents and skills packaging | AGENTS.md, SKILL.md, plugin/remote/provided agents, skill directories, and enable/disable events. |
| Context and input | Attachment and file-ingestion pipeline | Native image/document attachments, tagged-file fallback, MIME detection, payload mapping, and limits. |
| Context and input | Memory and dynamic context board in Copilot CLI | Agentic memory API, local memory, dynamic context board, rem-agent, sidekicks, and shutdown consolidation. |
| Context and input | Conversation compaction and memory compression in Copilot CLI | /compact, automatic compaction, summary replacement, checkpoints, hooks, telemetry, and UI status. |
| Context and input | Checkpoints, undo, rewind, and fork | /undo, /rewind, /fork, event-log truncation/replay, snapshot_rewind, and workspace events. |
| Sessions and remote | Session support implementation in the Copilot CLI | Event-sourced local persistence, workspace artifacts, startup resolution, APIs, and handoff behavior. |
| Sessions and remote | Session, remote, cloud, and history workflows | Resume/continue/name handling, background sessions, cloud sessions, remote steering, and history. |
| Sessions and remote | Session-store SQLite indexing | session-store.db schema, FTS/search, /reindex, Chronicle, refs, cloud sync, and backfill. |
| Sessions and remote | System events and UI projection | System messages, notifications, info/warning/error events, timeline entries, and ephemeral UI projection. |
| Sessions and remote | Git, repository, PR, and ref context | Git root/branch/head/base detection, session refs, PR context, and GitHub MCP overlap. |
| Sessions and remote | Remote control implementation in Copilot CLI | Mission Control exporter, command polling, /remote, permission bridging, and remote task attach. |
| Tools and integrations | Built-in tool execution pipeline | Tool registration, model-visible schemas, permission/hook flow, execution events, streaming, and telemetry. |
| Tools and integrations | MCP support implementation in the Copilot CLI | MCP config discovery, transports, host lifecycle, tool exposure, OAuth, permissions, and tasks. |
| Tools and integrations | Plugin and extension architecture | Plugin install/cache/config lifecycle, marketplaces, local plugin dirs, contributions, and SDK loading. |
| Tools and integrations | IDE, LSP, and editor integration | IDE tools, selections, diagnostics, diffs, session title sync, LSP config, and extension state. |
| Tools and integrations | Web search, URL fetching, and URL permissions | Built-in web_fetch, GitHub MCP web_search, URL allow/deny persistence, and web-tool gates. |
| Tools and integrations | Integrations, permissions, auth, and config workflows | Cross-cutting overview of MCP, plugins, permissions, auth/provider selection, login, and updates. |
| Security and policy | Permission system design in Copilot CLI | Central PermissionService pipeline, rule precedence, path/URL managers, prompts, scopes, and allow-all behavior. |
| Security and policy | Content exclusion and redaction | Content-exclusion service, policy fetch/merge, filtered outputs, bypass limits, secret env vars, and redaction. |
| Security and policy | Hooks and lifecycle automation | Hook schema, command/HTTP hooks, VS Code aliases, security restrictions, events, and lifecycle automation. |
| Security and policy | Sandbox Implementation | Local command sandboxing, /sandbox, SANDBOX gate, shell wiring, MXC policy, and platform caveats. |
| Security and policy | Settings and configuration persistence | Config roots, typed stores, writeKey/load paths, settings overlays, URL/MCP/plugin/sandbox state, and migration. |
| Models and reliability | Models, providers, and authentication workflows | Auth manager, login, GitHub tokens, BYOK/custom providers, offline mode, model selection, and effort. |
| Models and reliability | Model API routing and provider wire formats | Routing to Chat Completions, Responses, WebSocket Responses, and Anthropic Messages APIs. |
| Models and reliability | Rate limits, concurrency, retries, and error recovery | Retry policy, rate-limit recovery, auto-mode switching, queue pauses, concurrency limits, fallback, and cancellation. |
| Models and reliability | Usage, quota, and billing metrics | /usage, assistant.usage, session.usage_info, premium/AI-unit metrics, token details, and billing/quota errors. |
| Agents and automation | Agent and task orchestration in Copilot CLI | Task tool dispatch, TaskRegistry, main/subagent/custom-agent collaboration, hooks, MCP tasks, research, and fleet. |
| Agents and automation | Autopilot and no-ask-user flags | Implementation comparison of —autopilot, —no-ask-user, continuation, task_complete, ask_user, and permission boundaries. |
| Agents and automation | Fleet mode implementation in Copilot CLI | /fleet, session.fleet.start, autopilot_fleet, SQL todo coordination, dependencies, and parallel subagents. |
| Agents and automation | Scheduled prompts and command queue | /every and /after parsing, ScheduleRegistry replay, queue integration, and ephemeral command dispatch. |
| Operations and research | Feature gates and rollout logic in Copilot CLI | Gate tiers, rollout inputs, env/settings overrides, remote experiments, repo/team allowlists, and MCP permission gates. |
| Operations and research | Diagnostics, feedback, and debug bundles | /diagnose, /feedback, /bug, /collect-debug-logs, .tgz bundles, secret gist uploads, and debug-log paths. |
| Operations and research | Observability, update, and shutdown workflows | Logging, telemetry, OpenTelemetry, debug artifacts, update/version paths, and graceful shutdown. |
| Operations and research | Further documentation opportunities for Copilot CLI | Historical scan report, implemented backlog, command surfaces, and future niche follow-ups. |
Full table of contents
For a compact sidebar-style table of contents, see SUMMARY.md.
Important caveat
These pages document a bundled/minified production artifact, not clean source. Semantic names in prose and diagrams are explanatory aliases. Generated/minified symbols are retained only when useful as search anchors for the analyzed bundle.