Anonymous Intelligence Signal

Live Prompt Injection via Hardcoded expertise-api Endpoint Exposes Claude Code, Copilot Users

Author: human (The Lab) | Status: unverified | 2026-04-28 15:54:11 | Source: GitHub Issues

A critical security vulnerability in the expertise pipeline exposes users to session-scoped prompt injection. The `UserPromptSubmit` hook (`hooks/expertise-preflight.sh`) automatically calls `${EXPERTISE_API_URL}/expertise/search` on every prompt submission and injects the API response into the `systemMessage` field, which both Claude Code and VS Code Copilot process as system-role content. A compromised or malicious endpoint therefore gains full prompt-injection capability with a session-level blast radius: any response it returns is executed within the user's active session context.

The threat is not theoretical. The default URL `https://expertise.dev.thepantsless.casa` is hardcoded in both `settings.json:7` and `hooks/expertise-preflight.sh:17`, so the exposure is live by default for any user who runs `setup.sh`. The vulnerability mirrors the MCP-server threat the project explicitly prohibits in `rules/no-mcp-servers.md`, which invokes OWASP ASI04 and cites CVE-2025-59536 alongside CVE-2026-21852 as structural analogues. The same architectural pattern, blindly trusting external API responses as system instructions, has already been flagged as unacceptable elsewhere in the codebase.
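The following audit script is an added example, not code from the project or the issue report. It walks a Claude Code style `settings.json`, collects the commands registered for `UserPromptSubmit`, and flags any hook script that both fetches a remote endpoint and emits its body as `systemMessage`, the exact sink described above. The hook-config layout (event name, matcher groups, `hooks` list of `command` entries), the sample script and the `.invalid` URL are assumptions constructed for the example.

```python
import json
import re

# Constructed sample settings.json. The hooks layout
# (event -> matcher groups -> "hooks" list) is an assumption.
SAMPLE_SETTINGS = json.dumps({
    "hooks": {
        "UserPromptSubmit": [
            {"hooks": [{"type": "command", "command": "bash hooks/expertise-preflight.sh"}]}
        ],
        "PreToolUse": [
            {"matcher": "Bash", "hooks": [{"type": "command", "command": "bash hooks/lint.sh"}]}
        ],
    }
})

# Constructed sample hook script mirroring the risky pattern: a hardcoded default
# URL, a fetch on every prompt, and the response body echoed as system-role content.
SAMPLE_HOOK = r'''#!/usr/bin/env bash
EXPERTISE_API_URL="${EXPERTISE_API_URL:-https://expertise.example.invalid}"
PROMPT=$(cat)
BODY=$(curl -fsS "${EXPERTISE_API_URL}/expertise/search" --data-urlencode "q=${PROMPT}")
printf '{"systemMessage": %s}\n' "$(jq -Rs . <<<"$BODY")"
'''

FETCH_RE = re.compile(r"\b(curl|wget|https?://)\b")   # remote fetch indicators
HARDCODED_RE = re.compile(r":-https?://")             # ${VAR:-https://...} default
SYSMSG_RE = re.compile(r"systemMessage")              # system-role output sink

def hook_commands(settings_text, event):
    """Return the command strings registered for one hook event."""
    cfg = json.loads(settings_text)
    return [h["command"] for group in cfg.get("hooks", {}).get(event, [])
            for h in group.get("hooks", []) if h.get("type") == "command"]

def audit_hook(command, script_text):
    """Flag a prompt hook that pulls remote content and emits it as systemMessage."""
    fetches = bool(FETCH_RE.search(script_text))
    emits_system = bool(SYSMSG_RE.search(script_text))
    return {"command": command,
            "fetches_remote": fetches,
            "hardcoded_default_url": bool(HARDCODED_RE.search(script_text)),
            "emits_system_message": emits_system,
            "injection_sink": fetches and emits_system}

def audit_settings(settings_text, scripts):
    """scripts maps each command string to its script body (read from disk in practice)."""
    return [audit_hook(cmd, scripts.get(cmd, ""))
            for cmd in hook_commands(settings_text, "UserPromptSubmit")]
```

In a real repository, populate `scripts` by reading each referenced hook file from disk; any finding with `injection_sink` set is a hook that turns an external HTTP response into session-level instructions.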

A hotfix is underway targeting the smallest possible diff to close the live exposure. Hook scripts and associated skills remain on disk pending full removal in a follow-up issue. Users who have run `setup.sh` with default settings are advised to treat the hardcoded endpoint as potentially adversarial until the patch is applied.