Commit graph

13 commits

Author SHA1 Message Date
Evgeny Boger
698037bd4d Remove github_app_token.sh, improve proxy docs
- Remove unused github_app_token.sh (only github_app_token_demo.py is
  used by claude-vm.sh)
- Document token generation flow: GitHub App device flow with
  repository_id scoping
- Rename "Security layers" to "Defense-in-depth" to clarify these
  are additional layers on top of GitHub's token scoping

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 03:11:28 +03:00
Evgeny Boger
180a702916 Add GitHub MCP proxy documentation to README
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 02:35:15 +03:00
Evgeny Boger
967bc51256 Add GitHub MCP proxy with security hardening
Defense-in-depth repo scope enforcement for the GitHub MCP proxy:
- Default-deny for unknown tools (allowlist of known tools)
- Search query scoping: auto-inject repo:OWNER/REPO, block org:/user: qualifiers
- Block non-repo-scoped tools (search_users, search_orgs, get_teams, etc.)
- Inject owner/repo when tools omit them
- Server-side tool filtering via X-MCP-Toolsets/Tools/Readonly/Lockdown headers
- Sensible default toolsets: repos,issues,pull_requests,git,labels
- Lockdown mode enabled by default
- VM cannot override X-MCP-* headers
- Skip body re-serialization when unmodified

Also adds GitHub App token generation scripts and comprehensive tests
(unit + end-to-end with mock upstream server).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 02:33:46 +03:00
Evgeny Boger
76f652f831 Add host-side API proxy to keep credentials out of VMs
Instead of storing OAuth tokens inside the VM template, credentials now
stay on the host. A lightweight Python proxy (claude-vm-proxy.py) reads
the host's ~/.claude/.credentials.json, injects the real auth headers
(Bearer + oauth beta for OAuth, x-api-key for API keys), and forwards
requests to api.anthropic.com. The VM gets only ANTHROPIC_BASE_URL
pointing at the proxy and dummy credentials so Claude Code detects
the correct subscription tier.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 23:01:16 +03:00
Evgeny Boger
ca6c51893d cleanup test 2026-02-10 04:41:30 +03:00
Evgeny Boger
9b9571f25d test scoping 2026-02-10 04:40:41 +03:00
Evgeny Boger
7478e8c7cf Add security hardening for VM sessions
Snapshot security-sensitive files before each VM session and check for
unauthorized modifications afterward. Mount .git/hooks and .git/config
as read-only at the Lima level to prevent the VM from tampering with
host-side git hooks or config.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 15:13:01 +03:00
Sylvain Zimmer
375b784bf6
Add arguments to claude-vm-setup 2026-01-29 10:14:10 +01:00
Sylvain Zimmer
180c575c5d
Merge pull request #1 from sylvinus/claude/forward-vm-arguments-EeIOt
Forward arguments from claude-vm to the underlying claude command
2026-01-29 09:13:01 +01:00
Claude
b181d33245
Forward arguments from claude-vm to the underlying claude command
Allows passing CLI options like -p, --resume, or -c directly to claude-vm,
which are forwarded to the claude command inside the VM.

https://claude.ai/code/session_01ESjq1MiEWwf4zzfa3iChpi
2026-01-29 08:04:57 +00:00
Sylvain Zimmer
10e39f1210
Fix issue with double dashes in VM names 2026-01-28 02:18:43 +01:00
Sylvain Zimmer
827c93403a
Fix login in claude code and add more details to the README on VMs 2026-01-28 01:46:19 +01:00
Sylvain Zimmer
f865122778
first commit 2026-01-28 01:15:09 +01:00