Install gh in the template VM, inject a wrapper that routes gh API
traffic through the existing git proxy, and extend the proxy to forward
API requests to api.github.com with bearer auth.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Detect GitHub submodules from .gitmodules, request a token for each,
and pass a JSON dict of {repo: token} to both proxies. The git proxy
injects per-repo Basic auth based on request path. The MCP proxy
selects the correct Bearer token based on owner/repo in tool call
arguments. Both proxies fall back to single-repo env vars for
backward compatibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Instead of forwarding raw HTML error pages from GitHub to the client
(which dumps unreadable HTML on screen), save them to timestamped files
and retry with exponential backoff (1s, 2s, 4s, up to 4 attempts).
After exhausting retries, return a clean short error message.
Applies to all three GitHub-facing scripts:
- github-mcp-proxy.py (MCP tool calls)
- github-git-proxy.py (git push/pull)
- github_app_token_demo.py (OAuth token generation)
Also fixes connection leaks on exception paths in both proxy files
and adds URLError handling in the token demo for network-level failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- github-git-proxy.py: host-side HTTP proxy that injects GitHub token
(Basic auth) for the configured repo, forwards to github.com over HTTPS.
Other repos are forwarded without credentials.
- Integrate into claude-vm.sh: starts alongside MCP proxy, configures
git url.insteadOf (scoped to repo only), copies user.name/email from host
- Writes CLAUDE.md instructions in VM so Claude knows git push/pull works
- Logs to file (not stderr), with GITHUB_GIT_PROXY_DEBUG env var
- Update README with full GitHub integration docs (token generation,
git proxy, MCP proxy, defense-in-depth, configuration)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>