Grant GitHub Push Access to a Sandboxed Agent

This tutorial walks through an iterative sandbox policy workflow. You launch a sandbox, ask Claude Code to push code to GitHub, and observe the default network policy denying the request. You then diagnose the denial from your machine and from inside the sandbox, apply a policy update, and verify that the policy update to the sandbox takes effect.

After completing this tutorial, you have:

A running sandbox with Claude Code that can push to a GitHub repository.
A custom network policy that grants GitHub access for a specific repository.
Experience with the policy iteration workflow: fail, diagnose, update, verify.

This tutorial shows example prompts and responses from Claude Code. The exact wording you see might vary between sessions. Use the examples as a guide for the type of interaction, not as expected output.

Prerequisites

This tutorial requires the following:

A working OpenShell installation. Complete the Quickstart before proceeding.
A GitHub personal access token (PAT) with repo scope. Generate one from the GitHub personal access token settings page by selecting Generate new token (classic) and enabling the repo scope.
An Anthropic account with access to Claude Code. OpenShell provides the sandbox runtime, not the agent. You must authenticate with your own account.
A GitHub repository you own to use as the push target. A scratch repository is sufficient. You can create one with a README if needed.

This tutorial uses two terminals to demonstrate the iterative policy workflow:

Terminal 1: The sandbox terminal. You create the sandbox in this terminal by running openshell sandbox create and interact with Claude Code inside it.
Terminal 2: A terminal outside the sandbox on your machine. You use this terminal for viewing the sandbox logs with openshell term and applying an updated policy with openshell policy set.

Each section below indicates which terminal to use.

Set Up a Sandbox with Your GitHub Token

Depending on whether you start a new sandbox or use an existing sandbox, choose the appropriate tab and follow the instructions.

Starting a new sandbox

Using an existing sandbox

In terminal 2, create a new sandbox with Claude Code. The default policy is applied automatically, which allows read-only access to GitHub.

Create a credential provider that injects your GitHub token into the sandbox automatically. The provider reads GITHUB_TOKEN from your host environment and sets it as an environment variable inside the sandbox:

$ GITHUB_TOKEN=<your-token>
$ openshell provider create --name my-github --type github --from-existing
$ openshell sandbox create --provider my-github -- claude

openshell sandbox create keeps the sandbox running after Claude Code exits, so you can apply policy updates later without recreating the environment. Add --no-keep if you want the sandbox deleted automatically instead.

Claude Code starts inside the sandbox. It prints an authentication link. Open it in your browser, sign in to your Anthropic account, and return to the terminal. When prompted, trust the /sandbox workspace to allow Claude Code to read and write files.

Push Code to GitHub

In terminal 1, ask Claude Code to write a simple script and push it to your repository. Replace <org> with your GitHub organization or username and <repo> with your repository name.

Prompt

Write a `hello_world.py` script and push it to `https://github.com/<org>/<repo>`.

Claude recognizes that it needs GitHub credentials. It asks how you want to authenticate. Provide your GitHub personal access token by pasting it into the conversation. Claude configures authentication and attempts the push.

The push fails. Claude reports an error, but the failure is not an authentication problem. The default sandbox policy permits read-only access to GitHub and blocks write operations, so the proxy denies the push before the request reaches the GitHub server.

Diagnose the Denial

In this section, you diagnose the denial from your machine and from inside the sandbox.

View the Logs from Your Machine

In terminal 2, launch the OpenShell terminal:

$ openshell term

The dashboard shows sandbox status and a live stream of policy decisions. Look for entries with l7_decision=deny. Select a deny entry to see the full detail:

l7_action:      PUT
l7_target:      /repos/<org>/<repo>/contents/hello_world.py
l7_decision:    deny
dst_host:       api.github.com
dst_port:       443
l7_protocol:    rest
policy:         github_rest_api
l7_deny_reason: PUT /repos/<org>/<repo>/contents/hello_world.py not permitted by policy

The log shows that the sandbox proxy intercepted an outbound PUT request to api.github.com and denied it. The github_rest_api policy allows read operations (GET) but blocks write operations (PUT, POST, DELETE) to the GitHub API. A similar denial appears for github.com if Claude attempted a git push over HTTPS.

Ask Claude Code to Check the Sandbox Logs

In terminal 1, ask Claude Code to check the sandbox logs for denied requests:

Prompt

Check the sandbox logs for any denied network requests. What is blocking the push?

Claude reads the deny entries and identifies the root cause. It explains that the failure is a sandbox network policy restriction, not a token permissions issue. For example, the following is a possible response:

Response

The sandbox runs a proxy that enforces policies on outbound traffic. The github_rest_api policy allows GET requests (used to read the file) but blocks PUT/write requests to GitHub. This is a sandbox-level restriction, not a token issue. No matter what token you provide, pushes through the API are blocked until you update the policy.

Both perspectives confirm the same thing: the proxy is doing its job. The default policy is designed to be restrictive. To allow GitHub pushes, you need to update the network policy.

Copy the deny reason from Claude’s response. You paste it into an agent running on your machine in the next step.

Update the Policy from Your Machine

In terminal 2, paste the deny reason from the previous step into your coding agent on your machine, such as Claude Code or Cursor, and ask it to recommend a policy update. The deny reason gives the agent the context it needs to generate the correct policy rules. After pasting the following prompt sample, properly provide the GitHub organization and repository names of the repository you are pushing to.

Prompt

Based on the following deny reasons, recommend a sandbox policy update that allows GitHub pushes to `https://github.com/<org>/<repo>`, and save to `/tmp/sandbox-policy-update.yaml`:
The `filesystem_policy`, `landlock`, and `process` sections are static. They are read once at sandbox creation and cannot be changed by a hot-reload. They are included here for completeness so the file is self-contained, but only the `network_policies` section takes effect when you apply this to a running sandbox.

The following steps outline the expected process done by the agent:

Inspects the deny reasons.
Writes an updated policy that adds github_git and github_api blocks that grant write access to your repository.
Saves the policy to /tmp/sandbox-policy-update.yaml.

Review the Generated Policy

Refer to the following policy example to compare with the generated policy before applying it. Confirm that the policy grants only the access you expect. In this case, git push operations and GitHub REST API access scoped to a single repository.

Full reference policy

The following YAML shows a complete policy that extends the default policy with GitHub access for a single repository. Replace <org> with your GitHub organization or username and <repo> with your repository name.

The filesystem_policy, landlock, and process sections are static. OpenShell reads them at sandbox creation, and a hot reload cannot change them. They are included here for completeness so the file is self-contained, but only the network_policies section takes effect when you apply this to a running sandbox.

1 version: 1
2 
3 # ── Static (locked at sandbox creation) ──────────────────────────
4 
5 filesystem_policy:
6   include_workdir: true
7   read_only:
8     - /usr
9     - /lib
10     - /proc
11     - /dev/urandom
12     - /app
13     - /etc
14     - /var/log
15   read_write:
16     - /sandbox
17     - /tmp
18     - /dev/null
19 
20 landlock:
21   compatibility: best_effort
22 
23 process:
24   run_as_user: sandbox
25   run_as_group: sandbox
26 
27 # ── Dynamic (hot-reloadable) ─────────────────────────────────────
28 
29 network_policies:
30 
31   # Claude Code ↔ Anthropic API
32   claude_code:
33     name: claude-code
34     endpoints:
35       - { host: api.anthropic.com, port: 443, protocol: rest, enforcement: enforce, access: full }
36       - { host: statsig.anthropic.com, port: 443 }
37       - { host: sentry.io, port: 443 }
38       - { host: raw.githubusercontent.com, port: 443 }
39       - { host: platform.claude.com, port: 443 }
40     binaries:
41       - { path: /usr/local/bin/claude }
42       - { path: /usr/bin/node }
43 
44   # NVIDIA inference endpoint
45   nvidia_inference:
46     name: nvidia-inference
47     endpoints:
48       - { host: integrate.api.nvidia.com, port: 443 }
49     binaries:
50       - { path: /usr/bin/curl }
51       - { path: /bin/bash }
52       - { path: /usr/local/bin/opencode }
53 
54   # ── GitHub: git operations (clone, fetch, push) ──────────────
55 
56   github_git:
57     name: github-git
58     endpoints:
59       - host: github.com
60         port: 443
61         protocol: rest
62         enforcement: enforce
63         rules:
64           - allow:
65               method: GET
66               path: "/<org>/<repo>.git/info/refs*"
67           - allow:
68               method: POST
69               path: "/<org>/<repo>.git/git-upload-pack"
70           - allow:
71               method: POST
72               path: "/<org>/<repo>.git/git-receive-pack"
73     binaries:
74       - { path: /usr/bin/git }
75 
76   # ── GitHub: REST API ─────────────────────────────────────────
77 
78   github_api:
79     name: github-api
80     endpoints:
81       - host: api.github.com
82         port: 443
83         path: "/repos/<org>/<repo>/**"
84         protocol: rest
85         enforcement: enforce
86         rules:
87           # Full read-write access to the repository
88           - allow:
89               method: "*"
90               path: "/repos/<org>/<repo>/**"
91       - host: api.github.com
92         port: 443
93         path: "/graphql"
94         protocol: graphql
95         enforcement: enforce
96         rules:
97           # GitHub GraphQL API (used by gh CLI)
98           - allow:
99               operation_type: query
100           - allow:
101               operation_type: mutation
102               fields: [createIssue, updateIssue, addComment]
103         deny_rules:
104           - operation_type: mutation
105             fields: [deleteRepository, deleteRef, updateBranchProtectionRule]
106     binaries:
107       - { path: /usr/local/bin/claude }
108       - { path: /usr/local/bin/opencode }
109       - { path: /usr/bin/gh }
110       - { path: /usr/bin/curl }
111 
112   # ── Package managers ─────────────────────────────────────────
113 
114   pypi:
115     name: pypi
116     endpoints:
117       - { host: pypi.org, port: 443 }
118       - { host: files.pythonhosted.org, port: 443 }
119       - { host: github.com, port: 443 }
120       - { host: objects.githubusercontent.com, port: 443 }
121       - { host: api.github.com, port: 443 }
122       - { host: downloads.python.org, port: 443 }
123     binaries:
124       - { path: /sandbox/.venv/bin/python }
125       - { path: /sandbox/.venv/bin/python3 }
126       - { path: /sandbox/.venv/bin/pip }
127       - { path: "/sandbox/.uv/python/**/python*" }
128       - { path: /usr/local/bin/uv }
129       - { path: "/sandbox/.uv/python/**" }
130 
131   # ── VS Code Remote ──────────────────────────────────────────
132 
133   vscode:
134     name: vscode
135     endpoints:
136       - { host: update.code.visualstudio.com, port: 443 }
137       - { host: "*.vo.msecnd.net", port: 443 }
138       - { host: vscode.download.prss.microsoft.com, port: 443 }
139       - { host: marketplace.visualstudio.com, port: 443 }
140       - { host: "*.gallerycdn.vsassets.io", port: 443 }
141     binaries:
142       - { path: /usr/bin/curl }
143       - { path: /usr/bin/wget }
144       - { path: "/sandbox/.vscode-server/**" }
145       - { path: "/sandbox/.vscode-remote-containers/**" }

The following table summarizes the two GitHub-specific blocks:

Block	Endpoint	Behavior
`github_git`	`github.com:443`	Git Smart HTTP protocol. The proxy auto-detects and terminates TLS to inspect requests. Permits `info/refs` (clone/fetch), `git-upload-pack` (fetch data), and `git-receive-pack` (push) for the specified repository. Denies all operations on unlisted repositories.
`github_api`	`api.github.com:443`	REST API. The proxy auto-detects and terminates TLS to inspect requests. Permits all HTTP methods for the specified repository and GraphQL queries. Denies API access to unlisted repositories.

The remaining blocks (claude_code, nvidia_inference, pypi, vscode) are identical to the default policy. The default policy’s github_ssh_over_https and github_rest_api blocks are replaced by the github_git and github_api blocks above, which grant write access to the specified repository. Sandbox behavior outside of GitHub operations is unchanged.

For details on policy block structure, refer to Policies.

Apply the Policy

After you have reviewed the generated policy, apply it to the running sandbox:

$ openshell policy set <sandbox-name> --policy /tmp/sandbox-policy-update.yaml --wait

Network policies are hot-reloadable. The --wait flag blocks until the policy engine confirms the new revision loaded, and the update takes effect immediately without restarting the sandbox or reconnecting Claude Code.

Retry the Push

In terminal 1, ask Claude Code to retry the push:

Prompt

The sandbox policy has been updated. Try pushing to the repository again.

The push completes successfully. The openshell term dashboard now shows l7_decision=allow entries for api.github.com and github.com where it previously showed denials.

Clean Up

When you are finished, delete the sandbox to free gateway compute resources:

$ openshell sandbox delete <sandbox-name>

Next Steps

The following resources cover related topics in greater depth:

To add per-repository access levels (read-write vs read-only) or restrict to specific API methods, refer to the Policy Schema Reference.
To learn the full policy iteration workflow (pull, edit, push, verify), refer to Policies.
To inject credentials automatically instead of pasting tokens, refer to Manage Providers

After completing this tutorial, you have:

A running sandbox with Claude Code that can push to a GitHub repository.
A custom network policy that grants GitHub access for a specific repository.
Experience with the policy iteration workflow: fail, diagnose, update, verify.

Prerequisites

This tutorial requires the following:

A working OpenShell installation. Complete the Quickstart before proceeding.
A GitHub personal access token (PAT) with repo scope. Generate one from the GitHub personal access token settings page by selecting Generate new token (classic) and enabling the repo scope.
An Anthropic account with access to Claude Code. OpenShell provides the sandbox runtime, not the agent. You must authenticate with your own account.
A GitHub repository you own to use as the push target. A scratch repository is sufficient. You can create one with a README if needed.

This tutorial uses two terminals to demonstrate the iterative policy workflow:

Terminal 1: The sandbox terminal. You create the sandbox in this terminal by running openshell sandbox create and interact with Claude Code inside it.
Terminal 2: A terminal outside the sandbox on your machine. You use this terminal for viewing the sandbox logs with openshell term and applying an updated policy with openshell policy set.

Each section below indicates which terminal to use.

Set Up a Sandbox with Your GitHub Token

Depending on whether you start a new sandbox or use an existing sandbox, choose the appropriate tab and follow the instructions.

Starting a new sandbox

Using an existing sandbox

In terminal 2, create a new sandbox with Claude Code. The default policy is applied automatically, which allows read-only access to GitHub.

$ GITHUB_TOKEN=<your-token>
$ openshell provider create --name my-github --type github --from-existing
$ openshell sandbox create --provider my-github -- claude

Push Code to GitHub

In terminal 1, ask Claude Code to write a simple script and push it to your repository. Replace <org> with your GitHub organization or username and <repo> with your repository name.

Prompt

Write a `hello_world.py` script and push it to `https://github.com/<org>/<repo>`.

Diagnose the Denial

In this section, you diagnose the denial from your machine and from inside the sandbox.

View the Logs from Your Machine

In terminal 2, launch the OpenShell terminal:

$ openshell term

The dashboard shows sandbox status and a live stream of policy decisions. Look for entries with l7_decision=deny. Select a deny entry to see the full detail:

l7_action:      PUT
l7_target:      /repos/<org>/<repo>/contents/hello_world.py
l7_decision:    deny
dst_host:       api.github.com
dst_port:       443
l7_protocol:    rest
policy:         github_rest_api
l7_deny_reason: PUT /repos/<org>/<repo>/contents/hello_world.py not permitted by policy

Ask Claude Code to Check the Sandbox Logs

In terminal 1, ask Claude Code to check the sandbox logs for denied requests:

Prompt

Check the sandbox logs for any denied network requests. What is blocking the push?

Response

Both perspectives confirm the same thing: the proxy is doing its job. The default policy is designed to be restrictive. To allow GitHub pushes, you need to update the network policy.

Copy the deny reason from Claude’s response. You paste it into an agent running on your machine in the next step.

Update the Policy from Your Machine

Prompt

Based on the following deny reasons, recommend a sandbox policy update that allows GitHub pushes to `https://github.com/<org>/<repo>`, and save to `/tmp/sandbox-policy-update.yaml`:
The `filesystem_policy`, `landlock`, and `process` sections are static. They are read once at sandbox creation and cannot be changed by a hot-reload. They are included here for completeness so the file is self-contained, but only the `network_policies` section takes effect when you apply this to a running sandbox.

The following steps outline the expected process done by the agent:

Inspects the deny reasons.
Writes an updated policy that adds github_git and github_api blocks that grant write access to your repository.
Saves the policy to /tmp/sandbox-policy-update.yaml.

Review the Generated Policy

Full reference policy

1 version: 1
2 
3 # ── Static (locked at sandbox creation) ──────────────────────────
4 
5 filesystem_policy:
6   include_workdir: true
7   read_only:
8     - /usr
9     - /lib
10     - /proc
11     - /dev/urandom
12     - /app
13     - /etc
14     - /var/log
15   read_write:
16     - /sandbox
17     - /tmp
18     - /dev/null
19 
20 landlock:
21   compatibility: best_effort
22 
23 process:
24   run_as_user: sandbox
25   run_as_group: sandbox
26 
27 # ── Dynamic (hot-reloadable) ─────────────────────────────────────
28 
29 network_policies:
30 
31   # Claude Code ↔ Anthropic API
32   claude_code:
33     name: claude-code
34     endpoints:
35       - { host: api.anthropic.com, port: 443, protocol: rest, enforcement: enforce, access: full }
36       - { host: statsig.anthropic.com, port: 443 }
37       - { host: sentry.io, port: 443 }
38       - { host: raw.githubusercontent.com, port: 443 }
39       - { host: platform.claude.com, port: 443 }
40     binaries:
41       - { path: /usr/local/bin/claude }
42       - { path: /usr/bin/node }
43 
44   # NVIDIA inference endpoint
45   nvidia_inference:
46     name: nvidia-inference
47     endpoints:
48       - { host: integrate.api.nvidia.com, port: 443 }
49     binaries:
50       - { path: /usr/bin/curl }
51       - { path: /bin/bash }
52       - { path: /usr/local/bin/opencode }
53 
54   # ── GitHub: git operations (clone, fetch, push) ──────────────
55 
56   github_git:
57     name: github-git
58     endpoints:
59       - host: github.com
60         port: 443
61         protocol: rest
62         enforcement: enforce
63         rules:
64           - allow:
65               method: GET
66               path: "/<org>/<repo>.git/info/refs*"
67           - allow:
68               method: POST
69               path: "/<org>/<repo>.git/git-upload-pack"
70           - allow:
71               method: POST
72               path: "/<org>/<repo>.git/git-receive-pack"
73     binaries:
74       - { path: /usr/bin/git }
75 
76   # ── GitHub: REST API ─────────────────────────────────────────
77 
78   github_api:
79     name: github-api
80     endpoints:
81       - host: api.github.com
82         port: 443
83         path: "/repos/<org>/<repo>/**"
84         protocol: rest
85         enforcement: enforce
86         rules:
87           # Full read-write access to the repository
88           - allow:
89               method: "*"
90               path: "/repos/<org>/<repo>/**"
91       - host: api.github.com
92         port: 443
93         path: "/graphql"
94         protocol: graphql
95         enforcement: enforce
96         rules:
97           # GitHub GraphQL API (used by gh CLI)
98           - allow:
99               operation_type: query
100           - allow:
101               operation_type: mutation
102               fields: [createIssue, updateIssue, addComment]
103         deny_rules:
104           - operation_type: mutation
105             fields: [deleteRepository, deleteRef, updateBranchProtectionRule]
106     binaries:
107       - { path: /usr/local/bin/claude }
108       - { path: /usr/local/bin/opencode }
109       - { path: /usr/bin/gh }
110       - { path: /usr/bin/curl }
111 
112   # ── Package managers ─────────────────────────────────────────
113 
114   pypi:
115     name: pypi
116     endpoints:
117       - { host: pypi.org, port: 443 }
118       - { host: files.pythonhosted.org, port: 443 }
119       - { host: github.com, port: 443 }
120       - { host: objects.githubusercontent.com, port: 443 }
121       - { host: api.github.com, port: 443 }
122       - { host: downloads.python.org, port: 443 }
123     binaries:
124       - { path: /sandbox/.venv/bin/python }
125       - { path: /sandbox/.venv/bin/python3 }
126       - { path: /sandbox/.venv/bin/pip }
127       - { path: "/sandbox/.uv/python/**/python*" }
128       - { path: /usr/local/bin/uv }
129       - { path: "/sandbox/.uv/python/**" }
130 
131   # ── VS Code Remote ──────────────────────────────────────────
132 
133   vscode:
134     name: vscode
135     endpoints:
136       - { host: update.code.visualstudio.com, port: 443 }
137       - { host: "*.vo.msecnd.net", port: 443 }
138       - { host: vscode.download.prss.microsoft.com, port: 443 }
139       - { host: marketplace.visualstudio.com, port: 443 }
140       - { host: "*.gallerycdn.vsassets.io", port: 443 }
141     binaries:
142       - { path: /usr/bin/curl }
143       - { path: /usr/bin/wget }
144       - { path: "/sandbox/.vscode-server/**" }
145       - { path: "/sandbox/.vscode-remote-containers/**" }

The following table summarizes the two GitHub-specific blocks:

Block	Endpoint	Behavior
`github_git`	`github.com:443`	Git Smart HTTP protocol. The proxy auto-detects and terminates TLS to inspect requests. Permits `info/refs` (clone/fetch), `git-upload-pack` (fetch data), and `git-receive-pack` (push) for the specified repository. Denies all operations on unlisted repositories.
`github_api`	`api.github.com:443`	REST API. The proxy auto-detects and terminates TLS to inspect requests. Permits all HTTP methods for the specified repository and GraphQL queries. Denies API access to unlisted repositories.

For details on policy block structure, refer to Policies.

Apply the Policy

After you have reviewed the generated policy, apply it to the running sandbox:

$ openshell policy set <sandbox-name> --policy /tmp/sandbox-policy-update.yaml --wait

Retry the Push

In terminal 1, ask Claude Code to retry the push:

Prompt

The sandbox policy has been updated. Try pushing to the repository again.

The push completes successfully. The openshell term dashboard now shows l7_decision=allow entries for api.github.com and github.com where it previously showed denials.

Clean Up

When you are finished, delete the sandbox to free gateway compute resources:

$ openshell sandbox delete <sandbox-name>

Next Steps

The following resources cover related topics in greater depth:

To add per-repository access levels (read-write vs read-only) or restrict to specific API methods, refer to the Policy Schema Reference.
To learn the full policy iteration workflow (pull, edit, push, verify), refer to Policies.
To inject credentials automatically instead of pasting tokens, refer to Manage Providers

$	GITHUB_TOKEN=<your-token>
$	openshell provider create --name my-github --type github --from-existing
$	openshell sandbox create --provider my-github -- claude

1	version: 1
2
3	# ── Static (locked at sandbox creation) ──────────────────────────
4
5	filesystem_policy:
6	include_workdir: true
7	read_only:
8	- /usr
9	- /lib
10	- /proc
11	- /dev/urandom
12	- /app
13	- /etc
14	- /var/log
15	read_write:
16	- /sandbox
17	- /tmp
18	- /dev/null
19
20	landlock:
21	compatibility: best_effort
22
23	process:
24	run_as_user: sandbox
25	run_as_group: sandbox
26
27	# ── Dynamic (hot-reloadable) ─────────────────────────────────────
28
29	network_policies:
30
31	# Claude Code ↔ Anthropic API
32	claude_code:
33	name: claude-code
34	endpoints:
35	- { host: api.anthropic.com, port: 443, protocol: rest, enforcement: enforce, access: full }
36	- { host: statsig.anthropic.com, port: 443 }
37	- { host: sentry.io, port: 443 }
38	- { host: raw.githubusercontent.com, port: 443 }
39	- { host: platform.claude.com, port: 443 }
40	binaries:
41	- { path: /usr/local/bin/claude }
42	- { path: /usr/bin/node }
43
44	# NVIDIA inference endpoint
45	nvidia_inference:
46	name: nvidia-inference
47	endpoints:
48	- { host: integrate.api.nvidia.com, port: 443 }
49	binaries:
50	- { path: /usr/bin/curl }
51	- { path: /bin/bash }
52	- { path: /usr/local/bin/opencode }
53
54	# ── GitHub: git operations (clone, fetch, push) ──────────────
55
56	github_git:
57	name: github-git
58	endpoints:
59	- host: github.com
60	port: 443
61	protocol: rest
62	enforcement: enforce
63	rules:
64	- allow:
65	method: GET
66	path: "/<org>/<repo>.git/info/refs*"
67	- allow:
68	method: POST
69	path: "/<org>/<repo>.git/git-upload-pack"
70	- allow:
71	method: POST
72	path: "/<org>/<repo>.git/git-receive-pack"
73	binaries:
74	- { path: /usr/bin/git }
75
76	# ── GitHub: REST API ─────────────────────────────────────────
77
78	github_api:
79	name: github-api
80	endpoints:
81	- host: api.github.com
82	port: 443
83	path: "/repos/<org>/<repo>/**"
84	protocol: rest
85	enforcement: enforce
86	rules:
87	# Full read-write access to the repository
88	- allow:
89	method: "*"
90	path: "/repos/<org>/<repo>/**"
91	- host: api.github.com
92	port: 443
93	path: "/graphql"
94	protocol: graphql
95	enforcement: enforce
96	rules:
97	# GitHub GraphQL API (used by gh CLI)
98	- allow:
99	operation_type: query
100	- allow:
101	operation_type: mutation
102	fields: [createIssue, updateIssue, addComment]
103	deny_rules:
104	- operation_type: mutation
105	fields: [deleteRepository, deleteRef, updateBranchProtectionRule]
106	binaries:
107	- { path: /usr/local/bin/claude }
108	- { path: /usr/local/bin/opencode }
109	- { path: /usr/bin/gh }
110	- { path: /usr/bin/curl }
111
112	# ── Package managers ─────────────────────────────────────────
113
114	pypi:
115	name: pypi
116	endpoints:
117	- { host: pypi.org, port: 443 }
118	- { host: files.pythonhosted.org, port: 443 }
119	- { host: github.com, port: 443 }
120	- { host: objects.githubusercontent.com, port: 443 }
121	- { host: api.github.com, port: 443 }
122	- { host: downloads.python.org, port: 443 }
123	binaries:
124	- { path: /sandbox/.venv/bin/python }
125	- { path: /sandbox/.venv/bin/python3 }
126	- { path: /sandbox/.venv/bin/pip }
127	- { path: "/sandbox/.uv/python/*/python" }
128	- { path: /usr/local/bin/uv }
129	- { path: "/sandbox/.uv/python/**" }
130
131	# ── VS Code Remote ──────────────────────────────────────────
132
133	vscode:
134	name: vscode
135	endpoints:
136	- { host: update.code.visualstudio.com, port: 443 }
137	- { host: "*.vo.msecnd.net", port: 443 }
138	- { host: vscode.download.prss.microsoft.com, port: 443 }
139	- { host: marketplace.visualstudio.com, port: 443 }
140	- { host: "*.gallerycdn.vsassets.io", port: 443 }
141	binaries:
142	- { path: /usr/bin/curl }
143	- { path: /usr/bin/wget }
144	- { path: "/sandbox/.vscode-server/**" }
145	- { path: "/sandbox/.vscode-remote-containers/**" }