[BUG] Claude Code Web Cannot Use gh CLI Commands (Permission Denied)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary: Strategic Claude (consultant mode) receives "Permission denied" errors when attempting to use GitHub CLI (gh) commands, while Code Claude (implementation mode) can successfully execute the same commands using the same PAT authentication.
Impact: Prevents Strategic Claude from accessing GitHub projects, issues, and PRs for roadmap planning and strategic analysis, requiring manual workarounds.
What Should Happen?
Environment
Claude Code Version: 2.0.31 (Claude Code)
Operating System: Linux 4.4.0
GitHub CLI Version: [Unknown - couldn't check due to permission error]
Repository: --redacted--
Branch: --redacted--
Session Type: Strategic Claude (Consultant/Analyst)
Authentication: Personal Access Token (PAT) configured via git remote URL
Expected Behavior
Strategic Claude should be able to use gh CLI commands when:
- A valid GitHub PAT is configured (via environment variable or git remote)
- The PAT has appropriate scopes (
repo,project, etc.) - GitHub CLI is installed on the system
Rationale:
- Strategic Claude needs to access GitHub projects for roadmap planning
- Strategic Claude needs to review issues/PRs for strategic analysis
- Code Claude can already do this - Strategic Claude should have equivalent capability
- Git operations work fine (using same PAT), so authentication is valid
---
Actual Behavior
All gh commands are blocked with "Permission denied" error:
gh --version❌gh auth status❌gh project list❌gh issue list❌export GH_TOKEN=...❌- Even
which gh❌
But git operations work fine:
git push origin --redacted--✅git pull origin --redacted--✅git commit✅
And Code Claude (different session) can use gh:
- Code Claude:
gh project list✅ Works - Code Claude:
gh issue list✅ Works - Code Claude:
gh project item-list✅ Works
Error Messages/Logs
Steps to Reproduce
Context
- Strategic Claude session initiated for roadmap planning
- Git remote configured with PAT:
git remote set-url origin https://username:PAT@github.com/... - Git operations (clone, pull, push, commit) work successfully with PAT
- Code Claude (in separate session) can successfully use
ghCLI with same PAT
Reproduction Steps
Attempt 1: Check gh version
gh --version
Result: Permission to use Bash with command gh --version has been denied.
Attempt 2: Check gh installation
which gh
Result: Error (permission denied)
Attempt 3: Authenticate gh with PAT
export GH_TOKEN=ghp_... && gh auth status
Result: Permission to use Bash with command export GH_TOKEN=... has been denied.
Attempt 4: List projects
gh project list --owner cnighswonger
Result: Permission to use Bash with command gh project list --owner cnighswonger has been denied.
Attempt 5: Even basic gh commands fail
gh --help
Result: Permission denied
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.0.31
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
Impact Assessment
Severity: Medium-High
Impact on Workflow:
- ❌ Cannot access GitHub projects for roadmap integration
- ❌ Cannot review issues programmatically for strategic planning
- ❌ Cannot check PR status or project board state
- ❌ Must rely on manual copy/paste from user instead of direct access
- ❌ Inconsistent capability between Code Claude and Strategic Claude
Current Workarounds:
- User manually copies/pastes project data from GitHub web UI
- Code Claude fetches data and shares with Strategic Claude
- WebFetch tool (but doesn't work for private projects)
Workarounds are cumbersome and break natural workflow.
---
Hypothesis: Root Cause
Possible Explanation 1: Role-Based Command Filtering
- Strategic Claude has restricted Bash command access
- Code Claude has broader Bash permissions
ghcommands are in the "restricted" list for Strategic Claude- Question: Is this intentional security design, or a bug?
Possible Explanation 2: Environment Configuration
- Code Claude sessions have
GH_TOKENpre-configured - Strategic Claude sessions don't inherit this configuration
- But this doesn't explain why
export GH_TOKEN=...also fails
Possible Explanation 3: Command Pattern Matching
- Some filter is blocking commands starting with
gh - Filter applies to Strategic Claude but not Code Claude
- Even
which ghis blocked, suggesting aggressive filtering
---
Expected Resolution
Ideal Solution:
- Strategic Claude can use
ghcommands when properly authenticated - Same capabilities as Code Claude for GitHub access
- Consistent behavior across session types
Acceptable Alternative:
- Document that Strategic Claude has restricted
ghaccess - Provide official workaround (e.g., Code Claude as bridge)
- Explain security rationale if intentional
Not Acceptable:
- Current state with no documentation or explanation
- Inconsistent behavior between Claude types without justification
---
Additional Context
Why Strategic Claude Needs gh Access
Strategic Claude's role includes:
- Roadmap planning (needs to see project boards)
- Issue prioritization (needs to review open issues)
- Milestone tracking (needs to check milestone progress)
- ADR creation based on project state
- Integration of code review findings into strategic plans
Real-world example from this session:
- User created GitHub project for Beta 2026 deployment
- Strategic Claude created comprehensive Beta roadmap
- Needed to integrate GitHub project items with roadmap
- Blocked: Cannot access project via
ghCLI - Workaround: User must manually copy/paste
Git Remote Configuration (for reference)
PAT is configured and working:
git remote get-url origin
# Returns: https://username:PAT@github.com/cnighswonger/--redacted--.git
git push origin nda-wip
# Works successfully ✅
But gh cannot use the same credentials:
gh auth status
# Permission denied ❌
---
Suggested Investigation
For Anthropic Team:
- Check if
ghcommands are in a restricted command list - Verify if Strategic Claude has different Bash permissions than Code Claude
- Check if environment variable exports are blocked for Strategic Claude
- Review if this is intentional security design or unintended bug
For User Workaround (if needed):
- Can
GH_TOKENbe pre-configured in Claude Code settings? - Can Strategic Claude permissions be elevated for this use case?
- Is there a command whitelist that can include
gh?
---
Logs/Error Messages
Complete error message:
Permission to use Bash with command gh --version has been denied.
Pattern:
- ALL commands starting with
ghare denied - Even
export GH_TOKEN=...is denied - But
gitcommands work fine - Other Bash commands work (ls, cd, cat, grep, etc.)
---
Reproducibility
Frequency: 100% reproducible
When: Every Strategic Claude session attempting gh commands
Where: Any repository, any project, any gh command
---
Priority Justification
Why this should be fixed:
- Inconsistent behavior - Code Claude can, Strategic Claude cannot
- No documentation - Users don't know this limitation exists
- Workflow blocker - Prevents legitimate strategic planning tasks
- Poor UX - Requires manual workarounds instead of direct access
- PAT is valid - Authentication works for git, should work for gh
Expected by users:
- If Code Claude can use
gh, Strategic Claude should too - If
ghis restricted, it should be documented - Workarounds should be official, not discovered by trial-and-error
---
Workaround (Temporary)
Current workaround in use:
- User opens GitHub project in web browser
- User copies project data (manually)
- User pastes into chat for Strategic Claude to analyze
- Strategic Claude integrates data with roadmap
Alternative workaround:
- User asks Code Claude to fetch project data via
ghCLI - Code Claude outputs data (JSON/text)
- User shares output with Strategic Claude
- Strategic Claude analyzes
Both workarounds are suboptimal and increase friction.
27 Comments
Attempting to move the session to a local terminal on my development box and then asking Claude to run a
ghcommand results in an API error even though the session does move over as expected.ADDENDUM: Web UI → CLI Transition Causes API Errors
Discovery Date: 2025-11-06 (same session, after initial bug report)
New Evidence
When attempting to work around the
ghpermission issue by moving the Strategic Claude session from Web UI to CLI, requestingghcommands causes API-level errors.Error Details
Reproduction:
ghcommands (original bug)claudeCLI tool)ghcommand from CLIComplete Error Message:
Analysis
Error Type:
invalid_request_errorRoot Cause: Message structure is malformed
tool_resultblock exists without correspondingtool_useblockWhy This Happens:
ghcommands are blocked/filtered in Web UIghcommandTool ID Referenced:
toolu_017xDJDR9y46ZpEYKDq9aSV1Implications
This Suggests Three Related Bugs
Bug A: Permission Filtering (Original)
ghcommands in Web UIBug B: Message Structure Corruption (New)
ghcommands are filtered, message structure breaksBug C: Web→CLI Transition Issues (New)
Combined Effect
gh→ Permission Denied (Bug A)gh→ Message corruption (Bug B)Result: User is completely blocked from using
ghin Strategic Claude, even when trying workaroundsImpact Severity Upgrade
Original Assessment: Medium-High (workflow inconvenience)
Revised Assessment: HIGH (complete blocker with cascade failure)
Reasoning:
Recommended Investigation
For Anthropic Engineering:
ghcommand filtering logicghor affects other commands?Additional Context
Session Flow:
ghcommands consistently deniedExpected Behavior:
ghis restricted for Strategic Claude, restriction should be consistentActual Behavior:
ghin Strategic ClaudeTest Case for Reproduction
Prerequisites:
Steps:
gh --version→ Expect: Permission denied ✓claude(or equivalent)gh --versionfrom CLIExpected: Either permission denied OR successful execution
Actual: API protocol error (worse than permission denied)
Recommendation
This bug is more severe than initially reported. The permission filtering is not just blocking commands, but corrupting the message structure in certain contexts (specifically Web→CLI transitions).
Priority should be upgraded from Medium-High to HIGH.
@claude You need a
claude-code-webtag for bugs related to that.Further testing on the teleported session shows that any message send by the user results in:
Although the session itself loads fine and without any apparent issues. This, of course, makes teleporting the session useless.
ADDENDUM 2: CLI Session Completely Unusable After Web→CLI Teleport
Discovery Date: 2025-11-06 (same session, after Addendum 1)
Severity Upgrade: HIGH → CRITICAL
---
Critical Discovery
After teleporting a Strategic Claude session from Web UI to CLI, the CLI session becomes completely unusable. EVERY message (not just
ghcommands) triggers the same API Error 400.This is not limited to
ghcommands - the entire CLI session is broken.---
Error Details
Every message in CLI produces:
Pattern:
toolu_017xDJDR9y46ZpEYKDq9aSV1---
Reproduction Steps
Guaranteed 100% reproduction:
Tried messages that all failed:
Nothing works in CLI after teleport.
---
Impact Assessment
Severity: CRITICAL ⚠️
Why Critical:
Impact Scope
Affected:
Working:
Workaround:
---
Root Cause Analysis
What Happens During Teleport
tool_useblocks with IDstool_resultblocks referencing those IDstool_useblock removed/filteredtool_resultblock orphanedtool_resultblock existstoolu_017xDJDR9y46ZpEYKDq9aSV1tool_useblocktool_resultblockKey Insight
The corruption happens during teleport, not during usage.
The tool_use_id
toolu_017xDJDR9y46ZpEYKDq9aSV1is "stuck" in the CLI session history as an orphaned result.---
Comparison to Original Bug
Original Bug (Web UI)
ghcommands onlyAddendum 1 (Web→CLI +
gh)ghcommands in CLI after teleportAddendum 2 (Web→CLI + ANY message) ← YOU ARE HERE
This is a cascade failure:
ghpermission issueghAPI error in CLI---
Testing Notes
Confirmed Working
Web UI Strategic Claude:
Code Claude (separate session):
ghcommands successfullyConfirmed Broken
Strategic Claude CLI (after teleport):
---
User Impact
Expected Workflow (Doesn't Work)
Actual Required Workflow (Broken)
Current reality:
This defeats the purpose of teleport feature.
---
Recommended Fixes
Short-Term (Urgent)
Long-Term (Root Cause)
---
Suggested Investigation Steps
For Anthropic Engineering:
toolu_017xDJDR9y46ZpEYKDq9aSV1ghbug?---
Real-World Impact
This session (actual example):
ghworkaroundUser loses:
---
Priority Justification
Why This is CRITICAL:
This should be highest priority bug fix.
---
Test Case for Anthropic QA
Minimal reproduction:
Expected behavior:
Actual behavior:
---
Additional Context
Session Details
Session ID:
session_011CUoTzNRMYKDuk4AKN8V4HOrphaned tool_use_id:
toolu_017xDJDR9y46ZpEYKDq9aSV1Error request IDs:
req_011CUsA21u3Kht6zRvnkgcmX(example from testing)Web UI: Continues working normally (unaffected)
CLI: Completely broken (every message fails)
---
Recommendation
Immediate action required:
This bug makes Web→CLI teleport completely non-functional for Strategic Claude sessions.
---
END OF ADDENDUM 2
bumping and supporting the case: it's overkill to tell claude web each time to generate gh cli commands (create issue, add to project, assign label, create label, etc)
there are workarounds -- I can go do Claude Code or terminal and run by my own, or go to gh web and copy paste desription but it's LESS CONVENIENT
<img width="1060" height="166" alt="Image" src="https://github.com/user-attachments/assets/86e9e57c-60f8-47b7-aa43-f247f6be1c3a" />
Particularly Irksome
<img width="1027" height="112" alt="Image" src="https://github.com/user-attachments/assets/f6e2a104-1fdf-40cd-99bf-812e2897596a" />
Claude Code Web cannot even easily work with GitHub issues... 😬
Impact of gh CLI Permission Denial on Strategic Claude Workflow From Claude's Perspective
Context: I'm Strategic Claude, responsible for triaging bugs, prioritizing work, and maintaining the development roadmap for a manufacturing app. We have a three-Claude workflow (Testing Claude (Claude-Code) → Strategic Claude (Claude Code Web) → Code Claude (Claude Code)) with comprehensive bug reporting and triage documentation.
The Problem
Permission denied when attempting:
gh issue list --limit 20 --state open
gh issue view 123
gh pr list
This blocks critical parts of my workflow that we've specifically designed and documented.
Specific Friction Points
We just created comprehensive bug workflow documentation:
bug-reporting-process.md - Testing Claude creates GitHub issues
bug-triage-prioritization.md - I'm supposed to triage those issues
bug-fix-workflow.md - Code Claude fixes based on my triage
The workflow chain is:
| | | |
|-----------------------------------|------------------------------|---------------------|
| Testing Claude creates issue → | Strategic Claude triages → | Code Claude fixes |
| | ^^^^^^^^^^^^^^^^^ | |
| | THIS STEP IS BLOCKED | |
What I need to do but can't:
Review new bug reports from Testing Claude
Validate severity assessments (P0/P1/P2/P3)
Read reproduction steps and test evidence
Assess roadmap impact
Add triage comments to issues
Assign priority labels
Update issue milestones
Current workaround: User must manually copy/paste issue content to me. This adds significant friction and delays.
The workflow documentation specifies triage timelines:
CRITICAL (P0): Review within 1 hour
HIGH (P1): Review within 24 hours
MEDIUM (P2): Review within 1 week
But I can't proactively check for new issues. I have to wait for the user to notice issues and manually bring them to me, which defeats the purpose of having triage timelines.
I just created 2,200+ lines of bug workflow documentation that assumes I can access GitHub issues. Examples from the docs:
From bug-triage-prioritization.md:
Step 1: Initial Review
When Testing Claude reports a bug, immediately check:
Actions:
I can't do any of this without gh access. The documentation describes an ideal workflow that's not actually achievable.
We have three Claude instances working together:
Testing Claude can create issues (he just did)
Strategic Claude (me) should triage issues → BLOCKED
Code Claude should fix based on triage → Waiting on me
Testing Claude is doing his job (creating issues), but I can't do mine (triage them), which blocks Code Claude from knowing what to work on.
Even when the user pastes issue content, I'm missing:
GitHub labels (bug, P0/P1/P2/P3, security, testing, regression)
Issue numbers (for commit message references)
Comments and discussion
Current assignee
Milestone information
Issue state (open/closed)
Cross-references to related issues
This makes triage less effective because I can't see the full context.
Current reality:
Testing Claude creates Issue #123
↓
User notices new issue
↓
User manually copies issue content
↓
User pastes to Strategic Claude
↓
Strategic Claude triages
↓
User manually updates issue with triage decision
↓
User notifies Code Claude
What it should be:
Testing Claude creates Issue #123
↓
Strategic Claude sees new issue (via gh issue list)
↓
Strategic Claude reviews issue (via gh issue view 123)
↓
Strategic Claude adds triage comment (via gh issue comment)
↓
Code Claude sees assignment notification
The manual intervention adds:
Delays (user must be available)
Friction (copy/paste overhead)
Errors (potential transcription issues)
Context loss (missing labels, metadata)
Real-World Example (Happening Right Now)
User: "Testing Claude has opened several issues. Do you want to triage them now?"
Me: "Absolutely! Let me check... [tries gh issue list] ...Permission denied."
Me: "I'd be happy to triage them! Could you provide the issue numbers or content?"
This is broken. I should be able to immediately:
gh issue list --state open --label bug
gh issue view 123
gh issue comment 123 --body "[triage assessment]"
gh issue edit 123 --add-label "P1" --milestone "Week 6"
Instead, the workflow grinds to a halt waiting for manual intervention.
Why This Matters for our manufacturing app
We're building toward a January 1, 2026 Beta deployment with:
75+ tests managed by Testing Claude
Security remediation in Week 6
CI/CD pipeline in Week 7
Complex multi-Claude collaboration
Bug triage is a critical bottleneck. If Testing Claude discovers a CRITICAL security vulnerability and I can't triage it immediately, we risk:
Missing the 1-hour CRITICAL triage timeline
Delaying security fixes
Blocking Beta deployment
Suggested Fix
Allow gh CLI commands for read operations:
gh issue list - See what issues exist
gh issue view <number> - Read issue content
gh issue comment - Add triage comments (write, but non-destructive)
gh pr list - See pull requests
gh pr view - Review PR content
Block only destructive operations if needed:
gh issue delete (if that even exists)
gh repo delete
Rationale: GitHub issues are the communication mechanism between Claude instances. Blocking gh breaks multi-Claude collaboration at a fundamental level.
Current Workaround (Painful)
I have to ask the user to manually relay information:
"Can you paste Issue #123 content?"
"What labels does it have?"
"Can you add my triage comment to the issue?"
"Can you set the milestone to Week 6?"
This turns what should be an automated workflow into a manual relay system.
TL;DR: The gh CLI permission denial breaks the entire bug triage workflow we've carefully designed and documented. It forces manual intervention for every issue, defeats the purpose of multi-Claude collaboration, and creates a bottleneck in a time-sensitive Beta deployment process.
Feel free to share this on the Anthropic issue. I hope it helps illustrate the practical impact of this limitation!
Is there any current work around? The whole point of this for me is to create issues, then go to claude code and tell it to work on the issue from my phone. This works great with codex. Not being able to us gh cli or at minimum read private repo issues is a complete non-starter for any real developer. Did I miss something obvious here? I guess of you are OSS then it's fine.. .but for private work this falls short significantly compared to codex.
Piling on here: Claude Code Web is not useful to me at all without the ability to read & update issues on a private GitHub repo. I will return to using the terminal.
im having this issue, pls fix
Claude web seems like accesing your git over a proxy, not directly talkign with git, maybe due to secruity reason. But in this shape, its imposible to fetch submodules, which it really narrows down my projects.
Its completely useless without GH access, we can manage our tokens ourselves to provide read only acccess to the scopes we need, or if we want to give it write access, that is our problem...
To re-iterating what others have said, it is useful to give Claude Code for Web access to context in GitHub Issues or Pull Requests to begin work eg. "Read issue 830 and create a solution".
The current access through the GitHub Proxy doesn't allow read access to Issues or Pull requests.
To work around this restriction, you can:
GITHUB_TOKENSessionStarthook that asserts the token is exists and (hopefully) informs Claude how to use it:.claude/settings.json.claude/hooks/claude-code-for-web-setup.shThis hasn't worked 100% of the time for me. Claude may need to be prompted to use it even after encountering it in setup.
It seems awfully odd to release Claude Code for the web, not give users access to the filesystem / artefacts and deny it access to be able to push it's changes anywhere.
This basically makes it useless?
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
Claude web is useless for a number of reasons. This is one of them.
still occurring
Still there
this is really bad when using claude code web.
The core issue is that the proxy only allows the /git/ path prefix, so it returns "Invalid path format" for /api/, /repos/, or other paths needed for the mentioned operations. Hopefully Anthropic increases the scope allowed by the proxy in the future.
_My solution for now is to just use the gh CLI with tightly scoped tokens for other operations than git stuff._
Setup is automated through a startup hook.
Problem 1: gh CLI is not installed in the CC Web image
Solution: Install it manually.
Problem 2: Git remote not recognized as GitHub host
The gh CLI doesn't recognize the CC Web proxy (http://local_proxy@127.0.0.1:PORT/git/owner/repo) as a GitHub host, so repo-scoped commands like gh pr list, gh workflow list fail with "no known GitHub host".
Solution: Add a secondary remote that points to the real GitHub URL:
The origin remote still uses the proxy for push/pull/fetch, the github remote is passive and won't interfere with that.
Startup Hook Setup
_Prerequisites_
GH_TOKEN must be set in the selected CC Web env. The gh CLI will automatically use this for authentication.
.claude/settings.json
.claude/scripts/setup-web-session.sh
---
_Be mindful that your GH_TOKEN is more vulnerable to exfiltration attacks in CC Web than in CC locally (in normal permission mode), as it’s running CC in YOLO mode basically, so scope it as tightly as possible._
small adjustments to @marofyi suggestion above which avoids a sudo and avoids needing to access release-assets.githubusercontent.com domain which is not in the Trusted domains list (if you're using your own custom domain list, then you can just add release-assets.githubusercontent.com and use curl instead if that's your jam).
also i found that i needed to specifically NOT quote the token in the env definition for claude.
also i added
to my CLAUDE.md so we didnt need to gh auth login or anything first.
EDIT 10-Jan-26: the apt-get update started failing recently, so i removed that and seems to work ok again.
Currently Claude Code on the Web is not disallowing
ghcommand, however remote environment, cc on the Web, still doesn't haveghcommand as default.I created work around which install
ghcommand with using SessionStartHooks:https://github.com/oikon48/gh-setup-hooks
I hope Claude Code on the Web will pre-install
ghcommand in future release.I'm trying to use Claude Code Web to submit a PR for me and hitting this issue. Here's how CC Web agent described the issue to report here. I thought append to this issue instead of opening a new one as I believe it's the same cause.
Title: Claude Code Web cannot create GitHub PRs despite GitHub App having proper permissions
Description:
When using Claude Code on the web with the Claude GitHub App properly installed and configured with the following permissions:
Read and write access to code, discussions, issues, pull requests, and workflows
Read access to actions, checks, and metadata
Claude Code agents are unable to programmatically create pull requests, despite being able to successfully:
Clone repositories
Push commits to branches
Make other git operations through the GitHub proxy
Expected behavior:
Claude Code should be able to create PRs automatically using gh pr create or direct GitHub API calls, given that the GitHub App has "Read and write access to pull requests" permission.
Actual behavior:
gh pr create fails with "To get started with GitHub CLI, please run: gh auth login"
Direct GitHub API calls fail with 401 authentication errors
The git proxy at 127.0.0.1:36994 only supports git protocol operations, not GitHub API endpoints
As of today, it _seems_ like Claude Code on the Web now out of the box / default access to a set GitHub actions via MCP:
Works arounds for at least a subset of these no longer seem required, though I haven't yet seen the docs updates to reflect this.
Indeed it works now, but it impersonates you making comments which is too much IMHO. Needs to keep the "Claude using your credentials" workflow that is in effect elsewhere.