[BUG] Managed Agents git push to non-claude/* branch returns HTTP 403 with App-installation token

Open 💬 2 comments Opened May 21, 2026 by rtman

Environment

  • Product: Claude Managed Agents (CMA)
  • SDK: @anthropic-ai/sdk@0.97.1, beta header managed-agents-2026-04-01
  • Agent toolset: agent_toolset_20260401
  • Resource: github_repository with authorization_token set to a GitHub App-installation token (ghs_*) minted via actions/create-github-app-token@v1
  • Repo type: private, same-org as the GitHub App

Symptom

Inside a CMA session, the agent's git push -u origin <pr-head-branch> returns:

error: RPC failed; HTTP 403 curl 22 The requested URL returned error: 403
send-pack: unexpected disconnect while reading sideband packet
fatal: the remote end hung up unexpectedly

Two observations from the same session that distinguish what is and isn't accepted:

  1. Same session, same token, pushing to the claude/<session-id> namespace succeeds:

```
$ git push -u origin HEAD:claude/sesn_<id>
To http://127.0.0.1:<port>/git/<owner>/<repo>

  • [new branch] HEAD -> claude/sesn_<id>

```

  1. Same token, outside CMA, pushing the same branch from the GitHub Actions runner that minted the token succeeds (verified via a probe step that git clones and pushes an empty commit using https://x-access-token:${ghs_*}@github.com/...).

So the token is valid and has push permission on the target branch; only the CMA-internal proxy at http://127.0.0.1:<port>/git/<owner>/<repo> rejects pushes to branches outside the claude/<session-id> namespace.

Steps to reproduce

  1. Mint a GitHub App-installation token (ghs_*) with contents: write on a private repo.
  2. Open a CMA session with a github_repository resource:

``ts
resources: [{
type: 'github_repository',
url: 'https://github.com/<owner>/<repo>',
mount_path: '/workspace/repo',
authorization_token: '<ghs_*>',
checkout: { type: 'branch', name: '<existing-pr-branch>' },
}]
``

  1. Have the agent stage a commit and run git push -u origin <existing-pr-branch> — returns 403 with the body above.
  2. Have the agent run git push -u origin HEAD:claude/<session-id> in the same session — succeeds.

Session IDs (for Anthropic engineers)

  • sesn_01H16kD42xMG5T75U42JhxFK — push to PR branch 403'd, fell back to pushing to claude/sesn_01H16kD42xMG5T75U42JhxFK
  • sesn_011GjN5SkvTAzwB89aArtVPz — push to PR branch 403'd, no fallback

I can share workflow-run logs and repo details privately if helpful.

Ask

Is this restriction intentional (App-installation tokens permitted only for claude/<session-id> pushes)? If so, please document it — the github_repository resource docs don't note a branch-namespace restriction, and the proxy's HTTP 403 response carries no actionable body explaining the constraint.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗