[BUG] Managed Agents git push to non-claude/* branch returns HTTP 403 with App-installation token
Environment
- Product: Claude Managed Agents (CMA)
- SDK:
@anthropic-ai/sdk@0.97.1, beta headermanaged-agents-2026-04-01 - Agent toolset:
agent_toolset_20260401 - Resource:
github_repositorywithauthorization_tokenset to a GitHub App-installation token (ghs_*) minted viaactions/create-github-app-token@v1 - Repo type: private, same-org as the GitHub App
Symptom
Inside a CMA session, the agent's git push -u origin <pr-head-branch> returns:
error: RPC failed; HTTP 403 curl 22 The requested URL returned error: 403
send-pack: unexpected disconnect while reading sideband packet
fatal: the remote end hung up unexpectedly
Two observations from the same session that distinguish what is and isn't accepted:
- Same session, same token, pushing to the
claude/<session-id>namespace succeeds:
```
$ git push -u origin HEAD:claude/sesn_<id>
To http://127.0.0.1:<port>/git/<owner>/<repo>
- [new branch] HEAD -> claude/sesn_<id>
```
- Same token, outside CMA, pushing the same branch from the GitHub Actions runner that minted the token succeeds (verified via a probe step that
git clones and pushes an empty commit usinghttps://x-access-token:${ghs_*}@github.com/...).
So the token is valid and has push permission on the target branch; only the CMA-internal proxy at http://127.0.0.1:<port>/git/<owner>/<repo> rejects pushes to branches outside the claude/<session-id> namespace.
Steps to reproduce
- Mint a GitHub App-installation token (
ghs_*) withcontents: writeon a private repo. - Open a CMA session with a
github_repositoryresource:
``ts``
resources: [{
type: 'github_repository',
url: 'https://github.com/<owner>/<repo>',
mount_path: '/workspace/repo',
authorization_token: '<ghs_*>',
checkout: { type: 'branch', name: '<existing-pr-branch>' },
}]
- Have the agent stage a commit and run
git push -u origin <existing-pr-branch>— returns 403 with the body above. - Have the agent run
git push -u origin HEAD:claude/<session-id>in the same session — succeeds.
Session IDs (for Anthropic engineers)
sesn_01H16kD42xMG5T75U42JhxFK— push to PR branch 403'd, fell back to pushing toclaude/sesn_01H16kD42xMG5T75U42JhxFKsesn_011GjN5SkvTAzwB89aArtVPz— push to PR branch 403'd, no fallback
I can share workflow-run logs and repo details privately if helpful.
Ask
Is this restriction intentional (App-installation tokens permitted only for claude/<session-id> pushes)? If so, please document it — the github_repository resource docs don't note a branch-namespace restriction, and the proxy's HTTP 403 response carries no actionable body explaining the constraint.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗