Ultraplan web handoff fails to push PR when container has read-only GitHub access
Summary
When using Ultraplan to hand off a plan from the local terminal to Claude Code on the web for execution, the web session cannot push the resulting branch or create a PR if the remote container's network policy doesn't grant write access to GitHub. The session executes successfully but the PR never lands, leaving the user with no automated way to retrieve the changes.
Steps to reproduce
- In local terminal, use Ultraplan to hand off a plan to the web session
- Approve the plan in the browser
- Web session executes the plan and commits changes to a local branch in the container
- Web session attempts
git push— receives 403 from the git proxy GITHUB_TOKEN=proxy-injectedis present in env but the token does not carry push scope in the default network policy- No PR is created; terminal receives no result
Expected behaviour
The web session pushes the branch to the user's GitHub remote and opens a PR. The local terminal surfaces the PR link as promised ("Results will land as a pull request when the cloud session finishes").
Actual behaviour
Push fails with 403. Session ends with changes stranded in the container. User must manually extract changes via a patch file.
Suggested fixes (either would resolve this)
- Write-capable token — inject a GitHub token with push scope into the container, or accept one from the user's local git credential store at handoff time.
- Local fallback — if the container detects it cannot push (no remote configured, or push returns 403), teleport execution back to the local terminal instead of running in the web session.
Environment
- Claude Code web session (CCR container,
CLAUDE_CODE_USE_CCR_V2=true) - Network policy: default (egress proxy, read-only GitHub clone)
- No
ghCLI available in container
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗