[BUG] Claude GitHub integration needs org-installation-only mode and must not access repos outside selected app installation
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Right now, the Claude GitHub App can be installed on a work org with access restricted to selected repos, but the user authorization flow can still authorize Claude against the user's broader GitHub identity. There is no clear way to say: "Claude may use only this work org installation and must not discover or access any personal repositories".
For coding agents, this is a serious permission-boundary problem. Many users have both work and personal GitHub access on the same GitHub account. If Claude can use a user authorization path to discover or access repositories outside the selected GitHub App installation, then selected-repo app installation is not a sufficient safety guarantee.
If the Claude GitHub App is installed only on a work org and only for selected repos, then Claude should have no access to private repositories under the personal GitHub account, even if authorized by GitHub user identity to use the connector.
What Should Happen?
One should be able to configure Claude like this:
- Install the Claude GitHub App on a work org.
- Restrict the installation to selected work repositories.
- Authorize their GitHub user only to bind/use that org installation.
- Ensure Claude cannot discover, read, write, clone, open PRs against, or otherwise operate on any repository outside that selected installation scope.
In other words, the effective repository allowlist should be selected repos in the selected GitHub App installation, not anything the GitHub user can access.
Error Messages/Logs
Steps to Reproduce
The GitHub authorization flow does not provide a clear option to bind Claude only to a selected org installation.
There is no UI to say "authorize this app only for the work org installation" or "exclude my personal repositories".
This creates ambiguity about whether Claude is limited to the selected GitHub App installation or whether it can also use user-authorized access to reach other repositories available to the user.
In testing, Claude appeared able to access personal repositories even though the Claude app was not installed on the personal GitHub account. The integration is using the user authorization path, not only the selected GitHub App installation path.
Claude Model
_No response_
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
*
Platform
Anthropic API
Operating System
Other
Terminal/Shell
Other
Additional Information
Why this matters
For AI coding agents, "act on my behalf" is not a minor convenience permission. It is the core attack surface.
Repo-scoped GitHub App installation gives users the impression that access is limited to selected repositories. If the connector can also use a user authorization path to reach repos outside that installation, then the user-facing permission model is misleading and unsafe for anyone who uses the same GitHub account for work and personal repos.
This blocks safe adoption for users who want Claude on work repositories but do not want to expose personal repositories.
Requested fix
Please add a strict access mode with these guarantees:
- Allow users to bind Claude to a specific GitHub App installation, e.g. one org installation.
- Show the effective repository allowlist before authorization.
- Do not allow any user-token fallback to discover, read, write, clone, or operate on repositories outside that selected installation scope.
- Provide a clear UI distinction between identity authorization and repository/content authorization.
- Fail closed if a repo is not included in the selected installation.
Suggested product labels:
- "Use only this GitHub App installation"
- "Org-installation-only access"
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗