[BUG] Cloud/Cowork sessions: git proxy now blocks all pushes — "not in this session's authorized repository set"; PAT pass-through no longer works (CCR_TEST_GITPROXY rollout?)
Summary
As of ~10 Jul 2026 (AEST), Cowork / remote cloud sessions can no longer push to GitHub repositories that aren't in the session's "authorized repository set" — including when the user supplies their own fine-grained PAT, which previously worked. The change appeared mid-session (pushes worked in the morning, then began failing a few hours later with no client-side change) and persists in fresh sessions.
Exact errors
git push (PAT embedded in remote URL, fine-grained, Contents R/W):
remote: access denied by the git proxy: Loneplanet117/portal-cw-brands is not in this session's authorized repository set, so the proxy will not inject a credential for it. To fix, add the repository to the session's sources.
fatal: unable to access 'https://github.com/Loneplanet117/portal-cw-brands.git/': The requested URL returned error: 403
REST API calls to api.github.com with the same PAT are also intercepted by the proxy:
{"message":"GitHub access to this repository is not enabled for this session. Use add_repo to request access.","documentation_url":"https://docs.anthropic.com/en/docs/claude-code/github-actions"}
The session's built-in credential also fails: requests using the environment's GITHUB_TOKEN return builtin injection failed.
Clones/fetches/reads still work fine. Only writes are blocked.
Evidence this is a server-side rollout
- The session environment contains
CCR_TEST_GITPROXY=1, which looks like a feature flag for new git-proxy enforcement. - Timeline: push worked on the morning of 10 Jul (AEST), was blocked mid-session the same day with no client-side change, and remains blocked in brand-new sessions (different container, fresh clone, same PAT).
- The user did not change PAT scopes, repo permissions, or session configuration between the working and non-working states.
Impact
- Established PAT-per-session workflows (user pastes a scoped PAT in chat; session pushes to a private repo) are broken with no self-service fix visible from the product.
- The error text says "add the repository to the session's sources", and the API error says "Use
add_repoto request access" — but in a Cowork desktop session there is no visible UI to add a GitHub repository as a session source, and noadd_repotool/command exists in the sandbox (not in PATH, not an available MCP tool in the session). - Docs (https://code.claude.com/docs/en/claude-code-on-the-web) describe GitHub App /
/web-setupauthorization for Claude Code on the web, but it's unclear how that maps to Cowork sessions, and no error surface points the user at it.
Expected behavior
Either (a) user-supplied credentials continue to work for repos the credential legitimately has access to, or (b) the product provides a clear, discoverable way to add a repository to a Cowork session's authorized set (and the proxy error points at it accurately).
Environment
- Product: Cowork (Claude desktop app) → remote cloud sandbox session
- Session:
session_01YQvhPVCkNAFXKDFTmEpL2K(envCLAUDE_CODE_REMOTE_SESSION_ID=cse_01YQvhPVCkNAFXKDFTmEpL2K) - Env flags observed:
CCR_TEST_GITPROXY=1,CCR_AGENT_PROXY_ENABLED=1,CCR_UPSTREAM_PROXY_ENABLED=1 - Repo: private,
Loneplanet117/portal-cw-brands - Date observed: 2026-07-09 → 2026-07-10 (AEST)
Repro steps
- Start a Cowork session from the Claude desktop app (no GitHub repo configured as a session source).
git clone https://x-access-token:<fine-grained-PAT>@github.com/<owner>/<private-repo>.git→ succeeds.- Create a branch, empty commit,
git push origin <branch>→ 403 from the git proxy with the message above. - The 403 originates from the sandbox git proxy ("remote: access denied by the git proxy"), not from GitHub — GitHub never evaluates the supplied PAT.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗