dev-bubble 0.7.5__tar.gz → 0.7.8__tar.gz

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/.claude/CLAUDE.md

@@ -121,14 +121,19 @@ Bubbles can run on a remote machine instead of locally. The `--ssh HOST` flag (o
 Users can place a `customize.sh` script at `~/.bubble/customize.sh` to run custom setup in all container images. The script runs as root as the final step when building any image (base, lean, lean-v4.X.Y). This lets users add tools, dotfiles, shell config, etc. without forking image scripts. The script's content hash is tracked in `~/.bubble/customize-hash`; on `bubble open`, if the hash differs from the stored value, a background rebuild of the base image is triggered (same pattern as VS Code commit hash drift). Code is in `builder.py` (`customize_hash()`, `_run_customize_script()`).
 
 ### GitHub Auth Proxy
-The auth proxy (`auth_proxy.py`) provides repo-scoped GitHub authentication without injecting the host's token into containers. It's an HTTP reverse proxy that runs on the host with graduated access levels:
-
-| Level | Description | Routes |
-|-------|-------------|--------|
-| 1 | Git only | `/git/{owner}/{repo}/...` (smart HTTP) |
-| 2 | Git + REST read | + `GET /repos/{owner}/{repo}/...` |
-| 3 | Git + gh read-only (default) | + `POST /graphql` (queries only, mutations blocked) |
-| 4 | Git + gh read-write | + mutations + REST POST/PATCH/DELETE |
+The auth proxy (`auth_proxy.py`) provides repo-scoped GitHub authentication without injecting the host's token into containers. It's an HTTP reverse proxy that runs on the host. The access level is controlled by the unified `github` security setting (`security.py`), which picks one level from a graduated escalation ladder:
+
+| `github` level | Behavior |
+|----------------|----------|
+| `off` | no GitHub access at all |
+| `basic` | git push/pull only (proxy rewrites, repo-scoped) |
+| `rest` | + repo-scoped REST API |
+| `allowlist-read-graphql` | + allowlisted GraphQL queries |
+| `allowlist-write-graphql` | + allowlisted GraphQL mutations (default) |
+| `write-graphql` | + arbitrary GraphQL, no allowlist filtering |
+| `direct` | inject the raw token, no proxy |
+
+`auto` defaults to `allowlist-write-graphql`. The old `github-auth`, `github-api`, and `github-token-inject` settings are deprecated but migrated automatically.
 
 **Git flow:** Container git → `url.insteadOf` rewrites to `http://127.0.0.1:7654/git/...` → proxy validates `X-Bubble-Token` header → checks path matches allowed `owner/repo` → adds `Authorization: token <real-token>` → forwards to `https://github.com` → returns response.
 

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/CHANGELOG.md

@@ -218,7 +218,7 @@
 - Templated Claude prompts for issues and PRs (#33)
 - PR bubbles now auto-inject a Claude prompt that checks CI status and summarizes PR comments
 - User-customizable prompt templates via `~/.bubble/templates/issue.txt` and `~/.bubble/templates/pr.txt`
-- Issue template placeholders: `{owner}`, `{repo}`, `{issue_num}`, `{title}`, `{body}`, `{comments}`, `{comments_section}`, `{branch}`
+- Issue template placeholders: `{owner}`, `{repo}`, `{issue_num}`, `{title}`, `{body}`, `{comments}`, `{comments_section}`, `{branch}`, `{instructions}`
 - PR template placeholders: `{owner}`, `{repo}`, `{pr_num}`, `{title}`, `{body}`, `{branch}`
 - Falls back to built-in defaults when no custom template exists
 

{dev_bubble-0.7.5/dev_bubble.egg-info → dev_bubble-0.7.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dev-bubble
-Version: 0.7.5
+Version: 0.7.8
 Summary: Containerized development environments powered by Incus
 Author-email: Kim Morrison <kim@tqft.net>
 License-Expression: Apache-2.0

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/__init__.py

@@ -1,3 +1,3 @@
 """bubble: Containerized development environments."""
 
-__version__ = "0.7.5"
+__version__ = "0.7.8"

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/claude.py

@@ -18,18 +18,56 @@ CLAUDE_TASK_COMMAND = (
 
 TEMPLATES_DIR = DATA_DIR / "templates"
 
+# Ordered autonomy levels. Each level implies all lower levels.
+AUTONOMY_LEVELS = ("read", "plan", "implement", "pr", "merge")
+
+# Valid values for the second_opinion setting.
+SECOND_OPINION_VALUES = ("auto", "on", "off")
+
+# Issue prompt instructions keyed by autonomy level.
+_ISSUE_INSTRUCTIONS = {
+    "read": (
+        "Please read and understand the issue. "
+        "Summarize the problem and any relevant context, but take no further action."
+    ),
+    "plan": (
+        "Please read and understand the issue, then propose a plan to fix it. "
+        "Describe what files need to change and how, but do not implement anything yet."
+    ),
+    "implement": (
+        "Please claim this issue (assign it to yourself if possible), "
+        "then implement a fix or feature as described. "
+        "Work on a branch named `{branch}`. Do not commit or open a PR."
+    ),
+    "pr": (
+        "Please claim this issue (assign it to yourself if possible), "
+        "then implement a fix or feature as described. "
+        "Work on a branch named `{branch}`, and open a PR when done."
+    ),
+    "merge": (
+        "Please claim this issue (assign it to yourself if possible), "
+        "then implement a fix or feature as described. "
+        "Work on a branch named `{branch}`, open a PR, "
+        "rebase onto the default branch, watch CI, and merge when it passes."
+    ),
+}
+
+_SECOND_OPINION_SUFFIX = (
+    "\n\nBefore proceeding, get a second opinion from another AI "
+    "(e.g. Codex) to review your approach."
+)
+
 # Default issue prompt template. Placeholders:
 #   {owner}, {repo}, {issue_num}, {title}, {body}, {comments},
-#   {comments_section} (pre-formatted, empty when no comments), {branch}
+#   {comments_section} (pre-formatted, empty when no comments), {branch},
+#   {instructions}
 _DEFAULT_ISSUE_TEMPLATE = (
     'Please read and understand GitHub issue #{issue_num}: "{title}".\n'
     "\n"
     "Issue description:\n"
     "{body}\n"
     "{comments_section}"
-    "\nPlease claim this issue (assign it to yourself if possible), "
-    "then implement a fix or feature as described. "
-    "Work on a branch named `{branch}`, and open a PR when done."
+    "\n{instructions}"
 )
 
 # Default PR prompt template. Placeholders:
@@ -105,12 +143,44 @@ def _fetch_github_item(owner: str, repo: str, endpoint: str, jq: str) -> str | N
         return None
 
 
-def generate_issue_prompt(owner: str, repo: str, issue_num: str, branch: str) -> str | None:
+def _resolve_second_opinion(second_opinion: str, config: dict | None = None) -> bool:
+    """Resolve the second_opinion setting to a boolean.
+
+    'on' → True, 'off' → False, 'auto' → True if codex will be
+    available in the container (checked via tool resolution, not host PATH).
+    """
+    if second_opinion == "on":
+        return True
+    if second_opinion == "off":
+        return False
+    # auto: check if codex is resolved as an enabled tool
+    if config is not None:
+        from .tools import resolve_tools
+
+        return "codex" in resolve_tools(config)
+    # Fallback when no config available: check host PATH
+    import shutil
+
+    return shutil.which("codex") is not None
+
+
+def generate_issue_prompt(
+    owner: str,
+    repo: str,
+    issue_num: str,
+    branch: str,
+    autonomy: str = "plan",
+    second_opinion: str = "auto",
+    config: dict | None = None,
+) -> str | None:
     """Fetch GitHub issue details and generate a Claude prompt.
 
     Returns the prompt string, or None if the issue can't be fetched.
     Uses a custom template from ~/.bubble/templates/issue.txt if present,
     otherwise falls back to the built-in default.
+
+    The autonomy level controls what action instructions are included:
+      read, plan, implement, pr, merge.
     """
     raw = _fetch_github_item(owner, repo, f"issues/{issue_num}", ".title,.body")
     if raw is None:
@@ -129,8 +199,21 @@ def generate_issue_prompt(owner: str, repo: str, issue_num: str, branch: str) ->
     if comments_text:
         comments_section = f"\nComments:\n{comments_text}\n"
 
-    template = _load_template("issue") or _DEFAULT_ISSUE_TEMPLATE
-    return _render_template(
+    # Build instructions from autonomy level
+    if autonomy not in AUTONOMY_LEVELS:
+        autonomy = "plan"
+    instructions = _ISSUE_INSTRUCTIONS[autonomy]
+    # The instructions may contain {branch} placeholder
+    instructions = instructions.format(branch=branch)
+
+    # Append second opinion request if enabled
+    if _resolve_second_opinion(second_opinion, config=config):
+        instructions += _SECOND_OPINION_SUFFIX
+
+    custom_template = _load_template("issue")
+    template = custom_template or _DEFAULT_ISSUE_TEMPLATE
+
+    prompt = _render_template(
         template,
         owner=owner,
         repo=repo,
@@ -140,8 +223,16 @@ def generate_issue_prompt(owner: str, repo: str, issue_num: str, branch: str) ->
         comments=comments_text,
         comments_section=comments_section,
         branch=branch,
+        instructions=instructions,
     )
 
+    # If a custom template didn't use {instructions}, append them so
+    # autonomy/second-opinion settings are never silently lost.
+    if custom_template and "{instructions}" not in custom_template:
+        prompt = prompt.rstrip() + "\n\n" + instructions
+
+    return prompt
+
 
 def generate_pr_prompt(owner: str, repo: str, pr_num: str, branch: str) -> str | None:
     """Fetch GitHub PR details and generate a Claude prompt.

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/clean.py

@@ -70,7 +70,9 @@ REASONS=""
 EXPECTED=$(echo {q_repo} | tr '[:upper:]' '[:lower:]')
 
 # Check 1: no unexpected non-hidden items in home
-ITEMS=$(ls /home/user/ 2>/dev/null || true)
+# Filter out known infrastructure files (build.log from background builds,
+# bin/ from tool installation)
+ITEMS=$(ls /home/user/ 2>/dev/null | grep -v -x -e 'build.log' -e 'bin' || true)
 if [ -n "$EXPECTED" ]; then
   if [ "$(echo "$ITEMS" | tr '[:upper:]' '[:lower:]')" != "$EXPECTED" ]; then
     CLEAN=false

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/cli.py

@@ -51,6 +51,7 @@ from .native import open_native
 from .provisioning import mount_overlaps, provision_container
 from .repo_registry import RepoRegistry
 from .security import (
+    get_github_level,
     is_enabled,
     is_locked_off,
     print_warnings,
@@ -264,7 +265,20 @@ def _resolve_claude_prompt_locally(target: str, new_branch: str | None = None) -
             from .output import detail
 
             detail(f"Fetching issue #{t.ref} for Claude prompt...")
-            prompt = generate_issue_prompt(t.owner, t.repo, t.ref, branch) or ""
+            _cfg = load_config()
+            _claude_cfg = _cfg.get("claude", {})
+            prompt = (
+                generate_issue_prompt(
+                    t.owner,
+                    t.repo,
+                    t.ref,
+                    branch,
+                    autonomy=_claude_cfg.get("autonomy", "plan"),
+                    second_opinion=_claude_cfg.get("second_opinion", "auto"),
+                    config=_cfg,
+                )
+                or ""
+            )
         elif t.kind == "pr":
             from .claude import generate_pr_prompt
 
@@ -329,8 +343,9 @@ def _open_remote(
     # Inject local SSH keys into the container so the chained ProxyCommand works
     inject_local_ssh_keys(remote_host, name)
 
-    # Set up GitHub auth: token injection (level 5) or tunneled proxy (levels 1-4)
-    if is_enabled(config, "github_token_inject"):
+    # Set up GitHub auth based on the unified github security level
+    gh_level = get_github_level(config)
+    if gh_level == "direct":
         from .github_token import setup_gh_token
 
         setup_gh_token(
@@ -339,7 +354,7 @@ def _open_remote(
             remote_host=remote_host,
             token_inject=True,
         )
-    elif is_enabled(config, "github_auth"):
+    elif gh_level != "off":
         from .github_token import setup_gh_token
         from .tools import resolve_tools
 
@@ -993,9 +1008,10 @@ def _open_single(
         )
 
         # Set up GitHub auth BEFORE clone — network allowlisting strips
-        # github.com from allowed domains when using the auth proxy (levels
-        # 1-4), so git must be configured to route through the proxy first.
-        if is_enabled(config, "github_token_inject"):
+        # github.com from allowed domains when using the auth proxy, so
+        # git must be configured to route through the proxy first.
+        gh_level = get_github_level(config)
+        if gh_level == "direct":
             from .github_token import setup_gh_token
 
             setup_gh_token(
@@ -1004,7 +1020,7 @@ def _open_single(
                 machine_readable=machine_readable,
                 token_inject=True,
             )
-        elif is_enabled(config, "github_auth"):
+        elif gh_level != "off":
             from .github_token import setup_gh_token
             from .tools import resolve_tools
 
@@ -1033,7 +1049,19 @@ def _open_single(
             from .output import detail
 
             detail(f"Fetching issue #{t.ref} for Claude prompt...")
-            claude_prompt = generate_issue_prompt(t.owner, t.repo, t.ref, checkout_branch) or ""
+            claude_cfg = config.get("claude", {})
+            claude_prompt = (
+                generate_issue_prompt(
+                    t.owner,
+                    t.repo,
+                    t.ref,
+                    checkout_branch,
+                    autonomy=claude_cfg.get("autonomy", "plan"),
+                    second_opinion=claude_cfg.get("second_opinion", "auto"),
+                    config=config,
+                )
+                or ""
+            )
         elif not claude_prompt and t.kind == "pr" and not machine_readable:
             from .claude import generate_pr_prompt
             from .output import detail

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/commands/security_cmd.py

@@ -38,8 +38,9 @@ def register_security_commands(main):
         if changed:
             save_config(config)
             for name in changed:
-                click.echo(f"  security.{display_setting_name(name)} = on")
-            click.echo(f"Set {len(changed)} setting(s) to on. All conveniences enabled.")
+                val = config["security"][name]
+                click.echo(f"  security.{display_setting_name(name)} = {val}")
+            click.echo(f"Set {len(changed)} setting(s) to most permissive.")
         else:
             click.echo("All settings are already on.")
 
@@ -75,11 +76,12 @@ def register_security_commands(main):
     def security_set(key, value):
         """Set a security setting: bubble security set <name> <value>.
 
-        Setting names use hyphens (e.g. github-auth, claude-credentials).
+        Setting names use hyphens (e.g. github, claude-credentials).
         Underscores are also accepted as permanent aliases.
 
         Most settings accept: auto, on, off.
-        github-api also accepts: read-write (enables mutations).
+        github accepts: off, basic, rest, allowlist-read-graphql,
+          allowlist-write-graphql, write-graphql, direct.
         """
         # Accept both "security.X" and bare "X", normalize hyphens to underscores
         name = normalize_setting_name(key.removeprefix("security."))

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/commands/settings.py

@@ -157,12 +157,64 @@ def register_settings_commands(main):
         else:
             click.echo("Claude credentials disabled.")
 
+    @claude_group.command("set")
+    @click.argument("key", type=click.Choice(["autonomy", "second-opinion"]))
+    @click.argument("value")
+    def claude_set_cmd(key, value):
+        """Set a Claude Code setting.
+
+        \b
+        Settings:
+          autonomy       read, plan, implement, pr, merge (default: plan)
+          second-opinion auto, on, off (default: auto)
+
+        \b
+        Examples:
+          bubble claude set autonomy pr
+          bubble claude set second-opinion on
+        """
+        from ..claude import AUTONOMY_LEVELS, SECOND_OPINION_VALUES
+
+        config_key = key.replace("-", "_")
+
+        if config_key == "autonomy":
+            if value not in AUTONOMY_LEVELS:
+                click.echo(
+                    f"Invalid autonomy level: {value}. Choose from: {', '.join(AUTONOMY_LEVELS)}",
+                    err=True,
+                )
+                sys.exit(1)
+        elif config_key == "second_opinion":
+            if value not in SECOND_OPINION_VALUES:
+                click.echo(
+                    f"Invalid second-opinion value: {value}. "
+                    f"Choose from: {', '.join(SECOND_OPINION_VALUES)}",
+                    err=True,
+                )
+                sys.exit(1)
+
+        config = load_config()
+        config.setdefault("claude", {})[config_key] = value
+        save_config(config)
+        click.echo(f"Set claude.{key} = {value}")
+
     @claude_group.command("status")
     def claude_status_cmd():
         """Show current Claude Code settings."""
+        from ..claude import _resolve_second_opinion
+
         config = load_config()
-        creds = config.get("claude", {}).get("credentials", True)
-        click.echo(f"  credentials: {'on' if creds else 'off'}")
+        claude_cfg = config.get("claude", {})
+        creds = claude_cfg.get("credentials", True)
+        autonomy = claude_cfg.get("autonomy", "plan")
+        second_opinion = claude_cfg.get("second_opinion", "auto")
+        resolved_so = _resolve_second_opinion(second_opinion, config=config)
+
+        click.echo(f"  credentials:    {'on' if creds else 'off'}")
+        click.echo(f"  autonomy:       {autonomy}")
+        so_resolved = "on" if resolved_so else "off"
+        so_extra = f" (resolved: {so_resolved})" if second_opinion == "auto" else ""
+        click.echo(f"  second-opinion: {second_opinion}{so_extra}")
 
     # --- codex ---
 
@@ -321,34 +373,30 @@ def register_settings_commands(main):
         """Show GitHub integration status."""
         from ..automation import is_auth_proxy_installed
         from ..github_token import has_gh_auth
-        from ..security import is_enabled as sec_is_enabled
+        from ..security import get_github_level
 
         config = load_config()
-        github_auth = get_setting(config, "github_auth")
-        enabled = sec_is_enabled(config, "github_auth")
+        gh_level = get_github_level(config)
+        raw_value = get_setting(config, "github")
         host_auth = has_gh_auth()
         proxy_installed = is_auth_proxy_installed()
 
-        token_inject = get_setting(config, "github_token_inject")
-        inject_enabled = sec_is_enabled(config, "github_token_inject")
-
-        click.echo(f"GitHub auth:      {github_auth} (effectively {'on' if enabled else 'off'})")
-        click.echo(
-            f"Token injection:  {token_inject} (effectively {'on' if inject_enabled else 'off'})"
-        )
+        if raw_value == "auto":
+            click.echo(f"GitHub level:     auto (effectively {gh_level})")
+        else:
+            click.echo(f"GitHub level:     {gh_level}")
         click.echo(f"Host gh auth:     {'authenticated' if host_auth else 'not authenticated'}")
         click.echo(f"Auth proxy:       {'installed' if proxy_installed else 'not installed'}")
-        if inject_enabled:
+        if gh_level == "direct":
             click.echo(
-                "\nWarning: token injection is enabled. Containers get your full GitHub token."
-                "\nDisable: bubble security set github-token-inject off"
+                "\nWarning: direct token injection is enabled."
+                " Containers get your full GitHub token."
+                "\nChange: bubble security set github allowlist-write-graphql"
             )
+        elif gh_level == "off":
+            click.echo("\nGitHub access is disabled. Enable: bubble security set github auto")
         elif not host_auth:
             click.echo("\nRun 'gh auth login' to authenticate on the host first.")
-        elif not enabled:
-            click.echo(
-                "\nRun 'bubble security set github-auth on' to enable GitHub auth in bubbles."
-            )
 
     @gh_group.group("proxy")
     def gh_proxy_group():
@@ -479,7 +527,7 @@ def register_settings_commands(main):
         """Set a security setting: bubble config set security.<name> <value>.
 
         Alias for `bubble security set <name> <value>`.
-        Setting names use hyphens (e.g. github-auth, claude-credentials).
+        Setting names use hyphens (e.g. github, claude-credentials).
         Underscores are also accepted as permanent aliases.
         """
         # Accept both "security.X" and bare "X", normalize hyphens to underscores

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/config.py

@@ -62,6 +62,8 @@ DEFAULT_CONFIG = {
     },
     "claude": {
         "credentials": True,
+        "autonomy": "plan",
+        "second_opinion": "auto",
     },
     "codex": {
         "credentials": True,

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/container_helpers.py

@@ -11,7 +11,7 @@ import click
 from .lifecycle import load_registry
 from .output import detail, step
 from .runtime.base import ContainerRuntime
-from .security import filter_github_domains, is_enabled
+from .security import filter_github_domains
 from .vscode import add_ssh_config
 
 
@@ -123,11 +123,13 @@ def apply_network(
     for d in tool_runtime_domains(resolve_tools(config)):
         if d not in domains:
             domains.append(d)
-    # Direct GitHub network access is only allowed when github_token_inject
-    # is enabled (level 5: direct token injection). For proxy-mediated access
-    # (levels 0-4) or no auth, iptables blocks direct GitHub traffic — all
-    # GitHub communication is forced through the auth proxy on loopback.
-    if not is_enabled(config, "github_token_inject"):
+    # Direct GitHub network access is only allowed when the github level
+    # is "direct" (raw token injection). For proxy-mediated access or no
+    # auth, iptables blocks direct GitHub traffic — all GitHub communication
+    # is forced through the auth proxy on loopback.
+    from .security import get_github_level
+
+    if get_github_level(config) != "direct":
         domains = filter_github_domains(domains)
     if domains:
         try:

{dev_bubble-0.7.5 → dev_bubble-0.7.8}/bubble/github_token.py

@@ -1,6 +1,6 @@
 """GitHub authentication for containers via auth proxy or direct injection.
 
-Levels 1-4 use an HTTP reverse proxy on the host:
+Most github levels use an HTTP reverse proxy on the host:
 1. Receives plain HTTP git requests from the container
 2. Validates the request targets only the allowed repository
 3. Adds the real Authorization header
@@ -9,8 +9,8 @@ Levels 1-4 use an HTTP reverse proxy on the host:
 The host GitHub token never enters the container. Each container
 gets a per-container bearer token scoped to one repository.
 
-Level 5 (token injection) bypasses the proxy entirely: the host's
-actual GitHub token is injected into the container as GH_TOKEN and
+The "direct" level bypasses the proxy entirely: the host's actual
+GitHub token is injected into the container as GH_TOKEN and
 GITHUB_TOKEN environment variables, giving unrestricted access.
 
 For local containers, the proxy is exposed via Incus proxy devices.
@@ -18,15 +18,18 @@ For remote/cloud containers, an SSH reverse tunnel forwards the
 local proxy port to the remote host, then an Incus proxy device
 on the remote exposes it into the container.
 
-Access levels:
-  Level 1: git only (push/pull)
-  Level 3: git + gh read-only (REST read + GraphQL queries)
-  Level 4: git + gh read-write (REST read-write + GraphQL mutations)
-  Level 5: direct token injection (bypasses proxy)
-
-When the gh tool is installed and github_api is enabled, the proxy
-is also exposed as a Unix socket at /bubble/gh-proxy.sock and gh
-is configured to route through it via http_unix_socket.
+GitHub levels (each a strict superset of the one above):
+  off:                      no GitHub access
+  basic:                    git push/pull only
+  rest:                     + repo-scoped REST API
+  allowlist-read-graphql:   + allowlisted GraphQL queries
+  allowlist-write-graphql:  + allowlisted GraphQL mutations (default)
+  write-graphql:            + arbitrary GraphQL
+  direct:                   raw token injection, no proxy
+
+When gh is installed and the github level includes REST or higher,
+the proxy is also exposed as a Unix socket at /bubble/gh-proxy.sock
+and gh is configured to route through it via http_unix_socket.
 """
 
 import platform
@@ -109,16 +112,23 @@ def _ensure_auth_proxy_running() -> int | None:
 def _resolve_access_level(config: dict, gh_enabled: bool) -> int:
     """Determine the auth proxy REST access level for a container.
 
-    Returns the REST access level (1 or 4) based on config and tool
-    availability.  GraphQL policies are resolved separately by
-    _resolve_graphql_config().
+    Returns the REST access level (1 or 4) based on the unified github
+    security level and tool availability.  GraphQL policies are resolved
+    separately by _resolve_graphql_config().
     """
     from .auth_proxy import LEVEL_GH_READWRITE, LEVEL_GIT_ONLY
-    from .security import is_enabled
+    from .security import get_github_level
+
+    level = get_github_level(config)
+
+    # basic = git only; off/direct shouldn't reach here but return git-only
+    if level in ("off", "basic", "direct"):
+        return LEVEL_GIT_ONLY
 
-    if not gh_enabled or not is_enabled(config, "github_api"):
+    if not gh_enabled:
         return LEVEL_GIT_ONLY
 
+    # rest, allowlist-read-graphql, allowlist-write-graphql, write-graphql
     # REST is already repo-scoped by path validation, so read-write is
     # safe by default.  This enables REST POST operations like
     # gh run rerun (/repos/{owner}/{repo}/actions/runs/{id}/rerun).
@@ -128,18 +138,26 @@ def _resolve_access_level(config: dict, gh_enabled: bool) -> int:
 def _resolve_graphql_config(config: dict, gh_enabled: bool) -> tuple[str, str]:
     """Determine GraphQL policies for a container.
 
-    Returns (graphql_read, graphql_write).
+    Returns (graphql_read, graphql_write) based on the unified github
+    security level.
     """
-    from .security import get_setting, is_enabled
+    from .security import get_github_level
 
-    if not gh_enabled or not is_enabled(config, "github_api"):
+    level = get_github_level(config)
+
+    if not gh_enabled or level in ("off", "basic", "rest", "direct"):
         return "none", "none"
 
-    if get_setting(config, "github_api") == "read-write":
+    if level == "allowlist-read-graphql":
+        return "whitelisted", "none"
+
+    if level == "allowlist-write-graphql":
+        return "whitelisted", "whitelisted"
+
+    if level == "write-graphql":
         return "unrestricted", "unrestricted"
 
-    # Default: whitelisted for both — repo-scoped reads, allowlisted mutations
-    return "whitelisted", "whitelisted"
+    return "none", "none"
 
 
 def _describe_graphql_mode(graphql_read: str, graphql_write: str) -> str: