dev-bubble 0.7.9__tar.gz → 0.7.11__tar.gz

{dev_bubble-0.7.9 → dev_bubble-0.7.11}/.claude/CLAUDE.md

@@ -139,15 +139,15 @@ The auth proxy (`auth_proxy.py`) provides repo-scoped GitHub authentication with
 
 **gh CLI flow:** `gh` configured with `http_unix_socket: /bubble/gh-proxy.sock` (via `GH_CONFIG_DIR=/etc/bubble/gh`) → sends requests through Unix socket → proxy validates token from `Authorization` header → enforces access level (REST repo-scoping, GraphQL mutation filtering) → adds real token → forwards to `https://api.github.com`.
 
-**GraphQL validation** (`graphql_validator.py`): GraphQL access is controlled by two independent axes — `graphql_read` and `graphql_write` — each supporting `whitelisted`, `unrestricted`, or `none` modes. The default is `whitelisted` for both. In whitelisted mode, a lightweight tokenizer/parser validates structure (single operation, single top-level field, no aliases/directives, no fragments in mutations) and semantics. Read validation repo-scopes `repository` queries via variables, verifies `node` queries via pre-flight ownership checks, and checks second-level fields against an allowlist. Write validation checks mutations against an allowlist (createPullRequest, addComment, mergePullRequest, etc.) with repo-scoping via repositoryId comparison or pre-flight node ownership verification. Old tokens without `graphql_*` fields derive policies from the legacy `level` field for backward compatibility.
+**GraphQL validation** (`graphql_validator.py`): GraphQL access is controlled by two independent axes — `graphql_read` and `graphql_write` — each supporting `whitelisted`, `unrestricted`, or `none` modes. The default is `whitelisted` for both. In whitelisted mode, a lightweight tokenizer/parser validates structure (single operation, single top-level field, no aliases/directives, no fragments in mutations) and semantics. Read validation repo-scopes `repository` queries via variables, verifies `node` queries via pre-flight ownership checks, and checks second-level fields against an allowlist. Write validation checks mutations against an allowlist (createPullRequest, addComment, mergePullRequest, etc.) with repo-scoping via repositoryId comparison or pre-flight node ownership verification.
 
-**REST security:** REST paths validated against `/repos/{owner}/{repo}/...` (repo-scoped). REST level defaults to `LEVEL_GH_READWRITE` since path validation already constrains access. API redirects (e.g. CI log downloads) followed with hardened rules: GET/HEAD only, HTTPS only, allowlisted hosts, max 2 hops, auth headers stripped. GitHub 4xx errors are passed through to clients (not collapsed to 502).
+**REST security:** REST paths validated against `/repos/{owner}/{repo}/...` (repo-scoped). All HTTP methods are allowed when REST access is enabled, since path validation already constrains access to the scoped repo. API redirects (e.g. CI log downloads) followed with hardened rules: GET/HEAD only, HTTPS only, allowlisted hosts, max 2 hops, auth headers stripped. GitHub 4xx errors are passed through to clients (not collapsed to 502).
 
 **Local bubbles:** Exposed via Incus proxy devices — TCP for git, Unix socket for gh (`listen=unix:/bubble/gh-proxy.sock`).
 
 **Remote/cloud bubbles:** SSH reverse tunnel forwards the local proxy port. Incus proxy devices on the remote expose both TCP and Unix socket endpoints.
 
-**Token management:** Per-container tokens in `~/.bubble/auth-tokens.json` map to `{container, owner, repo, level, graphql_read, graphql_write}`. Tokens are cleaned up on `bubble pop`. The daemon is managed via launchd/systemd.
+**Token management:** Per-container tokens in `~/.bubble/auth-tokens.json` map to `{container, owner, repo, rest_api, graphql_read, graphql_write}`. Tokens are cleaned up on `bubble pop`. The daemon is managed via launchd/systemd.
 
 ### Security Model
 The `user` account has no sudo and a locked password. Network allowlisting is applied on container creation. SSH keys are injected via `incus file push` (not shell interpolation). All user-supplied values in shell commands are quoted with `shlex.quote()`. Each container mounts only its specific bare repo, not the entire git store.

{dev_bubble-0.7.9/dev_bubble.egg-info → dev_bubble-0.7.11}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dev-bubble
-Version: 0.7.9
+Version: 0.7.11
 Summary: Containerized development environments powered by Incus
 Author-email: Kim Morrison <kim@tqft.net>
 License-Expression: Apache-2.0

{dev_bubble-0.7.9 → dev_bubble-0.7.11}/SPEC.md

@@ -339,9 +339,16 @@ of the versioned image for next time.
 > compromised container could write poisoned `.olean` files that subsequent
 > containers would pick up via `lake exe cache get`. The cache is *not* shared
 > with `lake exe cache` run on the host — only bubble containers are affected.
-> Set `shared-cache` to `off` (via `bubble security set shared-cache off`) to
-> mount the cache read-only and prevent future poisoning. If you suspect the
-> cache has already been compromised, delete `~/.bubble/mathlib-cache/`.
+> Three modes are available via `bubble security set shared-cache`:
+> - `on` (default): shared read-write — fastest, but vulnerable to cache
+>   poisoning across containers
+> - `overlay`: shared cache mounted read-only with a per-container writable
+>   overlayfs layer — fast reads from the shared cache with isolated writes
+>   that don't affect other containers (recommended for security-conscious use)
+> - `off`: shared cache mounted read-only — prevents future poisoning
+>
+> If you suspect the cache has already been compromised, delete
+> `~/.bubble/mathlib-cache/`.
 
 **Post-clone behavior:**
 - Pre-populate Lake dependencies from `lake-manifest.json` (see 2.4)
@@ -670,6 +677,7 @@ Each tool has:
 | `elan` | 10 | `elan` | — |
 | `claude` | 50 | `claude` | `api.anthropic.com` |
 | `codex` | 50 | `codex` | `api.openai.com` |
+| `gh` | 50 | `gh` | — |
 | `vscode` | 90 | `code` | VS Code marketplace domains |
 | `emacs` | 90 | `emacs` | — |
 | `neovim` | 90 | `nvim` | — |
@@ -701,6 +709,10 @@ versions from a `pins.json` file.
 
 **`bubble tools set TOOL yes|no|auto`** — configure a tool.
 
+**VS Code extension auto-install:** When both `claude` and `vscode` tools are
+enabled, the Claude Code VS Code extension (`anthropic.claude-code`) is
+pre-installed in the base image.
+
 ### 6.4 Drift detection
 
 A content-aware hash of the enabled tool set (tool names + script contents +
@@ -922,6 +934,12 @@ Credential files (`.credentials.json`) are mounted by default. Disable with
 **Symlink safety:** Reject symlinks that escape `~/.claude/` to prevent
 exposing arbitrary host files.
 
+**Settings pre-population:** During container finalization, `~/.claude.json` is
+written in all containers (not just those with AI task injection). Allowlisted
+settings (theme, onboarding state) are copied from the host, project trust is
+pre-configured for the container's project directory, and
+`hasCompletedOnboarding` is set to skip the first-run wizard.
+
 ### 10.2 Codex config mounting
 
 Similar to Claude. Config: `config.toml` (read-only). Credentials: `auth.json`
@@ -941,27 +959,33 @@ Similar to Claude. Config: `config.toml` (read-only). Credentials: `auth.json`
 ### 10.4 GitHub auth proxy
 
 An HTTP reverse proxy on the host provides GitHub authentication without
-exposing the host's token. Git and REST API requests are repo-scoped;
-GraphQL requests are operation-validated (queries vs mutations) but not
-repo-scoped — see access levels below.
+exposing the host's token. The access level is controlled by the unified
+`github` security setting, which picks one level from a graduated escalation
+ladder (see Security section).
 
 **Port:** 7654 (default, configurable).
 
-**Flow:**
-1. Container git is configured with `url.insteadOf` to route HTTPS through the proxy
-2. Container sends request with `X-Bubble-Token` header
-3. Proxy validates token against `~/.bubble/auth-tokens.json` (mode 0600)
-4. For git/REST: proxy checks path matches the allowed `owner/repo`. For GraphQL: proxy validates operation type (queries allowed at level 3, mutations require level 4) but does not scope to a specific repo
-5. Proxy adds `Authorization: token <real-token>` header
-6. Proxy forwards to `https://github.com`
-7. Response returned to container
+**Git flow:** Container git → `url.insteadOf` rewrites to
+`http://127.0.0.1:7654/git/...` → proxy validates `X-Bubble-Token` header →
+checks path matches allowed `owner/repo` → adds `Authorization` header →
+forwards to `https://github.com` → returns response.
+
+**gh CLI flow:** `gh` configured with `http_unix_socket: /bubble/gh-proxy.sock`
+(via `GH_CONFIG_DIR=/etc/bubble/gh`) → sends requests through Unix socket →
+proxy validates token → enforces access level (REST repo-scoping, GraphQL
+allowlist validation) → adds real token → forwards to `https://api.github.com`.
 
 **Token format:** `~/.bubble/auth-tokens.json`
 ```json
 {
-  "hex_token": {"container": "name", "owner": "owner", "repo": "repo"}
+  "hex_token": {
+    "container": "name",
+    "owner": "owner",
+    "repo": "repo",
+    "graphql_read": "whitelisted",
+    "graphql_write": "whitelisted"
+  }
 }
-```
 
 **Allowed paths (git smart HTTP only):**
 - `GET /git/{owner}/{repo}[.git]/info/refs?service=git-upload-pack`
@@ -969,33 +993,53 @@ repo-scoped — see access levels below.
 - `POST /git/{owner}/{repo}[.git]/git-upload-pack`
 - `POST /git/{owner}/{repo}[.git]/git-receive-pack`
 
-**Access levels (per-container):**
-| Level | Description | Scope |
-|-------|-------------|-------|
-| 1 | Git smart HTTP only (push/pull) | Repo-scoped |
-| 2 | Git + REST API read-only | Repo-scoped (REST paths validated against `/repos/{owner}/{repo}/...`) |
-| 3 (default) | Git + gh read-only (REST read + GraphQL queries) | Git and REST are repo-scoped; **GraphQL is account-wide** — queries can read any data the host token can access |
-| 4 | Git + gh read-write (REST + GraphQL + mutations) | Git and REST are repo-scoped; **GraphQL queries and mutations are account-wide** |
-
-> **Note:** GitHub's GraphQL API does not support path-based scoping.
-> At the default level 3, a container can query any repository, org membership,
-> or user data readable by the host token. To restrict containers to git-only
-> access, use `bubble security set github-api off`.
+**Access levels** (set via `bubble security set github <level>`):
+
+| `github` level | Behavior |
+|----------------|----------|
+| `off` | No GitHub access at all |
+| `basic` | Git push/pull only (proxy rewrites, repo-scoped) |
+| `rest` | + repo-scoped REST API |
+| `allowlist-read-graphql` | + allowlisted read-only GraphQL queries |
+| `allowlist-write-graphql` (default) | + allowlisted GraphQL mutations |
+| `write-graphql` | + arbitrary GraphQL, no allowlist filtering |
+| `direct` | Inject the raw token into the container, no proxy |
+
+**`direct` mode:** The host's `GH_TOKEN` and `GITHUB_TOKEN` environment
+variables are injected into the container via `/etc/profile.d`. No proxy is
+used — git and `gh` connect directly to GitHub. Network allowlisting permits
+direct GitHub access (iptables allows `github.com`).
+
+**GraphQL validation** (`allowlist-read-graphql` and `allowlist-write-graphql`
+levels): GraphQL access is controlled by two independent axes — `graphql_read`
+and `graphql_write` — each supporting `whitelisted`, `unrestricted`, or `none`
+modes. In whitelisted mode, a lightweight tokenizer/parser validates structure
+(single operation, single top-level field, no aliases/directives, no fragments
+in mutations) and semantics. Read validation repo-scopes `repository` queries
+via variables and verifies `node` queries via pre-flight ownership checks.
+Write validation checks mutations against an allowlist with repo-scoping via
+repositoryId comparison or pre-flight node ownership verification.
+
+**REST security:** REST paths validated against `/repos/{owner}/{repo}/...`
+(repo-scoped). API redirects (e.g., CI log downloads) followed with hardened
+rules: GET/HEAD only, HTTPS only, allowlisted hosts
+(`*.blob.core.windows.net`, `*.githubusercontent.com`), max 2 hops, auth
+headers stripped. GitHub 4xx errors are passed through to clients.
 
 **Security:**
 - Path canonicalization: reject encoded separators, dot-segments, duplicate slashes
-- No redirect following (returns redirects as-is to prevent token leakage)
 - Pinned to `github.com:443` with TLS verification
 - Ignores `HTTPS_PROXY`/`ALL_PROXY` environment variables
 - Rate limited: 60/minute, 600/hour per container
 - Maximum request body: 256 MB
 
-**Local containers:** Exposed via Incus proxy device connecting host TCP port to
-container `127.0.0.1:7654`.
+**Local containers:** Exposed via Incus proxy devices — TCP for git, Unix
+socket for gh (`listen=unix:/bubble/gh-proxy.sock`).
 
-**Remote containers:** SSH reverse tunnel (`ssh -R 7654:127.0.0.1:7654 remote`)
-forwards the local proxy port to the remote host. Tunnel PID files in
-`~/.bubble/tunnels/`. One tunnel per remote host (shared across containers).
+**Remote containers:** SSH reverse tunnel forwards the local proxy port to the
+remote host. Incus proxy devices on the remote expose both TCP and Unix socket
+endpoints. Tunnel PID files in `~/.bubble/tunnels/`. One tunnel per remote
+host (shared across containers).
 
 **Daemon management:** launchd (`com.bubble.auth-proxy`) or systemd
 (`bubble-auth-proxy.service`).
@@ -1067,6 +1111,12 @@ location = "fsn1"
 server_name = "bubble-cloud"
 default = false
 
+[ai]
+preferred = "claude"
+autonomy = "plan"
+second_opinion = "auto"
+second_opinion_provider = "codex"
+
 [claude]
 credentials = true
 
@@ -1098,19 +1148,18 @@ get/set interface:
 
 ### Security settings
 
-Every isolation-weakening feature is individually configurable with three
-values: `auto`, `on`, `off`.
+Most settings are individually configurable with three values: `auto`, `on`,
+`off`. The `github` setting uses graduated named levels (see auth proxy
+section) and `shared-cache` accepts an additional `overlay` value.
 
 | Setting | Auto default | Description |
 |---------|-------------|-------------|
-| `shared-cache` | on | Writable shared mounts (mathlib cache) — see [Lean 4 hook](#22-lean-4-hook) security note |
+| `shared-cache` | on | Writable shared mounts (mathlib cache) — `on`, `off`, or `overlay`. See [Lean 4 hook](#22-lean-4-hook) security note |
 | `user-mounts` | on | `--mount` flag support |
 | `git-manifest-trust` | on | Auto-clone Lake manifest dependencies |
 | `claude-credentials` | on | Mount Claude credentials into containers |
 | `codex-credentials` | on | Mount Codex credentials into containers |
-| `github-auth` | on | Repo-scoped GitHub auth via proxy (git push/pull) |
-| `github-api` | on | GitHub API access via auth proxy: REST is repo-scoped; **GraphQL queries are read-only but account-wide** (can read any repo the host token can access). Set to `off` for git-only, or `read-write` for mutations |
-| `github-token-inject` | off | Direct GitHub token injection (bypasses proxy) |
+| `github` | allowlist-write-graphql | Unified GitHub access level — graduated from `off` through `basic`, `rest`, `allowlist-read-graphql`, `allowlist-write-graphql`, `write-graphql`, to `direct` (see [auth proxy](#104-github-auth-proxy)) |
 | `relay` | on | Bubble-in-bubble relay |
 | `host-key-trust` | on | Disable SSH StrictHostKeyChecking |
 
@@ -1119,15 +1168,15 @@ user to `bubble security`. Suppressed by `BUBBLE_QUIET_SECURITY=1`.
 
 **Commands:**
 - `bubble security` — show full security posture
-- `bubble security set NAME on|off|auto` — set individual setting
+- `bubble security set NAME VALUE` — set individual setting (most accept `on|off|auto`; `github` accepts named levels; `shared-cache` also accepts `overlay`)
 - `bubble security permissive` — set all to `on`
 - `bubble security lockdown` — set all to `off`
 - `bubble security default` — reset all to `auto`
 
 **GitHub network access:** Direct GitHub network access (via iptables) is only
-allowed when `github-token-inject` is enabled (level 5). At all other auth
-levels (0–4), iptables blocks direct GitHub traffic and forces it through the
-auth proxy on loopback, which enforces repo-scoping and rate limits.
+allowed when `github` is set to `direct`. At all other levels, iptables blocks
+direct GitHub traffic and forces it through the auth proxy on loopback, which
+enforces rate limits and (for levels below `write-graphql`) repo-scoping.
 
 ---
 
@@ -1159,6 +1208,10 @@ container lifecycle, but a complete implementation should include them:
 - `bubble remote clear-default` — clear default remote host
 - `bubble remote status` — show remote configuration and list remote bubbles
 - `bubble gh status` — show GitHub authentication status
+- `bubble completion <shell>` — output shell completion script (`bash`, `zsh`, `fish`); `--install` writes to a persistent location
+- `bubble ai set autonomy read|plan|implement|pr|merge` — set AI autonomy level
+- `bubble ai set second-opinion auto|on|off` — toggle second-opinion provider
+- `bubble ai status` — show AI provider settings and credential status
 
 ---
 
@@ -1189,7 +1242,7 @@ container lifecycle, but a complete implementation should include them:
 | `~/.bubble/cloud_key` | SSH private key for cloud (ed25519, mode 0600) |
 | `~/.bubble/cloud_key.pub` | SSH public key for cloud |
 | `~/.bubble/known_hosts` | SSH known_hosts for cloud |
-| `~/.bubble/claude-projects/` | Claude session state for containers |
+| `~/.bubble/ai-projects/` | AI provider session state for containers |
 | `~/.ssh/config.d/bubble` | Auto-managed SSH config entries |
 
 ---

{dev_bubble-0.7.9 → dev_bubble-0.7.11}/bubble/__init__.py

@@ -1,3 +1,3 @@
 """bubble: Containerized development environments."""
 
-__version__ = "0.7.9"
+__version__ = "0.7.11"

{dev_bubble-0.7.9 → dev_bubble-0.7.11}/bubble/ai.py

@@ -301,6 +301,7 @@ _CLAUDE_JSON_SAFE_KEYS = frozenset(
         "numStartups",
         "preferredNotifChannel",
         "autoUpdaterStatus",
+        "effortCalloutV2Dismissed",
     }
 )
 

{dev_bubble-0.7.9 → dev_bubble-0.7.11}/bubble/auth_proxy.py

@@ -9,17 +9,15 @@ The host GitHub token never enters the container. Each container
 gets a per-container bearer token that only works against this
 proxy and is scoped to a single repository.
 
-Access levels (per-container):
-  1 = git smart HTTP only (push/pull)
-  2 = git + REST API read-only (GET /repos/{owner}/{repo}/...)
-  3 = git + gh read-only (REST read + GraphQL queries, no mutations)
-  4 = git + gh read-write (REST read-write + GraphQL queries + mutations)
+Access policies (per-container):
+  rest_api:       whether repo-scoped REST API access is allowed
+  graphql_read:   "whitelisted", "unrestricted", or "none"
+  graphql_write:  "whitelisted", "unrestricted", or "none"
 
 Security model:
 - Git: strict 4-pattern allowlist (git smart HTTP protocol only)
 - REST API: path-validated against /repos/{owner}/{repo}/...
-- GraphQL: parsed operation type, mutations rejected at level 3
-  (NOT repo-scoped — queries can access any data the host token can read)
+- GraphQL: controlled by graphql_read/graphql_write policies
 - Path canonicalization rejects encoded separators, dot-segments,
   duplicate slashes
 - Redirect following for API responses (CI logs) with hardened rules:
@@ -76,18 +74,6 @@ RATE_LIMIT_PER_HOUR = 600
 # Maximum tracked containers
 MAX_TRACKED_CONTAINERS = 100
 
-# ---------------------------------------------------------------------------
-# Access levels
-# ---------------------------------------------------------------------------
-
-LEVEL_GIT_ONLY = 1
-LEVEL_REST_READ = 2
-LEVEL_GH_READ = 3
-LEVEL_GH_READWRITE = 4
-LEVEL_TOKEN_INJECT = 5
-
-DEFAULT_LEVEL = LEVEL_GH_READ
-
 # ---------------------------------------------------------------------------
 # Path patterns
 # ---------------------------------------------------------------------------
@@ -144,13 +130,13 @@ def generate_auth_token(
     container_name: str,
     owner: str,
     repo: str,
-    level: int = DEFAULT_LEVEL,
+    rest_api: bool = True,
     graphql_read: str = "whitelisted",
     graphql_write: str = "whitelisted",
 ) -> str:
     """Generate an auth proxy token for a container.
 
-    The token maps to (container_name, owner, repo, level, graphql_read,
+    The token maps to (container_name, owner, repo, rest_api, graphql_read,
     graphql_write) — the proxy uses this to validate requests and enforce
     the access policy.
     Uses file locking to prevent read-modify-write races.
@@ -160,7 +146,7 @@ def generate_auth_token(
             "container": container_name,
             "owner": owner,
             "repo": repo,
-            "level": level,
+            "rest_api": rest_api,
             "graphql_read": graphql_read,
             "graphql_write": graphql_write,
         }
@@ -278,14 +264,15 @@ def _build_api_url(path: str, query: str) -> str:
 
 
 # ---------------------------------------------------------------------------
-# API path validation (levels 2+)
+# API path validation
 # ---------------------------------------------------------------------------
 
 
-def validate_api_path(
-    path: str, query: str, method: str, owner: str, repo: str, level: int
-) -> str | None:
-    """Validate a REST API request path against the access level.
+def validate_api_path(path: str, query: str, method: str, owner: str, repo: str) -> str | None:
+    """Validate a REST API request path.
+
+    REST is always repo-scoped by path validation, so all HTTP methods
+    are allowed when REST access is enabled.
 
     Returns an error message string, or None if the path is valid.
     """
@@ -313,11 +300,6 @@ def validate_api_path(
     if path_owner.lower() != owner.lower() or path_repo.lower() != repo.lower():
         return f"Repository mismatch: {path_owner}/{path_repo} != {owner}/{repo}"
 
-    # Method checks: levels 1-3 are read-only REST, level 4 allows writes
-    if level < LEVEL_GH_READWRITE:
-        if method not in ("GET", "HEAD"):
-            return f"Method {method} not allowed at access level {level}"
-
     return None
 
 
@@ -433,31 +415,6 @@ def _parse_graphql_op_type(query: str) -> str | None:
     return "query"
 
 
-def _resolve_graphql_policies(info: dict) -> tuple[str, str]:
-    """Extract GraphQL policies from token info, with backward compat.
-
-    Returns (graphql_read, graphql_write).
-    For tokens created before the graphql_read/graphql_write fields
-    existed, derives policies from the legacy level field.
-    """
-    from .graphql_validator import VALID_GRAPHQL_POLICIES
-
-    graphql_read = info.get("graphql_read")
-    graphql_write = info.get("graphql_write")
-
-    if graphql_read in VALID_GRAPHQL_POLICIES and graphql_write in VALID_GRAPHQL_POLICIES:
-        return graphql_read, graphql_write
-
-    # Backward compat: derive from level
-    level = info.get("level", LEVEL_GIT_ONLY)
-    if level < LEVEL_GH_READ:
-        return "none", "none"
-    elif level < LEVEL_GH_READWRITE:
-        return "unrestricted", "none"
-    else:
-        return "unrestricted", "unrestricted"
-
-
 def classify_graphql(body: bytes) -> tuple[str | None, str | None]:
     """Classify a GraphQL request body.
 
@@ -704,8 +661,9 @@ class AuthProxyHandler(BaseHTTPRequestHandler):
         container = info["container"]
         owner = info["owner"]
         repo = info["repo"]
-        level = info.get("level", LEVEL_GIT_ONLY)
-        graphql_read, graphql_write = _resolve_graphql_policies(info)
+        rest_api = info.get("rest_api", False)
+        graphql_read = info.get("graphql_read", "none")
+        graphql_write = info.get("graphql_write", "none")
 
         # Rate limit
         if not self.rate_limiter.check(container):
@@ -727,7 +685,7 @@ class AuthProxyHandler(BaseHTTPRequestHandler):
 
         # Route: git smart HTTP (/git/...)
         if path.startswith("/git/"):
-            self._handle_git_request(method, path, query, body, container, owner, repo, level)
+            self._handle_git_request(method, path, query, body, container, owner, repo)
             return
 
         # Route: GraphQL (/graphql)
@@ -737,7 +695,7 @@ class AuthProxyHandler(BaseHTTPRequestHandler):
 
         # Route: REST API (/repos/{owner}/{repo}/...)
         if path.startswith("/repos/"):
-            self._handle_api_request(method, path, query, body, container, owner, repo, level)
+            self._handle_api_request(method, path, query, body, container, owner, repo, rest_api)
             return
 
         self._send_error(403, "Path not recognized")
@@ -759,8 +717,8 @@ class AuthProxyHandler(BaseHTTPRequestHandler):
             return self._read_chunked()
         return b""
 
-    def _handle_git_request(self, method, path, query, body, container, owner, repo, level):
-        """Handle git smart HTTP requests (level 1+)."""
+    def _handle_git_request(self, method, path, query, body, container, owner, repo):
+        """Handle git smart HTTP requests (always allowed for valid tokens)."""
         error = validate_path(path, query, owner, repo)
         if error:
             self._send_error(403, error)
@@ -772,16 +730,14 @@ class AuthProxyHandler(BaseHTTPRequestHandler):
             method, upstream_url, body, container, path, host=GITHUB_HOST, follow_redirects=False
         )
 
-    def _handle_api_request(self, method, path, query, body, container, owner, repo, level):
-        """Handle REST API requests (level 2+)."""
-        if level < LEVEL_REST_READ:
-            self._send_error(403, "REST API access not enabled at this access level")
-            logger.info(
-                "BLOCKED %s %s container=%s reason=level_%d", method, path, container, level
-            )
+    def _handle_api_request(self, method, path, query, body, container, owner, repo, rest_api):
+        """Handle REST API requests (requires rest_api=True)."""
+        if not rest_api:
+            self._send_error(403, "REST API access not enabled")
+            logger.info("BLOCKED %s %s container=%s reason=rest_disabled", method, path, container)
             return
 
-        error = validate_api_path(path, query, method, owner, repo, level)
+        error = validate_api_path(path, query, method, owner, repo)
         if error:
             self._send_error(403, error)
             logger.info("BLOCKED %s %s container=%s reason=%s", method, path, container, error)

{dev_bubble-0.7.9 → dev_bubble-0.7.11}/bubble/finalization.py

@@ -42,6 +42,20 @@ def finalize_bubble(
     if hook:
         hook.post_clone(runtime, name, project_dir)
 
+    # Add a "github" remote with SSH-format URL for gh CLI host discovery.
+    # The global url.insteadOf rewrites HTTPS github.com URLs to the proxy,
+    # so `git remote -v` shows proxy URLs that gh can't match to github.com.
+    # SSH-format URLs (git@github.com:...) bypass the HTTPS insteadOf rule,
+    # letting gh discover the host without needing to actually use the remote.
+    if t.owner and t.repo:
+        q_repo = shlex.quote(f"git@github.com:{t.owner}/{t.repo}.git")
+        q_dir = shlex.quote(project_dir)
+        add_cmd = f"cd {q_dir} && git remote add github {q_repo} 2>/dev/null || true"
+        try:
+            runtime.exec(name, ["su", "-", "user", "-c", add_cmd])
+        except Exception:
+            pass
+
     # Pre-populate Claude Code settings to skip the first-run wizard
     from .ai import setup_claude_settings