Merge branch 'main' into adding-playwright

Author: sei-jbooz

.claude/settings.json

@@ -7,6 +7,41 @@
   "permissions": {
     "additionalDirectories": [
       "/mnt/data/crucible"
+    ],
+    "deny": [
+      "Bash(gh api *)",
+      "Bash(gh alias delete *)",
+      "Bash(gh auth logout *)",
+      "Bash(gh cache delete *)",
+      "Bash(gh codespace delete *)",
+      "Bash(gh codespace rebuild *)",
+      "Bash(gh config clear-cache *)",
+      "Bash(gh extension remove *)",
+      "Bash(gh gist delete *)",
+      "Bash(gh gpg-key delete *)",
+      "Bash(gh issue delete *)",
+      "Bash(gh issue transfer *)",
+      "Bash(gh label delete *)",
+      "Bash(gh project close *)",
+      "Bash(gh project delete *)",
+      "Bash(gh project field-delete *)",
+      "Bash(gh project item-delete *)",
+      "Bash(gh project item-archive *)",
+      "Bash(gh release delete *)",
+      "Bash(gh release delete-asset *)",
+      "Bash(gh repo archive *)",
+      "Bash(gh repo delete *)",
+      "Bash(gh repo deploy-key delete *)",
+      "Bash(gh repo rename *)",
+      "Bash(gh repo transfer *)",
+      "Bash(gh repo unarchive *)",
+      "Bash(gh repo visibility *)",
+      "Bash(gh run cancel *)",
+      "Bash(gh run delete *)",
+      "Bash(gh secret delete *)",
+      "Bash(gh ssh-key delete *)",
+      "Bash(gh variable delete *)",
+      "Bash(gh workflow disable *)"
     ]
   }
 }

.devcontainer/Dockerfile

@@ -111,6 +111,11 @@ setopt HIST_VERIFY             # don't immediately execute recalled commands
 # DEVCONTAINER ZSH HISTORY END
 EOF
 
+# Export GitHub token from gh CLI for MCP server auth
+RUN echo '' >> /home/vscode/.zshrc && \
+    echo '# GitHub MCP token from gh CLI' >> /home/vscode/.zshrc && \
+    echo 'export GITHUB_PERSONAL_ACCESS_TOKEN=$(gh auth token 2>/dev/null)' >> /home/vscode/.zshrc
+
 # Switch back to vscode user
 USER vscode
 

.devcontainer/devcontainer.json

@@ -57,6 +57,8 @@
     "source=crucible-dev-claude,target=/home/vscode/.claude,type=volume",
     // SSH keys and config
     "source=crucible-dev-ssh,target=/home/vscode/.ssh,type=volume",
+    // GitHub CLI auth
+    "source=crucible-dev-gh,target=/home/vscode/.config/gh,type=volume",
     // MSBuild files for local library development
     "source=${localWorkspaceFolder}/.devcontainer/msbuild/Directory.Build.props,target=/mnt/data/Directory.Build.props,type=bind",
     "source=${localWorkspaceFolder}/.devcontainer/msbuild/Directory.Build.targets,target=/mnt/data/Directory.Build.targets,type=bind"

Crucible.AppHost/AppHost.cs

@@ -117,7 +117,7 @@ private static IResourceBuilder<ExecutableResource> AddAngularUI(
         else
         {
             var buildCommand = string.IsNullOrEmpty(buildArgs) ? "npm run build" : $"npm run build {buildArgs}";
-            var serveProd = $"if [ ! -d {distPath} ] || [ -z \"$(ls -A {distPath} 2>/dev/null)\" ] || [ -n \"$(find src -newer {distPath} -print -quit)\" ]; then npm install && {buildCommand}; fi; npx serve -s {distPath} -l {port}";
+            var serveProd = $"if [ ! -d {distPath} ] || [ -z \"$(ls -A {distPath} 2>/dev/null)\" ] || [ -n \"$(find src -newer {distPath} -print -quit)\" ]; then npm install && {buildCommand}; fi; echo '{{\"cleanUrls\":false,\"rewrites\":[{{\"source\":\"**\",\"destination\":\"/index.html\"}}]}}' > {distPath}/serve.json && npx serve -c serve.json {distPath} -l {port}";
             ui = builder.AddExecutable(name, "bash", appRoot, "-c", serveProd)
                 .WithHttpEndpoint(port: port, isProxied: false);
         }

Crucible.AppHost/resources/crucible-realm.json

@@ -5,7 +5,7 @@
   "defaultSignatureAlgorithm": "RS256",
   "revokeRefreshToken": false,
   "refreshTokenMaxReuse": 0,
-  "accessTokenLifespan": 300,
+  "accessTokenLifespan": 1800,
   "accessTokenLifespanForImplicitFlow": 900,
   "ssoSessionIdleTimeout": 1800,
   "ssoSessionMaxLifespan": 36000,

README.md

@@ -13,6 +13,7 @@ Development Environment for [Crucible](https://github.com/cmu-sei/crucible) - a
   - [Default Credentials](#default-credentials)
 - [Claude Code](#claude-code)
 - [Playwright Testing](#playwright-testing)
+- [GitHub CLI](#github-cli)
 - [Memory Optimization](#memory-optimization)
   - [Intelephense PHP Extension](#intelephense-php-extension)
   - [UI Development vs Production Mode](#ui-development-vs-production-mode)
@@ -218,6 +219,86 @@ All service URLs used by the test suite are defined in a single file:
 ```
 
 Edit this file to change ports or hostnames for your environment. The `.env` file is loaded by both the shell scripts (`run-tests.sh`, `setup.sh`) and the Playwright TypeScript configuration. If the file is missing, all URLs fall back to their default `localhost` values.
+## GitHub CLI
+
+The dev container includes the [GitHub CLI](https://cli.github.com/) (`gh`). The GitHub CLI's authentication is reused by the GitHub MCP server for agentic development.
+
+### Authentication
+
+GitHub CLI authentication is **persisted across container rebuilds** using a bind mount. Credentials stored via `gh auth login` are saved and automatically available inside the container after a rebuild.
+
+To authenticate for the first time:
+
+```bash
+gh auth login
+```
+
+Follow the prompts to authenticate via browser or token.
+
+### Recommended: Use a Fine-Grained Personal Access Token
+
+We strongly recommend authenticating with a **fine-grained personal access token (PAT)** rather than a full OAuth login. Fine-grained PATs let you limit exactly what `gh` can do on your behalf.
+
+**To create a fine-grained PAT:**
+
+1. Go to **GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens**
+2. Click **Generate new token**
+3. Set an expiration date
+4. Under **Repository access**, select only the repositories relevant to your work
+5. Under **Permissions**, grant only what you need — a reasonable read-heavy baseline:
+
+| Permission | Access |
+|---|---|
+| Contents | Read-only |
+| Issues | Read and write |
+| Pull requests | Read and write |
+| Metadata | Read-only (required) |
+| Actions | Read-only |
+| Secrets | None |
+| Administration | None |
+
+6. Click **Generate token**, copy it, then run:
+
+```bash
+gh auth login --with-token <<< "your_token_here"
+```
+
+> Avoid granting `Administration`, `Secrets`, or `Members` permissions — these allow destructive or sensitive operations that are unlikely to be needed during normal development.
+
+### Claude Code Restrictions
+
+To prevent accidental or unintended destructive actions, Claude Code has been configured to **deny** the following `gh` commands in `.claude/settings.json`:
+
+**Raw API access**
+- `gh api` — bypasses all CLI safeguards; denied entirely
+
+**Delete operations**
+- `gh alias delete`, `gh cache delete`, `gh codespace delete`
+- `gh extension remove`, `gh gist delete`, `gh gpg-key delete`
+- `gh issue delete`, `gh label delete`
+- `gh project delete`, `gh project field-delete`, `gh project item-delete`, `gh project item-archive`
+- `gh release delete`, `gh release delete-asset`
+- `gh repo delete`, `gh repo deploy-key delete`
+- `gh run delete`, `gh secret delete`, `gh ssh-key delete`, `gh variable delete`
+
+**Repository state changes**
+- `gh repo archive`, `gh repo unarchive`
+- `gh repo rename`, `gh repo transfer`
+- `gh repo visibility` — prevents accidentally making a private repo public
+
+**Operational disruption**
+- `gh run cancel` — halts CI runs
+- `gh workflow disable` — disables automation
+- `gh issue transfer` — moves issues to other repos
+- `gh codespace rebuild` — destroys current codespace state
+
+**Credential operations**
+- `gh auth logout` — removes stored credentials
+- `gh config clear-cache` — wipes cached auth data
+
+Claude will be blocked from running any of the above and will need to ask you to run them manually if they are genuinely required.
+
+
 
 ## Memory Optimization