gh CLI. Routes all commands to gh running on the gateway host. Repository deletion (repo delete) is permanently blocked regardless of configuration.
Installation
Install this tool individually:Configuration
All
gh subcommands are permitted by default except api, which is excluded because it allows arbitrary HTTP methods and GraphQL mutations. When allowedCommands is set explicitly, it fully replaces the default list.
Authentication
The tool supports two authentication modes: Token in config (recommended for multi-agent setups) Settoken in the agent’s pluginConfigs. The token is forwarded to gh via GH_TOKEN and takes precedence over any credential stored on the host, so different agents can authenticate as different GitHub identities.
Both token formats work without any special configuration:
- Classic personal access tokens:
ghp_… - Fine-grained personal access tokens:
github_pat_…
token is configured, the tool inherits the gateway process’s environment and gh picks up whatever auth is already present on the host (~/.config/gh/, GITHUB_TOKEN env var, etc.). Run gh auth login on the host once, and all agents without an explicit token will share that credential.
Prerequisites
Config Examples
Agent with its own token:Per-Agent Configuration (pluginConfigs)
Use beige’spluginConfigs to give different agents different GitHub tokens and permissions:
Error Reference
Implementation Details
- Target: Gateway (runs on the host, not in the sandbox)
- Dependency:
ghCLI - Stateless: Each invocation spawns a fresh
ghprocess - Token precedence:
config.token→GH_TOKEN→ host~/.config/gh/
