Enable git operations inside guest VMs

Include .git/objects/ in snapshots (COW makes this zero-cost), inject
a sanitized .git/config into snapshots, forward git identity and
GITHUB_TOKEN/GH_TOKEN into the VM, add a credential helper scoped to
github.com, and implement SSH agent forwarding from host to guest.

New domain types: git.Identity, git.IdentityProvider, CommonEnvPatterns,
workspace.SnapshotPostProcessor, and GitConfig with tighten-only merge.

New infra: ConfigSanitizer (allowlist-based .git/config parser that
strips credentials, dangerous sections, and sensitive keys),
HostIdentityProvider (reads ~/.gitconfig), InjectGitConfig rootfs hook
(credential helper + .gitconfig), and client-side SSH agent forwarding.

CLI flags: --no-git-token, --no-git-ssh-agent.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: JAORMX

cmd/apiary-init/main.go

@@ -31,7 +31,7 @@ func main() {
 	stopReaper := reaper.Start(logger)
 	defer stopReaper()
 
-	shutdown, err := boot.Run(logger)
+	shutdown, err := boot.Run(logger, boot.WithSSHAgentForwarding(true))
 	if err != nil {
 		logger.Error("boot failed", "error", err)
 		halt()

cmd/apiary/main.go

@@ -23,10 +23,12 @@ import (
 	"github.com/stacklok/apiary/internal/domain/egress"
 	"github.com/stacklok/apiary/internal/domain/progress"
 	"github.com/stacklok/apiary/internal/domain/snapshot"
+	"github.com/stacklok/apiary/internal/domain/workspace"
 	infraagent "github.com/stacklok/apiary/internal/infra/agent"
 	infraconfig "github.com/stacklok/apiary/internal/infra/config"
 	"github.com/stacklok/apiary/internal/infra/diff"
 	"github.com/stacklok/apiary/internal/infra/exclude"
+	infragit "github.com/stacklok/apiary/internal/infra/git"
 	infralogging "github.com/stacklok/apiary/internal/infra/logging"
 	inframcp "github.com/stacklok/apiary/internal/infra/mcp"
 	infraprogress "github.com/stacklok/apiary/internal/infra/progress"
@@ -70,6 +72,8 @@ func rootCmd() *cobra.Command {
 		mcpGroup      string
 		mcpPort       uint16
 		mcpConfig     string
+		noGitToken    bool
+		noGitSSHAgent bool
 	)
 
 	cmd := &cobra.Command{
@@ -114,6 +118,8 @@ Example:
 				mcpGroup:      mcpGroup,
 				mcpPort:       mcpPort,
 				mcpConfig:     mcpConfig,
+				noGitToken:    noGitToken,
+				noGitSSHAgent: noGitSSHAgent,
 			})
 		},
 		SilenceUsage:  true,
@@ -136,6 +142,8 @@ Example:
 	cmd.Flags().StringVar(&mcpGroup, "mcp-group", "default", "ToolHive group to discover MCP servers from")
 	cmd.Flags().Uint16Var(&mcpPort, "mcp-port", 4483, "Port for MCP proxy on VM gateway")
 	cmd.Flags().StringVar(&mcpConfig, "mcp-config", "", "Path to custom vmcp config YAML")
+	cmd.Flags().BoolVar(&noGitToken, "no-git-token", false, "Disable forwarding GITHUB_TOKEN/GH_TOKEN into the VM")
+	cmd.Flags().BoolVar(&noGitSSHAgent, "no-git-ssh-agent", false, "Disable SSH agent forwarding into the VM")
 
 	// Add list subcommand.
 	cmd.AddCommand(listCmd())
@@ -175,6 +183,8 @@ type runFlags struct {
 	mcpGroup      string
 	mcpPort       uint16
 	mcpConfig     string
+	noGitToken    bool
+	noGitSSHAgent bool
 }
 
 func run(parentCtx context.Context, agentName string, flags runFlags) error {
@@ -334,6 +344,13 @@ func run(parentCtx context.Context, agentName string, flags runFlags) error {
 		cfg.MCP.ConfigPath = mcpConfigPath
 	}
 
+	// Resolve git config from config + CLI flags.
+	gitTokenEnabled := cfg.Git.GitTokenEnabled() && !flags.noGitToken
+	sshAgentEnabled := cfg.Git.SSHAgentEnabled() && !flags.noGitSSHAgent
+
+	// Wire git identity provider (unconditional — used for both review and no-review modes).
+	deps.GitIdentityProvider = infragit.NewHostIdentityProvider("")
+
 	// Wire snapshot isolation dependencies only when review is enabled.
 	if reviewEnabled {
 		deps.WorkspaceCloner = infraws.NewFSWorkspaceCloner(
@@ -343,6 +360,11 @@ func run(parentCtx context.Context, agentName string, flags runFlags) error {
 		deps.Reviewer = reviewer
 		deps.Flusher = review.NewFSFlusher()
 		deps.Differ = diff.NewFSDiffer()
+
+		// Wire snapshot post-processors (git config sanitizer).
+		deps.SnapshotPostProcessors = []workspace.SnapshotPostProcessor{
+			infragit.NewConfigSanitizer(logger),
+		}
 	}
 
 	// Validate and parse egress flags.
@@ -367,13 +389,15 @@ func run(parentCtx context.Context, agentName string, flags runFlags) error {
 	runner := app.NewSandboxRunner(deps)
 
 	opts := app.RunOpts{
-		CPUs:          flags.cpus,
-		Memory:        flags.memory,
-		Workspace:     ws,
-		SSHPort:       flags.sshPort,
-		ImageOverride: flags.image,
-		EgressProfile: flags.egressProfile,
-		AllowHosts:    parsedAllowHosts,
+		CPUs:            flags.cpus,
+		Memory:          flags.memory,
+		Workspace:       ws,
+		SSHPort:         flags.sshPort,
+		ImageOverride:   flags.image,
+		EgressProfile:   flags.egressProfile,
+		AllowHosts:      parsedAllowHosts,
+		GitTokenEnabled: gitTokenEnabled,
+		SSHAgentForward: sshAgentEnabled,
 		Snapshot: app.SnapshotOpts{
 			Enabled:         reviewEnabled,
 			SnapshotMatcher: snapshotMatcher,
@@ -395,9 +419,7 @@ func run(parentCtx context.Context, agentName string, flags runFlags) error {
 		}
 	}()
 
-	restore, _ := terminal.MakeRaw()
 	termErr := runner.Attach(ctx, sb, terminal)
-	restore()
 
 	if stopErr := runner.Stop(sb); stopErr != nil {
 		logger.Error("failed to stop VM", "error", stopErr)

internal/app/sandbox.go

@@ -14,6 +14,7 @@ import (
 	"github.com/stacklok/apiary/internal/domain/agent"
 	"github.com/stacklok/apiary/internal/domain/config"
 	"github.com/stacklok/apiary/internal/domain/egress"
+	domaingit "github.com/stacklok/apiary/internal/domain/git"
 	"github.com/stacklok/apiary/internal/domain/hostservice"
 	"github.com/stacklok/apiary/internal/domain/progress"
 	"github.com/stacklok/apiary/internal/domain/session"
@@ -62,6 +63,12 @@ type RunOpts struct {
 	// Snapshot holds snapshot isolation options.
 	Snapshot SnapshotOpts
 
+	// GitTokenEnabled controls whether git token env vars are forwarded.
+	GitTokenEnabled bool
+
+	// SSHAgentForward enables SSH agent forwarding to the VM.
+	SSHAgentForward bool
+
 	// Terminal provides I/O streams for the session. Required for Run().
 	Terminal session.Terminal
 }
@@ -84,18 +91,25 @@ type SandboxDeps struct {
 
 	// MCPProvider creates host services for MCP proxy (nil = disabled).
 	MCPProvider hostservice.Provider
+
+	// SnapshotPostProcessors run after snapshot creation but before VM start.
+	SnapshotPostProcessors []workspace.SnapshotPostProcessor
+
+	// GitIdentityProvider resolves the host git user identity.
+	GitIdentityProvider domaingit.IdentityProvider
 }
 
 // Sandbox holds the state of a running sandbox session.
 // Created by Prepare, consumed by Attach/Stop/Changes/Flush/Cleanup.
 type Sandbox struct {
-	Agent         agent.Agent
-	VM            domvm.VM
-	VMConfig      domvm.VMConfig
-	Snapshot      *workspace.Snapshot
-	WorkspacePath string
-	DiffMatcher   snapshot.Matcher
-	EnvVars       map[string]string
+	Agent           agent.Agent
+	VM              domvm.VM
+	VMConfig        domvm.VMConfig
+	Snapshot        *workspace.Snapshot
+	WorkspacePath   string
+	DiffMatcher     snapshot.Matcher
+	EnvVars         map[string]string
+	SSHAgentForward bool
 }
 
 // Cleanup releases resources (snapshot dir). Safe to call multiple times.
@@ -116,18 +130,20 @@ func (sb *Sandbox) Cleanup() error {
 // Changes(), Flush(), and Sandbox.Cleanup() individually. This allows the caller
 // to control terminal attachment, async review workflows, and concurrent sessions.
 type SandboxRunner struct {
-	registry        agent.Registry
-	vmRunner        domvm.VMRunner
-	sessionRunner   session.TerminalSession
-	config          *config.Config
-	envProvider     agent.EnvProvider
-	logger          *slog.Logger
-	observer        progress.Observer
-	workspaceCloner workspace.WorkspaceCloner
-	reviewer        snapshot.Reviewer
-	flusher         snapshot.Flusher
-	differ          snapshot.Differ
-	mcpProvider     hostservice.Provider
+	registry               agent.Registry
+	vmRunner               domvm.VMRunner
+	sessionRunner          session.TerminalSession
+	config                 *config.Config
+	envProvider            agent.EnvProvider
+	logger                 *slog.Logger
+	observer               progress.Observer
+	workspaceCloner        workspace.WorkspaceCloner
+	reviewer               snapshot.Reviewer
+	flusher                snapshot.Flusher
+	differ                 snapshot.Differ
+	mcpProvider            hostservice.Provider
+	snapshotPostProcessors []workspace.SnapshotPostProcessor
+	gitIdentityProvider    domaingit.IdentityProvider
 }
 
 // NewSandboxRunner creates a new SandboxRunner with the given dependencies.
@@ -137,18 +153,20 @@ func NewSandboxRunner(deps SandboxDeps) *SandboxRunner {
 		obs = progress.Nop()
 	}
 	return &SandboxRunner{
-		registry:        deps.Registry,
-		vmRunner:        deps.VMRunner,
-		sessionRunner:   deps.SessionRunner,
-		config:          deps.Config,
-		envProvider:     deps.EnvProvider,
-		logger:          deps.Logger,
-		observer:        obs,
-		workspaceCloner: deps.WorkspaceCloner,
-		reviewer:        deps.Reviewer,
-		flusher:         deps.Flusher,
-		differ:          deps.Differ,
-		mcpProvider:     deps.MCPProvider,
+		registry:               deps.Registry,
+		vmRunner:               deps.VMRunner,
+		sessionRunner:          deps.SessionRunner,
+		config:                 deps.Config,
+		envProvider:            deps.EnvProvider,
+		logger:                 deps.Logger,
+		observer:               obs,
+		workspaceCloner:        deps.WorkspaceCloner,
+		reviewer:               deps.Reviewer,
+		flusher:                deps.Flusher,
+		differ:                 deps.Differ,
+		mcpProvider:            deps.MCPProvider,
+		snapshotPostProcessors: deps.SnapshotPostProcessors,
+		gitIdentityProvider:    deps.GitIdentityProvider,
 	}
 }
 
@@ -230,8 +248,12 @@ func (s *SandboxRunner) Prepare(ctx context.Context, agentName string, opts RunO
 		)
 	}
 
-	// 3. Collect env vars.
-	envVars := agent.ForwardEnv(ag.EnvForward, s.envProvider)
+	// 3. Collect env vars (merge common git patterns when token forwarding is enabled).
+	allPatterns := ag.EnvForward
+	if opts.GitTokenEnabled {
+		allPatterns = mergeEnvPatterns(allPatterns, domaingit.CommonEnvPatterns())
+	}
+	envVars := agent.ForwardEnv(allPatterns, s.envProvider)
 	if len(envVars) > 0 {
 		keys := make([]string, 0, len(envVars))
 		for k := range envVars {
@@ -240,6 +262,44 @@ func (s *SandboxRunner) Prepare(ctx context.Context, agentName string, opts RunO
 		s.logger.Debug("forwarding environment variables", "keys", keys)
 	}
 
+	// Resolve git identity (fallback for env vars not already set).
+	var gitIdentity domaingit.Identity
+	if s.gitIdentityProvider != nil {
+		id, idErr := s.gitIdentityProvider.GetIdentity()
+		if idErr != nil {
+			s.logger.Warn("failed to resolve git identity", "error", idErr)
+		} else {
+			gitIdentity = id
+		}
+	}
+
+	// Inject git identity into env vars as fallback when not already present.
+	if gitIdentity.Name != "" {
+		if envVars == nil {
+			envVars = make(map[string]string)
+		}
+		if _, ok := envVars["GIT_AUTHOR_NAME"]; !ok {
+			envVars["GIT_AUTHOR_NAME"] = gitIdentity.Name
+		}
+		if _, ok := envVars["GIT_COMMITTER_NAME"]; !ok {
+			envVars["GIT_COMMITTER_NAME"] = gitIdentity.Name
+		}
+	}
+	if gitIdentity.Email != "" {
+		if envVars == nil {
+			envVars = make(map[string]string)
+		}
+		if _, ok := envVars["GIT_AUTHOR_EMAIL"]; !ok {
+			envVars["GIT_AUTHOR_EMAIL"] = gitIdentity.Email
+		}
+		if _, ok := envVars["GIT_COMMITTER_EMAIL"]; !ok {
+			envVars["GIT_COMMITTER_EMAIL"] = gitIdentity.Email
+		}
+	}
+
+	// Determine if a GitHub token is available for credential helper injection.
+	hasGitToken := opts.GitTokenEnabled && (envVars["GITHUB_TOKEN"] != "" || envVars["GH_TOKEN"] != "")
+
 	// 4. Set up MCP host services if enabled.
 	var hostServices []domvm.HostService
 	mcpCfg := s.resolveMCPConfig(cfg, agentName)
@@ -286,6 +346,20 @@ func (s *SandboxRunner) Prepare(ctx context.Context, agentName string, opts RunO
 			"original", snap.OriginalPath,
 			"snapshot", snap.SnapshotPath,
 		)
+
+		// Run post-processors on the snapshot (e.g., git config sanitizer).
+		// Failures abort VM start — post-processors are security-relevant
+		// (credential stripping) and must not be silently skipped.
+		for _, pp := range s.snapshotPostProcessors {
+			if ppErr := pp.Process(ctx, snap.OriginalPath, snap.SnapshotPath); ppErr != nil {
+				s.observer.Fail("Snapshot post-processing failed")
+				if cleanErr := snap.Cleanup(); cleanErr != nil {
+					s.logger.Error("failed to clean up snapshot after post-processor failure", "error", cleanErr)
+				}
+				return nil, fmt.Errorf("snapshot post-processing: %w", ppErr)
+			}
+		}
+
 		workspacePath = snap.SnapshotPath
 	}
 
@@ -303,6 +377,9 @@ func (s *SandboxRunner) Prepare(ctx context.Context, agentName string, opts RunO
 		EgressPolicy:    egressPolicy,
 		HostServices:    hostServices,
 		MCPConfigFormat: ag.MCPConfigFormat,
+		GitIdentity:     gitIdentity,
+		HasGitToken:     hasGitToken,
+		SSHAgentForward: opts.SSHAgentForward,
 	}
 
 	sandboxVM, err := s.vmRunner.Start(ctx, vmCfg)
@@ -320,13 +397,14 @@ func (s *SandboxRunner) Prepare(ctx context.Context, agentName string, opts RunO
 	s.observer.Complete("Sandbox ready")
 
 	return &Sandbox{
-		Agent:         ag,
-		VM:            sandboxVM,
-		VMConfig:      vmCfg,
-		Snapshot:      snap,
-		WorkspacePath: workspacePath,
-		DiffMatcher:   diffMatcher,
-		EnvVars:       envVars,
+		Agent:           ag,
+		VM:              sandboxVM,
+		VMConfig:        vmCfg,
+		Snapshot:        snap,
+		WorkspacePath:   workspacePath,
+		DiffMatcher:     diffMatcher,
+		EnvVars:         envVars,
+		SSHAgentForward: opts.SSHAgentForward,
 	}, nil
 }
 
@@ -335,12 +413,13 @@ func (s *SandboxRunner) Prepare(ctx context.Context, agentName string, opts RunO
 // The terminal parameter provides I/O streams and PTY control for this session.
 func (s *SandboxRunner) Attach(ctx context.Context, sb *Sandbox, terminal session.Terminal) error {
 	sessionOpts := session.SessionOpts{
-		Host:     "127.0.0.1",
-		Port:     sb.VM.SSHPort(),
-		User:     "sandbox",
-		KeyPath:  sb.VM.SSHKeyPath(),
-		Command:  sb.Agent.Command,
-		Terminal: terminal,
+		Host:            "127.0.0.1",
+		Port:            sb.VM.SSHPort(),
+		User:            "sandbox",
+		KeyPath:         sb.VM.SSHKeyPath(),
+		Command:         sb.Agent.Command,
+		Terminal:        terminal,
+		SSHAgentForward: sb.SSHAgentForward,
 	}
 
 	s.logger.Debug("connecting to sandbox VM",
@@ -449,6 +528,23 @@ func (s *SandboxRunner) Run(ctx context.Context, agentName string, opts RunOpts)
 	return reviewErr
 }
 
+// mergeEnvPatterns combines two pattern lists, deduplicating entries.
+func mergeEnvPatterns(base, extra []string) []string {
+	seen := make(map[string]bool, len(base))
+	for _, p := range base {
+		seen[p] = true
+	}
+	merged := make([]string, len(base))
+	copy(merged, base)
+	for _, p := range extra {
+		if !seen[p] {
+			merged = append(merged, p)
+			seen[p] = true
+		}
+	}
+	return merged
+}
+
 // resolveMCPConfig returns the effective MCP configuration by merging
 // global config with any agent-specific override.
 func (s *SandboxRunner) resolveMCPConfig(cfg *config.Config, agentName string) config.MCPConfig {