DIFC proxy (CLI proxy mode) returns 404 for GraphQL requests (/api/graphql) #4276

@lpcox

Problem

When the DIFC proxy is used as the GH_HOST for the gh CLI (CLI proxy mode, port 18443), it returns HTTP 404 for all requests to /api/graphql. This means any gh CLI command that uses the GraphQL API fails silently.

Example failing command:

gh pr list --repo github/gh-aw-firewall --state merged --limit 2 --json title,number

Error:

HTTP 404: Not Found (https://localhost:18443/api/graphql)

Root Cause

The DIFC proxy in CLI proxy mode proxies GitHub REST API requests (/api/v3/*) but does not handle the GraphQL endpoint (/api/graphql), returning 404 for all GraphQL traffic.

Many core gh CLI commands use GraphQL under the hood, including:

  • gh pr list
  • gh issue list
  • gh pr view
  • gh search prs
  • gh search issues

REST-based commands (e.g. gh api /repos/{owner}/{repo}/...) work correctly.

Evidence

Observed in smoke test run github/gh-aw-firewall#24738050353 — the CLI proxy (mcpg v0.2.22) is started with CLI_PROXY_POLICY={"allow-only":{"repos":"all","min-integrity":"none"}} on port 18443, and the gh CLI inside the agent container has GH_HOST=localhost:18443 (TCP tunnel to the DIFC proxy on the runner host).

From the cli-proxy access log:

{
  "ts": "2026-04-21T18:00:05.317Z",
  "event": "exec_done",
  "args": ["pr", "list", "--repo", "github/gh-aw-firewall", "--state", "merged", "--limit", "2", "--json", "title,number"],
  "exitCode": 1,
  "stderrPreview": "HTTP 404: Not Found (https://localhost:18443/api/graphql)\n"
}

Expected Behavior

The DIFC proxy should forward /api/graphql POST requests to https://api.github.com/graphql (applying the same write-control policy where applicable), so all gh CLI commands work transparently through the CLI proxy.

Impact

Any agentic workflow that uses the gh CLI with GraphQL-backed subcommands (pr list, issue list, etc.) via the CLI proxy sidecar will silently fail. Smoke tests pass only because the agent tolerates the failure, masking the issue in CI.
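The routing described under Expected Behavior, as an added example that is not the DIFC proxy's own code. `Route`, `Decision` and `mutationRe` are hypothetical names, and treating any GraphQL document that contains the `mutation` keyword as a write is an assumption about how write control could be applied.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

const upstream = "https://api.github.com" // upstream host named in the issue
// Conservative heuristic (assumption): any document containing the keyword
// "mutation" is treated as a write, so a false positive fails closed.
var mutationRe = regexp.MustCompile(`\bmutation\b`)

// Decision is a hypothetical result type handed to the forwarding code.
type Decision struct {
	Status int    // 0 means forward; otherwise reply with this HTTP status
	Target string // upstream URL when Status == 0
	Write  bool   // true when the write-control policy must be consulted
}

// Route maps the GHES-style paths gh sends when GH_HOST is set to api.github.com.
func Route(method, path string, body []byte) Decision {
	switch {
	case path == "/api/graphql":
		if method != http.MethodPost {
			return Decision{Status: http.StatusMethodNotAllowed}
		}
		// Decode the JSON envelope first: raw-body escapes such as \n hide the keyword.
		var req struct {
			Query string `json:"query"`
		}
		if json.Unmarshal(body, &req) != nil || req.Query == "" {
			return Decision{Status: http.StatusBadRequest}
		}
		return Decision{Target: upstream + "/graphql", Write: mutationRe.MatchString(req.Query)}
	case strings.HasPrefix(path, "/api/v3/"):
		write := method != http.MethodGet && method != http.MethodHead
		return Decision{Target: upstream + strings.TrimPrefix(path, "/api/v3"), Write: write}
	}
	return Decision{Status: http.StatusNotFound}
}

func main() { // constructed sample body, not captured traffic
	body := []byte(`{"query":"query { viewer { login } }"}`)
	fmt.Printf("%+v\n", Route("POST", "/api/graphql", body))
}
```

A document that carries both a query and a mutation is flagged as a write regardless of which operation the client selects, which keeps the policy check on the safe side.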
