docs: GitHub MCP proxy demo (Vaara in front of github/github-mcp-server)

[vaaraio]

Summary

Adds examples/github-mcp-proxy-demo/ with a README walkthrough and a Claude Code MCP config example showing how to insert Vaara's runtime governance proxy in front of GitHub's official MCP server (github/github-mcp-server, MIT-licensed, 29.9k stars).

Sibling demo to examples/sap-mcp-proxy-demo/. Same three-step recipe shape (pip install vaara, replace the existing MCP config entry with the Vaara proxy command in front of the same upstream, restart the MCP client). Demonstrates that the v0.21.0 proxy is MCP-protocol-level, not SAP-specific.

Target reader: any developer running Claude Code, Cursor, VS Code Copilot, or Claude Desktop against GitHub. Reader brings their GitHub PAT, Docker, and existing MCP config. Demo brings the Vaara wiring.

GitHub-specific framing

The "Why this matters" section names the categories where runtime evidence has real load on GitHub specifically:

• Code modification. create_or_update_file, push_files, merge_pull_request. Audit chain separable from the human commit graph.
• Privilege escalation surfaces. update_repository, branch protection edits, Actions secret reads, workflow dispatches.
• Notification and identity exposure. The agent posts in your name, the trail records that fact.
• Supply-chain-adjacent operations. Dependabot alert reads, security advisory access, release publication.

AI Act Article 12 (logging) and Article 14 (human oversight) apply at the tool-call layer.

Files

• examples/github-mcp-proxy-demo/README.md (171 lines)
• examples/github-mcp-proxy-demo/claude_code_config.example.json (28 lines)

Docs-only. No code changes, no test changes.

Summary by CodeRabbit

Release Notes

• Documentation
  • Added comprehensive guide and example configuration for deploying Vaara as an MCP proxy in front of GitHub's official MCP server, including setup instructions, policy customization, and audit trail documentation.
  • Extended documentation to clarify that the MCP proxy pattern applies to other MCP servers (SAP, Salesforce, ServiceNow, and major cloud providers).

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds documentation and configuration examples demonstrating Vaara as a protocol-level proxy for MCP servers. It introduces a complete GitHub MCP proxy example directory with setup guides and configuration templates, and extends existing SAP documentation to clarify that the same pattern generalizes to other MCP server implementations.

Changes

Vaara MCP Proxy Examples

Layer / File(s)	Summary
GitHub MCP proxy example examples/github-mcp-proxy-demo/README.md, examples/github-mcp-proxy-demo/claude_code_config.example.json	Complete GitHub example including architecture overview, three-step setup (install Vaara, configure proxy wrapper, restart), audit trail documentation, policy customization options (fail-closed defaults, ESCALATE routing, agent-id overrides), compliance evidence generation, troubleshooting guidance, and example Claude Code MCP config that invokes the Vaara proxy wrapper with GitHub token forwarding.
Pattern generalization note in SAP example examples/sap-mcp-proxy-demo/README.md	Added section documenting that the proxy pattern applies protocol-level across any MCP server (GitHub, Microsoft Graph, Salesforce, ServiceNow, cloud providers, Databricks), with an invitation for community example contributions.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 New examples blooming bright,
GitHub proxies, done just right,
MCP servers now align,
Vaara's pattern so divine,
Documentation shines with light! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and clearly summarizes the main change: adding a GitHub MCP proxy demo documentation example for Vaara. It is specific, concise, and accurately reflects the primary purpose of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/github-mcp-proxy-demo

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@examples/github-mcp-proxy-demo/claude_code_config.example.json`:
- Line 20: Replace the token-shaped example value for the
"GITHUB_PERSONAL_ACCESS_TOKEN" key with a neutral placeholder or remove the key
from the example; specifically update the example JSON entry for
"GITHUB_PERSONAL_ACCESS_TOKEN" to use a non-token-looking string like
"REPLACE_WITH_GITHUB_PAT" or omit the env entry entirely so users are encouraged
to supply the secret via their shell/CI rather than storing a plaintext token in
the example file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9ad82bf0-8993-4826-835a-8af7abb89645

📥 Commits

Reviewing files that changed from the base of the PR and between e39aed0 and 3584134.

📒 Files selected for processing (3)

• examples/github-mcp-proxy-demo/README.md
• examples/github-mcp-proxy-demo/claude_code_config.example.json
• examples/sap-mcp-proxy-demo/README.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use a non-token-shaped placeholder for PAT values.

At Line 20, prefer a neutral placeholder (or omit the env block in favor of shell-provided env only) to avoid encouraging plaintext token storage and to reduce secret-scanner false positives.

Suggested tweak

-        "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_replace_with_your_token"
+        "GITHUB_PERSONAL_ACCESS_TOKEN": "__SET_IN_SHELL_OR_LOCAL_SECRET_STORE__"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_replace_with_your_token"
	"GITHUB_PERSONAL_ACCESS_TOKEN": "__SET_IN_SHELL_OR_LOCAL_SECRET_STORE__"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@examples/github-mcp-proxy-demo/claude_code_config.example.json` at line 20,
Replace the token-shaped example value for the "GITHUB_PERSONAL_ACCESS_TOKEN"
key with a neutral placeholder or remove the key from the example; specifically
update the example JSON entry for "GITHUB_PERSONAL_ACCESS_TOKEN" to use a
non-token-looking string like "REPLACE_WITH_GITHUB_PAT" or omit the env entry
entirely so users are encouraged to supply the secret via their shell/CI rather
than storing a plaintext token in the example file.