From 23bb613c17f131f754b9519e3906bd104b4cc5a9 Mon Sep 17 00:00:00 2001
From: Patryk Kobielak <patryk.kobielak@gmail.com>
Date: Thu, 4 Jun 2026 15:34:23 +0200
Subject: [PATCH] fix(iron-proxy): allow content-encoding header so private git
 clone works

iron-proxy's strict outbound header_allowlist omitted content-encoding, so
the gzip-compressed git-upload-pack POST body was forwarded while the
Content-Encoding: gzip header was stripped. GitHub then parsed the gzip
bytes as plaintext and returned HTTP 400, breaking private git clone/fetch/
pull over HTTPS from sandboxes (gh api and public clones were unaffected).

Add content-encoding to the header_allowlist in both the authoritative
base config and the standalone egress proxy copy.

Fixes #402
---
 services/api/api/iron-proxy.base.yaml | 1 +
 services/iron-proxy/iron-proxy.yaml   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/services/api/api/iron-proxy.base.yaml b/services/api/api/iron-proxy.base.yaml
index 00a8eb382..66eceb628 100644
--- a/services/api/api/iron-proxy.base.yaml
+++ b/services/api/api/iron-proxy.base.yaml
@@ -25,6 +25,7 @@ transforms:
         - "host"
         - "content-type"
         - "content-length"
+        - "content-encoding"
         - "accept"
         - "accept-encoding"
         - "accept-language"
diff --git a/services/iron-proxy/iron-proxy.yaml b/services/iron-proxy/iron-proxy.yaml
index 00a8eb382..66eceb628 100644
--- a/services/iron-proxy/iron-proxy.yaml
+++ b/services/iron-proxy/iron-proxy.yaml
@@ -25,6 +25,7 @@ transforms:
         - "host"
         - "content-type"
         - "content-length"
+        - "content-encoding"
         - "accept"
         - "accept-encoding"
         - "accept-language"