One command
Add GitHub to any Ashlr Stack project with a single command. Stack runs the auth flow, provisions the upstream resource via the GitHub Management API, and writes every secret slot into Phantom.
stack add github
Or describe what you're building and let Claude pick it up via stack recommend:
stack recommend "git hosting and CI"Auth flow
Stack runs the OAuth device flow. You paste a code into the provider's authorization page; Stack polls until you confirm.
How-to: Browser device-code flow — enter the code GitHub shows you, authorise, done.
Secret slots
stack add github writes these 1 secret
slot into your Phantom vault:
GITHUB_TOKEN
The values never leave Phantom in plaintext. Your .env file references slot
names, and stack exec -- <cmd> swaps them in at process-spawn time via
Phantom's local proxy.
MCP wiring
GitHub ships an MCP server.
stack add github auto-wires it into .mcp.json so your Claude Code / Cursor / Windsurf session can use it immediately.
@modelcontextprotocol/server-github with GITHUB_PERSONAL_ACCESS_TOKEN piped from Phantom.
FAQ
Do I need a GitHub account to use it with Stack?
Yes — Stack provisions GitHub on your behalf, but it authenticates as you. Stack runs the OAuth device flow. You paste a code into the provider's authorization page; Stack polls until you confirm. If you don't have an account yet, Stack can create one during the OAuth flow.
Where does Stack store my GitHub credentials?
In Phantom Secrets, an E2E-encrypted local vault. Stack writes the secret slot names (GITHUB_TOKEN) into .stack.toml — the actual values live only in Phantom and never touch disk in plaintext.
Can I rotate or revoke this integration later?
Yes. Run `stack remove github` to pull the GitHub service back out (Phantom secrets deleted, MCP entry removed, .stack.toml cleaned up). Rotate the underlying GitHub credentials in their dashboard — https://github.com — and Stack's next `doctor --fix` will pick up the new values.