Hmm. Sounds like an interesting problem.
But how can you really differentiate between a user opening git and some other program running git?
I think we would need friction there, some sort of manual intervention.
The best I could think of was something like a Bitwarden/KeePassXC-like CLI where it requires a password and it would just straight up copy that token into GitHub.
If we are really talking / you have the source code and you want end-to-end security, you could theoretically also compile git with the specific idea / implementation of whatever encrypted password manager you might use directly within the code of git / GitHub, but I know that can be overkill for this problem.
What I’d want is to be able to run top-level commands differently from other commands and to be able to have git and gh be a wrapper that injects the permissions. They could also filter the arguments and environment variables, which I know is hard to get right. Subshells and other programs would be able to run git and gh, but not with the permissions.
I could even run git and gh in a container that has a volume to be able to access the directory.
I think I have an idea of what this could look like and I might try and prototype it with fish and see what code parts it goes down to gauge how secure it’s likely to be.
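A sketch of the wrapper described in the post above, written in POSIX sh rather than fish, as an added example that is not code from the thread. It assumes a password-manager CLI on PATH under the placeholder name `pm_get_token`, and treats "top level" as the interactive shell itself, outside any `$(...)` or `( )` subshell.

```shell
# Added example, not code from the thread: a POSIX sh wrapper (the post above
# mentions fish) that attaches a credential helper to git only for top-level,
# interactive network commands; scripts, other programs and $(...) subshells
# calling `git` get the real binary with no credential. Assumed: `pm_get_token`
# is a password-manager CLI on PATH (placeholder name).

# Stand-in for that CLI so the example runs offline. In real use it must be an
# executable, because git runs the credential helper in its own sh process.
pm_get_token() { printf '%s\n' 'CONSTRUCTED-TOKEN-NOT-REAL'; }
# Only subcommands that talk to the remote get the helper.
gitwrap_needs_creds() {
    case "$1" in push|pull|fetch|clone|ls-remote) return 0 ;; *) return 1 ;; esac
}

# Print the subcommand (first non-option argument). Return 1 if a global config
# override precedes it: -c and --config-env could swap in another credential
# helper, --exec-path another git binary. Return 2 if there is no subcommand.
gitwrap_subcmd() {
    skip=0
    for a in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi   # value of -C/--git-dir/...
        case "$a" in
            -c*|--config-env*|--exec-path*) return 1 ;;
            -C|--git-dir|--work-tree|--namespace) skip=1 ;;
            -*) ;;                                # other global options pass
            *) printf '%s\n' "$a"; return 0 ;;    # a later -c belongs to the subcommand
        esac
    done
    return 2
}

# Top level means an interactive shell that is not inside a $(...) or ( ) subshell.
gitwrap_is_top_level() {
    case "$-" in *i*) [ "${BASH_SUBSHELL:-0}" -eq 0 ] ;; *) return 1 ;; esac
}

gitwrap_run() {
    sub=$(gitwrap_subcmd "$@"); rc=$?
    [ "$rc" -ne 1 ] || { echo "gitwrap: global config override refused" >&2; return 2; }
    if gitwrap_is_top_level && gitwrap_needs_creds "$sub"; then
        # The helper queries the manager only when git asks for a credential, so the
        # token never enters this shell's environment. Caveat: -c settings do reach
        # git's own children via GIT_CONFIG_PARAMETERS, so a hook could still ask it.
        command git -c credential.helper='!f(){ [ "$1" = get ] && printf "password=%s\n" "$(pm_get_token)"; }; f' "$@"
    else
        command git "$@"
    fi
}
git() { gitwrap_run "$@"; }
```

Because shell functions are not inherited by child processes, any program or script that execs `git` bypasses the wrapper and lands on the plain binary, which is the behaviour the post asks for.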