diff --git a/tests/README.md b/tests/README.md
index 6d6764cae..c2db9b9b8 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -4,7 +4,7 @@ TypeScript-based integration tests for the awf (Agentic Workflow Firewall) CLI.
 ## Overview
-This directory contains comprehensive integration tests that verify firewall behavior across multiple scenarios. Currently includes **17 integration test files** covering:
+This directory contains comprehensive integration tests that verify firewall behavior across multiple scenarios, including:
 ### Core Functionality
 - **Basic Firewall Functionality** (`basic-firewall.test.ts`) - Domain whitelisting, subdomain matching, exit code propagation
@@ -33,6 +33,7 @@ This directory contains comprehensive integration tests that verify firewall beh
 - **Log Commands** (`log-commands.test.ts`) - Log parsing and analysis
 ### Integration Testing
+- **CLI Proxy** (`cli-proxy.test.ts`) - gh wrapper routing, token isolation, and opt-in approved-integrity live regression coverage
 - **Claude Code** (`claude-code.test.ts`) - Claude Code CLI integration
 - **No Docker** (`no-docker.test.ts`) - Docker-in-Docker removal verification
 - **Docker Warning** (`docker-warning.test.ts`) - Docker command warning messages
@@ -54,9 +55,10 @@ These smoke tests use the locally built firewall and validate:
 ```
 tests/
-├── integration/ # Integration test suites (17 files)
+├── integration/ # Integration test suites
 │ ├── basic-firewall.test.ts
 │ ├── blocked-domains.test.ts
+│ ├── cli-proxy.test.ts
 │ ├── claude-code.test.ts
 │ ├── container-workdir.test.ts
 │ ├── dns-servers.test.ts
@@ -125,6 +127,14 @@ npm test:unit
 npm run test:integration
 ```
+### Run the CLI proxy approved-integrity live regression
+
+This opt-in regression requires a running external DIFC proxy plus a GitHub token supplied via `GITHUB_TOKEN` or `GH_TOKEN`.
+
+```bash
+AWF_RUN_APPROVED_DIFC_PROXY_TESTS=1 sudo -E npm run test:integration -- cli-proxy
+```
+
 ### Run Specific Test Suite
 ```bash
@@ -267,7 +277,7 @@ Key considerations:
 The project uses TypeScript-based integration tests that run in CI via `.github/workflows/test-coverage.yml`:
-**Integration test files (17 total):**
+**Selected integration test files:**
 | Category | Test File | Description |
 |----------|-----------|-------------|
 | Core | `basic-firewall.test.ts` | Domain whitelisting, connectivity |
@@ -277,6 +287,7 @@ The project uses TypeScript-based integration tests that run in CI via `.github/
 | Domains | `wildcard-patterns.test.ts` | Wildcard matching |
 | Security | `network-security.test.ts` | Capability restrictions, SSRF |
 | Security | `robustness.test.ts` | Edge cases, bypass prevention |
+| Integration | `cli-proxy.test.ts` | CLI proxy sidecar coverage, including opt-in approved-integrity gh api array regression |
 | Config | `dns-servers.test.ts` | DNS configuration |
 | Config | `environment-variables.test.ts` | Environment variables |
 | Config | `volume-mounts.test.ts` | Volume mounts |
diff --git a/tests/integration/cli-proxy.test.ts b/tests/integration/cli-proxy.test.ts
index f1224a6a4..22c40ad0e 100644
--- a/tests/integration/cli-proxy.test.ts
+++ b/tests/integration/cli-proxy.test.ts
@@ -35,6 +35,11 @@ const cliProxyDefaults = {
 },
 };
+const approvedIntegrityToken = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
+const approvedIntegrityLiveTest = process.env.AWF_RUN_APPROVED_DIFC_PROXY_TESTS === '1' && approvedIntegrityToken
+ ? test
+ : test.skip;
+
 describe('CLI Proxy Sidecar', () => {
 let runner: AwfRunner;
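Review bot: The gate `process.env.AWF_RUN_APPROVED_DIFC_PROXY_TESTS === '1' && approvedIntegrityToken ? test : test.skip` in tests/integration/cli-proxy.test.ts turns an explicit opt-in with a missing token into a silent skip, so a job that sets the flag but has lost its secret still reports green without running the regression. When the flag is set, a missing credential should fail loudly, for example `if (process.env.AWF_RUN_APPROVED_DIFC_PROXY_TESTS === '1' && !approvedIntegrityToken) throw new Error('AWF_RUN_APPROVED_DIFC_PROXY_TESTS=1 requires GITHUB_TOKEN or GH_TOKEN');` placed before the ternary. A one-line comment that `||` is deliberate, so an empty `GITHUB_TOKEN` falls through to `GH_TOKEN`, would also help the next reader.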
@@ -116,6 +121,25 @@ describe('CLI Proxy Sidecar', () => {
 // Should NOT get "command not found" — the wrapper must be installed
 expect(output + stderr).not.toContain('command not found');
 }, 180000);
+
+ approvedIntegrityLiveTest(
+ 'should preserve array JSON responses for gh api issue comment endpoints under approved integrity',
+ async () => {
+ const result = await runner.runWithSudo(
+ 'bash -o pipefail -c \'gh api "repos/github/gh-aw-firewall/issues/1/comments?per_page=1" | jq -er type\'',
+ {
+ ...cliProxyDefaults,
+ env: {
+ GITHUB_TOKEN: approvedIntegrityToken!,
+ },
+ },
+ );
+
+ expect(result).toSucceed();
+ expect(extractCommandOutput(result.stdout).trim()).toBe('array');
+ },
+ 180000
+ );
 });
 describe('Meta-command Denial', () => {
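Review bot: The new live test passes a real credential into the run through `env: { GITHUB_TOKEN: approvedIntegrityToken! }` but asserts only on the JSON type, so nothing checks that the token stays out of the captured output, even though the README lists token isolation as part of this suite's coverage. Adding `expect(result.stdout).not.toContain(approvedIntegrityToken!);` after the `toSucceed()` check would catch a leak into stdout, and the same assertion on stderr is worth adding if the result object exposes it, as the neighbouring test's `stderr` variable suggests. The `!` assertion is sound only because of the `approvedIntegrityLiveTest` gate defined outside this hunk. A short comment should say so and note that the token ought to be read-only with minimal scope, since it is used against the live API.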