diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml
index 1c072095156..15e7d9944c3 100644
--- a/.github/workflows/daily-issues-report.lock.yml
+++ b/.github/workflows/daily-issues-report.lock.yml
@@ -342,6 +342,7 @@ jobs:
 - name: Start DIFC proxy for pre-agent gh calls
 env:
 GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GITHUB_SERVER_URL: ${{ github.server_url }}
 run: |
 bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6'
 - name: Setup jq utilities directory
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml
index e27dd057965..41258a9a7c7 100644
--- a/.github/workflows/issue-arborist.lock.yml
+++ b/.github/workflows/issue-arborist.lock.yml
@@ -309,6 +309,7 @@ jobs:
 - name: Start DIFC proxy for pre-agent gh calls
 env:
 GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GITHUB_SERVER_URL: ${{ github.server_url }}
 run: |
 bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6'
 - name: Setup jq utilities directory
diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml
index 467d0832b2f..0fceb637a9e 100644
--- a/.github/workflows/stale-repo-identifier.lock.yml
+++ b/.github/workflows/stale-repo-identifier.lock.yml
@@ -340,6 +340,7 @@ jobs:
 - name: Start DIFC proxy for pre-agent gh calls
 env:
 GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GITHUB_SERVER_URL: ${{ github.server_url }}
 run: |
 bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6'
 - name: Setup Python environment
diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml
index 9f6c43c6f9d..eca74dab4ae 100644
--- a/.github/workflows/weekly-blog-post-writer.lock.yml
+++ b/.github/workflows/weekly-blog-post-writer.lock.yml
@@ -1252,6 +1252,7 @@ jobs:
 - name: Start DIFC proxy for pre-agent gh calls
 env:
 GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ GITHUB_SERVER_URL: ${{ github.server_url }}
 run: |
 bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":["github/gh-aw"]}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6'
 - name: Restore qmd index from cache
diff --git a/actions/setup/sh/start_difc_proxy.sh b/actions/setup/sh/start_difc_proxy.sh
index 3dc639c6e31..5a06ca321a8 100644
--- a/actions/setup/sh/start_difc_proxy.sh
+++ b/actions/setup/sh/start_difc_proxy.sh
@@ -9,6 +9,7 @@
 #
 # Environment:
 # GH_TOKEN - GitHub token passed to the proxy container
+# GITHUB_SERVER_URL - GitHub server URL for upstream routing (e.g. https://github.com or https://TENANT.ghe.com)
 # GITHUB_REPOSITORY - Repository name (owner/repo) for git remote
 # GITHUB_ENV - Path to GitHub Actions environment file
@@ -36,6 +37,7 @@
 echo "Starting DIFC proxy container: $CONTAINER_IMAGE"
 docker run -d --name awmg-proxy --network host \
 -e GH_TOKEN \
+ -e GITHUB_SERVER_URL \
 -e DEBUG='*' \
 -v "$PROXY_LOG_DIR:$PROXY_LOG_DIR" \
 -v "$MCP_LOG_DIR:$MCP_LOG_DIR" \
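Review bot: The new `-e GITHUB_SERVER_URL` pass-through in the `docker run` hunk is silent when the variable is unset — `docker run -e NAME` with no value forwards nothing — so a caller that omits the env entry gets whatever upstream the proxy defaults to, and on a GHES/ghe.com tenant that presumably means GH_TOKEN is sent to the wrong host. Fail fast before `docker run` with `: "${GITHUB_SERVER_URL:?GITHUB_SERVER_URL must be set, e.g. https://github.com}"`, and consider rejecting non-https values so the token never travels in cleartext, e.g. `case "$GITHUB_SERVER_URL" in https://*) ;; *) echo "GITHUB_SERVER_URL must be an https:// URL" >&2; exit 1 ;; esac`. The header comment added in the earlier hunk should then state that the variable is required rather than listing it like an optional input. The script continues beyond this hunk.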
diff --git a/pkg/workflow/compiler_difc_proxy.go b/pkg/workflow/compiler_difc_proxy.go
index 23bb0d23039..ac56969ec9c 100644
--- a/pkg/workflow/compiler_difc_proxy.go
+++ b/pkg/workflow/compiler_difc_proxy.go
@@ -210,6 +210,7 @@ func (c *Compiler) buildStartDIFCProxyStepYAML(data *WorkflowData) string {
 sb.WriteString(" - name: Start DIFC proxy for pre-agent gh calls\n")
 sb.WriteString(" env:\n")
 fmt.Fprintf(&sb, " GH_TOKEN: %s\n", effectiveToken)
+ sb.WriteString(" GITHUB_SERVER_URL: ${{ github.server_url }}\n")
 sb.WriteString(" run: |\n")
 // The policy JSON contains only static values from the workflow frontmatter
 // (min-integrity and repos). It never contains GitHub Actions expressions (${{ }})
diff --git a/pkg/workflow/compiler_difc_proxy_test.go b/pkg/workflow/compiler_difc_proxy_test.go
index 03954809e1f..1d5e9975040 100644
--- a/pkg/workflow/compiler_difc_proxy_test.go
+++ b/pkg/workflow/compiler_difc_proxy_test.go
@@ -299,6 +299,7 @@ func TestGenerateStartDIFCProxyStep(t *testing.T) {
 require.NotEmpty(t, result, "should generate proxy start step")
 assert.Contains(t, result, "Start DIFC proxy for pre-agent gh calls", "step name should be present")
 assert.Contains(t, result, "GH_TOKEN:", "step should include GH_TOKEN env var")
+ assert.Contains(t, result, "GITHUB_SERVER_URL:", "step should include GITHUB_SERVER_URL env var")
 assert.Contains(t, result, "start_difc_proxy.sh", "step should call the proxy script")
 assert.Contains(t, result, `"allow-only"`, "step should include guard policy JSON")
 assert.Contains(t, result, `"min-integrity":"approved"`, "step should include min-integrity in policy")
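Review bot: The new `GITHUB_SERVER_URL` line interpolates a `${{ }}` expression two lines above a comment explaining that the policy JSON deliberately contains none, and nothing records why this one is acceptable; a short why-comment would stop the next editor from treating it as precedent for event-derived contexts. Suggest placing `// github.server_url is runner-provided, never attacker-controlled; it is passed via env: rather than inlined into run: so it reaches the script without shell interpolation.` above the `sb.WriteString`. If I recall correctly Actions already exports GITHUB_SERVER_URL to every step, so this line documents the dependency explicitly rather than being the only source of the value — worth confirming and noting in the comment. buildStartDIFCProxyStepYAML begins before this hunk and continues after it.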
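Review bot: The added assertion only checks that the key `GITHUB_SERVER_URL:` appears, so a regression that emits the wrong value (a hard-coded `https://github.com`, or a different context) would still pass; pin the whole line instead: `assert.Contains(t, result, "GITHUB_SERVER_URL: ${{ github.server_url }}", "step should pin GITHUB_SERVER_URL to github.server_url")`. The same weakness applies to the neighbouring `GH_TOKEN:` check, but that is pre-existing. TestGenerateStartDIFCProxyStep starts before this hunk.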