claude-code - 💡(How to fix) Fix Cowork Desktop: "Allow network egress" additional-domain entries not enforced when mode is "Package managers only" (DNS EAI_AGAIN; wildcard matching inconsistent)


In the Claude Enterprise admin console, under Organization settings → Capabilities → Code execution → Allow network egress, there is a top-level mode dropdown ("Package managers only" / "All domains") plus a list where admins can add additional domain entries (wildcards like *.salesforce.com or literals like login.salesforce.com).

The additional-domain list does not enforce entries when the top-level mode is set to "Package managers only." DNS resolution inside the MCP plugin runtime fails with EAI_AGAIN for hostnames explicitly present in the allowlist. Switching the dropdown to "All domains" is the only workaround — forcing admins into a permissive mode that defeats the purpose of having an allowlist.

Additionally, wildcard matching is inconsistent: *.lexion.ai correctly resolves app.lexion.ai, but *.salesforce.com does not resolve login.salesforce.com.

Reporter: Greg Baden, SVP & General Counsel / AI Initiative Lead, NetBrain Technologies
Contact: [email protected]
Anthropic org: NetBrain Technologies (Enterprise)
Date observed: 2026-04-20
Severity: Blocks 400-user rollout of our custom Salesforce MCP plugin; forces admins to widen egress to "All domains" as only workaround
Product area: Cowork desktop, MCP plugin runtime, admin egress controls
Related ticket: #51398 (${CLAUDE_PLUGIN_DATA} not persistent across conversations) — same investigation session, same plugin









Expected behavior

When an admin adds a domain entry to the allowlist (wildcard or literal), MCP plugin runtimes should reach that hostname regardless of the "Package managers only" vs "All domains" dropdown setting. The additional-domain list should be additive to the package-manager defaults, not gated behind "All domains."

Wildcard entries should match subdomains uniformly — *.example.com should match www.example.com for all domains without exception.

Actual behavior

With the top-level mode set to "Package managers only" and specific domains in the allowlist, the plugin runtime cannot resolve DNS for any of those domains. Node fetch() fails with cause.code: EAI_AGAIN from getaddrinfo, and HTTP CONNECT attempts return 403 from the Cowork proxy. Switching to "All domains" — without changing any other setting — makes the same plugin work immediately.

Wildcard matching is inconsistent: *.lexion.ai resolves subdomains correctly; *.salesforce.com does not.


Reproduction steps

Bug 1: "Package managers only" + specific-domain enforcement

  1. As an org admin, set Organization settings → Capabilities → Code execution → Allow network egress to "Package managers only".
  2. Add specific hostnames to the allowlist, e.g.:
    • login.salesforce.com
    • nbtech.my.salesforce.com
    • *.salesforce.com
    • *.force.com
  3. Install any MCP plugin that calls one of those domains. (We used salesforce-mcp v0.2.2, which POSTs to https://login.salesforce.com/services/oauth2/token on salesforce_start_auth.)
  4. Fully quit and relaunch Cowork. Start a fresh conversation.
  5. Invoke the plugin tool that triggers the outbound HTTP.

Observed: Plugin fails with cause.code: EAI_AGAIN, cause.syscall: getaddrinfo, cause.hostname: login.salesforce.com. Proxy logs show 403 from proxy after CONNECT login.salesforce.com:443.

  6. Without changing any other setting, flip the dropdown to "All domains". Re-run the same tool.

Observed: Plugin works immediately.

Bug 2: Wildcard-matcher inconsistency

  1. With "Package managers only" on, add *.lexion.ai and *.salesforce.com to the allowlist.
  2. Confirm *.lexion.ai correctly allows app.lexion.ai (Lexion MCP plugin works).
  3. Confirm *.salesforce.com does NOT allow login.salesforce.com — same EAI_AGAIN failure, even with the literal login.salesforce.com also present in the list alongside the wildcard.

Evidence

Plugin error log (captured by salesforce-mcp v0.2.2's err.cause logging):

{
  "tool": "salesforce_start_auth",
  "error": "fetch failed",
  "error_name": "TypeError",
  "cause_code": "EAI_AGAIN",
  "cause_syscall": "getaddrinfo",
  "cause_hostname": "login.salesforce.com",
  "cause_message": "getaddrinfo EAI_AGAIN login.salesforce.com"
}

Mac terminal sanity check (same host, same time):

$ curl -I https://login.salesforce.com/
HTTP/2 200

DNS and routing from the host OS are healthy — the failure is specific to the Cowork plugin sandbox.

Allowlist configuration at time of failure (Package managers only mode):

  • login.salesforce.com
  • test.salesforce.com
  • nbtech.my.salesforce.com
  • nbtech.lightning.force.com
  • nbtech.file.force.com
  • *.salesforce.com
  • *.force.com
  • *.content.force.com
  • *.lexion.ai
  • *.netbraintech.com

Every form of the failing hostname (literal + wildcard) is present. *.lexion.ai worked; *.salesforce.com and all its literal companions did not.

After switching to "All domains" (same session, no other changes):
All Salesforce plugin tools succeed: salesforce_start_auth returns a user_code, Device Flow browser prompt completes, salesforce_poll_auth returns status: success with instance_url: https://nbtech.my.salesforce.com, and salesforce_query_records runs SOQL successfully.


Impact

  • Blocks secure rollout of salesforce-mcp to ~400 NetBrain users. The only workaround removes the admin's ability to restrict outbound traffic — a material weakening of enterprise security posture.
  • Silent misconfiguration: the UI shows allowlist entries as saved with no error state, so admins have no feedback their entries aren't working until a plugin fails with an opaque fetch error.
  • Affects every MCP plugin deployment on Cowork desktop. Any enterprise wanting to restrict egress to a specific allowlist cannot today — they must choose between "Package managers only" (plugins break) or "All domains" (no restriction).

Requested fix

  1. Primary: Make the additional-domain allowlist enforce correctly in "Package managers only" mode. Entries should be additive to the package-manager defaults.
  2. Secondary: Normalize wildcard matching across all domains so *.salesforce.com → login.salesforce.com behaves identically to *.lexion.ai → app.lexion.ai.
  3. UX: If additional-domain entries are intentionally scoped in some way, surface that in the admin UI — a mode-dependent hint, section header, or warning banner.
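A reference evaluator for the semantics the Expected behavior section and the requested fix describe, as an added example that is not Cowork's, Anthropic's, or the reporter's code. It assumes a policy object with a `mode` field and an `additionalDomains` list (hypothetical names), uses a constructed stand-in for the package-manager default hosts (the real list is not on the page), and includes a classifier for the `err.cause` shape shown in the plugin log so an allowlisted host failing with getaddrinfo EAI_AGAIN is flagged as an enforcement problem rather than a plugin bug.

```javascript
// Constructed stand-in for the "Package managers only" defaults; the real set is not on the page.
const PACKAGE_MANAGER_DEFAULTS = ["registry.npmjs.org", "pypi.org", "files.pythonhosted.org"];

// Lower-case and strip a trailing dot so "Login.Salesforce.com." compares equal to the entry.
function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, "");
}

// One allowlist entry against one hostname. "*.example.com" covers every subdomain
// (www.example.com, a.b.example.com) but not the apex "example.com"; literals match exactly.
// This is the uniform rule the report asks for, applied to every domain alike.
function entryMatches(entry, host) {
  const e = normalizeHost(entry);
  const h = normalizeHost(host);
  if (e.startsWith("*.")) {
    const suffix = e.slice(1); // ".example.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return e === h;
}

// Expected semantics: additional entries are additive to the package-manager defaults
// regardless of mode; "all-domains" permits everything (the permissive workaround).
function isEgressAllowed(policy, host) {
  if (policy.mode === "all-domains") return true;
  const entries = [...PACKAGE_MANAGER_DEFAULTS, ...(policy.additionalDomains || [])];
  return entries.some((entry) => entryMatches(entry, host));
}

// Classify a Node fetch() failure using the err.cause fields the plugin log captured.
// EAI_AGAIN from getaddrinfo for a host the policy allows means the sandbox resolver or
// proxy denied it, which is the enforcement bug the report describes.
function diagnoseFetchError(policy, err) {
  const cause = (err && err.cause) || {};
  if (cause.syscall === "getaddrinfo" && cause.code === "EAI_AGAIN") {
    return isEgressAllowed(policy, cause.hostname)
      ? "allowlisted host unreachable: egress enforcement or sandbox DNS/proxy problem"
      : "host not allowlisted: denial is expected";
  }
  return "not a DNS/egress failure";
}

// Constructed policy mirroring the allowlist in the report (hypothetical field names).
const POLICY = {
  mode: "package-managers-only",
  additionalDomains: ["login.salesforce.com", "nbtech.my.salesforce.com",
    "*.salesforce.com", "*.force.com", "*.lexion.ai"],
};
```

Running the reported hostnames through `isEgressAllowed(POLICY, ...)` gives the admin a table of which entries should resolve before a rollout, independent of what the sandbox actually does.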

Current workaround

Set Allow network egress to "All domains." This is the only configuration that allows our MCP plugin to reach Salesforce OAuth and API hosts. We consider this a temporary measure and intend to revert to a specific-domain allowlist once a fix lands.


Contact

Please reply to [email protected]. Available to provide:

  • Full plugin source (TypeScript)
  • Verbose err.cause logs from salesforce-mcp v0.2.2 capturing the EAI_AGAIN / 403-from-proxy failure pattern
  • Admin console screenshots showing allowlist state at failure, and passing after the "All domains" flip
  • Access to a NetBrain Enterprise Cowork environment to reproduce live

extent analysis

TL;DR

The most likely fix involves updating the allowlist enforcement logic in "Package managers only" mode to correctly apply additional domain entries and normalizing wildcard matching across all domains.

Guidance

  1. Verify allowlist configuration: Confirm that the allowlist entries are correctly formatted and saved in the admin console, and that the "Package managers only" mode is properly set.
  2. Investigate DNS resolution: Check the DNS resolution process for the affected domains to ensure that it is working correctly and not causing the EAI_AGAIN error.
  3. Test wildcard matching: Perform thorough testing of wildcard matching for different domains to identify any inconsistencies and ensure that the matching logic is uniform.
  4. Review plugin runtime configuration: Examine the plugin runtime configuration to ensure that it is correctly set up to use the allowlist and that there are no conflicts with other settings.

Example

No code snippet is provided as the issue does not contain sufficient information about the specific code or APIs involved.

Notes

The issue seems to be related to the allowlist enforcement logic and wildcard matching in the "Package managers only" mode. The fact that switching to "All domains" resolves the issue suggests that the problem is specific to the allowlist configuration. However, without more information about the underlying code and configuration, it is difficult to provide a more detailed solution.

Recommendation

Apply a workaround by setting Allow network egress to "All domains" until a permanent fix is available, as this is the only configuration that allows the MCP plugin to reach Salesforce OAuth and API hosts.


