[Bug] Egress proxy blocks GitHub subdomains, breaking git operations in web bash environment
Bug Description
claude-code
4. **Use the `/bug` command** and provide this description:
/bug
Git operations fail in Claude web interface bash environment with 401 Unauthorized errors as of October 22, 2025.
Root cause: Egress proxy JWT whitelist includes github.com but blocks GitHub subdomains (api.github.com, raw.githubusercontent.com, etc.), causing git clone/push/pull to fail with "CONNECT tunnel failed, response 401".
Session details:
- Container: container_container_011CUNEzwCxTHdWKpZNVa1V8--wavy-crafty-quick-rating
- Org UUID: cd410308-6244-4d0f-923b-6407efb7744a
- Time: Oct 22, 2025, 12:44 UTC
Error example:
git clone https://github.com/[user]/[repo].git
fatal: unable to access '...': CONNECT tunnel failed, response 401
While curl https://github.com works (200 OK), curl https://api.github.com returns 403 Forbidden with x-deny-reason: host_not_allowed.
Diagnostics performed:
- Verified GitHub PAT valid
- Confirmed repo accessible
- Decoded JWT - allowed_hosts has github.com but missing api.github.com, raw.githubusercontent.com, gist.github.com, etc.
- Tested base domain vs subdomains - exact domain matching only, no wildcard support
This worked fine for several days (Oct 15-21) then suddenly failed Oct 22, suggesting recent whitelist policy change.
Request: Add GitHub subdomains to egress proxy whitelist:
- api.github.com
- raw.githubusercontent.com
- gist.github.com
- codeload.github.com
- objects.githubusercontent.com
Or implement wildcard subdomain support (*.github.com).
Impact: Cannot use Claude web interface bash for git workflows. Must use Claude Code instead, which defeats the purpose of Computer Use capabilities.
Full diagnostic reports available if needed.
Environment Info
- Platform: darwin
- Terminal: Apple_Terminal
- Version: 2.0.25
- Feedback ID: 5c31645a-84af-4568-a361-c6b9984963e6
Errors
[{"error":"Error: Could not resolve authentication method. Expected either apiKey or authToken to be set. Or for one of the \"X-Api-Key\" or \"Authorization\" headers to be explicitly omitted\n at validateHeaders (/$bunfs/root/claude:506:935)\n at buildHeaders (/$bunfs/root/claude:506:8427)\n at async buildRequest (/$bunfs/root/claude:506:7493)\n at async makeRequest (/$bunfs/root/claude:506:3332)\n at processTicksAndRejections (native:7:39)\n at spawnSync (unknown)\n at spawnSync (node:child_process:226:22)\n at y11 (/$bunfs/root/claude:67:1337)\n at a4 (/$bunfs/root/claude:67:3436)\n at RR0 (/$bunfs/root/claude:493:971)\n at isRelevant (/$bunfs/root/claude:2782:10499)\n at isRelevant (/$bunfs/root/claude:2782:10511)","timestamp":"2025-10-22T12:29:17.247Z"},{"error":"Error: Could not resolve authentication method. Expected either apiKey or authToken to be set. Or for one of the \"X-Api-Key\" or \"Authorization\" headers to be explicitly omitted\n at validateHeaders (/$bunfs/root/claude:506:935)\n at buildHeaders (/$bunfs/root/claude:506:8427)\n at async buildRequest (/$bunfs/root/claude:506:7493)\n at async makeRequest (/$bunfs/root/claude:506:3332)\n at processTicksAndRejections (native:7:39)","timestamp":"2025-10-22T12:29:17.489Z"},{"error":"Error: Could not resolve authentication method. Expected either apiKey or authToken to be set. Or for one of the \"X-Api-Key\" or \"Authorization\" headers to be explicitly omitted\n at validateHeaders (/$bunfs/root/claude:506:935)\n at buildHeaders (/$bunfs/root/claude:506:8427)\n at async buildRequest (/$bunfs/root/claude:506:7493)\n at async makeRequest (/$bunfs/root/claude:506:3332)\n at processTicksAndRejections (native:7:39)","timestamp":"2025-10-22T12:29:17.563Z"}]This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗