Cowork Desktop: "Allow network egress" additional-domain entries not enforced when mode is "Package managers only" (DNS EAI_AGAIN; wildcard matching inconsistent)

Resolved 💬 3 comments Opened Apr 21, 2026 by grbaden Closed Apr 24, 2026

Summary

In the Claude Enterprise admin console, under Organization settings → Capabilities → Code execution → Allow network egress, there is a top-level mode dropdown ("Package managers only" / "All domains") plus a list where admins can add additional domain entries (wildcards like *.salesforce.com or literals like login.salesforce.com).

The additional-domain list does not enforce entries when the top-level mode is set to "Package managers only." DNS resolution inside the MCP plugin runtime fails with EAI_AGAIN for hostnames explicitly present in the allowlist. Switching the dropdown to "All domains" is the only workaround — forcing admins into a permissive mode that defeats the purpose of having an allowlist.

Additionally, wildcard matching is inconsistent: *.lexion.ai correctly resolves app.lexion.ai, but *.salesforce.com does not resolve login.salesforce.com.

Reporter: Greg Baden, SVP & General Counsel / AI Initiative Lead, NetBrain Technologies
Contact: greg.baden@netbraintech.com
Anthropic org: NetBrain Technologies (Enterprise)
Date observed: 2026-04-20
Severity: Blocks 400-user rollout of our custom Salesforce MCP plugin; forces admins to widen egress to "All domains" as only workaround
Product area: Cowork desktop, MCP plugin runtime, admin egress controls
Related ticket: #51398 (${CLAUDE_PLUGIN_DATA} not persistent across conversations) — same investigation session, same plugin

---

Expected behavior

When an admin adds a domain entry to the allowlist (wildcard or literal), MCP plugin runtimes should reach that hostname regardless of the "Package managers only" vs "All domains" dropdown setting. The additional-domain list should be additive to the package-manager defaults, not gated behind "All domains."

Wildcard entries should match subdomains uniformly — *.example.com should match www.example.com for all domains without exception.

Actual behavior

With the top-level mode set to "Package managers only" and specific domains in the allowlist, the plugin runtime cannot resolve DNS for any of those domains. Node fetch() fails with cause.code: EAI_AGAIN from getaddrinfo, and HTTP CONNECT attempts return 403 from the Cowork proxy. Switching to "All domains" — without changing any other setting — makes the same plugin work immediately.

Wildcard matching is inconsistent: *.lexion.ai resolves subdomains correctly; *.salesforce.com does not.

---

Reproduction steps

Bug 1: "Package managers only" + specific-domain enforcement

  1. As an org admin, set Organization settings → Capabilities → Code execution → Allow network egress to "Package managers only".
  2. Add specific hostnames to the allowlist, e.g.:
  • login.salesforce.com
  • nbtech.my.salesforce.com
  • *.salesforce.com
  • *.force.com
  1. Install any MCP plugin that calls one of those domains. (We used salesforce-mcp v0.2.2, which POSTs to https://login.salesforce.com/services/oauth2/token on salesforce_start_auth.)
  2. Fully quit and relaunch Cowork. Start a fresh conversation.
  3. Invoke the plugin tool that triggers the outbound HTTP.

Observed: Plugin fails with cause.code: EAI_AGAIN, cause.syscall: getaddrinfo, cause.hostname: login.salesforce.com. Proxy logs show 403 from proxy after CONNECT login.salesforce.com:443.

  1. Without changing any other setting, flip the dropdown to "All domains". Re-run the same tool.

Observed: Plugin works immediately.

Bug 2: Wildcard-matcher inconsistency

  1. With "Package managers only" on, add *.lexion.ai and *.salesforce.com to the allowlist.
  2. Confirm *.lexion.ai correctly allows app.lexion.ai (Lexion MCP plugin works).
  3. Confirm *.salesforce.com does NOT allow login.salesforce.com — same EAI_AGAIN failure, even with the literal login.salesforce.com also present in the list alongside the wildcard.

---

Evidence

Plugin error log (captured by salesforce-mcp v0.2.2's err.cause logging):

{
  "tool": "salesforce_start_auth",
  "error": "fetch failed",
  "error_name": "TypeError",
  "cause_code": "EAI_AGAIN",
  "cause_syscall": "getaddrinfo",
  "cause_hostname": "login.salesforce.com",
  "cause_message": "getaddrinfo EAI_AGAIN login.salesforce.com"
}

Mac terminal sanity check (same host, same time):

$ curl -I https://login.salesforce.com/
HTTP/2 200

DNS and routing from the host OS are healthy — the failure is specific to the Cowork plugin sandbox.

Allowlist configuration at time of failure (Package managers only mode):

  • login.salesforce.com
  • test.salesforce.com
  • nbtech.my.salesforce.com
  • nbtech.lightning.force.com
  • nbtech.file.force.com
  • *.salesforce.com
  • *.force.com
  • *.content.force.com
  • *.lexion.ai
  • *.netbraintech.com

Every form of the failing hostname (literal + wildcard) is present. *.lexion.ai worked; *.salesforce.com and all its literal companions did not.

After switching to "All domains" (same session, no other changes):
All Salesforce plugin tools succeed: salesforce_start_auth returns a user_code, Device Flow browser prompt completes, salesforce_poll_auth returns status: success with instance_url: https://nbtech.my.salesforce.com, and salesforce_query_records runs SOQL successfully.

---

Impact

  • Blocks secure rollout of salesforce-mcp to ~400 NetBrain users. The only workaround removes the admin's ability to restrict outbound traffic — a material weakening of enterprise security posture.
  • Silent misconfiguration: the UI shows allowlist entries as saved with no error state, so admins have no feedback their entries aren't working until a plugin fails with an opaque fetch error.
  • Affects every MCP plugin deployment on Cowork desktop. Any enterprise wanting to restrict egress to a specific allowlist cannot today — they must choose between "Package managers only" (plugins break) or "All domains" (no restriction).

---

Requested fix

  1. Primary: Make the additional-domain allowlist enforce correctly in "Package managers only" mode. Entries should be additive to the package-manager defaults.
  2. Secondary: Normalize wildcard matching across all domains so *.salesforce.comlogin.salesforce.com behaves identically to *.lexion.aiapp.lexion.ai.
  3. UX: If additional-domain entries are intentionally scoped in some way, surface that in the admin UI — a mode-dependent hint, section header, or warning banner.

---

Current workaround

Set Allow network egress to "All domains." This is the only configuration that allows our MCP plugin to reach Salesforce OAuth and API hosts. We consider this a temporary measure and intend to revert to a specific-domain allowlist once a fix lands.

---

Contact

Please reply to greg.baden@netbraintech.com. Available to provide:

  • Full plugin source (TypeScript)
  • Verbose err.cause logs from salesforce-mcp v0.2.2 capturing the EAI_AGAIN / 403-from-proxy failure pattern
  • Admin console screenshots showing allowlist state at failure, and passing after the "All domains" flip
  • Access to a NetBrain Enterprise Cowork environment to reproduce live

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗