Cowork Desktop: "Allow network egress" additional-domain entries not enforced when mode is "Package managers only" (DNS EAI_AGAIN; wildcard matching inconsistent)
Summary
In the Claude Enterprise admin console, under Organization settings → Capabilities → Code execution → Allow network egress, there is a top-level mode dropdown ("Package managers only" / "All domains") plus a list where admins can add additional domain entries (wildcards like *.salesforce.com or literals like login.salesforce.com).
The additional-domain list does not enforce entries when the top-level mode is set to "Package managers only." DNS resolution inside the MCP plugin runtime fails with EAI_AGAIN for hostnames explicitly present in the allowlist. Switching the dropdown to "All domains" is the only workaround — forcing admins into a permissive mode that defeats the purpose of having an allowlist.
Additionally, wildcard matching is inconsistent: *.lexion.ai correctly resolves app.lexion.ai, but *.salesforce.com does not resolve login.salesforce.com.
Reporter: Greg Baden, SVP & General Counsel / AI Initiative Lead, NetBrain Technologies
Contact: greg.baden@netbraintech.com
Anthropic org: NetBrain Technologies (Enterprise)
Date observed: 2026-04-20
Severity: Blocks 400-user rollout of our custom Salesforce MCP plugin; forces admins to widen egress to "All domains" as only workaround
Product area: Cowork desktop, MCP plugin runtime, admin egress controls
Related ticket: #51398 (${CLAUDE_PLUGIN_DATA} not persistent across conversations) — same investigation session, same plugin
---
Expected behavior
When an admin adds a domain entry to the allowlist (wildcard or literal), MCP plugin runtimes should reach that hostname regardless of the "Package managers only" vs "All domains" dropdown setting. The additional-domain list should be additive to the package-manager defaults, not gated behind "All domains."
Wildcard entries should match subdomains uniformly — *.example.com should match www.example.com for all domains without exception.
Actual behavior
With the top-level mode set to "Package managers only" and specific domains in the allowlist, the plugin runtime cannot resolve DNS for any of those domains. Node fetch() fails with cause.code: EAI_AGAIN from getaddrinfo, and HTTP CONNECT attempts return 403 from the Cowork proxy. Switching to "All domains" — without changing any other setting — makes the same plugin work immediately.
Wildcard matching is inconsistent: *.lexion.ai resolves subdomains correctly; *.salesforce.com does not.
---
Reproduction steps
Bug 1: "Package managers only" + specific-domain enforcement
- As an org admin, set Organization settings → Capabilities → Code execution → Allow network egress to "Package managers only".
- Add specific hostnames to the allowlist, e.g.:
login.salesforce.comnbtech.my.salesforce.com*.salesforce.com*.force.com
- Install any MCP plugin that calls one of those domains. (We used
salesforce-mcpv0.2.2, which POSTs tohttps://login.salesforce.com/services/oauth2/tokenonsalesforce_start_auth.) - Fully quit and relaunch Cowork. Start a fresh conversation.
- Invoke the plugin tool that triggers the outbound HTTP.
Observed: Plugin fails with cause.code: EAI_AGAIN, cause.syscall: getaddrinfo, cause.hostname: login.salesforce.com. Proxy logs show 403 from proxy after CONNECT login.salesforce.com:443.
- Without changing any other setting, flip the dropdown to "All domains". Re-run the same tool.
Observed: Plugin works immediately.
Bug 2: Wildcard-matcher inconsistency
- With "Package managers only" on, add
*.lexion.aiand*.salesforce.comto the allowlist. - Confirm
*.lexion.aicorrectly allowsapp.lexion.ai(Lexion MCP plugin works). - Confirm
*.salesforce.comdoes NOT allowlogin.salesforce.com— sameEAI_AGAINfailure, even with the literallogin.salesforce.comalso present in the list alongside the wildcard.
---
Evidence
Plugin error log (captured by salesforce-mcp v0.2.2's err.cause logging):
{
"tool": "salesforce_start_auth",
"error": "fetch failed",
"error_name": "TypeError",
"cause_code": "EAI_AGAIN",
"cause_syscall": "getaddrinfo",
"cause_hostname": "login.salesforce.com",
"cause_message": "getaddrinfo EAI_AGAIN login.salesforce.com"
}
Mac terminal sanity check (same host, same time):
$ curl -I https://login.salesforce.com/
HTTP/2 200
DNS and routing from the host OS are healthy — the failure is specific to the Cowork plugin sandbox.
Allowlist configuration at time of failure (Package managers only mode):
login.salesforce.comtest.salesforce.comnbtech.my.salesforce.comnbtech.lightning.force.comnbtech.file.force.com*.salesforce.com*.force.com*.content.force.com*.lexion.ai*.netbraintech.com
Every form of the failing hostname (literal + wildcard) is present. *.lexion.ai worked; *.salesforce.com and all its literal companions did not.
After switching to "All domains" (same session, no other changes):
All Salesforce plugin tools succeed: salesforce_start_auth returns a user_code, Device Flow browser prompt completes, salesforce_poll_auth returns status: success with instance_url: https://nbtech.my.salesforce.com, and salesforce_query_records runs SOQL successfully.
---
Impact
- Blocks secure rollout of
salesforce-mcpto ~400 NetBrain users. The only workaround removes the admin's ability to restrict outbound traffic — a material weakening of enterprise security posture. - Silent misconfiguration: the UI shows allowlist entries as saved with no error state, so admins have no feedback their entries aren't working until a plugin fails with an opaque fetch error.
- Affects every MCP plugin deployment on Cowork desktop. Any enterprise wanting to restrict egress to a specific allowlist cannot today — they must choose between "Package managers only" (plugins break) or "All domains" (no restriction).
---
Requested fix
- Primary: Make the additional-domain allowlist enforce correctly in "Package managers only" mode. Entries should be additive to the package-manager defaults.
- Secondary: Normalize wildcard matching across all domains so
*.salesforce.com→login.salesforce.combehaves identically to*.lexion.ai→app.lexion.ai. - UX: If additional-domain entries are intentionally scoped in some way, surface that in the admin UI — a mode-dependent hint, section header, or warning banner.
---
Current workaround
Set Allow network egress to "All domains." This is the only configuration that allows our MCP plugin to reach Salesforce OAuth and API hosts. We consider this a temporary measure and intend to revert to a specific-domain allowlist once a fix lands.
---
Contact
Please reply to greg.baden@netbraintech.com. Available to provide:
- Full plugin source (TypeScript)
- Verbose
err.causelogs fromsalesforce-mcpv0.2.2 capturing theEAI_AGAIN/ 403-from-proxy failure pattern - Admin console screenshots showing allowlist state at failure, and passing after the "All domains" flip
- Access to a NetBrain Enterprise Cowork environment to reproduce live
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗