Routine egress gateway blocks specific public hostnames with `host_not_allowed`
What's happening
I have a scheduled Claude Code routine (Routines / /code/triggers) that
runs a site audit against a public production domain I own
(www.mycardvault.io). Every HTTP request to that hostname from the
remote agent fails with:
HTTP/2 403
x-deny-reason: host_not_allowed
The intercepting TLS certificate is issued by "Egress Gateway Subordinate CA",
not by Cloudflare (which fronts the actual site), so the request is being
terminated at the routine's egress gateway before reaching the destination
— i.e., this is not a destination-side restriction.
The same site responds 200 from any normal client and from my local Claude Code session.
Why this matters
Six of the eleven checks in the audit pipeline (route smoke, form smoke,
form fail-paths, image health, rate-limit canary, sample card-detail) rely
on live HTTP to the public site. They've been silently returning BLOCKED in
every routine run since the routine was created on 2026-05-01. The audit
emails reach my inbox correctly via the Gmail MCP, so the egress block is
selective — clearly limited to specific non-MCP hostnames.
The hostname in question is the user's own production website. Site audits
/ health checks / synthetic monitoring against owned domains seem like an
obvious legitimate use case for scheduled remote agents.
What I'm asking for
One of:
- Document the egress allowlist policy — make it visible at routine
creation time which hostnames the agent can reach, and warn the user if
a hostname referenced in the prompt isn't reachable.
- Allow user-owned domain allowlist additions — let me add
www.mycardvault.io to my routine's egress allowlist via the routine
config (or a per-routine setting in the UI).
- Relax the default policy for public production hostnames — the
current default appears to deny essentially every public web hostname,
which is much narrower than the routine's MCP-connector reach implies.
Reproduction
- Schedule:
0 14 * * 2,5 - Last fired: 2026-05-05 14:00 UTC
- Audit body in the routine prompt; full failure email available on request
Workaround currently used
Static source-code analysis only. Ten of eleven checks become useless under
that constraint.
— Seth Melamed
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗