Claude Tag: bundle Domains/credential allow-layers never reach session egress (CONNECT 403 policy denial) — Tag-surface report of #34690 family
Summary
On Claude Tag (beta) channel sessions, the Access bundle allow-layers — a connection's Allowed hosts and the bundle's Domains tab — are never applied to the session's egress gateway. Every outbound request to the configured host is rejected at the CONNECT stage with a synthetic 403. This looks like the same "config plane never reaches the enforcement plane" gap tracked in #34690, #30112, #19087, #71629 (and the routines variant #41565), but I couldn't find any prior report for the Claude Tag surface, so filing this one.
Setup (verified)
- Team plan org, Claude Tag beta, Slack workspace freshly paired (verified correct: Claude Tag usage bills into this org and sessions are attributed there).
- Channel scope has an Access bundle attached containing:
- a Bearer connection with Allowed hosts =
primal.huklberrymedia.com(all methods), and - a Domains tab entry
primal.huklberrymedia.com:443(exact apex, no wildcard). - Scope is on Claude Tag version New (not Legacy). Tests were run in brand-new top-level threads and, after remove/re-invite of the app, in verifiably fresh sessions/containers.
Observed
~10 attempts across fresh sessions over one day, all byte-identical:
curl -sS -i https://primal.huklberrymedia.com/api/shopify
curl: (56) CONNECT tunnel failed, response 403
HTTP/1.1 403 Forbidden (Content-Length: 36 — synthetic, from the proxy; no origin response)
Proxy status ($HTTPS_PROXY/__agentproxy/status), newest recentRelayFailures entry:
{
"ts": "2026-07-09T21:59:05.714Z",
"kind": "connect_rejected",
"detail": "gateway answered 403 to CONNECT (policy denial or upstream failure)",
"host": "primal.huklberrymedia.com:443"
}
The connection in the admin console shows "Never used" throughout — its rules never fire.
In-session forensics
env | grep -i no_proxy (identical across no_proxy, NO_PROXY, GLOBAL_AGENT_NO_PROXY):
localhost,127.0.0.1,::1,127.0.0.0/8,0.0.0.0/8,::,169.254.0.0/16,
anthropic.com,.anthropic.com,*.anthropic.com,
registry.npmjs.org,jsr.io,npm.jsr.io,pypi.org,files.pythonhosted.org,
index.crates.io,proxy.golang.org,host.docker.internal,
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10,
.svc.cluster.local,*.svc.cluster.local
$HTTPS_PROXY is a plain http://host:port URL — no embedded JWT/token (unlike the token-carrying variant decoded in #34690). So policy is enforced purely server-side at the gateway, and that server-side policy demonstrably contains none of the bundle's hosts. There is no client-side knob at all.
Expected
Per the docs (Allow a host without a credential): a Domains-tab entry means "requests from those channels' sandboxes to that host go through with no credential attached", and a connection's Allowed websites should pass requests "with that credential attached". Neither happens.
Additional gap
The documented environment escape hatch is unusable: the scope's Environment picker offers only "Organization default", and there appears to be no way to create an organization-scoped environment (the claude.ai/code dialog creates account-scoped environments, which the picker explicitly excludes; the docs anchor attach-to-scope#choose-the-environment-for-a-scope referenced from customize.md doesn't exist on the live page).
An independent Claude Tag teardown (derivai.substack.com, Jul 2026) documents the identical bare allowlist in Tag sandboxes, which suggests this is not org-specific.
Ask
Provision the bundle allow-layers (Domains tab + connection Allowed hosts) into Claude Tag session egress policy — or provide a working self-serve path (org-scoped environment creation) to allowlist a host.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗