Add regional egress interception repro

[neekolas]

Summary

This PR adds a deployed reproduction for a container egress interception issue seen when a Worker uses a targeted region placement hint.

The examples/egress-tests suite now deploys two workers.dev environments with the same egress interception configuration:

• global: no Worker placement hint
• regional: placement = { mode = "targeted", region = "aws:us-east-1" }

The container applications use distinct names per environment so both can exist in the same account. The tests now run against a deployed Worker URL via EGRESS_TEST_BASE_URL instead of WranglerDevRunner, because the issue only reproduces after deploying with the regional placement hint.

Why

In the regional deployment, outbound interception appears not to run. Requests that should be blocked by deniedHosts / allowedHosts instead return 200, and requests that should be handled by outboundByHost / catch-all outbound reach the actual target path and return Not Found.

The matching global deployment passes the same tests.

How to Reproduce

Deploy both environments to an account with Containers enabled:

cd examples/egress-tests
npx wrangler deploy --env global
npx wrangler deploy --env regional

Run the tests against each workers.dev URL:

EGRESS_TEST_ENV=global \
EGRESS_TEST_BASE_URL=https://egress-tests-global.$YOUR_WORKERS_DEV_DOMAIN \
npx vitest run test/egress.test.ts

EGRESS_TEST_ENV=regional \
EGRESS_TEST_BASE_URL=https://egress-tests-regional.$YOUR_WORKERS_DEV_DOMAIN \
npx vitest run test/egress.test.ts

Observed Results

Global passes:

Test Files  1 passed (1)
     Tests  9 passed (9)
  Start at  08:09:26
  Duration  30.09s (transform 12ms, setup 0ms, import 21ms, tests 29.97s, environment 0ms)

Regional fails:

❯ test/egress.test.ts (9 tests | 9 failed) 66403ms
      × deniedHosts blocks the request 2861ms
      × allowedHosts gate blocks non-allowed hosts 1953ms
      × outboundByHost handler is invoked for matching allowed host 2440ms
      × catch-all outbound handler is invoked for allowed host without specific handler 2988ms
      × denied host is blocked even if it would match allowedHosts 2122ms
      × glob pattern in outboundByHost matches subdomains 3466ms
      × glob pattern in outboundByHost matches deeply nested subdomains 3172ms
      × glob pattern in allowedHosts blocks non-matching host 29074ms
      × denyHost also blocks the same hostname with a trailing dot 18326ms

Representative regional failures:

FAIL  test/egress.test.ts > egress interception > regional > deniedHosts blocks the request
AssertionError: expected 200 to be 520 // Object.is equality

- Expected
+ Received

- 520
+ 200

FAIL  test/egress.test.ts > egress interception > regional > outboundByHost handler is invoked for matching allowed host
AssertionError: expected 'Not Found' to be 'outboundByHost: by-host.com' // Object.is equality

Expected: "outboundByHost: by-host.com"
Received: "Not Found"

Validation

• npm run typecheck in examples/egress-tests
• npx wrangler deploy --env global --dry-run
• npx wrangler deploy --env regional --dry-run
• deployed global and confirmed 9/9 tests pass
• deployed regional and confirmed 9/9 tests fail in the egress interception path