From a30ef222d5538b388d11267afa401c0bdab707c6 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 11:00:36 -0500 Subject: [PATCH 01/22] init simple integration --- registry/coder/modules/claude-code/main.tf | 17 ++++++++++++ .../coder/modules/claude-code/main.tftest.hcl | 26 +++++++++++++++++++ .../modules/claude-code/scripts/start.sh | 18 ++++++++++++- 3 files changed, 60 insertions(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index 4836347b7..4d2ad66cf 100644 --- a/registry/coder/modules/claude-code/main.tf +++ b/registry/coder/modules/claude-code/main.tf @@ -192,6 +192,18 @@ variable "claude_md_path" { default = "$HOME/.claude/CLAUDE.md" } +variable "enable_boundary" { + type = bool + description = "Whether to enable coder boundary for network filtering" + default = false +} + +variable "boundary_log_dir" { + type = string + description = "Directory for boundary logs" + default = "/tmp/boundary_logs" +} + resource "coder_env" "claude_code_md_path" { count = var.claude_md_path == "" ? 0 : 1 @@ -231,6 +243,8 @@ locals { start_script = file("${path.module}/scripts/start.sh") module_dir_name = ".claude-module" remove_last_session_id_script_b64 = base64encode(file("${path.module}/scripts/remove-last-session-id.sh")) + # Extract hostname from access_url for boundary --allow flag + coder_host = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "") } module "agentapi" { @@ -270,6 +284,9 @@ module "agentapi" { ARG_PERMISSION_MODE='${var.permission_mode}' \ ARG_WORKDIR='${local.workdir}' \ ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \ + ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \ + ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \ + ARG_CODER_HOST='${local.coder_host}' \ /tmp/start.sh EOT diff --git a/registry/coder/modules/claude-code/main.tftest.hcl b/registry/coder/modules/claude-code/main.tftest.hcl index c48923cf3..55eedd5e6 100644 
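Review bot: The comment on `coder_host` says "hostname", but the two `replace` calls only strip the scheme, so the value keeps any port or path that `access_url` carries. If boundary's `--allow` matches on the host alone (not visible here), a deployment on a non-default port would not be let through. Either make the comment say what the value is, `# access_url with the scheme removed (host[:port]), passed to boundary --allow`, or extract just the host with `regex`. The locals block begins and ends outside this hunk.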
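Review bot: `ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}'` places a free-form string inside single quotes in the generated start command, so a value containing `'` ends the quoting and the rest is interpreted by the shell. `ARG_AI_PROMPT` in the same block already avoids this by being base64-encoded. Either encode the new value the same way or add a `validation` block to `boundary_log_dir` that restricts it to path characters, e.g. `condition = can(regex("^[A-Za-z0-9_./-]+$", var.boundary_log_dir))`.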
--- a/registry/coder/modules/claude-code/main.tftest.hcl +++ b/registry/coder/modules/claude-code/main.tftest.hcl @@ -187,3 +187,29 @@ run "test_claude_code_permission_mode_validation" { error_message = "Permission mode should be one of the valid options" } } + +run "test_claude_code_with_boundary" { + command = plan + + variables { + agent_id = "test-agent-boundary" + workdir = "/home/coder/boundary-test" + enable_boundary = true + boundary_log_dir = "/tmp/test-boundary-logs" + } + + assert { + condition = var.enable_boundary == true + error_message = "Boundary should be enabled" + } + + assert { + condition = var.boundary_log_dir == "/tmp/test-boundary-logs" + error_message = "Boundary log dir should be set correctly" + } + + assert { + condition = local.coder_host != "" + error_message = "Coder host should be extracted from access URL" + } +} diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index b5fca7a5a..ccc22d90a 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -15,6 +15,9 @@ ARG_DANGEROUSLY_SKIP_PERMISSIONS=${ARG_DANGEROUSLY_SKIP_PERMISSIONS:-} ARG_PERMISSION_MODE=${ARG_PERMISSION_MODE:-} ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"} ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d) +ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false} +ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"} +ARG_CODER_HOST=${ARG_CODER_HOST:-} echo "--------------------------------" 
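Review bot: The first two assertions in `test_claude_code_with_boundary` compare `var.enable_boundary` and `var.boundary_log_dir` with the values the run block itself sets, so they cannot fail and do not exercise the module. The third only checks that `local.coder_host` is non-empty, which would also pass if the scheme were never stripped. A check on the derived value is more useful, for example `condition = !strcontains(local.coder_host, "://")` with `error_message = "coder_host must not contain a URL scheme"`.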
@@ -25,6 +28,9 @@ printf "ARG_DANGEROUSLY_SKIP_PERMISSIONS: %s\n" "$ARG_DANGEROUSLY_SKIP_PERMISSIO printf "ARG_PERMISSION_MODE: %s\n" "$ARG_PERMISSION_MODE" printf "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT" printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR" +printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY" +printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR" +printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST" echo "--------------------------------" @@ -74,7 +80,17 @@ function start_agentapi() { fi fi printf "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")" - agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}" + + if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then + mkdir -p "$ARG_BOUNDARY_LOG_DIR" + printf "Starting with coder boundary enabled\n" + agentapi server --type claude --term-width 67 --term-height 1190 -- \ + coder boundary --log-dir "$ARG_BOUNDARY_LOG_DIR" \ + --allow "*.anthropic.com" --allow "$ARG_CODER_HOST" -- \ + claude "${ARGS[@]}" + else + agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}" + fi } validate_claude_installation From 00337b3bdfe59c27f28bc20afd73837d08395f91 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 11:19:21 -0500 Subject: [PATCH 02/22] default unprivileged --- registry/coder/modules/claude-code/main.tf | 7 +++++++ registry/coder/modules/claude-code/scripts/start.sh | 13 +++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index 4d2ad66cf..6034cd5cd 100644 --- a/registry/coder/modules/claude-code/main.tf +++ b/registry/coder/modules/claude-code/main.tf 
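Review bot: `--allow "$ARG_CODER_HOST"` is passed even when the variable is empty (its default in this script is `${ARG_CODER_HOST:-}`), which hands boundary an empty allow rule whose meaning is not defined anywhere in this change. Failing fast before the `agentapi server` call is safer: `[ -n "$ARG_CODER_HOST" ] || { echo "ARG_CODER_HOST is required when boundary is enabled" >&2; exit 1; }`. The default log directory `/tmp/boundary_logs` is a predictable path in a world-writable directory, so a comment saying it should be overridden on shared hosts would help. start_agentapi begins outside this hunk.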
@@ -204,6 +204,12 @@ variable "boundary_log_dir" { default = "/tmp/boundary_logs" } +variable "boundary_unprivileged" { + type = bool + description = "Whether to use --unprivileged flag with coder boundary (recommended for security)" + default = true +} + resource "coder_env" "claude_code_md_path" { count = var.claude_md_path == "" ? 0 : 1 @@ -286,6 +292,7 @@ module "agentapi" { ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \ ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \ ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \ + ARG_BOUNDARY_UNPRIVILEGED='${var.boundary_unprivileged}' \ ARG_CODER_HOST='${local.coder_host}' \ /tmp/start.sh EOT diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index ccc22d90a..00d536f7c 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -17,6 +17,7 @@ ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"} ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d) ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false} ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"} +ARG_BOUNDARY_UNPRIVILEGED=${ARG_BOUNDARY_UNPRIVILEGED:-true} ARG_CODER_HOST=${ARG_CODER_HOST:-} echo "--------------------------------" @@ -30,6 +31,7 @@ printf "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT" printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR" printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY" printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR" +printf "ARG_BOUNDARY_UNPRIVILEGED: %s\n" "$ARG_BOUNDARY_UNPRIVILEGED" printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST" echo "--------------------------------" 
@@ -84,9 +86,16 @@ function start_agentapi() { if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then mkdir -p "$ARG_BOUNDARY_LOG_DIR" printf "Starting with coder boundary enabled\n" + + # Build boundary args with conditional --unprivileged flag + BOUNDARY_ARGS=(--log-dir "$ARG_BOUNDARY_LOG_DIR") + if [ "${ARG_BOUNDARY_UNPRIVILEGED:-true}" = "true" ]; then + BOUNDARY_ARGS+=(--unprivileged) + fi + BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "$ARG_CODER_HOST") + agentapi server --type claude --term-width 67 --term-height 1190 -- \ - coder boundary --log-dir "$ARG_BOUNDARY_LOG_DIR" \ - --allow "*.anthropic.com" --allow "$ARG_CODER_HOST" -- \ + coder boundary "${BOUNDARY_ARGS[@]}" -- \ claude "${ARGS[@]}" else agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}" From 4a1bf33b28dce8b63b5b0a6649474d8dc6fad6d1 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 14:36:30 -0500 Subject: [PATCH 03/22] additional urls and agentapi required urls --- registry/coder/modules/claude-code/main.tf | 7 +++++++ registry/coder/modules/claude-code/scripts/start.sh | 11 ++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index 6034cd5cd..9d3c4a8b7 100644 --- a/registry/coder/modules/claude-code/main.tf +++ b/registry/coder/modules/claude-code/main.tf @@ -210,6 +210,12 @@ variable "boundary_unprivileged" { default = true } +variable "boundary_additional_allowed_urls" { + type = list(string) + description = "Additional URLs to allow through boundary (in addition to default allowed URLs)" + default = [] +} + resource "coder_env" "claude_code_md_path" { count = var.claude_md_path == "" ? 0 : 1 
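Review bot: `boundary_additional_allowed_urls` accepts arbitrary strings, but the same patch joins the list with spaces inside a single-quoted shell assignment and start.sh splits it on spaces again. An entry containing a space therefore turns into several `--allow` rules, and one containing `'` breaks the generated command. A validation block that rejects whitespace and quotes closes both cases: `condition = alltrue([for u in var.boundary_additional_allowed_urls : can(regex("^[^\\s'\"]+$", u))])`. The join is in the `@@ -293,6 +299,7 @@` hunk and the split in the start.sh hunk of this patch.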
@@ -293,6 +299,7 @@ module "agentapi" { ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \ ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \ ARG_BOUNDARY_UNPRIVILEGED='${var.boundary_unprivileged}' \ + ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join(" ", var.boundary_additional_allowed_urls)}' \ ARG_CODER_HOST='${local.coder_host}' \ /tmp/start.sh EOT diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 00d536f7c..5dd959d4e 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -92,7 +92,16 @@ function start_agentapi() { if [ "${ARG_BOUNDARY_UNPRIVILEGED:-true}" = "true" ]; then BOUNDARY_ARGS+=(--unprivileged) fi - BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "$ARG_CODER_HOST") + # Add default allowed URLs + BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "$ARG_CODER_HOST") + + # Add any additional allowed URLs from the variable + if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then + IFS=' ' read -ra ADDITIONAL_URLS <<< "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" + for url in "${ADDITIONAL_URLS[@]}"; do + BOUNDARY_ARGS+=(--allow "$url") + done + fi agentapi server --type claude --term-width 67 --term-height 1190 -- \ coder boundary "${BOUNDARY_ARGS[@]}" -- \ From 2a3e76d31c49d76d2f5acbca65ea724d41d3415a Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 15:06:53 -0500 Subject: [PATCH 04/22] it's behind exp omfg --- registry/coder/modules/claude-code/scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 5dd959d4e..9f1fd0a25 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh 
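Review bot: `ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS` is read in `[ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]` without the `${VAR:-}` default that every other `ARG_` variable gets at the top of the script, and this patch adds none. If the script runs under `set -u` (not visible here), starting it without that variable aborts; add `ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS=${ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS:-}` next to the other defaults, plus a matching `printf` line. The default allow list also grows by `registry.npmjs.org`, `*.sentry.io` and `claude.ai`; a short comment saying which component needs each one would make later tightening of the egress policy easier. start_agentapi begins and ends outside this hunk.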
@@ -104,7 +104,7 @@ function start_agentapi() { fi agentapi server --type claude --term-width 67 --term-height 1190 -- \ - coder boundary "${BOUNDARY_ARGS[@]}" -- \ + coder exp boundary "${BOUNDARY_ARGS[@]}" -- \ claude "${ARGS[@]}" else agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}" From 9796e05fdc0d34259bd220a36a68c34c6ea2a75d Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 15:21:35 -0500 Subject: [PATCH 05/22] allow localhost for healthz and other reporting --- registry/coder/modules/claude-code/scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 9f1fd0a25..7f31ea488 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -93,7 +93,7 @@ function start_agentapi() { BOUNDARY_ARGS+=(--unprivileged) fi # Add default allowed URLs - BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "$ARG_CODER_HOST") + BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "localhost" --allow "$ARG_CODER_HOST") # Add any additional allowed URLs from the variable if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then From 01c436a751871c3aa41f0bc986f4f900b329aaf3 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 15:34:31 -0500 Subject: [PATCH 06/22] specifically allow healthz --- registry/coder/modules/claude-code/scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 7f31ea488..2488dda4c 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh 
@@ -93,7 +93,7 @@ function start_agentapi() { BOUNDARY_ARGS+=(--unprivileged) fi # Add default allowed URLs - BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "localhost" --allow "$ARG_CODER_HOST") + BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "localhost:8080/healthz" --allow "$ARG_CODER_HOST") # Add any additional allowed URLs from the variable if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then From 7acb90b2b8cb8eb39c9a1417424e7dad24f35ae7 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 15:47:57 -0500 Subject: [PATCH 07/22] fmt --- registry/coder/modules/claude-code/scripts/start.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 2488dda4c..dd846cba3 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -86,7 +86,7 @@ function start_agentapi() { if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then mkdir -p "$ARG_BOUNDARY_LOG_DIR" printf "Starting with coder boundary enabled\n" - + # Build boundary args with conditional --unprivileged flag BOUNDARY_ARGS=(--log-dir "$ARG_BOUNDARY_LOG_DIR") if [ "${ARG_BOUNDARY_UNPRIVILEGED:-true}" = "true" ]; then @@ -94,7 +94,7 @@ function start_agentapi() { fi # Add default allowed URLs BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "localhost:8080/healthz" --allow "$ARG_CODER_HOST") - + # Add any additional allowed URLs from the variable if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then IFS=' ' read -ra ADDITIONAL_URLS <<< "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" 
@@ -102,7 +102,7 @@ function start_agentapi() { BOUNDARY_ARGS+=(--allow "$url") done fi - + agentapi server --type claude --term-width 67 --term-height 1190 -- \ coder exp boundary "${BOUNDARY_ARGS[@]}" -- \ claude "${ARGS[@]}" From 2cf20a4bda3226e2665954cf2556352723c6d231 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 16:18:20 -0500 Subject: [PATCH 08/22] try just localhost:8080 for the allow rule --- registry/coder/modules/claude-code/scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index dd846cba3..f5644744b 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -93,7 +93,7 @@ function start_agentapi() { BOUNDARY_ARGS+=(--unprivileged) fi # Add default allowed URLs - BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "localhost:8080/healthz" --allow "$ARG_CODER_HOST") + BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "localhost:8080" --allow "$ARG_CODER_HOST") # Add any additional allowed URLs from the variable if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then From 919c1bbbc5a69f8e4e5408c3fa06b87f039a1c7e Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 16:48:26 -0500 Subject: [PATCH 09/22] try changing claudes mcp port --- registry/coder/modules/claude-code/main.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index 9d3c4a8b7..fd3df5ec1 100644 --- a/registry/coder/modules/claude-code/main.tf +++ b/registry/coder/modules/claude-code/main.tf 
@@ -246,6 +246,12 @@ resource "coder_env" "claude_api_key" { value = var.claude_api_key } +resource "coder_env" "mcp_server_port" { + agent_id = var.agent_id + name = "MCP_SERVER_PORT" + value = "8081" +} + locals { # we have to trim the slash because otherwise coder exp mcp will # set up an invalid claude config From 7ba975a2d890dbc56ba54c066c28f6f2d774cbee Mon Sep 17 00:00:00 2001 From: Benjamin Date: Mon, 6 Oct 2025 17:12:08 -0500 Subject: [PATCH 10/22] remove the localhost allowance, going to fix on the boundary side of things --- registry/coder/modules/claude-code/scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index f5644744b..195730ccf 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -93,7 +93,7 @@ function start_agentapi() { BOUNDARY_ARGS+=(--unprivileged) fi # Add default allowed URLs - BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "localhost:8080" --allow "$ARG_CODER_HOST") + BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "$ARG_CODER_HOST") # Add any additional allowed URLs from the variable if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then From 785a6d895f21d24de555e9222dde8e8c7a4a69da Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Thu, 16 Oct 2025 13:38:49 +0000 Subject: [PATCH 11/22] claude-code integration with strict jail --- .../coder/modules/claude-code/scripts/start.sh | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 195730ccf..d90f5e238 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh 
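Review bot: `coder_env.mcp_server_port` has no `count`, so `MCP_SERVER_PORT=8081` is exported into every workspace that uses the module, including those with `enable_boundary = false`. If the port change is only needed for boundary, as the commit subject suggests, gate it with `count = var.enable_boundary ? 1 : 0`. The hard-coded `"8081"` also deserves a comment naming the port it is avoiding.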
+++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -89,9 +89,6 @@ function start_agentapi() { # Build boundary args with conditional --unprivileged flag BOUNDARY_ARGS=(--log-dir "$ARG_BOUNDARY_LOG_DIR") - if [ "${ARG_BOUNDARY_UNPRIVILEGED:-true}" = "true" ]; then - BOUNDARY_ARGS+=(--unprivileged) - fi # Add default allowed URLs BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "$ARG_CODER_HOST") @@ -103,9 +100,17 @@ function start_agentapi() { done fi - agentapi server --type claude --term-width 67 --term-height 1190 -- \ - coder exp boundary "${BOUNDARY_ARGS[@]}" -- \ - claude "${ARGS[@]}" + git clone https://github.com/coder/boundary + cd boundary + git checkout yevhenii/proxy-v3 + go install ./cmd/... + + BOUNDARY_ARGS+=(--proxy-port=8087) + + agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \ + sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin /home/coder/go/bin/boundary "${BOUNDARY_ARGS[@]}" -- \ + claude + #"${ARGS[@]}" else agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}" fi From 19cdadb20625d622a4bf1f2da54134670974aeb4 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Mon, 20 Oct 2025 18:08:14 +0000 Subject: [PATCH 12/22] remove unprivileged jail --- registry/coder/modules/claude-code/main.tf | 13 ------------- registry/coder/modules/claude-code/scripts/start.sh | 2 -- 2 files changed, 15 deletions(-) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index fd3df5ec1..1285ed8ed 100644 --- a/registry/coder/modules/claude-code/main.tf +++ b/registry/coder/modules/claude-code/main.tf 
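Review bot: The `git clone` / `cd boundary` sequence added before the `agentapi server` call runs in the function's own shell, so agentapi and claude start inside the `boundary` checkout, and a second start fails at `git clone` because the directory already exists. The build tracks a moving branch (`yevhenii/proxy-v3`) and the resulting binary is run through `sudo` with `net_admin`, so whatever is on that branch at start time executes with elevated privileges; a pinned commit is safer. `--allowed-hosts="*"` on `agentapi server` needs a comment explaining why the host restriction is lifted, and `PATH=$PATH` should be quoted as `PATH="$PATH"`. The same clone-and-cd pattern reappears in the PATCH 16 hunk at `@@ -86,6 +88,12 @@` and in `install_boundary` in PATCH 18. start_agentapi begins outside this hunk.

```shell
# … unchanged: BOUNDARY_ARGS allow rules …

# Build in a scratch directory inside a subshell: the caller's working
# directory is left alone and a restart does not trip over an old checkout.
(
  build_dir="$(mktemp -d)"
  trap 'rm -rf "$build_dir"' EXIT
  git clone https://github.com/coder/boundary "$build_dir/boundary"
  cd "$build_dir/boundary"
  git checkout yevhenii/proxy-v3
  go install ./cmd/...
)

# … unchanged: --proxy-port argument and agentapi server invocation …
```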
@@ -204,12 +204,6 @@ variable "boundary_log_dir" { default = "/tmp/boundary_logs" } -variable "boundary_unprivileged" { - type = bool - description = "Whether to use --unprivileged flag with coder boundary (recommended for security)" - default = true -} - variable "boundary_additional_allowed_urls" { type = list(string) description = "Additional URLs to allow through boundary (in addition to default allowed URLs)" @@ -246,12 +240,6 @@ resource "coder_env" "claude_api_key" { value = var.claude_api_key } -resource "coder_env" "mcp_server_port" { - agent_id = var.agent_id - name = "MCP_SERVER_PORT" - value = "8081" -} - locals { # we have to trim the slash because otherwise coder exp mcp will # set up an invalid claude config @@ -304,7 +292,6 @@ module "agentapi" { ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \ ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \ ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \ - ARG_BOUNDARY_UNPRIVILEGED='${var.boundary_unprivileged}' \ ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join(" ", var.boundary_additional_allowed_urls)}' \ ARG_CODER_HOST='${local.coder_host}' \ /tmp/start.sh diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index d90f5e238..1a396c664 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -17,7 +17,6 @@ ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"} ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d) ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false} ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"} -ARG_BOUNDARY_UNPRIVILEGED=${ARG_BOUNDARY_UNPRIVILEGED:-true} ARG_CODER_HOST=${ARG_CODER_HOST:-} echo "--------------------------------" 
@@ -31,7 +30,6 @@ printf "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT" printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR" printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY" printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR" -printf "ARG_BOUNDARY_UNPRIVILEGED: %s\n" "$ARG_BOUNDARY_UNPRIVILEGED" printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST" echo "--------------------------------" From 9dfdfd9ea9d67e9f0c4a9dd8cb9dfa453a4dc712 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Mon, 20 Oct 2025 18:48:13 +0000 Subject: [PATCH 13/22] Make boundary http proxy port configurable --- registry/coder/modules/claude-code/main.tf | 7 +++++++ registry/coder/modules/claude-code/scripts/start.sh | 7 +++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index 1285ed8ed..e3ecb5f60 100644 --- a/registry/coder/modules/claude-code/main.tf +++ b/registry/coder/modules/claude-code/main.tf @@ -210,6 +210,12 @@ variable "boundary_additional_allowed_urls" { default = [] } +variable "boundary_proxy_port" { + type = string + description = "Port for HTTP Proxy used by Boundary" + default = "8087" +} + resource "coder_env" "claude_code_md_path" { count = var.claude_md_path == "" ? 0 : 1 @@ -294,6 +300,7 @@ module "agentapi" { ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \ ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join(" ", var.boundary_additional_allowed_urls)}' \ ARG_CODER_HOST='${local.coder_host}' \ + ARG_BOUNDARY_PROXY_PORT='${var.boundary_proxy_port}' \ /tmp/start.sh EOT diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 1a396c664..ebac75afb 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh 
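Review bot: `boundary_proxy_port` is declared as a free-form string with no validation, and its value is later interpolated into the single-quoted start command and expanded unquoted in start.sh. Restricting it to digits removes both the quoting risk and typos that would only surface at workspace start: `validation { condition = can(regex("^[0-9]{1,5}$", var.boundary_proxy_port)) error_message = "boundary_proxy_port must be a numeric port." }`. Declaring it as `type = number` would work too, if changing the variable's type is acceptable for existing callers.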
@@ -18,6 +18,7 @@ ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d) ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false} ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"} ARG_CODER_HOST=${ARG_CODER_HOST:-} +ARG_BOUNDARY_PROXY_PORT=${ARG_BOUNDARY_PROXY_PORT:-"8087"} echo "--------------------------------" @@ -31,6 +32,7 @@ printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR" printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY" printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR" printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST" +printf "ARG_BOUNDARY_PROXY_PORT: %s\n" "$ARG_BOUNDARY_PROXY_PORT" echo "--------------------------------" @@ -98,13 +100,14 @@ function start_agentapi() { done fi + # Set HTTP Proxy port used by Boundary + BOUNDARY_ARGS+=(--proxy-port $ARG_BOUNDARY_PROXY_PORT) + git clone https://github.com/coder/boundary cd boundary git checkout yevhenii/proxy-v3 go install ./cmd/... - BOUNDARY_ARGS+=(--proxy-port=8087) - agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \ sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin /home/coder/go/bin/boundary "${BOUNDARY_ARGS[@]}" -- \ claude From c44d07ddce479b26a0af529a9acb08c1293cc0b7 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Mon, 20 Oct 2025 19:54:44 +0000 Subject: [PATCH 14/22] Make log-level configurable --- registry/coder/modules/claude-code/main.tf | 7 +++++++ registry/coder/modules/claude-code/scripts/start.sh | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index e3ecb5f60..33f244bb4 100644 --- a/registry/coder/modules/claude-code/main.tf +++ b/registry/coder/modules/claude-code/main.tf 
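Review bot: `$ARG_BOUNDARY_PROXY_PORT` is expanded unquoted in `BOUNDARY_ARGS+=(--proxy-port $ARG_BOUNDARY_PROXY_PORT)`, so a value with whitespace or glob characters becomes extra boundary arguments; write `BOUNDARY_ARGS+=(--proxy-port "$ARG_BOUNDARY_PROXY_PORT")`. The same applies to `--log-level $ARG_BOUNDARY_LOG_LEVEL` in PATCH 14 and to `git checkout $ARG_BOUNDARY_VERSION` in PATCH 16. The rest of this script quotes its expansions, so this is also a consistency fix. start_agentapi begins and ends outside this hunk.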
@@ -216,6 +216,12 @@ variable "boundary_proxy_port" { default = "8087" } +variable "boundary_log_level" { + type = string + description = "Log level for boundary process" + default = "INFO" +} + resource "coder_env" "claude_code_md_path" { count = var.claude_md_path == "" ? 0 : 1 @@ -301,6 +307,7 @@ module "agentapi" { ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join(" ", var.boundary_additional_allowed_urls)}' \ ARG_CODER_HOST='${local.coder_host}' \ ARG_BOUNDARY_PROXY_PORT='${var.boundary_proxy_port}' \ + ARG_BOUNDARY_LOG_LEVEL='${var.boundary_log_level}' \ /tmp/start.sh EOT diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index ebac75afb..d4a2e592d 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -19,6 +19,7 @@ ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false} ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"} ARG_CODER_HOST=${ARG_CODER_HOST:-} ARG_BOUNDARY_PROXY_PORT=${ARG_BOUNDARY_PROXY_PORT:-"8087"} +ARG_BOUNDARY_LOG_LEVEL=${ARG_BOUNDARY_LOG_LEVEL:-"INFO"} echo "--------------------------------" @@ -33,6 +34,7 @@ printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY" printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR" printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST" printf "ARG_BOUNDARY_PROXY_PORT: %s\n" "$ARG_BOUNDARY_PROXY_PORT" +printf "ARG_BOUNDARY_LOG_LEVEL: %s\n" "$ARG_BOUNDARY_LOG_LEVEL" echo "--------------------------------" @@ -103,6 +105,9 @@ function start_agentapi() { # Set HTTP Proxy port used by Boundary BOUNDARY_ARGS+=(--proxy-port $ARG_BOUNDARY_PROXY_PORT) + # Set log level for boundary + BOUNDARY_ARGS+=(--log-level $ARG_BOUNDARY_LOG_LEVEL) + git clone https://github.com/coder/boundary cd boundary git checkout yevhenii/proxy-v3 From c7d76bbff912bbe8e72caa57f274fa390724e399 Mon Sep 17 00:00:00 2001 
From: YEVHENII SHCHERBINA Date: Mon, 20 Oct 2025 20:00:13 +0000 Subject: [PATCH 15/22] mark warn default log level --- registry/coder/modules/claude-code/main.tf | 2 +- registry/coder/modules/claude-code/scripts/start.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index 33f244bb4..dbea1fd67 100644 --- a/registry/coder/modules/claude-code/main.tf +++ b/registry/coder/modules/claude-code/main.tf @@ -219,7 +219,7 @@ variable "boundary_proxy_port" { variable "boundary_log_level" { type = string description = "Log level for boundary process" - default = "INFO" + default = "WARN" } resource "coder_env" "claude_code_md_path" { diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index d4a2e592d..692542454 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -19,7 +19,7 @@ ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false} ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"} ARG_CODER_HOST=${ARG_CODER_HOST:-} ARG_BOUNDARY_PROXY_PORT=${ARG_BOUNDARY_PROXY_PORT:-"8087"} -ARG_BOUNDARY_LOG_LEVEL=${ARG_BOUNDARY_LOG_LEVEL:-"INFO"} +ARG_BOUNDARY_LOG_LEVEL=${ARG_BOUNDARY_LOG_LEVEL:-"WARN"} echo "--------------------------------" From 5a74d509fcb82b58d00bcbc316e8c1efbae7ef6b Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Mon, 20 Oct 2025 20:32:46 +0000 Subject: [PATCH 16/22] install boundary from specific version --- registry/coder/modules/claude-code/main.tf | 9 ++++++++- registry/coder/modules/claude-code/scripts/start.sh | 13 ++++++++----- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index dbea1fd67..c44179c70 100644 --- a/registry/coder/modules/claude-code/main.tf 
+++ b/registry/coder/modules/claude-code/main.tf @@ -198,6 +198,12 @@ variable "enable_boundary" { default = false } +variable "boundary_version" { + type = string + description = "Boundary version, valid git reference should be provided (tag, commit, branch)" + default = "main" +} + variable "boundary_log_dir" { type = string description = "Directory for boundary logs" @@ -303,11 +309,12 @@ module "agentapi" { ARG_WORKDIR='${local.workdir}' \ ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \ ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \ + ARG_BOUNDARY_LOG_LEVEL='${var.boundary_log_level}' \ + ARG_BOUNDARY_VERSION='${var.boundary_version}' \ ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \ ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join(" ", var.boundary_additional_allowed_urls)}' \ ARG_CODER_HOST='${local.coder_host}' \ ARG_BOUNDARY_PROXY_PORT='${var.boundary_proxy_port}' \ - ARG_BOUNDARY_LOG_LEVEL='${var.boundary_log_level}' \ /tmp/start.sh EOT diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 692542454..b9cca13bc 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -16,6 +16,7 @@ ARG_PERMISSION_MODE=${ARG_PERMISSION_MODE:-} ARG_WORKDIR=${ARG_WORKDIR:-"$HOME"} ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d) ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false} +ARG_BOUNDARY_VERSION=${ARG_BOUNDARY_VERSION:-"main"} ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"} ARG_CODER_HOST=${ARG_CODER_HOST:-} ARG_BOUNDARY_PROXY_PORT=${ARG_BOUNDARY_PROXY_PORT:-"8087"} 
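Review bot: The default `"main"` for `boundary_version` means every workspace start builds whatever the branch head is at that moment, and start.sh then runs that binary through `sudo` with `net_admin`. Defaulting to a release tag or a full commit SHA makes the build reproducible and keeps an upstream push from changing what runs with elevated privileges, e.g. `default = "<PINNED_TAG_OR_COMMIT>"`. The description could also say that branch names are accepted but not recommended.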
@@ -31,6 +32,7 @@ printf "ARG_PERMISSION_MODE: %s\n" "$ARG_PERMISSION_MODE" printf "ARG_AI_PROMPT: %s\n" "$ARG_AI_PROMPT" printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR" printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY" +printf "ARG_BOUNDARY_VERSION: %s\n" "$ARG_BOUNDARY_VERSION" printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR" printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST" printf "ARG_BOUNDARY_PROXY_PORT: %s\n" "$ARG_BOUNDARY_PROXY_PORT" @@ -86,6 +88,12 @@ function start_agentapi() { printf "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")" if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then + # Install boundary from public github repo + git clone https://github.com/coder/boundary + cd boundary + git checkout $ARG_BOUNDARY_VERSION + go install ./cmd/... + mkdir -p "$ARG_BOUNDARY_LOG_DIR" printf "Starting with coder boundary enabled\n" @@ -108,11 +116,6 @@ function start_agentapi() { # Set log level for boundary BOUNDARY_ARGS+=(--log-level $ARG_BOUNDARY_LOG_LEVEL) - git clone https://github.com/coder/boundary - cd boundary - git checkout yevhenii/proxy-v3 - go install ./cmd/... - agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \ sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin /home/coder/go/bin/boundary "${BOUNDARY_ARGS[@]}" -- \ claude From 2764f8236777522f834a319b02f2195b405f14da Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 21 Oct 2025 14:02:55 +0000 Subject: [PATCH 17/22] Remove --dangerously-skip-permissions flag when using boundary --- registry/coder/modules/claude-code/scripts/start.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index d6c19187d..5385972ac 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh 
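Review bot: The install block added at the top of the boundary branch (hunk `@@ -86,6 +88,12 @@`) clones into the current directory, stays in `boundary/` after `cd`, and passes `$ARG_BOUNDARY_VERSION` to `git checkout` unquoted. A second start from the same directory will hit the existing `boundary/` clone, the later `agentapi server` call appears to inherit the changed working directory, and a value containing spaces or a leading dash is word-split or read as an option. None of the four commands is checked, so unless the script runs under `set -e` (not visible here) a failed checkout still builds the default branch, which silently defeats the pinning the new variable is meant to provide. The same lines move unchanged into `install_boundary()` in PATCH 18, so the change below applies there too; `start_agentapi` begins and ends outside this hunk.

```shell
  if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then
    # Build in a fresh directory inside a subshell: the caller's cwd is untouched
    # and a leftover clone from an earlier start cannot get in the way.
    boundary_src="$(mktemp -d)"
    (
      git clone https://github.com/coder/boundary "$boundary_src" \
        && cd "$boundary_src" \
        && git checkout "$ARG_BOUNDARY_VERSION" \
        && go install ./cmd/...
    ) || {
      # Refuse to start rather than run a build of the wrong ref.
      printf "Failed to install boundary at %s\n" "$ARG_BOUNDARY_VERSION" >&2
      exit 1
    }
    # … unchanged: mkdir -p "$ARG_BOUNDARY_LOG_DIR", boundary args, agentapi server …
```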
+++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -118,10 +118,18 @@ function start_agentapi() { # Set log level for boundary BOUNDARY_ARGS+=(--log-level $ARG_BOUNDARY_LOG_LEVEL) + # Remove --dangerously-skip-permissions from ARGS when using boundary (it doesn't work with elevated permissions) + # Create a new array without the dangerous permissions flag + CLAUDE_ARGS=() + for arg in "${ARGS[@]}"; do + if [ "$arg" != "--dangerously-skip-permissions" ]; then + CLAUDE_ARGS+=("$arg") + fi + done + agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \ sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin /home/coder/go/bin/boundary "${BOUNDARY_ARGS[@]}" -- \ - claude - #"${ARGS[@]}" + claude "${CLAUDE_ARGS[@]}" else agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}" fi From b00f5359e7cba1efcdbaf67994bbf3ba86b3e7d6 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 21 Oct 2025 14:56:58 +0000 Subject: [PATCH 18/22] refactor: add install_boundary function --- .../coder/modules/claude-code/scripts/start.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 5385972ac..241250e18 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -47,6 +47,14 @@ echo "--------------------------------" # avoid exiting if the script fails bash "/tmp/remove-last-session-id.sh" "$(pwd)" 2> /dev/null || true +function install_boundary() { + # Install boundary from public github repo + git clone https://github.com/coder/boundary + cd boundary + git checkout $ARG_BOUNDARY_VERSION + go install ./cmd/... +} + function validate_claude_installation() { if command_exists claude; then printf "Claude Code is installed\n" 
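Review bot: The filter loop in the PATCH 17 hunk drops `--dangerously-skip-permissions` without logging it, while the `printf "Running claude code with args: ..."` earlier in `start_agentapi` has already printed `ARGS` with the flag still present, so the startup log no longer matches what is executed. I would add `printf "boundary enabled: dropping --dangerously-skip-permissions\n"` beside the loop, or log `CLAUDE_ARGS` instead of `ARGS` on this path. The comment's reason ("doesn't work with elevated permissions") also suggests that `claude` inherits the identity set up by `sudo -E ... setpriv`; whether boundary drops root and `net_admin` before starting its child is not visible here, and the comment should state which user and capabilities the agent ends up with. `start_agentapi` begins and ends outside this hunk.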
@@ -90,11 +98,7 @@ function start_agentapi() { printf "Running claude code with args: %s\n" "$(printf '%q ' "${ARGS[@]}")" if [ "${ARG_ENABLE_BOUNDARY:-false}" = "true" ]; then - # Install boundary from public github repo - git clone https://github.com/coder/boundary - cd boundary - git checkout $ARG_BOUNDARY_VERSION - go install ./cmd/... + install_boundary mkdir -p "$ARG_BOUNDARY_LOG_DIR" printf "Starting with coder boundary enabled\n" From 4f35b01cb6b10cc5a91c0460008a8892f93b2d1f Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 21 Oct 2025 15:00:08 +0000 Subject: [PATCH 19/22] refactor: minor fix --- registry/coder/modules/claude-code/scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 241250e18..4511fd313 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -132,7 +132,7 @@ function start_agentapi() { done agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \ - sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin /home/coder/go/bin/boundary "${BOUNDARY_ARGS[@]}" -- \ + sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin boundary "${BOUNDARY_ARGS[@]}" -- \ claude "${CLAUDE_ARGS[@]}" else agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}" From 3b45c878b3a760debd00f945485b2a882bf1ad07 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 21 Oct 2025 15:21:26 +0000 Subject: [PATCH 20/22] fix: linter --- .github/typos.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/typos.toml b/.github/typos.toml index fdb747483..600a39baf 100644 --- a/.github/typos.toml +++ b/.github/typos.toml 
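Review bot: In the PATCH 19 hunk, replacing `/home/coder/go/bin/boundary` with a bare `boundary` makes the privileged command depend on the caller's `PATH`, which `env PATH=$PATH` forwards into the `sudo` call, so the first `boundary` found in any user-writable PATH entry is what runs as the network filter with `net_admin`. Resolving the binary once and passing an absolute path keeps the portability gain, e.g. `BOUNDARY_BIN="$(go env GOPATH)/bin/boundary"` (or the `GOBIN` directory when that is set) followed by `"$BOUNDARY_BIN" "${BOUNDARY_ARGS[@]}"`. `PATH=$PATH` is also unquoted on this line and should be `PATH="$PATH"`. `start_agentapi` begins and ends outside this hunk.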
@@ -5,6 +5,7 @@ Hashi = "Hashi" HashiCorp = "HashiCorp" mavrickrishi = "mavrickrishi" # Username mavrick = "mavrick" # Username +inh = "inh" # Option in setpriv command [files] extend-exclude = ["registry/coder/templates/aws-devcontainer/architecture.svg"] #False positive \ No newline at end of file From ff9faa34d2816f179ffb66e7dc503f1b9e3a7e0c Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 21 Oct 2025 15:44:24 +0000 Subject: [PATCH 21/22] fix: use correct allow syntax --- registry/coder/modules/claude-code/scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 4511fd313..5b6647bec 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh @@ -106,7 +106,7 @@ function start_agentapi() { # Build boundary args with conditional --unprivileged flag BOUNDARY_ARGS=(--log-dir "$ARG_BOUNDARY_LOG_DIR") # Add default allowed URLs - BOUNDARY_ARGS+=(--allow "*.anthropic.com" --allow "registry.npmjs.org" --allow "*.sentry.io" --allow "claude.ai" --allow "$ARG_CODER_HOST") + BOUNDARY_ARGS+=(--allow "*anthropic.com" --allow "registry.npmjs.org" --allow "*sentry.io" --allow "claude.ai" --allow "$ARG_CODER_HOST") # Add any additional allowed URLs from the variable if [ -n "$ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS" ]; then From 62a25025e43343ec0e484e3be132e9b5b7583d87 Mon Sep 17 00:00:00 2001 From: YEVHENII SHCHERBINA Date: Tue, 21 Oct 2025 15:55:48 +0000 Subject: [PATCH 22/22] refactor: minor refactor --- registry/coder/modules/claude-code/main.tf | 16 ++++++++-------- .../coder/modules/claude-code/scripts/start.sh | 8 ++++---- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf index 324a8fe8e..df3eaaa57 100644 --- a/registry/coder/modules/claude-code/main.tf 
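Review bot: Dropping the dot in `--allow "*anthropic.com"` and `--allow "*sentry.io"` (PATCH 21 hunk) may widen the egress allowlist: if boundary treats `*` as a plain glob, these patterns match any host name that merely ends in the same string, not only the apex and its subdomains. The matcher's semantics are not visible in this diff, so this needs confirming against boundary itself, ideally with a test that a look-alike suffix host is denied. If the dot-less form is the documented way to cover apex plus subdomains, record that above the line, e.g. `# "*anthropic.com" covers the apex and its subdomains only (boundary pattern syntax)`; otherwise list the apex and the `*.` form as separate `--allow` entries. `start_agentapi` begins and ends outside this hunk.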
+++ b/registry/coder/modules/claude-code/main.tf @@ -210,6 +210,12 @@ variable "boundary_log_dir" { default = "/tmp/boundary_logs" } +variable "boundary_log_level" { + type = string + description = "Log level for boundary process" + default = "WARN" +} + variable "boundary_additional_allowed_urls" { type = list(string) description = "Additional URLs to allow through boundary (in addition to default allowed URLs)" @@ -222,12 +228,6 @@ variable "boundary_proxy_port" { default = "8087" } -variable "boundary_log_level" { - type = string - description = "Log level for boundary process" - default = "WARN" -} - resource "coder_env" "claude_code_md_path" { count = var.claude_md_path == "" ? 0 : 1 @@ -338,12 +338,12 @@ module "agentapi" { ARG_WORKDIR='${local.workdir}' \ ARG_AI_PROMPT='${base64encode(var.ai_prompt)}' \ ARG_ENABLE_BOUNDARY='${var.enable_boundary}' \ - ARG_BOUNDARY_LOG_LEVEL='${var.boundary_log_level}' \ ARG_BOUNDARY_VERSION='${var.boundary_version}' \ ARG_BOUNDARY_LOG_DIR='${var.boundary_log_dir}' \ + ARG_BOUNDARY_LOG_LEVEL='${var.boundary_log_level}' \ ARG_BOUNDARY_ADDITIONAL_ALLOWED_URLS='${join(" ", var.boundary_additional_allowed_urls)}' \ - ARG_CODER_HOST='${local.coder_host}' \ ARG_BOUNDARY_PROXY_PORT='${var.boundary_proxy_port}' \ + ARG_CODER_HOST='${local.coder_host}' \ /tmp/start.sh EOT diff --git a/registry/coder/modules/claude-code/scripts/start.sh b/registry/coder/modules/claude-code/scripts/start.sh index 5b6647bec..daef71a30 100644 --- a/registry/coder/modules/claude-code/scripts/start.sh +++ b/registry/coder/modules/claude-code/scripts/start.sh 
@@ -20,9 +20,9 @@ ARG_AI_PROMPT=$(echo -n "${ARG_AI_PROMPT:-}" | base64 -d) ARG_ENABLE_BOUNDARY=${ARG_ENABLE_BOUNDARY:-false} ARG_BOUNDARY_VERSION=${ARG_BOUNDARY_VERSION:-"main"} ARG_BOUNDARY_LOG_DIR=${ARG_BOUNDARY_LOG_DIR:-"/tmp/boundary_logs"} -ARG_CODER_HOST=${ARG_CODER_HOST:-} -ARG_BOUNDARY_PROXY_PORT=${ARG_BOUNDARY_PROXY_PORT:-"8087"} ARG_BOUNDARY_LOG_LEVEL=${ARG_BOUNDARY_LOG_LEVEL:-"WARN"} +ARG_BOUNDARY_PROXY_PORT=${ARG_BOUNDARY_PROXY_PORT:-"8087"} +ARG_CODER_HOST=${ARG_CODER_HOST:-} echo "--------------------------------" @@ -36,9 +36,9 @@ printf "ARG_WORKDIR: %s\n" "$ARG_WORKDIR" printf "ARG_ENABLE_BOUNDARY: %s\n" "$ARG_ENABLE_BOUNDARY" printf "ARG_BOUNDARY_VERSION: %s\n" "$ARG_BOUNDARY_VERSION" printf "ARG_BOUNDARY_LOG_DIR: %s\n" "$ARG_BOUNDARY_LOG_DIR" -printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST" -printf "ARG_BOUNDARY_PROXY_PORT: %s\n" "$ARG_BOUNDARY_PROXY_PORT" printf "ARG_BOUNDARY_LOG_LEVEL: %s\n" "$ARG_BOUNDARY_LOG_LEVEL" +printf "ARG_BOUNDARY_PROXY_PORT: %s\n" "$ARG_BOUNDARY_PROXY_PORT" +printf "ARG_CODER_HOST: %s\n" "$ARG_CODER_HOST" echo "--------------------------------"