|
| 1 | +#Agent Boundary |
| 2 | + |
| 3 | +Agent Boundaries are process-level firewalls that restrict and audit what autonomous programs, such as AI agents, can access and use. |
| 4 | + |
| 5 | +Example of Agent Boundaries blocking a process. |
| 6 | + |
| 7 | +The easiest way to use Agent Boundaries is through existing Coder modules, such as the[Claude Code module](https://registry.coder.com/modules/coder/claude-code). It can also be ran directly in the terminal by installing the[CLI](https://github.com/coder/boundary). |
| 8 | + |
| 9 | +>[!NOTE] |
| 10 | +>The Coder Boundary CLI is free and open source. Integrations with the core product, such as with modules offering stronger isolation, are available to Coder Premium customers. |
| 11 | +
|
| 12 | +##Supported Agents |
| 13 | + |
| 14 | +Boundary supports the securing of any terminal-based agent, including your own custom agents. |
| 15 | + |
| 16 | +##Features |
| 17 | + |
| 18 | +Boundaries extend Coder's trusted workspaces with a defense-in-depth model that detects and prevents destructive actions without reducing productivity by slowing down workflows or blocking automation. They offer the following features: |
| 19 | + |
| 20 | +-_Policy-driven access controls_: limit what an agent can access (repos, registries, APIs, files, commands) |
| 21 | +-_Network policy enforcement_: block domains, subnets, or HTTP verbs to prevent exfiltration |
| 22 | +-_Audit-ready_: centralize logs, exportable for compliance, with full visibility into agent actions |
| 23 | + |
| 24 | +##Getting Started with Boundary |
| 25 | + |
| 26 | +For Early Access, users can use Agent Boundaries through its[open source CLI](https://github.com/coder/boundary), which can be run to wrap any process or invoked through rules in a YAML file. |
| 27 | + |
| 28 | +###Wrap the agent process with the Boundary CLI |
| 29 | + |
| 30 | +Users can also run Boundary directly in your workspace and configure it per template or per script. While free tier users won't get centralized policy management or the deeper, "strong isolation," they can still enforce per workspace network rules and log decisions locally. |
| 31 | + |
| 32 | +1. Install the[binary](https://github.com/coder/boundary) into the workspace image or at start-up. You can do so with the following command: |
| 33 | + |
| 34 | +```hcl |
| 35 | + curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash |
| 36 | + ``` |
| 37 | +
|
| 38 | +1. Use the included `Makefile` to build your project. Here are a few example commands: |
| 39 | +
|
| 40 | + ```hcl |
| 41 | + make build # Build for current platform |
| 42 | + make build-all # Build for all platforms |
| 43 | + make test # Run tests |
| 44 | + make test-coverage # Run tests with coverage |
| 45 | + make clean # Clean build artifacts |
| 46 | + make fmt # Format code |
| 47 | + make lint # Lint code |
| 48 | + ``` |
| 49 | +
|
| 50 | +From here, there are two ways to integrate the open source Boundary CLI into a workspace. |
| 51 | +
|
| 52 | +#### Wrap a command inline with flags |
| 53 | +
|
| 54 | +1. Wrap the tool you want to guard. Below are some examples of usage: |
| 55 | +
|
| 56 | + ```hcl |
| 57 | + # Allow only requests to github.com |
| 58 | + boundary --allow "github.com" -- curl https://github.com |
| 59 | +
|
| 60 | + # Allow full access to GitHub issues API, but only GET/HEAD elsewhere on GitHub |
| 61 | + boundary \ |
| 62 | + --allow "github.com/api/issues/*" \ |
| 63 | + --allow "GET,HEAD github.com" \ |
| 64 | + -- npm install |
| 65 | +
|
| 66 | + # Default deny-all: everything is blocked unless explicitly allowed |
| 67 | + boundary -- curl https://example.com |
| 68 | + ``` |
| 69 | +
|
| 70 | + Additional information, such as Allow Rules, can be found in the [repository README](https://github.com/coder/boundary). |
| 71 | +
|
| 72 | +#### Use a config file (YAML) to set rules |
| 73 | +
|
| 74 | +Another option is to define rules in a YAML file, which only needs to be invoked once as opposed to through flags with each command. |
| 75 | +
|
| 76 | +1. Create a YAML file to store rules that will be applied to all `boundary` commands run in the Workspace. In this example, we call it `boundary.yaml`. |
| 77 | + A config example can be seen below: |
| 78 | +
|
| 79 | + ```hcl |
| 80 | + allow: |
| 81 | +
|
| 82 | + - domain: [github.com](http://github.com) |
| 83 | +
|
| 84 | + path: /api/issues/* |
| 85 | +
|
| 86 | + - domain: [github.com](http://github.com) |
| 87 | +
|
| 88 | + methods: [GET, HEAD] |
| 89 | + ``` |
| 90 | +
|
| 91 | +1. Run a `boundary` command. For example: |
| 92 | +
|
| 93 | + ```hcl |
| 94 | + boundary run --config ./boundary.yaml -- claude |
| 95 | + ``` |
| 96 | +
|
| 97 | + You will notice that the rules are automatically applied without any need for additional customization. |
| 98 | +
|
| 99 | +### Unprivileged vs. Privileged Mode |
| 100 | +
|
| 101 | +There are two approaches you can take to secure your agentic workflows with Agent Boundary. |
| 102 | +
|
| 103 | +#### Unprivileged Mode |
| 104 | +
|
| 105 | +In this case, a specific agent process or tool (for example, Claude Code or a CLI agent) runs inside of a constrained sandbox. This is the default mode in which Boundary will operate in and does not require root access. |
| 106 | +
|
| 107 | +Agents are prevented from reaching restricted domains or exfiltrating data, without blocking the rest of the dev's environment. |
| 108 | +
|
| 109 | +This is the fastest way to add real guardrails, but a determined user could still operate a tool outside of Boundary restrictions because the broader environment allows it. This mode relies on tools respecting certain settings, like HTTP proxies, and can lead to silent failures if a tool bypasses them. |
| 110 | +
|
| 111 | +#### Privileged Mode |
| 112 | +
|
| 113 | +In this case, boundaries are enforced at the level of the environment that the agent lives in. These are workspace- or session-level controls, including how the developer connects to it. |
| 114 | +
|
| 115 | +Currently, this must be turned on with a flag and ran with higher-level permissions such as root access or `CapNetAdmin`. |
| 116 | +
|
| 117 | +In addition to process-level egress rules, privileged mode locks down all pathways that could bypass policy, such as restricting or disabling SSH tunnels or parallel unbound IDEs. This delivers deterministic, policy-as-code enforcement and offers the highest assurance for regulated environments, but results in slightly more friction for mixed human-and-agent workflows. |
| 118 | +
|
| 119 | +### Opting out of Boundary |
| 120 | +
|
| 121 | +If you tried Boundary through a Coder module and decided you don't want to use it, you can turn it off by setting the flag to `boundary_enabled=false`. |