@@ -4,118 +4,47 @@ Agent Boundaries are process-level firewalls that restrict and audit what autono
4
4
5
5
Example of Agent Boundaries blocking a process.
6
6
7
-
The easiest way to use Agent Boundaries is through existing Coder modules, such as the[Claude Code module](https://registry.coder.com/modules/coder/claude-code). It can also be ran directly in the terminal by installing the[CLI](https://github.com/coder/boundary).
8
-
9
-
>[!NOTE]
10
-
>The Coder Boundary CLI is free and open source. Integrations with the core product, such as with modules offering stronger isolation, are available to Coder Premium customers.
11
-
12
7
##Supported Agents
13
8
14
-
Boundary supports the securing of any terminal-based agent, including your own custom agents.
9
+
Agent Boundaries support the securing of any terminal-based agent, including your own custom agents.
15
10
16
11
##Features
17
12
18
-
Boundaries extend Coder's trusted workspaces with a defense-in-depth model that detects and prevents destructive actions without reducing productivity by slowing down workflows or blocking automation. They offer the following features:
19
-
20
-
-_Policy-driven access controls_: limit what an agent can access (repos, registries, APIs, files, commands)
21
-
-_Network policy enforcement_: block domains, subnets, or HTTP verbs to prevent exfiltration
22
-
-_Audit-ready_: centralize logs, exportable for compliance, with full visibility into agent actions
13
+
Agent Boundaries offer network policy enforcement, which blocks domains and HTTP verbs to prevent exfiltration, and writes logs to the workspace.
23
14
24
15
##Getting Started with Boundary
25
16
26
-
For Early Access, users can use Agent Boundaries through its[open source CLI](https://github.com/coder/boundary), which can be run to wrap any process or invoked through rules in a YAML file.
27
-
28
-
###Wrap the agent process with the Boundary CLI
29
-
30
-
Users can also run Boundary directly in your workspace and configure it per template or per script. While free tier users won't get centralized policy management or the deeper, "strong isolation," they can still enforce per workspace network rules and log decisions locally.
31
-
32
-
1. Install the[binary](https://github.com/coder/boundary) into the workspace image or at start-up. You can do so with the following command:
# Allow full access to GitHub issues API, but only GET/HEAD elsewhere on GitHub
61
-
boundary \
62
-
--allow "github.com/api/issues/*" \
63
-
--allow "GET,HEAD github.com" \
64
-
-- npm install
65
-
66
-
# Default deny-all: everything is blocked unless explicitly allowed
67
-
boundary -- curl https://example.com
68
-
```
69
-
70
-
Additional information, such as Allow Rules, can be found in the [repository README](https://github.com/coder/boundary).
71
-
72
-
#### Use a config file (YAML) to set rules
73
-
74
-
Another option is to define rules in a YAML file, which only needs to be invoked once as opposed to through flags with each command.
75
-
76
-
1. Create a YAML file to store rules that will be applied to all `boundary` commands run in the Workspace. In this example, we call it `boundary.yaml`.
77
-
A config example can be seen below:
78
-
79
-
```hcl
80
-
allow:
81
-
82
-
- domain: [github.com](http://github.com)
83
-
84
-
path: /api/issues/*
85
-
86
-
- domain: [github.com](http://github.com)
87
-
88
-
methods: [GET, HEAD]
89
-
```
90
-
91
-
1. Run a `boundary` command. For example:
92
-
93
-
```hcl
94
-
boundary run --config ./boundary.yaml -- claude
95
-
```
96
-
97
-
You will notice that the rules are automatically applied without any need for additional customization.
98
-
99
-
### Unprivileged vs. Privileged Mode
100
-
101
-
There are two approaches you can take to secure your agentic workflows with Agent Boundary.
102
-
103
-
#### Unprivileged Mode
104
-
105
-
In this case, a specific agent process or tool (for example, Claude Code or a CLI agent) runs inside of a constrained sandbox. This is the default mode in which Boundary will operate in and does not require root access.
106
-
107
-
Agents are prevented from reaching restricted domains or exfiltrating data, without blocking the rest of the dev's environment.
108
-
109
-
This is the fastest way to add real guardrails, but a determined user could still operate a tool outside of Boundary restrictions because the broader environment allows it. This mode relies on tools respecting certain settings, like HTTP proxies, and can lead to silent failures if a tool bypasses them.
110
-
111
-
#### Privileged Mode
112
-
113
-
In this case, boundaries are enforced at the level of the environment that the agent lives in. These are workspace- or session-level controls, including how the developer connects to it.
114
-
115
-
Currently, this must be turned on with a flag and ran with higher-level permissions such as root access or `CapNetAdmin`.
116
-
117
-
In addition to process-level egress rules, privileged mode locks down all pathways that could bypass policy, such as restricting or disabling SSH tunnels or parallel unbound IDEs. This delivers deterministic, policy-as-code enforcement and offers the highest assurance for regulated environments, but results in slightly more friction for mixed human-and-agent workflows.
118
-
119
-
### Opting out of Boundary
17
+
The easiest way to use Agent Boundaries is through existing Coder modules, such as the[Claude Code module](https://registry.coder.com/modules/coder/claude-code). It can also be ran directly in the terminal by installing the[CLI](https://github.com/coder/boundary).
120
18
121
-
If you tried Boundary through a Coder module and decided you don't want to use it, you can turn it off by setting the flag to `boundary_enabled=false`.
19
+
Below is an example of how to configure Agent Boundaries for usage in your workspace.
-`boundary_version` defines what version of Boundary is being applied. This is set to`main`, which points to the main branch of`coder/boundary`.
35
+
-`boundary_log_dir` is the directory where log files are written to when the workspace spins up.
36
+
-`boundary_log_level` defines the verbosity at which requests are logged. Boundary uses the following verbosity levels:
37
+
-`WARN`: logs only requests that have been blocked by Boundary
38
+
-`INFO`: logs all requests at a high level
39
+
-`DEBUG`: logs all requests in detail
40
+
-`boundary_additional_allowed_urls`: defines the URLs that the agent can access, in additional to the default URLs required for the agent to work
41
+
-`github.com` means only the specific domain is allowed
42
+
-`*.github.com` means only the subdomains are allowed - the specific domain is excluded
43
+
-`*github.com` means both the specific domain and all subdomains are allowed
44
+
- You can also also filter on methods, hostnames, and paths - for example,`GET,HEAD *github.com/coder`.
45
+
46
+
You can also run Agent Boundaries directly in your workspace and configure it per template. You can do so by installing the[binary](https://github.com/coder/boundary) into the workspace image or at start-up. You can do so with the following command:
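Review bot: the rewritten Features paragraph (new line 13, "Agent Boundaries offer network policy enforcement, which blocks domains and HTTP verbs to prevent exfiltration") drops the caveat that lived in the removed "Unprivileged vs. Privileged Mode" section, namely that the default mode "relies on tools respecting certain settings, like HTTP proxies, and can lead to silent failures if a tool bypasses them"; keep that sentence next to the exfiltration claim so readers do not take the default mode as a hard guarantee, and say where the old privileged-mode guidance now lives if it is documented elsewhere. The `boundary_version` bullet (new line 35) documents `main` as the default, which points the enforcement component at a moving branch head; suggest recommending a pinned release tag in that bullet so the policy engine a workspace runs is reproducible and auditable. The wildcard bullets (new lines 41-43) should also state whether `*github.com` matches only `github.com` and its subdomains or any host whose name ends in that string, since readers will pick it for convenience. Finally, the added prose has a few typos: "It can also be ran directly" should read "run", "in additional to the default URLs" should read "in addition to", "You can also also filter" duplicates a word, and the last paragraph repeats "You can do so" in consecutive sentences.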