docs/ai-coder/agent-boundary.md
Lines changed: 34 additions & 30 deletions
@@ -1,19 +1,17 @@
1
1
#Agent Boundary
2
2
3
-
Agent Boundaries are process-level firewalls that restrict and audit what autonomous programs, such as AI agents, can access and use.
4
-
5
-
6
-

3
+
Agent Boundaries are process-level firewalls that restrict and audit what autonomous programs, such as AI agents, can access and use.
7
4
5
+
Example of Agent Boundaries blocking a process.
8
6
9
7
The easiest way to use Agent Boundaries is through existing Coder modules, such as the[Claude Code module](https://registry.coder.com/modules/coder/claude-code). It can also be ran directly in the terminal by installing the[CLI](https://github.com/coder/boundary).
10
8
11
9
>[!NOTE]
12
10
>The Coder Boundary CLI is free and open source. Integrations with the core product, such as through modules, offers strong isolation and is available to Coder Premium customers.
13
11
14
-
##Supported Agents
12
+
##Supported Agents
15
13
16
-
Coder Boundary supports the securing of any terminal-based agent, including your own custom agents.
14
+
Coder Boundary supports the securing of any terminal-based agent, including your own custom agents.
17
15
18
16
##Features
19
17
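Review bot: New line 5 adds the bare caption "Example of Agent Boundaries blocking a process." while old lines 4 to 6 are removed with no visible content, so please confirm that the thing it captions is still rendered next to it; on its own the sentence reads as orphaned. Since this pass already touches the surrounding lines, the context lines 8 and 10 could be fixed too: "It can also be ran directly" should be "run", and "Integrations with the core product ... offers strong isolation and is available" should be "offer ... and are available". The NOTE also promises "strong isolation" for the module path without saying what is isolated beyond what the CLI does; one defining sentence or a link would let readers judge which path meets their requirements.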
@@ -26,57 +24,60 @@ Boundaries extend Coder's trusted workspaces with a defense-in-depth model that
26
24
##Architecture
27
25
28
26
Agent Boundary runs in two locations:
27
+
29
28
- Workspace: Boundary runs alongside your agent or tool, wrapping its process and enforcing outbound network policy at runtime
30
29
- Control place (Premium): Module-level config toggles enforcement and routes audit logs to centralized governance
31
30
32
31
[More detail to be added here]
33
32
34
33
##Getting Started with Boundary
35
34
36
-
There are two ways to use Agent Boundaries in your project.
35
+
There are two ways to use Agent Boundaries in your project.
37
36
38
37
Users of Coder Premium can enable Agent Boundaries simply by updating to the latest versions of their preferred coding agent modules, which integrate with Coder with just a few lines of Terraform. Once configured by platform admins, developers get agent-ready environments automatically - no extra setup required.
39
38
40
-
All other users can use Agent Boundaries through its[open source CLI](https://github.com/coder/boundary), which can be run to wrap any process or invoked through rules in a YAML file.
39
+
All other users can use Agent Boundaries through its[open source CLI](https://github.com/coder/boundary), which can be run to wrap any process or invoked through rules in a YAML file.
41
40
42
41
###Option 1) Apply Boundary through Coder modules
43
42
44
-
This option is available to Coder Premium users. It is the easiest way to use Agent Boundaries and offers centralized policy management with strong isolation.
43
+
This option is available to Coder Premium users. It is the easiest way to use Agent Boundaries and offers centralized policy management with strong isolation.
45
44
46
45
This integration offers:
46
+
47
47
- A built-in`coder boundary` subcommand
48
48
- Module authors do not need to ship or manage a separate binary
49
-
50
49
- A clean module interface
51
50
- Template admins toggle policy per template by using variables
52
51
- Stronger isolation and centralized governance hooks
53
52
- Protection beyond what is offered by the CLI path
54
53
55
-
To apply Agent Boundaries through Coder modules, follow the instructions below.
54
+
To apply Agent Boundaries through Coder modules, follow the instructions below:
56
55
57
-
1. Ensure that you have installed or updated to the latest version of the[Claude Code module](https://registry.coder.com/modules/coder/claude-code).
58
-
2. In the template that calls the module, set`module.boundary_configuration.enabled = true`.
59
-
3. Choose a policy expression.
56
+
1. Ensure that you have installed or updated to the latest version of the[Claude Code module](https://registry.coder.com/modules/coder/claude-code)
57
+
1. In the template that calls the module, set`module.boundary_configuration.enabled = true`
58
+
1. Choose a policy expression
60
59
- For simple rules, you can insert a variation of this example:`provide allow = ["domain=github.com path=/api/*", "method=GET,HEAD domain=github.com"]`
61
-
- For complexrules, you can package a YAML file into the workspace image or mount a path and set`config_path`.
60
+
- For complexrules, you can package a YAML file into the workspace image or mount a path and set`config_path`
62
61
63
62
[More detail to be added here]
64
63
65
64
###Option 2) Wrap the agent process with the Boundary CLI
66
65
67
-
Users can also run Boundary directly in your workspace and configure it per template or per script. While free tier users won't get centralized policy management or the deeper, "strong isolation," they can still enforce per workspace network rules and log decisions locally.
66
+
Users can also run Boundary directly in your workspace and configure it per template or per script. While free tier users won't get centralized policy management or the deeper, "strong isolation," they can still enforce per workspace network rules and log decisions locally.
68
67
69
68
There are two ways to integrate the open source Boundary CLI into a workspace.
70
69
71
70
####Wrap a command inline with flags
72
71
73
72
1. Install the[binary](https://github.com/coder/boundary) into the workspace image or at start-up. You can do so with the following command:
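Review bot: The "Choose a policy expression" step (new lines 58 to 60) never states what happens to a request that matches no rule, or what an omitted field means. In the example, "domain=github.com path=/api/*" names no method and "method=GET,HEAD domain=github.com" names no path, so a reader cannot tell whether the first rule permits write methods on /api/* or whether unmatched traffic is denied; please document the default and the meaning of a missing `method` or `path`. It is also unclear whether the word "provide" in `provide allow = [...]` is part of what the user types, and where `allow` sits relative to `module.boundary_configuration.enabled`. Smaller points: context line 29 says "Control place" where "Control plane" is presumably meant, new line 60 still reads "complexrules", and line 66 switches from "Users" to "your workspace" in one sentence.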
@@ -110,11 +110,12 @@ Another option is to define rules in a YAML file, which only needs to be invoked
110
110
111
111
1. Similarly to the previous method, install the [binary](https://github.com/coder/boundary) into the workspace image or at start-up. You can do so with the following command:
1. Use the included `Makefile` to build your project. Here are a few example commands:
117
+
118
+
```hcl
118
119
make build # Build for current platform
119
120
make build-all # Build for all platforms
120
121
make test # Run tests
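Review bot: The fence opened on new line 118 is tagged `hcl`, but the block holds `make` invocations, so the highlighter will treat shell commands as Terraform; tag it `sh` or `bash` instead. The step text "Use the included `Makefile` to build your project" is also ambiguous, because the targets build Boundary itself rather than the reader's project; consider saying "to build Boundary from source". Because every step is now numbered "1.", check that the fenced block is indented under its list item, otherwise the rendered numbering restarts after the fence.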
@@ -123,11 +124,11 @@ Another option is to define rules in a YAML file, which only needs to be invoked
123
124
make fmt # Format code
124
125
make lint # Lint code
125
126
```
126
-
3. Create a YAML file to store rules that will be applied to all `boundary` commands run in the Workspace. In this example, we call it `boundary.yaml`.
127
+
1. Create a YAML file to store rules that will be applied to all `boundary` commands run in the Workspace. In this example, we call it `boundary.yaml`.
127
128
128
129
A config example can be seen below:
129
130
130
-
```
131
+
```hcl
131
132
allow:
132
133
133
134
- domain: [github.com](http://github.com)
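Review bot: Context line 134 inside the fenced config reads `- domain: [github.com](http://github.com)`, which is Markdown link syntax sitting in a code block; a reader who copies it gets a policy file whose domain value is not the hostname. It should be `- domain: github.com`. The fence on new line 131 is tagged `hcl`, but the content is the YAML file the step describes (`boundary.yaml`), so the tag should be `yaml`. The sentence "rules that will be applied to all `boundary` commands run in the Workspace" could also say how the file is picked up, since the next step passes it explicitly with `--config`.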
@@ -138,8 +139,11 @@ Another option is to define rules in a YAML file, which only needs to be invoked
138
139
139
140
methods: [GET, HEAD]
140
141
```
141
-
4. Run a `boundary` command. For example:
142
-
`boundary run --config ./boundary.yaml -- claude`
142
+
1. Run a `boundary` command. For example:
143
+
144
+
```hcl
145
+
boundary run --config ./boundary.yaml -- claude
146
+
```
143
147
144
148
You will notice that the rules are automatically applied without any need for additional customization.
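Review bot: The new fence on lines 144 to 146 is tagged `hcl`, but `boundary run --config ./boundary.yaml -- claude` is a shell command; use `sh` or `bash`. The closing sentence "You will notice that the rules are automatically applied" gives the reader nothing to check: for a control that is meant to restrict and audit agent traffic, the docs should show what a denied request and its log entry look like, so an operator can confirm enforcement rather than assume it. The YAML in this hunk uses `methods: [GET, HEAD]` while the inline expression under Option 1 uses `method=GET,HEAD`; a sentence confirming that both spellings are intended would prevent silent misconfiguration.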