docs/ai-coder/agent-boundary.md (20 additions & 0 deletions)
@@ -147,6 +147,26 @@ Another option is to define rules in a YAML file, which only needs to be invoked
147
147
148
148
You will notice that the rules are automatically applied without any need for additional customization.
149
149
150
+
### Unprivileged vs. Privileged Mode
151
+
152
+
There are two approaches you can take to secure your agentic workflows with Agent Boundary.
153
+
154
+
#### Unprivileged Mode
155
+
156
+
In this case, a specific agent process or tool (for example, Claude Code or a CLI agent) runs inside of a constrained sandbox. This is the default mode in which Boundary will operate in and does not require root access.
157
+
158
+
Agents are prevented from reaching restricted domains or exfiltrating data, without blocking the rest of the dev's environment.
159
+
160
+
This is the fastest way to add real guardrails, but a determined user could still operate a tool outside of Boundary restrictions because the broader environment allows it. This mode relies on tools respecting certain settings, like HTTP proxies, and can lead to silent failures if a tool bypasses them.
161
+
162
+
#### Privileged Mode
163
+
164
+
In this case, boundaries are enforced at the level of the environment that the agent lives in. These are workspace- or session-level controls, including how the developer connects to it.
165
+
166
+
Currently, this must be turned on with a flag and ran with higher-level permissions such as root access or `CapNetAdmin`.
167
+
168
+
In addition to process-level egress rules, privileged mode locks down all pathways that could bypass policy, such as restricting or disabling SSH tunnels or parallel unbound IDEs. This delivers deterministic, policy-as-code enforcement and offers the highest assurance for regulated environments, but results in slightly more friction for mixed human-and-agent workflows.
169
+
150
170
### Opting out of Boundary
151
171
152
172
If you tried Boundary through a Coder module and decided you don't want to use it, you can turn it off by setting the flag to `boundary_enabled=false`.
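Review bot: the Privileged Mode sentence "Currently, this must be turned on with a flag and ran with higher-level permissions such as root access or `CapNetAdmin`" never names the flag, so a reader cannot act on it; state the flag here in the same style the Opting out section uses (`boundary_enabled=false`), change "ran" to "run", and, if `CapNetAdmin` refers to the Linux capability, spell it `CAP_NET_ADMIN` so operators can match it against what their container runtime actually grants. In the Unprivileged Mode paragraph, "can lead to silent failures if a tool bypasses them" is ambiguous about what fails: spell out that a tool which ignores the proxy settings simply sends its traffic outside the policy without any error, which is the same limitation the earlier sentence ("a determined user could still operate a tool outside of Boundary restrictions because the broader environment allows it") describes, and say what, if anything, Boundary logs in that case so readers know whether a bypass is detectable. Minor wording: "the default mode in which Boundary will operate in" has a duplicated "in", and "the dev's environment" reads better as "the developer's environment".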