Skip to content

Add boundary support to agent api#780

Open
shanewhite97 wants to merge 22 commits intocoder:mainfrom
shanewhite97:feat/agent-api-boundary-support
Open

Add boundary support to agent api#780
shanewhite97 wants to merge 22 commits intocoder:mainfrom
shanewhite97:feat/agent-api-boundary-support

Conversation

@shanewhite97
Copy link

@shanewhite97 shanewhite97 commented Mar 2, 2026
edited
Loading

Description

Adds optional Agent Boundary (network filtering) support to the agentapi module.
When enable_boundary = true with a user-provided boundary_config, the
module sets up the boundary config and exports AGENTAPI_BOUNDARY_PREFIX for
agent modules to use in their start scripts.

Closes #457

Type of Change

  • Feature/enhancement

Module Information

Path: registry/coder/modules/agentapi
Breaking change: No

@shanewhite97 shanewhite97 mentioned this pull request Mar 2, 2026
Open
@shanewhite97 shanewhite97 marked this pull request as draft March 2, 2026 15:33
@shanewhite97
Copy link
Author

shanewhite97 commented Mar 3, 2026

Proof of tests being completed:
image

image image image

@shanewhite97 shanewhite97 marked this pull request as ready for review March 3, 2026 11:51
@shanewhite97
Copy link
Author

shanewhite97 commented Mar 3, 2026

@matifali @zedkipp @evgeniy-scherbina

I believe this is now ready for review, if I have missed anything in the code or as part of the contributing process please just let me know and I will resolve, this is my first contribution.

Also, I was thinking it might be better to remove the Codex changes, and implement those in a separate PR once the new version of AgentAPI with the changes is released. But I will wait for your guidance before proceeding on that.
I will also likely some other modules as well once the agentapi changes are published.

Thanks!

@matifali matifali requested a review from Copilot March 3, 2026 11:55
@matifali
Copy link
Member

matifali commented Mar 3, 2026

@shanewhite97 We made some changes to how Codex starts in #781. Would be nice to take a look and rebase on main.

@shanewhite97
Copy link
Author

shanewhite97 commented Mar 3, 2026

@matifali yh I saw those, I think I will remove them out of this PR to keep things simple. Let me do that now.

I will also try to resolve the other pipeline errors

Copilot AI reviewed Mar 3, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds optional Coder Boundary network filtering support to the shared agentapi module and wires it through to the Codex module so the Codex CLI can be executed behind boundary (nsjail/landjail), with documentation for how to enable it.

Changes:

  • Add new Terraform inputs (enable_boundary, boundary_jail_type, boundary_proxy_port, boundary_config_path) to the agentapi module and pass them into the runtime script.
  • Implement boundary setup in agentapi’s main.sh (config generation + exported wrapper) and update Codex start logic to invoke Codex via the wrapper when present.
  • Bump the Codex module’s dependency on coder/agentapi to 2.2.0 and document boundary usage in the Codex README.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
registry/coder/modules/agentapi/scripts/main.sh Adds boundary setup (config + exported wrapper) prior to running the module’s start script.
registry/coder/modules/agentapi/main.tf Adds boundary-related variables and passes them as script args into main.sh.
registry/coder-labs/modules/codex/scripts/start.sh Wraps the Codex invocation with BOUNDARY_WRAPPER when boundary is enabled.
registry/coder-labs/modules/codex/main.tf Exposes boundary variables and forwards them to the agentapi module; bumps agentapi module version.
registry/coder-labs/modules/codex/README.md Documents how to enable Boundary network filtering for Codex.

Shane White and others added 3 commits March 3, 2026 12:05
fix: bun prettier issue
658a90a
@shanewhite97
Update registry/coder/modules/agentapi/scripts/main.sh
9323297 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@shanewhite97
Update registry/coder/modules/agentapi/scripts/main.sh
8daa78a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@shanewhite97 shanewhite97 changed the title Add boundary support to agent api and Codex CLI Module Add boundary support to agent api Mar 3, 2026
@shanewhite97
Copy link
Author

shanewhite97 commented Mar 3, 2026

@matifali I have added some changes based on the feedback, if you could run another review that would be appreciated :)

zedkipp
zedkipp reviewed Mar 4, 2026
View reviewed changes
@matifali matifali requested a review from 35C4n0r March 5, 2026 01:59
fix: swap to using wrapper script, remove redundant variables and cop…
18b8d41 
…y the boundary config, renamed BOUNDARY_PREFIX to AGENTAPI_BOUNDARY_PREFIX
@shanewhite97
Copy link
Author

shanewhite97 commented Mar 5, 2026

@zedkipp Thanks for those suggestions that was really helpful, hopefully they have all been address now but please let me know if anything is not as you would like.
Updated screenshots on tests:
image
image

zedkipp
zedkipp reviewed Mar 5, 2026
View reviewed changes
@matifali
Copy link
Member

matifali commented Mar 5, 2026

@35C4n0r can you also review the changes here? Thanks

@zedkipp
Copy link
Contributor

zedkipp commented Mar 6, 2026

@shanewhite97 there's some formatting to fix in the tests (check failed). Would be great to squash these commits down to a single commit with clear commit message before merge. Could be something like:

feat:  provide boundary support for agent modules

Enable any agent module to run its AI agent inside Coder's Agent Boundaries.
The agentapi module handles config setup and wrapper script creation, then
exports AGENTAPI_BOUNDARY_PREFIX for consuming modules to use in their
start scripts.

Users must provide a boundary config.yaml with their allowlist and
settings when enabling boundary.

The boundary related changes look good to me, but I would like @35C4n0r to have the final approval on the changes.

@35C4n0r
Copy link
Collaborator

35C4n0r commented Mar 6, 2026

I'll test and review this tommorow 👍

@shanewhite97
Copy link
Author

shanewhite97 commented Mar 6, 2026

@zedkipp Done the formatting 😄 Are we going to use a single commit message when merging? Or would you like me to do it another way?

Shane White added 2 commits March 6, 2026 17:49
feat: provide boundary support for agent modules
04e50d3 
Enable any agent module to run its AI agent inside Coder's Agent Boundaries.
The agentapi module handles config setup and wrapper script creation, then
exports AGENTAPI_BOUNDARY_PREFIX for consuming modules to use in their
start scripts.

Users must provide a boundary config.yaml with their allowlist and
settings when enabling boundary.
Merge branch 'feat/agent-api-boundary-support' of https://github.com/…
6cbaedd 
…shanewhite97/registry into feat/agent-api-boundary-support
@zedkipp
Copy link
Contributor

zedkipp commented Mar 6, 2026

Before or during merge works fine! Mainly want to ensure this gets merged as a single clear commit.

Lastly, it would be good to test that AGENTAPI_BOUNDARY_PREFIX is indeed set in a module like claude/codex/etc when boundary is enabled in the agentapi module.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zedkipp zedkipp zedkipp left review comments

Copilot code review Copilot Copilot left review comments

@evgeniy-scherbina evgeniy-scherbina Awaiting requested review from evgeniy-scherbina

@35C4n0r 35C4n0r Awaiting requested review from 35C4n0r

At least 1 approving review is required to merge this pull request.

Assignees

@shanewhite97 shanewhite97

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Integrate coder/boundary with AI modules

5 participants

@shanewhite97 @matifali @zedkipp @35C4n0r