diff --git a/docs/admin/setup/data-retention.md b/docs/admin/setup/data-retention.md index 8eebf61388..6c44ae5249 100644 --- a/docs/admin/setup/data-retention.md +++ b/docs/admin/setup/data-retention.md @@ -1,7 +1,7 @@ # Data Retention Coder supports configurable retention policies that automatically purge old -Audit Logs, Connection Logs, Workspace Agent Logs, API keys, and AI Bridge +Audit Logs, Connection Logs, Workspace Agent Logs, API keys, and AI Gateway records. These policies help manage database growth by removing records older than a specified duration. @@ -33,11 +33,11 @@ a YAML configuration file. | Connection Logs | `--connection-logs-retention` | `CODER_CONNECTION_LOGS_RETENTION` | `0` (disabled) | How long to retain Connection Logs | | API Keys | `--api-keys-retention` | `CODER_API_KEYS_RETENTION` | `7d` | How long to retain expired API keys | | Workspace Agent Logs | `--workspace-agent-logs-retention` | `CODER_WORKSPACE_AGENT_LOGS_RETENTION` | `7d` | How long to retain workspace agent logs | -| AI Bridge | `--aibridge-retention` | `CODER_AIBRIDGE_RETENTION` | `60d` | How long to retain AI Bridge records | +| AI Gateway | `--aibridge-retention` | `CODER_AIBRIDGE_RETENTION` | `60d` | How long to retain AI Gateway records | > [!NOTE] -> AI Bridge retention is configured separately from other retention settings. -> See [AI Bridge Setup](../../ai-coder/ai-bridge/setup.md#data-retention) for +> AI Gateway retention is configured separately from other retention settings. +> See [AI Gateway Setup](../../ai-coder/ai-gateway/setup.md#data-retention) for > detailed configuration options. ### Duration Format @@ -128,15 +128,15 @@ For non-latest builds, logs are deleted if the agent hasn't connected within the retention period. Setting `--workspace-agent-logs-retention=7d` deletes logs for agents that haven't connected in 7 days (excluding those from the latest build). -### AI Bridge Data Behavior +### AI Gateway Data Behavior -AI Bridge retention applies to interception records and all related data, +AI Gateway retention applies to interception records and all related data, including token usage, prompts, and tool invocations. The default of 60 days provides a reasonable balance between storage costs and the ability to analyze usage patterns. For details on what data is retained, see the -[AI Bridge Data Retention](../../ai-coder/ai-bridge/setup.md#data-retention) +[AI Gateway Data Retention](../../ai-coder/ai-gateway/setup.md#data-retention) documentation. ## Best Practices @@ -199,7 +199,7 @@ retention: workspace_agent_logs: 0s # Keep workspace agent logs forever aibridge: - retention: 0s # Keep AI Bridge records forever + retention: 0s # Keep AI Gateway records forever ``` ## Monitoring @@ -214,9 +214,9 @@ containing the table name (e.g., `audit_logs`, `connection_logs`, `api_keys`). purge procedures. - [Connection Logs](../monitoring/connection-logs.md): Learn about Connection Logs and monitoring. -- [AI Bridge](../../ai-coder/ai-bridge/index.md): Learn about AI Bridge for +- [AI Gateway](../../ai-coder/ai-gateway/index.md): Learn about AI Gateway for centralized LLM and MCP proxy management. -- [AI Bridge Setup](../../ai-coder/ai-bridge/setup.md#data-retention): Configure - AI Bridge data retention. -- [AI Bridge Monitoring](../../ai-coder/ai-bridge/monitoring.md): Monitor AI - Bridge usage and metrics. +- [AI Gateway Setup](../../ai-coder/ai-gateway/setup.md#data-retention): Configure + AI Gateway data retention. +- [AI Gateway Monitoring](../../ai-coder/ai-gateway/monitoring.md): Monitor AI + Gateway usage and metrics. diff --git a/docs/ai-coder/agent-boundaries/index.md b/docs/ai-coder/agent-firewall/index.md similarity index 83% rename from docs/ai-coder/agent-boundaries/index.md rename to docs/ai-coder/agent-firewall/index.md index 969514c926..1a3a3e4420 100644 --- a/docs/ai-coder/agent-boundaries/index.md +++ b/docs/ai-coder/agent-firewall/index.md @@ -1,27 +1,32 @@ -# Agent Boundaries +# Agent Firewall -Agent Boundaries are process-level firewalls that restrict and audit what +Agent Firewall is a process-level firewall that restricts and audits what autonomous programs, such as AI agents, can access and use. -![Screenshot of Agent Boundaries blocking a process](../../images/guides/ai-agents/boundary.png)Example -of Agent Boundaries blocking a process. +![Screenshot of Agent Firewall blocking a process](../../images/guides/ai-agents/boundary.png)Example +of Agent Firewall blocking a process. + +> [!NOTE] +> Agent Firewall was previously known as "Agent Boundaries". Some +> configuration options and internal references still use the old name +> and will be updated in a future release. ## Supported Agents -Agent Boundaries support the securing of any terminal-based agent, including +Agent Firewall supports the securing of any terminal-based agent, including your own custom agents. ## Features -Agent Boundaries offer network policy enforcement, which blocks domains and HTTP +Agent Firewall offers network policy enforcement, which blocks domains and HTTP verbs to prevent exfiltration, and writes logs to the workspace. -Agent Boundaries also stream audit logs to Coder's control plane for centralized +Agent Firewall also streams audit logs to Coder's control plane for centralized monitoring of HTTP requests. -## Getting Started with Agent Boundaries +## Getting Started with Agent Firewall -The easiest way to use Agent Boundaries is through existing Coder modules, such +The easiest way to use Agent Firewall is through existing Coder modules, such as the [Claude Code module](https://registry.coder.com/modules/coder/claude-code). It can also be ran directly in the terminal by installing the @@ -32,10 +37,10 @@ can also be ran directly in the terminal by installing the > [!NOTE] > For information about version requirements and compatibility, see the [Version Requirements](./version.md) documentation. -Agent Boundaries is configured using a `config.yaml` file. This allows you to +Agent Firewall is configured using a `config.yaml` file. This allows you to maintain allow lists and share detailed policies with teammates. -In your Terraform module, enable Agent Boundaries with minimal configuration: +In your Terraform module, enable Agent Firewall with minimal configuration: ```tf module "claude-code" { @@ -63,7 +68,7 @@ log_level: warn For a basic recommendation of what to allow for agents, see the [Anthropic documentation on default allowed domains](https://code.claude.com/docs/en/claude-code-on-the-web#default-allowed-domains). -For a comprehensive example of a production Agent Boundaries configuration, see +For a comprehensive example of a production Agent Firewall configuration, see the [Coder dogfood policy example](https://github.com/coder/coder/blob/main/dogfood/coder/boundary-config.yaml). @@ -85,9 +90,9 @@ resource "coder_script" "boundary_config_setup" { } ``` -Agent Boundaries automatically reads `config.yaml` from +Agent Firewall automatically reads `config.yaml` from `~/.config/coder_boundary/` when it starts, so everyone who launches Agent -Boundaries manually inside the workspace picks up the same configuration without +Firewall manually inside the workspace picks up the same configuration without extra flags. This is especially convenient for managing extensive allow lists in version control. @@ -108,8 +113,8 @@ version control. `landjail`. See [Jail Types](#jail-types) for a detailed comparison. - `log_dir` defines where boundary writes log files. - `log_level` defines the verbosity at which requests are logged. Agent - Boundaries uses the following verbosity levels: - - `WARN`: logs only requests that have been blocked by Agent Boundaries + Firewall uses the following verbosity levels: + - `WARN`: logs only requests that have been blocked by Agent Firewall - `INFO`: logs all requests at a high level - `DEBUG`: logs all requests in detail - `no_user_namespace` disables creation of a user namespace inside the jail. @@ -124,7 +129,7 @@ version control. For detailed information about the rules engine and how to construct allowlist rules, see the [rules engine documentation](./rules-engine.md). -You can also run Agent Boundaries directly in your workspace and configure it +You can also run Agent Firewall directly in your workspace and configure it per template. You can do so by installing the [binary](https://github.com/coder/boundary) into the workspace image or at start-up. You can do so with the following command: @@ -135,7 +140,7 @@ curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | ba ## Jail Types -Agent Boundaries supports two different jail types for process isolation, each +Agent Firewall supports two different jail types for process isolation, each with different characteristics and requirements: 1. **nsjail** - Uses Linux namespaces for isolation. This is the default jail @@ -168,31 +173,31 @@ environments where namespace capabilities are limited or unavailable. ## Audit Logs -Agent Boundaries stream audit logs to the Coder control plane, providing +Agent Firewall streams audit logs to the Coder control plane, providing centralized visibility into HTTP requests made within workspaces—whether from AI agents or ad-hoc commands run with `boundary`. Audit logs are independent of application logs: -- **Audit logs** record Agent Boundaries' policy decisions: whether each HTTP +- **Audit logs** record Agent Firewall's policy decisions: whether each HTTP request was allowed or denied based on the allowlist rules. These are always - sent to the control plane regardless of Agent Boundaries' configured log + sent to the control plane regardless of Agent Firewall's configured log level. -- **Application logs** are Agent Boundaries' operational logs written locally to +- **Application logs** are Agent Firewall's operational logs written locally to the workspace. These include startup messages, internal errors, and debugging information controlled by the `log_level` setting. -For example, if a request to `api.example.com` is allowed by Agent Boundaries +For example, if a request to `api.example.com` is allowed by Agent Firewall but the remote server returns a 500 error, the audit log records -`decision=allow` because Agent Boundaries permitted the request. The HTTP +`decision=allow` because Agent Firewall permitted the request. The HTTP response status is not tracked in audit logs. > [!NOTE] -> Requires Coder v2.30+ and Agent Boundaries v0.5.2+. +> Requires Coder v2.30+ and Agent Firewall v0.5.2+. ### Audit Log Contents -Each Agent Boundaries audit log entry includes: +Each Agent Firewall audit log entry includes: | Field | Description | |-----------------------|-----------------------------------------------------------------------------------------| @@ -209,7 +214,7 @@ Each Agent Boundaries audit log entry includes: ### Viewing Audit Logs -Agent Boundaries audit logs are emitted as structured log entries from the Coder +Agent Firewall audit logs are emitted as structured log entries from the Coder server. You can collect and analyze these logs using any log aggregation system such as Grafana Loki. diff --git a/docs/ai-coder/agent-boundaries/landjail.md b/docs/ai-coder/agent-firewall/landjail.md similarity index 66% rename from docs/ai-coder/agent-boundaries/landjail.md rename to docs/ai-coder/agent-firewall/landjail.md index b7d7d75dc1..b03eaf648d 100644 --- a/docs/ai-coder/agent-boundaries/landjail.md +++ b/docs/ai-coder/agent-firewall/landjail.md @@ -1,11 +1,11 @@ # landjail Jail Type -landjail is Agent Boundaries' alternative jail type that uses Landlock V4 for +landjail is Agent Firewall's alternative jail type that uses Landlock V4 for network isolation. ## Overview -Agent Boundaries uses Landlock V4 to enforce network restrictions: +Agent Firewall uses Landlock V4 to enforce network restrictions: - All `bind` syscalls are forbidden - All `connect` syscalls are forbidden except to the port that is used by http diff --git a/docs/ai-coder/agent-boundaries/nsjail/docker.md b/docs/ai-coder/agent-firewall/nsjail/docker.md similarity index 84% rename from docs/ai-coder/agent-boundaries/nsjail/docker.md rename to docs/ai-coder/agent-firewall/nsjail/docker.md index fe948d62dc..5b88477f96 100644 --- a/docs/ai-coder/agent-boundaries/nsjail/docker.md +++ b/docs/ai-coder/agent-firewall/nsjail/docker.md @@ -1,19 +1,19 @@ # nsjail on Docker This page describes the runtime and permission requirements for running Agent -Boundaries with the **nsjail** jail type on **Docker**. +Firewall with the **nsjail** jail type on **Docker**. For an overview of nsjail, see [nsjail](./index.md). ## Runtime & Permission Requirements for Running Boundary in Docker This section describes the Linux capabilities and runtime configurations -required to run Agent Boundaries with nsjail inside a Docker container. +required to run Agent Firewall with nsjail inside a Docker container. Requirements vary depending on the OCI runtime and the seccomp profile in use. ### 1. Default `runc` runtime with `CAP_NET_ADMIN` -When using Docker's default `runc` runtime, Agent Boundaries requires the +When using Docker's default `runc` runtime, Agent Firewall requires the container to have `CAP_NET_ADMIN`. This is the minimal capability needed for configuring virtual networking inside the container. @@ -30,10 +30,10 @@ For development or testing environments, you may grant the container `CAP_SYS_ADMIN`, which implicitly bypasses many of the restrictions in Docker's default seccomp profile. -- Agent Boundaries does not require `CAP_SYS_ADMIN` itself. +- Agent Firewall does not require `CAP_SYS_ADMIN` itself. - However, Docker's default seccomp policy commonly blocks namespace-related syscalls unless `CAP_SYS_ADMIN` is present. -- Granting `CAP_SYS_ADMIN` enables Agent Boundaries to run without modifying the +- Granting `CAP_SYS_ADMIN` enables Agent Firewall to run without modifying the seccomp profile. ⚠️ Warning: `CAP_SYS_ADMIN` is extremely powerful and should not be used in @@ -41,7 +41,7 @@ production unless absolutely necessary. ### 3. `sysbox-runc` runtime with `CAP_NET_ADMIN` -When using the `sysbox-runc` runtime (from Nestybox), Agent Boundaries can run +When using the `sysbox-runc` runtime (from Nestybox), Agent Firewall can run with only: - `CAP_NET_ADMIN` @@ -53,8 +53,8 @@ seccomp profile modifications. ## Docker Seccomp Profile Considerations Docker's default seccomp profile frequently blocks the `clone` syscall, which is -required by Agent Boundaries when creating unprivileged network namespaces. If -the `clone` syscall is denied, Agent Boundaries will fail to start. +required by Agent Firewall when creating unprivileged network namespaces. If +the `clone` syscall is denied, Agent Firewall will fail to start. To address this, you may need to modify or override the seccomp profile used by your container to explicitly allow the required `clone` variants. diff --git a/docs/ai-coder/agent-boundaries/nsjail/ecs.md b/docs/ai-coder/agent-firewall/nsjail/ecs.md similarity index 76% rename from docs/ai-coder/agent-boundaries/nsjail/ecs.md rename to docs/ai-coder/agent-firewall/nsjail/ecs.md index 77a45f02e9..9ed2755efb 100644 --- a/docs/ai-coder/agent-boundaries/nsjail/ecs.md +++ b/docs/ai-coder/agent-firewall/nsjail/ecs.md @@ -1,9 +1,9 @@ # nsjail on ECS -This page describes the runtime and permission requirements for running -Boundary with the **nsjail** jail type on **Amazon ECS**. +This page describes the runtime and permission requirements for running Agent +Firewall with the **nsjail** jail type on **Amazon ECS**. -## Runtime & Permission Requirements for Running Boundary in ECS +## Runtime & Permission Requirements for Running Agent Firewall in ECS The setup for ECS is similar to [nsjail on Kubernetes](./k8s.md); that environment is better explored and tested, so the Kubernetes page is a useful reference. On @@ -15,9 +15,9 @@ following examples use **ECS with Self Managed Node Groups** (EC2 launch type). ### Example 1: ECS + Self Managed Node Groups + Amazon Linux On **Amazon Linux** nodes with ECS, the default Docker seccomp profile enforced -by ECS blocks the syscalls needed for Boundary. Because it is difficult to +by ECS blocks the syscalls needed for Agent Firewall. Because it is difficult to disable or modify the seccomp profile on ECS, you must grant `SYS_ADMIN` (along -with `NET_ADMIN`) so that Boundary can create namespaces and run nsjail. +with `NET_ADMIN`) so that Agent Firewall can create namespaces and run nsjail. **Task definition (Terraform) — `linuxParameters`:** diff --git a/docs/ai-coder/agent-boundaries/nsjail/index.md b/docs/ai-coder/agent-firewall/nsjail/index.md similarity index 79% rename from docs/ai-coder/agent-boundaries/nsjail/index.md rename to docs/ai-coder/agent-firewall/nsjail/index.md index 59a24b9d1c..9a2ed86e8e 100644 --- a/docs/ai-coder/agent-boundaries/nsjail/index.md +++ b/docs/ai-coder/agent-firewall/nsjail/index.md @@ -1,6 +1,6 @@ # nsjail Jail Type -nsjail is Agent Boundaries' default jail type that uses Linux namespaces to +nsjail is Agent Firewall's default jail type that uses Linux namespaces to provide process isolation. It creates unprivileged network namespaces to control and monitor network access for processes running under Boundary. @@ -14,8 +14,8 @@ and permission requirements: ## Overview nsjail leverages Linux namespace technology to isolate processes at the network -level. When Agent Boundaries runs with nsjail, it creates a separate network -namespace for the isolated process, allowing Agent Boundaries to intercept and +level. When Agent Firewall runs with nsjail, it creates a separate network +namespace for the isolated process, allowing Agent Firewall to intercept and filter all network traffic according to the configured policy. This jail type requires Linux capabilities to create and manage network diff --git a/docs/ai-coder/agent-boundaries/nsjail/k8s.md b/docs/ai-coder/agent-firewall/nsjail/k8s.md similarity index 98% rename from docs/ai-coder/agent-boundaries/nsjail/k8s.md rename to docs/ai-coder/agent-firewall/nsjail/k8s.md index 29ba3ae36b..0328633edc 100644 --- a/docs/ai-coder/agent-boundaries/nsjail/k8s.md +++ b/docs/ai-coder/agent-firewall/nsjail/k8s.md @@ -1,7 +1,7 @@ # nsjail on Kubernetes This page describes the runtime and permission requirements for running Agent -Boundaries with the **nsjail** jail type on **Kubernetes**. +Firewall with the **nsjail** jail type on **Kubernetes**. ## Runtime & Permission Requirements for Running Boundary in Kubernetes diff --git a/docs/ai-coder/agent-boundaries/rules-engine.md b/docs/ai-coder/agent-firewall/rules-engine.md similarity index 100% rename from docs/ai-coder/agent-boundaries/rules-engine.md rename to docs/ai-coder/agent-firewall/rules-engine.md diff --git a/docs/ai-coder/agent-boundaries/version.md b/docs/ai-coder/agent-firewall/version.md similarity index 89% rename from docs/ai-coder/agent-boundaries/version.md rename to docs/ai-coder/agent-firewall/version.md index 49838450d1..4214a18447 100644 --- a/docs/ai-coder/agent-boundaries/version.md +++ b/docs/ai-coder/agent-firewall/version.md @@ -7,7 +7,7 @@ v4.7.0 or newer**. ### Coder v2.30.0+ -Since Coder v2.30.0, Agent Boundaries is embedded inside the Coder binary, and +Since Coder v2.30.0, Agent Firewall is embedded inside the Coder binary, and you don't need to install it separately. The `coder boundary` subcommand is available directly from the Coder CLI. @@ -26,7 +26,7 @@ the `coder boundary` subcommand isn't available in your Coder installation. In this case, you need to: 1. Set `use_boundary_directly = true` in your Terraform module configuration -2. Explicitly set `boundary_version` to specify which Agent Boundaries version +2. Explicitly set `boundary_version` to specify which Agent Firewall version to install Example configuration: @@ -44,7 +44,7 @@ module "claude-code" { ### Using Claude Code Module Before v4.7.0 If you're using Claude Code module before v4.7.0, the module expects to use -Agent Boundaries directly. You need to explicitly set `boundary_version` in your +Agent Firewall directly. You need to explicitly set `boundary_version` in your Terraform configuration: ```tf diff --git a/docs/ai-coder/agents/models.md b/docs/ai-coder/agents/models.md index 3ffaa7bc83..52d6976699 100644 --- a/docs/ai-coder/agents/models.md +++ b/docs/ai-coder/agents/models.md @@ -257,12 +257,12 @@ until you add a new personal key. ## Using an LLM proxy Organizations that route LLM traffic through a centralized proxy — such as -Coder's AI Bridge or third parties like LiteLLM — can point any provider's **Base URL** at their proxy endpoint. +Coder's AI Gateway or third parties like LiteLLM — can point any provider's **Base URL** at their proxy endpoint. -For example, to route all OpenAI traffic through Coder's AI Bridge: +For example, to route all OpenAI traffic through Coder's AI Gateway: 1. Add or edit the **OpenAI** provider. -1. Set the **Base URL** to your AI Bridge endpoint +1. Set the **Base URL** to your AI Gateway endpoint (e.g., `https://example.coder.com/api/v2/aibridge/openai/v1`). 1. Enter the API key your proxy expects. diff --git a/docs/ai-coder/ai-bridge/ai-bridge-proxy/index.md b/docs/ai-coder/ai-bridge/ai-bridge-proxy/index.md deleted file mode 100644 index 96bf0adacb..0000000000 --- a/docs/ai-coder/ai-bridge/ai-bridge-proxy/index.md +++ /dev/null @@ -1,35 +0,0 @@ -# AI Bridge Proxy - -AI Bridge Proxy extends [AI Bridge](../index.md) to support clients that don't allow base URL overrides. -While AI Bridge requires clients to support custom base URLs, many popular AI coding tools lack this capability. - -AI Bridge Proxy solves this by acting as an HTTP proxy that intercepts traffic to supported AI providers and forwards it to AI Bridge. Since most clients respect proxy configurations even when they don't support base URL overrides, this provides a universal compatibility layer for AI Bridge. - -For a list of clients supported through AI Bridge Proxy, see [Client Configuration](../clients/index.md). - -## How it works - -AI Bridge Proxy operates in two modes depending on the destination: - -* MITM (Man-in-the-Middle) mode for allowlisted AI provider domains: - * Intercepts and decrypts HTTPS traffic using a configured CA certificate - * Forwards requests to AI Bridge for authentication, auditing, and routing - * Supports: Anthropic, OpenAI, GitHub Copilot - -* Tunnel mode for all other traffic: - * Passes requests through without decryption - -Clients authenticate by passing their Coder token in the proxy credentials. - - - -## When to use AI Bridge Proxy - -Use AI Bridge Proxy when your AI tools don't support base URL overrides but do respect standard proxy configurations. - -For clients that support base URL configuration, you can use [AI Bridge](../index.md) directly. -Nevertheless, clients with base URL overrides also work with the proxy, in case you want to use multiple AI clients and some of them do not support base URL configuration. - -## Next steps - -* [Set up AI Bridge Proxy](./setup.md) on your Coder deployment diff --git a/docs/ai-coder/ai-gateway/ai-gateway-proxy/index.md b/docs/ai-coder/ai-gateway/ai-gateway-proxy/index.md new file mode 100644 index 0000000000..186c56cf9e --- /dev/null +++ b/docs/ai-coder/ai-gateway/ai-gateway-proxy/index.md @@ -0,0 +1,35 @@ +# AI Gateway Proxy + +AI Gateway Proxy extends [AI Gateway](../index.md) to support clients that don't allow base URL overrides. +While AI Gateway requires clients to support custom base URLs, many popular AI coding tools lack this capability. + +AI Gateway Proxy solves this by acting as an HTTP proxy that intercepts traffic to supported AI providers and forwards it to AI Gateway. Since most clients respect proxy configurations even when they don't support base URL overrides, this provides a universal compatibility layer for AI Gateway. + +For a list of clients supported through AI Gateway Proxy, see [Client Configuration](../clients/index.md). + +## How it works + +AI Gateway Proxy operates in two modes depending on the destination: + +* MITM (Man-in-the-Middle) mode for allowlisted AI provider domains: + * Intercepts and decrypts HTTPS traffic using a configured CA certificate + * Forwards requests to AI Gateway for authentication, auditing, and routing + * Supports: Anthropic, OpenAI, GitHub Copilot + +* Tunnel mode for all other traffic: + * Passes requests through without decryption + +Clients authenticate by passing their Coder token in the proxy credentials. + + + +## When to use AI Gateway Proxy + +Use AI Gateway Proxy when your AI tools don't support base URL overrides but do respect standard proxy configurations. + +For clients that support base URL configuration, you can use [AI Gateway](../index.md) directly. +Nevertheless, clients with base URL overrides also work with the proxy, in case you want to use multiple AI clients and some of them do not support base URL configuration. + +## Next steps + +* [Set up AI Gateway Proxy](./setup.md) on your Coder deployment diff --git a/docs/ai-coder/ai-bridge/ai-bridge-proxy/setup.md b/docs/ai-coder/ai-gateway/ai-gateway-proxy/setup.md similarity index 84% rename from docs/ai-coder/ai-bridge/ai-bridge-proxy/setup.md rename to docs/ai-coder/ai-gateway/ai-gateway-proxy/setup.md index 921343b779..92b4fc9b3f 100644 --- a/docs/ai-coder/ai-bridge/ai-bridge-proxy/setup.md +++ b/docs/ai-coder/ai-gateway/ai-gateway-proxy/setup.md @@ -1,18 +1,18 @@ # Setup -AI Bridge Proxy runs inside the Coder control plane (`coderd`), requiring no separate compute to deploy or scale. -Once enabled, `coderd` runs the `aibridgeproxyd` in-memory and intercepts traffic to supported AI providers, forwarding it to AI Bridge. +AI Gateway Proxy runs inside the Coder control plane (`coderd`), requiring no separate compute to deploy or scale. +Once enabled, `coderd` runs the `aibridgeproxyd` in-memory and intercepts traffic to supported AI providers, forwarding it to AI Gateway. **Required:** -1. AI Bridge must be enabled and configured (requires a **Premium** license with the [AI Governance Add-On](../../ai-governance.md)). See [AI Bridge Setup](../setup.md) for further information. -1. AI Bridge Proxy must be [enabled](#proxy-configuration) using the server flag. +1. AI Gateway must be enabled and configured (requires a **Premium** license with the [AI Governance Add-On](../../ai-governance.md)). See [AI Gateway Setup](../setup.md) for further information. +1. AI Gateway Proxy must be [enabled](#proxy-configuration) using the server flag. 1. A [CA certificate](#ca-certificate) must be configured for MITM interception. 1. [Clients](#client-configuration) must be configured to use the proxy and trust the CA certificate. ## Proxy Configuration -AI Bridge Proxy is disabled by default. To enable it, set the following configuration options: +AI Gateway Proxy is disabled by default. To enable it, set the following configuration options: ```shell CODER_AIBRIDGE_ENABLED=true \ @@ -28,7 +28,7 @@ coder server \ --aibridge-proxy-key-file=/path/to/ca.key ``` -Both the certificate and private key are required for AI Bridge Proxy to start. +Both the certificate and private key are required for AI Gateway Proxy to start. See [CA Certificate](#ca-certificate) for how to generate and obtain these files. By default, the proxy listener accepts plain HTTP connections. @@ -46,7 +46,7 @@ Both files must be provided together. The TLS certificate must include a Subject Alternative Name (SAN) matching the hostname or IP address that clients use to connect to the proxy. See [Proxy TLS Configuration](#proxy-tls-configuration) for how to generate and configure these files. -The AI Bridge Proxy only intercepts and forwards traffic to AI Bridge for the supported AI provider domains: +The AI Gateway Proxy only intercepts and forwards traffic to AI Gateway for the supported AI provider domains: * [Anthropic](https://www.anthropic.com/): `api.anthropic.com` * [OpenAI](https://openai.com/): `api.openai.com` @@ -59,7 +59,7 @@ For additional configuration options, see the [Coder server configuration](../.. ## Security Considerations > [!WARNING] -> The AI Bridge Proxy should only be accessible within a trusted network and **must not** be directly exposed to the public internet. +> The AI Gateway Proxy should only be accessible within a trusted network and **must not** be directly exposed to the public internet. > Without proper network restrictions, unauthorized users could route traffic through the proxy or intercept credentials. ### Encrypting client connections @@ -68,7 +68,7 @@ By default, AI tools send the Coder session token in the proxy credentials over This only applies to the initial connection between the client and the proxy. Once connected: -* MITM mode: A TLS connection is established between the AI tool and the proxy (using the configured CA certificate), then traffic is forwarded securely to AI Bridge. +* MITM mode: A TLS connection is established between the AI tool and the proxy (using the configured CA certificate), then traffic is forwarded securely to AI Gateway. * Tunnel mode: A TLS connection is established directly between the AI tool and the destination, passing through the proxy without decryption. As a best practice, apply one or more of the following to protect credentials during the initial connection: @@ -85,15 +85,15 @@ To prevent unauthorized use, restrict network access to the proxy so that only a ## CA Certificate -AI Bridge Proxy uses a CA (Certificate Authority) certificate to perform MITM interception of HTTPS traffic. +AI Gateway Proxy uses a CA (Certificate Authority) certificate to perform MITM interception of HTTPS traffic. When AI tools connect to AI provider domains through the proxy, the proxy presents a certificate signed by this CA. AI tools must trust this CA certificate, otherwise, the connection will fail. ### Self-signed certificate -Use a self-signed certificate when your organization doesn't have an internal CA, or when you want a dedicated CA specifically for AI Bridge Proxy. +Use a self-signed certificate when your organization doesn't have an internal CA, or when you want a dedicated CA specifically for AI Gateway Proxy. -Generate a CA certificate specifically for AI Bridge Proxy: +Generate a CA certificate specifically for AI Gateway Proxy: 1) Generate a private key: @@ -108,10 +108,10 @@ chmod 400 ca.key openssl req -new -x509 -days 3650 \ -key ca.key \ -out ca.crt \ - -subj "/CN=AI Bridge Proxy CA" + -subj "/CN=AI Gateway Proxy CA" ``` -Configure AI Bridge Proxy with both files: +Configure AI Gateway Proxy with both files: ```shell CODER_AIBRIDGE_PROXY_CERT_FILE=/path/to/ca.crt @@ -120,7 +120,7 @@ CODER_AIBRIDGE_PROXY_KEY_FILE=/path/to/ca.key ### Corporate CA certificate -If your organization has an internal CA that clients already trust, you can have it issue an intermediate CA certificate for AI Bridge Proxy. +If your organization has an internal CA that clients already trust, you can have it issue an intermediate CA certificate for AI Gateway Proxy. This simplifies deployment since AI tools that already trust your organization's root CA will automatically trust certificates signed by the intermediate. Your organization's CA issues a certificate and private key pair for the proxy. Configure the proxy with both files: @@ -158,14 +158,14 @@ How you configure AI tools to trust the certificate depends on the tool and oper ## Proxy TLS Configuration -By default, the AI Bridge Proxy listener accepts plain HTTP connections. +By default, the AI Gateway Proxy listener accepts plain HTTP connections. When TLS is enabled, the proxy serves over HTTPS, encrypting the connection between AI tools and the proxy. The TLS certificate is separate from the [MITM CA certificate](#ca-certificate). The CA certificate is used to sign dynamically generated certificates during MITM interception. The TLS certificate identifies the proxy itself, like any standard web server certificate. -The AI Bridge Proxy enforces a minimum TLS version of 1.2. +The AI Gateway Proxy enforces a minimum TLS version of 1.2. ### Configuration @@ -183,7 +183,7 @@ Both files must be provided together. If only one is set, the proxy will fail to ### Self-signed certificate -Use a self-signed certificate when your organization doesn't have an internal CA, or when you want a dedicated certificate specifically for the AI Bridge Proxy. +Use a self-signed certificate when your organization doesn't have an internal CA, or when you want a dedicated certificate specifically for the AI Gateway Proxy. The TLS certificate must include a Subject Alternative Name (SAN) matching the hostname or IP address that clients use to connect to the proxy. Without a matching SAN, clients will reject the connection. @@ -225,20 +225,20 @@ See [Client Configuration](#client-configuration) for details. ## Upstream proxy -If your organization requires all outbound traffic to pass through a corporate proxy, you can configure AI Bridge Proxy to chain requests to an upstream proxy. +If your organization requires all outbound traffic to pass through a corporate proxy, you can configure AI Gateway Proxy to chain requests to an upstream proxy. > [!NOTE] -> AI Bridge Proxy must be the first proxy in the chain. -> AI tools must be configured to connect directly to AI Bridge Proxy, which then forwards tunneled traffic to the upstream proxy. +> AI Gateway Proxy must be the first proxy in the chain. +> AI tools must be configured to connect directly to AI Gateway Proxy, which then forwards tunneled traffic to the upstream proxy. ### How it works Tunneled requests (non-allowlisted domains) are forwarded to the upstream proxy configured via [`CODER_AIBRIDGE_PROXY_UPSTREAM`](../../../reference/cli/server.md#--aibridge-proxy-upstream). -MITM'd requests (AI provider domains) are forwarded to AI Bridge, which then communicates with AI providers. -To ensure AI Bridge also routes requests through the upstream proxy, make sure to configure the proxy settings for the Coder server process. +MITM'd requests (AI provider domains) are forwarded to AI Gateway, which then communicates with AI providers. +To ensure AI Gateway also routes requests through the upstream proxy, make sure to configure the proxy settings for the Coder server process. - + ### Configuration @@ -263,7 +263,7 @@ If the system already trusts the upstream proxy's CA certificate, [`CODER_AIBRID ## Client Configuration -To use AI Bridge Proxy, AI tools must be configured to: +To use AI Gateway Proxy, AI tools must be configured to: 1. Route traffic through the proxy 1. Trust the proxy's CA certificate @@ -287,7 +287,7 @@ Note: if [TLS is not enabled](#proxy-tls-configuration) on the proxy, replace `h > `HTTP_PROXY` is not required since AI providers only use `HTTPS`. > Leaving it unset avoids routing unnecessary traffic through the proxy. -In order for AI tools that communicate with AI Bridge Proxy to authenticate with Coder via AI Bridge, the Coder session token needs to be passed in the proxy credentials as the password field. +In order for AI tools that communicate with AI Gateway Proxy to authenticate with Coder via AI Gateway, the Coder session token needs to be passed in the proxy credentials as the password field. ### Trusting the CA certificate @@ -356,6 +356,6 @@ For other operating systems, refer to the system's documentation for instruction For AI tools running inside Coder workspaces, template administrators can pre-configure the proxy settings and CA certificate in the workspace template. This provides a seamless experience where users don't need to configure anything manually. - + For tool-specific configuration details, check the [client compatibility table](../clients/index.md#compatibility) for clients that require proxy-based integration. diff --git a/docs/ai-coder/ai-bridge/audit.md b/docs/ai-coder/ai-gateway/audit.md similarity index 90% rename from docs/ai-coder/ai-bridge/audit.md rename to docs/ai-coder/ai-gateway/audit.md index d03a03581c..574cf2bcf9 100644 --- a/docs/ai-coder/ai-bridge/audit.md +++ b/docs/ai-coder/ai-gateway/audit.md @@ -1,6 +1,6 @@ # Auditing AI Sessions -AI Bridge groups intercepted requests into **sessions** and **threads** to show +AI Gateway groups intercepted requests into **sessions** and **threads** to show the causal relationships between human prompts and agent actions. This structure gives auditors clear provenance over who initiated what, and why. @@ -15,7 +15,7 @@ structure gives auditors clear provenance over who initiated what, and why. ## Human vs. Agent attribution -AI Bridge distinguishes between human-initiated and agent-initiated requests +AI Gateway distinguishes between human-initiated and agent-initiated requests using the `role` property: - A message with `role="user"` indicates a human-initiated action (i.e. prompt). @@ -24,16 +24,16 @@ using the `role` property: The `user` role is currently overloaded by clients like Claude Code and Codex; they inject system instructions -within `role="user"` blocks when using agents. AI Bridge applies a heuristic +within `role="user"` blocks when using agents. AI Gateway applies a heuristic of storing only the **last** prompt from a block of `role="user"` messages. > [!NOTE] -> AI Bridge cannot declare with certainty whether a request was human- or +> AI Gateway cannot declare with certainty whether a request was human- or > agent-initiated. ## LLM reasoning capture -AI Bridge captures model reasoning and thinking content when available. Both +AI Gateway captures model reasoning and thinking content when available. Both Anthropic (extended thinking) and OpenAI (reasoning summaries) support this feature. Reasoning data gives auditors insight into **why** a tool was called, not just what was called. @@ -77,7 +77,7 @@ When investigating an incident (policy violation, destructive action, etc.): ## What we store -AI Bridge captures the following data from each request/response: +AI Gateway captures the following data from each request/response: - Last user prompt - Token usage @@ -105,5 +105,5 @@ session data is kept. ## Next steps - [Monitoring](./monitoring.md) — Dashboards, data export, and tracing -- [Setup](./setup.md) — Configure AI Bridge and data retention +- [Setup](./setup.md) — Configure AI Gateway and data retention - [Reference](./reference.md) — API and technical reference diff --git a/docs/ai-coder/ai-bridge/clients/claude-code.md b/docs/ai-coder/ai-gateway/clients/claude-code.md similarity index 86% rename from docs/ai-coder/ai-bridge/clients/claude-code.md rename to docs/ai-coder/ai-gateway/clients/claude-code.md index 7f0dc01e54..797cf95724 100644 --- a/docs/ai-coder/ai-bridge/clients/claude-code.md +++ b/docs/ai-coder/ai-gateway/clients/claude-code.md @@ -1,27 +1,27 @@ # Claude Code -Claude Code can be configured using environment variables. All modes require a **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** for authentication with AI Bridge. +Claude Code can be configured using environment variables. All modes require a **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** for authentication with AI Gateway. ## Centralized API Key ```bash -# AI Bridge base URL. +# AI Gateway base URL. export ANTHROPIC_BASE_URL="/api/v2/aibridge/anthropic" -# Your Coder session token, used for authentication with AI Bridge. +# Your Coder session token, used for authentication with AI Gateway. export ANTHROPIC_AUTH_TOKEN="" ``` ## BYOK (Personal API Key) ```bash -# AI Bridge base URL. +# AI Gateway base URL. export ANTHROPIC_BASE_URL="/api/v2/aibridge/anthropic" # Your personal Anthropic API key, forwarded to Anthropic. export ANTHROPIC_API_KEY="" -# Your Coder session token, used for authentication with AI Bridge. +# Your Coder session token, used for authentication with AI Gateway. export ANTHROPIC_CUSTOM_HEADERS="X-Coder-AI-Governance-Token: " # Ensure no auth token is set so Claude Code uses the API key instead. @@ -31,10 +31,10 @@ unset ANTHROPIC_AUTH_TOKEN ## BYOK (Claude Subscription) ```bash -# AI Bridge base URL. +# AI Gateway base URL. export ANTHROPIC_BASE_URL="/api/v2/aibridge/anthropic" -# Your Coder session token, used for authentication with AI Bridge. +# Your Coder session token, used for authentication with AI Gateway. export ANTHROPIC_CUSTOM_HEADERS="X-Coder-AI-Governance-Token: " # Ensure no auth token is set so Claude Code uses subscription login instead. @@ -46,7 +46,7 @@ account. ## Pre-configuring in Templates -Template admins can pre-configure Claude Code for a seamless experience. Admins can automatically inject the user's Coder session token and the AI Bridge base URL into the workspace environment. +Template admins can pre-configure Claude Code for a seamless experience. Admins can automatically inject the user's Coder session token and the AI Gateway base URL into the workspace environment. ```hcl module "claude-code" { @@ -77,7 +77,7 @@ module "claude-code" { workdir = "/path/to/project" # Set to your project directory ai_prompt = data.coder_task.me.prompt - # Route through AI Bridge (Premium feature) + # Route through AI Gateway (Premium feature) enable_aibridge = true } ``` diff --git a/docs/ai-coder/ai-bridge/clients/cline.md b/docs/ai-coder/ai-gateway/clients/cline.md similarity index 92% rename from docs/ai-coder/ai-bridge/clients/cline.md rename to docs/ai-coder/ai-gateway/clients/cline.md index 0fe48d4edd..49236fa6f2 100644 --- a/docs/ai-coder/ai-bridge/clients/cline.md +++ b/docs/ai-coder/ai-gateway/clients/cline.md @@ -1,10 +1,10 @@ # Cline -Cline supports both OpenAI and Anthropic models and can be configured to use AI Bridge by setting providers. +Cline supports both OpenAI and Anthropic models and can be configured to use AI Gateway by setting providers. ## Configuration -To configure Cline to use AI Bridge, follow these steps: +To configure Cline to use AI Gateway, follow these steps: ![Cline Settings](../../../images/aibridge/clients/cline-setup.png)
diff --git a/docs/ai-coder/ai-bridge/clients/codex.md b/docs/ai-coder/ai-gateway/clients/codex.md similarity index 80% rename from docs/ai-coder/ai-bridge/clients/codex.md rename to docs/ai-coder/ai-gateway/clients/codex.md index 00f0811fe7..03470bfa0c 100644 --- a/docs/ai-coder/ai-bridge/clients/codex.md +++ b/docs/ai-coder/ai-gateway/clients/codex.md @@ -1,10 +1,10 @@ # Codex CLI -Codex CLI can be configured to use AI Bridge by setting up a custom model provider. +Codex CLI can be configured to use AI Gateway by setting up a custom model provider. ## Centralized API Key -To configure Codex CLI to use AI Bridge, set the following configuration options in your Codex configuration file (e.g., `~/.codex/config.toml`): +To configure Codex CLI to use AI Gateway, set the following configuration options in your Codex configuration file (e.g., `~/.codex/config.toml`): ```toml model_provider = "aibridge" @@ -16,7 +16,7 @@ env_key = "OPENAI_API_KEY" wire_api = "responses" ``` -To authenticate with AI Bridge, get your **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** and set it in your environment: +To authenticate with AI Gateway, get your **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** and set it in your environment: ```bash export OPENAI_API_KEY="" @@ -45,7 +45,7 @@ Set both environment variables: # Your personal OpenAI API key, forwarded to OpenAI. export OPENAI_API_KEY="" -# Your Coder session token, used for authentication with AI Bridge. +# Your Coder session token, used for authentication with AI Gateway. export CODER_SESSION_TOKEN="" ``` @@ -70,7 +70,7 @@ env_http_headers = { "X-Coder-AI-Governance-Token" = "CODER_SESSION_TOKEN" } Set your Coder session token and ensure `OPENAI_API_KEY` is not set: ```bash -# Your Coder session token, used for authentication with AI Bridge. +# Your Coder session token, used for authentication with AI Gateway. export CODER_SESSION_TOKEN="" # Ensure no OpenAI API key is set so Codex uses ChatGPT login instead. diff --git a/docs/ai-coder/ai-bridge/clients/copilot.md b/docs/ai-coder/ai-gateway/clients/copilot.md similarity index 62% rename from docs/ai-coder/ai-bridge/clients/copilot.md rename to docs/ai-coder/ai-gateway/clients/copilot.md index dadaae676f..d9ba2093de 100644 --- a/docs/ai-coder/ai-bridge/clients/copilot.md +++ b/docs/ai-coder/ai-gateway/clients/copilot.md @@ -1,15 +1,15 @@ # GitHub Copilot [GitHub Copilot](https://github.com/features/copilot) is an AI coding assistant that doesn't support custom base URLs but does respect proxy configurations. -This makes it compatible with [AI Bridge Proxy](../ai-bridge-proxy/index.md), which integrates with [AI Bridge](../index.md) for full access to auditing and governance features. -To use Copilot with AI Bridge, make sure AI Bridge Proxy is properly configured, see [AI Bridge Proxy Setup](../ai-bridge-proxy/setup.md) for instructions. +This makes it compatible with [AI Gateway Proxy](../ai-gateway-proxy/index.md), which integrates with [AI Gateway](../index.md) for full access to auditing and governance features. +To use Copilot with AI Gateway, make sure AI Gateway Proxy is properly configured, see [AI Gateway Proxy Setup](../ai-gateway-proxy/setup.md) for instructions. Copilot uses **per-user tokens** tied to GitHub accounts rather than a shared API key. Users must still authenticate with GitHub to use Copilot. For general information about GitHub Copilot, see the [GitHub Copilot documentation](https://docs.github.com/en/copilot). -For general client configuration requirements, see [AI Bridge Proxy Client Configuration](../ai-bridge-proxy/setup.md#client-configuration). +For general client configuration requirements, see [AI Gateway Proxy Client Configuration](../ai-gateway-proxy/setup.md#client-configuration). The sections below cover Copilot-specific setup for each client. ## Copilot CLI @@ -24,9 +24,9 @@ Set the `HTTPS_PROXY` environment variable: export HTTPS_PROXY="https://coder:${CODER_SESSION_TOKEN}@:8888" ``` -Replace `` with your AI Bridge Proxy hostname. +Replace `` with your AI Gateway Proxy hostname. -Note: if [TLS is not enabled](../ai-bridge-proxy/setup.md#proxy-tls-configuration) on the proxy, replace `https://` with `http://` in the proxy URL. +Note: if [TLS is not enabled](../ai-gateway-proxy/setup.md#proxy-tls-configuration) on the proxy, replace `https://` with `http://` in the proxy URL. ### CA certificate trust @@ -36,9 +36,9 @@ Copilot CLI is built on Node.js and uses the `NODE_EXTRA_CA_CERTS` environment v export NODE_EXTRA_CA_CERTS="/path/to/coder-aibridge-proxy-ca.pem" ``` -See [Client Configuration CA certificate trust](../ai-bridge-proxy/setup.md#trusting-the-ca-certificate) for details on how to obtain the certificate file. +See [Client Configuration CA certificate trust](../ai-gateway-proxy/setup.md#trusting-the-ca-certificate) for details on how to obtain the certificate file. -When [TLS is enabled](../ai-bridge-proxy/setup.md#proxy-tls-configuration) on the proxy, combine the MITM CA certificate and the TLS certificate into a single file: +When [TLS is enabled](../ai-gateway-proxy/setup.md#proxy-tls-configuration) on the proxy, combine the MITM CA certificate and the TLS certificate into a single file: ```shell cat coder-aibridge-proxy-ca.pem listener.crt > combined-ca.pem @@ -47,7 +47,7 @@ export NODE_EXTRA_CA_CERTS="/path/to/combined-ca.pem" Copilot CLI may start MCP server processes that use runtimes other than Node.js (e.g. Go). These processes inherit environment variables like `HTTPS_PROXY` but may not respect `NODE_EXTRA_CA_CERTS`. -Adding the TLS certificate to the [system trust store](../ai-bridge-proxy/setup.md#system-trust-store) ensures all processes trust it. +Adding the TLS certificate to the [system trust store](../ai-gateway-proxy/setup.md#system-trust-store) ensures all processes trust it. ## VS Code Copilot Extension @@ -56,7 +56,7 @@ For installation instructions, see [Installing the GitHub Copilot extension in V ### Proxy configuration You can configure the proxy using environment variables or VS Code settings. -For environment variables, see [AI Bridge Proxy client configuration](../ai-bridge-proxy/setup.md#configuring-the-proxy). +For environment variables, see [AI Gateway Proxy client configuration](../ai-gateway-proxy/setup.md#configuring-the-proxy). Alternatively, you can configure the proxy directly in VS Code settings: @@ -72,10 +72,10 @@ Or add directly to your `settings.json`: } ``` -Note: if [TLS is not enabled](../ai-bridge-proxy/setup.md#proxy-tls-configuration) on the proxy, replace `https://` with `http://` in the proxy URL. +Note: if [TLS is not enabled](../ai-gateway-proxy/setup.md#proxy-tls-configuration) on the proxy, replace `https://` with `http://` in the proxy URL. The `http.proxy` setting is used for both HTTP and HTTPS requests. -Replace `` with your AI Bridge Proxy hostname and `` with your coder session token. +Replace `` with your AI Gateway Proxy hostname and `` with your coder session token. Restart VS Code for changes to take effect. @@ -83,19 +83,19 @@ For more details, see [Configuring proxy settings for Copilot](https://docs.gith ### CA certificate trust -Add the AI Bridge Proxy CA certificate to your operating system's trust store. +Add the AI Gateway Proxy CA certificate to your operating system's trust store. By default, VS Code loads system certificates, controlled by the `http.systemCertificates` setting. -See [Client Configuration CA certificate trust](../ai-bridge-proxy/setup.md#trusting-the-ca-certificate) for details on how to obtain the certificate file. +See [Client Configuration CA certificate trust](../ai-gateway-proxy/setup.md#trusting-the-ca-certificate) for details on how to obtain the certificate file. -When [TLS is enabled](../ai-bridge-proxy/setup.md#proxy-tls-configuration) on the proxy, add the TLS certificate to the system trust store as well. +When [TLS is enabled](../ai-gateway-proxy/setup.md#proxy-tls-configuration) on the proxy, add the TLS certificate to the system trust store as well. ### Using Coder Remote extension When connecting to a Coder workspace with the [Coder extension](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote), the Copilot extension runs inside the Coder workspace and not on your local machine. This means proxy and certificate configuration must be done in the Coder workspace environment. -When [TLS is enabled](../ai-bridge-proxy/setup.md#proxy-tls-configuration) on the proxy, add the TLS certificate to the workspace's system trust store as well. +When [TLS is enabled](../ai-gateway-proxy/setup.md#proxy-tls-configuration) on the proxy, add the TLS certificate to the workspace's system trust store as well. #### Proxy configuration @@ -107,14 +107,14 @@ Configure the proxy in VS Code's remote settings: 1. Search for `HTTP: Proxy` 1. Set the proxy URL using the format `https://coder:@:8888` -Note: if [TLS is not enabled](../ai-bridge-proxy/setup.md#proxy-tls-configuration) on the proxy, replace `https://` with `http://` in the proxy URL. +Note: if [TLS is not enabled](../ai-gateway-proxy/setup.md#proxy-tls-configuration) on the proxy, replace `https://` with `http://` in the proxy URL. -Replace `` with your AI Bridge Proxy hostname and `` with your coder session token. +Replace `` with your AI Gateway Proxy hostname and `` with your coder session token. #### CA certificate trust -Since the Copilot extension runs inside the Coder workspace, add the [AI Bridge Proxy CA certificate](../ai-bridge-proxy/setup.md#trusting-the-ca-certificate) to the Coder workspace's system trust store. -See [System trust store](../ai-bridge-proxy/setup.md#system-trust-store) for instructions on how to do this on Linux. +Since the Copilot extension runs inside the Coder workspace, add the [AI Gateway Proxy CA certificate](../ai-gateway-proxy/setup.md#trusting-the-ca-certificate) to the Coder workspace's system trust store. +See [System trust store](../ai-gateway-proxy/setup.md#system-trust-store) for instructions on how to do this on Linux. Restart VS Code for changes to take effect. @@ -140,10 +140,10 @@ For more details, see [Configuring proxy settings for Copilot](https://docs.gith ### CA certificate trust -Add the AI Bridge Proxy CA certificate to your operating system's trust store. +Add the AI Gateway Proxy CA certificate to your operating system's trust store. If the certificate is in the system trust store, no additional IDE configuration is needed. -When [TLS is enabled](../ai-bridge-proxy/setup.md#proxy-tls-configuration) on the proxy, add the TLS certificate to the system trust store as well, or add it under `Accepted certificates` in the IDE settings below. +When [TLS is enabled](../ai-gateway-proxy/setup.md#proxy-tls-configuration) on the proxy, add the TLS certificate to the system trust store as well, or add it under `Accepted certificates` in the IDE settings below. Alternatively, you can configure the IDE to accept the certificate: @@ -155,4 +155,4 @@ Alternatively, you can configure the IDE to accept the certificate: For more details, see [Trusted root certificates](https://www.jetbrains.com/help/idea/ssl-certificates.html) in the JetBrains documentation. -See [Client Configuration CA certificate trust](../ai-bridge-proxy/setup.md#trusting-the-ca-certificate) for details on how to obtain the certificate file. +See [Client Configuration CA certificate trust](../ai-gateway-proxy/setup.md#trusting-the-ca-certificate) for details on how to obtain the certificate file. diff --git a/docs/ai-coder/ai-bridge/clients/factory.md b/docs/ai-coder/ai-gateway/clients/factory.md similarity index 89% rename from docs/ai-coder/ai-bridge/clients/factory.md rename to docs/ai-coder/ai-gateway/clients/factory.md index 2a941ee9ae..d0cdacb98a 100644 --- a/docs/ai-coder/ai-bridge/clients/factory.md +++ b/docs/ai-coder/ai-gateway/clients/factory.md @@ -1,11 +1,11 @@ # Factory -Factort's Droid agent can be configured to use AI Bridge by setting up custom models for OpenAI and Anthropic. +Factort's Droid agent can be configured to use AI Gateway by setting up custom models for OpenAI and Anthropic. ## Configuration 1. Open `~/.factory/settings.json` (create it if it does not exist). -2. Add a `customModels` entry for each provider you want to use with AI Bridge. +2. Add a `customModels` entry for each provider you want to use with AI Gateway. 3. Replace `coder.example.com` with your Coder deployment URL. 4. Use a **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** for `apiKey`. diff --git a/docs/ai-coder/ai-bridge/clients/index.md b/docs/ai-coder/ai-gateway/clients/index.md similarity index 83% rename from docs/ai-coder/ai-bridge/clients/index.md rename to docs/ai-coder/ai-gateway/clients/index.md index db717bc74c..591175a6f5 100644 --- a/docs/ai-coder/ai-bridge/clients/index.md +++ b/docs/ai-coder/ai-gateway/clients/index.md @@ -1,11 +1,11 @@ # Client Configuration -Once AI Bridge is setup on your deployment, the AI coding tools used by your users will need to be configured to route requests via AI Bridge. +Once AI Gateway is setup on your deployment, the AI coding tools used by your users will need to be configured to route requests via AI Gateway. -There are two ways to connect AI tools to AI Bridge: +There are two ways to connect AI tools to AI Gateway: - Base URL configuration (Recommended): Most AI tools allow customizing the base URL for API requests. This is the preferred approach when supported. -- AI Bridge Proxy: For tools that don't support base URL configuration, [AI Bridge Proxy](../ai-bridge-proxy/index.md) can intercept traffic and forward it to AI Bridge. +- AI Gateway Proxy: For tools that don't support base URL configuration, [AI Gateway Proxy](../ai-gateway-proxy/index.md) can intercept traffic and forward it to AI Gateway. ## Base URLs @@ -20,14 +20,14 @@ Replace `coder.example.com` with your actual Coder deployment URL. ## Authentication -Instead of distributing provider-specific API keys (OpenAI/Anthropic keys) to users, they authenticate to AI Bridge using their **Coder session token** or **API key**: +Instead of distributing provider-specific API keys (OpenAI/Anthropic keys) to users, they authenticate to AI Gateway using their **Coder session token** or **API key**: - **OpenAI clients**: Users set `OPENAI_API_KEY` to their Coder session token or API key - **Anthropic clients**: Users set `ANTHROPIC_API_KEY` to their Coder session token or API key > [!NOTE] -> Only Coder-issued tokens can authenticate users against AI Bridge. -> AI Bridge will use provider-specific API keys to [authenticate against upstream AI services](https://coder.com/docs/ai-coder/ai-bridge/setup#configure-providers). +> Only Coder-issued tokens can authenticate users against AI Gateway. +> AI Gateway will use provider-specific API keys to [authenticate against upstream AI services](../setup.md#configure-providers). Again, the exact environment variable or setting naming may differ from tool to tool. See a list of [supported clients](#all-supported-clients) below and consult your tool's documentation for details. @@ -45,22 +45,22 @@ Alternatively, [generate a long-lived API token](../../../admin/users/sessions-t ## Bring Your Own Key (BYOK) -In addition to centralized key management, AI Bridge supports **Bring Your +In addition to centralized key management, AI Gateway supports **Bring Your Own Key** (BYOK) mode. Users can provide their own LLM API keys or use provider subscriptions (such as Claude Pro/Max or ChatGPT Plus/Pro) while -AI Bridge continues to provide observability and governance. +AI Gateway continues to provide observability and governance. ![BYOK authentication flow](../../../images/aibridge/clients/byok_auth_flow.png) In BYOK mode, users need two credentials: -- A **Coder session token** to authenticate with AI Bridge. -- Their **own LLM credential** (personal API key or subscription token) which AI Bridge forwards +- A **Coder session token** to authenticate with AI Gateway. +- Their **own LLM credential** (personal API key or subscription token) which AI Gateway forwards to the upstream provider. BYOK and centralized modes can be used together. When a user provides -their own credential, AI Bridge forwards it directly. When no user -credential is present, AI Bridge falls back to the admin-configured +their own credential, AI Gateway forwards it directly. When no user +credential is present, AI Gateway falls back to the admin-configured provider key. This lets organizations offer centralized keys as a default while allowing individual users to bring their own. @@ -68,7 +68,7 @@ See individual client pages for configuration details. ## Compatibility -The table below shows tested AI clients and their compatibility with AI Bridge. +The table below shows tested AI clients and their compatibility with AI Gateway. | Client | OpenAI | Anthropic | Notes | |----------------------------------|--------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -83,7 +83,7 @@ The table below shows tested AI clients and their compatibility with AI Bridge. | [VS Code](./vscode.md) | ✅ | ❌ | Only supports Custom Base URL for OpenAI. | | [JetBrains IDEs](./jetbrains.md) | ✅ | ❌ | Works in Chat mode via "Bring Your Own Key". | | [Zed](./zed.md) | ✅ | ✅ | | -| [GitHub Copilot](./copilot.md) | ⚙️ | - | Requires [AI Bridge Proxy](../ai-bridge-proxy/index.md). Uses per-user GitHub tokens. | +| [GitHub Copilot](./copilot.md) | ⚙️ | - | Requires [AI Gateway Proxy](../ai-gateway-proxy/index.md). Uses per-user GitHub tokens. | | WindSurf | ❌ | ❌ | No option to override base URL. | | Cursor | ❌ | ❌ | Override for OpenAI broken ([upstream issue](https://forum.cursor.com/t/requests-are-sent-to-incorrect-endpoint-when-using-base-url-override/144894)). | | Sourcegraph Amp | ❌ | ❌ | No option to override base URL. | @@ -92,15 +92,15 @@ The table below shows tested AI clients and their compatibility with AI Bridge. | Antigravity | ❌ | ❌ | No option to override base URL. | | -*Legend: ✅ supported, ⚙️ requires AI Bridge Proxy, ❌ not supported, - not applicable.* +*Legend: ✅ supported, ⚙️ requires AI Gateway Proxy, ❌ not supported, - not applicable.* ## Configuring In-Workspace Tools -AI coding tools running inside a Coder workspace, such as IDE extensions, can be configured to use AI Bridge. +AI coding tools running inside a Coder workspace, such as IDE extensions, can be configured to use AI Gateway. -While users can manually configure these tools with a long-lived API key, template admins can provide a more seamless experience by pre-configuring them. Admins can automatically inject the user's session token with `data.coder_workspace_owner.me.session_token` and the AI Bridge base URL into the workspace environment. +While users can manually configure these tools with a long-lived API key, template admins can provide a more seamless experience by pre-configuring them. Admins can automatically inject the user's session token with `data.coder_workspace_owner.me.session_token` and the AI Gateway base URL into the workspace environment. -In this example, Claude Code respects these environment variables and will route all requests via AI Bridge. +In this example, Claude Code respects these environment variables and will route all requests via AI Gateway. ```hcl data "coder_workspace_owner" "me" {} @@ -121,9 +121,9 @@ resource "coder_agent" "dev" { ## External and Desktop Clients -You can also configure AI tools running outside of a Coder workspace, such as local IDE extensions or desktop applications, to connect to AI Bridge. +You can also configure AI tools running outside of a Coder workspace, such as local IDE extensions or desktop applications, to connect to AI Gateway. -The configuration is the same: point the tool to the AI Bridge [base URL](#base-urls) and use a Coder API key for authentication. +The configuration is the same: point the tool to the AI Gateway [base URL](#base-urls) and use a Coder API key for authentication. Users can generate a long-lived API key from the Coder UI or CLI. Follow the instructions at [Sessions and API tokens](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself) to create one. diff --git a/docs/ai-coder/ai-bridge/clients/jetbrains.md b/docs/ai-coder/ai-gateway/clients/jetbrains.md similarity index 92% rename from docs/ai-coder/ai-bridge/clients/jetbrains.md rename to docs/ai-coder/ai-gateway/clients/jetbrains.md index 90935d03eb..81abafce3a 100644 --- a/docs/ai-coder/ai-bridge/clients/jetbrains.md +++ b/docs/ai-coder/ai-gateway/clients/jetbrains.md @@ -1,6 +1,6 @@ # JetBrains IDEs -JetBrains IDE (IntelliJ IDEA, PyCharm, WebStorm, etc.) support AI Bridge via the ["Bring Your Own Key" (BYOK)](https://www.jetbrains.com/help/ai-assistant/use-custom-models.html#provide-your-own-api-key) feature. +JetBrains IDE (IntelliJ IDEA, PyCharm, WebStorm, etc.) support AI Gateway via the ["Bring Your Own Key" (BYOK)](https://www.jetbrains.com/help/ai-assistant/use-custom-models.html#provide-your-own-api-key) feature. ## Prerequisites diff --git a/docs/ai-coder/ai-bridge/clients/kilo-code.md b/docs/ai-coder/ai-gateway/clients/kilo-code.md similarity index 97% rename from docs/ai-coder/ai-bridge/clients/kilo-code.md rename to docs/ai-coder/ai-gateway/clients/kilo-code.md index c940060b45..60fce5e44e 100644 --- a/docs/ai-coder/ai-bridge/clients/kilo-code.md +++ b/docs/ai-coder/ai-gateway/clients/kilo-code.md @@ -1,6 +1,6 @@ # Kilo Code -Kilo Code allows you to configure providers via the UI and can be set up to use AI Bridge. +Kilo Code allows you to configure providers via the UI and can be set up to use AI Gateway. ## Configuration diff --git a/docs/ai-coder/ai-bridge/clients/mux.md b/docs/ai-coder/ai-gateway/clients/mux.md similarity index 91% rename from docs/ai-coder/ai-bridge/clients/mux.md rename to docs/ai-coder/ai-gateway/clients/mux.md index 5b83873ba2..a15cc1db2f 100644 --- a/docs/ai-coder/ai-bridge/clients/mux.md +++ b/docs/ai-coder/ai-gateway/clients/mux.md @@ -2,11 +2,11 @@ Mux makes it easy to run parallel coding agents, each with its own isolated workspace, from your browser or desktop; it is open source and provider-agnostic. -Mux can be configured to route OpenAI- and Anthropic-compatible traffic through AI Bridge by setting a custom provider base URL and using a Coder-issued token for authentication. +Mux can be configured to route OpenAI- and Anthropic-compatible traffic through AI Gateway by setting a custom provider base URL and using a Coder-issued token for authentication. ## Prerequisites -- AI Bridge is enabled on your Coder deployment. +- AI Gateway is enabled on your Coder deployment. - A **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** or long-lived API key. ## Configuration @@ -52,7 +52,7 @@ export ANTHROPIC_BASE_URL="https://coder.example.com/api/v2/aibridge/anthropic" ## Running Mux in a Coder workspace -If you want to run Mux inside a Coder workspace (for example, as a Coder app), you can install it with the [Mux module](https://registry.coder.com/modules/coder/mux) and pre-configure AI Bridge via environment variables on the agent: +If you want to run Mux inside a Coder workspace (for example, as a Coder app), you can install it with the [Mux module](https://registry.coder.com/modules/coder/mux) and pre-configure AI Gateway via environment variables on the agent: ```tf data "coder_workspace" "me" {} diff --git a/docs/ai-coder/ai-bridge/clients/opencode.md b/docs/ai-coder/ai-gateway/clients/opencode.md similarity index 58% rename from docs/ai-coder/ai-bridge/clients/opencode.md rename to docs/ai-coder/ai-gateway/clients/opencode.md index f9487e4eff..116dcd7431 100644 --- a/docs/ai-coder/ai-bridge/clients/opencode.md +++ b/docs/ai-coder/ai-gateway/clients/opencode.md @@ -1,10 +1,10 @@ # OpenCode -OpenCode supports both OpenAI and Anthropic models and can be configured to use AI Bridge by setting custom base URLs for each provider. +OpenCode supports both OpenAI and Anthropic models and can be configured to use AI Gateway by setting custom base URLs for each provider. ## Configuration -You can configure OpenCode to connect to AI Bridge by setting the following configuration options in your OpenCode configuration file (e.g., `~/.config/opencode/opencode.json`): +You can configure OpenCode to connect to AI Gateway by setting the following configuration options in your OpenCode configuration file (e.g., `~/.config/opencode/opencode.json`): ```json { @@ -26,7 +26,7 @@ You can configure OpenCode to connect to AI Bridge by setting the following conf ## Authentication -To authenticate with AI Bridge, get your **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** and replace `` in `~/.local/share/opencode/auth.json` +To authenticate with AI Gateway, get your **[Coder session token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)** and replace `` in `~/.local/share/opencode/auth.json` ```json { diff --git a/docs/ai-coder/ai-bridge/clients/roo-code.md b/docs/ai-coder/ai-gateway/clients/roo-code.md similarity index 98% rename from docs/ai-coder/ai-bridge/clients/roo-code.md rename to docs/ai-coder/ai-gateway/clients/roo-code.md index 66749d121e..2445eed026 100644 --- a/docs/ai-coder/ai-bridge/clients/roo-code.md +++ b/docs/ai-coder/ai-gateway/clients/roo-code.md @@ -1,6 +1,6 @@ # Roo Code -Roo Code allows you to configure providers via the UI and can be set up to use AI Bridge. +Roo Code allows you to configure providers via the UI and can be set up to use AI Gateway. ## Configuration diff --git a/docs/ai-coder/ai-bridge/clients/vscode.md b/docs/ai-coder/ai-gateway/clients/vscode.md similarity index 93% rename from docs/ai-coder/ai-bridge/clients/vscode.md rename to docs/ai-coder/ai-gateway/clients/vscode.md index 279709b98c..6c100f0c1c 100644 --- a/docs/ai-coder/ai-bridge/clients/vscode.md +++ b/docs/ai-coder/ai-gateway/clients/vscode.md @@ -1,6 +1,6 @@ # VS Code -VS Code's native chat can be configured to use AI Bridge with the GitHub Copilot Chat extension's custom language model support. +VS Code's native chat can be configured to use AI Gateway with the GitHub Copilot Chat extension's custom language model support. ## Configuration diff --git a/docs/ai-coder/ai-bridge/clients/zed.md b/docs/ai-coder/ai-gateway/clients/zed.md similarity index 77% rename from docs/ai-coder/ai-bridge/clients/zed.md rename to docs/ai-coder/ai-gateway/clients/zed.md index 1cfb8795f1..944b9f244a 100644 --- a/docs/ai-coder/ai-bridge/clients/zed.md +++ b/docs/ai-coder/ai-gateway/clients/zed.md @@ -1,12 +1,12 @@ # Zed -Zed IDE supports AI Bridge via its `language_models` configuration in `settings.json`. +Zed IDE supports AI Gateway via its `language_models` configuration in `settings.json`. ## Configuration -To configure Zed to use AI Bridge, you need to edit your `settings.json` file. You can access this by pressing `Cmd/Ctrl + ,` or opening the command palette and searching for "Open Settings". +To configure Zed to use AI Gateway, you need to edit your `settings.json` file. You can access this by pressing `Cmd/Ctrl + ,` or opening the command palette and searching for "Open Settings". -You can configure both Anthropic and OpenAI providers to point to AI Bridge. +You can configure both Anthropic and OpenAI providers to point to AI Gateway. ```json { @@ -41,7 +41,7 @@ You can configure both Anthropic and OpenAI providers to point to AI Bridge. ## Authentication -Zed requires an API key for these providers. For AI Bridge, this key is your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**. +Zed requires an API key for these providers. For AI Gateway, this key is your **[Coder Session Token](../../../admin/users/sessions-tokens.md#generate-a-long-lived-api-token-on-behalf-of-yourself)**. You can set this in two ways: diff --git a/docs/ai-coder/ai-bridge/index.md b/docs/ai-coder/ai-gateway/index.md similarity index 61% rename from docs/ai-coder/ai-bridge/index.md rename to docs/ai-coder/ai-gateway/index.md index 46650c8423..997f20ea89 100644 --- a/docs/ai-coder/ai-bridge/index.md +++ b/docs/ai-coder/ai-gateway/index.md @@ -1,12 +1,12 @@ -# AI Bridge +# AI Gateway ![AI bridge diagram](../../images/aibridge/aibridge_diagram.png) -AI Bridge is a smart gateway for AI. It acts as an intermediary between your users' coding agents / IDEs +AI Gateway is a smart gateway for AI. It acts as an intermediary between your users' coding agents / IDEs and providers like OpenAI and Anthropic. By intercepting all the AI traffic between these clients and -the upstream APIs, AI Bridge can record user prompts, token usage, and tool invocations. +the upstream APIs, AI Gateway can record user prompts, token usage, and tool invocations. -AI Bridge solves 3 key problems: +AI Gateway solves 3 key problems: 1. **Centralized authn/z management**: no more issuing & managing API tokens for OpenAI/Anthropic usage. Users use their Coder session or API tokens to authenticate with `coderd` (Coder control plane), and @@ -16,9 +16,14 @@ AI Bridge solves 3 key problems: 1. **Centralized MCP administration**: define a set of approved MCP servers and tools which your users may use. -## When to use AI Bridge +> [!NOTE] +> AI Gateway was previously known as "AI Bridge". Some configuration +> options, environment variables, and API paths still use the old name +> and will be updated in a future release. -As LLM adoption grows, administrators need centralized auditing, monitoring, and token management. AI Bridge enables organizations to manage AI tooling access for thousands of engineers from a single control plane. +## When to use AI Gateway + +As LLM adoption grows, administrators need centralized auditing, monitoring, and token management. AI Gateway enables organizations to manage AI tooling access for thousands of engineers from a single control plane. If you are an administrator or devops leader looking to: @@ -28,12 +33,12 @@ If you are an administrator or devops leader looking to: - Investigate opportunities for AI automation - Uncover high-leverage use cases last -AI Bridge is best suited for organizations facing these centralized management and observability challenges. +AI Gateway is best suited for organizations facing these centralized management and observability challenges. ## Next steps -- [Set up AI Bridge](./setup.md) on your Coder deployment -- [Configure AI clients](./clients/index.md) to use AI Bridge +- [Set up AI Gateway](./setup.md) on your Coder deployment +- [Configure AI clients](./clients/index.md) to use AI Gateway - [Configure MCP servers](./mcp.md) for tool access - [Audit AI sessions](./audit.md) - [Monitor usage and metrics](./monitoring.md) and [configure data retention](./setup.md#data-retention) diff --git a/docs/ai-coder/ai-bridge/mcp.md b/docs/ai-coder/ai-gateway/mcp.md similarity index 70% rename from docs/ai-coder/ai-bridge/mcp.md rename to docs/ai-coder/ai-gateway/mcp.md index a4e8ee2453..a070172a47 100644 --- a/docs/ai-coder/ai-bridge/mcp.md +++ b/docs/ai-coder/ai-gateway/mcp.md @@ -1,18 +1,18 @@ # MCP > [!WARNING] -> Injected MCP in AI Bridge is deprecated and will be removed in a future release. +> Injected MCP in AI Gateway is deprecated and will be removed in a future release. [Model Context Protocol (MCP)](https://modelcontextprotocol.io/docs/getting-started/intro) is a mechanism for connecting AI applications to external systems. -AI Bridge can connect to MCP servers and inject tools automatically, enabling you to centrally manage the list of tools you wish to grant your users. +AI Gateway can connect to MCP servers and inject tools automatically, enabling you to centrally manage the list of tools you wish to grant your users. > [!NOTE] > Only MCP servers which support OAuth2 Authorization are supported currently. > > [_Streamable HTTP_](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#streamable-http) is the only supported transport currently. In future releases we will support the (now deprecated) [_Server-Sent Events_](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#backwards-compatibility) transport. -AI Bridge makes use of [External Auth](../../admin/external-auth/index.md) applications, as they define OAuth2 connections to upstream services. If your External Auth application hosts a remote MCP server, you can configure AI Bridge to connect to it, retrieve its tools and inject them into requests automatically - all while using each individual user's access token. +AI Gateway makes use of [External Auth](../../admin/external-auth/index.md) applications, as they define OAuth2 connections to upstream services. If your External Auth application hosts a remote MCP server, you can configure AI Gateway to connect to it, retrieve its tools and inject them into requests automatically - all while using each individual user's access token. For example, GitHub has a [remote MCP server](https://github.com/github/github-mcp-server?tab=readme-ov-file#remote-github-mcp-server) and we can use it as follows. @@ -20,7 +20,7 @@ For example, GitHub has a [remote MCP server](https://github.com/github/github-m CODER_EXTERNAL_AUTH_0_TYPE=github CODER_EXTERNAL_AUTH_0_CLIENT_ID=... CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=... -# Tell AI Bridge where it can find this service's remote MCP server. +# Tell AI Gateway where it can find this service's remote MCP server. CODER_EXTERNAL_AUTH_0_MCP_URL=https://api.githubcopilot.com/mcp/ ``` @@ -50,13 +50,13 @@ In the above example, if you prompted your AI model with "list your available gi > 2. bmcp_github_list_gists > ``` -AI Bridge marks automatically injected tools with a prefix `bmcp_` ("bridged MCP"). It also namespaces all tool names by the ID of their associated External Auth application (in this case `github`). +AI Gateway marks automatically injected tools with a prefix `bmcp_` ("bridged MCP"). It also namespaces all tool names by the ID of their associated External Auth application (in this case `github`). ## Tool Injection -If a model decides to invoke a tool and it has a `bmcp_` suffix and AI Bridge has a connection with the related MCP server, it will invoke the tool. The tool result will be passed back to the upstream AI provider, and this will loop until the model has all of its required data. These inner loops are not relayed back to the client; all it sees is the result of this loop. See [Implementation Details](./reference.md#implementation-details). +If a model decides to invoke a tool and it has a `bmcp_` suffix and AI Gateway has a connection with the related MCP server, it will invoke the tool. The tool result will be passed back to the upstream AI provider, and this will loop until the model has all of its required data. These inner loops are not relayed back to the client; all it sees is the result of this loop. See [Implementation Details](./reference.md#implementation-details). -In contrast, tools which are defined by the client (i.e. the [`Bash` tool](https://docs.claude.com/en/docs/claude-code/settings#tools-available-to-claude) defined by _Claude Code_) cannot be invoked by AI Bridge, and the tool call from the model will be relayed to the client, after which it will invoke the tool. +In contrast, tools which are defined by the client (i.e. the [`Bash` tool](https://docs.claude.com/en/docs/claude-code/settings#tools-available-to-claude) defined by _Claude Code_) cannot be invoked by AI Gateway, and the tool call from the model will be relayed to the client, after which it will invoke the tool. If you have [Coder MCP Server](../mcp-server.md) enabled, as well as have `CODER_AIBRIDGE_INJECT_CODER_MCP_TOOLS=true` set, Coder's MCP tools will be injected into intercepted requests. diff --git a/docs/ai-coder/ai-bridge/monitoring.md b/docs/ai-coder/ai-gateway/monitoring.md similarity index 85% rename from docs/ai-coder/ai-bridge/monitoring.md rename to docs/ai-coder/ai-gateway/monitoring.md index d3adc59733..0bf6e081d4 100644 --- a/docs/ai-coder/ai-bridge/monitoring.md +++ b/docs/ai-coder/ai-gateway/monitoring.md @@ -1,6 +1,6 @@ # Monitoring -AI Bridge records the last `user` prompt, token usage, model reasoning, and every tool invocation for each intercepted request. Each capture is tied to a single "interception" that maps back to the authenticated Coder identity, making it easy to attribute spend and behaviour. +AI Gateway records the last `user` prompt, token usage, model reasoning, and every tool invocation for each intercepted request. Each capture is tied to a single "interception" that maps back to the authenticated Coder identity, making it easy to attribute spend and behaviour. ![User Prompt logging](../../images/aibridge/grafana_user_prompts_logging.png) @@ -19,11 +19,11 @@ in the setup guide for configuration and a full list of record types. ## Exporting Data -AI Bridge interception data can be exported for external analysis, compliance reporting, or integration with log aggregation systems. +AI Gateway interception data can be exported for external analysis, compliance reporting, or integration with log aggregation systems. ### REST API -You can retrieve AI Bridge sessions via the Coder API, with filtering and pagination support. +You can retrieve AI Gateway sessions via the Coder API, with filtering and pagination support. ```sh curl -X GET "https://coder.example.com/api/v2/aibridge/sessions" \ @@ -81,22 +81,22 @@ See `coder aibridge interceptions list --help` for all options. ## Data Retention -AI Bridge data is retained for **60 days by default**. Configure the retention +AI Gateway data is retained for **60 days by default**. Configure the retention period to balance storage costs with your organization's compliance and analysis needs. For configuration options and details, see [Data Retention](./setup.md#data-retention) -in the AI Bridge setup guide. +in the AI Gateway setup guide. ## Tracing -AI Bridge supports tracing via [OpenTelemetry](https://opentelemetry.io/), +AI Gateway supports tracing via [OpenTelemetry](https://opentelemetry.io/), providing visibility into request processing, upstream API calls, and MCP server interactions. ### Enabling Tracing -AI Bridge tracing is enabled when tracing is enabled for the Coder server. +AI Gateway tracing is enabled when tracing is enabled for the Coder server. To enable tracing set `CODER_TRACE_ENABLE` environment variable or [--trace](https://coder.com/docs/reference/cli/server#--trace) CLI flag: @@ -110,7 +110,7 @@ coder server --trace ### What is Traced -AI Bridge creates spans for the following operations: +AI Gateway creates spans for the following operations: | Span Name | Description | |---------------------------------------------|------------------------------------------------------| diff --git a/docs/ai-coder/ai-bridge/reference.md b/docs/ai-coder/ai-gateway/reference.md similarity index 77% rename from docs/ai-coder/ai-bridge/reference.md rename to docs/ai-coder/ai-gateway/reference.md index 398eb9a8ca..5a37525598 100644 --- a/docs/ai-coder/ai-bridge/reference.md +++ b/docs/ai-coder/ai-gateway/reference.md @@ -4,13 +4,13 @@ `coderd` runs an in-memory instance of `aibridged`, whose logic is mostly contained in https://github.com/coder/aibridge. In future releases we will support running external instances for higher throughput and complete memory isolation from `coderd`. -![AI Bridge implementation details](../../images/aibridge/aibridge-implementation-details.png) +![AI Gateway implementation details](../../images/aibridge/aibridge-implementation-details.png) ## Supported APIs API support is broken down into two categories: -- **Intercepted**: requests are intercepted, audited, and augmented - full AI Bridge functionality +- **Intercepted**: requests are intercepted, audited, and augmented - full AI Gateway functionality - **Passthrough**: requests are proxied directly to the upstream, no auditing or augmentation takes place Where relevant, both streaming and non-streaming requests are supported. @@ -38,4 +38,4 @@ Where relevant, both streaming and non-streaming requests are supported. ## Troubleshooting -To report a bug, file a feature request, or view a list of known issues, please visit our [GitHub repository for AI Bridge](https://github.com/coder/aibridge). If you encounter issues with AI Bridge, please reach out to us via [Discord](https://discord.gg/coder). +To report a bug, file a feature request, or view a list of known issues, please visit our [GitHub repository for AI Gateway](https://github.com/coder/aibridge). If you encounter issues with AI Gateway, please reach out to us via [Discord](https://discord.gg/coder). diff --git a/docs/ai-coder/ai-bridge/setup.md b/docs/ai-coder/ai-gateway/setup.md similarity index 84% rename from docs/ai-coder/ai-bridge/setup.md rename to docs/ai-coder/ai-gateway/setup.md index 60d6d11763..3d37910916 100644 --- a/docs/ai-coder/ai-bridge/setup.md +++ b/docs/ai-coder/ai-gateway/setup.md @@ -1,6 +1,6 @@ # Setup -AI Bridge runs inside the Coder control plane (`coderd`), requiring no separate compute to deploy or scale. Once enabled, `coderd` runs the `aibridged` in-memory and brokers traffic to your configured AI providers on behalf of authenticated users. +AI Gateway runs inside the Coder control plane (`coderd`), requiring no separate compute to deploy or scale. Once enabled, `coderd` runs the `aibridged` in-memory and brokers traffic to your configured AI providers on behalf of authenticated users. **Required**: @@ -10,7 +10,7 @@ AI Bridge runs inside the Coder control plane (`coderd`), requiring no separate ## Activation -You will need to enable AI Bridge explicitly: +You will need to enable AI Gateway explicitly: ```sh export CODER_AIBRIDGE_ENABLED=true @@ -21,13 +21,13 @@ coder server --aibridge-enabled=true ## Configure Providers -AI Bridge proxies requests to upstream LLM APIs. Configure at least one provider before exposing AI Bridge to end users. +AI Gateway proxies requests to upstream LLM APIs. Configure at least one provider before exposing AI Gateway to end users.
### OpenAI -Set the following when routing [OpenAI-compatible](https://coder.com/docs/reference/cli/server#--aibridge-openai-key) traffic through AI Bridge: +Set the following when routing [OpenAI-compatible](https://coder.com/docs/reference/cli/server#--aibridge-openai-key) traffic through AI Gateway: - `CODER_AIBRIDGE_OPENAI_KEY` or `--aibridge-openai-key` - `CODER_AIBRIDGE_OPENAI_BASE_URL` or `--aibridge-openai-base-url` @@ -40,7 +40,7 @@ If you'd like to create an [OpenAI key](https://platform.openai.com/api-keys) wi ### Anthropic -Set the following when routing [Anthropic-compatible](https://coder.com/docs/reference/cli/server#--aibridge-anthropic-key) traffic through AI Bridge: +Set the following when routing [Anthropic-compatible](https://coder.com/docs/reference/cli/server#--aibridge-anthropic-key) traffic through AI Gateway: - `CODER_AIBRIDGE_ANTHROPIC_KEY` or `--aibridge-anthropic-key` - `CODER_AIBRIDGE_ANTHROPIC_BASE_URL` or `--aibridge-anthropic-base-url` @@ -51,7 +51,7 @@ Anthropic does not allow [API keys](https://console.anthropic.com/settings/keys) ### Amazon Bedrock -Set the following when routing [Amazon Bedrock](https://coder.com/docs/reference/cli/server#--aibridge-bedrock-region) traffic through AI Bridge: +Set the following when routing [Amazon Bedrock](https://coder.com/docs/reference/cli/server#--aibridge-bedrock-region) traffic through AI Gateway: - `CODER_AIBRIDGE_BEDROCK_REGION` or `--aibridge-bedrock-region` - `CODER_AIBRIDGE_BEDROCK_ACCESS_KEY` or `--aibridge-bedrock-access-key` @@ -62,7 +62,7 @@ Set the following when routing [Amazon Bedrock](https://coder.com/docs/reference > [!NOTE] > `CODER_AIBRIDGE_BEDROCK_BASE_URL` or `--aibridge-bedrock-base-url` may be used instead of `CODER_AIBRIDGE_BEDROCK_REGION`/`--aibridge-bedrock-region` if you would like to specify a URL which does not follow the form of `https://bedrock-runtime..amazonaws.com` - for example if using a -proxy between AI Bridge and AWS Bedrock. +proxy between AI Gateway and AWS Bedrock. #### Obtaining Bedrock credentials @@ -79,7 +79,7 @@ proxy between AI Bridge and AWS Bedrock. - Under **Access keys**, click **Create access key**. - Select **"Application running outside AWS"** as the use case. - Click **Next**. - - Add a description like "Coder AI Bridge token". + - Add a description like "Coder AI Gateway token". - Click **Create access key**. - Save both the access key ID and secret access key securely. @@ -94,7 +94,7 @@ proxy between AI Bridge and AWS Bedrock. ### Additional providers and Model Proxies -AI Bridge can relay traffic to other OpenAI- or Anthropic-compatible services or model proxies like LiteLLM by pointing the base URL variables above at the provider you operate. Share feedback or follow along in the [`aibridge`](https://github.com/coder/aibridge) issue tracker as we expand support for additional providers. +AI Gateway can relay traffic to other OpenAI- or Anthropic-compatible services or model proxies like LiteLLM by pointing the base URL variables above at the provider you operate. Share feedback or follow along in the [`aibridge`](https://github.com/coder/aibridge) issue tracker as we expand support for additional providers.
@@ -103,7 +103,7 @@ AI Bridge can relay traffic to other OpenAI- or Anthropic-compatible services or ## Data Retention -AI Bridge records prompts, token usage, tool invocations, and model reasoning for auditing and +AI Gateway records prompts, token usage, tool invocations, and model reasoning for auditing and monitoring purposes. By default, this data is retained for **60 days**. Configure retention using `--aibridge-retention` or `CODER_AIBRIDGE_RETENTION`: @@ -126,7 +126,7 @@ For duration formats, how retention works, and best practices, see the ## Structured Logging -AI Bridge can emit structured logs for every interception record, making it +AI Gateway can emit structured logs for every interception record, making it straightforward to export data to external SIEM or observability platforms. Enable with `--aibridge-structured-logging` or `CODER_AIBRIDGE_STRUCTURED_LOGGING`: @@ -149,7 +149,7 @@ stderr) or [`--log-json`](../../reference/cli/server.md#--log-json). For machine ingestion, set `--log-json` to a file path or `/dev/stderr` so that records are emitted as JSON. -Filter for AI Bridge records in your logging pipeline by matching on the +Filter for AI Gateway records in your logging pipeline by matching on the `"interception log"` message. Each log line includes a `record_type` field that indicates the kind of event captured: diff --git a/docs/ai-coder/ai-governance.md b/docs/ai-coder/ai-governance.md index ace18eef55..329c2e6887 100644 --- a/docs/ai-coder/ai-governance.md +++ b/docs/ai-coder/ai-governance.md @@ -10,9 +10,9 @@ AI rollouts. The AI Governance Add-On is a per-user license that can be added to Premium seats. Each user with the add-on gets access to a set of features that help organizations safely roll out AI tooling at scale: -- [AI Bridge](./ai-bridge/index.md): LLM gateway to audit AI sessions, central +- [AI Gateway](./ai-gateway/index.md): LLM gateway to audit AI sessions, central MCP server management, and policy enforcement -- [Agent Boundaries](./agent-boundaries/index.md): Process-level firewalls for +- [Agent Firewall](./agent-firewall/index.md): Process-level firewalls for agents, restricting which domains can be accessed by AI agents - [Additional Tasks Use (via Agent Workspace Builds)](#how-coder-tasks-usage-is-measured): Additional allowance of Agent Workspace Builds for continued use of Coder @@ -45,7 +45,7 @@ security challenges that traditional developer tooling doesn't address. ### Auditing AI activity across teams Without centralized monitoring, teams have no way to understand how AI tools are -being used across the organization. AI Bridge provides audit trails of prompts, +being used across the organization. AI Gateway provides audit trails of prompts, token usage, and tool invocations, giving administrators insight into AI adoption patterns and potential issues. @@ -53,35 +53,35 @@ adoption patterns and potential issues. AI agents can make arbitrary network requests, potentially accessing unauthorized services or exfiltrating data. They can also execute destructive -commands within a workspace. Agent Boundaries enforce process-level policies +commands within a workspace. Agent Firewall enforces process-level policies that restrict which domains agents can reach and what actions they can perform, preventing unintended data exposure and destructive operations like `rm -rf`. ### Centralizing API key management Managing individual API keys for AI providers across hundreds of developers -creates security risks and administrative overhead. AI Bridge centralizes +creates security risks and administrative overhead. AI Gateway centralizes authentication so users authenticate through Coder, eliminating the need to distribute and rotate provider API keys. ### Standardizing MCP tools and servers Different teams may use different MCP servers and tools with varying security -postures. AI Bridge enables centralized MCP administration, allowing +postures. AI Gateway enables centralized MCP administration, allowing organizations to define approved tools and servers that all users can access. ### Measuring AI adoption and spend Without usage data, it's hard to justify AI tooling investments or identify -high-leverage use cases. AI Bridge captures metrics on token spend, adoption +high-leverage use cases. AI Gateway captures metrics on token spend, adoption rates, and usage patterns to inform decisions about AI strategy. ## GA status and availability -Starting with Coder v2.30 (February 2026), AI Bridge and Agent Boundaries are +Starting with Coder v2.30 (February 2026), AI Gateway and Agent Firewall are generally available as part of the AI Governance Add-On. -The AI Governance add-on is required to use AI Bridge and Agent Boundaries. +The AI Governance add-on is required to use AI Gateway and Agent Firewall. If your deployment does not have the add-on, you'll see a notification banner reminding you to enable it. @@ -119,7 +119,7 @@ and coding assistants. | Developer resumes an old Coder Task order to continue prototyping | Yes | | Developer starts a workspace for use with VS Code and Jupyter | No | | Developer creates a workspace for use with Cursor and Claude Code CLI | No | -| Developer creates a workspace for use with Coder AI Bridge and Agent Boundaries | No | +| Developer creates a workspace for use with Coder AI Gateway and Agent Firewall | No | In the future, additional capabilities for managing agents (beyond Coder Tasks) may also consume agent workspace builds. @@ -130,7 +130,7 @@ Without proper controls and sandboxing, it is not recommended to open up Coder Tasks to a large audience in the enterprise. Both Community and Premium deployments include 1,000 Agent Workspace Builds, primarily for proof-of-concept use and basic workflows. Community deployments do not have access to -[AI Bridge](./ai-bridge/index.md) or [Agent Boundaries](./agent-boundaries/index.md). +[AI Gateway](./ai-gateway/index.md) or [Agent Firewall](./agent-firewall/index.md). Our [AI Governance Add-On](./ai-governance.md) includes a shared usage pool of Agent Workspace Builds for automated workflows, along with limits that scale @@ -160,7 +160,7 @@ whether each user is consuming an AI seat: - A green check icon indicates the user is actively consuming an AI seat. - A gray X icon indicates the user is not consuming an AI seat. -A user consumes an AI seat when they use AI features such as AI Bridge or +A user consumes an AI seat when they use AI features such as AI Gateway or Tasks. The column helps administrators identify which users contribute to the organization's AI seat count, making it easier to manage seat allocations and stay within license limits. diff --git a/docs/ai-coder/index.md b/docs/ai-coder/index.md index 9580148405..4e2423c2ff 100644 --- a/docs/ai-coder/index.md +++ b/docs/ai-coder/index.md @@ -31,18 +31,18 @@ terminal-based agent such as Claude Code or Codex's Open Source CLI. [Learn more about Coder Tasks](./tasks.md) for best practices and how to get started. -## Secure Your Workflows with Agent Boundaries +## Secure Your Workflows with Agent Firewall AI agents can be powerful teammates, but must be treated as untrusted and unpredictable interns as opposed to tools. Without the right controls, they can go rogue. -[Agent Boundaries](./agent-boundaries/index.md) is a new tool that offers +[Agent Firewall](./agent-firewall/index.md) is a new tool that offers process-level safeguards that detect and prevent destructive actions. Unlike traditional mitigation methods like firewalls, service meshes, and RBAC systems, -Agent Boundaries is an agent-aware, centralized control point that can either be +Agent Firewall is an agent-aware, centralized control point that can either be embedded in the same secure Coder Workspaces that enterprises already trust, or used through an open source CLI. To learn more about features, implementation details, and how to get started, -check out the [Agent Boundaries documentation](./agent-boundaries/index.md). +check out the [Agent Firewall documentation](./agent-firewall/index.md). diff --git a/docs/ai-coder/security.md b/docs/ai-coder/security.md index f433c7c572..83d882d753 100644 --- a/docs/ai-coder/security.md +++ b/docs/ai-coder/security.md @@ -24,8 +24,8 @@ scopes or tokens from the standard one. Additional guidance and tooling is coming in future releases of Coder. -## Set Up Agent Boundaries +## Set Up Agent Firewall -Agent Boundaries are process-level "agent firewalls" that lets you restrict and +Agent Firewall is a process-level firewall that lets you restrict and audit what AI agents can access within Coder workspaces. To learn more about -this feature, see [Agent Boundaries](./agent-boundaries/index.md). +this feature, see [Agent Firewall](./agent-firewall/index.md). diff --git a/docs/ai-coder/tasks.md b/docs/ai-coder/tasks.md index d1642f73fa..04349dd385 100644 --- a/docs/ai-coder/tasks.md +++ b/docs/ai-coder/tasks.md @@ -15,7 +15,7 @@ The Task details view shows the user's complete chat, workspace status and, buil ![VS Code IDE Extension Details View](../images/guides/ai-agents/vs_code_tasks_extension_details.png) > [!NOTE] -> Both Community and Premium deployments include 1,000 Agent Workspace Builds for proof-of-concept use. Community deployments do not have access to [AI Bridge](./ai-bridge/index.md) or [Agent Boundaries](./agent-boundaries/index.md). To scale beyond the 1,000 build limit or enable AI Governance features, the [AI Governance Add-On](./ai-governance.md) provides expanded usage pools that grow with your user count. [Contact us](https://coder.com/contact) to discuss pricing. +> Both Community and Premium deployments include 1,000 Agent Workspace Builds for proof-of-concept use. Community deployments do not have access to [AI Gateway](./ai-gateway/index.md) or [Agent Firewall](./agent-firewall/index.md). To scale beyond the 1,000 build limit or enable AI Governance features, the [AI Governance Add-On](./ai-governance.md) provides expanded usage pools that grow with your user count. [Contact us](https://coder.com/contact) to discuss pricing. ## Supported Agents (and Models) diff --git a/docs/install/releases/esr-2.24-2.29-upgrade.md b/docs/install/releases/esr-2.24-2.29-upgrade.md index cfded0c453..1789477f54 100644 --- a/docs/install/releases/esr-2.24-2.29-upgrade.md +++ b/docs/install/releases/esr-2.24-2.29-upgrade.md @@ -28,9 +28,9 @@ Coder—particularly suited for long-running background operations like bug fixe documentation generation, PR reviews, and testing/QA.For more information, read our documentation [here](https://coder.com/docs/ai-coder/tasks). -### AI Bridge +### AI Gateway -AI Bridge was introduced in 2.26, and is a smart gateway that acts as an +AI Gateway was introduced in 2.26, and is a smart gateway that acts as an intermediary between users' coding agents/IDEs and AI providers like OpenAI and Anthropic. It solves three key problems: @@ -42,19 +42,19 @@ Anthropic. It solves three key problems: This is a Premium/Beta feature that intercepts AI traffic to record prompts, token usage, and tool invocations. For more information, read our documentation -[here](https://coder.com/docs/ai-coder/ai-bridge). +[here](../../ai-coder/ai-gateway/index.md). -### Agent Boundaries +### Agent Firewall -Agent Boundaries was introduced in 2.27 and is currently in Early Access. Agent -Boundaries are process-level firewalls in Coder that restrict and audit what +Agent Firewall was introduced in 2.27 and is currently in Early Access. Agent +Firewall is a process-level firewall in Coder that restricts and audits what autonomous programs (like AI agents) can access and do within a workspace. They provide network policy enforcement—blocking specific domains and HTTP verbs to prevent data exfiltration—and write logs to the workspace for auditability. -Boundaries support any terminal-based agent, including custom ones, and can be +Agent Firewall supports any terminal-based agent, including custom ones, and can be easily configured through existing Coder modules like the Claude Code module. For more information, read our documentation -[here](../../ai-coder/agent-boundaries/index.md). +[here](../../ai-coder/agent-firewall/index.md). ### Performance Enhancements diff --git a/docs/install/releases/feature-stages.md b/docs/install/releases/feature-stages.md index 66707ddc59..c43e3a3fea 100644 --- a/docs/install/releases/feature-stages.md +++ b/docs/install/releases/feature-stages.md @@ -106,7 +106,7 @@ available in the documentation. |------------------------------------------------------------------------------|------------------------------------------------|------------------| | [MCP Server](../../ai-coder/mcp-server.md) | Connect to agents Coder with a MCP server | mainline, stable | | [JetBrains Toolbox](../../user-guides/workspace-access/jetbrains/toolbox.md) | Access Coder workspaces from JetBrains Toolbox | mainline, stable | -| Agent Boundaries | Understanding Agent Boundaries in Coder Tasks | stable | +| Agent Firewall | Understanding Agent Firewall in Coder Tasks | stable | | [Workspace Sharing](../../user-guides/shared-workspaces.md) | Sharing workspaces | mainline, stable | diff --git a/docs/manifest.json b/docs/manifest.json index b140ce4d1c..3bf7b823cf 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -1007,8 +1007,8 @@ "path": "./ai-coder/tasks-migration.md" }, { - "title": "Security \u0026 Boundaries", - "description": "Learn about security and boundaries when running AI coding agents in Coder", + "title": "Security \u0026 Agent Firewall", + "description": "Learn about security and the Agent Firewall when running AI coding agents in Coder", "path": "./ai-coder/security.md" }, { @@ -1025,162 +1025,162 @@ "state": ["premium"], "children": [ { - "title": "Agent Boundaries", - "description": "Understanding Agent Boundaries in Coder Tasks", - "path": "./ai-coder/agent-boundaries/index.md", + "title": "Agent Firewall", + "description": "Understanding Agent Firewall in Coder Tasks", + "path": "./ai-coder/agent-firewall/index.md", "state": ["premium"], "children": [ { "title": "NS Jail", "description": "Documentation for Namespace Jail", - "path": "./ai-coder/agent-boundaries/nsjail/index.md", + "path": "./ai-coder/agent-firewall/nsjail/index.md", "children": [ { "title": "NS Jail on Docker", "description": "Runtime and permission requirements for running NS Jail on Docker", - "path": "./ai-coder/agent-boundaries/nsjail/docker.md" + "path": "./ai-coder/agent-firewall/nsjail/docker.md" }, { "title": "NS Jail on Kubernetes", "description": "Runtime and permission requirements for running NS Jail on Kubernetes", - "path": "./ai-coder/agent-boundaries/nsjail/k8s.md" + "path": "./ai-coder/agent-firewall/nsjail/k8s.md" }, { "title": "NS Jail on ECS", "description": "Runtime and permission requirements for running NS Jail on ECS", - "path": "./ai-coder/agent-boundaries/nsjail/ecs.md" + "path": "./ai-coder/agent-firewall/nsjail/ecs.md" } ] }, { "title": "LandJail", "description": "Documentation for LandJail", - "path": "./ai-coder/agent-boundaries/landjail.md" + "path": "./ai-coder/agent-firewall/landjail.md" }, { "title": "Rules Engine", - "description": "Documentation for the Boundary rules engine", - "path": "./ai-coder/agent-boundaries/rules-engine.md" + "description": "Documentation for the Agent Firewall rules engine", + "path": "./ai-coder/agent-firewall/rules-engine.md" }, { "title": "Version Compatibility", "description": "Version requirements and compatibility information", - "path": "./ai-coder/agent-boundaries/version.md" + "path": "./ai-coder/agent-firewall/version.md" } ] }, { - "title": "AI Bridge", + "title": "AI Gateway", "description": "AI Gateway for Enterprise Governance \u0026 Observability", - "path": "./ai-coder/ai-bridge/index.md", + "path": "./ai-coder/ai-gateway/index.md", "icon_path": "./images/icons/api.svg", "state": ["premium"], "children": [ { "title": "Setup", - "description": "How to set up and configure AI Bridge", - "path": "./ai-coder/ai-bridge/setup.md" + "description": "How to set up and configure AI Gateway", + "path": "./ai-coder/ai-gateway/setup.md" }, { "title": "Client Configuration", - "description": "How to configure your AI coding tools to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/index.md", + "description": "How to configure your AI coding tools to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/index.md", "children": [ { "title": "Claude Code", - "description": "Configure Claude Code to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/claude-code.md" + "description": "Configure Claude Code to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/claude-code.md" }, { "title": "Codex", - "description": "Configure Codex to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/codex.md" + "description": "Configure Codex to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/codex.md" }, { "title": "Mux", - "description": "Configure Mux to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/mux.md" + "description": "Configure Mux to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/mux.md" }, { "title": "OpenCode", - "description": "Configure OpenCode to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/opencode.md" + "description": "Configure OpenCode to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/opencode.md" }, { "title": "Factory", - "description": "Configure Factory to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/factory.md" + "description": "Configure Factory to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/factory.md" }, { "title": "Cline", - "description": "Configure Cline to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/cline.md" + "description": "Configure Cline to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/cline.md" }, { "title": "Kilo Code", - "description": "Configure Kilo Code to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/kilo-code.md" + "description": "Configure Kilo Code to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/kilo-code.md" }, { "title": "Roo Code", - "description": "Configure Roo Code to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/roo-code.md" + "description": "Configure Roo Code to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/roo-code.md" }, { "title": "VS Code", - "description": "Configure VS Code to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/vscode.md" + "description": "Configure VS Code to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/vscode.md" }, { "title": "JetBrains", - "description": "Configure JetBrains IDEs to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/jetbrains.md" + "description": "Configure JetBrains IDEs to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/jetbrains.md" }, { "title": "Zed", - "description": "Configure Zed to use AI Bridge", - "path": "./ai-coder/ai-bridge/clients/zed.md" + "description": "Configure Zed to use AI Gateway", + "path": "./ai-coder/ai-gateway/clients/zed.md" }, { "title": "GitHub Copilot", - "description": "Configure GitHub Copilot to use AI Bridge via AI Bridge Proxy", - "path": "./ai-coder/ai-bridge/clients/copilot.md" + "description": "Configure GitHub Copilot to use AI Gateway via AI Gateway Proxy", + "path": "./ai-coder/ai-gateway/clients/copilot.md" } ] }, { "title": "MCP Tools Injection", - "description": "How to configure MCP servers for tools injection through AI Bridge", - "path": "./ai-coder/ai-bridge/mcp.md", + "description": "How to configure MCP servers for tools injection through AI Gateway", + "path": "./ai-coder/ai-gateway/mcp.md", "state": ["early access"] }, { - "title": "AI Bridge Proxy", + "title": "AI Gateway Proxy", "description": "Proxy for AI coding tools without base URL override support", - "path": "./ai-coder/ai-bridge/ai-bridge-proxy/index.md", + "path": "./ai-coder/ai-gateway/ai-gateway-proxy/index.md", "state": ["premium"], "children": [ { "title": "Setup", - "description": "How to set up and configure AI Bridge Proxy", - "path": "./ai-coder/ai-bridge/ai-bridge-proxy/setup.md" + "description": "How to set up and configure AI Gateway Proxy", + "path": "./ai-coder/ai-gateway/ai-gateway-proxy/setup.md" } ] }, { "title": "Auditing AI Sessions", "description": "How to audit AI sessions", - "path": "./ai-coder/ai-bridge/audit.md" + "path": "./ai-coder/ai-gateway/audit.md" }, { "title": "Monitoring", - "description": "How to monitor AI Bridge", - "path": "./ai-coder/ai-bridge/monitoring.md" + "description": "How to monitor AI Gateway", + "path": "./ai-coder/ai-gateway/monitoring.md" }, { "title": "Reference", - "description": "Technical reference for AI Bridge", - "path": "./ai-coder/ai-bridge/reference.md" + "description": "Technical reference for AI Gateway", + "path": "./ai-coder/ai-gateway/reference.md" } ] },