shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-03 21:18:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
29775edf9598c876adf438da3f77f75eb00e052d
coder/docs/ai-coder/agent-firewall/rules-engine.md
T
Jiachen Jiang e9f0385198 docs: update AI Governance label and add v2.32 requirement (#24708) 
## Summary

Replace the "Premium" label with "AI Governance Add-On" and add a
disclaimer that the AI Governance Add-On is required for AI Gateway and
Agent Firewall as of Coder v2.32, across all AI Governance doc pages and
their children.

## Changes

**Label and requirement updates (7 files):**
- `docs/ai-coder/ai-governance.md`: Removed "(Premium)" from title;
updated GA section to state add-on required as of v2.32.
- `docs/ai-coder/ai-gateway/setup.md`: "Premium license" → "AI
Governance Add-On license".
- `docs/ai-coder/ai-gateway/ai-gateway-proxy/setup.md`: "Premium
license" → "AI Governance Add-On".
- `docs/ai-coder/ai-gateway/clients/claude-code.md`: "(Premium feature)"
→ "(AI Governance Add-On)".
- `docs/manifest.json`: `"state": ["premium"]` → `"state": ["ai
governance add-on"]` for 4 nav entries.

**Disclaimer added to all child pages (26 files):**

AI Gateway pages (18):
`index.md`, `setup.md`, `audit.md`, `monitoring.md`, `mcp.md`,
`reference.md`, `ai-gateway-proxy/index.md`,
`ai-gateway-proxy/setup.md`, `clients/index.md`,
`clients/claude-code.md`, `clients/codex.md`, `clients/mux.md`,
`clients/opencode.md`, `clients/factory.md`, `clients/cline.md`,
`clients/kilo-code.md`, `clients/roo-code.md`, `clients/vscode.md`,
`clients/jetbrains.md`, `clients/zed.md`, `clients/copilot.md`

Agent Firewall pages (8):
`index.md`, `version.md`, `landjail.md`, `rules-engine.md`,
`nsjail/index.md`, `nsjail/docker.md`, `nsjail/k8s.md`, `nsjail/ecs.md`

Other: `security.md`

> [!NOTE]
> The `"ai governance add-on"` state value in `manifest.json` is new.
The docs site renderer may need to be updated to support this state
value.

> Generated by Coder Agents
2026-05-07 17:09:54 -05:00

5.1 KiB
Raw Blame History

Rules Engine Documentation

Note

Agent Firewall requires the AI Governance Add-On. As of Coder v2.32, deployments without the add-on will not be able to access Agent Firewall.

Overview

The rulesengine package provides a flexible rule-based filtering system for HTTP/HTTPS requests. Rules use a simple key-value syntax with support for wildcards and multiple values.

Basic Syntax

Rules follow the format: key=value [key=value ...] with three supported keys:

  • method: HTTP method(s) - Any HTTP method (e.g., GET, POST, PUT, DELETE), * (all methods), or comma-separated list
  • domain: Domain/hostname pattern - github.com, *.example.com, * (all domains)
  • path: URL path pattern - /api/users, /api/*/users, * (all paths), or comma-separated list

Key behavior:

  • If a key is omitted, it matches all values
  • Multiple key-value pairs in one rule are separated by whitespace
  • Multiple rules in the allowlist are OR'd together (OR logic)
  • Default deny: if no rule matches, the request is denied

Examples:

allowlist:
  - domain=github.com # All methods, all paths for github.com (exact match)
  - domain=*.github.com # All subdomains of github.com
  - method=GET,POST domain=api.example.com # GET/POST to api.example.com (exact match)
  - domain=api.example.com path=/users,/posts # Multiple paths
  - method=GET domain=github.com path=/api/* # All three keys

Wildcard Symbol for Domains

The * wildcard matches domain labels (parts separated by dots).

Pattern Matches Does NOT Match
* All domains -
github.com github.com (exact match only) api.github.com, v1.api.github.com (subdomains), github.io
*.github.com api.github.com, v1.api.github.com (1+ subdomain levels) github.com (base domain)
api.*.com api.github.com, api.google.com api.v1.github.com (* in the middle matches exactly one domain label)
*.*.com api.example.com, api.v1.github.com -
api.* ERROR - Cannot end with * -

Important:

  • Patterns without * match exactly (no automatic subdomain matching)
  • *.example.com matches one or more subdomain levels
  • To match both base domain and subdomains, use separate rules: domain=github.com and domain=*.github.com
  • Domain patterns cannot end with asterisk

Wildcard Symbol for Paths

The * wildcard matches path segments (parts separated by slashes).

Pattern Matches Does NOT Match
* All paths -
/api/users /api/users /api/users/123 (subpaths don't match)
/api/* /api/users, /api/posts /api
/api/*/users /api/v1/users, /api/v2/users /api/users, /api/v1/v2/users
/*/users /api/users, /v1/users /api/v1/users
/api/v1/* /api/v1/users, /api/v1/users/123/details (1+ segments) /api/v1

Important:

  • * matches exactly one segment (except at the end)
  • * at the end matches one or more segments (special behavior)
  • * must match an entire segment (cannot be part of a segment like /api/user*)

Special Meaning of Wildcard at Beginning and End

Position Domain Path
Beginning 1+ subdomain levels Exactly 1 segment
Middle Exactly 1 label Exactly 1 segment
End Not allowed 1+ segments (special)
Standalone All domains All paths

Multipath

Specify multiple paths in a single rule by separating them with commas:

allowlist:
  - domain=api.example.com path=/users,/posts,/comments
  - domain=api.example.com path=/api,/api/*

NOTE: The pattern /api/* does not include the base path /api. To match both, use path=/api,/api/*.

Reference in New Issue View Git Blame Copy Permalink